User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020410 Fedora/3.0.6-1.fc10 Firefox/3.0.6 Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package. Additional Information Source Context: unconfined_u:unconfined_r:unconfined_t:s0 Target Context: system_u:object_r:lib_t:s0 Target Objects: /usr/lib/fglrx/libatiadlxx.so [ file ] Source: glxinfo Source Path: /usr/bin/glxinfo Port: <Unknown> Host: localhost.localdomainSource RPM Packages: gnome-screensaver-2.24.1-2.fc10 Target RPM Packages: xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10 Policy RPM: selinux-policy-3.5.13-44.fc10 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: allow_execmod Host Name: localhost.localdomain Platform: Linux localhost.localdomain 2.6.27.15-170.2.24.fc10.i686 #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 athlon (AMD Phenom Quad Core) Alert Count: 1 First Seen: Sat 21 Feb 2009 11:54:08 PM IST Last Seen: Sun 22 Feb 2009 12:18:33 AM IST Local ID: 3591d9a3-a2dd-417c-a336-4b9e3deca9f7 Raw Audit Messages : node=localhost.localdomain type=AVC msg=audit(1235242113.561:28): avc: denied { execmod } for pid=12565 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=sda7 ino=2370152 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1235242113.561:28): arch=40000003 syscall=125 success=yes exit=0 a0=8ac000 a1=1f000 a2=5 a3=bfe3e7f0 items=0 ppid=3254 pid=12565 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) Reproducible: Always Steps to Reproduce: 1.Install fglrx packages from compiz-fusion repo (including deps) 2.reboot the system 3.After reboot with updated kernel, and login, it appears on the top right in Selinux icon. Actual Results: Same as given in results box As a workaround I used chcon command: chcon -t textrel_shlib_t '/usr/lib/fglrx/libatiadlxx.so'
Fixed in current release of selinux-policy: selinux-policy-3.5.13-45.fc10