Bug 509469 - OpenGL applications -> libGL.so.1: failed to map segment from shared object: Permission denied
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: high
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-07-03 00:53 UTC by sangu
Modified: 2009-11-23 13:34 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-08-05 02:03:16 UTC


Description sangu 2009-07-03 00:53:14 UTC
Description of problem:
$ glxinfo 
glxinfo: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Permission denied

ls -alZ /usr/lib64/nvidia/libGL.so.1
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       /usr/lib64/nvidia/libGL.so.1 -> libGL.so.185.18.14
[sangu@localhost boot]$ ls -alZ /usr/lib64/libGL.so.1
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       /usr/lib64/libGL.so.1 -> libGL.so.1.2
[sangu@localhost boot]$ ls -alZ /usr/lib64/libGL.so.1.2 
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/libGL.so.1.2
[sangu@localhost boot]$ ls -alZ /usr/lib64/nvidia/libGL.so.185.18.14 
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/nvidia/libGL.so.185.18.14


Version-Release number of selected component (if applicable):
3.6.20-2.fc12

How reproducible:
always

Steps to Reproduce:
1. $ glxinfo

Additional info:
Summary:

SELinux is preventing glxinfo from changing a writable memory segment
executable.

Detailed Description:

The glxinfo application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If glxinfo does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust glxinfo to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/glxinfo'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/bin/glxinfo'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/glxinfo'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        glxinfo
Source Path                   /usr/bin/glxinfo
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glx-utils-7.5-0.14.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.20-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 03 Jul 2009 09:34:52 AM
Last Seen                     Fri 03 Jul 2009 09:34:52 AM
Local ID                      b6750a9a-47e7-4ca1-824a-ad00ebf437ce
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1246581292.279:16254): avc:  denied  { execmem } for  pid=17178 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1246581292.279:16254): arch=c000003e syscall=9 success=no exit=63643608 a0=7fc30198f000 a1=35000 a2=7 a3=812 items=0 ppid=14237 pid=17178 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="glxinfo" exe="/usr/bin/glxinfo" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

Comment 1 sangu 2009-07-03 04:52:06 UTC
$ chcon -t execmem_exec_t '/usr/bin/glxinfo'

$ glxinfo
[...]
 Segmentation fault

$ cat /var/log/Xorg.0.log
[...]
(II) LoadModule: "glx"
(II) Loading /usr/lib64/xorg/modules/extensions/nvidia//libglx.so
dlopen: /usr/lib64/xorg/modules/extensions/nvidia//libglx.so: failed to map segment from shared object: Permission denied
(EE) Failed to load /usr/lib64/xorg/modules/extensions/nvidia//libglx.so
(II) UnloadModule: "glx"
(EE) Failed to load module "glx" (loader failed, 7)
[...]

$ ls -Z /usr/lib64/xorg/modules/extensions/nvidia/libglx.so*
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       /usr/lib64/xorg/modules/extensions/nvidia/libglx.so -> libglx.so.185.18.14
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/xorg/modules/extensions/nvidia/libglx.so.185.18.14

Comment 2 Daniel Walsh 2009-07-06 18:07:07 UTC
Are you seeing any additional AVC messages?

Comment 3 sangu 2009-07-06 23:58:02 UTC
After rebooting
$ glxinfo
glxinfo: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

Again

# chcon -t execmem_exec_t /usr/bin/glxinfo
$ glxinfo
[...]
 Segmentation fault

Then,
(In reply to comment #2)
> Are you seeing any additional AVC messages?  

# tail -f /var/log/audit/audit.log
[...]
type=ANOM_ABEND msg=audit(1246924299.706:23247): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0 pid=2802 comm="glxinfo" sig=11

Comment 4 Daniel Walsh 2009-07-21 12:39:16 UTC
Well that is not an AVC.  I take it everything works in permissive mode?

Can you run the command with the dontaudit rules turned off to see if you get any other AVCs about glxinfo?

# semodule -DB
glxinfo
Look for AVCs
# semodule -B

Comment 5 sangu 2009-08-05 02:03:16 UTC
After installing new xorg-x11-drv-nvidia package, this issue was fixed.
Thanks!

Comment 6 Peter Larsen 2009-11-21 02:58:22 UTC
I've got this same problem with:
ll /usr/lib64/nvidia/libGL.so.1
lrwxrwxrwx. 1 root root 15 2009-11-20 21:07 /usr/lib64/nvidia/libGL.so.1 -> libGL.so.190.42

Followed by this in dmesg:
type=1400 audit(1258772111.484:44): avc:  denied  { execstack } for  pid=4863 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Comment 7 Daniel Walsh 2009-11-23 13:34:29 UTC
Peter, if you use the nvidia drivers you have to set the allow_execstack boolean.

# setsebool -P allow_execstack 1
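
As an added triage example (not part of this bug report or of Fedora's tooling), the script below parses the AVC and SYSCALL records quoted in the description and in comment 6, correlates them by audit serial, and decodes the mmap prot argument that shows why execmem fired; the sample records are the ones from this bug, and the syscall-number-to-name mapping is assumed for x86_64 (arch=c000003e) only.

```python
import re
from collections import defaultdict
AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Process-class permissions this thread hits: W+X memory, and an executable stack.
EXEC_PERMS = ("execmem", "execstack")
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

# Sample input: the three audit records quoted in this bug (description and comment 6).
SAMPLE_RECORDS = """\
node=(removed) type=AVC msg=audit(1246581292.279:16254): avc:  denied  { execmem } for  pid=17178 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
node=(removed) type=SYSCALL msg=audit(1246581292.279:16254): arch=c000003e syscall=9 success=no exit=63643608 a0=7fc30198f000 a1=35000 a2=7 a3=812 items=0 ppid=14237 pid=17178 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="glxinfo" exe="/usr/bin/glxinfo" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=1400 audit(1258772111.484:44): avc:  denied  { execstack } for  pid=4863 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

def parse_record(line):
    """Split one audit record into type, serial, key=value fields and denied perms."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # dmesg shows the numeric record type; 1400 is AUDIT_AVC.
    rtype = "AVC" if fields.get("type") == "1400" else fields.get("type")
    denied = DENIED_RE.search(line)
    return {"type": rtype, "serial": int(m.group(2)), "fields": fields,
            "denied": denied.group(1).split() if denied else []}

def triage(log_text):
    """Correlate AVC and SYSCALL records by serial; report execmem/execstack denials."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc["fields"].get("tclass") != "process":
            continue
        finding = {"serial": serial, "comm": avc["fields"].get("comm"),
                   "perms": [p for p in avc["denied"] if p in EXEC_PERMS]}
        sc = recs.get("SYSCALL")
        # On x86_64 (arch=c000003e) syscall 9 is mmap and a2 is prot in hex: a2=7 is RWX.
        if sc and sc["fields"].get("arch") == "c000003e" and sc["fields"].get("syscall") == "9":
            prot = int(sc["fields"]["a2"], 16)
            finding["mmap_prot"] = [n for b, n in PROT_BITS.items() if prot & b]
        findings.append(finding)
    return findings
```

Running `triage(SAMPLE_RECORDS)` shows the execmem event paired with a PROT_READ|PROT_WRITE|PROT_EXEC mmap from the dynamic loader, while the later execstack event (from dmesg) has no SYSCALL record to pair with.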
