Description of problem:

$ glxinfo
glxinfo: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Permission denied

ls -alZ /usr/lib64/nvidia/libGL.so.1
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 /usr/lib64/nvidia/libGL.so.1 -> libGL.so.185.18.14
[sangu@localhost boot]$ ls -alZ /usr/lib64/libGL.so.1
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 /usr/lib64/libGL.so.1 -> libGL.so.1.2
[sangu@localhost boot]$ ls -alZ /usr/lib64/libGL.so.1.2
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/libGL.so.1.2
[sangu@localhost boot]$ ls -alZ /usr/lib64/nvidia/libGL.so.185.18.14
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/nvidia/libGL.so.185.18.14

Version-Release number of selected component (if applicable):
3.6.20-2.fc12

How reproducible:
always

Steps to Reproduce:
1. $ glxinfo
2.
3.

Actual results:

Expected results:

Additional info:

Summary:

SELinux is preventing glxinfo from changing a writable memory segment executable.

Detailed Description:

The glxinfo application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If glxinfo does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust glxinfo to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/glxinfo'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/glxinfo'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/glxinfo'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        glxinfo
Source Path                   /usr/bin/glxinfo
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glx-utils-7.5-0.14.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.20-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 03 Jul 2009 09:34:52 AM
Last Seen                     Fri 03 Jul 2009 09:34:52 AM
Local ID                      b6750a9a-47e7-4ca1-824a-ad00ebf437ce
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1246581292.279:16254): avc: denied { execmem } for pid=17178 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1246581292.279:16254): arch=c000003e syscall=9 success=no exit=63643608 a0=7fc30198f000 a1=35000 a2=7 a3=812 items=0 ppid=14237 pid=17178 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="glxinfo" exe="/usr/bin/glxinfo" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

$ chcon -t execmem_exec_t '/usr/bin/glxinfo'
$ glxinfo
[...]
Segmentation fault

$ cat /var/log/Xorg.0.log
[...]
(II) LoadModule: "glx"
(II) Loading /usr/lib64/xorg/modules/extensions/nvidia//libglx.so
dlopen: /usr/lib64/xorg/modules/extensions/nvidia//libglx.so: failed to map segment from shared object: Permission denied
(EE) Failed to load /usr/lib64/xorg/modules/extensions/nvidia//libglx.so
(II) UnloadModule: "glx"
(EE) Failed to load module "glx" (loader failed, 7)
[...]

$ ls -Z /usr/lib64/xorg/modules/extensions/nvidia/libglx.so*
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 /usr/lib64/xorg/modules/extensions/nvidia/libglx.so -> libglx.so.185.18.14
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib64/xorg/modules/extensions/nvidia/libglx.so.185.18.14

Are you seeing any additional AVC messages?

After rebooting

$ glxinfo
glxinfo: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

Again

# chcon -t execmem_exec_t /usr/bin/glxinfo
$ glxinfo
[...]
Segmentation fault

Then,

(In reply to comment #2)
> Are you seeing any additional AVC messages?

# tail -f /var/log/audit/audit.log
[...]
type=ANOM_ABEND msg=audit(1246924299.706:23247): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0 pid=2802 comm="glxinfo" sig=11

Well that is not an AVC. I take it everything works in permissive mode?

Can you run the command with the dontaudit rules turned off to see if you get any other avc's about glxinfo?

# semodule -DB
glxinfo
Look for AVC's
# semodule -B

After installing new xorg-x11-drv-nvidia package, this issue was fixed. Thanks!

I've got this same problem with:

ll /usr/lib64/nvidia/libGL.so.1
lrwxrwxrwx. 1 root root 15 2009-11-20 21:07 /usr/lib64/nvidia/libGL.so.1 -> libGL.so.190.42

Followed by this in dmesg:

type=1400 audit(1258772111.484:44): avc: denied { execstack } for pid=4863 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Peter, if you use the nvidia drivers you have to set the allow_execstack boolean

# setsebool -P allow_execstack 1
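
Added example, not part of the original bug report or of any SELinux tool: a small Python triage script that pairs each AVC denial quoted in this thread with the SYSCALL record sharing its audit event id, then decodes the hex a2 argument to show that the denied execmem call was an mmap requesting read, write and execute together. The function names and the trimmed record strings are this example's own; the x86_64 syscall numbers (9 = mmap, 10 = mprotect) are the only values not taken from the page.

```python
import re

# Audit records quoted in the comments above, trimmed to the fields used here.
RECORDS = [
    'type=AVC msg=audit(1246581292.279:16254): avc: denied { execmem } for pid=17178 '
    'comm="glxinfo" tclass=process',
    'type=SYSCALL msg=audit(1246581292.279:16254): arch=c000003e syscall=9 success=no '
    'a0=7fc30198f000 a1=35000 a2=7 a3=812 comm="glxinfo" exe="/usr/bin/glxinfo"',
    'type=1400 audit(1258772111.484:44): avc: denied { execstack } for pid=4863 '
    'comm="glxinfo" tclass=process',
]
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
SYSCALLS = {9: "mmap", 10: "mprotect"}  # x86_64 numbers; prot is argument a2 in both
BOOLEAN = {"execmem": "allow_execmem", "execstack": "allow_execstack"}  # names from this report

EVENT_RE = re.compile(r"audit\((\d+\.\d+:\d+)\)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_prot(hex_value):
    """Audit prints syscall arguments in hex; return the PROT_* flags that are set."""
    value = int(hex_value, 16)
    return [name for bit, name in PROT.items() if value & bit]

def triage(lines):
    """Group records by audit event id and describe each memory-protection denial."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"perms": [], "comm": None, "call": None, "prot": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev["comm"] = fields.get("comm", ev["comm"])
        perms = PERMS_RE.search(line)
        if perms:
            ev["perms"] += perms.group(1).split()
        if fields.get("arch") == "c000003e" and fields.get("syscall", "").isdigit():
            ev["call"] = SYSCALLS.get(int(fields["syscall"]))
            if ev["call"]:
                ev["prot"] = decode_prot(fields.get("a2", "0"))
    return [{"event": eid, "comm": ev["comm"], "denied": p, "boolean": BOOLEAN[p],
             "call": ev["call"], "prot": ev["prot"]}
            for eid, ev in events.items() for p in ev["perms"] if p in BOOLEAN]

if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

The execstack record from dmesg has no accompanying SYSCALL line in the thread, so its call and prot fields stay empty.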