Bug 509679 - setroubleshoot: SELinux is preventing Xorg (xserver_t) "execmem" to <Unknown> (xserver_t).
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e7e85cd2a9f...
Reported: 2009-07-04 20:33 EDT by sangu
Modified: 2009-09-05 18:06 EDT (History)
Last Closed: 2009-07-05 21:57:17 EDT


Description sangu 2009-07-04 20:33:53 EDT
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing Xorg (xserver_t) "execmem" to <Unknown> (xserver_t).

Detailed Description:

SELinux denied access requested by Xorg. The current boolean settings do not
allow this access. If you have not setup Xorg to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_xserver_execmem,
allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allows XServer to execute writable memory
# setsebool -P allow_xserver_execmem 1
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        Xorg
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-server-Xorg-1.6.1.901-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.20-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 05 Jul 2009 09:09:23 AM
Last Seen                     Sun 05 Jul 2009 09:09:23 AM
Local ID                      6f87fdb2-2100-4880-aba0-df245219c2af
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1246752563.839:8): avc:  denied  { execmem } for  pid=1587 comm="Xorg" scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1246752563.839:8): arch=c000003e syscall=9 success=no exit=765165528 a0=7ff4c0101000 a1=78000 a2=7 a3=812 items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= xserver_t ==============
allow xserver_t self:process execmem;
Comment 1 Daniel Walsh 2009-07-05 21:57:17 EDT
Please set the boolean and do not report the bugzilla, unless you see this as a bug.

This is probably caused by you using nvidia driver.
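
Added example, not part of the original bug report: decoding the SYSCALL record from the description shows which memory request produced the execmem denial, which helps when deciding whether to set the boolean. The helper names (`decode_syscall`, `bit_names`) and the lookup tables are assumptions of this example; the flag values are the x86_64 Linux constants.

```python
import re

# x86_64 Linux values from <sys/mman.h>; only the bits needed here.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE"}
SYSCALLS = {9: "mmap", 10: "mprotect"}   # both take the protection bits in a2
AUDIT_ARCH_X86_64 = "c000003e"

# SYSCALL record from the description above, trimmed to the fields used here.
SAMPLE = ('type=SYSCALL msg=audit(1246752563.839:8): arch=c000003e syscall=9 '
          'success=no a0=7ff4c0101000 a1=78000 a2=7 a3=812 pid=1587 '
          'comm="Xorg" exe="/usr/bin/Xorg"')


def bit_names(value, table):
    """Names of the set bits, plus any unrecognised remainder in hex."""
    found = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return found + ([hex(rest)] if rest else [])


def decode_syscall(record):
    """Decode the memory-protection request in an audit SYSCALL record."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if f.get("arch") != AUDIT_ARCH_X86_64:
        raise ValueError("syscall table here covers x86_64 only")
    name = SYSCALLS.get(int(f["syscall"]))
    if name is None:
        raise ValueError("not an mmap/mprotect record")
    prot = int(f["a2"], 16)                      # audit logs a0..a3 in hex
    out = {
        "comm": f["comm"].strip('"'),
        "syscall": name,
        "length": int(f["a1"], 16),
        "prot": bit_names(prot, PROT),
        # writable and executable at once is what the execmem check targets
        "write_exec": (prot & 0x6) == 0x6,
    }
    if name == "mmap":
        out["flags"] = bit_names(int(f["a3"], 16), MAP)
    return out


if __name__ == "__main__":
    print(decode_syscall(SAMPLE))
```

For the record in this report the result is an mmap of 0x78000 bytes requesting PROT_READ, PROT_WRITE and PROT_EXEC with MAP_PRIVATE, MAP_FIXED and MAP_DENYWRITE: a private mapping that is writable and executable at the same time.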
