Bug 515625 - Execute OpenGL applications -> avc: denied { execstack }
Status: CLOSED DUPLICATE of bug 468678
Alias: None
Product: Fedora
Classification: Fedora
Component: mesa
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-08-05 02:12 UTC by sangu
Modified: 2009-10-17 03:08 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-10-17 03:08:35 UTC
Links
System ID Private Priority Status Summary Last Updated
FreeDesktop.org 24488 0 None None None Never

Description sangu 2009-08-05 02:12:39 UTC
Description of problem:
$ cat /var/log/audit/audit.log | grep execstack
[skip]
type=AVC msg=audit(1249399294.566:21455): avc:  denied  { execstack } for  pid=10868 comm="blender.bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1249399485.745:21456): avc:  denied  { execstack } for  pid=11345 comm="gnome-falling-b" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1249430143.379:20973): avc:  denied  { execstack } for  pid=1633 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1249437254.704:20980): avc:  denied  { execstack } for  pid=3052 comm="empathy" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

$ empathy
empathy: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

After doing chcon -t execmem_exec_t, the OpenGL application works well.

$ chcon -t execmem_exec_t /usr/bin/empathy

Then, whenever the selinux-policy package is updated, this issue appears again.


Version-Release number of selected component (if applicable):
3.6.26-2.fc12

How reproducible:
always

Additional info:
selinux-policy-targeted-3.6.26-2.fc12.noarch
libselinux-2.0.85-2.fc12.x86_64
policycoreutils-2.0.68-1.fc12.x86_64
checkpolicy-2.0.19-3.fc12.x86_64

Comment 1 Daniel Walsh 2009-08-05 20:48:31 UTC
Why does empathy need execstack?

Comment 2 Peter Gordon 2009-08-06 02:03:58 UTC
This doesn't seem to be Empathy-specific. From the error message given, it looks like it's the Mesa libGL code that requires execstack features. Though why that is, and why Empathy and Nautilus link to it explicitly in that way, I'm not certain.

Adam, could you look into this please? :)
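
The loader error quoted in the description ("cannot enable executable stack as shared object requires") is raised when a shared object's PT_GNU_STACK program header carries the execute flag. The following is an added example, not part of the original bug thread: a Python check that reads that header from an ELF file so the object requesting the executable stack can be identified. The names `stack_policy` and `make_elf64` are chosen here, and the sample ELF bytes are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_policy(elf: bytes) -> str:
    """Return 'exec', 'noexec' or 'unmarked' for an ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little endian
    if elf[4] == 2:                     # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_off = 4                   # p_flags follows p_type in ELF64
    else:                               # ELF32
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_off = 24                  # p_flags is the seventh word in ELF32
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", elf, base + flags_off)
            return "exec" if p_flags & PF_X else "noexec"
    return "unmarked"                   # no marking: loader applies its default

def make_elf64(stack_flags=None) -> bytes:
    """Constructed sample: minimal little-endian ELF64 header, optionally
    followed by one PT_GNU_STACK program header with the given p_flags."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    if stack_flags is None:
        return hdr
    return hdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                             0, 0, 0, 0, 0, 16)

if __name__ == "__main__":
    # Pass library or binary paths on the command line; with no arguments,
    # run against the constructed samples.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_policy(f.read()))
    if len(sys.argv) == 1:
        print("RWX sample:", stack_policy(make_elf64(7)))
        print("RW  sample:", stack_policy(make_elf64(6)))
```

Run against the libGL.so.1 that the failing process resolves, a result of `exec` identifies the library, rather than the application binary, as the source of the execstack request.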

Comment 3 Adam Jackson 2009-08-07 20:22:53 UTC
Try mesa-7.6-0.8.fc12 or newer.

Comment 4 sangu 2009-10-17 03:08:03 UTC
Oops sorry!
I use Nvidia proprietary driver.

Comment 5 sangu 2009-10-17 03:08:35 UTC

*** This bug has been marked as a duplicate of bug 468678 ***

