Description of problem:
Wanted to try out the experimental 3D support in nouveau due in F13, so I installed mesa-dri-drivers-experimental, logged back in, and attempted to enable gnome desktop effects, but selinux prevented it. (After a quick 'setenforce 0' I'm happy to see that free nvidia 3d is at least working for desktop effects!)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.11-1.fc13.noarch
selinux-policy-targeted-3.7.11-1.fc13.noarch
mesa-dri-drivers-experimental-7.8-0.18.fc13.i686

Additional info:
type=AVC msg=audit(1268166757.252:32317): avc: denied { execmem } for pid=3667 comm="compiz" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1268166757.252:32317): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a00000 a2=7 a3=22 items=0 ppid=1 pid=3667 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="compiz" exe="/usr/bin/compiz" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1268166757.254:32318): auid=500 uid=500 gid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3667 comm="compiz" sig=11
Fixed after a reboot. Should that be necessary?
No. I will change the label on compiz to be execmem_exec_t, which will allow this access.

chcon -t execmem_exec_t /usr/bin/compiz

Will do it for you until you get the update.

Fixed in selinux-policy-3.7.13-1.fc13
I cannot confirm this on my system. Also using mesa-dri-drivers-experimental and desktop effects.
I would like to be able to run compiz without it having execmem permission. There is afaik only this single report and it says: "fixed after a reboot. should that be necessary?". I think we would have gotten more reports if compiz required execmem, even using mesa-dri-drivers-experimental. By adding this file context specification I am forced to allow this or disable compiz. I cannot chcon -t bin_t /usr/bin/compiz after every policy update.
The reason we are not hearing this is most people have allow_execmem or allow_execstack turned on. The Nvidia driver is going to cause this headache. I believe this will come back if he goes back to bin_t.
selinux-policy-3.7.14-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-1.fc13
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-3.fc13
Verified fixed with the new policy - thanks.

1) boot f13alpha live (persistence disabled)
2) # ll -Z `which compiz`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/compiz
3) # yum --enablerepo updates-testing update selinux-policy
4) # ll -Z `which compiz`
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/compiz
5) # yum install mesa\*experimental
6) can now toggle desktop effects on without a selinux denial
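The denial in the report and the verification steps above share one pattern: read the AVC record to see which permission was refused and by which program, then check whether the executable carries the label the policy fix relies on. The script below is an added example, not part of the bug report or of selinux-policy. It works on constructed copies of the AVC line and the two `ls -Z` lines quoted in this thread, needs only POSIX sh, sed-free awk, and no SELinux tools to run, and the `persistent_fix` function only prints the `semanage fcontext` / `restorecon` pair that survives policy updates (the concern raised in comment 5 about re-running chcon); it does not execute anything. Reading of the SYSCALL record for context: syscall 192 on i386 is mmap2 and a2=7 is a PROT_READ|PROT_WRITE|PROT_EXEC request, which is exactly what the execmem permission governs.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an SELinux AVC denial and
# check whether the executable already has the label the fix relies on.
# Sample lines are constructed from the report (comments 0 and 9).

# Constructed sample: the AVC record from the report, on one line.
SAMPLE_AVC='type=AVC msg=audit(1268166757.252:32317): avc: denied { execmem } for pid=3667 comm="compiz" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

# Constructed sample: ls -Z output before and after the policy update.
SAMPLE_LS_BEFORE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/compiz'
SAMPLE_LS_AFTER='-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/compiz'

# Print "<permission> <comm> <source type> <tclass>" for one AVC line.
avc_summary() {
    printf '%s\n' "$1" | awk '{
        perm = ""; comm = ""; stype = ""; tclass = "";
        for (i = 1; i <= NF; i++) {
            # "denied { execmem }": the permission follows the opening brace
            if ($i == "{") perm = $(i + 1);
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm); }
            # scontext=user:role:type:range -> third component is the type
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3]; }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass); }
        }
        print perm, comm, stype, tclass
    }'
}

# Succeed when the line is an execmem denial on the process class, which is
# the case the relabel to execmem_exec_t addresses.
is_execmem_denial() {
    set -- $(avc_summary "$1")
    [ "$1" = "execmem" ] && [ "$4" = "process" ]
}

# Extract the SELinux type from one ls -Z line (4th field is the context).
label_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Succeed when the file already carries the label that permits execmem.
label_ok() {
    [ "$(label_type "$1")" = "execmem_exec_t" ]
}

# Print the commands that make the label survive policy updates and
# relabels instead of a one-off chcon: semanage records a local
# file-context override and restorecon applies it. Nothing is executed.
persistent_fix() {
    printf 'semanage fcontext -a -t execmem_exec_t "%s"\nrestorecon -v "%s"\n' "$1" "$1"
}

# Stand-alone run: triage the sample denial, then show the remedy if needed.
if is_execmem_denial "$SAMPLE_AVC"; then
    set -- $(avc_summary "$SAMPLE_AVC")
    echo "execmem denied for $2 (source type $3)"
    if label_ok "$SAMPLE_LS_BEFORE"; then
        echo "label already execmem_exec_t; nothing to do"
    else
        echo "current label: $(label_type "$SAMPLE_LS_BEFORE"); suggested fix:"
        persistent_fix /usr/bin/compiz
    fi
fi
```

On a real system the AVC line comes from `ausearch -m AVC` or /var/log/audit/audit.log and the label line from `ls -Z "$(which compiz)"`; once the updated policy ships the execmem_exec_t context for /usr/bin/compiz, the local override printed by `persistent_fix` is no longer needed and `semanage fcontext -d` removes it.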
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.