Description of problem:
glxgears w. SELinux in enforcing mode:

# glxgears
LLVM ERROR: Allocation failed when allocating new memory in the JIT
Can't allocate RWX Memory: Permission denied

type=AVC msg=audit(1320761517.596:305): avc: denied { execmem } for pid=13410 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

% rpm -a -q selinux-\*
selinux-policy-3.10.0-54.fc17.noarch
selinux-policy-targeted-3.10.0-54.fc17.noarch

% rpm -q --whatprovides "/usr/bin/glxgears"
glx-utils-7.10-5.20101028.fc16.x86_64

Using the default targeted policy. Should it be assigned to glx-utils instead?
setsebool -P allow_execmem 1

Will allow this. I am thinking of changing this around to adding a boolean deny_execmem, and then allowing people who do not want to use the desktop to turn the execmem priv off. Since so many apps seem to be using JIT, execmem priv is becoming less useful on the desktop.
Fwiw, allow_execmem is required for webkit jit/javascript functionality too (see also historical bug #604003).
And QtScript too, which is based on JavaScriptCore, i.e. the whole KDE SC requires execmem, unless we turn off the JIT and slow everything down.
selinux-policy-3.10.0-55.1.fc17 eliminates the allow_execmem boolean and replaces it with deny_execmem. So all users will now have execmem by default and you would have to actively turn this off. The only case where stuff will run with it turned off is probably non-X users.
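As an added example (not from this bug or from the selinux-policy project), the parser below pulls the fields out of AVC records like the one quoted in the report and filters for execmem denials on the process class, which is the pattern the allow_execmem / deny_execmem boolean governs. The sample log embeds the record from this bug plus one constructed non-execmem line; the demo_t / demo_file_t types in it are made up.

```python
import re

# Sample log (constructed for this example): the record quoted in this bug,
# plus one unrelated file-read denial with made-up demo_t types as a contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320761517.596:305): avc: denied { execmem } for pid=13410 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1320761520.001:306): avc:  denied  { read } for  pid=13411 comm="demo" name="secret" dev="sda1" ino=42 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, the denied permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either quoted strings or runs without whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other audit types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # user:role:type:level -> the type is what policy rules and booleans key on.
    parts = rec.get("scontext", "").split(":")
    rec["source_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def execmem_denials(log_text):
    """Return (comm, pid, source_type) for every execmem denial on the process class."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "process" and "execmem" in rec["perms"]:
            hits.append((rec.get("comm", "?"), int(rec["pid"]), rec["source_type"]))
    return hits


if __name__ == "__main__":
    for comm, pid, stype in execmem_denials(SAMPLE_AUDIT_LOG):
        print(f"execmem denied: comm={comm} pid={pid} source_type={stype}")
```

On a real system the same function can be fed the output of `ausearch -m AVC` to see which programs would break if execmem were turned off.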
I see that build went through koji two days ago, so let's just close the bug.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
*** Bug 745062 has been marked as a duplicate of this bug. ***