developers mailing list for the security enhanced linux project ()

Russell Coker | 18 Jul 15:09

libGL.so.1

type=AVC msg=audit(1279458495.111:24): avc:  denied  { execmem } for  pid=1801 
comm="ksmserver" scontext=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process
type=SYSCALL msg=audit(1279458495.111:24): arch=40000003 syscall=192 
success=no exit=-13 a0=b47ba000 a1=9000 a2=7 a3=812 items=0 ppid=1239 pid=1801 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts0 ses=4294967295 comm="ksmserver" exe="/usr/bin/ksmserver" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

# ksmserver 
ksmserver: error while loading shared libraries: libGL.so.1: failed to map 
segment from shared object: Permission denied

It seems that problems with libGL.so.1 have been around for a while, are these 
solvable without a huge amount of coding?

--

-- 
russell@...
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

headers

Stephen Smalley | 21 Jul 20:05

Re: libGL.so.1

On Sun, 2010-07-18 at 23:09 +1000, Russell Coker wrote:
> type=AVC msg=audit(1279458495.111:24): avc:  denied  { execmem } for  pid=1801 
> comm="ksmserver" scontext=unconfined_u:unconfined_r:unconfined_t:s0-
> s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tclass=process
> type=SYSCALL msg=audit(1279458495.111:24): arch=40000003 syscall=192 
> success=no exit=-13 a0=b47ba000 a1=9000 a2=7 a3=812 items=0 ppid=1239 pid=1801 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=pts0 ses=4294967295 comm="ksmserver" exe="/usr/bin/ksmserver" 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> # ksmserver 
> ksmserver: error while loading shared libraries: libGL.so.1: failed to map 
> segment from shared object: Permission denied
> 
> It seems that problems with libGL.so.1 have been around for a while, are these 
> solvable without a huge amount of coding?

Fedora has been carrying a patch to mesa to ensure that libGL.so isn't
marked with an executable stack for a long time, and I think the patch
has gone upstream in modern versions of mesa.

$ execstack -q /usr/lib64/libGL.so.1
- /usr/lib64/libGL.so.1

--

-- 
Stephen Smalley
National Security Agency

(Continue reading)

headers

Russell Coker | 24 Oct 22:45

Re: libGL.so.1

On Thu, 22 Jul 2010, Stephen Smalley <sds@...> wrote:
> > # ksmserver 
> > ksmserver: error while loading shared libraries: libGL.so.1: failed to
> > map  segment from shared object: Permission denied
> >
> > 
> >
> > It seems that problems with libGL.so.1 have been around for a while, are
> > these  solvable without a huge amount of coding?
> 
> Fedora has been carrying a patch to mesa to ensure that libGL.so isn't
> marked with an executable stack for a long time, and I think the patch
> has gone upstream in modern versions of mesa.
> 
> $ execstack -q /usr/lib64/libGL.so.1
> - /usr/lib64/libGL.so.1

xorg-x11-6.8.0-redhat-libGL-exec-shield-fixes.patch

I've been working on this one again.  Fedora has the above patch and the 
recent upstream Mesa as the following ./configure option:
--enable-selinux        Build SELinux-aware Mesa [default=disabled]

Building the SE Linux aware version doesn't seem to make any difference in my 
tests.  I still get the following failure:

# mplayer 
mplayer: error while loading shared libraries: libGL.so.1: failed to map 
segment from shared object: Permission denied
type=AVC msg=audit(1287952965.121:53): avc:  denied  { execmem } for

(Continue reading)