SELinux detects problem with proprietary binary fglrx driver; however, AMD/ATI will not help

Francis K Shim belfrancis2001 at yahoo.ca
Wed Sep 24 23:00:13 UTC 2008


I am submitting this report to this list for documentation, perspectives
and, hopefully, helpful assistance towards resolving this issue.  Sorry
in advance for the length of this post.

First reported to the Unofficial Wiki + Bugzilla of the ATI fglrx
binary, then to AMD/ATI technical support was the following issue:

I have the following configuration:
* Lenovo Thinkpad T60p
* ATI Mobility FireGL V5250 graphics card
* version 8.52.3 of the fglrx module
* Fedora 8 running version 2.6.25.14-69.fc8 of the GNU/Linux kernel

*NOTE: I have upgraded the kernel and driver from the first indications
of the problem; hence, older versions are in the bug report below.
However, the same bug persists according to both symptoms and to the
security log.

At intermittent start-ups of the X server using the fglrx driver, the X
server does not display due to a security compatibility problem between
the fglrx driver and the secure SELinux module of the GNU/Linux kernel.
The following is the report from the system log outlining the problem:

SELinux: out of range capability -157851600
------------[ cut here ]------------
kernel BUG at security/selinux/hooks.c:1332!
invalid opcode: 0000 [#1] SMP 
Modules linked in: ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss arc4
snd_seq_midi_event snd_seq ecb snd_seq_device crypto_blkcipher
snd_pcm_oss snd_mixer_oss snd_pcm i2c_i801 iwl3945 iTCO_wdt battery
iTCO_vendor_support snd_timer i2c_core ac mac80211 video thinkpad_acpi
bay snd_page_alloc irda output snd_hwdep e1000e button snd cfg80211
crc_ccitt fglrx(P)(U) pcspkr hwmon soundcore sr_mod cdrom sg usb_storage
ata_piix dm_snapshot dm_zero dm_mirror dm_mod ahci libata sd_mod
scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded:
scsi_wait_scan]

Pid: 1488, comm: Xorg Tainted: P (2.6.25.6-27.fc8 #1)
EIP: 0060:[<c04cd328>] EFLAGS: 00213246 CPU: 1
EIP is at task_has_capability+0x46/0x79
EAX: 00000030 EBX: f6976030 ECX: 00203046 EDX: 00203046
ESI: f685f200 EDI: f6959eb0 EBP: f6959ebc ESP: f6959e6c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process Xorg (pid: 1488, ti=f6959000 task=f6f98000 task.ti=f6959000)
Stack: c06d780d f6976030 f6f98000 00000003 f6f98000 f6976030 00000000
00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 f6976030 f6f98000 f69ca000 f6959ecc c04cd37a f6f98000 f9678400 
Call Trace:
[<c04cd37a>] ? selinux_capable+0x1f/0x23
[<c04c973d>] ? security_capable+0xc/0xe
[<c042ca37>] ? __capable+0xb/0x1f
[<f954e670>] ? firegl_version+0x0/0x1b0 [fglrx]
[<c042ca5b>] ? capable+0x10/0x12
[<f954e537>] ? firegl_ioctl+0xe7/0x220 [fglrx]
[<c046e370>] ? handle_mm_fault+0x64f/0x6ef
[<f9543c80>] ? ip_firegl_ioctl+0xe/0x10 [fglrx]
[<c048ad76>] ? vfs_ioctl+0x4e/0x67
[<c048aff1>] ? do_vfs_ioctl+0x262/0x279
[<c04d0226>] ? selinux_file_ioctl+0xa8/0xab
[<c048b048>] ? sys_ioctl+0x40/0x5c
[<c0405b7e>] ? syscall_call+0x7/0xb
=======================
Code: 05 00 00 89 d0 f3 ab 8b 4d b8 89 d8 b2 04 c1 f8 05 c6 45 bc 03 89
5d c4 89 4d c0 74 19 48 74 11 53 68 0d 78 6d c0 e8 6d 9e f5 ff <0f> 0b
58 5a eb fe ba 45 00 00 00 8b 46 08 83 e3 1f 0f b7 f2 8d 
EIP: [<c04cd328>] task_has_capability+0x46/0x79 SS:ESP 0068:f6959e6c
---[ end trace 93d33da5bd859df0 ]---
[fglrx:firegl_release] *ERROR* device busy: 1 0
[fglrx] release failed with code -EBUSY

-------------------- End of report -------------------

AMD/ATI's response is as follows:


I regret there is no support for Linux at this time.

Please see the following

737-28027: LINUX support for ATI Video cards


 

        LINUX support for ATI Video cards: 
        
        Although we have drivers for Linux posted on the ATI website, we
        do not provide technical support for driver or multimedia issues
        in Linux directly. 
        
        The Linux drivers available (For laptops, RADEON and All in
        wonder Products) from AMD are provided "as is". 
        
        If you are looking for drivers then go to:
        http://ati.amd.com/support/driver.html
        
        For information regarding the ATI Proprietary Linux Driver
        visit: http://www.ati.com/products/catalyst/linux.html
        
        Our web site offers several links to Linux support websites that
        may help you. 
        
        The link below has information that might be helpful to your
        case. 
        
        http://wiki.cchtml.com/index.php/Main_Page
        
        There are also very good articles from third parties: 
        
             1. http://www.rage3d.com/content/articles/atilinuxhowto/Linux_ATI.html#SECTION000140000000000000000 
             2. http://www.linux.org/help/index.html 
             3. http://www.linuxdoc.org/ 
             4. http://www.xfree86.org/
        
        To report issues with Linux drivers you can submit an online
        ticket using the “Linux Driver Feedback” category, and your
        report will be received and reviewed/tested by our driver team.
        Please note that your report will only be responded to if we
        require additional information. We do not respond to all support
        inquiries. 
        
        For the Linux Driver Feedback submission page, visit: 
        
        http://support.ati.com/ics/survey/survey.asp?deptID=894&surveyID=508&type=web
        
---------------- End of response -----------------

I could disable SELinux and I would not have this problem; however, I
was hoping that there was a much more secure or safer work-around to this
problem.

Peace,
Frank
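
Added example, not part of the original post and not code from SELinux or fglrx: a short triage script for the oops quoted above. It pulls out the rejected capability value, checks it against the two 32-bit capability words (the cap >> 5 word split is an assumption taken from the kernel's capability macros, not stated in the post), compares it with the register dump, and names the caller of capable().

```python
import re

# Lines copied from the oops quoted in the post (trimmed to what is parsed).
OOPS = """\
SELinux: out of range capability -157851600
kernel BUG at security/selinux/hooks.c:1332!
Pid: 1488, comm: Xorg Tainted: P (2.6.25.6-27.fc8 #1)
EIP is at task_has_capability+0x46/0x79
EAX: 00000030 EBX: f6976030 ECX: 00203046 EDX: 00203046
Call Trace:
[<c04cd37a>] ? selinux_capable+0x1f/0x23
[<c04c973d>] ? security_capable+0xc/0xe
[<c042ca37>] ? __capable+0xb/0x1f
[<f954e670>] ? firegl_version+0x0/0x1b0 [fglrx]
[<c042ca5b>] ? capable+0x10/0x12
[<f954e537>] ? firegl_ioctl+0xe7/0x220 [fglrx]
[<c048ad76>] ? vfs_ioctl+0x4e/0x67
[<c048b048>] ? sys_ioctl+0x40/0x5c
"""

FRAME = re.compile(r"\] \? (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?")

def triage(oops):
    cap = int(re.search(r"out of range capability (-?\d+)", oops).group(1))
    regs = dict(re.findall(r"(E[A-D]X): ([0-9a-f]{8})", oops))
    comm, taint = re.search(r"comm: (\S+) Tainted: (\S+)", oops).groups()
    frames = [(f, int(off, 16), mod or None) for f, off, mod in FRAME.findall(oops)]
    names = [f for f, _, _ in frames]
    # Frames are innermost first. '?' entries are unverified stack words; an
    # offset of 0 is a function address, not a return address, so skip those.
    after = frames[names.index("capable") + 1:]
    caller = next((f, mod) for f, off, mod in after if off != 0)
    cap_u32 = cap & 0xFFFFFFFF            # same bits viewed as an unsigned register
    return {
        "cap": cap,
        "cap_hex": f"{cap_u32:08x}",
        # Assumption: cap >> 5 selects the capability word; only 0 and 1 are valid.
        "word_index": cap >> 5,
        "in_range": (cap >> 5) in (0, 1),
        "matches_register": [r for r, v in regs.items() if int(v, 16) == cap_u32],
        "process": comm,
        "tainted": taint,
        "capable_caller": caller,
        "bug_at": re.search(r"kernel BUG at (\S+)!", oops).group(1),
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key:17} {value}")
```

On this log the rejected value has the same 32-bit pattern as EBX (f6976030), and the first module-owned return address below capable() is firegl_ioctl in fglrx, which is the detail worth attaching to a driver bug report.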





