
Re: Please disable the SELinux execstack/relro checks before FC5 final

Ivan Gyurdiev wrote:
>>> execstack -c /usr/lib*/libGL.so
> This thread is totally confusing me....
> I haven't been following exactly what's going on with this problem, but:
> - /usr/lib*/libGL.so.1 is the Mesa GL library
> - /usr/lib*/nvidia/libGL.so.1 is the Nvidia GL library, when properly
> installed via livna
> On my computer both are marked GNU_STACK RWE, which seems relevant to
> this problem (correct me if that's not true), so I'm not sure why Nvidia
> is being blamed, and Mesa is not. This is x86_64.

Don't assume the filesystem layout is the same on all machines.  For me,
the /usr/lib*/libGL.so files are the NVidia files.  This is why I
mentioned the command line above.

Whether the Mesa libraries have the same issue is another issue which
somebody might want to investigate.

I think what follows from the results I've seen so far is that it is
only a build problem on the NVidia driver's side that the E bit is set
and that it is safe to clear the bit using the execstack command.

> - I get denials attempting to execute /dev/zero, execstack, and execmem
> for glxgears with the Nvidia driver.

Do you have the DSO marked with textrel_shlib_t?  That'll always be
necessary.  Look at the driver:

  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000003fe9900000 0x0000003fe9900000 0x081258 0x081258 R E 0x100000
  LOAD           0x081260 0x0000003fe9a81260 0x0000003fe9a81260 0x02fda0 0x0318c0 RWE 0x100000
  DYNAMIC        0x0b02b8 0x0000003fe9ab02b8 0x0000003fe9ab02b8 0x000200 0x000200 RW  0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8

 Section to Segment mapping:
  Segment Sections...
   00      [RO: .hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .plt .text .rodata]
   01      .data .writetext .eh_frame .dynamic .got .bss
   02      .dynamic

They deliberately create a text section which is writable
(.data.writetext).  That segment must be writable.

> Will do more testing, but the point is that it's not clear which libGL
> library is causing the problem from this thread.
>> [jim cornette-lt ~]$ locate libGL.so.1
>> /usr/lib/libGL.so.1
>> /usr/lib/libGL.so.1.2
> Doesn't this indicate the Mesa libGL library, and not the Nvidia or ATI
> one?

That completely depends on how things are installed on your machine.

➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
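
Added example, not part of the original message: a small Python audit that reads the ELF64 program headers and reports the GNU_STACK flags and any LOAD segment that is both writable and executable, the two things visible in the listing above. The function names and the in-memory sample image are constructed for illustration; the sample mirrors the flags in the listing and shows that clearing the stack E bit leaves the RWE data segment in place.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)

def flag_str(flags):
    """Render p_flags the way readelf does, e.g. 'RWE' or 'R E'."""
    return "".join(c if flags & bit else " " for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))

def audit_elf(data):
    """Return (GNU_STACK flags or None if absent, [(vaddr, flags) of W+X LOAD segments])."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phentsize < PHDR.size or phoff + phnum * phentsize > len(data):
        raise ValueError("program header table is truncated or malformed")
    stack, wx_loads = None, []
    for i in range(phnum):
        p_type, p_flags, _off, vaddr = PHDR.unpack_from(data, phoff + i * phentsize)[:4]
        if p_type == PT_GNU_STACK:
            stack = flag_str(p_flags)
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_loads.append((vaddr, flag_str(p_flags)))
    return stack, wx_loads

def build_sample(stack_flags):
    """Constructed ELF64 image: file header plus three program headers, no contents."""
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0x0, 0x3FE9900000, 0x81258),
        (PT_LOAD, PF_R | PF_W | PF_X, 0x81260, 0x3FE9A81260, 0x2FDA0),
        (PT_GNU_STACK, stack_flags, 0, 0, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    out = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    for t, f, off, va, sz in phdrs:
        out += PHDR.pack(t, f, off, va, va, sz, sz, 0x100000 if t == PT_LOAD else 8)
    return out

if __name__ == "__main__":
    for label, flags in (("E bit set", PF_R | PF_W | PF_X), ("after execstack -c", PF_R | PF_W)):
        stack, wx = audit_elf(build_sample(flags))
        print(f"{label}: GNU_STACK={stack!r} W+X LOAD={[(hex(v), f) for v, f in wx]}")
```

To audit a real library, pass the file's bytes to audit_elf, for example the contents read from the libGL.so path on the machine in question.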

