[Pkg-fglrx-devel] Bug#514061: Workaround
Don Pellegrino
don at drexel.edu
Mon Feb 9 17:37:37 UTC 2009
In my original report I mentioned that I couldn't find the error message
with grep. The error is recorded in /var/log/audit/audit.log and I
didn't run grep -r so I initially missed it. The error is:
type=AVC msg=audit(1234196438.214:4): avc: denied { execmem } for
pid=3063 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234196438.214:4): arch=40000003 syscall=192
success=no exit=-13 a0=b7e06000 a1=6000 a2=7 a3=812 items=0 ppid=3061
pid=3063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="atieventsd"
exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
Experimentation with my local policy file shows that both execmem and
execstack are needed:
type=AVC msg=audit(1234199603.086:4): avc: denied { execstack } for
pid=3057 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234199603.086:4): arch=40000003 syscall=125
success=no exit=-13 a0=bf81d000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=3055 pid=3057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd"
exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
The basic work-around is to just assume atieventsd should be given the
security it needs and to add a local policy entry:
module local-ati 1.0.0;
require {
type initrc_t;
class process { execmem execstack };
}
# Workaround for atieventsd
allow initrc_t self:process { execmem execstack };
This policy can be added with the following commands:
# checkmodule -M -m -o local-ati.mod local-ati.te
# semodule_package -o local-ati.pp -m local-ati.mod
# semodule -i ./local-ati.pp
I am a novice SELinux user and I don't believe this is the best
work-around. For one, the allow statement appears to cover the entire
initrc_t type rather than the /usr/sbin/atieventsd binary specifically.
Second, I don't know enough to determine if this is the proper course of
action. Should a policy update be made or should this go to ATI for a
correction to the atieventsd binary itself so that it doesn't use
execmem or execstack?
Finally, it is curious that /etc/init.d/fglrx-driver start worked to
load atieventsd after boot without any problems. So it seems that
loading the process at boot time gives different behavior.
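As an added illustration that is not part of this report (and not code from the fglrx package or ATI): a small Python script that does for the two records above what audit2allow does in general. It pairs each AVC record with the SYSCALL record sharing its msg id to recover the exe= field, collapses the denials into the local-ati module shown above, and flags execmem/execstack as process permissions that weaken W^X so a reviewer sees why the resulting rule deserves scrutiny. The audit records are the ones from this report, with the SYSCALL lines trimmed to the fields the script uses.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials from the report above; the SYSCALL
# records are trimmed to the fields used here (msg id and exe=).
AUDIT_LINES = [
    'type=AVC msg=audit(1234196438.214:4): avc: denied { execmem } for pid=3063 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1234196438.214:4): syscall=192 success=no exit=-13 pid=3063 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)',
    'type=AVC msg=audit(1234199603.086:4): avc: denied { execstack } for pid=3057 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1234199603.086:4): syscall=125 success=no exit=-13 pid=3057 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)',
]
# process permissions that allow writable-and-executable memory; review before granting
RISKY_PROCESS_PERMS = {"execmem", "execstack", "execheap"}
REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(lines):
    """AVC records joined with the SYSCALL record sharing their msg id (for exe=)."""
    avcs, exes = {}, {}
    for line in lines:
        m = REC_RE.match(line)
        if not m:
            continue
        kind, msg_id, body = m.groups()
        rec = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if kind == "AVC":
            rec["perms"] = set(re.search(r'denied \{ ([^}]*) \}', body).group(1).split())
            avcs[msg_id] = rec
        elif kind == "SYSCALL":
            exes[msg_id] = rec.get("exe")
    for msg_id, rec in avcs.items():
        rec["exe"] = exes.get(msg_id)
    return list(avcs.values())

def generate_te(denials, module="local-ati", version="1.0.0"):
    """Collapse denials into the minimal .te module the report shows."""
    rules, classes = defaultdict(set), defaultdict(set)
    for d in denials:
        src, tgt = (c.split(":")[2] for c in (d["scontext"], d["tcontext"]))
        rules[(src, "self" if src == tgt else tgt, d["tclass"])] |= d["perms"]
        classes[d["tclass"]] |= d["perms"]
    types = sorted({t for (s, tg, _) in rules for t in (s, tg) if t != "self"})
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

def risky_perms(denials):
    """Permissions in the denials that would let the subject map W+X memory."""
    return {p for d in denials if d["tclass"] == "process" for p in d["perms"] & RISKY_PROCESS_PERMS}
```

The generated rule is keyed on the source type, which is why it covers every initrc_t process and not only /usr/sbin/atieventsd; the exe= field recovered from the SYSCALL record is what you would use to decide whether the binary needs its own domain instead.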