unconfined_execmem_exec_t

cgrim · #1 14th October 2008, 08:42 PM

After upgrade on Fedora 10 a lot of applications (vlc, mplayer, amarok, kino, avidemux, ...) doesn't work because of SELinux prevention. I have to run something like this for all that aplications:

Code:

chcon -t unconfined_execmem_exec_t '/usr/bin/gmplayer'

SETroubleShooter shows this:
SELinux is preventing gmplayer from changing a writable memory segment executable.
The gmplayer application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If gmplayer does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Is it really application bug or is it SELinux problem or have I some virus which attacked that applications? ;-)

SlowJet · #2 15th October 2008, 06:04 AM

I'm assuming those are new KDE-4 apps and the "what the heck are they doing now?" has been detected by the selinux man.

I would do these things,

1. yum update to the newest selinux-policy.
2. touch /.autorelabel
reboot

If the gmplayer still doesn't work,
file a bugZ then
3. SELinux Management - in Gnome it is under System, Administration
Select boolean, schroll down to global
Click on check box - Allow_execmem (way over on the right after the vey long .....allow_excmem

Besure to check selinux updates to see if it works because now any incorrect program can mix data in code pages.

Also see
man setools - schroll to bottom
man getsebool
man setsebool
for cli usage.

SJ

cgrim · #3 15th October 2008, 07:57 AM

I have everything updated on the newest version.
Yesterday I tried autorelabel, but after filling whole display by asterixes it freezes ... I waited for about one hour and nothing changed. So I restarted system. Now it's still the same

Another applications which have problems with SELinux are: blender, compiz, opera, googleEarth, k3b, glxinfo, quake3, ...

No w I enabled allow_execmem, allow_execstack and allow_execmod for global and everything started to work. -> Thank you

So I will generate a lot of bugzilla records for all that applications listed above as SELinux TroubleShooter said to me ;-)

SlowJet · #4 15th October 2008, 08:29 AM

Yeah, BZ the programs, they may not be coded clean yet.

SJ

cgrim · #5 15th October 2008, 01:10 PM

amarok
compiz
blender

... tomorrow I will continue with other programs ;-)

cgrim · #6 16th October 2008, 09:20 AM

The result is: nVidia drivers are causing this problem in the most cases. I tried to contact nVidia. Does anyone has any experiance with them? How they react on linux drivers request?

Only in k3b is another situation https://bugzilla.rpmfusion.org/show_bug.cgi?id=69

brebs · #7 16th October 2008, 10:54 AM

Quote:

Originally Posted by cgrim

I tried to contact nVidia.

Should create a thread in the nvidia forum.