Simply starting up gnome-shell/gnome-session doesn't start the desktop environment

Reproducible: Always

Steps to Reproduce:
1. nano .xinitrc
2a. exec gnome-session
2b. exec gnome-shell
3. startx

Actual Results:
A blue pinstripe background shows but no desktop or panels

Expected Results:
It should show the panels or desktop normally

gnome-base/gnome-shell-3.2.1-r3 USE="bluetooth networkmanager" 0 kB
sys-libs/glibc-2.13-r4 USE="hardened (multilib) nls -debug -gd -glibc-omitfp -profile (-selinux) -vanilla" 0 kB

Laptop with Intel HD Graphics
Created attachment 298979 [details] emerge --info
Created attachment 298981 [details] eselect mesa list
Created attachment 298983 [details] emerge -pve gnome-light
Created attachment 298985 [details] dmesg for gnome-session
Created attachment 298987 [details] dmesg for gnome-shell
Emerged and tested gnome-shell with 1 and 5 and it still fails:

 [1] x86_64-pc-linux-gnu-4.5.3 *
 [2] x86_64-pc-linux-gnu-4.5.3-hardenednopie
 [3] x86_64-pc-linux-gnu-4.5.3-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.5.3-hardenednossp
 [5] x86_64-pc-linux-gnu-4.5.3-vanilla
First, please attach your ~/.xsession-errors file after the crash; it may contain useful information.

Second, this dmesg line

> grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/gnome-shell[gnome-shell:29431] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xinit[xinit:29424] uid/euid:1000/1000 gid/egid:1000/1000

appears to indicate that your system is denying gnome-shell access to rwx memory that might be needed, for instance, for JavaScript JIT (gnome-shell is largely written in JavaScript and uses Mozilla's SpiderMonkey VM). That is almost certain to prevent gnome-shell from functioning properly, and might be the cause of your segfault.

Are there perhaps some special commands or configurations that are needed to allow rwx memory on hardened? (I frankly have no idea - neither I nor any of the other Gentoo GNOME team members run hardened systems.)
Executing paxctl -m /usr/bin/gnome-shell gets rid of the libpthread error. However, dmesg shows that there are more tasks that PaX kills, such as /usr/libexec/gnome-settings-daemon, and it still doesn't load to the desktop environment within 5 sec.

I recompiled a kernel without grsecurity and PaX and I can confirm that Gnome 3 works and loads quickly to the desktop, with code generated with the pie and ssp gcc compiler.

I need to recheck the PaX markings on other files so Gnome 3 works properly with the hardened kernel.
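Added example (not part of the original bug thread): a small shell function that summarises grsecurity "denied RWX mmap" lines like the one quoted above, so every executable hitting this denial is listed in one pass instead of being found one retry at a time. The function name rwx_denials, the sample log and the /usr/libexec/example-daemon path are constructed for illustration.

```shell
#!/bin/sh
# Added example: count grsecurity "denied RWX mmap" denials per executable.
# On a live system: dmesg | rwx_denials

rwx_denials() {
    awk '
    /grsec: denied RWX mmap of / {
        rest = $0
        # Drop the timestamp and the fixed message prefix.
        sub(/^.*grsec: denied RWX mmap of /, "", rest)
        # The denied executable follows " by " and ends at "[comm:pid]".
        i = index(rest, " by ")
        if (i == 0) next
        rest = substr(rest, i + 4)
        j = index(rest, "[")
        if (j <= 1) next
        count[substr(rest, 1, j - 1)]++
    }
    END { for (p in count) printf "%d %s\n", count[p], p }
    ' | LC_ALL=C sort -k2
}

# Constructed sample log. The first denial is the line quoted in this thread
# (timestamp added); the rest is made up, and example-daemon is hypothetical.
SAMPLE_LOG='[  101.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/gnome-shell[gnome-shell:29431] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xinit[xinit:29424] uid/euid:1000/1000 gid/egid:1000/1000
[  101.500000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
[  102.000002] grsec: denied RWX mmap of <anonymous mapping> by /usr/libexec/example-daemon[example-daemon:29440] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xinit[xinit:29424] uid/euid:1000/1000 gid/egid:1000/1000
[  140.000003] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/gnome-shell[gnome-shell:29502] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xinit[xinit:29495] uid/euid:1000/1000 gid/egid:1000/1000'

# Output format: "<denial count> <executable path>", one line per executable.
printf '%s\n' "$SAMPLE_LOG" | rwx_denials
```

Each path listed is a candidate for review before its PaX flags are relaxed with paxctl.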
Created attachment 299041 [details] dmesg gnome-settings-daemon PAX termination

New error generated after paxctl -m /usr/bin/gnome-settings solves error in attachments 298985 and 298987
Okay, I got the proper PaX marking for gnome-shell so that it works normally with a hardened kernel with grsecurity and PaX enabled. Executing

paxctl -z /usr/bin/gnome-shell #restore defaults
paxctl -xemr /usr/bin/gnome-shell

fixes all the problems that I have been having. Just disable RANDMMAP (-r) and disable MPROTECT (-m); xe were the original values.
Orson, thank you for your investigation.

The gnome-shell-3.2.2.1 ebuild that I have just added to portage should automatically call paxctl to disable RANDMMAP and MPROTECT for /usr/bin/gnome-shell. Please verify that this really works and that you can run gnome-shell without needing to manually paxctl it.

@hardened, if 'pax-mark mr "${ED}usr/bin/gnome-shell"' in src_install() is the wrong way to go about this, please say something.

>*gnome-shell-3.2.2.1 (21 Jan 2012)
>
>  21 Jan 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -gnome-shell-3.2.1-r1.ebuild, -gnome-shell-3.2.1-r2.ebuild,
>  -files/gnome-shell-3.2.1-messageTray-reduce-fade.patch,
>  -files/gnome-shell-3.2.1-theme-lighten-sent-message.patch,
>  +gnome-shell-3.2.2.1.ebuild:
>  Bump, fixes lots of crashes, rendering errors, and memory leaks (in network
>  menu, notifications, workspace thumbnails, icons, etc.) Also, mark
>  gnome-shell executable to allow running under hardened/PaX (bug #398941,
>  thanks to Orson Teodoro). Drop old.
Yes, the gnome-shell-3.2.2.1.ebuild properly applies the PaX markings and gnome-shell works properly.
The same change has also been applied to >=cinnamon-1.2, since it is a close fork of gnome-shell.