Without 'paxctl -m /usr/bin/celestia' it fails to run:
[178651.095191] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/celestia[celestia:10082] uid/euid:1101/1101 gid/egid:1101/1101, parent /bin/bash[bash:9703] uid/euid:1101/1101 gid/egid:1101/1101
[178651.095214] celestia[10082]: segfault at ffffffffffffffff ip 00000287f10645b1 sp 0000039cbb9aefe0 error 6 in i915g_dri.so[287f0e0b000+36b000]
[178651.095258] grsec: Segmentation fault occurred at ffffffffffffffff in /usr/bin/celestia[celestia:10082] uid/euid:1101/1101 gid/egid:1101/1101, parent /bin/bash[bash:9703] uid/euid:1101/1101 gid/egid:1101/1101
[178651.095298] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/celestia[celestia:10082] uid/euid:1101/1101 gid/egid:1101/1101, parent /bin/bash[bash:9703] uid/euid:1101/1101 gid/egid:1101/1101
Please confirm with 1.6.1. If it persists, could you file a bug upstream?
Confirmed for 1.6.1, sorry for the delay.
@hardened: please apply any fix you deem necessary
21 Feb 2012; Kacper Kowalik <xarthisius@gentoo.org> celestia-1.6.1.ebuild: Pax mark m main binary wrt bug 365359 by Nikoli <nikoli@lavabit.com> Thanks to Zorry for testing.
Now celestia works fine without paxctl -m, I have Radeon HD6770 with gallium driver, llvm is disabled:
[ebuild R ~] media-libs/mesa-8.0.3 USE="egl g3dvl gallium gbm nptl openvg pax_kernel shared-glapi vdpau xa -bindist -classic -d3d -debug -gles1 -gles2 -llvm -osmesa -pic (-selinux) -shared-dricore -wayland -xvmc" VIDEO_CARDS="r600 radeon -i915 -i965 -intel -nouveau -r100 -r200 -r300 -vmware" 0 kB
Please remove pax-mark from the celestia ebuild, it is a bug in _some_ video drivers: users need to pax mark every bin using libGL.so. nouveau drivers still have this problem (bug #432520), radeon foss drivers work fine (even with llvm enabled), I do not know about others.
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/x11-drivers/ati-drivers/ati-drivers-13.12.ebuild?view=markup&revision=1.2
if use pax_kernel; then
	ewarn "Please run \"revdep-pax -s libGL.so.1 -me\" after installation and"
	ewarn "after you have run \"eselect opengl set ati\". Executacle"
	ewarn "revdep-pax is part of package sys-apps/elfix."
fi
(In reply to Nikoli from comment #6)
> Please remove pax-mark from celestia ebuild, it is bug in _some_ video
> drivers: users need to pax mark every bin using libGL.so. nouveau drivers
> still have this problem bug #432520, radeon foss drivers work fine (even
> with llvm enabled), do not know about other.
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/x11-drivers/ati-
> drivers/ati-drivers-13.12.ebuild?view=markup&revision=1.2
> if use pax_kernel; then
> ewarn "Please run \"revdep-pax -s libGL.so.1 -me\" after
> installation and"
> ewarn "after you have run \"eselect opengl set ati\".
> Executacle"
> ewarn "revdep-pax is part of package sys-apps/elfix."
> fi

Maybe instead of removing it we could say "You may need to run"? Or is this entirely unneeded?
I think it is not needed in the celestia package and in other packages using opengl. The warning should be displayed by the video driver packages, because they are the source of the problem.
If no one disagrees in the next few hours I'm going to make this commit.
Removed pax-mark. I agree, if a user wants to use binary drivers with this issue they can use revdep-pax.
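
Added example, not part of the bug thread or of any Gentoo tool: a triage script that pairs each "grsec: denied RWX mmap" line with the segfault line of the same pid and reports which shared object the crash landed in, which is how the log in the first comment points at the DRI driver rather than at celestia. The first two sample lines are copied from that comment, the last two are constructed; the function names correlate and by_object are hypothetical.

```python
import re
from collections import defaultdict

# Lines 1-2 are from the report in the first comment; lines 3-4 are constructed.
SAMPLE_LOG = """\
[178651.095191] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/celestia[celestia:10082] uid/euid:1101/1101 gid/egid:1101/1101, parent /bin/bash[bash:9703] uid/euid:1101/1101 gid/egid:1101/1101
[178651.095214] celestia[10082]: segfault at ffffffffffffffff ip 00000287f10645b1 sp 0000039cbb9aefe0 error 6 in i915g_dri.so[287f0e0b000+36b000]
[178700.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/exampleapp[exampleapp:11000] uid/euid:1101/1101 gid/egid:1101/1101, parent /bin/bash[bash:9703] uid/euid:1101/1101 gid/egid:1101/1101
[178700.000050] unrelated kernel message
"""

DENIED = re.compile(
    r"grsec: denied RWX mmap of .+? by (?P<path>/\S+?)\[[^:\]]+:(?P<pid>\d+)\]")
SEGV = re.compile(
    r"\] \S+\[(?P<pid>\d+)\]: segfault at \S+ ip (?P<ip>[0-9a-f]+) .* "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def correlate(log_text):
    """One record per process denied an RWX mapping, plus where it crashed (if it did)."""
    denied, crashes = {}, {}
    for line in log_text.splitlines():
        if (m := DENIED.search(line)):
            denied.setdefault(int(m["pid"]), m["path"])
        elif (m := SEGV.search(line)):
            ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
            # Report an offset only when the faulting ip is inside the named mapping.
            inside = base <= ip < base + size
            crashes[int(m["pid"])] = (m["obj"], hex(ip - base) if inside else None)
    report = []
    for pid, path in denied.items():
        obj, offset = crashes.get(pid, (None, None))
        report.append({"binary": path, "pid": pid,
                       "faulting_object": obj, "offset": offset})
    return report

def by_object(report):
    """Group denied binaries by the object they crashed in (None = no crash logged)."""
    groups = defaultdict(set)
    for rec in report:
        groups[rec["faulting_object"]].add(rec["binary"])
    return {obj: sorted(bins) for obj, bins in groups.items()}

if __name__ == "__main__":
    for obj, bins in by_object(correlate(SAMPLE_LOG)).items():
        print(obj, "<-", ", ".join(bins))
```

Several unrelated binaries grouping under one driver object is the pattern the thread describes: the marking belongs with the driver (revdep-pax against libGL.so.1), not in each application's ebuild.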