Re: Selinux and Nvidia drivers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 31 May 2011 10:30:21 -0400, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/30/2011 06:40 AM, Alexander Volovics wrote:
>> On Mon, May 30, 2011 at 07:25:45PM +0900, Misha Shnurapet wrote:
>> 
>>> 30.05.2011, 18:47, "Alexander Volovics" <a.volovic@xxxxxxxxxx>:
>>>> Wat is the reaction of selinux to the nvidia driver. Does selinux try
>>>> to prevent the nvidia driver from being loaded?
>>  
>>> Nope. I've been using them together and experienced no issues.
>> 
>> Thanks. Then I guess I should finally start reading up on selinux and
>> not trust my 'intuition' anymore. I thought the nvidia driver being a
>> "fremdkÃrper" and all ...
>> 
>> Alexander
>> 
> Sometimes the nvidia driver device can be mislabled, which can cause
> SELinux issues.  In the past we have had problems with nvidia requiring
> GUI apps to need execstack and execmem, but we are now allowing these by
> default.


Dan, that's nice to know. The NVidia installer does the following:

      Linux installations using SELinux (Security-Enhanced Linux)
      require that the security type of all shared libraries be
      set to 'shlib_t' or 'textrel_shlib_t', depending on the
      distribution. nvidia-installer will detect when to set the
      security type, and set it using chcon(1) on the shared
      libraries it installs.  If the execstack(8) system utility
      is present, nvidia-installer will use it to also clear the
      executable stack flag of the libraries.  Use this option to
      override nvidia-installer's detection of when to set the
      security type.  Valid values for FORCE-SELINUX are 'yes'
      (force setting of the security type), 'no' (prevent setting
      of the security type), and 'default' (let nvidia-installer
      decide when to set the security type).

That's the documentation from <driver-name> --advanced-options. I also 
use a script with semanage fcontext to clean up some issues. I should try 
not running the script next time I upgrade and see if there are 
performance issues / SELinux warnings (I normally run in permissive mode).

If I do find issues, should I report it on the Fedora buglist (change in 
SELinux policy), NVidia forum (change in their installer script), or both?

. . . . just my two cents.

/mde/

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux