On Wed, 2004-04-28 at 11:40 -0400, Daniel J Walsh wrote:
> Andrew Farris wrote:
>
> >I am working toward getting Enforcing mode to work with the nvidia
> >binary drivers, and having some difficulties. I see that there is some
> >policy with this intention, but it is not quite adequate yet, as below.
> >Some hints how to proceed, or solutions to this would be appreciated.
> >Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
> >
> >Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
> >denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo
> >name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
> >tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
> >
> >Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
> >denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears
> >name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
> >tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
> >
> >To relabel the devices I uncommented the definition of
> >xserver_misc_device_t from ./types/device.te, and added the following
> >line to ./file_contexts/program/xserver.fc (then make reload, followed
> >by setfiles on these devices).
> >
> >/dev/nvidia.* system_u:object_r:xserver_misc_device_t
> >
> >And I rely on these (there are 4) lines in policy.conf after the make (I
> >do not understand how these are generated yet).
> >
> >allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
> >lock write append };
>
> Did setting the context to
>
> xserver_misc_device_t
>
> get it to work?
>
> Dan

Sorry about the extra size email, it is confusing.

Yes, running with the /dev/nvidia* devices labeled as xserver_misc_device_t
will allow the X server to run and login, etc. However it does NOT allow
glxinfo or glxgears to run (they complain about access permissions to
/dev/nvidiactl).
I need policy that will allow user programs access { read write } to
/dev/nvidiactl before any OpenGL apps will run with these drivers (the same
issue happens for Quake3, AAOps.. not just these GL test tools). Perhaps the
solution involves including each game in games.fc?

The same problem may exist for running with the new nvidia dri software for
OpenGL, I did not check yet, but will. If the problem does not exist for that
then a similar setup for nvidiactl may work, I'm not sure.

-- 
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora@xxxxxxxxxxxxxxxx :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men to do
nothing." (Edmond Burke)
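The avc denials quoted in the thread translate mechanically into the allow rule Andrew says he needs. The Python below is added here and is not part of the thread or of the SELinux tooling: it is a simplified stand-in for audit2allow, the two audit lines are copied from the message (re-joined, since the mail wrapped them), and the names AVC_RE, parse_denials and allow_rules are my own.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, each re-joined onto one line.
AVC_LOG = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
"""

# Pull the permission set, both contexts and the object class out of one avc line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log):
    """Yield (source_type, target_type, tclass, perms) for every avc: denied line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))


def allow_rules(log):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    # Both glxinfo and glxgears run as user_t, so they collapse into a single rule.
    for rule in allow_rules(AVC_LOG):
        print(rule)
```

The single rule that comes out, `allow user_t xserver_misc_device_t:chr_file { read write };`, is the user_t counterpart of the user_xserver_t rule quoted from policy.conf; it grants every user_t process the access, which is the scope Andrew is asking about.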