On 05/07/2012 02:29 PM, Mark Dalton wrote:
> I was not able to get VirtualGL and selinux to work together. It is
> something during boot time it seems. I have tried generating rules based
> on audit/audit.log.
>
> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states they
> don't know how to make it work either.
>
> I have tried in permissive mode after boot and that did not work either,
> which is why I think it is something during boot time. Like the device
> setup. My guess is related to: /dev/dri as it sets up these and then access
> to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers group (in
> my case it can be configured with/without group restriction).
>
> From VirtualGL website they also have:
>
>
> vglgenkey Issues
>
> Currently, the only known way to make vglgenkey work (vglgenkey is used
> to grant 3D X Server access to members of the vglusers group) is to
> disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
> hidden within the context of the GDM startup scripts, so vglgenkey has no
> way of generating or importing an xauth key to
> /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
> denied to /etc/opt/VirtualGL/ as well.)
>
> Perhaps someone with a greater knowledge of SELinux can explain how to
> disable enforcement only for GDM and not the whole system.
>
> I had reinstalled that previous machine and don't have the other rules I
> applied.
>
> I repeated this on another machine, and did not run any audit2allow.
>
> Also there are 2 problems:
> 1. Boot time problem with the VirtualGL which seems to generate a avc
>    message. (Fails if the machine is not booted in permissive or disabled
>    mode)
> 2. A problem with xauth when setenforce is enforcing. (This works if
>    setenforce is permissive or disabled regardless of the boot time
>    settings).
>
> The machine policy is set to targeted.
>
> Attached is the longer data with strace.
>
> The xauth does not seem to generate any audit.log messages even with
> semodule -DB, but if I turn selinux to permissive the xauth commands
> succeed.
>
>
>
> To clarify:
> - It works if the system is booted with /etc/selinux/config
>   SELINUX=permissive or SELINUX=disable
> - It fails if the system is booted with /etc/selinux/config
>   SELINUX=enforcing
>   * Even if after the boot 'setenforce 0' is run
> - My
>
> I do get avc message, note this is running in permissive mode.
>
> [root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
>
> [root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
> ls: cannot access /dev/dri: No such file or directory
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
>
> Mark
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Can you boot in permissive mode?

What avc messages are you seeing?

ausearch -m avc -ts recent
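The reply asks for the actual AVC records, and the only line the poster's grep turned up is a USER_AVC "received policyload notice", which is an informational event rather than a denial. The script below is an added example, not something posted in this thread; it filters audit records down to real denials (type=AVC records containing "avc:  denied") and prints the fields that matter for diagnosis: the process name, the requested permission, source and target contexts, and the object class. The audit lines it parses are constructed for the demonstration: the USER_AVC line mirrors the one quoted above, while the two denial lines, including the contexts xdm_t, etc_t and xauth_exec_t and the pids, are hypothetical and were not observed on the poster's machine.

```shell
#!/bin/sh
# Added example: separate real SELinux denials from informational AVC
# events and summarise them. Not code from the thread or from VirtualGL.

# Constructed sample audit records. The USER_AVC line is shaped like the
# one quoted in the thread; the type=AVC lines are hypothetical denials in
# the format auditd writes (contexts and pids are made up for the example).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1331199800.100:70540): avc:  denied  { write } for  pid=4001 comm="xauth" name="vgl_xauth_key" dev=dm-0 ino=12345 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1331199802.711:70545): pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=AVC msg=audit(1331199803.200:70550): avc:  denied  { read } for  pid=4002 comm="xauth" path="/usr/bin/xauth" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print one line per real denial as
# "comm permission scontext tcontext tclass". Policyload notices and
# other USER_AVC records are dropped because they are not denials.
avc_denials() {
    awk '
        /^type=AVC / && index($0, "avc:  denied") {
            comm = ""; sc = ""; tc = ""; cls = ""
            # The permission sits between "{ " and " }".
            s = index($0, "{ "); e = index($0, " }")
            perm = substr($0, s + 2, e - s - 2)
            # Walk the key=value fields and keep the ones we report on.
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "comm") { gsub(/"/, "", v); comm = v }
                else if (k == "scontext") sc = v
                else if (k == "tcontext") tc = v
                else if (k == "tclass") cls = v
            }
            print comm, perm, sc, tc, cls
        }'
}

# Helpers over the constructed sample so the result can be checked.
sample_denials() { sample_audit | avc_denials; }
sample_denial_count() { sample_denials | wc -l | tr -d ' '; }
first_sample_denial() { sample_denials | head -n 1; }

# Stand-alone run: prints the two constructed denials, not the notice.
sample_denials
```

On a real machine the same filter applies to live output, e.g. `ausearch -m avc -ts recent | avc_denials`. If nothing comes back while a program still fails only in enforcing mode, the denial is usually hidden by a dontaudit rule; `semodule -DB` disables those rules so the records appear, and `semodule -B` restores them afterwards.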