Re: VirtualGL/TurboVNC and selinux

[Mark Dalton <mdalton@xxxxxxxxxxxxx>]

On 05/07/2012 02:32 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/07/2012 02:29 PM, Mark Dalton wrote:
> > I was not able to get VirtualGL and selinux to work together. It is
> > something during boot time it seems.  I have tried generating rules based
> > on audit/audit.log.
> >
> > The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states they
> > don't know how to make it work either.
> >
> > I have tried in permissive mode after boot and that did not work either,
> > which is why I think it is something during boot time.  Like the device
> > setup. My guess is related to: /dev/dri as it sets up these and then access
> > to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers group (in
> > my case it can be configured with/without group restriction).
> >
> >  From VirtualGL website they also have:
> >
> >
> > vglgenkey Issues
> >
> > Currently, the only known way to make |vglgenkey| work (|vglgenkey| is used
> > to grant 3D X Server access to members of the |vglusers| group) is to
> > disable SELinux. With SELinux enabled, the *//usr/bin/xauth/* file is
> > hidden within the context of the GDM startup scripts, so |vglgenkey| has no
> > way of generating or importing an xauth key to
> > *//etc/opt/VirtualGL/vgl_xauth_key/* (and, for that matter, access is
> > denied to *//etc/opt/VirtualGL/* as well.)
> >
> > Perhaps someone with a greater knowledge of SELinux can explain how to
> > disable enforcement only for GDM and not the whole system.
> >
> > I had reinstalled that previous machine and don't have the other rules I
> > applied.
> >
> > I repeated this on another machine, and did not run any audit2allow.
> >
> > Also there are 2 problems: 1. Boot time problem with the VirtualGL which
> > seems to generate a avc message.  (Fails if the machine is not booted in
> > permissive or disabled mode) 2. A problem with xauth when setenforce is
> > enforcing. (This works if setenforce is permissive or disabled regardless
> > of the boot time settings).
> >
> > The machine policy is set to targeted.
> >
> > Attached is the longer data with strace.   The xauth does not seem to
> > generate any audit.log messages even with semodule -DB, but if I turn
> > selinux to permissive the xauth commands succeed.
> >
> >
> >
> > To clarify: - It works if the system is booted with /etc/selinux/config
> > SELINUX=permissive or SELINUX=disable - It fails if the system is booted
> > with /etc/selinux/config SELINUX=enforcing * Even if after the boot
> > 'setenforce 0' is run - My
> >
> > I do get avc message, note this is running in permissive mode. [root@amelie
> > mdalton]# grep -i avc /var/log/audit/audit.log type=USER_AVC
> > msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756
> > subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice
> > (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
> >
> > [root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia* ls: cannot access
> > /dev/dri: No such file or directory crw-rw----. root vglusers
> > system_u:object_r:device_t:s0    /dev/nvidia0 crw-rw----. root vglusers
> > system_u:object_r:device_t:s0    /dev/nvidiactl
> >
> > Mark
> >
> >
> >
> > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Can you boot in permissive mode?  What avc messages are you seeing?
>
> ausearch -m avc -ts recent
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk+oFS4ACgkQrlYvE4MpobMklgCfeLpmGmqt14kHw7AdU3X1z6pj
> DLwAn2syj9BkDDaY2IjSF2WbPurW+tGZ
> =jGq8
> -----END PGP SIGNATURE-----

I did not see anything obviously useful to me..   The attachment also 
had some information.
My goal is to find a way to keep selinux enabled and run VirtualGL.

Thank you for your quick response.

Mark

First boot:
[root@amelie log]# ausearch -m avc -ts recent
----
time->Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 
success=yes exit=0 a0=1f0d870 a1=1f0d5a0 a2=1f0c5e0 a3=10 items=0 
ppid=1981 pid=1982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc:  denied  { read write } 
for  pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs 
ino=5164 scontext=system_u:system_r:portreserve_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.230:120): arch=c000003e syscall=47 
success=yes exit=17 a0=4 a1=7fff41541fb0 a2=40000000 a3=4000 items=0 
ppid=1 pid=1983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.230:120): avc:  denied  { read } for  
pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 
ino=1183821 scontext=system_u:system_r:portreserve_t:s0 
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
----
time->Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.251:122): arch=c000003e syscall=59 
success=yes exit=0 a0=b3b790 a1=b3b7d0 a2=b3a5e0 a3=10 items=0 ppid=1989 
pid=1990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" 
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336416897.251:122): avc:  denied  { read } for  
pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 
scontext=system_u:system_r:irqbalance_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59 
success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0 
ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.640:148): avc:  denied  { read write } 
for  pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs 
ino=5164 scontext=system_u:system_r:portreserve_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47 
success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0 
ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.647:149): avc:  denied  { read } for  
pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 
ino=1183821 scontext=system_u:system_r:portreserve_t:s0 
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59 
success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0 
ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" 
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336417372.666:150): avc:  denied  { read } for  
pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 
scontext=system_u:system_r:irqbalance_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file


Second boot and test:
[root@amelie mdalton]# ausearch -m avc -ts recent
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59 
success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0 
ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.640:148): avc:  denied  { read write } 
for  pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs 
ino=5164 scontext=system_u:system_r:portreserve_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47 
success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0 
ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.647:149): avc:  denied  { read } for  
pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 
ino=1183821 scontext=system_u:system_r:portreserve_t:s0 
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
----
time->Mon May  7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59 
success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0 
ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" 
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336417372.666:150): avc:  denied  { read } for  
pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 
scontext=system_u:system_r:irqbalance_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux