On 05/07/2012 03:12 PM, Mark Dalton wrote:
> On 05/07/2012 02:32 PM, Daniel J Walsh wrote:
> On 05/07/2012 02:29 PM, Mark Dalton wrote:
>>>> I was not able to get VirtualGL and selinux to work together. It is
>>>> something during boot time it seems. I have tried generating rules
>>>> based on audit/audit.log.
>>>>
>>>> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states
>>>> they don't know how to make it work either.
>>>>
>>>> I have tried in permissive mode after boot and that did not work
>>>> either, which is why I think it is something during boot time. Like
>>>> the device setup. My guess is related to: /dev/dri as it sets up
>>>> these and then access to the /dev/nvidia0 and /dev/nvidiactl are
>>>> restricted to vglusers group (in my case it can be configured
>>>> with/without group restriction).
>>>>
>>>> From VirtualGL website they also have:
>>>>
>>>> vglgenkey Issues
>>>>
>>>> Currently, the only known way to make vglgenkey work (vglgenkey
>>>> is used to grant 3D X Server access to members of the vglusers
>>>> group) is to disable SELinux. With SELinux enabled, the
>>>> /usr/bin/xauth file is hidden within the context of the GDM
>>>> startup scripts, so vglgenkey has no way of generating or importing
>>>> an xauth key to /etc/opt/VirtualGL/vgl_xauth_key (and, for that
>>>> matter, access is denied to /etc/opt/VirtualGL/ as well.)
>>>>
>>>> Perhaps someone with a greater knowledge of SELinux can explain how
>>>> to disable enforcement only for GDM and not the whole system.
>>>>
>>>> I had reinstalled that previous machine and don't have the other
>>>> rules I applied.
>>>>
>>>> I repeated this on another machine, and did not run any audit2allow.
>>>>
>>>> Also there are 2 problems:
>>>> 1. Boot time problem with the VirtualGL which seems to generate an
>>>>    avc message. (Fails if the machine is not booted in permissive or
>>>>    disabled mode)
>>>> 2. A problem with xauth when setenforce is enforcing. (This works if
>>>>    setenforce is permissive or disabled regardless of the boot time
>>>>    settings).
>>>>
>>>> The machine policy is set to targeted.
>>>>
>>>> Attached is the longer data with strace. The xauth does not seem
>>>> to generate any audit.log messages even with semodule -DB, but if I
>>>> turn selinux to permissive the xauth commands succeed.
>>>>
>>>> To clarify:
>>>> - It works if the system is booted with /etc/selinux/config
>>>>   SELINUX=permissive or SELINUX=disable
>>>> - It fails if the system is booted with /etc/selinux/config
>>>>   SELINUX=enforcing * Even if after the boot 'setenforce 0' is run
>>>> - My
>>>>
>>>> I do get avc message, note this is running in permissive mode.
>>>> [root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
>>>> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28
>>>> auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received
>>>> policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=?
>>>> terminal=?'
>>>>
>>>> [root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
>>>> ls: cannot access /dev/dri: No such file or directory
>>>> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
>>>> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
>>>>
>>>> Mark
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Can you boot in permissive mode? What avc messages are you seeing?
>
> ausearch -m avc -ts recent
>
> I did not see anything obviously useful to me.. The attachment also had
> some information. My goal is to find a way to keep selinux enabled and run
> VirtualGL.
>
> Thank you for your quick response.
>
> Mark
>
> First boot:
> [root@amelie log]# ausearch -m avc -ts recent
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59
> success=yes exit=0 a0=1f0d870 a1=1f0d5a0 a2=1f0c5e0 a3=10 items=0
> ppid=1981 pid=1982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336416897.225:118): avc: denied { read write } for
> pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:portreserve_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.230:120): arch=c000003e syscall=47
> success=yes exit=17 a0=4 a1=7fff41541fb0 a2=40000000 a3=4000 items=0
> ppid=1 pid=1983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336416897.230:120): avc: denied { read } for
> pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
> ino=1183821 scontext=system_u:system_r:portreserve_t:s0
> tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.251:122): arch=c000003e syscall=59
> success=yes exit=0 a0=b3b790 a1=b3b7d0 a2=b3a5e0 a3=10 items=0
> ppid=1989 pid=1990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
> exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0
> key=(null)
> type=AVC msg=audit(1336416897.251:122): avc: denied { read } for
> pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:irqbalance_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59
> success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0
> ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.640:148): avc: denied { read write } for
> pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:portreserve_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47
> success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0
> ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.647:149): avc: denied { read } for
> pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
> ino=1183821 scontext=system_u:system_r:portreserve_t:s0
> tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59
> success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0
> ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
> exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0
> key=(null)
> type=AVC msg=audit(1336417372.666:150): avc: denied { read } for
> pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:irqbalance_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
>
> Second boot and test:
> [root@amelie mdalton]# ausearch -m avc -ts recent
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59
> success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0
> ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.640:148): avc: denied { read write } for
> pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:portreserve_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47
> success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0
> ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
> exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.647:149): avc: denied { read } for
> pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
> ino=1183821 scontext=system_u:system_r:portreserve_t:s0
> tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59
> success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0
> ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
> exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0
> key=(null)
> type=AVC msg=audit(1336417372.666:150): avc: denied { read } for
> pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
> scontext=system_u:system_r:irqbalance_t:s0
> tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
>

Turn off the dontaudit rules and then send me the log compressed.

# semodule -DB
# reboot
# ausearch -m avc -i -ts recent | gzip -c > /tmp/audit.log.tgz
# semodule -B
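The thread's diagnostic loop is `ausearch -m avc -ts recent` (and, with dontaudit rules disabled, a much longer log). As an added example, written by the editor and not code from either participant, the VirtualGL project or the Fedora SELinux policy, the shell script below collapses a run of audit records into one line per distinct source type / target type / object class / permission set with a count, so a repeated boot-time denial shows up once instead of once per boot. It also skips `type=USER_AVC` records such as the `policyload notice` that a plain `grep -i avc` matches, which is not a denial at all. The sample records are copied from the thread above; the function names are the editor's own.

```shell
#!/bin/sh
# Added example (editor's own): summarise SELinux AVC denials from audit
# records so that repeated denials collapse to one row each.

# Constructed sample input: the USER_AVC policyload notice plus four of the
# AVC/SYSCALL records quoted in the thread. In real use, pipe the output of
#   ausearch -m avc -ts recent
# into summarize_avc instead.
SAMPLE_LOG=$(cat <<'EOF'
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 success=yes exit=0 ppid=1981 pid=1982 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc:  denied  { read write } for pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1336416897.230:120): avc:  denied  { read } for pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 ino=1183821 scontext=system_u:system_r:portreserve_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1336417372.640:148): avc:  denied  { read write } for pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1336417372.666:150): avc:  denied  { read } for pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
EOF
)

# summarize_avc: read audit records on stdin and print one line per distinct
# "<source type> -> <target type> <class> { perms }" tuple, prefixed by how
# many times it was seen, most frequent first. Only type=AVC records that
# carry "denied" are counted; SYSCALL, time-> and USER_AVC lines are ignored.
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop everything from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # user:role:type:level -> keep only the type component
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " -> " t[3] " " cls " { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# distinct_denials: number of distinct tuples in the records on stdin.
distinct_denials() { summarize_avc | wc -l | tr -d ' '; }

# count_for KEY: print the count for one tuple, e.g.
#   count_for 'portreserve_t -> console_device_t chr_file { read write }'
# Prints nothing if the tuple never occurred.
count_for() {
    summarize_avc | awk -v want="$1" '{ n = $1; $1 = ""; sub(/^ /, ""); if ($0 == want) print n }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_avc
```

Running it on the sample prints three rows; the `portreserve_t -> console_device_t chr_file { read write }` row has count 2 because the same denial appears in both boots, while the nscd `policyload notice` record contributes nothing. Against a real `semodule -DB` log the tally is what makes the dontaudit noise manageable: the rows that appear only when the machine is booted enforcing, and only for the VirtualGL-related types, are the ones worth chasing.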