Daniel Walsh resolved this it seems. I will attempt to repeat this
on another fresh install.
semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'
restorecon -R -v /etc/opt/VirtualGL
Thank you!
Mark
On 05/07/2012 02:29 PM, Mark Dalton wrote:
I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems. I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time. Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).
From VirtualGL website they also have:

vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is
used to grant 3D X Server access to members of the vglusers group)
is to disable SELinux. With SELinux enabled, the /usr/bin/xauth file
is hidden within the context of the GDM startup scripts, so vglgenkey
has no way of generating or importing an xauth key to
/etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
denied to /etc/opt/VirtualGL as well.)

Perhaps someone with a greater knowledge of SELinux can explain how
to disable enforcement only for GDM and not the whole system.
I had reinstalled that previous machine and don't
have the other rules I applied.
I repeated this on another machine, and did not run any
audit2allow.
Also there are 2 problems:
1. Boot time problem with the VirtualGL which seems to generate an
   avc message. (Fails if the machine is not booted in permissive or
   disabled mode)
2. A problem with xauth when setenforce is enforcing.
   (This works if setenforce is permissive or disabled regardless
   of the boot time settings).
The machine policy is set to targeted.
Attached is the longer data with strace. The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.
To clarify:
- It works if the system is booted with /etc/selinux/config
    SELINUX=permissive
  or
    SELINUX=disable
- It fails if the system is booted with /etc/selinux/config
    SELINUX=enforcing
  * Even if after the boot 'setenforce 0' is run
- My
I do get avc message, note this is running in permissive mode.
[root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
[root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
Mark
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
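
An added example, not part of the original messages: a shell filter that reads audit.log text and lists only real AVC denials, skipping USER_AVC policy-load notices like the one in the grep output above. The function names and the two denial records are constructed for illustration; they are not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list real AVC denials from audit.log
# text on stdin, ignoring USER_AVC policy-load notices.

# One output line per denial: <perms> <comm> <source_type> <target_type> <class>
avc_denials() {
    awk '
    /avc:[ ]+denied/ {
        perms = comm = st = tt = cls = "?"
        # Permissions are the words between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        print perms, comm, st, tt, cls
    }'
}

# Sample input: the first record is the policy-load notice quoted in the
# thread; the two type=AVC records are constructed, not real log data.
sample_log() {
    cat <<'EOF'
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=AVC msg=audit(1336415000.123:101): avc:  denied  { write } for  pid=2101 comm="vglgenkey" name="VirtualGL" dev=dm-0 ino=131 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1336415000.125:102): avc:  denied  { create write } for  pid=2101 comm="vglgenkey" name="vgl_xauth_key" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

sample_log | avc_denials
```

On a real system the same filter can be fed with `avc_denials < /var/log/audit/audit.log`; an empty result means the log holds no denial records, only notices or unrelated events.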