<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I was not able to get VirtualGL and SELinux to work together.<br>
It seems to be something during boot time. I have tried generating<br>
rules based on audit/audit.log.<br>
<br>
The VirtualGL web page <a
href="http://www.virtualgl.org/Documentation/RHEL6">http://www.virtualgl.org/Documentation/RHEL6</a><br>
states they don't know how to make it work either.<br>
<br>
I have tried in permissive mode after boot and that did not work either,<br>
which is why I think it is something during boot time, like the device<br>
setup. My guess is that it is related to /dev/dri, as it sets up these, and then<br>
access to /dev/nvidia0 and /dev/nvidiactl is restricted to the vglusers<br>
group (in my case it can be configured with/without group restriction).<br>
<br>
From the VirtualGL website they also have:<br>
<span class="Apple-style-span">
<h3>vglgenkey Issues</h3>
<p>Currently, the only known way to make <code>vglgenkey</code> work
(<code>vglgenkey</code> is used to grant 3D X Server access to members of the
<code>vglusers</code> group) is to disable SELinux. With SELinux enabled, the
<strong><em>/usr/bin/xauth</em></strong> file is hidden within the context of the
GDM startup scripts, so <code>vglgenkey</code> has no way of generating or
importing an xauth key to <strong><em>/etc/opt/VirtualGL/vgl_xauth_key</em></strong>
(and, for that matter, access is denied to <strong><em>/etc/opt/VirtualGL</em></strong>
as well.)</p>
<p class="vspace" style="margin-top: 1.33em; margin-bottom: 0px;">Perhaps
someone with a greater knowledge of SELinux can explain how to
disable enforcement only for GDM and not the whole system.<br>
</p>
<p class="vspace" style="margin-top: 1.33em; margin-bottom: 0px; ">I
had reinstalled that previous machine and don't<br>
have the other rules I applied.<br>
<br>
I repeated this on another machine, and did not run any audit2allow.<br>
<br>
Also there are 2 problems:<br>
1. Boot time problem with VirtualGL which seems to generate an<br>
avc message. (Fails if the machine is not booted in permissive or<br>
disabled mode)<br>
2. A problem with xauth when setenforce is enforcing.<br>
(This works if setenforce is permissive or disabled regardless<br>
of the boot time settings).<br>
<br>
The machine policy is set to targeted.<br>
<br>
Attached is the longer data with strace. The xauth does not seem<br>
to generate any audit.log messages even with semodule -DB, but if<br>
I turn SELinux to permissive the xauth commands succeed.<br>
<br>
To clarify:<br>
- It works if the system is booted with /etc/selinux/config<br>
SELINUX=permissive<br>
or<br>
SELINUX=disable<br>
- It fails if the system is booted with /etc/selinux/config<br>
SELINUX=enforcing<br>
* Even if after the boot 'setenforce 0' is run<br>
- My<br>
<br>
I do get an avc message; note this is running in permissive mode.<br>
[root@amelie mdalton]# grep -i avc /var/log/audit/audit.log<br>
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970
uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0
msg='avc: received policyload notice (seqno=4) : exe="?"
sauid=28 hostname=? addr=? terminal=?'<br>
<br>
[root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*<br>
ls: cannot access /dev/dri: No such file or directory<br>
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0<br>
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl<br>
<br>
Mark
</p>
</span>
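<p>An added example, not from the post or from VirtualGL: a small audit.log reader that separates real <code>AVC</code> denials from <code>USER_AVC</code> policy-load notices like the one quoted above, which <code>grep -i avc</code> matches even though nothing was denied. The first sample line is the record from the post; the denial and SYSCALL lines are constructed assumptions of what a denied xauth write might look like, not captured output.</p>

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample log. Line 1 is the USER_AVC record quoted in the post (a
# policy-load notice from nscd, not a denial). Lines 2-3 are an assumed AVC
# denial and its SYSCALL record; they were not captured from a real host.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=AVC msg=audit(1331199900.001:70600): avc:  denied  { write } for  pid=5123 comm="xauth" name="vgl_xauth_key" dev=dm-0 ino=12345 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1331199900.001:70600): arch=c000003e syscall=2 success=no exit=-13 comm="xauth"
"""

# key=value pairs; a quoted value (the USER_AVC payload) is captured whole.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_record(line: str) -> Dict[str, str]:
    """Split one record into fields; a repeated key keeps its last value, so for
    USER_AVC 'msg' ends up holding the inner avc payload, not audit(...)."""
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(line)}

def classify(line: str) -> Optional[Dict[str, Any]]:
    """Return a denial, a policy-load notice, or None for any other record."""
    rec = parse_record(line)
    if rec.get("type") == "AVC":
        m = DENIED_RE.search(line)
        if m:
            return {"kind": "denial", "perms": m.group(1).split(),
                    "comm": rec.get("comm"), "name": rec.get("name"),
                    "scontext": rec.get("scontext"), "tcontext": rec.get("tcontext"),
                    "tclass": rec.get("tclass")}
    if rec.get("type") == "USER_AVC" and "policyload notice" in rec.get("msg", ""):
        return {"kind": "policyload", "subj": rec.get("subj"), "pid": rec.get("pid")}
    return None

def rule_hint(denial: Dict[str, Any]) -> str:
    """Render a denial as the TE rule audit2allow would print, for reading only."""
    src = denial["scontext"].split(":")[2]  # the type field of the context
    tgt = denial["tcontext"].split(":")[2]
    return f"allow {src} {tgt}:{denial['tclass']} {{ {' '.join(denial['perms'])} }};"

def summarize(log_text: str) -> Dict[str, List[Dict[str, Any]]]:
    """Separate real denials from the policy-load notices 'grep -i avc' also hits."""
    out: Dict[str, List[Dict[str, Any]]] = {"denials": [], "policyload_notices": []}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is not None:
            out["denials" if ev["kind"] == "denial" else "policyload_notices"].append(ev)
    return out
```

<p>Run against a real <code>/var/log/audit/audit.log</code> after <code>semodule -DB</code>, an empty <code>denials</code> list with only notices present means the failure is not being audited at all, which is what the post reports for xauth.</p>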
</body>
</html>