<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
Daniel Walsh resolved this it seems. I will attempt to repeat this<br>
on another fresh install.<br>
<br>
semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'<br>
restorecon -R -v /etc/opt/VirtualGL<br>
<br>
Thank you!<br>
<br>
Mark<br>
<br>
<br>
On 05/07/2012 02:29 PM, Mark Dalton wrote:
<blockquote cite="mid:4FA814A3.4050706@princeton.edu" type="cite">
I was not able to get VirtualGL and selinux to work together.<br>
It is something during boot time it seems. I have tried
generating<br>
rules based on audit/audit.log.<br>
<br>
The VirtualGL web <a moz-do-not-send="true"
href="http://www.virtualgl.org/Documentation/RHEL6">http://www.virtualgl.org/Documentation/RHEL6</a><br>
states they don't know how to make it work either.<br>
<br>
I have tried in permissive mode after boot and that did not work
either,<br>
which is why I think it is something during boot time. Like the
device<br>
setup. My guess is related to: /dev/dri as it sets up these and
then<br>
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to
vglusers<br>
group (in my case it can be configured with/without group
restriction).<br>
<br>
From VirtualGL website they also have:<br>
<span class="Apple-style-span">
<h3>vglgenkey Issues</h3>
<p>Currently, the only known way to make <code>vglgenkey</code> work
(<code>vglgenkey</code> is used to grant 3D X Server access to members of the
<code>vglusers</code> group) is to disable SELinux. With SELinux enabled, the
<strong><em>/usr/bin/xauth</em></strong> file is hidden within the context of the
GDM startup scripts, so <code>vglgenkey</code> has no way of generating or
importing an xauth key to <strong><em>/etc/opt/VirtualGL/vgl_xauth_key</em></strong>
(and, for that matter, access is denied to <strong><em>/etc/opt/VirtualGL</em></strong>
as well.)</p>
<p class="vspace">Perhaps someone with a greater knowledge of SELinux can
explain how to disable enforcement only for GDM and not the
whole system.<br>
</p>
<p class="vspace">I had reinstalled that previous machine and don't<br>
have the other rules I applied.<br>
<br>
I repeated this on another machine, and did not run any
audit2allow. <br>
<br>
Also there are 2 problems: <br>
1. Boot time problem with the VirtualGL which seems to
generate an<br>
avc message. (Fails if the machine is not booted in
permissive or<br>
disabled mode)<br>
2. A problem with xauth when setenforce is enforcing. <br>
(This works if setenforce is permissive or disabled
regardless <br>
of the boot time settings). <br>
<br>
The machine policy is set to targeted. <br>
<br>
Attached is the longer data with strace. The xauth does not
seem <br>
to generate any audit.log messages even with semodule -DB, but
if <br>
I turn selinux to permissive the xauth commands succeed. <br>
<br>
<br>
<br>
To clarify: <br>
- It works if the system is booted with
/etc/selinux/config <br>
SELINUX=permissive <br>
or <br>
SELINUX=disable <br>
- It fails if the system is booted with
/etc/selinux/config <br>
SELINUX=enforcing <br>
* Even if after the boot 'setenforce 0' is run <br>
- My <br>
<br>
I do get an avc message; note this is running in permissive mode.<br>
[root@amelie mdalton]# grep -i avc /var/log/audit/audit.log <br>
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970
uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0
msg='avc: received policyload notice (seqno=4) : exe="?"
sauid=28 hostname=? addr=? terminal=?' <br>
<br>
[root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia* <br>
ls: cannot access /dev/dri: No such file or directory <br>
crw-rw----. root vglusers system_u:object_r:device_t:s0
/dev/nvidia0 <br>
crw-rw----. root vglusers system_u:object_r:device_t:s0
/dev/nvidiactl <br>
<br>
Mark </p>
</span> </blockquote>
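<p>The following is an added example, not code from the thread, from Daniel Walsh or from the VirtualGL project. It models what the fix above does: <code>semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'</code> records an anchored regular expression mapping those paths to the <code>xdm_rw_etc_t</code> type, and <code>restorecon -R -v</code> then relabels every file whose current type differs. The script applies that same pattern to paths taken from <code>ls -Z</code> output of the form shown in the thread and reports which files would be relabelled. The directory listing in <code>SAMPLE_LS_Z</code> is constructed for the example; only the file-context spec and the target type come from the thread.</p>

```python
"""Check file labels against the SELinux file-context rule from the thread.

Added example; the rule is the one posted (`semanage fcontext -a -t
xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'`), the sample `ls -Z` listing is
constructed.
"""
import re
from typing import List, NamedTuple, Tuple

# File-context rule from the thread: xdm_rw_etc_t for the VirtualGL
# config directory and everything below it.
FCONTEXT_SPEC = r"/etc/opt/VirtualGL(/.*)?"
WANTED_TYPE = "xdm_rw_etc_t"


class Context(NamedTuple):
    user: str
    role: str
    type: str   # the field type enforcement decides on
    level: str


class Entry(NamedTuple):
    mode: str
    owner: str
    group: str
    context: Context
    path: str


def parse_context(ctx: str) -> Context:
    """Split 'system_u:object_r:device_t:s0' into user, role, type, level.
    The MCS level may itself contain ':' (e.g. 's0:c0.c1023'), so split
    at most three times."""
    user, role, type_, level = ctx.split(":", 3)
    return Context(user, role, type_, level)


# RHEL 6 `ls -Z` form: mode owner group context path
_LS_Z = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+:\S+:\S+:\S+)\s+(.+?)\s*$")


def parse_ls_z(output: str) -> List[Entry]:
    """Parse `ls -Z` lines; blank lines are skipped, anything else must match."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = _LS_Z.match(line)
        if m is None:
            raise ValueError(f"unrecognised ls -Z line: {line!r}")
        mode, owner, group, ctx, path = m.groups()
        entries.append(Entry(mode, owner, group, parse_context(ctx), path))
    return entries


def fcontext_matches(spec: str, path: str) -> bool:
    """semanage fcontext specs are anchored: the regex must cover the whole
    path (as if wrapped in ^...$). A plain prefix match would wrongly treat
    /etc/opt/VirtualGLX/... as covered by the rule."""
    return re.fullmatch(spec, path) is not None


def plan_relabel(entries: List[Entry], spec: str = FCONTEXT_SPEC,
                 wanted: str = WANTED_TYPE) -> List[Tuple[str, str]]:
    """Return (path, current_type) for each entry under `spec` whose type is
    not `wanted`, i.e. the files `restorecon -R -v` would report changing."""
    return [(e.path, e.context.type)
            for e in entries
            if fcontext_matches(spec, e.path) and e.context.type != wanted]


# Constructed listing: two mislabelled VirtualGL files, one already correct,
# one look-alike path outside the rule, and a device node from the thread.
SAMPLE_LS_Z = """\
drwxr-xr-x. root vglusers system_u:object_r:etc_t:s0 /etc/opt/VirtualGL
-rw-r-----. root vglusers system_u:object_r:etc_t:s0 /etc/opt/VirtualGL/vgl_xauth_key
-rw-r--r--. root root     system_u:object_r:xdm_rw_etc_t:s0 /etc/opt/VirtualGL/README
-rw-r--r--. root root     system_u:object_r:etc_t:s0 /etc/opt/VirtualGLX/notes
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
"""

if __name__ == "__main__":
    for path, current in plan_relabel(parse_ls_z(SAMPLE_LS_Z)):
        print(f"restorecon would relabel {path}: {current} -> {WANTED_TYPE}")
```

<p>On a live system the same comparison is what <code>matchpathcon -V</code> or <code>restorecon -n -v</code> performs against the policy's file-context database; the point of the script is to show why the spec is written with <code>(/.*)?</code> and why it is anchored, so the directory itself and its contents are covered but neighbouring paths are not.</p>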
<br>
</body>
</html>