VirtualGL/TurboVNC and selinux

Mark Dalton mdalton at princeton.edu
Mon May 7 18:29:55 UTC 2012


I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems.  I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time.  Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).

From the VirtualGL website they also have:

vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is used
to grant 3D X Server access to members of the vglusers group) is to
disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
hidden within the context of the GDM startup scripts, so vglgenkey has
no way of generating or importing an xauth key
to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
denied to /etc/opt/VirtualGL/ as well.)

Perhaps someone with a greater knowledge of SELinux can explain how to 
disable enforcement only for GDM and not the whole system.

I had reinstalled that previous machine and don't
have the other rules I applied.

I repeated this on another machine, and did not run any audit2allow.

Also there are 2 problems:
     1. Boot time problem with VirtualGL which seems to generate an
        avc message.  (Fails if the machine is not booted in permissive or
        disabled mode)
     2. A problem with xauth when setenforce is enforcing.
        (This works if setenforce is permissive or disabled regardless
        of the boot time settings).

The machine policy is set to targeted.

Attached is the longer data with strace.   The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.



To clarify:
     - It works if the system is booted with /etc/selinux/config
           SELINUX=permissive
         or
           SELINUX=disable
     - It fails if the system is booted with /etc/selinux/config
           SELINUX=enforcing
       * Even if after the boot 'setenforce 0' is run
     - My

I do get an avc message; note this is running in permissive mode.
[root at amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'

[root at amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidiactl

Mark
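The post's only matching audit line is a USER_AVC "policyload notice", which is not a denial, and the xauth failure produced nothing even with dontaudit rules disabled (semodule -DB). When working through a case like this it helps to separate real denials from other avc records and to group them by source type, target type and object class, which is what audit2allow summarises before it generates rules. The script below is an added example for this list post, not something from the original mail or from the VirtualGL project; the denial lines in its sample log are constructed and hypothetical (the types xdm_t, etc_t and bin_t, the process names, inodes and serials are made up to show the record layout), and only the first USER_AVC line follows the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. The USER_AVC line follows the one
# shown in the post; the AVC denials below it are hypothetical and exist
# only to illustrate the record layout and the grouping logic.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=AVC msg=audit(1331199900.123:70600): avc:  denied  { read } for  pid=5120 comm="vglgenkey" name="vgl_xauth_key" dev="sda1" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1331199900.123:70600): avc:  denied  { open } for  pid=5120 comm="vglgenkey" path="/etc/opt/VirtualGL/vgl_xauth_key" dev="sda1" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1331199905.500:70610): avc:  denied  { execute } for  pid=5121 comm="sh" name="xauth" dev="sda1" ino=9999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1331199910.000:70620): avc:  granted  { setenforce } for  pid=5200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Record header: type, timestamp, serial, then the free-form body.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# "avc:  denied  { read open }" or "avc:  granted  { ... }"; a policyload
# notice or other USER_AVC text has no verdict and matches nothing here.
VERDICT_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
# key=value pairs, values either double-quoted or bare (no spaces).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc_records(text):
    """Parse AVC and USER_AVC records from audit.log text; skip other types and malformed lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m or m.group("type") not in ("AVC", "USER_AVC"):
            continue
        body = m.group("body")
        fields = {}
        for fm in FIELD_RE.finditer(body):
            # group(3) is the unquoted content when the value was quoted, else None
            fields[fm.group(1)] = fm.group(3) if fm.group(3) is not None else fm.group(2)
        v = VERDICT_RE.search(body)
        records.append({
            "type": m.group("type"),
            "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "verdict": v.group("verdict") if v else None,
            "perms": set(v.group("perms").split()) if v else set(),
            "fields": fields,
        })
    return records


def context_type(ctx):
    """Return the type component of an SELinux context (user:role:type[:range]), e.g. xdm_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(records):
    """Union of denied permissions keyed by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        f = r["fields"]
        key = (context_type(f.get("scontext", "?")),
               context_type(f.get("tcontext", "?")),
               f.get("tclass", "?"))
        summary[key] |= r["perms"]
    return {k: sorted(v) for k, v in summary.items()}


def denied_commands(records):
    """Process names (comm=) that hit a denial, useful for matching against strace output."""
    return sorted({r["fields"].get("comm", "?") for r in records if r["verdict"] == "denied"})


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), perms in summarize_denials(recs).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("commands denied:", " ".join(denied_commands(recs)))
```

Run against a real /var/log/audit/audit.log (read it with root privileges and pass the text to parse_avc_records) the summary shows, per source and target type, exactly which permissions the policy refused; an empty summary while the failure persists, as in the post, is itself a finding, since it points to a path that never reaches the AVC at all (for example a label or boolean consulted earlier, or a boot-time ordering problem) rather than to a missing allow rule.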
