VirtualGL/TurboVNC and selinux

Daniel J Walsh dwalsh at redhat.com
Mon May 7 18:32:14 UTC 2012



On 05/07/2012 02:29 PM, Mark Dalton wrote:
> I was not able to get VirtualGL and selinux to work together. It is
> something during boot time it seems.  I have tried generating rules based
> on audit/audit.log.
> 
> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states they
> don't know how to make it work either.
> 
> I have tried in permissive mode after boot and that did not work either, 
> which is why I think it is something during boot time.  Like the device 
> setup. My guess is related to: /dev/dri as it sets up these and then access
> to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers group (in
> my case it can be configured with/without group restriction).
> 
> From VirtualGL website they also have:
> 
> 
> vglgenkey Issues
> 
> Currently, the only known way to make vglgenkey work (vglgenkey is used
> to grant 3D X Server access to members of the vglusers group) is to
> disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
> hidden within the context of the GDM startup scripts, so vglgenkey has no
> way of generating or importing an xauth key to
> /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
> denied to /etc/opt/VirtualGL/ as well.)
> 
> Perhaps someone with a greater knowledge of SELinux can explain how to
> disable enforcement only for GDM and not the whole system.
> 
> I had reinstalled that previous machine and don't have the other rules I
> applied.
> 
> I repeated this on another machine, and did not run any audit2allow.
> 
> Also there are 2 problems:
> 1. Boot time problem with the VirtualGL which seems to generate an avc
>    message.  (Fails if the machine is not booted in permissive or
>    disabled mode)
> 2. A problem with xauth when setenforce is enforcing. (This works if
>    setenforce is permissive or disabled regardless of the boot time
>    settings).
> 
> The machine policy is set to targeted.
> 
> Attached is the longer data with strace.   The xauth does not seem to
> generate any audit.log messages even with semodule -DB, but if I turn
> selinux to permissive the xauth commands succeed.
> 
> 
> 
> To clarify:
> - It works if the system is booted with /etc/selinux/config
>   SELINUX=permissive or SELINUX=disable
> - It fails if the system is booted with /etc/selinux/config
>   SELINUX=enforcing
>   * Even if after the boot 'setenforce 0' is run
> - My
> 
> I do get an avc message, note this is running in permissive mode.
> 
> [root at amelie mdalton]# grep -i avc /var/log/audit/audit.log
> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
> 
> [root at amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
> ls: cannot access /dev/dri: No such file or directory
> crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidia0
> crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidiactl
> 
> Mark
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Can you boot in permissive mode?  What avc messages are you seeing?

ausearch -m avc -ts recent

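As an added example (not part of the thread, and not VirtualGL's or Fedora's own tooling), a small shell helper that takes raw audit records, such as the output of the ausearch command above or a grep over /var/log/audit/audit.log, and summarizes only the real "denied" AVCs by source type, target type, object class and permission, skipping records like the "received policyload notice" USER_AVC that Mark quoted, which is not a denial. The embedded sample records are constructed for illustration: the two vglgenkey denials (xdm_t against xauth_exec_t and etc_t) are hypothetical and are not taken from Mark's logs.

```shell
#!/bin/sh
# summarize_avc: read raw audit records on stdin (e.g. the output of
# "ausearch -m avc -ts recent") and print one line per distinct denial:
#   <count> <source type> <target type> <class> <permissions>
# Records that are not real denials ("received policyload notice",
# "granted") are skipped, so they are not mistaken for the problem.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep the text inside { ... }
        sub(/ *[}].*/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        split(s, sa, ":"); split(t, ta, ":")   # user:role:type[:range]
        key = sa[3] " " ta[3] " " c " " perms
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort
}

# Constructed sample records for a stand-alone run (not from the thread):
# the policyload notice Mark saw plus two hypothetical denials of the kind
# a GDM-started vglgenkey would hit if it could not reach xauth or
# /etc/opt/VirtualGL. Types and inode numbers are made up for the example.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
type=AVC msg=audit(1336415532.100:70601): avc:  denied  { read } for  pid=2210 comm="vglgenkey" name="xauth" dev=dm-0 ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=AVC msg=audit(1336415532.101:70602): avc:  denied  { write } for  pid=2210 comm="vglgenkey" name="VirtualGL" dev=dm-0 ino=5678 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
EOF
)

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

The summary makes it easy to see whether a denial is a labeling problem on the target (fix with restorecon or a file context rule) or a genuine missing permission for the source domain, before reaching for audit2allow.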

