VirtualGL/TurboVNC and selinux
Mark Dalton
mdalton at princeton.edu
Tue May 29 16:28:14 UTC 2012
Daniel Walsh resolved this it seems. I will attempt to repeat this
on another fresh install.
semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'
restorecon -R -v /etc/opt/VirtualGL
Thank you!
Mark
On 05/07/2012 02:29 PM, Mark Dalton wrote:
> I was not able to get VirtualGL and selinux to work together.
> It is something during boot time it seems. I have tried generating
> rules based on audit/audit.log.
>
> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
> states they don't know how to make it work either.
>
> I have tried in permissive mode after boot and that did not work either,
> which is why I think it is something during boot time. Like the device
> setup. My guess is related to: /dev/dri as it sets up these and then
> access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
> group (in my case it can be configured with/without group restriction).
>
> From VirtualGL website they also have:
>
>
> vglgenkey Issues
>
> Currently, the only known way to make vglgenkey work (vglgenkey is
> used to grant 3D X Server access to members of the vglusers group) is
> to disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
> hidden within the context of the GDM startup scripts, so vglgenkey has
> no way of generating or importing an xauth key
> to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
> denied to /etc/opt/VirtualGL as well.)
>
> Perhaps someone with a greater knowledge of SELinux can explain how to
> disable enforcement only for GDM and not the whole system.
>
> I had reinstalled that previous machine and don't
> have the other rules I applied.
>
> I repeated this on another machine, and did not run any audit2allow.
>
> Also there are 2 problems:
> 1. Boot time problem with the VirtualGL which seems to generate an
> avc message. (Fails if the machine is not booted in permissive or
> disabled mode)
> 2. A problem with xauth when setenforce is enforcing.
> (This works if setenforce is permissive or disabled regardless
> of the boot time settings).
>
> The machine policy is set to targeted.
>
> Attached is the longer data with strace. The xauth does not seem
> to generate any audit.log messages even with semodule -DB, but if
> I turn selinux to permissive the xauth commands succeed.
>
>
>
> To clarify:
> - It works if the system is booted with /etc/selinux/config
> SELINUX=permissive
> or
> SELINUX=disable
> - It fails if the system is booted with /etc/selinux/config
> SELINUX=enforcing
> * Even if after the boot 'setenforce 0' is run
> - My
>
> I do get avc message, note this is running in permissive mode.
> [root at amelie mdalton]# grep -i avc /var/log/audit/audit.log
> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28
> auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received
> policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=?
> terminal=?'
>
> [root at amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
> ls: cannot access /dev/dri: No such file or directory
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
>
> Mark
>
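As an added example (not code from the thread or from the VirtualGL project): a small Python parser that tells the USER_AVC policy-load notice quoted above apart from a real AVC denial, and reads the SELinux type out of the ls -Z listing. The USER_AVC and ls -Z lines are quoted from the mail; the AVC denial line is constructed and hypothetical, shaped like the xdm_t-to-etc_t denial that the xdm_rw_etc_t relabel is meant to resolve.

```python
import re

# Sample input. The first audit line and the ls -Z lines are quoted from the
# thread; the AVC denial is CONSTRUCTED for this example (hypothetical).
AUDIT_LINES = [
    "type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 "
    "auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received "
    "policyload notice (seqno=4) : exe=\"?\" sauid=28 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1331199810.123:70550): avc:  denied  { write } for  "
    "pid=5012 comm=\"xauth\" name=\"VirtualGL\" dev=dm-0 ino=4711 "
    "scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir",
]

LS_Z_LINES = [
    "crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0",
    "crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit.log record into a dict and flag real denials.

    'grep -i avc' also matches USER_AVC policy-load notices, which are not
    denials; only records containing 'avc: denied { ... }' describe a
    blocked access."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    rec["denied"] = m is not None
    rec["perms"] = m.group(1).split() if m else []
    return rec


def denials(lines):
    """Return (source type, target type, class, perms) for each real denial."""
    out = []
    for rec in map(parse_audit_line, lines):
        if rec["denied"]:
            out.append((rec["scontext"].split(":")[2],
                        rec["tcontext"].split(":")[2],
                        rec["tclass"], rec["perms"]))
    return out


def ls_z_types(lines):
    """Map path -> SELinux type from ls -Z output (context is the 4th field)."""
    result = {}
    for line in lines:
        fields = line.split()
        result[fields[4]] = fields[3].split(":")[2]
    return result
```

Running denials() over a real audit.log with semodule -DB enabled is the quickest way to confirm whether a failing step actually produced a denial or only a notice like the one quoted above.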