VirtualGL/TurboVNC and selinux

Mark Dalton mdalton at princeton.edu
Tue May 29 16:28:14 UTC 2012


Daniel Walsh resolved this it seems. I will attempt to repeat this
on another fresh install.

semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'
restorecon -R -v /etc/opt/VirtualGL

Thank you!

Mark


On 05/07/2012 02:29 PM, Mark Dalton wrote:
> I was not able to get VirtualGL and selinux to work together.
> It is something during boot time it seems.  I have tried generating
> rules based on audit/audit.log.
>
> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
> states they don't know how to make it work either.
>
> I have tried in permissive mode after boot and that did not work either,
> which is why I think it is something during boot time.  Like the device
> setup. My guess is related to: /dev/dri as it sets up these and then
> access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
> group (in my case it can be configured with/without group restriction).
>
> From VirtualGL website they also have:
>
>
> vglgenkey Issues
>
> Currently, the only known way to make vglgenkey work (vglgenkey is
> used to grant 3D X Server access to members of the vglusers group) is
> to disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
> hidden within the context of the GDM startup scripts, so vglgenkey has
> no way of generating or importing an xauth key
> to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
> denied to /etc/opt/VirtualGL as well.)
>
> Perhaps someone with a greater knowledge of SELinux can explain how to 
> disable enforcement only for GDM and not the whole system.
>
> I had reinstalled that previous machine and don't
> have the other rules I applied.
>
> I repeated this on another machine, and did not run any audit2allow.
>
> Also there are 2 problems:
>     1. Boot time problem with the VirtualGL which seems to generate an
>        avc message.  (Fails if the machine is not booted in permissive
>        or disabled mode)
>     2. A problem with xauth when setenforce is enforcing.
>        (This works if setenforce is permissive or disabled regardless
>        of the boot time settings).
>
> The machine policy is set to targeted.
>
> Attached is the longer data with strace. The xauth does not seem
> to generate any audit.log messages even with semodule -DB, but if
> I turn selinux to permissive the xauth commands succeed.
>
>
>
> To clarify:
>     - It works if the system is booted with /etc/selinux/config
>           SELINUX=permissive
>       or
>           SELINUX=disable
>     - It fails if the system is booted with /etc/selinux/config
>           SELINUX=enforcing
>       * Even if after the boot 'setenforce 0' is run
>       - My
>
> I do get an avc message, note this is running in permissive mode.
> [root at amelie mdalton]# grep -i avc /var/log/audit/audit.log
> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 
> auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received 
> policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? 
> terminal=?'
>
> [root at amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
> ls: cannot access /dev/dri: No such file or directory
> crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidia0
> crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidiactl
>
> Mark
>
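Two checks that go with the relabelling fix above, as an added example that is not from the post or from the VirtualGL project: one confirms that entries under /etc/opt/VirtualGL carry xdm_rw_etc_t from `ls -Z` output, the other reduces audit.log to its real "avc: denied" records so a USER_AVC policyload notice like the one grepped in the thread is not mistaken for a denial. It assumes the RHEL 6 `ls -Z` column layout quoted in the thread and constructs its own sample listing and audit lines.

```shell
# Added example, not part of the post or of VirtualGL. Assumes `ls -Z` prints
# "perms user group context path" (the RHEL 6 layout quoted in the thread).
# On a real host:  ls -Z /etc/opt/VirtualGL/* | labels_mismatch xdm_rw_etc_t
#                  grep avc: /var/log/audit/audit.log | avc_summary

# labels_mismatch EXPECTED_TYPE: reads `ls -Z` lines on stdin, prints
# "path current_type" for each entry whose SELinux type differs, exits 1 if any.
labels_mismatch() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")                 # user:role:type:level
            if (ctx[3] != want) { print $5, ctx[3]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# avc_summary: reads audit.log lines on stdin and prints
# "source_type target_type tclass {perms}" for every "avc: denied" record only.
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            print s, t, c, "{" perms "}"
        }'
}

# Constructed sample listing (not captured from the poster's machine): the key
# file already relabelled, the directory itself still etc_t as before restorecon.
sample_ls() {
    printf '%s\n' \
        'drwxr-x---. root vglusers system_u:object_r:etc_t:s0 /etc/opt/VirtualGL' \
        '-rw-r-----. root vglusers system_u:object_r:xdm_rw_etc_t:s0 /etc/opt/VirtualGL/vgl_xauth_key'
}

# Constructed sample audit lines: the USER_AVC notice quoted in the post plus a
# made-up denial of the shape a mislabelled /etc/opt/VirtualGL would produce.
sample_audit() {
    printf '%s\n' \
        "type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe=\"?\" sauid=28 hostname=? addr=? terminal=?'" \
        'type=AVC msg=audit(1331199900.000:70600): avc:  denied  { write } for  pid=5001 comm="xauth" name="VirtualGL" dev=sda1 ino=1234 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir'
}

sample_ls | labels_mismatch xdm_rw_etc_t || echo "relabel needed: rerun restorecon"
sample_audit | avc_summary
```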
