Selinux and Nvidia drivers
Mark Eggers
mdeggers at gmail.com
Tue May 31 19:11:05 UTC 2011
On Tue, 31 May 2011 10:30:21 -0400, Daniel J Walsh wrote:
> On 05/30/2011 06:40 AM, Alexander Volovics wrote:
>> On Mon, May 30, 2011 at 07:25:45PM +0900, Misha Shnurapet wrote:
>>
>>> 30.05.2011, 18:47, "Alexander Volovics" <a.volovic at upcmail.nl>:
>>>> What is the reaction of selinux to the nvidia driver? Does selinux try
>>>> to prevent the nvidia driver from being loaded?
>>
>>> Nope. I've been using them together and experienced no issues.
>>
>> Thanks. Then I guess I should finally start reading up on selinux and
>> not trust my 'intuition' anymore. I thought the nvidia driver being a
>> "fremdkörper" and all ...
>>
>> Alexander
>>
> Sometimes the nvidia driver device can be mislabeled, which can cause
> SELinux issues. In the past we have had problems with nvidia requiring
> GUI apps to need execstack and execmem, but we are now allowing these by
> default.
Dan, that's nice to know. The NVidia installer does the following:

    Linux installations using SELinux (Security-Enhanced Linux)
    require that the security type of all shared libraries be
    set to 'shlib_t' or 'textrel_shlib_t', depending on the
    distribution. nvidia-installer will detect when to set the
    security type, and set it using chcon(1) on the shared
    libraries it installs. If the execstack(8) system utility
    is present, nvidia-installer will use it to also clear the
    executable stack flag of the libraries. Use this option to
    override nvidia-installer's detection of when to set the
    security type. Valid values for FORCE-SELINUX are 'yes'
    (force setting of the security type), 'no' (prevent setting
    of the security type), and 'default' (let nvidia-installer
    decide when to set the security type).

That's the documentation from <driver-name> --advanced-options. I also
use a script with semanage fcontext to clean up some issues. I should try
not running the script next time I upgrade and see if there are
performance issues / SELinux warnings (I normally run in permissive mode).

If I do find issues, should I report it on the Fedora buglist (change in
SELinux policy), NVidia forum (change in their installer script), or both?

. . . . just my two cents.
/mde/
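
The help text quoted in the message above names two accepted security types and the executable stack flag. As an added example that is not part of the original message or of nvidia-installer, this shell script flags libraries whose label or stack marking differs from that after a driver upgrade. The function names, sample lines and library paths are constructed; it assumes input in the format printed by `stat -c '%C %n'` and `execstack -q`.

```shell
#!/bin/sh
# Added example (not from nvidia-installer or the original message).
# Accepted types are the two named in the quoted help text; override
# ALLOWED_TYPES if your distribution's policy uses different names.
ALLOWED_TYPES="${ALLOWED_TYPES:-shlib_t textrel_shlib_t}"

# Constructed sample in the format of: stat -c '%C %n' FILE...
# (the library paths are hypothetical)
SAMPLE_STAT_OUTPUT='system_u:object_r:textrel_shlib_t:s0 /usr/lib64/nvidia/libexample-a.so.1
system_u:object_r:default_t:s0 /usr/lib64/nvidia/libexample-b.so.1
unconfined_u:object_r:user_home_t:s0 /usr/lib64/nvidia/libexample-c.so.1
system_u:object_r:shlib_t:s0 /usr/lib64/nvidia/libexample-d.so.1'

# Constructed sample in the format of: execstack -q FILE...
SAMPLE_EXECSTACK_OUTPUT='- /usr/lib64/nvidia/libexample-a.so.1
X /usr/lib64/nvidia/libexample-b.so.1
? /usr/lib64/nvidia/libexample-c.so.1'

# Reads "<context> <path>" lines on stdin; prints "<type> <path>" for each
# file whose type is not in ALLOWED_TYPES. Returns 1 if anything was flagged.
audit_lib_labels() {
    lab_rc=0
    while read -r lab_ctx lab_path; do
        [ -n "$lab_ctx" ] || continue
        # Context is user:role:type[:level]; the type is always field 3.
        lab_type=$(printf '%s\n' "$lab_ctx" | cut -s -d: -f3)
        case " $ALLOWED_TYPES " in
            *" ${lab_type:-none} "*) ;;
            *) printf '%s %s\n' "${lab_type:-none}" "$lab_path"; lab_rc=1 ;;
        esac
    done
    return "$lab_rc"
}

# Reads "execstack -q" lines on stdin; prints every line not marked "-"
# (X = executable stack requested, ? = no marking). Returns 1 if any found.
audit_execstack_flags() {
    stk_rc=0
    while read -r stk_flag stk_path; do
        case "$stk_flag" in
            -|'') ;;
            *) printf '%s %s\n' "$stk_flag" "$stk_path"; stk_rc=1 ;;
        esac
    done
    return "$stk_rc"
}

# Live use on an SELinux host (replace the glob with the driver's library paths):
#   stat -c '%C %n' /path/to/lib*.so* | audit_lib_labels
#   execstack -q /path/to/lib*.so* | audit_execstack_flags
```

Labels set with chcon(1) are replaced on the next restorecon or filesystem relabel unless a matching semanage fcontext rule exists, so rerun the check after a relabel as well as after an upgrade.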