Selinux and Nvidia drivers

Mark Eggers mdeggers at gmail.com
Tue May 31 19:11:05 UTC 2011


On Tue, 31 May 2011 10:30:21 -0400, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/30/2011 06:40 AM, Alexander Volovics wrote:
>> On Mon, May 30, 2011 at 07:25:45PM +0900, Misha Shnurapet wrote:
>> 
>>> 30.05.2011, 18:47, "Alexander Volovics" <a.volovic at upcmail.nl>:
>>>> What is the reaction of selinux to the nvidia driver. Does selinux try
>>>> to prevent the nvidia driver from being loaded?
>>  
>>> Nope. I've been using them together and experienced no issues.
>> 
>> Thanks. Then I guess I should finally start reading up on selinux and
>> not trust my 'intuition' anymore. I thought the nvidia driver being a
>> "fremdkörper" and all ...
>> 
>> Alexander
>> 
> Sometimes the nvidia driver device can be mislabeled, which can cause
> SELinux issues.  In the past we have had problems with nvidia requiring
> GUI apps to need execstack and execmem, but we are now allowing these by
> default.


Dan, that's nice to know. The NVidia installer does the following:

      Linux installations using SELinux (Security-Enhanced Linux)
      require that the security type of all shared libraries be
      set to 'shlib_t' or 'textrel_shlib_t', depending on the
      distribution. nvidia-installer will detect when to set the
      security type, and set it using chcon(1) on the shared
      libraries it installs.  If the execstack(8) system utility
      is present, nvidia-installer will use it to also clear the
      executable stack flag of the libraries.  Use this option to
      override nvidia-installer's detection of when to set the
      security type.  Valid values for FORCE-SELINUX are 'yes'
      (force setting of the security type), 'no' (prevent setting
      of the security type), and 'default' (let nvidia-installer
      decide when to set the security type).

That's the documentation from <driver-name> --advanced-options. I also 
use a script with semanage fcontext to clean up some issues. I should try 
not running the script next time I upgrade and see if there are 
performance issues / SELinux warnings (I normally run in permissive mode).

If I do find issues, should I report it on the Fedora buglist (change in 
SELinux policy), NVidia forum (change in their installer script), or both?

. . . . just my two cents.

/mde/


