new kernel fglrx module and SElinux



pibelinux1
30th March 2006, 01:18 AM
I am having trouble when I enable SELinux on my new kernel and fglrx module. The rpm.livna.org site states:
Note2: The Nvidia driver currently has a issue with SELinux; see Bug 843
but I am having the same problem with my ATI card on my laptop, and when I disable SELinux it works normally.
I will attach a file of my Xorg file, and I don't know how to report the bug when SELinux is enabled.
Is this something that I have done wrong, or is there a bug either in X or the kernel? By the way, I installed the driver via yum with only the base repos and livna; I have not mixed repositories, as suggested before.
Also, I have not tried to compile the driver myself with the official driver from ATI, but I am sure it is still not compatible with Xorg 7.0, right?
On my old Fedora Core 4 configuration it used to have that driver and SELinux enabled with no glitches, but now on FC5 I am experiencing this issue.
I have attached a long log file from /var/log/messages

RHamel
30th March 2006, 02:10 AM
The file you really need to show is the /var/log/audit/audit.log file.

My bad. It looks like they've moved it back to the messages file.

RHamel
30th March 2006, 06:03 AM
So the following messages are where I think you are getting your error:


Mar 27 16:19:20 localhost kernel: audit(1143501560.533:239): avc: denied { execmod } for pid=3887 comm="xine" name="libfame-0.9.so.1.0.0" dev=dm-0 ino=2719746 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 27 16:27:11 localhost kernel: audit(1143502031.566:271): avc: denied { execmod } for pid=4273 comm="xine" name="libfame-0.9.so.1.0.0" dev=dm-0 ino=2719746 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 27 16:43:07 localhost kernel: audit(1143502987.050:295): avc: denied { execmod } for pid=4377 comm="xine" name="libfame-0.9.so.1.0.0" dev=dm-0 ino=2719746 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 15:17:38 localhost kernel: audit(1143670658.891:145): avc: denied { execmod } for pid=2520 comm="xine" name="libfame-0.9.so.1.0.0" dev=dm-0 ino=2719746 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 15:58:56 localhost kernel: audit(1143673136.322:199): avc: denied { execmod } for pid=2976 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:00:51 localhost kernel: audit(1143673251.153:205): avc: denied { execmod } for pid=2993 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:01:04 localhost kernel: audit(1143673264.934:211): avc: denied { execmod } for pid=3004 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:08:04 localhost kernel: audit(1143673684.248:219): avc: denied { execmod } for pid=3054 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:12:53 localhost kernel: audit(1143673973.606:227): avc: denied { execmod } for pid=3098 comm="mplayer" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:12:53 localhost kernel: audit(1143673973.706:230): avc: denied { execmod } for pid=3099 comm="mplayer" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:19:25 localhost kernel: audit(1143674365.927:234): avc: denied { execmod } for pid=3137 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:26 localhost kernel: audit(1143674545.994:343): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:26 localhost kernel: audit(1143674545.998:344): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:31 localhost kernel: audit(1143674551.606:349): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:31 localhost kernel: audit(1143674551.610:350): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:42 localhost kernel: audit(1143674562.935:359): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:42 localhost kernel: audit(1143674562.939:360): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:56 localhost kernel: audit(1143674576.140:363): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:22:56 localhost kernel: audit(1143674576.144:364): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:23:04 localhost kernel: audit(1143674584.164:365): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:23:04 localhost kernel: audit(1143674584.168:366): avc: denied { execmod } for pid=7256 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:23:20 localhost kernel: audit(1143674600.593:369): avc: denied { execmod } for pid=8711 comm="kdesktop_lock" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:23:40 localhost kernel: audit(1143674620.007:372): avc: denied { execmod } for pid=8759 comm="kdesktop_lock" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:24:08 localhost kernel: audit(1143674648.112:375): avc: denied { execmod } for pid=8885 comm="ld-linux.so.2" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:32:10 localhost kernel: audit(1143675130.986:387): avc: denied { execmod } for pid=10743 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:32:10 localhost kernel: audit(1143675130.990:388): avc: denied { execmod } for pid=10743 comm="kcontrol" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:37:15 localhost kernel: audit(1143675435.594:8): avc: denied { execmod } for pid=2399 comm="metacity" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:39:15 localhost kernel: audit(1143675555.986:12): avc: denied { execmod } for pid=2427 comm="nautilus" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:45:43 localhost kernel: audit(1143675943.626:8): avc: denied { execmod } for pid=2474 comm="glxgears" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file


All these errors can be fixed by a single rule. How things are done now in SELinux has changed in Fedora. I think to make it more dynamic, but I'm not absolutely sure. I think you need to edit the following file:

/usr/share/selinux/devel/include/system/unconfined.if

You need to find libGL and add a line after


allow $1 home_type:file execmod;

add


allow $1 lib_t:file execmod;


Be sure to change the SELinux context of unconfined.if back to system_u:object_r:usr_t with the chcon command.
Then reboot, and hopefully this will work.
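
An added example, not part of the original thread: a small Python parser that groups AVC denial lines like the ones quoted above by source type, target type and class, and prints the allow rule each group corresponds to. The function names are hypothetical, and the sample is four lines copied from the log in the post.

```python
import re
from collections import defaultdict

# Four denial lines copied from the log quoted in the thread above.
SAMPLE = """\
Mar 27 16:19:20 localhost kernel: audit(1143501560.533:239): avc: denied { execmod } for pid=3887 comm="xine" name="libfame-0.9.so.1.0.0" dev=dm-0 ino=2719746 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 15:58:56 localhost kernel: audit(1143673136.322:199): avc: denied { execmod } for pid=2976 comm="xmms" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:24:08 localhost kernel: audit(1143674648.112:375): avc: denied { execmod } for pid=8885 comm="ld-linux.so.2" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 29 16:37:15 localhost kernel: audit(1143675435.594:8): avc: denied { execmod } for pid=2399 comm="metacity" name="libGL.so.1.2" dev=dm-0 ino=5964861 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "tclass" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the MLS level may itself contain ':'.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":", 3)
        if len(parts) < 3:
            return None
        rec[out] = parts[2]
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set(), "count": 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["names"].add(rec.get("name", "?"))
        g["count"] += 1
    return dict(groups)

def to_rules(groups):
    """Render each group in 'allow source target:class { perms };' form."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                  for (s, t, c), g in groups.items())

if __name__ == "__main__":
    for rule in to_rules(summarize(SAMPLE.splitlines())):
        print(rule)
```

The grouping also records which programs and files triggered each denial, which helps when deciding how widely a rule on lib_t would apply.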