Selinux and libgl



mrkilgoretrout
3rd May 2006, 12:56 AM
I seem to be having issues with selinux and opengl, particularly when playing doom3 and quake4. If I try to start the games with setenforce 1 and LD_PRELOAD=/usr/lib/libGL.so.1 I get:

ERROR: ld.so: object '/usr/lib/libGL.so.1' from LD_PRELOAD cannot be preloaded: ignored.
./doom.x86: error while loading shared libraries: /usr/lib/tls/libnvidia-tls.so.1: cannot restore segment prot after reloc: Permission denied
I get the same permission problem for libGLcore.so.1 and libGL.so.1. After chcon on these three files I simply get a segfault.
If I try to start the games with setenforce 0, no problems whatsoever. Anyone know what is going on?
Oh I'm using the proprietary nvidia drivers and kernel 2.6.16.
Thanks

jcliburn
3rd May 2006, 01:50 AM
Post the avc: denied messages (if any) you see in the syslog when you encounter the error.

mrkilgoretrout
3rd May 2006, 03:57 AM
Thanks for the reply. I got it to work by recompiling the kernel module with selinux turned off, then chcon on the three files in question. The games now run with selinux on. Is this a security problem for me? Anyone know what was happening?
Before changing the context of any files, syslog reports:

kernel: audit(1146624558.177:56): avc: denied { execmod } for pid=7779 comm="doom.x86" name="libnvidia-tls.so.1.0.8756" dev=dm-0 ino=10880506 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
with similar messages for the other two files.

Firewing1
3rd May 2006, 04:10 AM
I recently was convinced to try SELinux and found out how to make custom modules:

su -
echo 'AVC ERROR HERE' >> audit.log
audit2allow -M MyPolicyName < audit.log
setenforce 0
semodule -i MyPolicyName.pp
setenforce 1
It should work now. Please note that "AVC ERROR HERE" must be a copy > paste of your AVC error, and NEVER overwrite the audit.log file. The thing is you must uninstall your policy:
su -
setenforce 0
semodule -r MyPolicyName
setenforce 1
before installing a new one. And if you overwrite audit.log you'll lose changes to your previous module.
Firewing1
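
A way to review what a set of AVC denials would grant before building a policy module from them, as an added example that is not part of the original posts. The first sample line is the denial quoted in the thread; the second line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line: the denial quoted in the thread. Second line: constructed for illustration.
SAMPLE = [
    'kernel: audit(1146624558.177:56): avc: denied { execmod } for pid=7779 '
    'comm="doom.x86" name="libnvidia-tls.so.1.0.8756" dev=dm-0 ino=10880506 '
    'scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file',
    'kernel: audit(1146624600.000:57): avc: denied { read write } for pid=7780 '
    'comm="example" name="example.dat" dev=dm-0 ino=1 '
    'scontext=user_u:system_r:example_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that relax memory protections; worth a manual look before allowing.
MEMPROT = {"execmod", "execmem", "execstack", "execheap"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules are written on the type.
    for key, short in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":")
        rec[short] = parts[2] if len(parts) > 2 else "?"
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class) and flag risky permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec.get("tclass", "?"))].update(rec["perms"])
    return [
        {"rule": f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};",
         "review": sorted(p & MEMPROT)}
        for (s, t, c), p in sorted(rules.items())
    ]

if __name__ == "__main__":
    for item in summarize(SAMPLE):
        flag = "  <-- review: " + ", ".join(item["review"]) if item["review"] else ""
        print(item["rule"] + flag)
```

An allow rule applies to every file of the target type, so the thread's denial turned into a rule would cover all `lib_t` files, not only the three nvidia libraries.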

jcliburn
3rd May 2006, 01:54 PM
> Thanks for the reply. I got it to work by recompiling the kernel module with selinux turned off, then chcon on the three files in question. The games now run with selinux on. Is this a security problem for me? Anyone know what was happening?
> Before changing the context of any files, syslog reports:
>
> kernel: audit(1146624558.177:56): avc: denied { execmod } for pid=7779 comm="doom.x86" name="libnvidia-tls.so.1.0.8756" dev=dm-0 ino=10880506 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
> with similar messages for the other two files.

It's not a security problem for you. The default SELinux policy wasn't aware of your game, so it griped when you tried to load libraries needed by the game. You handled it perfectly by changing the context of the libs.