Bug 1162546

Summary: missing SELinux policy for Xorg.bin
Product: [Fedora] Fedora Reporter: Mykola Dvornik <mykola.dvornik>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: bgvaughan, dm, dwalsh, faassen, giulio.martinat, gsgatlin, mgrepl, mykola.dvornik, pschmidt.gaz, slartibart70, slobodyan.vac, sudhir, tbmostafa
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-105.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-30 23:55:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
grep Xorg.bin /var/log/audit/audit.log none

Description Mykola Dvornik 2014-11-11 10:00:26 UTC 
Created attachment 956199 [details]
grep Xorg.bin /var/log/audit/audit.log

Description of problem:

SELinux prevents Xorg.bin from accessing the /tmp and /var/log 

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-95.fc21
xorg-x11-server-Xorg-1.16.1-1

How reproducible:

Persistent

Steps to Reproduce:
1. start process with optirun command provided by the bumblebee
2. 
3.

Actual results:

Fails with 'SELinux is preventing Xorg.bin from ...'

Expected results:

Runs just fine

Additional info:
Comment 1 Miroslav Grepl 2014-11-11 10:29:43 UTC 
Ok. If you execute

# chcon -t xserver_exec_t /usr/libexec/Xorg.bin

does everything work for you?
Comment 2 Mykola Dvornik 2014-11-11 12:08:14 UTC 
(In reply to Miroslav Grepl from comment #1)
> Ok. If you execute
> 
> # chcon -t xserver_exec_t /usr/libexec/Xorg.bin
> 
> does everything work for you?

yes, solves the problem. thanks a lot.
Comment 3 Gary Gatling 2014-11-24 16:13:02 UTC 
Hello,

I am the person trying to make rpm packages for bumblebee + fedora.

Here is my current selinux policy module:

http://pastebin.com/c2EZJ18z

If I have the system set to "permissive" mode then everything works ok.

If I set the system to "enforcing" it does not work. But setroubleshooter does not show anything in fedora 21. Like there are no popups.

If I just use my policy module in enforcing I get the error:

systemd-logind: failed to get session: PID XXXX does not belong to any known session

If I run 

chcon -t xserver_exec_t /usr/libexec/Xorg.bin

the error changes to:

Xlib: extension "GLX" missing on display ":8"

but "glxgears -info" is segfaulting at that point.

I have two strace outputs. One from when its in "enforcing" (fail)

optirun -b primus strace -o/tmp/fail glxgears -info

http://pastebin.com/JJPKb3Ch

The other from when its in "permissive" (succeed)

optirun -b primus strace -o/tmp/succeed glxgears -info

http://pastebin.com/GWGUnKBW

Does anyone have any hints I could use to troubleshoot the issue? I'm not
really a huge selinux expert or anything. I merely used audit2allow just
to get far enough in my policy module to make the troubleshooter messages
go away. I had to add a huge amount of rules to get it to work in fedora 21 compared to fedora 20 but I must be still missing "something."

Thanks in advance for any ideas anyone has. I guess we should strive to get it to work in enforcing mode since it is now the default in fedora 21. Although I can still use permissive myself on my home machine if this can't be made to work and I'll still be ok. But people still had issues so I thought I should try...
Comment 4 Mykola Dvornik 2014-11-25 10:45:56 UTC 
Most likely the issues is due to the SELinux environment sanitation. The bumblebeed is executed on behalf of root and then it starts Xorg.bin that drops its privileges to user. (prominent F21 change). So the LD_LIBRARY_PATH set by root gets cleared on root->user transition. 

Miroslav, could you please comment on this?
Comment 5 Miroslav Grepl 2014-12-19 10:44:40 UTC 
Gary,
are you getting AVC in permissive mode with 

chcon -t xserver_exec_t /usr/libexec/Xorg.bin

and without your custom module?
Comment 6 Gary Gatling 2014-12-19 19:08:13 UTC 
Hello.

After making a version of my package without the selinux module and testing it on a fresh fedora 21 install, that does seem to get rid of any AVC message. Ran

chcon -t xserver_exec_t /usr/libexec/Xorg.bin

as root.

Also, just to provide more information, I had to make a patch beginning in fedora 21 to bumblebee.

The patch is here:

http://pastebin.com/XQNz8HYt

And it is applied in the spec file as 

# xorg binary moved to new path in fedora 21+
%if 0%{?fedora} >20
%patch0 -p1 -b .xorgwrapfix
%endif

If this patch is missing, then bumblebee calls a shell wrapper at /usr/bin/Xorg and the special library paths are missing when it goes through the shell wrapper for some reason I do not understand. So it fails to work.


I know you did not ask for this but just to satisfy my own curiosity I also tried setting selinux into "enforcing" mode and it still does not work and running the provided command. The error message with no selinux module and "enforcing" mode after running "chcon -t xserver_exec_t /usr/libexec/Xorg.bin" is:

[gsgatlin@y470c]$ optirun -b primus glxgears -info
Xlib: extension "GLX" missing on display ":8".

abrt shows "mesa-demos quit unexpectedly" right after that.


Hope this information was helpful. Let me know if you need me to provide anything further.
Comment 7 Mykola Dvornik 2015-01-04 13:00:24 UTC 
for me chcon solves the problem even in the enforcing mode. The only problem I have at the moment is the SELinux environment sanitation that cleans-up LD_LIBRARY_PATH when Xorg.wrap starts to play with setuid/setgid.
Comment 8 Dawid Mos 2015-01-04 21:31:33 UTC 
I've same situation as Gary.
After running "chcon -t xserver_exec_t /usr/libexec/Xorg.bin" got:
Xlib: extension "GLX" missing on display ":8"

After "setenforce 0" everything is fine with optirun so "chcon..." doesn't solve the problem.
Comment 9 Brian Vaughan 2015-01-04 21:38:45 UTC 
(In reply to Dawid Mos from comment #8)

Same experience here. After "setenforce 0", "PRIMUS_VERBOSE=2 optirun -b primus glxgears -info" produces the expected result of a window with animated gears and informational log messages, and no errors.
Comment 10 Daniel Walsh 2015-01-05 13:29:34 UTC 
What does

ausearch -m avc -ts recent

Show
Comment 11 Gary Gatling 2015-01-05 14:24:58 UTC 
Hi. I re-installed a laptop with f21 over christmas holiday. Its my main system now. On my f21 system

[root@y470 ~]# ausearch -m avc -ts recent
<no matches>

Running 

optirun -b primus glxgears -info

doesn't seem to make any difference in the output on my laptop. I think I may have added some rules though since I got some more alerts. I was going to try to add those to my policy this week in the rpm.

If I change it to a earlier date: (12/1/2014)
----
time->Wed Dec 17 14:15:02 2014
type=AVC msg=audit(1418843702.545:402): avc:  denied  { read } for  pid=13760 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
----
time->Thu Dec 18 03:31:02 2014
type=AVC msg=audit(1418891462.148:494): avc:  denied  { read } for  pid=5434 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Thu Dec 18 03:31:02 2014
type=AVC msg=audit(1418891462.148:495): avc:  denied  { getattr } for  pid=5434 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Fri Dec 19 03:43:02 2014
type=AVC msg=audit(1418978582.252:529): avc:  denied  { read } for  pid=2924 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Fri Dec 19 03:43:02 2014
type=AVC msg=audit(1418978582.252:530): avc:  denied  { getattr } for  pid=2924 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 03:30:02 2014
type=AVC msg=audit(1419064202.476:541): avc:  denied  { read } for  pid=9422 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Sat Dec 20 03:30:02 2014
type=AVC msg=audit(1419064202.476:542): avc:  denied  { getattr } for  pid=9422 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:34:23 2014
type=AVC msg=audit(1419078863.344:603): avc:  denied  { rename } for  pid=10609 comm="Xorg.bin" name="Xorg.8.log" dev="dm-1" ino=3670375 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:34:23 2014
type=AVC msg=audit(1419078863.344:604): avc:  denied  { unlink } for  pid=10609 comm="Xorg.bin" name="Xorg.8.log.old" dev="dm-1" ino=3670360 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:35:57 2014
type=AVC msg=audit(1419078957.475:605): avc:  denied  { unlink } for  pid=10766 comm="Xorg.bin" name="Xorg.8.log.old" dev="dm-1" ino=3670375 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----

time->Sun Dec 21 03:35:01 2014
type=AVC msg=audit(1419150901.586:879): avc:  denied  { read } for  pid=14782 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Sun Dec 21 03:35:01 2014
type=AVC msg=audit(1419150901.587:880): avc:  denied  { getattr } for  pid=14782 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Mon Dec 22 03:50:02 2014
type=AVC msg=audit(1419238202.395:611): avc:  denied  { read } for  pid=28914 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Mon Dec 22 03:50:02 2014
type=AVC msg=audit(1419238202.396:612): avc:  denied  { getattr } for  pid=28914 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.513:608): avc:  denied  { read } for  pid=25342 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.514:609): avc:  denied  { getattr } for  pid=25342 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.736:610): avc:  denied  { getattr } for  pid=25342 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Dec 24 03:11:02 2014
type=AVC msg=audit(1419408662.089:1313): avc:  denied  { read } for  pid=28631 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Dec 24 03:11:02 2014
type=AVC msg=audit(1419408662.089:1314): avc:  denied  { getattr } for  pid=28631 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Thu Dec 25 03:34:02 2014
type=AVC msg=audit(1419496442.485:530): avc:  denied  { read } for  pid=4319 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Thu Dec 25 03:34:02 2014
type=AVC msg=audit(1419496442.485:531): avc:  denied  { getattr } for  pid=4319 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1498): avc:  denied  { write } for  pid=25588 comm="Xorg.bin" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1499): avc:  denied  { mknod } for  pid=25588 comm="Xorg.bin" capability=27  scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:system_r:bumblebee_t:s0 tclass=capability permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1500): avc:  denied  { add_name } for  pid=25588 comm="Xorg.bin" name="nvidia0" scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1501): avc:  denied  { create } for  pid=25588 comm="Xorg.bin" name="nvidia0" scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1502): avc:  denied  { setattr } for  pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1503): avc:  denied  { chown } for  pid=25588 comm="Xorg.bin" capability=0  scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:system_r:bumblebee_t:s0 tclass=capability permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1504): avc:  denied  { read write } for  pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1505): avc:  denied  { open } for  pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1506): avc:  denied  { getattr } for  pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1507): avc:  denied  { read write } for  pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1508): avc:  denied  { open } for  pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1509): avc:  denied  { ioctl } for  pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 19:26:17 2014
type=AVC msg=audit(1419812777.439:1601): avc:  denied  { ioctl } for  pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
Comment 12 Miroslav Grepl 2015-01-06 10:33:35 UTC 
Ok we have more issues here. I am going to label 

commit 03f58844e96ec89e32eded1f385de6d203b9f9e8
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 6 11:30:12 2015 +0100

    Label /usr/libexec/Xorg.bin as xserver_exec_t.


Garry,
what does

restorecon -Rv /var/cache/dnf
Comment 13 slartibart70 2015-01-12 15:26:03 UTC 
Just to add my expieriences with a freshly installed fc21 on a lenovo t440p laptop (having a nvidia 730M card alongside the intel gpu).

As previously stated, the relabeling of the Xorg.bin is not sufficient when having selinux enabled:

$ ll -Z /usr/libexec/Xorg.bin
-rwxr-xr-x. root root system_u:object_r:xserver_exec_t:s0 /usr/libexec/Xorg.bin

$ setenforce 1
$ optirun glxgears -info
Xlib:  extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual

$ setenforce 0
$ optirun glxgears -info
GL_RENDERER   = GeForce GT 730M/PCIe/SSE2
GL_VERSION    = 4.4.0 NVIDIA 340.46
GL_VENDOR     = NVIDIA Corporation
GL_EXTENSIONS = GL_AMD_multi_draw_indirect GL_AMD_seamless_cubemap_per_texture GL_ARB_arrays_of_arrays GL_ARB_base_instance GL_ARB_bindless_texture GL_ARB_blend_func_extended GL_ARB_buffer_storage GL_ARB_clear_buffer_object GL_ARB_clear_texture GL_ARB_color_buffer_float GL_ARB_compatibility GL_ARB_compressed_texture_pixel_storage GL_ARB_conservative_depth GL_ARB_compute_shader GL_ARB_compute_variable_group_size GL_ARB_copy_buffer [... shortened ...]

What is needed so optirun runs with selinux in enforcing mode?
Any help is appreciated!
Comment 14 Miroslav Grepl 2015-01-14 13:40:53 UTC 
What AVC are you getting in permissive mode?

Re-test in permissive and run

# ausearch -m avc,user_avc -ts recent
Comment 15 pschmidt.gaz 2015-01-15 23:52:35 UTC 
I would like to join this bug as well. This is what I got from my system.

# primusrun glxgears -info
# optirun -b none /usr/bin/nvidia-settings -c :8
# ausearch -m avc,user_avc -ts recent

----
time->Thu Jan 15 21:39:01 2015
type=PROCTITLE msg=audit(1421365141.269:400): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365141.269:400): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5610 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365141.269:400): avc:  denied  { open } for  pid=5610 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Jan 15 21:42:44 2015
type=PROCTITLE msg=audit(1421365364.890:413): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365364.890:413): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5783 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365364.890:413): avc:  denied  { open } for  pid=5783 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Jan 15 21:43:56 2015
type=PROCTITLE msg=audit(1421365436.917:414): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365436.917:414): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5829 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365436.917:414): avc:  denied  { open } for  pid=5829 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
Comment 16 Fedora Update System 2015-01-27 16:50:03 UTC 
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Comment 17 Fedora Update System 2015-01-30 04:32:55 UTC 
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).
Comment 18 pschmidt.gaz 2015-01-30 10:33:17 UTC 
It changed the error but did not fix the problem. Now I am able to enter the nvidia control panel. However, not only the panel is unable to fetch the opengl/glx data (error: "Failed to query the GLX server vendor."), but other programs are also unable to display anything in 3d. Some examples:

primusrun glxgears
Xlib:  extension "GLX" missing on display ":8".
Segmentation fault (core dumped)

primusrun ./valley 
Loading "/home/pcastellani/.Valley/valley_1.0.cfg"...
Loading "libGPUMonitor_x64.so"...
Loading "libGL.so.1"...
Loading "libopenal.so.1"...
Set 1920x1080 fullscreen video mode
Xlib:  extension "GLX" missing on display ":8".
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1920x1080 fullscreen video mode

Can't set video mode
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1920x1080 fullscreen video mode

Set 1280x720 windowed video mode
Xlib:  extension "GLX" missing on display ":8".
GLAppWindow::create_visual(): glXChooseFBConfig(): failed

Unigine fatal error
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1280x720 windowed video mode
Shutdown
AL lib: (EE) alc_cleanup: 1 device not closed

Note: Valley now does enter the configuration screen, it did not do so previously, the above message is returned once I attempt to launch the benchmark from there.

The previous ausearch command does not return anything. The programs do work when enforcing is disabled as before.
Comment 19 Fedora Update System 2015-01-30 23:55:23 UTC 
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 V. Slobodyan 2015-01-31 10:32:00 UTC 
New version of selinux-policy still can't fix issue:

$ yum list selinux-policy
selinux-policy.noarch  3.13.1-105.fc21

$ optirun glxgears
Xlib:  extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual

More verbose level:

$ optirun -vv glxgears
[ 1262.072085] [DEBUG]Reading file: /etc/bumblebee/bumblebee.conf
[ 1262.072478] [INFO]Configured driver: nvidia
[ 1262.072762] [DEBUG]optirun version 3.2.1 starting...
[ 1262.072768] [DEBUG]Active configuration:
[ 1262.072770] [DEBUG] bumblebeed config file: /etc/bumblebee/bumblebee.conf
[ 1262.072771] [DEBUG] X display: :8
[ 1262.072772] [DEBUG] LD_LIBRARY_PATH: /usr/lib64/nvidia-bumblebee:/usr/lib/nvidia-bumblebee:/usr/lib64:/usr/lib
[ 1262.072775] [DEBUG] Socket path: /var/run/bumblebee.socket
[ 1262.072777] [DEBUG] Accel/display bridge: auto
[ 1262.072778] [DEBUG] VGL Compression: proxy
[ 1262.072780] [DEBUG] VGLrun extra options: 
[ 1262.072781] [DEBUG] Primus LD Path: /usr/lib/primus:/usr/lib64/primus
[ 1262.072848] [DEBUG]Using auto-detected bridge virtualgl
[ 1263.250550] [INFO]Response: Yes. X is active.

[ 1263.250561] [INFO]Running application using virtualgl.
[ 1263.250626] [DEBUG]Process vglrun started, PID 31981.
Xlib:  extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual
[ 1263.372244] [DEBUG]SIGCHILD received, but wait failed with No child processes
[ 1263.372261] [DEBUG]Socket closed.
[ 1263.372271] [DEBUG]Killing all remaining processes.
Comment 21 V. Slobodyan 2015-01-31 11:08:00 UTC 
Issue still here with SELINUX=enforcing

But with SELINUX=permissive his gone. As early was.

So, for me selinux-policy update is not solution.
Comment 22 Gary Gatling 2015-02-17 00:08:34 UTC 
Hello, So I think this should be fixed now.

In order to get bumblebee to work with the nouveau driver it was necessary to create a  bumblebee-nouveau package. One of the things it does is add selinux security policy. Here is what it looks like after fixing it today:

http://fpaste.org/186296/

For the nvidia driver there is a different package called bumblebee-nvidia. It has a different SELinux policy here that was just fixed today:


http://fpaste.org/186297/


So I was able to figure out what was missing. The missing part I added was this:

http://fpaste.org/186298/

The way I figured it out was to run:

semodule --disable_dontaudit --build

reboot a couple of times. Run it again. Run optirun a few times in both enforcing and permissive mode. Then realize that even though there were no popup about "AVC" denials from the selinux troubleshooter app there were actionable items in the audit.log that "audit2allow" was able to translate for me. The only way I was able to see them was by using this "semodule --disable_dontaudit --build" command.

Hope that helps out.
Comment 23 giulix 2015-02-17 18:49:34 UTC 
Nice work! I can now go playing GAMES!!!

Seriously, thank you!
Comment 24 antaka 2015-02-21 03:37:13 UTC 
Wonder what version of bumblebee this fix went in?
Comment 25 Gary Gatling 2015-02-21 16:20:10 UTC 
Hello. The policies are in

bumblebee-nvidia-346.35-3

or

bumblebee-nouveau-1.2.0-1

I linked to the policies in my previous comment.

Hope that helps.