Bug 1162546 - missing SELinux policy for Xorg.bin

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 21 |
| Status | CLOSED ERRATA |
| Reporter | Mykola Dvornik <mykola.dvornik> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Ben Levenson <benl> |
| CC | bgvaughan, dm, dwalsh, faassen, giulio.martinat, gsgatlin, mgrepl, mykola.dvornik, pschmidt.gaz, slartibart70, slobodyan.vac, sudhir, tbmostafa |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Fixed In Version | selinux-policy-3.13.1-105.fc21 |
| Last Closed | 2015-01-30 23:55:23 UTC |
| Attachments | 956199: grep Xorg.bin /var/log/audit/audit.log |
**Comment 1**

Ok. If you execute

```
# chcon -t xserver_exec_t /usr/libexec/Xorg.bin
```

does everything work for you?

**Comment 2**

(In reply to Miroslav Grepl from comment #1)
> Ok. If you execute
>
> # chcon -t xserver_exec_t /usr/libexec/Xorg.bin
>
> does everything work for you?

Yes, solves the problem. Thanks a lot.

**Comment 3**

Hello, I am the person trying to make rpm packages for bumblebee + fedora. Here is my current selinux policy module: http://pastebin.com/c2EZJ18z

If I have the system set to "permissive" mode then everything works ok. If I set the system to "enforcing" it does not work. But setroubleshooter does not show anything in fedora 21. Like there are no popups.

If I just use my policy module in enforcing I get the error:

```
systemd-logind: failed to get session: PID XXXX does not belong to any known session
```

If I run `chcon -t xserver_exec_t /usr/libexec/Xorg.bin` the error changes to:

```
Xlib: extension "GLX" missing on display ":8"
```

but "glxgears -info" is segfaulting at that point.

I have two strace outputs. One from when it's in "enforcing" (fail):

```
optirun -b primus strace -o/tmp/fail glxgears -info
```

http://pastebin.com/JJPKb3Ch

The other from when it's in "permissive" (succeed):

```
optirun -b primus strace -o/tmp/succeed glxgears -info
```

http://pastebin.com/GWGUnKBW

Does anyone have any hints I could use to troubleshoot the issue? I'm not really a huge selinux expert or anything. I merely used audit2allow just to get far enough in my policy module to make the troubleshooter messages go away. I had to add a huge amount of rules to get it to work in fedora 21 compared to fedora 20 but I must be still missing "something." Thanks in advance for any ideas anyone has. I guess we should strive to get it to work in enforcing mode since it is now the default in fedora 21. Although I can still use permissive myself on my home machine if this can't be made to work and I'll still be ok. But people still had issues so I thought I should try...

**Comment 4**

Most likely the issue is due to the SELinux environment sanitation. The bumblebeed is executed on behalf of root and then it starts Xorg.bin, which drops its privileges to user (prominent F21 change). So the LD_LIBRARY_PATH set by root gets cleared on the root->user transition.

Miroslav, could you please comment on this?

**Comment 5**

Gary, are you getting AVC in permissive mode with `chcon -t xserver_exec_t /usr/libexec/Xorg.bin` and without your custom module?

**Comment 6**

Hello. After making a version of my package without the selinux module and testing it on a fresh fedora 21 install, that does seem to get rid of any AVC message. Ran `chcon -t xserver_exec_t /usr/libexec/Xorg.bin` as root.

Also, just to provide more information, I had to make a patch beginning in fedora 21 to bumblebee. The patch is here: http://pastebin.com/XQNz8HYt

And it is applied in the spec file as

```
# xorg binary moved to new path in fedora 21+
%if 0%{?fedora} >20
%patch0 -p1 -b .xorgwrapfix
%endif
```

If this patch is missing, then bumblebee calls a shell wrapper at /usr/bin/Xorg and the special library paths are missing when it goes through the shell wrapper for some reason I do not understand. So it fails to work.

I know you did not ask for this but just to satisfy my own curiosity I also tried setting selinux into "enforcing" mode and running the provided command, and it still does not work. The error message with no selinux module and "enforcing" mode after running "chcon -t xserver_exec_t /usr/libexec/Xorg.bin" is:

```
[gsgatlin@y470c]$ optirun -b primus glxgears -info
Xlib: extension "GLX" missing on display ":8".
```

abrt shows "mesa-demos quit unexpectedly" right after that.

Hope this information was helpful. Let me know if you need me to provide anything further.

**Comment 7**

For me chcon solves the problem even in the enforcing mode. The only problem I have at the moment is the SELinux environment sanitation that cleans up LD_LIBRARY_PATH when Xorg.wrap starts to play with setuid/setgid.

**Comment 8**

I have the same situation as Gary. After running "chcon -t xserver_exec_t /usr/libexec/Xorg.bin" I got:

```
Xlib: extension "GLX" missing on display ":8"
```

After "setenforce 0" everything is fine with optirun, so "chcon..." doesn't solve the problem.

**Comment 9**

(In reply to Dawid Mos from comment #8)

Same experience here. After "setenforce 0", "PRIMUS_VERBOSE=2 optirun -b primus glxgears -info" produces the expected result of a window with animated gears and informational log messages, and no errors.

**Comment 10**

What does

```
ausearch -m avc -ts recent
```

show?

**Comment 11**

Hi. I re-installed a laptop with f21 over the christmas holiday. It's my main system now. On my f21 system:

```
[root@y470 ~]# ausearch -m avc -ts recent
<no matches>
```

Running `optirun -b primus glxgears -info` doesn't seem to make any difference in the output on my laptop. I think I may have added some rules though since I got some more alerts. I was going to try to add those to my policy this week in the rpm.

If I change it to an earlier date (12/1/2014):

```
----
time->Wed Dec 17 14:15:02 2014
type=AVC msg=audit(1418843702.545:402): avc: denied { read } for pid=13760 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
----
time->Thu Dec 18 03:31:02 2014
type=AVC msg=audit(1418891462.148:494): avc: denied { read } for pid=5434 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Thu Dec 18 03:31:02 2014
type=AVC msg=audit(1418891462.148:495): avc: denied { getattr } for pid=5434 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Fri Dec 19 03:43:02 2014
type=AVC msg=audit(1418978582.252:529): avc: denied { read } for pid=2924 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Fri Dec 19 03:43:02 2014
type=AVC msg=audit(1418978582.252:530): avc: denied { getattr } for pid=2924 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 03:30:02 2014
type=AVC msg=audit(1419064202.476:541): avc: denied { read } for pid=9422 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Sat Dec 20 03:30:02 2014
type=AVC msg=audit(1419064202.476:542): avc: denied { getattr } for pid=9422 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:34:23 2014
type=AVC msg=audit(1419078863.344:603): avc: denied { rename } for pid=10609 comm="Xorg.bin" name="Xorg.8.log" dev="dm-1" ino=3670375 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:34:23 2014
type=AVC msg=audit(1419078863.344:604): avc: denied { unlink } for pid=10609 comm="Xorg.bin" name="Xorg.8.log.old" dev="dm-1" ino=3670360 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----
time->Sat Dec 20 07:35:57 2014
type=AVC msg=audit(1419078957.475:605): avc: denied { unlink } for pid=10766 comm="Xorg.bin" name="Xorg.8.log.old" dev="dm-1" ino=3670375 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
----
time->Sun Dec 21 03:35:01 2014
type=AVC msg=audit(1419150901.586:879): avc: denied { read } for pid=14782 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Sun Dec 21 03:35:01 2014
type=AVC msg=audit(1419150901.587:880): avc: denied { getattr } for pid=14782 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Mon Dec 22 03:50:02 2014
type=AVC msg=audit(1419238202.395:611): avc: denied { read } for pid=28914 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Mon Dec 22 03:50:02 2014
type=AVC msg=audit(1419238202.396:612): avc: denied { getattr } for pid=28914 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.513:608): avc: denied { read } for pid=25342 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.514:609): avc: denied { getattr } for pid=25342 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Tue Dec 23 03:44:01 2014
type=AVC msg=audit(1419324241.736:610): avc: denied { getattr } for pid=25342 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Dec 24 03:11:02 2014
type=AVC msg=audit(1419408662.089:1313): avc: denied { read } for pid=28631 comm="logrotate" name="dnf" dev="dm-0" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Dec 24 03:11:02 2014
type=AVC msg=audit(1419408662.089:1314): avc: denied { getattr } for pid=28631 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-0" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Thu Dec 25 03:34:02 2014
type=AVC msg=audit(1419496442.485:530): avc: denied { read } for pid=4319 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Thu Dec 25 03:34:02 2014
type=AVC msg=audit(1419496442.485:531): avc: denied { getattr } for pid=4319 comm="logrotate" path="/var/cache/dnf/x86_64/21/hawkey.log" dev="dm-1" ino=3933479 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1498): avc: denied { write } for pid=25588 comm="Xorg.bin" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1499): avc: denied { mknod } for pid=25588 comm="Xorg.bin" capability=27 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:system_r:bumblebee_t:s0 tclass=capability permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1500): avc: denied { add_name } for pid=25588 comm="Xorg.bin" name="nvidia0" scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1501): avc: denied { create } for pid=25588 comm="Xorg.bin" name="nvidia0" scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1502): avc: denied { setattr } for pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1503): avc: denied { chown } for pid=25588 comm="Xorg.bin" capability=0 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:system_r:bumblebee_t:s0 tclass=capability permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1504): avc: denied { read write } for pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:38 2014
type=AVC msg=audit(1419796238.359:1505): avc: denied { open } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1506): avc: denied { getattr } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1507): avc: denied { read write } for pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1508): avc: denied { open } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 14:50:39 2014
type=AVC msg=audit(1419796239.423:1509): avc: denied { ioctl } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Sun Dec 28 19:26:17 2014
type=AVC msg=audit(1419812777.439:1601): avc: denied { ioctl } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
```

**Comment 12**

Ok, we have more issues here. I am going to label

```
commit 03f58844e96ec89e32eded1f385de6d203b9f9e8
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 6 11:30:12 2015 +0100

    Label /usr/libexec/Xorg.bin as xserver_exec_t.
```

Gary, what does `restorecon -Rv /var/cache/dnf`

**Comment 13**

Just to add my experiences with a freshly installed fc21 on a lenovo t440p laptop (having a nvidia 730M card alongside the intel gpu). As previously stated, the relabeling of the Xorg.bin is not sufficient when having selinux enabled:

```
$ ll -Z /usr/libexec/Xorg.bin
-rwxr-xr-x. root root system_u:object_r:xserver_exec_t:s0 /usr/libexec/Xorg.bin
$ setenforce 1
$ optirun glxgears -info
Xlib: extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual
$ setenforce 0
$ optirun glxgears -info
GL_RENDERER = GeForce GT 730M/PCIe/SSE2
GL_VERSION = 4.4.0 NVIDIA 340.46
GL_VENDOR = NVIDIA Corporation
GL_EXTENSIONS = GL_AMD_multi_draw_indirect GL_AMD_seamless_cubemap_per_texture GL_ARB_arrays_of_arrays GL_ARB_base_instance GL_ARB_bindless_texture GL_ARB_blend_func_extended GL_ARB_buffer_storage GL_ARB_clear_buffer_object GL_ARB_clear_texture GL_ARB_color_buffer_float GL_ARB_compatibility GL_ARB_compressed_texture_pixel_storage GL_ARB_conservative_depth GL_ARB_compute_shader GL_ARB_compute_variable_group_size GL_ARB_copy_buffer
[... shortened ...]
```

What is needed so optirun runs with selinux in enforcing mode? Any help is appreciated!

**Comment 14**

What AVC are you getting in permissive mode? Re-test in permissive and run

```
# ausearch -m avc,user_avc -ts recent
```

**Comment 15**

I would like to join this bug as well. This is what I got from my system.

```
# primusrun glxgears -info
# optirun -b none /usr/bin/nvidia-settings -c :8
# ausearch -m avc,user_avc -ts recent
----
time->Thu Jan 15 21:39:01 2015
type=PROCTITLE msg=audit(1421365141.269:400): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365141.269:400): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5610 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365141.269:400): avc: denied { open } for pid=5610 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Jan 15 21:42:44 2015
type=PROCTITLE msg=audit(1421365364.890:413): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365364.890:413): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5783 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365364.890:413): avc: denied { open } for pid=5783 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Jan 15 21:43:56 2015
type=PROCTITLE msg=audit(1421365436.917:414): proctitle=2F7573722F6C6962657865632F586F72672E62696E003A38002D636F6E666967002F6574632F62756D626C656265652F786F72672E636F6E662E6E7669646961002D636F6E666967646972002F6574632F62756D626C656265652F786F72672E636F6E662E64002D7368617265767473002D6E6F6C697374656E00746370002D
type=SYSCALL msg=audit(1421365436.917:414): arch=c000003e syscall=2 success=yes exit=11 a0=82d45c a1=802 a2=0 a3=0 items=0 ppid=4418 pid=5829 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="Xorg.bin" exe="/usr/libexec/Xorg.bin" subj=system_u:system_r:bumblebee_t:s0 key=(null)
type=AVC msg=audit(1421365436.917:414): avc: denied { open } for pid=5829 comm="Xorg.bin" path="/dev/tty1" dev="devtmpfs" ino=1042 scontext=system_u:system_r:bumblebee_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
```

**Comment 16**

selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

**Comment 17**

Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

**Comment 18**

It changed the error but did not fix the problem. Now I am able to enter the nvidia control panel. However, not only is the panel unable to fetch the opengl/glx data (error: "Failed to query the GLX server vendor."), but other programs are also unable to display anything in 3d. Some examples:

```
primusrun glxgears
Xlib: extension "GLX" missing on display ":8".
Segmentation fault (core dumped)
```

```
primusrun ./valley
Loading "/home/pcastellani/.Valley/valley_1.0.cfg"...
Loading "libGPUMonitor_x64.so"...
Loading "libGL.so.1"...
Loading "libopenal.so.1"...
Set 1920x1080 fullscreen video mode
Xlib: extension "GLX" missing on display ":8".
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1920x1080 fullscreen video mode
Can't set video mode
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1920x1080 fullscreen video mode
Set 1280x720 windowed video mode
Xlib: extension "GLX" missing on display ":8".
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Unigine fatal error
GLAppWindow::create_visual(): glXChooseFBConfig(): failed
Engine::video_restart(): can't set 1280x720 windowed video mode
Shutdown
AL lib: (EE) alc_cleanup: 1 device not closed
```

Note: Valley now does enter the configuration screen; it did not do so previously. The above message is returned once I attempt to launch the benchmark from there.

The previous ausearch command does not return anything. The programs do work when enforcing is disabled, as before.

**Comment 19**

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

**Comment 20**

The new version of selinux-policy still can't fix the issue:

```
$ yum list selinux-policy
selinux-policy.noarch 3.13.1-105.fc21
$ optirun glxgears
Xlib: extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual
```

More verbose level:

```
$ optirun -vv glxgears
[ 1262.072085] [DEBUG]Reading file: /etc/bumblebee/bumblebee.conf
[ 1262.072478] [INFO]Configured driver: nvidia
[ 1262.072762] [DEBUG]optirun version 3.2.1 starting...
[ 1262.072768] [DEBUG]Active configuration:
[ 1262.072770] [DEBUG] bumblebeed config file: /etc/bumblebee/bumblebee.conf
[ 1262.072771] [DEBUG] X display: :8
[ 1262.072772] [DEBUG] LD_LIBRARY_PATH: /usr/lib64/nvidia-bumblebee:/usr/lib/nvidia-bumblebee:/usr/lib64:/usr/lib
[ 1262.072775] [DEBUG] Socket path: /var/run/bumblebee.socket
[ 1262.072777] [DEBUG] Accel/display bridge: auto
[ 1262.072778] [DEBUG] VGL Compression: proxy
[ 1262.072780] [DEBUG] VGLrun extra options:
[ 1262.072781] [DEBUG] Primus LD Path: /usr/lib/primus:/usr/lib64/primus
[ 1262.072848] [DEBUG]Using auto-detected bridge virtualgl
[ 1263.250550] [INFO]Response: Yes. X is active.
[ 1263.250561] [INFO]Running application using virtualgl.
[ 1263.250626] [DEBUG]Process vglrun started, PID 31981.
Xlib: extension "GLX" missing on display ":8".
Error: couldn't get an RGB, Double-buffered visual
[ 1263.372244] [DEBUG]SIGCHILD received, but wait failed with No child processes
[ 1263.372261] [DEBUG]Socket closed.
[ 1263.372271] [DEBUG]Killing all remaining processes.
```

The issue is still here with SELINUX=enforcing, but with SELINUX=permissive it's gone, as it was earlier. So, for me the selinux-policy update is not a solution.

**Comment 21**

Hello, so I think this should be fixed now. In order to get bumblebee to work with the nouveau driver it was necessary to create a bumblebee-nouveau package. One of the things it does is add selinux security policy. Here is what it looks like after fixing it today: http://fpaste.org/186296/

For the nvidia driver there is a different package called bumblebee-nvidia. It has a different SELinux policy here that was just fixed today: http://fpaste.org/186297/

So I was able to figure out what was missing. The missing part I added was this: http://fpaste.org/186298/

The way I figured it out was to run:

```
semodule --disable_dontaudit --build
```

reboot a couple of times. Run it again. Run optirun a few times in both enforcing and permissive mode. Then realize that even though there were no popups about "AVC" denials from the selinux troubleshooter app there were actionable items in the audit.log that "audit2allow" was able to translate for me. The only way I was able to see them was by using this "semodule --disable_dontaudit --build" command. Hope that helps out.

**Comment 22**

Nice work! I can now go playing GAMES!!! Seriously, thank you! Wonder what version of bumblebee this fix went in?

**Comment 23**

Hello. The policies are in bumblebee-nvidia-346.35-3 or bumblebee-nouveau-1.2.0-1. I linked to the policies in my previous comment. Hope that helps.
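As an added illustration (not code from this bug, from bumblebee, or from audit2allow itself), the following Python does for the ausearch output posted in this thread what audit2allow did for the packager above: it parses each AVC denial, groups the denials by source type, target type and object class, merges the permission sets, and renders them as allow rules, with a `comm` filter so the unrelated logrotate noise can be separated from the Xorg.bin denials. The sample records are copied from the comments above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the ausearch format seen in this bug
# (logrotate noise plus Xorg.bin running in bumblebee_t under permissive mode).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1418843702.545:402): avc: denied { read } for pid=13760 comm="logrotate" name="dnf" dev="dm-1" ino=3933474 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1419078863.344:603): avc: denied { rename } for pid=10609 comm="Xorg.bin" name="Xorg.8.log" dev="dm-1" ino=3670375 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1419078863.344:604): avc: denied { unlink } for pid=10609 comm="Xorg.bin" name="Xorg.8.log.old" dev="dm-1" ino=3670360 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1419796238.359:1499): avc: denied { mknod } for pid=25588 comm="Xorg.bin" capability=27 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:system_r:bumblebee_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1419796238.359:1504): avc: denied { read write } for pid=25588 comm="Xorg.bin" name="nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1419796238.359:1505): avc: denied { open } for pid=25588 comm="Xorg.bin" path="/dev/nvidia0" dev="devtmpfs" ino=992880 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    # Contexts are user:role:type[:range]; only the type matters for TE rules.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def summarize(text, comm=None):
    """Group denials by (source type, target type, class), merging permissions.

    Optionally keep only records from one command name (comm)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get('comm') != comm):
            continue
        groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return groups


def allow_rules(groups):
    """Render the grouped denials as TE allow rules, audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        target = 'self' if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def enforced_denials(text):
    """Records with permissive=0, i.e. denials that actually blocked an access.

    In enforcing mode the first such denial usually ends the run, so the
    rest never get logged; that is why the maintainers above ask for a
    re-test in permissive mode to get the complete list."""
    return [r for r in (parse_avc(l) for l in text.splitlines())
            if r and not r['permissive']]


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT, comm="Xorg.bin")):
        print(rule)
```

Denials covered by dontaudit rules never reach audit.log at all, so this parser, like audit2allow, only sees them after `semodule --disable_dontaudit --build` as described in the comment above; and a rule generated this way is a starting point for review, not something to load unread.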
**Description**

Created attachment 956199 [details]: grep Xorg.bin /var/log/audit/audit.log

Description of problem:
SELinux prevents Xorg.bin from accessing /tmp and /var/log

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-95.fc21
xorg-x11-server-Xorg-1.16.1-1

How reproducible:
Persistent

Steps to Reproduce:
1. start a process with the optirun command provided by bumblebee
2.
3.

Actual results:
Fails with 'SELinux is preventing Xorg.bin from ...'

Expected results:
Runs just fine

Additional info: