Bug 468678

Summary: NVIDIA driver causes confusing SELinux denials
Product: [Fedora] Fedora
Reporter: Torsten Rausche <trausche>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: sangu.fedora, torsten
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-29 17:51:06 UTC

Attachments:
glxinfo gets an execmem denial (flags: none)
glxinfo gets an execstack denial (flags: none)

Description Torsten Rausche 2008-10-27 12:33:01 UTC
This bug was reported at rpmfusion.org:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=90
But it possibly is a bug in the SELinux policy.

Description of problem:
With (a)kmod-nvidia.x86_64 and xorg-x11-drv-nvidia.x86_64 installed in a
current Rawhide system, otherwise unsuspicious applications get in trouble with
SELinux. There are no problems when just using Rawhide's
xorg-x11-drv-nv.x86_64.

The denials are execmem and execstack related. I will attach examples with
glxinfo. But it also happens with applications like vinagre or openoffice.org
-- perhaps every application which somehow uses OpenGL.

Version-Release number of selected component (if applicable):
xorg-x11-drv-nvidia-177.80-1.fc10.x86_64
xorg-x11-drv-nvidia-libs-177.80-1.fc10.x86_64
kmod-nvidia-177.80-1.fc10.1.x86_64
kmod-nvidia-2.6.27.3-27.rc1.fc10.x86_64-177.80-1.fc10.1.x86_64
akmod-nvidia-177.80-1.fc10.x86_64
selinux-policy-3.5.13-4.fc10.noarch
selinux-policy-targeted-3.5.13-4.fc10.noarch
glx-utils-7.2-0.13.fc10.x86_64
mesa-libGL-7.2-0.13.fc10.x86_64
mesa-libGLU-7.2-0.13.fc10.x86_64

How reproducible:
In permissive mode it seems that only the first invocation of an affected
application triggers the denials. Subsequent invocations of the same
application seem to work fine. In enforcing mode you always get the denials.

Steps to Reproduce:
1. Activate SELinux
2. Install and activate the xorg-x11-drv-nvidia.x86_64 driver package
3. Run glxinfo in a shell

Actual results:
execstack and execmem denials by SELinux

Expected results:
Working accelerated OpenGL without warnings by SELinux

Additional Information:
It seems that only applications specifically built for F10 have
problems. While glx-utils-7.2-0.13.fc10.x86_64 causes denials, the OpenGL
application celestia-1.5.0-1.fc9.x86_64 (note the fc9!) works perfectly well
for example. So this could also be related to changes in gcc or default compiler
flags. Though I could not find any notices about such changes.

Comment 1 Torsten Rausche 2008-10-27 12:35:57 UTC
Created attachment 321607
glxinfo gets an execmem denial

Comment 2 Torsten Rausche 2008-10-27 12:37:01 UTC
Created attachment 321608
glxinfo gets an execstack denial

Comment 3 Daniel Walsh 2008-10-29 17:51:06 UTC
There is not much we can do about this other than turn the allow_execstack boolean on.  Have you opened up a bug with nvidia?

We don't have access to their closed-source drivers or libraries.  So please report it to them.

For now you can turn off the check by executing

setsebool -P allow_execstack 1
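
Added example, not part of the original thread or of the selinux-policy project: because allow_execstack is a system-wide boolean, it helps to see which programs and domains are actually hitting execmem/execstack denials before turning it on. The audit lines below are constructed in the usual AVC format (pids, timestamps and contexts are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two process-class permissions this bug is about.
MEMORY_PERMS = {"execmem", "execstack"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines; none of them come from the bug's attachments.
SAMPLE_LOG = [
    'type=AVC msg=audit(1225110781.101:41): avc:  denied  { execmem } for  pid=3021 '
    'comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1225110781.102:42): avc:  denied  { execstack } for  pid=3021 '
    'comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1225110781.102:42): arch=c000003e syscall=10 success=no',
    'type=AVC msg=audit(1225110790.300:43): avc:  denied  { execstack } for  pid=3050 '
    'comm="vinagre" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1225110800.500:44): avc:  denied  { read } for  pid=2200 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission set, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize(lines):
    """Map (comm, source SELinux type) to the execmem/execstack permissions denied."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "process":
            continue  # skip non-AVC records and denials on files, sockets, etc.
        hits = rec["perms"] & MEMORY_PERMS
        context = rec.get("scontext", "").split(":")  # user:role:type[:level]
        if hits and len(context) >= 3:
            summary[(rec.get("comm", "?"), context[2])] |= hits
    return dict(summary)

if __name__ == "__main__":
    for (comm, domain), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{comm} ({domain}): {', '.join(sorted(perms))}")
```

On a real system the same functions can be fed the lines of the audit log instead of SAMPLE_LOG; a summary that lists only the expected OpenGL clients supports the report that the driver libraries are the common factor.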

Comment 4 sangu 2009-10-17 03:08:35 UTC
*** Bug 515625 has been marked as a duplicate of this bug. ***