From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020

Description of problem:
I have a fully upgraded (as of today) FC3 system on which I always could install the NVIDIA drivers. But, to get a successful install after the last upgrade (today) (which included selinux-policy-targeted.noarch 1.17.30-2.58), I now have to "setenforce 0" before installing the NVIDIA drivers. Otherwise, the install fails due to several access denied issues, e.g.:

Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc: denied { write } for pid=3956 exe=/sbin/ldconfig path=/var/log/nvidia-installer.log dev=hda6 ino=517383 scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t tclass=file
Dec 25 18:51:34 tiger kernel: audit(1104022294.801:0): avc: denied { read } for pid=3956 exe=/sbin/ldconfig name=libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc: denied { getattr } for pid=3956 exe=/sbin/ldconfig path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:38 tiger kernel: audit(1104022298.997:0): avc: denied { getattr } for pid=3956 exe=/sbin/ldconfig path=/usr/lib/libGL.so.1.0.6629 dev=hda4 ino=521611 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file/avc

The initial context of root is "root:system_r:unconfined_t" and I can't change to "root:sysadm_r:sysadm_t". I did a "fixfiles relabel" and reboot without changing the outcome.

I don't think the issue is with the NVIDIA drivers, as they worked on FC3 before and as "setenforce 0" "fixes" the issue. I would appreciate pointers to what could be wrong. This bug could be related to #143633.

Best regards,
Erwin

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.58

How reproducible:
Always

Steps to Reproduce:
1. Fully upgrade FC3 as of 12/26/04.
2. Set "setenforce 1"
3. Try to install NVIDIA drivers.
4. Obtain error messages in /var/log/messages, see above.
5. Set "setenforce 0"
6. Try to install NVIDIA drivers again.
7. Success!

Actual Results:
I concluded that the selinux policy prevents the install from going through. Specifically, some libraries can't be found when needed after the install with "setenforce 1".

Expected Results:
Install of packages should not require selinux commands to be issued. If the rpm or install script does not customize the selinux permissions, a sensible default should be given by the selinux system.

Additional info:
I don't think the issue is specific to the NVIDIA driver install. This issue occurred only recently (after the last update). With earlier updates, I could always install the NVIDIA drivers. Note that the selinux FAQ is also no longer applicable to the selinux-policy-targeted, as the "id -Z" for root does not give the results shown in the FAQ.
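The denials quoted above are easiest to reason about once each is reduced to its source type, target type and object class; that is the shape in which a lib_t-where-shlib_t-is-expected mislabel shows up and can be fixed with restorecon rather than by turning enforcement off. Added example, not code from the bug report or from the Fedora policy: a POSIX sh helper that does this reduction over the report's own log lines (the comm= handling is an assumption covering newer audit output, which names the process with comm= instead of exe=).

```shell
#!/bin/sh
# summarize_avc: read syslog lines on stdin and print one
# "permission source_type target_type class exe" record per AVC denial.
summarize_avc() {
    awk '
    /avc: +denied/ {
        line = $0
        p = index(line, "denied {")           # permissions sit between { and }
        rest = substr(line, p + 8)
        q = index(rest, "}")
        perm = substr(rest, 1, q - 1)
        sub(/^ +/, "", perm); sub(/ +$/, "", perm)
        gsub(/ +/, ",", perm)                 # "{ read write }" -> "read,write"
        exe = "?"; stype = "?"; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "exe" || key == "comm") exe = val   # comm= on newer kernels (assumed)
            if (key == "tclass") tclass = val
            if (key == "scontext" || key == "tcontext") {
                split(val, c, ":")            # user:role:type -> keep the type
                if (key == "scontext") stype = c[3]; else ttype = c[3]
            }
        }
        printf "%s %s %s %s %s\n", perm, stype, ttype, tclass, exe
    }'
}

# denied_pairs: count distinct (source type, target type, class) triples,
# most frequent first; many lib_t hits from ldconfig_t point at a
# labeling problem on the installed files rather than a policy gap.
denied_pairs() {
    summarize_avc | cut -d' ' -f2-4 | sort | uniq -c | sort -rn
}

# Sample input: three denials copied from the report above plus one
# unrelated line that must be ignored.
sample_log() {
    cat <<'EOF'
Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc: denied { write } for pid=3956 exe=/sbin/ldconfig path=/var/log/nvidia-installer.log dev=hda6 ino=517383 scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t tclass=file
Dec 25 18:51:34 tiger kernel: audit(1104022294.801:0): avc: denied { read } for pid=3956 exe=/sbin/ldconfig name=libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc: denied { getattr } for pid=3956 exe=/sbin/ldconfig path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:40 tiger kernel: some unrelated message
EOF
}

sample_log | summarize_avc
sample_log | denied_pairs
```

On a live system replace sample_log with `grep 'avc: *denied' /var/log/messages`; the target types it reports are what restorecon on the affected paths should change.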
For now we don't have a good solution for this, other than to relabel the file system. Basically, to get it to work with SELinux you can:

setenforce 0
install NVIDIA
touch /.autorelabel
reboot
Daniel, will using setenforce Permissive still allow the installed files to be labelled correctly without the autorelabel/reboot?
No. You need to use an SELinux-aware application in order to label the files correctly (restorecon, rpm, setfiles ...). What we can do is allow ldconfig to read the mislabeled files (lib_t instead of shlib_t), and this will allow all not protected processes to work correctly (all of userspace).
I can confirm that the same bug happens to me.

Linux topaz 2.6.9-1.724_FC3 #1 Sun Jan 2 15:43:49 EST 2005 i686 athlon i386 GNU/Linux
NVIDIA GeForce2

I've gotten around this by using the System Settings/Security Level tool to disable SELinux and then rebooting, installing the NVIDIA driver and then issuing startx, re-enabling SELinux, then rebooting.

Regards,
Stephen
You should never disable/re-enable SELinux. As soon as you disable SELinux and boot, files will be written without proper File Context and you will need to relabel in order for the SELinux system to function properly. You can run SELinux in non-enforcing mode if you want to install a piece of software that the SELinux system will not allow you to install.

setenforce 0
INSTALL NVIDIA
setenforce 1

Should work fine on a targeted SELinux system.