Bug 179656 - NVIDIA proprietary X driver policy updates needed
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-02-01 16:57 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.16-1
Doc Type: Bug Fix
Last Closed: 2006-02-23 15:19:11 EST

Attachments
Patch for updated location of NVIDIA libGL* (746 bytes, patch), 2006-02-01 16:57 EST, Ville Skyttä
audit.log from unsuccessful X startup (5.48 KB, text/plain), 2006-02-17 11:33 EST, Ville Skyttä
ATrpms nvidia file_contexts adjustments (476 bytes, text/plain), 2006-03-31 13:17 EST, Tim Fenn

Description Ville Skyttä 2006-02-01 16:57:28 EST
The NVIDIA proprietary X driver things need updating in the targeted policy:

First, the NVIDIA libGL* libs are in the /usr/lib(64)/nvidia dir on my box
(package from livna.org).  Patch attached.

Second, when starting X, I get this in logs:
(II) Loading /usr/lib64/xorg/modules/drivers/nvidia_drv.so
dlopen: /usr/lib64/xorg/modules/drivers/nvidia_drv.so: cannot enable executable
stack as shared object requires: Permission denied
(EE) Failed to load /usr/lib64/xorg/modules/drivers/nvidia_drv.so

"execstack -c /usr/lib64/xorg/modules/drivers/nvidia_drv.so" fixes it.  Is there
a way to accomplish that in the selinux policy out of the box?
Comment 1 Ville Skyttä 2006-02-01 16:57:28 EST
Created attachment 123997
Patch for updated location of NVIDIA libGL*
Comment 2 Daniel Walsh 2006-02-14 15:37:41 EST
Fixed in selinux-policy-2.2.15-2
Comment 3 Ville Skyttä 2006-02-17 11:33:30 EST
Created attachment 124821
audit.log from unsuccessful X startup

The library permissions seem to be fixed in 2.2.15-4, but the problem with
nvidia_drv.so (see initial comment) persists.  audit.log snippet from
unsuccessful X/gdm startup attached.
Comment 4 Daniel Walsh 2006-02-20 11:15:57 EST
selinux-policy-2.2.16-1 Adds the execstack priv to xserver, although it would be
good to report this as a bug to nvidia.

Dan
Comment 5 Ville Skyttä 2006-02-23 15:19:11 EST
Confirmed working and reported at
http://www.nvnews.net/vbulletin/showthread.php?t=65363
Comment 6 Lonni J Friedman 2006-02-23 15:38:46 EST
NVIDIA has bug 207999 open for this issue.

Thanks,
Lonni
Comment 7 Axel Thimm 2006-03-31 05:58:54 EST
Dan, could you also add ATrpms' paths to selinux-policy? E.g. something like

-/usr/lib(64)?/xorg/modules/extensions/nvidia/libglx\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
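Review bot: The `(-[^/]*)?` added to the directory component in the + line accepts any suffix after `nvidia-`, so `textrel_shlib_t` would be applied to `libglx.so` under every directory of that shape; if the ATrpms packages use one known suffix format, match that instead, and add a comment naming ATrpms as the source of the path. Both the - and + entries are also wrapped so that `gen_context(...)` sits on its own line; the path, the `--` file type and the context need to be on one line when the entry is applied.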

Thanks!

(BTW who do I need to contact to get the appropriate rights to reopen bugs?)
Comment 8 Daniel Walsh 2006-03-31 11:49:03 EST
This is a sorting problem in FC5.  The context is in the file, but it is being
overridden by a path later in the file.  I will update the policy to fix the
problem.

As far as who to contact, I have no idea.

Dan
Comment 9 Tim Fenn 2006-03-31 13:17:02 EST
Created attachment 127143
ATrpms nvidia file_contexts adjustments
Comment 10 Tim Fenn 2006-03-31 13:18:24 EST
I've attached the full list of modifications to file_contexts required for the
ATrpms nvidia drivers, which includes the glx and GLcore changes.
Comment 11 Thorsten Leemhuis 2006-04-01 02:49:20 EST
(In reply to comment #8)
> This is a sorting problem in FC5.  The context is in the file, but it is being
> overridden by a path later in the file.  I will update the policy to fix the
> problem.

Dan, could you also take a look at Bug #187476 please -- a lot of livna users
are hitting this currently
Comment 12 Axel Thimm 2006-08-14 04:55:40 EDT
(In reply to comment #8)
> I will update the policy to fix the problem.

I think this got forgotten, because Tim's comment #7 was done after the bug was
closed, so I'm reopening it (unless you prefer to clone the bug instead?)

I received a bug report from a strict policy user (this is targeted, but I guess
the fix/bug will be the same), that's how I remembered this one.

Thanks!
