Bug 467066 - desktop effect with selinux (compiz)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
rawhide
All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-10-15 11:18 EDT by Dominick Grift
Modified: 2008-10-29 14:11 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-10-29 14:11:46 EDT
Attachments
Selinux denegation for compiz (3.11 KB, text/plain), 2008-10-20 18:06 EDT, Pau
Selinux denegation for dropbox (3.65 KB, text/plain), 2008-10-20 18:06 EDT, Pau

Description Dominick Grift 2008-10-15 11:18:21 EDT
Description of problem:

Need these perms for desktop effects (compiz) to work:

allow $1 xdm_xserver_t:shm { read write unix_read unix_write };
allow $1 xdm_xserver_tmpfs_t:file { read write };
dev_rw_dri($1)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.12-1.fc10.noarch

How reproducible:

put it in permissive
enable desktop effects
put it in enforcing (not recommended)
Comment 1 Pau 2008-10-20 10:01:16 EDT
What happened to me is that if I try to enable desktop effects while selinux is enabled, it blocks compiz (I have no effects :(). Same happened when I tried to execute Skype or Dropbox, and I didn't know how to allow them to execute (or how to say to selinux: "Hey! Let them work!").
Comment 2 Daniel Walsh 2008-10-20 11:01:57 EDT
Pau, please attach your avc messages.  I am pretty sure your errors are not the same as the ones mentioned above.

Domg472 please check to see if this works with the latest rawhide.

(Works for me...)
Comment 3 Dominick Grift 2008-10-20 17:44:22 EDT
Updated rawhide still shows the same avc denials.

Maybe I should note that I am using the proprietary nvidia drivers.
Comment 4 Pau 2008-10-20 18:06:12 EDT
Created attachment 320939 [details]
Selinux denegation for compiz
Comment 5 Pau 2008-10-20 18:06:34 EDT
Created attachment 320940 [details]
Selinux denegation for dropbox
Comment 6 Daniel Walsh 2008-10-21 09:11:48 EDT
Pau, if you execute the commands mentioned in the setroubleshoot does the problem go away?  Are these AVCs causing any real problem?

I have no idea what dropbox is, but it might be coded badly.

domg444

Please attach the AVCs you are seeing.
Comment 7 Dominick Grift 2008-10-21 09:50:00 EDT
node=rawhide.grift.internal type=SYSCALL msg=audit(1224596658.698:1418): arch=c000003e syscall=30 success=yes exit=854568960 a0=0 a1=0 a2=0 a3=1 items=0 ppid=1 pid=9725 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="compiz" exe="/usr/bin/compiz" subj=domg472:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { read write } for  pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file 
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { read write } for  pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm 
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { unix_read unix_write } for  pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm 

Strange, although I loaded semodule -DB, it isn't showing the dev_rw_dri() right now.
Comment 8 Dominick Grift 2008-10-21 10:07:03 EDT
node=rawhide.grift.internal type=AVC msg=audit(1224597454.575:147): avc:  denied  { read write } for  pid=3298 comm="compiz" name="nvidiactl" dev=tmpfs ino=9862 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

There we go.
Comment 9 Daniel Walsh 2008-10-21 11:41:54 EDT
domg444

Could you run ausearch -i on
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied  { read write } for  pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023

to see what file it is referring to?


nvidiactl looks like it needs policy.

Use of shm is fixed in selinux-policy-3.5.13-3.fc10.noarch
Comment 10 Dominick Grift 2008-10-21 11:57:19 EDT
sh-3.2# /sbin/ausearch -m avc -ts today -i | grep xdm_xserver_tmpfs_t
node=rawhide.grift.internal type=AVC msg=audit(10/21/2008 15:44:18.698:1418) : avc:  denied  { read write } for  pid=9725 comm=compiz path=/SYSV00000000 (deleted) dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
Comment 11 Dominick Grift 2008-10-21 11:58:30 EDT
I will try that again with effects enabled (if I can get it to start).
Comment 12 Dominick Grift 2008-10-21 12:05:41 EDT
Sorry, I cannot reproduce it right now. Compiz is not working at the moment. Will try this again when compiz works again.
Comment 13 Pau 2008-10-21 12:50:40 EDT
At this moment you can try activating the compositing extension of gnome. Just open a terminal and run gconf-editor. Then go to apps > metacity > general and enable compositing (you'll be able to use apps such as awn or others that need compositing)... and all without compiz!
Comment 14 Daniel Walsh 2008-10-21 14:30:25 EDT
 audit2allow  -w -i /tmp/t
node=rawhide.grift.internal type=AVC msg=audit(10/21/2008 15:44:18.698:1418) : avc:  denied  { read write } for  pid=9725 comm=compiz path=/SYSV00000000 (deleted) dev=tmpfs ino=0 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file

	Was caused by:
	The boolean allow_write_xshm was set incorrectly. 
	Description:
	Allows clients to write to the X server shared memory segments.

	Allow access by executing:
	# setsebool -P allow_write_xshm 1
Comment 15 Dominick Grift 2008-10-21 14:40:45 EDT
Whoops, I did not think of that. Thanks
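The two things this thread turns on are decoding the hex-encoded path= field that Dan could not read in comment 9 (ausearch -i does it in comment 10) and deciding, as audit2allow -w does in comment 14, whether a batch of denials needs a new rule or is already covered by a boolean. The script below is an added example written for this page; it is not code from the bug, the selinux-policy project or the audit tools. It re-implements those two steps over the raw AVC records posted in comments 7 and 8, embedded as constructed sample input. The boolean table it carries is an assumption that holds only the one pairing comment 14 reports; a real tool derives that mapping from the installed policy.

```python
"""Make sense of raw SELinux AVC denials the way ausearch -i and audit2allow do.

Added example for this thread, not code from the bug, the selinux-policy
project or the audit tools. The records below are the ones posted in comments
7 and 8, embedded as constructed sample input so the script runs offline.
"""
import re

# Raw audit.log records from comments 7 and 8. String fields are as the kernel
# wrote them: path= is hex-encoded because its value contains a space.
SAMPLE_AVCS = """\
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { read write } for  pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { read write } for  pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc:  denied  { unix_read unix_write } for  pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm
node=rawhide.grift.internal type=AVC msg=audit(1224597454.575:147): avc:  denied  { read write } for  pid=3298 comm="compiz" name="nvidiactl" dev=tmpfs ino=9862 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
"""

# Fields the kernel writes either quoted (plain text) or as an unquoted hex
# string (value contains a space, a quote or a non-printable byte).
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Denials that an existing boolean already covers should be fixed with
# setsebool, not with a custom module. Constructed for this example: it holds
# only the pairing that comment 14's `audit2allow -w` reports.
BOOLEAN_FOR = {
    ("xdm_xserver_tmpfs_t", "file"): "allow_write_xshm",
}


def decode_audit_field(name, raw):
    """Return the printable value of one key=value field (what ausearch -i shows)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if name in HEX_ENCODED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Parse one raw AVC denial record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        # shm denials carry neither path= nor name=, so this may be None
        "path": fields.get("path") or fields.get("name"),
        "tclass": fields["tclass"],
        # a context is user:role:type[:mls]; the third field is the type
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


def parse_all(text):
    """Parse every AVC record in a block of audit.log text, skipping the rest."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials into the allow rules audit2allow would propose, one per
    (source type, target type, class), permissions sorted for stable output."""
    merged = {}
    for r in records:
        merged.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in merged.items()]


def boolean_hint(record):
    """Name of a boolean that already covers this denial, or None."""
    return BOOLEAN_FOR.get((record["ttype"], record["tclass"]))


if __name__ == "__main__":
    records = parse_all(SAMPLE_AVCS)
    for r in records:
        print("%s denied %s on %s:%s (%s)" % (r["comm"], " ".join(r["perms"]),
                                               r["ttype"], r["tclass"], r["path"]))
        hint = boolean_hint(r)
        if hint:
            print("  -> covered by boolean, try: setsebool -P %s 1" % hint)
    print("\nRules a custom module would need otherwise:")
    for rule in allow_rules(records):
        print("  " + rule)
```

Run against a live system with `ausearch -m avc -ts today | python3 avc_triage.py` style piping by replacing SAMPLE_AVCS with stdin; it expects raw records, not the already-interpreted output of `ausearch -i`, which leaves the decoded path unquoted and breaks simple key=value splitting. Checking for a covering boolean before writing a module is the point of comment 14: the tmpfs denial was a configuration choice already expressed by the policy, and a hand-written allow rule would have granted it permanently and unconditionally instead.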
