Description of problem:
Need these perms for desktop effects (compiz) to work:

allow $1 xdm_xserver_t:shm { read write unix_read unix_write };
allow $1 xdm_xserver_tmpfs_t:file { read write };
dev_rw_dri($1)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.12-1.fc10.noarch

How reproducible:
1. put it in permissive
2. enable desktop effects
3. put it in enforcing (not recommended)
What happened to me is that if I try to enable desktop effects while selinux is enabled, it blocks compiz (I have no effects :(). The same happened when I tried to execute Skype or Dropbox, and I didn't know how to allow them to execute (or how to say to selinux: "Hey! Let them work!").
Pau, please attach your avc messages. I am pretty sure your errors are not the same as the ones mentioned above. Domg472, please check to see if this works with the latest rawhide. (Works for me...)
Updated rawhide still shows the same avc denials. Maybe I should note that I am using the proprietary nvidia drivers.
Created attachment 320939 [details] SELinux denial for compiz
Created attachment 320940 [details] SELinux denial for dropbox
Pau, if you execute the commands mentioned in the setroubleshoot, does the problem go away? Are these AVCs causing any real problem? I have no idea what dropbox is, but it might be coded badly. domg444, please attach the avc's you are seeing.
node=rawhide.grift.internal type=SYSCALL msg=audit(1224596658.698:1418): arch=c000003e syscall=30 success=yes exit=854568960 a0=0 a1=0 a2=0 a3=1 items=0 ppid=1 pid=9725 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="compiz" exe="/usr/bin/compiz" subj=domg472:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { read write } for pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { read write } for pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { unix_read unix_write } for pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm

Strange, although I loaded semodule -DB, it isn't showing the dev_rw_dri() right now.
node=rawhide.grift.internal type=AVC msg=audit(1224597454.575:147): avc: denied { read write } for pid=3298 comm="compiz" name="nvidiactl" dev=tmpfs ino=9862 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

There we go.
domg444, could you run ausearch -i on

node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { read write } for pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023

to see what file it is referring to? nvidiactl looks like it needs policy. Use of shm is fixed in selinux-policy-3.5.13-3.fc10.noarch
sh-3.2# /sbin/ausearch -m avc -ts today -i | grep xdm_xserver_tmpfs_t
node=rawhide.grift.internal type=AVC msg=audit(10/21/2008 15:44:18.698:1418) : avc: denied { read write } for pid=9725 comm=compiz path=/SYSV00000000 (deleted) dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
I will try that again with effects enabled (if I can get it to start).
Sorry, I cannot reproduce it right now. Compiz is not working at the moment. Will try this again when compiz works again.
At this moment you can try activating the compositing extension of gnome. Just open a terminal and run gconf-editor. Then go to apps > metacity > general and enable compositing (you'll be able to use apps such as awn or others that need compositing)... and all without compiz!
audit2allow -w -i /tmp/t
node=rawhide.grift.internal type=AVC msg=audit(10/21/2008 15:44:18.698:1418) : avc: denied { read write } for pid=9725 comm=compiz path=/SYSV00000000 (deleted) dev=tmpfs ino=0 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
	Was caused by:
	The boolean allow_write_xshm was set incorrectly.
	Description:
	Allows clients to write to the X server shared memory segments.
	Allow access by executing:
	# setsebool -P allow_write_xshm 1
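Added example (not part of this bug report, the Fedora policy, or the audit tools): a small Python script that does by hand what the two commands used above do, so the steps are visible. It takes the raw AVC records quoted earlier in this thread (reassembled here as a constructed sample, one record per line), decodes the hex-encoded path the way ausearch -i does, merges the denials into allow rules the way audit2allow does, and flags the denial that a boolean covers, which is the check audit2allow -w performs. The BOOLEAN_HINTS table is a constructed stand-in for the policy's boolean descriptions and contains only the allow_write_xshm mapping this thread ran into; a real policy has many more.

```python
"""Decode raw SELinux AVC records and derive the allow rules they imply.

Added example for this thread (not the Fedora policy's or audit's own code):
it reproduces by hand what ausearch -i (hex field decoding) and
audit2allow / audit2allow -w (rule generation, boolean lookup) do.
"""
import re
from collections import defaultdict

# Constructed sample: the compiz denials quoted earlier in this thread, in the
# raw form the kernel emits (one record per line, path still hex-encoded).
SAMPLE_AVCS = """\
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { read write } for pid=9725 comm="compiz" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmpfs_t:s0 tclass=file
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { read write } for pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm
node=rawhide.grift.internal type=AVC msg=audit(1224596658.698:1418): avc: denied { unix_read unix_write } for pid=9725 comm="compiz" key=0 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm
node=rawhide.grift.internal type=AVC msg=audit(1224597454.575:147): avc: denied { read write } for pid=3298 comm="compiz" name="nvidiactl" dev=tmpfs ino=9862 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the audit subsystem emits either double-quoted (printable, no
# spaces or quotes) or as a bare hex string of the raw bytes.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}

# Stand-in for the boolean descriptions audit2allow -w consults; constructed
# for this example and containing only the boolean this thread ran into.
BOOLEAN_HINTS = {
    ("xdm_xserver_tmpfs_t", "file"): "allow_write_xshm",
}


def decode_audit_field(name, value):
    """Return the literal string for an audit field, undoing hex encoding.
    '/SYSV00000000 (deleted)' contains a space, so the kernel logs it as hex."""
    if name not in HEX_ENCODED_FIELDS:
        return value
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # not hex after all; keep the raw token


def parse_avc(line):
    """Parse one raw AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type[:range]; the policy rules need only the type.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
    }


def allow_rules(records_text):
    """Merge denials sharing (source type, target type, class) into one allow
    rule each, as audit2allow does, and collect any boolean that would cover
    a denial instead (the lookup audit2allow -w performs)."""
    merged = defaultdict(set)
    booleans = set()
    for line in records_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        hint = BOOLEAN_HINTS.get((rec["ttype"], rec["tclass"]))
        if hint:
            booleans.add(hint)
    rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]
    return rules, sorted(booleans)


if __name__ == "__main__":
    for line in SAMPLE_AVCS.splitlines():
        rec = parse_avc(line)
        print(f"{rec['comm']} -> {rec['ttype']}:{rec['tclass']} "
              f"{sorted(rec['perms'])} target={rec['target']}")
    rules, booleans = allow_rules(SAMPLE_AVCS)
    print("\n".join(rules))
    for b in booleans:
        print(f"# covered by a boolean instead: setsebool -P {b} 1")
```

The shm rule it emits matches the one requested in the bug description, and the xdm_xserver_tmpfs_t:file denial comes back tagged with allow_write_xshm rather than needing a custom module, which is the distinction audit2allow -w drew above. Prefer a boolean whenever one exists: a local allow rule survives policy updates and silently widens the domain, while a boolean is documented and can be turned back off.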
Whoops, I did not think of that. Thanks.