Red Hat Bugzilla – Bug 468678
NVIDIA driver causes confusing SELinux denials
Last modified: 2009-10-16 23:08:35 EDT
This bug was reported at rpmfusion.org:
But it possibly is a bug in the SELinux policy.
Description of problem:
With (a)kmod-nvidia.x86_64 and xorg-x11-drv-nvidia.x86_64 installed in a
current Rawhide system, otherwise unsuspicious applications get in trouble with
SELinux. There are no problems when just using Rawhide's
The denials are execmem and execstack related. I will attach examples with
glxinfo. But it also happens with applications like vinagre or openoffice.org
-- perhaps every application which somehow uses OpenGL.
Version-Release number of selected component (if applicable):
In permissive mode it seems that only the first invocation of an affected
application triggers the denials. Subsequent invocations of the same
application seem to work fine. In enforcing mode you always get the denials.
Steps to Reproduce:
1. Activate SELinux
2. Install and activate the xorg-x11-drv-nvidia.x86_64 driver package
3. Run glxinfo in a shell
execstack and execmem denials by SELinux
Working accelerated OpenGL without warnings by SELinux
It seems that only applications specifically built for F10 have
problems. While glx-utils-7.2-0.13.fc10.x86_64 causes denials, the OpenGL
application celestia-1.5.0-1.fc9.x86_64 (note the fc9!) works perfectly well
for example. So this could also be related to changes in gcc or default compiler
flags. Though I could not find any notices about such changes.
Created attachment 321607
glxinfo gets an execmem denial
Created attachment 321608
glxinfo gets an execstack denial
There is not much we can do about this other than turn the allow_execstack boolean on. Have you opened up a bug with nvidia?
We don't have access to their closed source drivers or libraries. So please report it to them.
For now you can turn off the check by executing
setsebool -P allow_execstack 1
*** Bug 515625 has been marked as a duplicate of this bug. ***
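An added example, not part of the original bug thread: since `setsebool -P allow_execstack 1` relaxes the check system-wide, it helps to first see which commands and source domains actually hit execmem/execstack denials. The Python sketch below summarizes them from audit records; the log lines are constructed samples in the usual AVC record layout, and the function name `memexec_denials` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1225000001.101:40): avc:  denied  { execstack } for  pid=2911 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1225000001.102:41): avc:  denied  { execmem } for  pid=2911 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1225000001.102:41): arch=c000003e syscall=10 success=no exit=-13 pid=2911 comm="glxinfo"
type=AVC msg=audit(1225000009.500:52): avc:  denied  { execmem } for  pid=2930 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1225000020.010:60): avc:  denied  { execmem } for  pid=3050 comm="vinagre" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1225000030.777:71): avc:  denied  { read } for  pid=3100 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

MEM_PERMS = {"execmem", "execstack"}  # the two denial types named in the report
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def memexec_denials(log_text):
    """Return {(comm, source domain type): {permission: count}} for
    execmem/execstack denials on the 'process' class; other records are skipped."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL and other non-AVC records
        perms = set(match.group(1).split()) & MEM_PERMS
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
        if not perms or fields.get("tclass") != "process":
            continue  # unrelated denial, e.g. a file read
        # scontext is user:role:type[:level]; the type is the policy domain.
        parts = fields.get("scontext", "").split(":")
        domain = parts[2] if len(parts) > 2 else "?"
        for perm in perms:
            summary[(fields.get("comm", "?"), domain)][perm] += 1
    return {key: dict(counts) for key, counts in summary.items()}


if __name__ == "__main__":
    for (comm, domain), counts in sorted(memexec_denials(SAMPLE_LOG).items()):
        print(f"{comm} ({domain}): {counts}")
```

On a real system the input would be the text of the audit log rather than `SAMPLE_LOG`.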