Bug 978615 - Quake Live falls back to software rendering on HD 4000 graphics with setenforce 1
Quake Live falls back to software rendering on HD 4000 graphics with setenfor...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2013-06-26 19:40 EDT by Leszek Matok
Modified: 2013-07-06 21:33 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-59.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-07-06 21:33:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Leszek Matok 2013-06-26 19:40:34 EDT
This is Fedora 19 beta + all updates, mostly from "fedora" repo (so I assume it's basically F19 proper by now).

The system has i5-3317U CPU with HD 4000 graphics.

Quake Live (http://www.quakelive.com/) loads but works with like 5 fps on this system, gfxinfo shows Gallium/llvmpipe rendering.

I couldn't figure out what's the problem, as games like Neverball and Xonotic worked ok, not to mention glxinfo and glxgears. So I've tried setenforce 0 and voila - everything works! So it must be SELinux-related.

Maybe it's because libGL loads /usr/lib64/dri/i965_dri.so to which Firefox probably isn't allowed access? I really don't know.

I don't know where to get correct info about SELinux denials for this. Can you tell me where to look?
Comment 1 Daniel Walsh 2013-06-27 10:44:53 EDT
ausearch -m avc -ts recent
Comment 2 Leszek Matok 2013-06-27 12:04:09 EDT
[root@ponton ~]# ausearch -m avc -ts recent
<no matches>

That explains no setroubleshoot whinge, I guess.

It's not a coincidence though, I can always fix this with setenforce 0 and break again by setting 1...
Comment 3 Daniel Walsh 2013-06-27 15:26:05 EDT
getsebool selinuxuser_direct_dri_enabled
Comment 4 Leszek Matok 2013-06-27 18:46:42 EDT
selinuxuser_direct_dri_enabled --> on

As I wrote in the original submission, everything OpenGL-related (including games like Xonotic) works. It's only Quake Live having a problem, presumably because it works from plugin-container, from Firefoxes context.
Comment 5 Miroslav Grepl 2013-06-28 04:42:53 EDT
# semodule -DB


# ausearch -m avc,user_avc -ts recent

# grep context /var/log/messages
Comment 6 Daniel Walsh 2013-06-28 07:02:16 EDT
Currently we dont allow mozilla_plugin_t to use the /dev/dri type devices.

If you install and compile this policy, I bet it will work better

# cat > myfirefox.te << _EOF
policy_module(myfirefox, 1.0)
type mozilla_plugin_t;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myfirefox.pp
Comment 7 Leszek Matok 2013-06-28 12:40:14 EDT
↑ That set of commands worked (with \` ;)). I can play in Enforcing mode now.

I guess that answers Miroslav's needinfo as well...

Can this be made into permanent policy update?
Comment 8 Daniel Walsh 2013-06-28 14:19:33 EDT
186dc6c7a2f5a69107224e097a1c446ca369c6d7 and

Will cause the plugins to use the selinuxuser_direct_dri_enabled boolean, which should be on by default.
Comment 9 Fedora Update System 2013-07-03 15:50:30 EDT
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19.
Comment 10 Fedora Update System 2013-07-04 22:14:14 EDT
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-07-06 21:33:25 EDT
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.