This is Fedora 19 beta + all updates, mostly from "fedora" repo (so I assume it's basically F19 proper by now). The system has i5-3317U CPU with HD 4000 graphics. Quake Live (http://www.quakelive.com/) loads but works with like 5 fps on this system, gfxinfo shows Gallium/llvmpipe rendering. I couldn't figure out what's the problem, as games like Neverball and Xonotic worked ok, not to mention glxinfo and glxgears. So I've tried setenforce 0 and voila - everything works! So it must be SELinux-related. Maybe it's because libGL loads /usr/lib64/dri/i965_dri.so to which Firefox probably isn't allowed access? I really don't know. I don't know where to get correct info about SELinux denials for this. Can you tell me where to look?
ausearch -m avc -ts recent
[root@ponton ~]# ausearch -m avc -ts recent
<no matches>

That explains no setroubleshoot whinge, I guess. It's not a coincidence though, I can always fix this with setenforce 0 and break again by setting 1...
getsebool selinuxuser_direct_dri_enabled
selinuxuser_direct_dri_enabled --> on

As I wrote in the original submission, everything OpenGL-related (including games like Xonotic) works. It's only Quake Live having a problem, presumably because it works from plugin-container, from Firefox's context.
# semodule -DB
re-test
# ausearch -m avc,user_avc -ts recent
# grep context /var/log/messages
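How to read the kind of record the ausearch step above is meant to surface once `semodule -DB` has rebuilt the policy with dontaudit rules disabled, as an added example that is not part of the original bug comments. The sample records are constructed, and the `dri_device_t` target type and every field value in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed ausearch-style output; every pid, inode, timestamp and context is made up.
SAMPLE = """\
----
time->Fri Jun 21 07:33:20 2013
type=SYSCALL msg=audit(1371800000.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="plugin-containe"
type=AVC msg=audit(1371800000.101:310): avc:  denied  { read write } for  pid=2301 comm="plugin-containe" name="card0" dev="devtmpfs" ino=9001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1371800000.105:311): avc:  denied  { open } for  pid=2301 comm="plugin-containe" path="/dev/dri/card0" dev="devtmpfs" ino=9001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1371800000.230:312): avc:  denied  { ioctl } for  pid=2301 comm="plugin-containe" path="/dev/dri/card0" dev="devtmpfs" ino=9001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1371800000.400:313): avc:  denied  { read } for  pid=2301 comm="plugin-containe" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0
"""

# Anchored on "type=AVC" so SYSCALL and USER_AVC records are not matched.
AVC_RE = re.compile(
    r"type=AVC\s.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other or truncated record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    src, tgt = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
    if src is None or tgt is None:
        return None
    return {"source": src, "target": tgt, "tclass": m["tclass"], "perms": set(m["perms"].split())}

def summarize(text):
    """Merge denials into {(source type, target type, class): sorted permissions}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in merged.items()}

def allow_rules(summary):
    """Render each merged denial as the allow rule it corresponds to, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

On a real system `audit2allow` performs this translation from the audit log; the point here is only to show which fields of a record identify the confined domain and the object it was denied.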
Currently we don't allow mozilla_plugin_t to use the /dev/dri type devices. If you install and compile this policy, I bet it will work better.

# cat > myfirefox.te << _EOF
policy_module(myfirefox, 1.0)
gen_require(\`
type mozilla_plugin_t;
')
dev_rw_dri(mozilla_plugin_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myfirefox.pp
↑ That set of commands worked (with \` ;)). I can play in Enforcing mode now. I guess that answers Miroslav's needinfo as well... Can this be made into permanent policy update?
186dc6c7a2f5a69107224e097a1c446ca369c6d7 and 186dc6c7a2f5a69107224e097a1c446ca369c6d7 will cause the plugins to use the selinuxuser_direct_dri_enabled boolean, which should be on by default.
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.