nV News Forums

 
 


sangu 10-22-09 07:21 PM

[Fedora 12 Beta] opengl applications -> avc: denied execstack
 
OS : Fedora 12 Beta or Rawhide (20091022)
SElinux : ON
Nvidia driver version : 190.42

SELinux is preventing OpenGL applications from making the program stack
executable.

$ glxgears
glxgears: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

Code:

/var/log/audit/audit.log
[skip]
node=localhost.localdomain type=AVC msg=audit(1256256177.849:18): avc:  denied  { execstack } for  pid=2945 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1256256177.849:18): arch=c000003e syscall=10 success=no exit=-13 a0=7fff96612000 a1=1000 a2=1000007 a3=7ffeac9eca79 items=0 ppid=2215 pid=2945 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

$ getsebool -a | grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off

< http://people.redhat.com/drepper/selinux-mem.html >

mooninite 10-22-09 09:13 PM

Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack
 
Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.

artem 10-23-09 03:57 AM

Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack
 
Quote:

Originally Posted by mooninite (Post 2109542)
Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.

with -P :)

Code:

setsebool -P allow_execstack 1

kwizart 11-14-09 02:09 PM

Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack
 
There is another way to fix this: removing the execution stack requirement.
That can be done using execstack from the prelink package:
execstack -c nvidia/libGL.so.190.42 ,others and etc.
and for the binaries:
execstack -c /usr/bin/nvidia-settings

Unfortunately, this last (execstack on binaries) doesn't work on x86 binaries:
Quote:

execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-settings: Reshuffling of objects to make room for
program header entry only supported for shared libraries
execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-smi: Reshuffling of objects to make room for
program header entry only supported for shared libraries
error: Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
# ['bash', '--login', '-c', 'rpmbuild -bb --target i686 --nodeps builddir/build/SPECS/xorg-x11-drv-nvidia.spec']
Traceback (most recent call last):

In these cases (and then for x86_64 binaries) it seems easier to build from source, which can be done easily.

But then I wonder if we will need to build the exact version of each tool or we can assume nvidia-xconfig 190.42 will work fine with 96.43.14 and 173.14.22 drivers ...?

Then there is another related question:
Will patching the nvidia binaries be a problem?

Nicolas (kwizart)

