Originally Posted by AaronP
I don't know about paxctl. I'd suggest looking at the selinux workarounds in nvidia-installer. You can hopefully do something similar with paxctl.
There's not really anything about SELinux in the installer.
PAX protects against things SELinux doesn't, like preventing programs from writing code in their data region and then executing it, like the nvidia driver apparently does. You can see why that is a security risk.
This is what PAX can do to any file:
Flag  Name      Description
P     PAGEEXEC  Refuse code execution on writable pages based on the NX bit (or emulated NX bit)
S     SEGMEXEC  Refuse code execution on writable pages based on the segmentation logic of IA-32
E     EMUTRAMP  Allow known code execution sequences on writable pages that should not cause any harm
M     MPROTECT  Prevent the creation of new executable code to the process address space
R     RANDMMAP  Randomize the stack base to prevent certain stack overflow attacks from being successful
X     RANDEXEC  Randomize the address where the application maps to to prevent certain attacks from being exploitable
Currently PAX is preventing the nvidia driver from doing all those.
Can you tell me what the relevant files in the nvidia driver require for opengl to work?
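
An added example, not part of the original post: one way to audit which of the flags in the table a given binary or library carries, by reading the `PT_PAX_FLAGS` ELF program header that paxctl edits. It assumes markings are stored in that header (not in extended attributes); the function names and the sample image are constructed for illustration.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, the program header type paxctl edits

# (letter, enable bit, disable bit) in p_flags, listed in the order of the table above
PAX_BITS = [("P", 1 << 4, 1 << 5), ("S", 1 << 6, 1 << 7), ("E", 1 << 12, 1 << 13),
            ("M", 1 << 8, 1 << 9), ("R", 1 << 14, 1 << 15), ("X", 1 << 10, 1 << 11)]

def read_pax_flags(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the file has none."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + (8 if is64 else 28) > len(elf):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags directly follows p_type in ELF64 but sits at offset 24 in ELF32
            return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    return None

def describe(flags):
    """Uppercase = enforced, lowercase = explicitly disabled, '-' = left to the kernel default."""
    if flags is None:
        return None
    return "".join(l if flags & on else l.lower() if flags & off else "-"
                   for l, on, off in PAX_BITS)

def sample_elf(flags):
    """Constructed minimal ELF64 little-endian image with a single PT_PAX_FLAGS header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr

if __name__ == "__main__":
    # Constructed marking: PAGEEXEC enforced, EMUTRAMP and MPROTECT explicitly disabled
    print(describe(read_pax_flags(sample_elf((1 << 4) | (1 << 13) | (1 << 9)))))
```

A lowercase `m` in the result marks a file that has been exempted from MPROTECT, which is the exemption worth tracking when a driver library is relaxed to make it load.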