[Fedora 12 Beta] opengl applications -> avc: denied execstack

[sangu]

OS : Fedora 12 Beta or Rawhide (20091022)
SElinux : ON
Nvidia driver version : 190.42

SELinux is preventing OpenGL applications from making the program stack
executable.

$glxgears
glxgears: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

Code:

/var/log/audit/audit.log
[skip]
node=localhost.localdomain type=AVC msg=audit(1256256177.849:18): avc:  denied  { execstack } for  pid=2945 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1256256177.849:18): arch=c000003e syscall=10 success=no exit=-13 a0=7fff96612000 a1=1000 a2=1000007 a3=7ffeac9eca79 items=0 ppid=2215 pid=2945 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

$ getsebool -a | grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off

< http://people.redhat.com/drepper/selinux-mem.html >

[mooninite]

Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.

[artem]

Quote:

Originally Posted by mooninite

Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.

with -P

Code:

setsebool -P allow_execstack 1

[kwizart]

There is another way to fix this, it's to remove the execution stack requirement.
That can be done using execstack from the prelink package:
execstack -c nvidia/libGL.so.190.42 ,others and etc.
and for the binaries:
execstack -c /usr/bin/nvidia-settings

Unfortunately, this last (execstack on binaries ) doesn't work on x86 binaries:

Quote:

execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-settings: Reshuffling of objects to make room for
program header entry only supported for shared libraries
execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-smi: Reshuffling of objects to make room for
program header entry only supported for shared libraries
error: Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
# ['bash', '--login', '-c', 'rpmbuild -bb --target i686 --nodeps builddir/build/SPECS/xorg-x11-drv-nvidia.spec']
Traceback (most recent call last):

In theses case (and then for x86_64 binaries) it seems easier to build from source, wich can be done easily.

But then I wonder if we will need to build the exact version of each tool or we can assume nvidia-xconfig 190.42 will work fine with 96.43.14 and 173.14.22 drivers ...?

Then there is another question related to:
Does patching the nvidia binaries will be a problem ?

Nicolas (kwizart)