Go Back   nV News Forums > Linux Support Forums > NVIDIA Linux

Newegg Daily Deals

Reply
 
Thread Tools
Old 10-22-09, 07:21 PM   #1
sangu
Registered User
 
Join Date: Feb 2005
Posts: 84
Default [Fedora 12 Beta] opengl applications -> avc: denied execstack

OS : Fedora 12 Beta or Rawhide (20091022)
SElinux : ON
Nvidia driver version : 190.42

SELinux is preventing OpenGL applications from making the program stack
executable.

$glxgears
glxgears: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied

Code:
/var/log/audit/audit.log
[skip]
node=localhost.localdomain type=AVC msg=audit(1256256177.849:18): avc:  denied  { execstack } for  pid=2945 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1256256177.849:18): arch=c000003e syscall=10 success=no exit=-13 a0=7fff96612000 a1=1000 a2=1000007 a3=7ffeac9eca79 items=0 ppid=2215 pid=2945 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
$ getsebool -a | grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off

< http://people.redhat.com/drepper/selinux-mem.html >

Last edited by sangu; 04-22-11 at 08:15 PM.
sangu is offline   Reply With Quote
Old 10-22-09, 09:13 PM   #2
mooninite
Registered User
 
Join Date: May 2006
Posts: 477
Default Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack

Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.
mooninite is offline   Reply With Quote
Old 10-23-09, 03:57 AM   #3
artem
Registered User
 
Join Date: Jun 2006
Posts: 703
Default Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack

Quote:
Originally Posted by mooninite View Post
Hm... allow_execstack looks to be defaulted off now.

Just issue "setsebool allow_execstack 1" for now.
with -P

Code:
setsebool -P allow_execstack 1
artem is offline   Reply With Quote
Old 11-14-09, 02:09 PM   #4
kwizart
Registered User
 
Join Date: Feb 2005
Location: Paris, France
Posts: 129
Default Re: [Fedora 12 Beta] opengl applications -> avc: denied execstack

There is another way to fix this, it's to remove the execution stack requirement.
That can be done using execstack from the prelink package:
execstack -c nvidia/libGL.so.190.42 ,others and etc.
and for the binaries:
execstack -c /usr/bin/nvidia-settings

Unfortunately, this last (execstack on binaries ) doesn't work on x86 binaries:
Quote:
execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-settings: Reshuffling of objects to make room for
program header entry only supported for shared libraries
execstack: /builddir/build/BUILDROOT/xorg-x11-drv-nvidia-190.42-3.fc12.i386/usr/bin/nvidia-smi: Reshuffling of objects to make room for
program header entry only supported for shared libraries
error: Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.m2qSy6 (%install)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
# ['bash', '--login', '-c', 'rpmbuild -bb --target i686 --nodeps builddir/build/SPECS/xorg-x11-drv-nvidia.spec']
Traceback (most recent call last):
In theses case (and then for x86_64 binaries) it seems easier to build from source, wich can be done easily.

But then I wonder if we will need to build the exact version of each tool or we can assume nvidia-xconfig 190.42 will work fine with 96.43.14 and 173.14.22 drivers ...?

Then there is another question related to:
Does patching the nvidia binaries will be a problem ?

Nicolas (kwizart)
kwizart is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -5. The time now is 07:21 PM.


Powered by vBulletin® Version 3.7.1
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Copyright 1998 - 2014, nV News.