Go Back   nV News Forums > Linux Support Forums > NVIDIA Linux

Newegg Daily Deals

Reply
 
Thread Tools
Old 05-09-06, 04:20 AM   #1
rbirdman
Registered User
 
Join Date: Sep 2004
Posts: 44
Default Installing on Fedora Core 5 with SELinux(some additional info)

I have just installed FC5 with SELinux enabled on my laptop, basically just for the hell of it. I thought I would post my experiences installing the NVidia driver in case it's useful to someone.

After following the sticky thread above, I found GNOME hung for a considerable time but eventually would load if I waited long enough. Starting Firefox would see it launch but without both a title bar and borders, very odd. Checking dmesg I found the following SELinux log and my attempts to fix it.

[root@localhost ~]# tail error.txt | grep meta
audit(1147157359.193:7): avc: denied { execmod } for pid=3256 comm="metacity" name="libnvidia-tls.so.1.0.8756" dev=hda7 ino=777687 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=rootobject_r:lib_t:s0 tclass=file
[root@localhost ~]# find / -noleaf -inum 777687
find: /proc/2239/task/2239/fd/4: No such file or directory
find: /proc/2239/fd/4: No such file or directory
/usr/lib/tls/libnvidia-tls.so.1.0.8756
[root@localhost ~]# chcon -t texrel_shlib_t /usr/lib/tls/libnvidia-tls.so.1.0.8756

This did not help but generated different errors first with nautilus then with metacity again. Trying to fix them in a similar fashion did not help. Eventually I ran the following command which saw the problem fixed. It should be noted that this will require a reboot as it clears the files out of /tmp.

fixfiles relabel /usr/lib/

If my understanding is correct it may be possible to avoid the whole issue with the following command but this would undermine SELinux somewhat.

setsebool -P allow_execmod 1

When I have time I will uninstal the driver and have another go and also test the setsebool command.
rbirdman is offline   Reply With Quote
Old 05-09-06, 11:00 AM   #2
jcat
Registered User
 
Join Date: May 2006
Posts: 8
Default Re: Installing on Fedora Core 5 with SELinux(some additional info)

Hello! This is my first post on this forum.

Just wanted to say thanks for getting me up and running again with the nvidia driver. I knew SELinux was getting in the way, but I'm a bit of a newbie as far as SE linux is concerned and I didn't want to just switch it off!

fixfiles relabel /usr/lib/ should be added to the sticky at the top of the forum, as the sticky is obviousely not going to be enough, to get everyone working again.

Thanks for the help.


Cheers,

jcat
jcat is offline   Reply With Quote
Old 05-09-06, 05:52 PM   #3
rbirdman
Registered User
 
Join Date: Sep 2004
Posts: 44
Default Re: Installing on Fedora Core 5 with SELinux(some additional info)

Nice to get some feedback straight away. Glad it helped.

I also meant to post this link. It refers to using the new semanage tool to fix these problems as well as the boolean values. I don't know it it useful or not yet.

http://fedora.redhat.com/docs/selinu...y-unconfined_t
rbirdman is offline   Reply With Quote
Old 05-10-06, 03:32 AM   #4
rbirdman
Registered User
 
Join Date: Sep 2004
Posts: 44
Default Re: Installing on Fedora Core 5 with SELinux(some additional info)

I had a chance to play with the driver again tonight. I used the nvidia-installer to remove the driver. I can confirm the following command works and may be a useful alternative to turning off SELinux completely. Obviously it not as good as labeling the driver files with the correct security context.

setsebool -P allow_execmod 1

[root@localhost NVidia]# ls -Z /usr/lib/xorg/modules/drivers/nvidia_drv.so
-rwxr-xr-x root root rootobject_r:lib_t /usr/lib/xorg/modules/drivers/nvidia_drv.so
[root@localhost NVidia]# lsmod | grep nvidia
nvidia 4545140 12
i2c_core 20673 1 nvidia
[root@localhost NVidia]# getsebool allow_execmod
allow_execmod --> on
[root@localhost Nvidia]#

When I get a chance I will have another go and try relabeling everything from scratch.
rbirdman is offline   Reply With Quote
Old 05-11-06, 03:04 AM   #5
rbirdman
Registered User
 
Join Date: Sep 2004
Posts: 44
Default Re: Installing on Fedora Core 5 with SELinux(some additional info)

I had a go at relabeling the files themselves and it was quite straight forward second time around. There were 5 files that needed relabeling. The two mentioned in the sticky get the driver loaded. I then need to label three more to get GNOME working properly. This may be different for other Desktops. I've gone through my history and I don't think I've missed anything.

I used semanage and restorecon as mention in the SELinux faq linked to in one of the previous posts. I'm not sure that this makes any difference or not but it sees a policy loaded message generated.

I ran startx from the command line and cleared dmesg with dmesg -c >> /dev/null so as to be able to view the avc messages better. I also used find with the inum switch to verify what files needed to be labeled. The errors came two at a time. The dmesg logs and the commands I used are below.

Hope this helps.

Rob.

audit(1147318551.522:307): avc: denied { execmod } for pid=3538 comm="X" name="libnvidia-tls.so.1.0.8756" dev=hda7 ino=770956 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file
audit(1147318551.530:308): avc: denied { execmod } for pid=3538 comm="X" name="nvidia_drv.so" dev=hda7 ino=771137 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file

semanage fcontext -a -t texrel_shlib_t /usr/lib/tls/libnvidia-tls.so.1.0.8756
restorecon -v /usr/lib/tls/libnvidia-tls.so.1.0.8756
semanage fcontext -a -t texrel_shlib_t /usr/lib/xorg/modules/drivers/nvidia_drv.so
restorecon -v /usr/lib/xorg/modules/drivers/nvidia_drv.so

audit(1147319101.272:311): avc: denied { execmod } for pid=3628 comm="X" name="libGLcore.so.1.0.8756" dev=hda7 ino=770937 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file
audit(1147319104.756:312): avc: denied { execmod } for pid=3662 comm="metacity" name="libGLcore.so.1.0.8756" dev=hda7 ino=770937 scontext=user_u:system_r:unconfined_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file

semanage fcontext -a -t texrel_shlib_t /usr/lib/libGLcore.so.1.0.8756
restorecon -v /usr/lib/libGLcore.so.1.0.8756

audit(1147319291.232:314): avc: denied { execmod } for pid=3738 comm="X" name="libglx.so.1.0.8756" dev=hda7 ino=1056003 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file
audit(1147319294.788:315): avc: denied { execmod } for pid=3772 comm="metacity" name="libGL.so.1.0.8756" dev=hda7 ino=770868 scontext=user_u:system_r:unconfined_t:s0 tcontext=rootbject_r:lib_t:s0 tclass=file

semanage fcontext -a -t texrel_shlib_t /usr/lib/xorg/modules/extensions/libglx.so.1.0.8756
restorecon -v /usr/lib/xorg/modules/extensions/libglx.so.1.0.8756
semanage fcontext -a -t texrel_shlib_t /usr/lib/libGL.so.1.0.8756
restorecon -v /usr/lib/libGL.so.1.0.8756

ps

This also works for flashplayer and java with similar excecmod error messages.

pss

hope this hasn't been too painful for everyone
rbirdman is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
CPUMark99 - how do you compare fuelrod Benchmarking And Overclocking 66 07-19-11 08:32 AM

All times are GMT -5. The time now is 04:13 AM.


Powered by vBulletin® Version 3.7.1
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Copyright 1998 - 2014, nV News.