[ATrpms-users] Question about SELinux and nvidia packaging

Harry Orenstein holists at verizon.net
Sun Apr 27 08:31:20 CEST 2008


Axel,

I don't know if this is strictly an issue to take up here but, if you feel I 
should take this elsewhere, please let me know.

I infrequently get the following error on boot when mythbackend starts up:

/usr/bin/mythbackend: error while loading shared libraries: /usr/lib/nvidia-graphics-169.12/libGLcore.so.1: cannot restore segment prot after reloc: Permission denied

Now, I'm not sure why mythbackend has to use the nvidia libs since it doesn't 
generate any output, but that doesn't seem to be a question to ask here.  I 
did some googling, and the best I can tell is that this happens when the 
context of the indicated lib is not set correctly.

The file is a symlink to libGLcore.so.169.12.  The symlink has a context 
different than the context set by the policy file for other nvidia files 
(textrel_shlib_t) because symlinks are not set in the policy.  I assume 
they're not expected because symlinks would not be set up by a standard 
installation of the nvidia drivers.

My idea for a solution is to duplicate the policy's context entry for 
libGLcore, which only sets regular files (--), as a local policy and set it 
for symlinks (-l).  The error happens infrequently enough that I have not yet 
been able to tell if it works (no error... yet).

Would it be possible to add an semanage command to the packaging for the 
nvidia driver?  Something like:

/usr/sbin/semanage fcontext -a -f -l -t textrel_shlib_t "/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*"

Would it cause a problem if multiple versions of the nvidia driver were 
installed (adding the local context via semanage might throw an error if it 
already exists)?

Hope my explanation makes some sense.  Any thoughts on this would be welcome.  
TIA!!


-- Harry O.
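
[Added example, not part of the original post and not ATrpms packaging code.] One way a package scriptlet could register the symlink rule proposed above without failing when a second driver version has already added it. The nv_* function names, the overridable tool paths and the "remove only when no version directory is left" policy are assumptions; the path regex and type are the ones from the post, and the file-type argument defaults to the current `l` spelling rather than the `-l` used in the post.

```shell
#!/bin/sh
# Tool paths are overridable so the logic can be exercised without
# touching the real SELinux policy store.
SEMANAGE="${SEMANAGE:-/usr/sbin/semanage}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"
NV_TYPE='textrel_shlib_t'
# Path regex exactly as given in the post.
NV_SPEC='/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*'
# File-type argument for symlinks: "l" on current policycoreutils; the
# semanage version used in the post takes "-l" instead.
NV_FTYPE="${NV_FTYPE:-l}"

# Register the symlink rule. "-a" fails when the rule is already defined
# (for example by another installed driver version), so fall back to "-m",
# which sets the existing rule to the same type. Either way one rule remains.
nv_add_symlink_rule() {
    "$SEMANAGE" fcontext -a -f "$NV_FTYPE" -t "$NV_TYPE" "$NV_SPEC" 2>/dev/null ||
    "$SEMANAGE" fcontext -m -f "$NV_FTYPE" -t "$NV_TYPE" "$NV_SPEC"
}

# Relabel the given driver directories so the rule is applied to the
# libraries and symlinks already on disk.
nv_relabel() {
    for dir in "$@"; do
        [ -d "$dir" ] && "$RESTORECON" -R "$dir"
    done
    return 0
}

# Drop the rule only when none of the given driver directories still exists.
# Arguments: the directories of the other driver versions.
nv_remove_symlink_rule_if_last() {
    for dir in "$@"; do
        [ -d "$dir" ] && return 0   # another version still needs the rule
    done
    "$SEMANAGE" fcontext -d -f "$NV_FTYPE" "$NV_SPEC" 2>/dev/null || true
}
```

In a package, nv_add_symlink_rule and nv_relabel would run after install and nv_remove_symlink_rule_if_last after uninstall.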


