[ATrpms-users] UNS: Re: Question about SELinux and nvidia packaging
Harry Orenstein
holists at verizon.net
Tue Apr 29 03:44:55 CEST 2008
On Monday 28 April 2008 06:53:24 pm Tim Fenn wrote:
> On Sun, 27 Apr 2008 02:31:20 -0400 Harry Orenstein <holists at verizon.net> wrote:
> > I infrequently get the following error on boot when mythbackend
> > starts up:
> >
> > /usr/bin/mythbackend: error while loading shared
> > libraries: /usr/lib/nvidia-graphics-169.12/libGLcore.so.1: cannot
> > restore segment prot after reloc: Permission denied
> >
> > Now, I'm not sure why mythbackend has to use the nvidia libs since it
> > doesn't generate any output, but that doesn't seem to be a question
> > to ask here. I did some googling, and the best I can tell is that
> > this happens when the context of the indicated lib is not set
> > correctly.
> >
> > The file is a symlink to libGLcore.so.169.12. The symlink has a
> > context different than the context set by the policy file for other
> > nvidia files (textrel_shlib_t) because symlinks are not set in the
> > policy. I assume they're not expected because symlinks would not be
> > set up by a standard installation of the nvidia drivers.
>
> This is something for the selinux-policy - it should have been fixed
> ages ago:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=179656
>
> you may want to bring it up in fedora-selinux - does a simple
> restorecon fix it? Is selinux-policy up to date?
>
> -Tim

I took a look at the link you gave. All of those policy changes seem to have
been made in the version of the targeted policy I'm running (3.0.8-95). The
problem I'm having is that ATrpms nvidia installs create symlinks and all the
policy entries only apply to regular files. I've added an additional local
policy for symlinks (same as the GLcore policy, but only for links).

A restorecon won't fix the issue because the default policy for the directory
is set for the symlinks (which is correct according to the targeted policy).

I'm going to wait for more feedback from you or anyone else for a few days,
and also to wait and see if my fix stops the Permission Denied error. After
that I'll try to follow up on the fedora-selinux list.

Thanks for the feedback!
-- Harry O.
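
Added example, not part of the original message and not taken from the Fedora policy or the ATrpms packages: a simplified Python model of a file_contexts lookup, showing why an entry restricted to regular files (`--`) leaves the symlink with the directory default and how a symlink-only (`-l`) entry changes the result. The entries, the `lib_t` default and the "last matching entry wins" ordering are assumptions made for illustration; on a real system libselinux performs the lookup.

```python
import re
import stat

# Constructed entries in file_contexts syntax: "regex [file-type] context".
# Modelled on the situation in the thread, not copied from any real policy.
BASE = r"""
/usr/lib(/.*)?                                           system_u:object_r:lib_t:s0
/usr/lib/nvidia-graphics[^/]*/libGLcore\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0
"""
# Local addition like the one the reply describes: same regex, symlinks only.
LOCAL = r"""
/usr/lib/nvidia-graphics[^/]*/libGLcore\.so(\.[^/]*)* -l system_u:object_r:textrel_shlib_t:s0
"""
# File-type specifiers of file_contexts and the st_mode type each selects.
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
              "-p": stat.S_IFIFO}

def parse(text):
    """Return a list of (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None  # no specifier: the entry applies to every file type
        else:
            raise ValueError("malformed entry: " + line)
        specs.append((re.compile(pattern), ftype, context))
    return specs

def lookup(specs, path, ftype):
    """Simplified model: whole-path regex match, last matching entry wins."""
    for regex, want, context in reversed(specs):
        if regex.fullmatch(path) and want in (None, ftype):
            return context
    return None

if __name__ == "__main__":
    link = "/usr/lib/nvidia-graphics-169.12/libGLcore.so.1"
    for name, text in (("policy only", BASE), ("with -l entry", BASE + LOCAL)):
        print(name, "->", lookup(parse(text), link, stat.S_IFLNK))
```

On a live system, `matchpathcon` reports the context the loaded policy assigns to a path and `ls -Z` shows the label actually on the file.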