[ATrpms-users] UNS: Re: Question about SELinux and nvidia packaging
Tim Fenn
fenn at stanford.edu
Tue Apr 29 05:16:00 CEST 2008
On Mon, 28 Apr 2008 21:44:55 -0400 Harry Orenstein
<holists at verizon.net> wrote:
> On Monday 28 April 2008 06:53:24 pm Tim Fenn wrote:
> > On Sun, 27 Apr 2008 02:31:20 -0400 Harry Orenstein
> > <holists at verizon.net> wrote:
> > > I infrequently get the following error on boot when mythbackend
> > > starts up:
> > >
> > > /usr/bin/mythbackend: error while loading shared
> > > libraries: /usr/lib/nvidia-graphics-169.12/libGLcore.so.1: cannot
> > > restore segment prot after reloc: Permission denied
> > >
> > > Now, I'm not sure why mythbackend has to use the nvidia libs
> > > since it doesn't generate any output, but that doesn't seem to be
> > > a question to ask here. I did some googling, and the best I can
> > > tell is that this happens when the context of the indicated lib
> > > is not set correctly.
> > >
> > > The file is a symlink to libGLcore.so.169.12. The symlink has a
> > > context different than the context set by the policy file for
> > > other nvidia files (textrel_shlib_t) because symlinks are not set
> > > in the policy. I assume they're not expected because symlinks
> > > would not be set up by a standard installation of the nvidia
> > > drivers.
> >
> > This is something for the selinux-policy - it should have been fixed
> > ages ago:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=179656
> >
> > you may want to bring it up in fedora-selinux - does a simple
> > restorecon fix it? Is selinux-policy up to date?
> >
> > -Tim
>
> I took a look at the link you gave. All of those policy changes seem
> to have been made in the version of the targeted policy I'm running
> (3.0.8-95). The problem I'm having is that ATrpms nvidia installs
> create symlinks and all the policy entries only apply to regular
> files. I've added an additional local policy for symlinks (same as
> the GLcore policy, but only for links).
>
> A restorecon won't fix the issue because the default policy for the
> directory is set for the symlinks (which is correct according to the
> targeted policy).
>
> I'm going to wait for more feedback from you or anyone else for a few
> days, and also to wait and see if my fix stops the Permission Denied
> error. After that I'll try to follow up on the fedora-selinux list.
>
The symlinks shouldn't matter - they can carry the default lib_t
label. This is most likely the dreaded execmod/execstack issue. Try:

    setsebool -P allow_execstack 1
    setsebool -P allow_execmod 1

However, there may be a more elegant/proper solution that someone could
clue you in on over on fedora-selinux.

HTH,
Tim
--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS
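
One way to check the execmod/execstack diagnosis above against the audit log, as an added example that is not part of the original message: the function filters AVC denial records for those two permissions and prints the process, the target's SELinux type and the path. The function name and the sample records are constructed for illustration; only the library path and process name come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list execmod/execstack AVC denials.
# Output per denial: <permission> <comm> <target type> <path or ->

# Constructed sample audit records; the library path and process name are
# the ones named in the thread, everything else is made up.
SAMPLE_AVC='type=AVC msg=audit(1209438960.101:41): avc:  denied  { execmod } for  pid=2301 comm="mythbackend" path="/usr/lib/nvidia-graphics-169.12/libGLcore.so.169.12" dev=dm-0 ino=81234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1209438961.007:42): avc:  denied  { read } for  pid=2310 comm="httpd" name="index.html" dev=dm-0 ino=555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1209438962.300:43): avc:  denied  { execstack } for  pid=2301 comm="mythbackend" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process'

# classify_avc: hypothetical helper, reads audit records on stdin.
classify_avc() {
    awk '
    /avc: +denied/ {
        # The permission set sits between "{ " and " }".
        s = index($0, "{ "); e = index($0, " }")
        if (s == 0 || e <= s) next
        n = split(substr($0, s + 2, e - s - 2), perms, " ")
        for (j = 1; j <= n; j++) {
            if (perms[j] != "execmod" && perms[j] != "execstack") continue
            comm = path = ttype = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) { comm = $i; gsub(/^comm=|"/, "", comm) }
                if ($i ~ /^path=/) { path = $i; gsub(/^path=|"/, "", path) }
                # tcontext is user:role:type:level; field 3 is the type.
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            print perms[j], comm, ttype, path
        }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

The third column is the type of the object the denial was checked against, so an execmod line shows directly whether that file carries `lib_t` or `textrel_shlib_t`. On a live system, run `classify_avc < /var/log/audit/audit.log` as root.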