Old 05-07-2012, 06:32 PM
Daniel J Walsh
 
Default VirtualGL/TurboVNC and selinux

On 05/07/2012 02:29 PM, Mark Dalton wrote:
> I was not able to get VirtualGL and selinux to work together. It is
> something during boot time it seems. I have tried generating rules based
> on audit/audit.log.
>
> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states they
> don't know how to make it work either.
>
> I have tried in permissive mode after boot and that did not work either,
> which is why I think it is something during boot time. Like the device
> setup. My guess is related to: /dev/dri as it sets up these and then access
> to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers group (in
> my case it can be configured with/without group restriction).
>
> From VirtualGL website they also have:
>
>
> vglgenkey Issues
>
> Currently, the only known way to make vglgenkey work (vglgenkey is used
> to grant 3D X Server access to members of the vglusers group) is to
> disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
> hidden within the context of the GDM startup scripts, so vglgenkey has no
> way of generating or importing an xauth key to
> /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
> denied to /etc/opt/VirtualGL/ as well.)
>
> Perhaps someone with a greater knowledge of SELinux can explain how to
> disable enforcement only for GDM and not the whole system.
>
> I had reinstalled that previous machine and don't have the other rules I
> applied.
>
> I repeated this on another machine, and did not run any audit2allow.
>
> Also there are 2 problems:
> 1. Boot time problem with the VirtualGL which seems to generate an avc
>    message. (Fails if the machine is not booted in permissive or disabled mode)
> 2. A problem with xauth when setenforce is enforcing. (This works if
>    setenforce is permissive or disabled regardless of the boot time settings).
>
> The machine policy is set to targeted.
>
> Attached is the longer data with strace. The xauth does not seem to
> generate any audit.log messages even with semodule -DB, but if I turn
> selinux to permissive the xauth commands succeed.
>
>
>
> To clarify:
> - It works if the system is booted with /etc/selinux/config
>   SELINUX=permissive or SELINUX=disable
> - It fails if the system is booted with /etc/selinux/config SELINUX=enforcing
>   * Even if after the boot 'setenforce 0' is run
> - My
>
> I do get avc message, note this is running in permissive mode.
> [root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756
> subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice
> (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
>
> [root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
> ls: cannot access /dev/dri: No such file or directory
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
>
> Mark
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Can you boot in permissive mode? What avc messages are you seeing?

ausearch -m avc -ts recent

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 05-07-2012, 07:12 PM
Mark Dalton
 
Default VirtualGL/TurboVNC and selinux

On 05/07/2012 02:32 PM, Daniel J Walsh wrote:

Can you boot in permissive mode? What avc messages are you seeing?

ausearch -m avc -ts recent


I did not see anything obviously useful to me. The attachment also
had some information.

My goal is to find a way to keep selinux enabled and run VirtualGL.

Thank you for your quick response.

Mark

First boot:
[root@amelie log]# ausearch -m avc -ts recent
----
time->Mon May 7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59
success=yes exit=0 a0=1f0d870 a1=1f0d5a0 a2=1f0c5e0 a3=10 items=0
ppid=1981 pid=1982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc: denied { read write }
for pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs
ino=5164 scontext=system_u:system_r:portreserve_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

----
time->Mon May 7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.230:120): arch=c000003e syscall=47
success=yes exit=17 a0=4 a1=7fff41541fb0 a2=40000000 a3=4000 items=0
ppid=1 pid=1983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.230:120): avc: denied { read } for
pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
ino=1183821 scontext=system_u:system_r:portreserve_t:s0
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file

----
time->Mon May 7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.251:122): arch=c000003e syscall=59
success=yes exit=0 a0=b3b790 a1=b3b7d0 a2=b3a5e0 a3=10 items=0 ppid=1989
pid=1990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336416897.251:122): avc: denied { read } for
pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59
success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0
ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.640:148): avc: denied { read write }
for pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs
ino=5164 scontext=system_u:system_r:portreserve_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47
success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0
ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.647:149): avc: denied { read } for
pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
ino=1183821 scontext=system_u:system_r:portreserve_t:s0
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file

----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59
success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0
ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336417372.666:150): avc: denied { read } for
pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file



Second boot and test:
[root@amelie mdalton]# ausearch -m avc -ts recent
----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59
success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0
ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.640:148): avc: denied { read write }
for pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs
ino=5164 scontext=system_u:system_r:portreserve_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47
success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0
ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve"
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336417372.647:149): avc: denied { read } for
pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0
ino=1183821 scontext=system_u:system_r:portreserve_t:s0
tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file

----
time->Mon May 7 15:02:52 2012
type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59
success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0
ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance"
exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336417372.666:150): avc: denied { read } for
pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file





--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
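Added triage helper (constructed for this page, not code from the thread or from the selinux list): it parses ausearch AVC records like the ones Mark posted, groups them by source type, target type and object class the way audit2allow would, and checks whether any denial came from xauth or vglgenkey, which is the question the thread is really trying to answer. The sample records are constructed from the thread's portreserve and irqbalance lines with the forum's smiley garbling of the contexts undone.

```python
import re
from collections import defaultdict

# Constructed sample in the ausearch format the thread shows (forum smiley
# garbling of the contexts undone); the SYSCALL line must be skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 success=yes exit=0 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc: denied { read write } for pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1336416897.230:120): avc: denied { read } for pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 ino=1183821 scontext=system_u:system_r:portreserve_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1336416897.251:122): avc: denied { read } for pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
"""

# Permission set between the braces, then the three context/class fields.
AVC_RE = re.compile(r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(text):
    """One dict per AVC denial: perms, comm, path, scontext, tcontext, tclass."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_AVC, '----' separators, time-> lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        records.append({"perms": tuple(m.group("perms").split()),
                        "comm": fields.get("comm"), "path": fields.get("path"),
                        "scontext": m.group("scontext"), "tcontext": m.group("tcontext"),
                        "tclass": m.group("tclass")})
    return records

def type_of(context):
    """Type field of a user:role:type:level context (an MLS range adds colons after it; index 2 is still the type)."""
    return context.split(":")[2]

def summarize(records):
    """Group denials as audit2allow would: (source type, target type, class) -> sorted perms."""
    rules = defaultdict(set)
    for r in records:
        rules[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def denials_for(records, *comms):
    """Denials raised by the named programs, e.g. xauth or vglgenkey from the thread."""
    return [r for r in records if r["comm"] in comms]
```

On the thread's own output, denials_for(records, "xauth", "vglgenkey") comes back empty, which matches Mark's observation that xauth produced no audit.log messages even with semodule -DB: the three recorded denials belong to portreserve and irqbalance and are unrelated to VirtualGL.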