Old 05-07-2012, 07:45 PM
Daniel J Walsh
 
VirtualGL/TurboVNC and selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/07/2012 03:12 PM, Mark Dalton wrote:
> On 05/07/2012 02:32 PM, Daniel J Walsh wrote: On 05/07/2012 02:29 PM, Mark
> Dalton wrote:
>>>> I was not able to get VirtualGL and selinux to work together. It is
>>>> something during boot time it seems. I have tried generating rules
>>>> based on audit/audit.log.
>>>>
>>>> The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6 states
>>>> they don't know how to make it work either.
>>>>
>>>> I have tried in permissive mode after boot and that did not work
>>>> either, which is why I think it is something during boot time. Like
>>>> the device setup. My guess is related to: /dev/dri as it sets up
>>>> these and then access to the /dev/nvidia0 and /dev/nvidiactl are
>>>> restricted to vglusers group (in my case it can be configured
>>>> with/without group restriction).
>>>>
>>>> From VirtualGL website they also have:
>>>>
>>>>
>>>> vglgenkey Issues
>>>>
>>>> Currently, the only known way to make vglgenkey work (vglgenkey
>>>> is used to grant 3D X Server access to members of the vglusers
>>>> group) is to disable SELinux. With SELinux enabled, the
>>>> /usr/bin/xauth file is hidden within the context of the GDM
>>>> startup scripts, so vglgenkey has no way of generating or importing
>>>> an xauth key to /etc/opt/VirtualGL/vgl_xauth_key (and, for that
>>>> matter, access is denied to /etc/opt/VirtualGL as well.)
>>>>
>>>> Perhaps someone with a greater knowledge of SELinux can explain how
>>>> to disable enforcement only for GDM and not the whole system.
>>>>
>>>> I had reinstalled that previous machine and don't have the other
>>>> rules I applied.
>>>>
>>>> I repeated this on another machine, and did not run any audit2allow.
>>>>
>>>> Also there are 2 problems:
>>>> 1. Boot time problem with the VirtualGL which seems to generate a
>>>>    avc message. (Fails if the machine is not booted in permissive or
>>>>    disabled mode)
>>>> 2. A problem with xauth when setenforce is enforcing. (This works if
>>>>    setenforce is permissive or disabled regardless of the boot time
>>>>    settings).
>>>>
>>>> The machine policy is set to targeted.
>>>>
>>>> Attached is the longer data with strace. The xauth does not seem
>>>> to generate any audit.log messages even with semodule -DB, but if I
>>>> turn selinux to permissive the xauth commands succeed.
>>>>
>>>>
>>>>
>>>> To clarify:
>>>> - It works if the system is booted with /etc/selinux/config
>>>>   SELINUX=permissive or SELINUX=disable
>>>> - It fails if the system is booted with /etc/selinux/config
>>>>   SELINUX=enforcing
>>>>   * Even if after the boot 'setenforce 0' is run
>>>> - My
>>>>
>>>> I do get avc message, note this is running in permissive mode.
>>>> [root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
>>>> type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'
>>>>
>>>> [root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
>>>> ls: cannot access /dev/dri: No such file or directory
>>>> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
>>>> crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Can you boot in permissive mode? What avc messages are you seeing?
>
> ausearch -m avc -ts recent
>
>
> I did not see anything obviously useful to me.. The attachment also had
> some information. My goal is to find a way to keep selinux enabled and run
> VirtualGL.
>
> Thank you for your quick response.
>
> Mark
>
> First boot: [root@amelie log]# ausearch -m avc -ts recent
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 success=yes exit=0 a0=1f0d870 a1=1f0d5a0 a2=1f0c5e0 a3=10 items=0 ppid=1981 pid=1982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336416897.225:118): avc: denied { read write } for pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.230:120): arch=c000003e syscall=47 success=yes exit=17 a0=4 a1=7fff41541fb0 a2=40000000 a3=4000 items=0 ppid=1 pid=1983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336416897.230:120): avc: denied { read } for pid=1983 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 ino=1183821 scontext=system_u:system_r:portreserve_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 14:54:57 2012
> type=SYSCALL msg=audit(1336416897.251:122): arch=c000003e syscall=59 success=yes exit=0 a0=b3b790 a1=b3b7d0 a2=b3a5e0 a3=10 items=0 ppid=1989 pid=1990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
> type=AVC msg=audit(1336416897.251:122): avc: denied { read } for pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59 success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0 ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.640:148): avc: denied { read write } for pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47 success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0 ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.647:149): avc: denied { read } for pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 ino=1183821 scontext=system_u:system_r:portreserve_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59 success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0 ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
> type=AVC msg=audit(1336417372.666:150): avc: denied { read } for pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
>
>
> Second boot and test: [root@amelie mdalton]# ausearch -m avc -ts recent
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.640:148): arch=c000003e syscall=59 success=yes exit=0 a0=def870 a1=def5a0 a2=dee5e0 a3=10 items=0 ppid=30418 pid=30419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.640:148): avc: denied { read write } for pid=30419 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.647:149): arch=c000003e syscall=47 success=yes exit=17 a0=4 a1=7fffdda478b0 a2=40000000 a3=4000 items=0 ppid=1 pid=30420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
> type=AVC msg=audit(1336417372.647:149): avc: denied { read } for pid=30420 comm="portreserve" path="/var/db/nscd/services" dev=dm-0 ino=1183821 scontext=system_u:system_r:portreserve_t:s0 tcontext=unconfined_u:object_r:nscd_var_run_t:s0 tclass=file
> ----
> time->Mon May 7 15:02:52 2012
> type=SYSCALL msg=audit(1336417372.666:150): arch=c000003e syscall=59 success=yes exit=0 a0=17c2790 a1=17c27d0 a2=17c15e0 a3=10 items=0 ppid=30426 pid=30427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
> type=AVC msg=audit(1336417372.666:150): avc: denied { read } for pid=30427 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
>
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Turn off the dontaudit rules and then send me the log compressed.

# semodule -DB
# reboot
# ausearch -m avc -i -ts recent | gzip -c > /tmp/audit.log.tgz
# semodule -B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+oJksACgkQrlYvE4MpobNOlACg2bPaENSryR cGZG+Dhe9UikDm
GjEAoNYt1ys5o9Ysd/65KaMp3+X/Nui5
=21rr
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
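As an added example (not code from the thread or from the audit tools), the Python below does the triage that the `ausearch -m avc -ts recent` request above leads to: it parses ausearch-style records like the ones quoted in this thread into one entry per denial, tallies them by source type, target type, object class and permissions, and separates denials from processes that have no login session (auid and ses are 4294967295, unsigned -1, which is what a daemon started during boot carries) from denials raised inside a user session. The sample records are constructed: the first two follow the portreserve and irqbalance denials quoted above with the SYSCALL lines shortened, the third is a hypothetical xdm_t/xauth denial against an etc_t directory with made-up pids, inodes and times.

```python
"""Triage AVC denials from `ausearch -m avc -ts recent` output.

Added example, not code from the thread. Records are split on the ----
separator ausearch prints; the AVC line supplies contexts, class and
permissions, the SYSCALL line supplies the login session id.
"""
import re
from collections import Counter

UNSET = 4294967295  # audit's "unset" loginuid/session: process started before any login

# Constructed sample in ausearch's layout. First two records mirror the
# portreserve/irqbalance denials quoted in the thread; the third is hypothetical.
SAMPLE = """\
----
time->Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 success=yes exit=0 ppid=1981 pid=1982 auid=4294967295 uid=0 ses=4294967295 comm="portreserve" exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc:  denied  { read write } for  pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:portreserve_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.251:122): arch=c000003e syscall=59 success=yes exit=0 ppid=1989 pid=1990 auid=4294967295 uid=0 ses=4294967295 comm="irqbalance" exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1336416897.251:122): avc:  denied  { read } for  pid=1990 comm="irqbalance" path="/dev/console" dev=devtmpfs ino=5164 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time->Mon May  7 15:10:03 2012
type=SYSCALL msg=audit(1336417803.100:201): arch=c000003e syscall=2 success=no exit=-13 ppid=4100 pid=4123 auid=1000 uid=0 ses=3 comm="xauth" exe="/usr/bin/xauth" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1336417803.100:201): avc:  denied  { write } for  pid=4123 comm="xauth" name="VirtualGL" dev=dm-0 ino=262201 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_RE = re.compile(r"^time->(.+)$", re.M)
SYSCALL_RE = re.compile(r"^type=SYSCALL (.*)$", re.M)


def _fields(s):
    """Parse key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def _setype(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_ausearch(text):
    """Return one dict per AVC denial found in ausearch output."""
    denials = []
    for record in re.split(r"^----$", text, flags=re.M):
        avc = AVC_RE.search(record)
        if not avc:
            continue
        f = _fields(avc.group("rest"))
        sysc = SYSCALL_RE.search(record)
        s = _fields(sysc.group(1)) if sysc else {}
        ses = int(s.get("ses", UNSET))
        when = TIME_RE.search(record)
        denials.append({
            "time": when.group(1).strip() if when else None,
            "comm": f.get("comm"),
            "target": f.get("path") or f.get("name"),
            "perms": frozenset(avc.group("perms").split()),
            "stype": _setype(f["scontext"]),
            "ttype": _setype(f["tcontext"]),
            "tclass": f["tclass"],
            "boot_time": ses == UNSET,   # no login session: started by init/boot scripts
        })
    return denials


def summarize(denials):
    """Tally denials by (source type, target type, class, sorted permissions)."""
    return Counter((d["stype"], d["ttype"], d["tclass"], tuple(sorted(d["perms"])))
                   for d in denials)


def boot_time_denials(denials):
    """Denials raised by processes that had no login session."""
    return [d for d in denials if d["boot_time"]]


def report(denials):
    """One human-readable line per distinct denial pattern."""
    boot_types = {d["stype"] for d in boot_time_denials(denials)}
    lines = []
    for (stype, ttype, tclass, perms), n in sorted(summarize(denials).items()):
        phase = "boot" if stype in boot_types else "session"
        lines.append(f"{n:3d}x {stype:<16} -> {ttype:<20} {tclass:<9} "
                     f"{{ {' '.join(perms)} }} [{phase}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_ausearch(SAMPLE))))
```

Running it over a capture taken after `semodule -DB` and over a normal capture, and comparing the two tallies, shows which denials the policy normally suppresses with dontaudit rules; those are exactly the ones the request above is meant to surface.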
 
Old 05-29-2012, 04:28 PM
Mark Dalton
 
VirtualGL/TurboVNC and selinux

Daniel Walsh resolved this it seems. I will attempt to repeat this
on another fresh install.

semanage fcontext -a -t xdm_rw_etc_t '/etc/opt/VirtualGL(/.*)?'
restorecon -R -v /etc/opt/VirtualGL



Thank you!



Mark





On 05/07/2012 02:29 PM, Mark Dalton wrote:

I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems. I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time. Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).

From VirtualGL website they also have:


vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is
used to grant 3D X Server access to members of the vglusers group)
is to disable SELinux. With SELinux enabled, the /usr/bin/xauth file is hidden within
the context of the GDM startup scripts, so vglgenkey has
no way of generating or importing an xauth key to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter,
access is denied to /etc/opt/VirtualGL as well.)

Perhaps someone with a greater knowledge of SELinux can
explain how to disable enforcement only for GDM and not the
whole system.



I had reinstalled that previous machine and don't
have the other rules I applied.

I repeated this on another machine, and did not run any
audit2allow.



Also there are 2 problems:
    1. Boot time problem with the VirtualGL which seems to generate a
       avc message. (Fails if the machine is not booted in permissive or
       disabled mode)
    2. A problem with xauth when setenforce is enforcing.
       (This works if setenforce is permissive or disabled regardless
       of the boot time settings).



The machine policy is set to targeted.



Attached is the longer data with strace. The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.







To clarify:
    - It works if the system is booted with /etc/selinux/config
          SELINUX=permissive
        or
          SELINUX=disable
    - It fails if the system is booted with /etc/selinux/config
          SELINUX=enforcing
        * Even if after the boot 'setenforce 0' is run
    - My



I do get avc message, note this is running in permissive mode.

[root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'

[root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0   /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0   /dev/nvidiactl



Mark






--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
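The two commands that resolved this thread change which type the policy assigns under /etc/opt/VirtualGL and then relabel the files already there. The Python below is an added example (not from the thread, and not the SELinux tools' own code) that models just enough of file_contexts matching to show what those commands do: every regex is anchored at both ends, so `/etc/opt/VirtualGL(/.*)?` covers the directory and everything beneath it but no sibling with a longer name; the entry written by `semanage fcontext -a` lands in file_contexts.local, which is consulted after the base policy and therefore overrides the general `etc_t` rule; and `restorecon -R` rewrites only the paths whose current label differs from the lookup. BASE_SPECS is a two-line constructed stand-in for the real policy and CURRENT_LABELS a constructed `ls -Z`-style view of the tree before the fix.

```python
"""Model of what `semanage fcontext -a` + `restorecon -R` do to labels.

Added example, not code from the thread. Real file_contexts matching is
reduced to its two essentials: anchored regexes and last-match-wins, which
is why the spec list runs from general to specific and local entries,
appended last, take precedence.
"""
import re


class FileContexts:
    """Minimal file_contexts matcher: anchored regexes, last match wins."""

    def __init__(self, specs):
        self.specs = []
        for regex, setype in specs:
            self.add(regex, setype)

    def add(self, regex, setype):
        # Same effect as `semanage fcontext -a -t SETYPE 'REGEX'`: appended after
        # everything already present, so it overrides earlier, broader specs.
        self.specs.append((re.compile("^" + regex + "$"), setype))

    def lookup(self, path):
        """Type restorecon/matchpathcon would assign, or None if nothing matches."""
        path = path.rstrip("/") or "/"   # the tools strip a trailing slash first
        label = None
        for compiled, setype in self.specs:
            if compiled.match(path):
                label = setype           # keep going: a later match wins
        return label


# Constructed excerpt of a policy, ordered general -> specific like the real file.
BASE_SPECS = [
    (r"/.*", "default_t"),
    (r"/etc(/.*)?", "etc_t"),
]

# Constructed view of the tree before the fix. Everything under /etc is etc_t,
# which GDM's domain (xdm_t, where vglgenkey runs) may read but not write.
CURRENT_LABELS = {
    "/etc/hostname": "etc_t",
    "/etc/opt/VirtualGL": "etc_t",
    "/etc/opt/VirtualGL/vgl_xauth_key": "etc_t",
    "/etc/opt/VirtualGL.bak": "etc_t",   # sibling the anchored rule must not catch
}

RULE_REGEX = r"/etc/opt/VirtualGL(/.*)?"   # from the thread
RULE_TYPE = "xdm_rw_etc_t"                 # from the thread


def plan_restorecon(fc, current):
    """What `restorecon -R -v` would report: {path: (old_type, new_type)}."""
    changes = {}
    for path, old in current.items():
        new = fc.lookup(path)
        if new is not None and new != old:
            changes[path] = (old, new)
    return changes


def apply_fix():
    """Run the thread's two commands against the model; return matcher and relabels."""
    fc = FileContexts(BASE_SPECS)
    fc.add(RULE_REGEX, RULE_TYPE)                       # semanage fcontext -a ...
    return fc, plan_restorecon(fc, CURRENT_LABELS)      # restorecon -R -v ...


if __name__ == "__main__":
    _, changes = apply_fix()
    for path, (old, new) in sorted(changes.items()):
        print(f"relabel {path}: {old} -> {new}")
```

The reason to prefer `semanage fcontext` over a bare `chcon` is persistence: the rule is recorded in file_contexts.local, so a later `restorecon` or a full relabel recreates `xdm_rw_etc_t` instead of reverting the directory to `etc_t` and reintroducing the failure.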
 
