Need to handle xorg-x11-drv-nvidia with selinux-policy!

KH KH kwizart at gmail.com
Tue May 22 10:16:25 UTC 2007


2007/5/21, Daniel J Walsh <dwalsh at redhat.com>:
> KH KH wrote:
> > Hello
> >
> > From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
> > There is a need to handle the xorg-x11-drv-nvidia package with SELinux:
> > This was previously documented to be done manually in documentation
> > that uses the livna package...
> > The nvidia installer detects it, but the livna package uses a different
> > scheme, so it has to be handled somewhere else...
> >
> > This can be done in the xorg-x11-drv-nvidia package or in
> > selinux-policy (the second is the preferred choice if possible).
> >
> > Because it deals with versioned libs, I wonder whether it is possible to
> > handle it easily with the selinux-policy package?
> >
> > Thanks for any advice (I will submit a bug for selinux-policy if it is
> > possible)
> >
> > Nicolas (kwizart)
> >
> u1 update has these fixes (preview available on
> http://people.redhat.com/dwalsh/SELinux/RHEL5)

Well, I didn't get to check (which one may I check?)

> Of course if nvidia would just fix the way they build their libraries,
> this would probably not be a problem
>
Should we request it from nVidia? Is it related to CFLAGS and $RPM_OPT_FLAGS?

Well, I forgot to say that the livna packaging scheme uses a different path
for these libraries (to prevent replacement issues)... And I also
don't currently know if the new lib (libnvidia-wfb.so.%{version},
provided with version > 97xx) is concerned by the need to change the
SELinux context...

If I take care of the SELinux context inside xorg-x11-drv-nvidia, I
will have in the %post section (where nvidialibdir is %{_libdir}/nvidia):

%{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
    %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
    %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
    %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
    %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
if sestatus | egrep -q 'SELinux status.*enabled'
then
    restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so \
        %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} \
        %{nvidialibdir}/libGLcore.so.%{version} \
        %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
fi || :

Thanks for your advice!

Nicolas (kwizart)
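
On the versioned-libs question in the message above, an added example (not part of the original post and not taken from selinux-policy): SELinux file-context specifications are regular expressions matched against the whole path, so one spec per library can cover every driver version. The /usr/lib(64)? prefix, the helper names and the version strings used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: version-independent file-context specs for versioned libs.
# Nothing here calls semanage; the commands are only printed for review.

# Assumed expansion of %{_libdir} (constructed for this example).
LIBDIR_RE='/usr/lib(64)?'

# Escape the regex metacharacters that occur in library names ('.' and '+'),
# so that "libGLcore.so" cannot also match "libGLcoreXso".
fc_escape() {
    printf '%s' "$1" | sed 's/[.+]/\\&/g'
}

# Build a spec matching stem, stem.1, stem.1.0.9755, ... in one directory.
# $1 = directory regex, $2 = literal library stem such as libGLcore.so
fc_versioned_spec() {
    printf '%s/%s(\\.[^/]*)*' "$1" "$(fc_escape "$2")"
}

# Emulate the whole-path (anchored) match applied to a spec.
# $1 = spec, $2 = path; returns 0 when the path would receive the label.
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print the semanage commands a %post scriptlet could run once, instead of
# one command per %{version}.
fc_commands() {
    for stem in libGLcore.so libnvidia-tls.so; do
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" \
            "$(fc_versioned_spec "$LIBDIR_RE/nvidia" "$stem")"
    done
}

fc_commands
```

The same patterns could be carried in a policy file-context file, which is what makes handling versioned libraries in selinux-policy feasible.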



