kmod-nvidia-1.0.8178-6.2.6.16_1.2080_FC5

Paul Howarth paul at city-fan.org
Thu Mar 30 09:19:33 UTC 2006


Eric TANGUY wrote:
>> On Thu, 2006-03-30 at 08:45 +0200, Eric Tanguy wrote:
>>> Le mercredi 29 mars 2006 à 23:18 +0100, Paul Howarth a écrit :
>>>> On Wed, 2006-03-29 at 13:47 -0800, Florin Andrei wrote:
>>>>> On Wed, 2006-03-29 at 13:42 -0800, Florin Andrei wrote:
>>>>>
>>>>>> What's interesting is that I don't get this error. glxgears works fine
>>>>>> for me.
>>>>> SELinux does log a few things, but it says "granted" which is why
>>>>> glxgears works.
>>>>>
>>>>> type=AVC msg=audit(1143668274.597:239): avc:  granted  { execmem } for
>>>>> pid=4444 comm="glxgears" scontext=user_u:system_r:unconfined_t:s0
>>>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>>>> type=SYSCALL msg=audit(1143668274.597:239): arch=40000003 syscall=192
>>>>> success=yes exit=1183744 a0=0 a1=2000 a2=7 a3=2 items=0 pid=4444
>>>>> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
>>>>> fsgid=500 comm="glxgears" exe="/usr/bin/glxgears"
>>>> Perhaps you have the booleans allow_execmem and allow_execmod on?
>>>>
>>>> Paul.
>>>>
>>> I would like to modify nothing in selinux policy to make glx. I think
>>> this has to work out of the box.
>>> Do we have to wait for a new policy version ???
>> Try:
>> # setsebool -P allow_execmod 1
>>
> Yes I know it works but it does not seem to be acceptable that I have to
> modify something in selinux to have a video driver working as it must.

Why not? You have to modify SELinux booleans to do all sorts of other 
things, like sharing home directories in samba, running a PHP 
application on Apache etc.

As it happens, http://bugzilla.livna.org/show_bug.cgi?id=843 shows an 
alternative fix that could be implemented in livna's driver package (or 
Core policy) and you wouldn't have to set this boolean, but I wouldn't 
describe changing a boolean as modifying policy.

Paul.
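
Added example, not part of the original message: a small parser for the AVC/SYSCALL record pair quoted in the thread. It groups records by audit event id, reports which of the two booleans named in the thread corresponds to the logged permission, and decodes the `mmap2` protection bits. The sample input is the thread's log unwrapped onto two lines; the function names and the permission-to-boolean table are assumptions of this example.

```python
import re

# Constructed sample: the two audit records quoted in the thread, unwrapped.
SAMPLE = '''\
type=AVC msg=audit(1143668274.597:239): avc:  granted  { execmem } for pid=4444 comm="glxgears" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1143668274.597:239): arch=40000003 syscall=192 success=yes exit=1183744 a0=0 a1=2000 a2=7 a3=2 items=0 pid=4444 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="glxgears" exe="/usr/bin/glxgears"
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)')
AVC = re.compile(r'avc:\s+(granted|denied)\s+\{ ([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: permission -> boolean, using the two names mentioned in the thread.
BOOLEANS = {"execmem": "allow_execmem", "execmod": "allow_execmod"}
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse(text):
    """Group audit records by event id and merge their key=value fields."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {"perms": [], "result": None})
        if rtype == "AVC":
            avc = AVC.search(body)
            if avc:
                ev["result"] = avc.group(1)
                ev["perms"] += avc.group(2).split()
        for key, val in FIELD.findall(body):
            ev.setdefault(key, val.strip('"'))
    return events

def summarize(ev):
    """Summarize one event: AVC result, program, related booleans, mmap prot."""
    out = {"result": ev["result"], "comm": ev.get("comm"), "exe": ev.get("exe"),
           "booleans": sorted(BOOLEANS[p] for p in ev["perms"] if p in BOOLEANS)}
    # arch=40000003 is AUDIT_ARCH_I386, where syscall 192 is mmap2 and a2 is
    # its prot argument (audit prints a0..a3 in hex).
    if ev.get("arch") == "40000003" and ev.get("syscall") == "192":
        prot = int(ev["a2"], 16)
        out["prot"] = [name for bit, name in PROT.items() if prot & bit]
    return out

if __name__ == "__main__":
    for event_id, ev in parse(SAMPLE).items():
        print(event_id, summarize(ev))
```

For the quoted event, `a2=7` decodes to a mapping that is readable, writable and executable at once, which is the request SELinux checks against `execmem`.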



