FC3 "avc: denied" issue

Russell Coker russell at coker.com.au
Mon Dec 27 12:12:42 UTC 2004


On Monday 27 December 2004 22:14, Valdis.Kletnieks at vt.edu wrote:
> > FC3 has SE Linux enabled by default.  Anything that is designed for FC3
> > has to be designed to work with SE Linux.  It seems that the NVIDIA
> > driver archive is not designed to do so.  It would be much easier if they
> > just provided a RPM.
>
> The problem is that they didn't drink the "All Linux is RedHat RPM-based"
> kool-aid.

Do you think that I have drunk such kool-aid?  I was a Debian developer for 
many years before joining Red Hat.

> They're additionally hobbled by the fact that they have a userspace
> component (where the .so's came from) and a kernel module - and if either
> userspace and module, or module and kernel, get out of sync, things Fail
> Very Badly.

They designed it badly.  Keeping interfaces synchronised isn't that difficult; 
all the code that gets into the main-line kernel keeps the interfaces the 
same for long periods of time.  Interface changes have version numbers and 
applications can (if necessary) support both interfaces.

From what you are telling me the first thing that they need to do is to design 
an interface between user-space and the kernel code.

> Currently, they ship *one* release that will work out-of-the-box for
> literally 134 or so different distro/release/kernel combos.  For *JUST* the
> Fedora releases, they have:
>
> There's also RH 7.2->9.0 and RHEL 3.0 and Mandrake 8.1->10 and Suse
> prebuilts.

If they are producing multiple packages for each distribution then they must 
have the builds automated.  It should be quite easy to make an automatic 
build script that builds RPMs, Debian packages, and any other types of 
package that seem necessary.

> Currently, *any* of those users can get *the same package*, run the
> installer, and things Just Work.   Otherwise, they get the support problem
> of shipping 134 different RPM's (which is not THAT bad, really), and making
> sure the people actually download the *RIGHT* one (can you say "help desk
> nightmare"?)

If the interface between kernel and user-space doesn't change then all they 
need to do is have one RPM for the shared objects and a set of RPMs that 
install .ko's in the correct places for each kernel.  You would just have to 
make sure that every time you upgrade your kernel you install the matching 
drivers.  If you didn't install the drivers then the symptom would be a lack 
of 3D graphics which would be easy to fix.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




More information about the fedora-selinux-list mailing list