List: fedora-list
Subject: Re: Selinux and Nvidia drivers
From: Mark Eggers <mdeggers () gmail ! com>
Date: 2011-05-31 19:11:05
Message-ID: is3eg9$rqa$2 () dough ! gmane ! org
On Tue, 31 May 2011 10:30:21 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/30/2011 06:40 AM, Alexander Volovics wrote:
>> On Mon, May 30, 2011 at 07:25:45PM +0900, Misha Shnurapet wrote:
>>
>>> 30.05.2011, 18:47, "Alexander Volovics" <a.volovic@upcmail.nl>:
>>>> What is the reaction of selinux to the nvidia driver? Does selinux try
>>>> to prevent the nvidia driver from being loaded?
>>
>>> Nope. I've been using them together and experienced no issues.
>>
>> Thanks. Then I guess I should finally start reading up on selinux and
>> not trust my 'intuition' anymore. I thought the nvidia driver being a
>> "fremdkörper" and all ...
>>
>> Alexander
>>
> Sometimes the nvidia driver device can be mislabeled, which can cause
> SELinux issues. In the past we have had problems with nvidia requiring
> GUI apps to need execstack and execmem, but we are now allowing these by
> default.

Dan, that's nice to know. The NVidia installer does the following:

    Linux installations using SELinux (Security-Enhanced Linux)
    require that the security type of all shared libraries be
    set to 'shlib_t' or 'textrel_shlib_t', depending on the
    distribution. nvidia-installer will detect when to set the
    security type, and set it using chcon(1) on the shared
    libraries it installs. If the execstack(8) system utility
    is present, nvidia-installer will use it to also clear the
    executable stack flag of the libraries. Use this option to
    override nvidia-installer's detection of when to set the
    security type. Valid values for FORCE-SELINUX are 'yes'
    (force setting of the security type), 'no' (prevent setting
    of the security type), and 'default' (let nvidia-installer
    decide when to set the security type).

That's the documentation from <driver-name> --advanced-options. I also
use a script with semanage fcontext to clean up some issues. I should try
not running the script next time I upgrade and see if there are
performance issues / SELinux warnings (I normally run in permissive mode).
If I do find issues, should I report it on the Fedora buglist (change in
SELinux policy), NVidia forum (change in their installer script), or both?
. . . . just my two cents.
/mde/