Hello
From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
There is a need to handle the xorg-x11-drv-nvidia package with SELinux: this was previously documented to be done manually in documentation that uses the livna package... The nvidia installer detects it, but the livna package uses a different scheme, so it has to be handled somewhere else...
This can be done in the xorg-x11-drv-nvidia package or in selinux-policy (the second is the preferred choice if possible).
Because it deals with versioned libs, I wonder if it can be possible to handle it easily with the selinux-policy package?
Thx for any advice (I will submit a bug for selinux-policy if it is possible)
Nicolas (kwizart)

KH KH wrote:
> Hello
> From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
> There is a need to handle the xorg-x11-drv-nvidia package with SELinux: this was previously documented to be done manually in documentation that uses the livna package... The nvidia installer detects it, but the livna package uses a different scheme, so it has to be handled somewhere else...
> This can be done in the xorg-x11-drv-nvidia package or in selinux-policy (the second is the preferred choice if possible).
> Because it deals with versioned libs, I wonder if it can be possible to handle it easily with the selinux-policy package?
> Thx for any advice (I will submit a bug for selinux-policy if it is possible)
> Nicolas (kwizart)
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

u1 update has these fixes (preview available on http://people.redhat.com/dwalsh/SELinux/RHEL5)
Of course if nvidia would just fix the way they build their libraries, this would probably not be a problem

2007/5/21, Daniel J Walsh dwalsh@redhat.com:
> KH KH wrote:
>> Hello
>> From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
>> There is a need to handle the xorg-x11-drv-nvidia package with SELinux: this was previously documented to be done manually in documentation that uses the livna package... The nvidia installer detects it, but the livna package uses a different scheme, so it has to be handled somewhere else...
>> This can be done in the xorg-x11-drv-nvidia package or in selinux-policy (the second is the preferred choice if possible).
>> Because it deals with versioned libs, I wonder if it can be possible to handle it easily with the selinux-policy package?
>> Thx for any advice (I will submit a bug for selinux-policy if it is possible)
>> Nicolas (kwizart)
>
> u1 update has these fixes (preview available on http://people.redhat.com/dwalsh/SELinux/RHEL5)

Well, I didn't reach to check (which one may I check?)

> Of course if nvidia would just fix the way they build their libraries, this would probably not be a problem

Should we request it from nVidia? Is it related to CFLAGS and $RPM_OPT_FLAGS?

Well, I forgot to say that the livna packaging scheme uses a different path for these libraries (to prevent replacement issues)... And I also don't know currently if the new lib (libnvidia-wfb.so.%{version} - provided with version > 97xx) is concerned by the need to change the SELinux context...
If I take care of the SELinux context inside xorg-x11-drv-nvidia, I will have in the %post section (where nvidialibdir is %{_libdir}/nvidia):

%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
if sestatus |egrep -q 'SELinux status.*enabled'
then
  restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so \
    %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} \
    %{nvidialibdir}/libGLcore.so.%{version} \
    %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
fi || :

Thx for your advice!
Nicolas (kwizart)

KH KH wrote:
> 2007/5/21, Daniel J Walsh dwalsh@redhat.com:
>> KH KH wrote:
>>> Hello
>>> From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
>>> There is a need to handle the xorg-x11-drv-nvidia package with SELinux: this was previously documented to be done manually in documentation that uses the livna package... The nvidia installer detects it, but the livna package uses a different scheme, so it has to be handled somewhere else...
>>> This can be done in the xorg-x11-drv-nvidia package or in selinux-policy (the second is the preferred choice if possible).
>>> Because it deals with versioned libs, I wonder if it can be possible to handle it easily with the selinux-policy package?
>>> Thx for any advice (I will submit a bug for selinux-policy if it is possible)
>>> Nicolas (kwizart)
>>
>> u1 update has these fixes (preview available on http://people.redhat.com/dwalsh/SELinux/RHEL5)
>
> Well, I didn't reach to check (which one may I check?)

I am not sure what you are asking? You can check the policy in http://people.redhat.com/dwalsh/SELinux/RHEL5

>> Of course if nvidia would just fix the way they build their libraries, this would probably not be a problem
>
> Should we request it from nVidia? Is it related to CFLAGS and $RPM_OPT_FLAGS?

Yes. It has to do with using -fpic or -fPIC in the CFLAGS.

> Well, I forgot to say that the livna packaging scheme uses a different path for these libraries (to prevent replacement issues)... And I also don't know currently if the new lib (libnvidia-wfb.so.%{version} - provided with version > 97xx) is concerned by the need to change the SELinux context...
> If I take care of the SELinux context inside xorg-x11-drv-nvidia, I will have in the %post section (where nvidialibdir is %{_libdir}/nvidia):

You can check the default context of the path with matchpathcon.

def_con=`matchpathcon -n %{_libdir}/xorg/modules/drivers/nvidia_drv.so`
if [ "$def_con" != "system_u:object_r:textrel_shlib_t" ]; then
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
fi

> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
> if sestatus |egrep -q 'SELinux status.*enabled'
> then
>   restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so \
>     %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} \
>     %{nvidialibdir}/libGLcore.so.%{version} \
>     %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
> fi || :
>
> Thx for your advice!
> Nicolas (kwizart)
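
Added example, not part of the original thread or of the livna package: a shell helper for the matchpathcon check discussed above that compares only the type field of the default context, so the test also holds when the context carries an MLS/MCS range such as `:s0`, and that adds a local rule only for paths the policy does not already label. The function names and the `TEXTREL_TYPE` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent labeling helper for a %post-style scriptlet.
# TEXTREL_TYPE and all function names are assumptions of this example.
TEXTREL_TYPE=textrel_shlib_t

# Print the type field (3rd colon-separated field) of an SELinux context.
# Works for "user:role:type" and for "user:role:type:s0" (with a range).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the policy's default type for path $1 is not TEXTREL_TYPE,
# i.e. a local fcontext rule is still needed. A failed lookup also
# returns 0 so that the rule gets added.
needs_textrel_rule() {
    local def_con
    def_con=$(matchpathcon -n "$1" 2>/dev/null) || return 0
    [ "$(context_type "$def_con")" != "$TEXTREL_TYPE" ]
}

# Add a rule only for the paths that need one, then relabel every path.
# Prints the number of rules added and always returns 0, so a package
# scriptlet does not fail on a host where SELinux is disabled.
label_textrel_libs() {
    local path added
    added=0
    for path in "$@"; do
        if needs_textrel_rule "$path"; then
            semanage fcontext -a -t "$TEXTREL_TYPE" "$path" >/dev/null 2>&1 \
                && added=$((added + 1))
        fi
    done
    restorecon "$@" >/dev/null 2>&1 || :
    echo "$added"
}
```

In a spec file the helper would be called from %post with the expanded library paths as arguments.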