Need to handle xorg-x11-drv-nvidia with selinux-policy!

Daniel J Walsh dwalsh at redhat.com
Tue May 22 13:33:14 UTC 2007


KH KH wrote:
> 2007/5/21, Daniel J Walsh <dwalsh at redhat.com>:
>> KH KH wrote:
>> > Hello
>> >
>> > From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
>> > There is a need to handle xorg-x11-drv-nvidia package with SELinux:
>> > This was previously documented to be done manually on documentation
>> > that uses livna package...
>> > The nvidia installer detects it but livna package uses a different
>> > scheme so it has to be handled somewhere else...
>> >
>> > This can be done into the xorg-x11-drv-nvidia package or into
>> > selinux-policy (the second is the preferred choice if possible).
>> >
>> > Because it deals with versioned libs I wonder if it can be possible to
>> > handle it easily with the selinux-policy package?
>> >
>> > Thx for any advice (I will submit a bug for selinux-policy if it is
>> > possible)
>> >
>> > Nicolas (kwizart)
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> u1 update has these fixes (preview available on
>> http://people.redhat.com/dwalsh/SELinux/RHEL5)
>
> Well I didn't reach to check (which one may I check?)
I am not sure what you are asking?  You can check the policy in
http://people.redhat.com/dwalsh/SELinux/RHEL5
>
>> Of course if nvidia would just fix the way they build their libraries,
>> this would probably not be a problem
>>
> Should we request it to nVidia? Is it related to CFLAGS and
> $RPM_OPT_FLAGS?
>
Yes.  It has to do with using -fpic or -fPIC in the CFLAGS.
> Well I forgot to say that livna packaging scheme uses a different path
> for these libraries (to prevent replacement issue)... And I also
> don't know currently if the new lib ( libnvidia-wfb.so.%{version} -
> provided with version > 97xx ) is concerned by the need to change the
> SELinux context...
>
> If I take care of the SELinux context inside xorg-x11-drv-nvidia I
> will have in %post section: (where nvidialibdir is %{_libdir}/nvidia )
>
You can check the default context of the path with matchpathcon.
def_con=`matchpathcon -n %{_libdir}/xorg/modules/drivers/nvidia_drv.so`
if [ "$def_con" != "system_u:object_r:textrel_shlib_t" ]; then
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
>   %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
fi
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
>   %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
>   %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t \
>   %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
> if sestatus |egrep -q 'SELinux status.*enabled'
> then
>       restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so \
>         %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} \
>         %{nvidialibdir}/libGLcore.so.%{version} \
>         %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
> fi || :
>
> Thx for your advice!
>
> Nicolas (kwizart)
>
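The matchpathcon check suggested in the reply above, generalized to every library in the %post list, as an added example (not code from the thread or from the livna package). It compares only the type field of the default context, so a trailing MLS level such as :s0 or a `<<none>>` answer is handled; the function names and the MATCHPATHCON, SEMANAGE and RESTORECON override variables are hypothetical, there so the logic can be exercised without SELinux tools installed.

```shell
#!/bin/sh
# Added example. WANT_TYPE is the type discussed in the thread; the three
# *override* variables below are hypothetical test hooks, not real options.
WANT_TYPE=textrel_shlib_t

# Print the type field of a context such as
#   system_u:object_r:textrel_shlib_t   or   system_u:object_r:lib_t:s0
# Prints nothing for "<<none>>" or an empty string.
context_type() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)     : ;;
    esac
}

# Succeed (return 0) when the policy default for path $1 is NOT already
# WANT_TYPE, i.e. a local fcontext rule is still needed.
needs_local_rule() {
    def_con=$("${MATCHPATHCON:-matchpathcon}" -n "$1" 2>/dev/null) || def_con=
    [ "$(context_type "$def_con")" != "$WANT_TYPE" ]
}

# For each path: add a local rule only where the shipped policy lacks one,
# then relabel the file. Prints the number of local rules requested.
label_textrel_libs() {
    added=0
    for lib in "$@"; do
        if needs_local_rule "$lib"; then
            # "|| :" keeps the scriptlet going if the rule already exists
            # (package upgrade) or SELinux tooling is absent.
            "${SEMANAGE:-semanage}" fcontext -a -t "$WANT_TYPE" "$lib" \
                >/dev/null 2>&1 || :
            added=$((added + 1))
        fi
        "${RESTORECON:-restorecon}" "$lib" >/dev/null 2>&1 || :
    done
    echo "$added"
}
```

In a scriptlet the call would be `label_textrel_libs` followed by the same four library paths the quoted %post section lists.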



