Paul Howarth wrote:
Claude Jones wrote:

On Tuesday August 01 2006 8:20 am, Marc Schwartz wrote:

Marc: comments interspersed

Just a heads up. If you do want to use the nVidia installer with SELinux enabled, the instructions on the FedoraFaq web site need to be updated.

The changes I suggested on f-s-l were to avoid globally allowing execstack/execmod, and limiting this to those objects that actually needed it. The approach suggested in fedorafaq works, but could be more securely done.

Undo the changes to the booleans:

# /usr/sbin/setsebool -P allow_execstack 0
# /usr/sbin/setsebool -P allow_execmod 0

Ran these and immediately got a prompt with no messages.

Then update the file contexts instead:

# /usr/sbin/semanage fcontext -a -f -- -t textrel_shlib_t '/usr/lib/libGL(core)?\.so(\.[^/]*)*'

Running each of the next three produced readout that seemed to indicate errors in syntax - i.e. instructions for proper running of the command:

/usr/sbin/semanage fcontext -a -f -- -t textrel_shlib_t'/usr/lib/libGL(core)?\.so(\.[^/]*)*'
semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level

Space missing between textrel_shlib_t and '/usr/lib/libGL(core)?\.so(\.[^/]*)*'

# /usr/sbin/semanage fcontext -a -f -- -t textrel_shlib_t '/usr/lib/libnvidia.*\.so(\.[^/]*)*'

Running this command yielded similar results as just above, and in this case there is no file/directory named "/usr/lib/libnvidia" - the same for the next command

# /sbin/restorecon -v /usr/lib/libGL* /usr/lib/libnvidia*

In case of line wrapping, each of the three commands above should be on a single line.

The above is based upon a discussion with Paul Howarth on the SELinux list

I'm running the nvidia rpms from Livna - there is a folder called "/usr/lib/nvidia" which has "*.so" files in it; could this be what you mean for the last two commands? That still wouldn't account for the problem with "/usr/lib/libGL", however...

The advice I gave to Marc was based on his use of the nvidia installer directly; the file contexts for a properly-packaged RPM like the one from livna will be different because the files will be somewhere else (and the context fixes might even be done in the RPM itself; I don't know).

Paul.

Paul,

Thanks for replying here. I was in transit between home and office when Claude's post came through.

Marc
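
The path mismatch discussed in this thread, as an added example that is not part of the original messages: it checks which library paths the two file-context specs quoted above would label textrel_shlib_t. The sample paths and version suffixes are constructed for illustration, and Python's `re.fullmatch` stands in for the way SELinux anchors file-context specs at both ends.

```python
import re

# The two specs passed to "semanage fcontext" in the thread, with the
# type they assign.
SPECS = {
    r"/usr/lib/libGL(core)?\.so(\.[^/]*)*": "textrel_shlib_t",
    r"/usr/lib/libnvidia.*\.so(\.[^/]*)*": "textrel_shlib_t",
}


def matching_type(path, specs=SPECS):
    """Return the type of the first spec that matches the whole path."""
    for spec, setype in specs.items():
        # File-context specs must match the entire path, so use fullmatch.
        if re.fullmatch(spec, path):
            return setype
    return None


def uncovered(paths, specs=SPECS):
    """List the paths that none of the specs would relabel."""
    return [p for p in paths if matching_type(p, specs) is None]


# Constructed sample: layout when the nVidia installer is run directly.
INSTALLER_PATHS = [
    "/usr/lib/libGL.so.1",
    "/usr/lib/libGLcore.so.1.0.1234",
    "/usr/lib/libnvidia-tls.so.1",
]

# Constructed sample: libraries under /usr/lib/nvidia, the directory
# Claude reports for the Livna RPMs.
RPM_PATHS = [
    "/usr/lib/nvidia/libGL.so.1",
    "/usr/lib/nvidia/libGLcore.so.1",
    "/usr/lib/nvidia/libnvidia-tls.so.1",
]

if __name__ == "__main__":
    for path in INSTALLER_PATHS + RPM_PATHS:
        print(f"{path}: {matching_type(path) or 'no spec matches'}")
```

Every installer-layout path is covered while none of the paths under /usr/lib/nvidia are, so on a packaged install these rules and the restorecon globs would change nothing.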