Nvidia and SELinux
by Chuck Forsberg WA7KGX
The Nvidia X driver is a "killer application". Can't get the
card fan to quiet down without it. Can't get compiz running
without it. Some apps such as Flightgear aren't usable without it.
Integrated motherboard graphics I've seen are too slow.
Not an answer except for servers people hardly look at.
Assuming SELinux provides an important level of real world
protection, it needs to work in the desktop world. If SELinux
is that important it shouldn't be such a hassle that only server
admins will put up with it.
--
Chuck Forsberg caf(a)omen.com www.omen.com 503-614-0430
Developer of Industrial ZMODEM(Tm) for Embedded Applications
Omen Technology Inc "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231 FAX 629-0665
15 years, 6 months
Rawhide does not boot since 2.6.27-0.398
by Bruno GARDIN
I have been testing rawhide for a few months now, but I have had a boot
problem since kernel 2.6.27-0.398. My rawhide is a virtual system on VMware
Server, now at version 2.0. Whenever I try to boot, I get the following
errors at the end:
Activating logical volumes
VOlume group "VolGroup00" not found
Unable to access resume device (/dev/VolGroup00/LogVol01)
Creating root device
Mounting root file system
mount: error mounting /dev/root on /sysroot as ext3. No such file or directory
Setting up other filesystems
setuproot: moving /dev failed:No such file or directory
setuproot: error mounting/proc: No such file or directory
setuproot: error mounting /sys: No such file or directory
Mount failed for selinuxfs on /selinux: No such file or directory
Switching to new root and running init
swithroot: mount failed: No such file or directory
Booting has failed
Boot works fine with kernel 2.6.27-0.382 but also fails with 2.6.27-1.
I have looked at the thread related to ext4 but I am using ext3. I
have also tried a new mkinitrd on 2.6.27-1 but no change. Any idea of
what the problem could be?
--
BeGe
15 years, 6 months
F10 Snap 3, VMware Workstation 6.5, and ThinkPad T400
by Christopher A Williams
OK - I have successfully loaded up F10 Snap 3 on my ThinkPad T400.
Twice. I had to make a couple of changes along the way, including some
specific CMOS configuration changes, but I generally have that part
working.
The first post-install boot always hangs after the firstboot
configuration screens are done and you click the Finish button. After a
hard reset, the system does come up normally. Everything seems to work
at a base level. ATI graphics configure properly in unaccelerated mode,
but only after specifically setting Discrete Graphics in CMOS.
Autoswitch between Discrete and Internal does NOT work - it confuses and
kills X. Hopefully the accelerated drivers will work better...
I'm trying now to get VMware Workstation 6.5 up and running. It installs
without incident from the Bundle file. The RPM doesn't. In both cases,
Workstation simply refuses to start. Trying from the command line, I get
messages back that several modules and services are not running. Does
anybody have this working??? This is the next critical piece for me to
solve...
Cheers,
Chris
--
==============================
"If you are calm while all around you is chaos,
then you probably haven't fully understood
the magnitude of the situation."
--Unknown
15 years, 6 months
rawhide:selinux relabeled fs, now cannot login
by Jerry Amundson
I'm not kidding. I didn't create this problem to prove a point.. I'm
serious, I didn't! :-)
Really though, I took a laptop running rawhide, just updated this morning.
In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
time" warning like I did in f8]
Rebooted.
Relabel started. I went to fridge, folded some clothes, whatever...
I see it rebooting, seems to come to level 5 normally. But users,
root, nobody can login, graphical, tty, nothing.
I booted in rescue, start sshd.
My root ssh login gives me
"Unable to get valid context for root"
but gives me a shell anyway. [that's good!]
SELinux startup in dmesg and boot.log are normal.
****
Snippets from /var/log/secure:
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
Error! Unable to set jerry key creation context
system_u:system_r:system_chkpwd_t:s0.
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session opened for user jerry by (uid=0)
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session closed for user jerry
Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
Unable to set root key creation context
system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
opened for user root by LOGIN(uid=0)
Oct 26 19:57:29 JerryA-D600 login: Authentication failure
****
Snippets from /var/log/messages:
Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
(xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
sealert -l 06841090-2a80-4302-85fa-32121e402c57
Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
login (local_login_t) "create" system_chkpwd_t. For complete SELinux
messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
****
Upon starting setroubleshootd, I was able to get this:
[root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
Summary:
SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
Detailed Description:
SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:system_chkpwd_t:s0
Target Objects None [ key ]
Source kdm
Source Path /usr/bin/kdm
Port <Unknown>
Host JerryA-D600
Source RPM Packages kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-7.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name JerryA-D600
Platform Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 4
First Seen Sun Oct 26 19:56:13 2008
Last Seen Sun Oct 26 19:59:53 2008
Local ID 06841090-2a80-4302-85fa-32121e402c57
Line Numbers
Raw Audit Messages
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied
{ create } for pid=2227 comm="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
****
and this:
[root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
Summary:
SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
Detailed Description:
SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Objects None [ key ]
Source login
Source Path /bin/login
Port <Unknown>
Host JerryA-D600
Source RPM Packages util-linux-ng-2.14.1-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-7.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name JerryA-D600
Platform Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 3
First Seen Sun Oct 26 19:57:28 2008
Last Seen Sun Oct 26 20:00:06 2008
Local ID fcadfe5d-c3f9-41ef-86a7-107480d77831
Line Numbers
Raw Audit Messages
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied
{ create } for pid=2178 comm="login"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
key=(null)
Thanks,
jerry
--
There's plenty of youth in America - it's time we find the "fountain of smart".
15 years, 6 months
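An added example (not part of Jerry Amundson's post or of any Fedora tool): a small Python parser that rejoins the mail-wrapped audit records quoted in the "rawhide:selinux relabeled fs" post above and groups the AVC denials by source type, target type and object class. The sample input is constructed from the two AVC records in the post plus an abridged SYSCALL record; all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two AVC records (hard-wrapped as in the mail)
# plus one abridged SYSCALL record to show that non-AVC records are skipped.
SAMPLE = """\
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied
{ create } for pid=2227 comm="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
arch=40000003 syscall=4 success=no exit=-13 comm="kdm"
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied
{ create } for pid=2178 comm="login"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
"""

# A record starts with an optional node= field, then type=... msg=audit(
START = re.compile(r'(node=\S+\s+)?type=\w+\s+msg=audit\(')
AVC = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def se_type(context):
    """The third field of user:role:type[:level] is the enforcement type."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> denied perms and commands."""
    out = defaultdict(lambda: {"perms": set(), "comms": set()})
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:  # SYSCALL and other record types do not match and are skipped
            key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
            out[key]["perms"].update(m["perms"].split())
            out[key]["comms"].add(m["comm"])
    return dict(out)
```

On the post's records, both denials resolve to the same target type, system_chkpwd_t with class key and permission create, reached from two different login paths (kdm and login).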
java plugin question
by Petrus de Calguarium
I decided to update java-1.6.0-openjdk and java-1.6.0-openjdk-plugin from koji this morning.
No problems, but a mysterious message:
/usr/lib/jvm/jre-1.6.0-openjdk/lib/i386/gcjwebplugin.so has not been configured as an alternative for libjavaplugin.so
I checked alternatives and this is true.
1. Should I set it up in alternatives, as is implied?
2. I am using the sun plugin for firefox, but konqueror needs gcjwebplugin.so, doesn't it?
15 years, 6 months
/.dbus and /.tmp - leftovers (from Snap2 install) or needed?
by Tom London
Running Snap2 installed system (no problems, thanks!).
Noticed /.dbus and /.tmp. These needed?
[root@tlondon /]# ls -lad /.tmp /.dbus
drwx------ 3 root root 4096 2008-10-17 14:06 /.dbus
drwxr-xr-x 2 root root 4096 2008-10-17 14:04 /.tmp
[root@tlondon /]#
Curious minds ....
tom
--
Tom London
15 years, 6 months
ATI-Card shows Window-Buttons false, if Desktop-effects enabled
by Roger Grosswiler
Hi,
This weekend, I also got F10 Beta on my work machine :)
It worked out of the box, but I am still working on details. One of the first things I saw was that
if I enable desktop effects on that box, there is a space between the 3 buttons
(minimize, maximize, close); the size of the space seems the same as the button itself.
Roger
15 years, 6 months
Lack of feedback from Anaconda GUI
by Chuck Forsberg WA7KGX
When the NEXT button is clicked on the GUI install, nothing
visible happens. This tempts the user to click it again. The
spurious click then causes the GUI to whizz past the next step.
Good interface design would have the button go dark when
activated. At the very least, purge the input event queue
before displaying the next button.
--
Chuck Forsberg caf(a)omen.com www.omen.com 503-614-0430
Developer of Industrial ZMODEM(Tm) for Embedded Applications
Omen Technology Inc "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231 FAX 629-0665
15 years, 6 months