Hi, I don't know whether this is new or not. I recently tried installing the nvidia-graphics256.44 packages on Fedora 12 (kernel 2.6.32.19-163). After rebooting, X would not start, and Xorg.0.log contained the following:
    (II) LoadModule: "nvidia"
    (II) Loading /usr/lib/xorg/modules/drivers/nvidia_drv.so
    dlopen: /usr/lib/xorg/modules/drivers/nvidia_drv.so: cannot restore segment prot after reloc: Permission denied
    (EE) Failed to load /usr/lib/xorg/modules/drivers/nvidia_drv.so
    (II) UnloadModule: "nvidia"
    (EE) Failed to load module "nvidia" (loader failed, 7)
    (EE) No drivers available.

Eventually I put selinux into permissive mode (by editing /etc/selinux/config) and rebooted in permissive mode, and X started successfully. There was indeed a SELinux security alert, containing the text copied at the bottom of this email below. Executing the two commands suggested by the alert

    chcon -t textrel_shlib_t '/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so'
    semanage fcontext -a -t textrel_shlib_t '/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so'

and setting selinux back into enforcing mode and rebooting, seemed to fix the problem.

If this is not a new issue, and if there is a reason why the SELinux steps cannot or should not be performed automatically upon installation of a new driver, is there a wiki page or some other documentation that describes all the things to do when installing nvidia-graphics drivers, and the sort of 'gotchas' that one might run into? Could there be a link to that sort of documentation from the ATrpms pages describing the package? Presently, it all seems to be tribal knowledge. Maybe some of it is captured in old atrpms-users archives, but searching through those isn't very convenient.

- Dan

Summary:

SELinux is preventing /usr/bin/Xorg from loading /usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so which requires text relocation.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The Xorg application attempted to load /usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so to use relocation as a workaround, until the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so'"

Fix Command:

    chcon -t textrel_shlib_t '/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so'

Additional Information:

    Source Context        system_u:system_r:xserver_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:lib_t:s0
    Target Objects        /usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so [ file ]
    Source                Xorg
    Source Path           /usr/bin/Xorg
    Port                  <Unknown>
    Host                  localhost.localdomain
    Source RPM Packages   xorg-x11-server-Xorg-1.7.6-4.fc12
    Target RPM Packages   nvidia-graphics256.44-256.44-126.fc12
    Policy RPM            selinux-policy-3.6.32-121.fc12
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Permissive
    Plugin Name           allow_execmod
    Host Name             localhost.localdomain
    Platform              Linux localhost.localdomain 2.6.32.19-163.fc12.i686 #1 SMP Wed Aug 18 11:39:59 UTC 2010 i686 i686
    Alert Count           1
    First Seen            Tue 31 Aug 2010 09:47:45 AM PDT
    Last Seen             Tue 31 Aug 2010 09:47:45 AM PDT
    Local ID              69b12335-a925-48f3-9a67-a6e218372a25
    Line Numbers

Raw Audit Messages

    node=localhost.localdomain type=AVC msg=audit(1283273265.625:5): avc: denied { execmod } for pid=1500 comm="Xorg" path="/usr/lib/xorg/modules/drivers/nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so" dev=dm-0 ino=923436 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

    node=localhost.localdomain type=SYSCALL msg=audit(1283273265.625:5): arch=40000003 syscall=125 success=yes exit=0 a0=260d000 a1=53a000 a2=5 a3=bf890ed0 items=0 ppid=1499 pid=1500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 key=(null)

_______________________________________________
atrpms-users mailing list
[email protected]
http://lists.atrpms.net/mailman/listinfo/atrpms-users
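
Added example (not part of the original post and not ATrpms or SELinux project code): a Python triage of raw audit text like the message above. It parses AVC records, keeps only execmod denials on files, and returns for each the two relabel commands the alert proposes. The sample input is constructed from the record in the post plus one invented denial; the function names are illustrative.

```python
import re
import shlex

# Constructed input: the AVC record from the alert (wrapped path rejoined)
# plus one invented, unrelated denial that the triage must skip.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1283273265.625:5): avc: denied { execmod } for '
    'pid=1500 comm="Xorg" path="/usr/lib/xorg/modules/drivers/'
    'nvidia-graphics-256.44/nvidia-graphics-256.44_drv.so" dev=dm-0 '
    'ino=923436 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file\n'
    'type=AVC msg=audit(1283273300.100:9): avc: denied { read } for '
    'pid=1600 comm="example" path="/tmp/example.txt" dev=dm-0 ino=42 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; None if it lacks the needed fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass', 'path'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def execmod_findings(audit_text):
    """Return (record, commands) for each execmod denial on a file."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or 'execmod' not in rec['perms'] or rec['tclass'] != 'file':
            continue
        path = shlex.quote(rec['path'])
        # The alert's two commands: relabel now, then persist the label.
        findings.append((rec, [
            f'chcon -t textrel_shlib_t {path}',
            f'semanage fcontext -a -t textrel_shlib_t {path}',
        ]))
    return findings
```

The commands are returned as strings for review rather than executed, and `shlex.quote` keeps a path containing spaces or shell metacharacters as a single argument.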
