Selinux allow_execmem

aarozhkov · March 20, 2014, 12:38pm

Hello. In my configuration (redhat6 2.6.32-131.0.15.el6.x86_64, selinux-policy 3.7.19, GPU geforce 580) last linux driver compile libGL.so with RWX rights on some memory parts. Because of this i have to enable selinux variable allow_execmem to my program worked with this library. But i can’t use this seVariable enabled.

In driver Readme:

Overriding driver detection of SELinux policy booleans

On Linux, the NVIDIA GLX implementation will attempt to detect whether SELinux is enabled and modify its behavior to respect SELinux policy. By default, the driver adheres to SELinux policy boolean settings at the beginning of a client process’s execution; due to shared library limitations, these settings remain fixed throughout the lifetime of the driver instance. Additionally, the driver will adhere to policy boolean settings regardless of whether SELinux is running in permissive mode or enforcing mode. The __GL_SELINUX_BOOLEANS environment variable allows the user to override driver detection of specified SELinux booleans so the driver acts as if these booleans were set or unset. This allows the user, for example, to run the driver under a more restrictive policy than specified by SELinux, or to work around problems when running the driver under SELinux while operating in permissive mode.

__GL_SELINUX_BOOLEANS should be set to a comma-separated list of key/value pairs:

__GL_SELINUX_BOOLEANS=“key1=val1,key2=val2,key3=val3,…”

Valid keys are any SELinux booleans specified by “getsebool -a”, and valid values are 1, true, yes, or on to enable the boolean, and 0, false, no, or off to disable it. There should be no whitespace between any key, value, or delimiter. Currently, the driver only uses the allow_execmem boolean to determine whether it can apply optimizations that use executable memory.

Does this mean that driver have to compile libraries according to selinux policy configuration? But if i have allow_execmem(and all other execmem variable) off why libGL.so compile with such parameters? How can i avoid this?

sandipt · March 25, 2014, 4:18am

__GL_SELINUX_BOOLEANS has no effect on the permissions of libGL.so. It only tells the NVIDIA driver whether to behave as if the allow_execmem policy boolean has been enabled or disabled on an SELinux system. As stated in the README, the correct syntax for using this environment variable is to specify a comma-separated list of key/value pairs; e.g.:

__GL_SELINUX_BOOLEANS=“allow_execmem=on” glxgears

The driver does not re-compile libraries based on SELinux policy configuration at runtime. For now, libGL requires some of its components to retain rwx permissions (implying that allow_execmem must be enabled for applications using libGL), and the allow_execmem boolean only influences whether libGL attempts to make anonymous memory allocations via mmap(2).