Results 1 to 7 of 7

Thread: AppArmor blocking OpenGL in KDM

  1. #1

    Default AppArmor blocking OpenGL in KDM

    In openSUSE 12.3, I have an issue that I have tracked down to a point but cannot resolve. With AppArmor enabled and /usr/sbin/nscd set to Enforce, then Compositing Type OpenGL under Configure Desktops | Desktop Effects | Advanced will not work.

    I get errors that several of my effects will not load. When I restart the computer then Compositing is changed back to XRender.

    If I change /usr/sbin/nscd from Enforce to Complain in the AppArmor configuration and restart the computer, then OpenGL works fine.

    Is there a setting within the /usr/sbin/mscd configuration that complains with KDM and OpenGL enabled?

    The following is the contents of /etc/apparmor.d/usr.sbin.nscd

    # Last Modified: Sun Jul 28 09:21:47 2013
    # ------------------------------------------------------------------
    #
    # Copyright (C) 2002-2005 Novell/SUSE
    # Copyright (C) 2009-2010 Canonical Ltd.
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of version 2 of the GNU General Public
    # License published by the Free Software Foundation.
    #
    # ------------------------------------------------------------------

    #include <tunables/global>

    /usr/sbin/nscd flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>
    #include <local/usr.sbin.nscd>


    capability block_suspend,
    capability net_bind_service,
    capability setgid,
    capability setuid,

    network inet dgram,
    network inet stream,


    /etc/netgroup r,
    /etc/nscd.conf r,
    /proc/sys/vm/overcommit_memory r,
    /tmp/.winbindd/pipe rw,
    /usr/sbin/nscd mrix,
    /var/lib/samba/winbindd_privileged/pipe rw,
    /var/log/nscd.log rw,
    /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
    /{,var/}run/.nscd_socket wl,
    /{,var/}run/avahi-daemon/socket w,
    /{,var/}run/nscd/ rw,
    /{,var/}run/nscd/db* wl,
    /{,var/}run/nscd/socket wl,
    /{,var/}run/{nscd/,}nscd.pid rwl,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/fd/* r,
    @{PROC}/[0-9]*/maps r,
    @{PROC}/[0-9]*/mounts r,
    @{PROC}/filesystems r,

    }


    Thank you

    Tony

  2. #2

    Default Re: AppArmor blocking OpenGL in KDM

    This doesn't make sense but I have OpenGL working again. I tried various attempts to enforce and complain /usr/sbin/nscd through YaST with no effect. I tried the GUI and the command line. When I entered su aa-status I can see that the /usr/sbin/nscd profile is set to enforce but 1 process is in complain mode, namely /usr/sbin/nscd. I can use the enforce command to set the process /usr/sbin/nscd to enforce but it reverts on reboot.

    From the AppArmor Failures - AppArmor I set the audit log to All using sudo sh -c 'echo -n "all" > /sys/module/apparmor/parameters/audit' When I rebooted my computer I got a kernel panic on boot before grub2 kicked in. When I did a hard reboot the system booted correctly and now the OpenGL function is working from the Configure Desktop | Desktop Effects | Advanced | Compositing Type

    I have rebooted several times and it remains working. When I run aa-status, it still shows the /usr/sbin/nscd profile as enforced but the process as complain. I do not know if I fixed something or inadvertently found a bug in AppArmor.
    Here is my aa-status output.

    apparmor module is loaded.
    29 profiles are loaded.
    28 profiles are in enforce mode.
    /sbin/klogd /sbin/syslog-ng
    /sbin/syslogd
    /usr/lib/apache2/mpm-prefork/apache2
    /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
    /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
    /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
    /usr/lib/dovecot/deliver
    /usr/lib/dovecot/dovecot-auth
    /usr/lib/dovecot/imap
    /usr/lib/dovecot/imap-login
    /usr/lib/dovecot/managesieve-login
    /usr/lib/dovecot/pop3
    /usr/lib/dovecot/pop3-login
    /usr/lib64/libvirt/virt-aa-helper
    /usr/sbin/avahi-daemon
    /usr/sbin/dnsmasq
    /usr/sbin/dovecot
    /usr/sbin/identd
    /usr/sbin/libvirtd
    /usr/sbin/mdnsd
    /usr/sbin/nmbd
    /usr/sbin/ntpd
    /usr/sbin/smbd
    /usr/sbin/smbldap-useradd
    /usr/sbin/smbldap-useradd///etc/init.d/nscd
    /usr/sbin/winbindd
    /usr/{sbin/traceroute,bin/traceroute.db}
    1 profiles are in complain mode.
    /usr/sbin/nscd
    3 processes have profiles defined.
    2 processes are in enforce mode.
    /usr/sbin/avahi-daemon (1058)
    /usr/sbin/libvirtd (1918)
    1 processes are in complain mode.
    /usr/sbin/nscd (1135)
    0 processes are unconfined but have a profile defined.

    Is there anyone with some AppArmor experience that can explain what is happening? Thanks again. Tony

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,634
    Blog Entries
    3

    Default Re: AppArmor blocking OpenGL in KDM

    Quote Originally Posted by tsultana View Post
    Is there anyone with some AppArmor experience that can explain what is happening? Thanks again. Tony
    I can't actually help.

    I would guess that nobody else is having the same problem, else we would have heard about it.

    I am puzzled on why you think "nscd" would have anything to do with opengl. It is just a caching daemon for a hostname, passwd and group lookups.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4

    Default Re: AppArmor blocking OpenGL in KDM

    I traced it to nscd because opengl would work when I disabled AppArmor. Further testing by changing settings in AppArmor and rebooting reduced it to only nscd being enabled resulting in opengl not working. The actions I posted on 20-Oct-2013 corrected the issue for 12.3.

    I have just upgraded to 13.1 and unfortunately the opengl does not work again. I disabled AppArmor and that did not help, so I am back to troubleshooting opengl. It is possible something broke on the 12.3 -> 13.1 upgrade.

  5. #5

    Default Re: AppArmor blocking OpenGL in KDM

    Quote Originally Posted by tsultana View Post
    I have just upgraded to 13.1 and unfortunately the opengl does not work again. I disabled AppArmor and that did not help, so I am back to troubleshooting opengl. It is possible something broke on the 12.3 -> 13.1 upgrade.
    And what graphics card do you have?

    Please post your /var/log/Xorg.0.log (upload it to SUSE Paste and post a link).

    And install "Mesa-demo-x" and post the output of:
    Code:
    glxinfo | grep render

  6. #6

    Default Re: AppArmor blocking OpenGL in KDM

    I installed 13.1 from scratch and the problem is gone. OpenGL is working with AppArmor (and nscd) enabled.

    The problem first appeared, either after the update to 12.2 or 12.3, or moving back and forth from the open source to AMD proprietary drivers may have created the problem.

    I have an AMD Radeon HD 6670 on an AMD ASUS mb. I saved my /var folder before I reformatted the drive and have attached the old Xorg.0.log from the upgrade attempt -> SUSE Paste. It has one error listed for fglrx.

    This is not the current Xorg.0.log but I can provide that if it will help. I don't think the Mesa demo will help since I reinstalled but I can run that too.

  7. #7

    Default Re: AppArmor blocking OpenGL in KDM

    Quote Originally Posted by tsultana View Post
    I have an AMD Radeon HD 6670 on an AMD ASUS mb. I saved my /var folder before I reformatted the drive and have attached the old Xorg.0.log from the upgrade attempt -> SUSE Paste. It has one error listed for fglrx.
    Error?
    No, it only says it can't load fglrx (module does not exist), which is normal if you don't have it installed of course.

    One thing though:
    Maybe Apparmor logged the problem to /var/log/messages?
    AFAIK, if /var/log/audit exists, this is used by aa-status and /var/log/messages ignored, so it won't show anything from there.

    Anyway, if it works now, it's ok I think...

    PS: I'm using radeon (old Radeon 9600) and apparmor (with default settings) and never had a problem with OpenGL...

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •