AppArmor blocking OpenGL in KDM

In openSUSE 12.3, I have an issue that I have tracked down to a point but cannot resolve. With AppArmor enabled and /usr/sbin/nscd set to Enforce, then Compositing Type OpenGL under Configure Desktops | Desktop Effects | Advanced will not work.

I get errors that several of my effects will not load. When I restart the computer then Compositing is changed back to XRender.

If I change /usr/sbin/nscd from Enforce to Complain in the AppArmor configuration and restart the computer, then OpenGL works fine.

Is there a setting within the /usr/sbin/nscd configuration that complains with KDM and OpenGL enabled?

The following is the contents of /etc/apparmor.d/usr.sbin.nscd

# Last Modified: Sun Jul 28 09:21:47 2013
# ------------------------------------------------------------------
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------

#include <tunables/global>

/usr/sbin/nscd flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <local/usr.sbin.nscd>

capability block_suspend,
capability net_bind_service,
capability setgid,
capability setuid,

network inet dgram,
network inet stream,

/etc/netgroup r,
/etc/nscd.conf r,
/proc/sys/vm/overcommit_memory r,
/tmp/.winbindd/pipe rw,
/usr/sbin/nscd mrix,
/var/lib/samba/winbindd_privileged/pipe rw,
/var/log/nscd.log rw,
/var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
/{,var/}run/.nscd_socket wl,
/{,var/}run/avahi-daemon/socket w,
/{,var/}run/nscd/ rw,
/{,var/}run/nscd/db* wl,
/{,var/}run/nscd/socket wl,
/{,var/}run/{nscd/,}nscd.pid rwl,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/fd/* r,
@{PROC}/[0-9]*/maps r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,

}

Thank you

Tony

This doesn’t make sense but I have OpenGL working again. I tried various attempts to enforce and complain /usr/sbin/nscd through YaST with no effect. I tried the GUI and the command line. When I entered su aa-status I can see that the /usr/sbin/nscd profile is set to enforce but 1 process is in complain mode, namely /usr/sbin/nscd. I can use the enforce command to set the process /usr/sbin/nscd to enforce but it reverts on reboot.

From the AppArmor Failures - AppArmor page, I set the audit log to All using sudo sh -c 'echo -n "all" > /sys/module/apparmor/parameters/audit'. When I rebooted my computer I got a kernel panic on boot before grub2 kicked in. When I did a hard reboot the system booted correctly and now the OpenGL function is working from the Configure Desktop | Desktop Effects | Advanced | Compositing Type.

I have rebooted several times and it remains working. When I run aa-status, it still shows the /usr/sbin/nscd profile as enforced but the process as complain. I do not know if I fixed something or inadvertently found a bug in AppArmor.
Here is my aa-status output.

apparmor module is loaded.
29 profiles are loaded.
28 profiles are in enforce mode.
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib64/libvirt/virt-aa-helper
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/libvirtd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/ntpd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/sbin/winbindd
/usr/{sbin/traceroute,bin/traceroute.db}
1 profiles are in complain mode.
/usr/sbin/nscd
3 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/avahi-daemon (1058)
/usr/sbin/libvirtd (1918)
1 processes are in complain mode.
/usr/sbin/nscd (1135)
0 processes are unconfined but have a profile defined.

Is there anyone with some AppArmor experience that can explain what is happening? Thanks again. Tony

I can’t actually help.

I would guess that nobody else is having the same problem, else we would have heard about it.

I am puzzled on why you think “nscd” would have anything to do with opengl. It is just a caching daemon for a hostname, passwd and group lookups.

I traced it to nscd because opengl would work when I disabled AppArmor. Further testing by changing settings in AppArmor and rebooting reduced it to only nscd being enabled resulting in opengl not working. The actions I posted on 20-Oct-2013 corrected the issue for 12.3.

I have just upgraded to 13.1 and unfortunately the opengl does not work again. I disabled AppArmor and that did not help, so I am back to troubleshooting opengl. It is possible something broke on the 12.3 -> 13.1 upgrade.

And what graphics card do you have?

Please post your /var/log/Xorg.0.log (upload it to SUSE Paste and post a link).

And install “Mesa-demo-x” and post the output of:

glxinfo | grep render

I installed 13.1 from scratch and the problem is gone. OpenGL is working with AppArmor (and nscd) enabled.

The problem first appeared, either after the update to 12.2 or 12.3, or moving back and forth from the open source to AMD proprietary drivers may have created the problem.

I have an AMD Radeon HD 6670 on an AMD ASUS mb. I saved my /var folder before I reformatted the drive and have attached the old Xorg.0.log from the upgrade attempt -> SUSE Paste. It has one error listed for fglrx.

This is not the current Xorg.0.log but I can provide that if it will help. I don’t think the Mesa demo will help since I reinstalled but I can run that too.

Error?
No, it only says it can’t load fglrx (module does not exist), which is normal if you don’t have it installed of course.

One thing though:
Maybe Apparmor logged the problem to /var/log/messages?
AFAIK, if /var/log/audit exists, this is used by aa-status and /var/log/messages ignored, so it won’t show anything from there.

Anyway, if it works now, it’s ok I think… :wink:

PS: I’m using radeon (old Radeon 9600) and apparmor (with default settings) and never had a problem with OpenGL…
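
The last reply suggests looking for what AppArmor logged in /var/log/messages or under /var/log/audit. The following is an added example, not code from the thread, that summarizes such records per profile so it is visible whether a profile like /usr/sbin/nscd really denied anything; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): one syslog-style record as it
# would appear in /var/log/messages, the rest in auditd style.
SAMPLE_LOG = '''\
Oct 20 09:14:02 host kernel: [   21.500000] type=1400 audit(1382256842.100:12): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/example/denied/path" pid=1135 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1382256850.200:13): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/example/denied/path" pid=1135 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1382256851.300:14): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/nscd" name="/example/socket" pid=1135 comm="nscd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1382256852.400:15): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/nscd" pid=900 comm="apparmor_parser"
Oct 20 09:14:05 host sshd[1200]: unrelated line
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Return one dict per AppArmor DENIED/ALLOWED record found in text."""
    events = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        # DENIED  = blocked by a profile in enforce mode
        # ALLOWED = would have been blocked, but the profile is in complain mode
        if fields.get("apparmor") in ("DENIED", "ALLOWED"):
            events.append(fields)
    return events


def summarize(events):
    """Count records by (verdict, profile, operation, name, denied_mask)."""
    keys = ("apparmor", "profile", "operation", "name", "denied_mask")
    return Counter(tuple(e.get(k, "?") for k in keys) for e in events)


def blocking_profiles(events):
    """Profiles that actually blocked something (enforce-mode denials)."""
    return sorted({e.get("profile", "?") for e in events if e["apparmor"] == "DENIED"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, count in summarize(evs).most_common():
        print(count, *key)
    print("profiles with real denials:", blocking_profiles(evs))
```

The `name` and `comm` fields of a DENIED record show which path was refused and which process asked for it, which is the evidence needed before relaxing a profile.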