Bug 1130596

Summary: SELinux is preventing gnome-session-c from read, write access on the chr_file nvidiactl.
Product: Fedora
Reporter: Stefan Ringel <mail>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: dominick.grift, dwalsh, igeorgex, lvrabec, mgrepl, moez.roy, p.malishev
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:7095cb86daa476d5032c402a1fd9401d81368e96c834bf1ed17ac95dde23f2ff
Doc Type: Bug Fix
Last Closed: 2016-07-19 12:01:26 UTC

Description Stefan Ringel 2014-08-15 15:45:49 UTC
Description of problem:
SELinux is preventing gnome-session-c from read, write access on the chr_file nvidiactl.

*****  Plugin device (91.4 confidence) suggests   ****************************

If you want to allow gnome-session-c to have read write access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar element.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that gnome-session-c should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        gnome-session-c
Source Path                   gnome-session-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-72.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-1.fc22.x86_64 #1 SMP Mon
                              Aug 4 10:01:23 UTC 2014 x86_64 x86_64
Alert Count                   36
First Seen                    2014-08-09 23:15:36 CEST
Last Seen                     2014-08-15 14:31:11 CEST
Local ID                      ce470f75-9afb-4b42-89b9-188026049c85

Raw Audit Messages
type=AVC msg=audit(1408105871.775:388): avc:  denied  { read write } for  pid=1345 comm="gnome-shell" name="nvidiactl" dev="devtmpfs" ino=18366 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Hash: gnome-session-c,xdm_t,device_t,chr_file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-72.fc22.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-1.fc22.x86_64
type:           libreport

Potential duplicate: bug 694918

Comment 1 Daniel Walsh 2014-08-15 16:04:08 UTC
ls -lZ  /dev/nvidiactl


Whatever created this device, it created it with the wrong label.

type_transition puppetagent_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition udev_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition kernel_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition authconfig_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition init_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition unconfined_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition sysadm_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition xserver_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition rpm_script_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition pegasus_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition neutron_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 

Looks like we have lots of domains setup to create this device with the correct label.

Comment 2 Daniel Walsh 2014-08-15 16:04:32 UTC
*** Bug 1130595 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2014-08-15 16:07:04 UTC
*** Bug 1130519 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2014-08-15 16:07:08 UTC
*** Bug 1130522 has been marked as a duplicate of this bug. ***

Comment 5 Jaroslav Reznik 2015-03-03 16:12:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 6 Pavel Malyshev 2015-07-01 15:09:55 UTC
Just faced the issue with Fedora 22

Comment 7 Pavel Malyshev 2015-07-01 15:11:27 UTC
$ LANG=C ls -lZ /dev/nvidiactl
crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 195, 255 Jul  1 18:01 /dev/nvidiactl

Comment 8 Pavel Malyshev 2015-07-01 15:16:09 UTC
Workaround, just for reference:
$ sudo restorecon -r -vv /dev/nvidiactl
$ sudo restorecon -r -vv /dev/nvidia0

Expected labels:
$ LANG=C ls -lZ /dev/nvidia*
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195,   0 Jul  1 18:01 /dev/nvidia0
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 255 Jul  1 18:01 /dev/nvidiactl
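The denial in the description, the type_transition rules listed in comment 1 and the `ls -lZ` output in comments 7 and 8 fit one triage pattern: the target carries the generic parent type device_t, while policy says a node named nvidiactl created under /dev by any of the listed domains should have become xserver_misc_device_t. That makes it a labeling problem, and the right fix is the relabel in comment 8, not the catchall plugin's audit2allow suggestion, which would emit `allow xdm_t device_t:chr_file { read write };` and grant xdm_t access to every device node that still carries the generic label. The script below is an added example, not code from the bug report, selinux-policy or setroubleshoot. It parses the raw AVC line and the quoted rules, models create-time labeling (the matching type_transition if there is one, otherwise the parent directory's type) and classifies the denial. `AVC_LINE`, `RULES_TEXT` (a subset of comment 1) and `LS_Z` are copied from the report as constructed inputs; the domain name `unlisted_t`, used to show the no-rule case, and the triage heuristic itself are my own assumptions.

```python
"""Triage of an SELinux AVC denial on a device node.

Added example for bug 1130596; not part of the report, selinux-policy or
setroubleshoot. Inputs are copied from the report; the decision logic is
an assumption about how to triage such a denial.
"""
import re

# Raw AVC message from the description (constructed input for this example).
AVC_LINE = ('type=AVC msg=audit(1408105871.775:388): avc:  denied  { read write } '
            'for  pid=1345 comm="gnome-shell" name="nvidiactl" dev="devtmpfs" '
            'ino=18366 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')

# Subset of the type_transition rules quoted in comment 1 (constructed input).
RULES_TEXT = """\
type_transition udev_t device_t : chr_file xserver_misc_device_t "nvidiactl";
type_transition kernel_t device_t : chr_file xserver_misc_device_t "nvidiactl";
type_transition init_t device_t : chr_file xserver_misc_device_t "nvidiactl";
type_transition unconfined_t device_t : chr_file xserver_misc_device_t "nvidiactl";
type_transition xserver_t device_t : chr_file xserver_misc_device_t "nvidiactl";
"""

# `ls -lZ /dev/nvidiactl` line from comment 7 (constructed input).
LS_Z = ('crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 195, 255 '
        'Jul  1 18:01 /dev/nvidiactl')

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'type_transition (\w+) (\w+) : (\w+) (\w+) "([^"]+)";')


def parse_avc(line):
    """Split an AVC denial into its key=value fields plus the permission
    list and the type component of the source and target contexts."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: ' + line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['stype'] = rec['scontext'].split(':')[2]   # user:role:type:...
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def parse_rules(text):
    """Map (creator domain, parent type, class, name) to the type the
    kernel assigns when that domain creates that object."""
    return {(src, tgt, cls, name): new
            for src, tgt, cls, new, name in RULE_RE.findall(text)}


def label_on_create(rules, creator, parent_type, cls, name):
    """Type a newly created object receives: the matching type_transition
    if one exists, otherwise the parent directory's type (inheritance)."""
    return rules.get((creator, parent_type, cls, name), parent_type)


def context_type_from_ls(line):
    """Type component of the context column in `ls -lZ` output."""
    return line.split()[4].split(':')[2]


def triage(avc, rules, parent_type='device_t'):
    """('mislabeled', expected_type) when the target still has the generic
    parent type but some rule would have given it a specific type;
    otherwise ('policy', actual_type), i.e. a genuine policy gap to report."""
    expected = sorted({new for (_, tgt, cls, name), new in rules.items()
                       if tgt == parent_type and cls == avc['tclass']
                       and name == avc['name']})
    if expected and avc['ttype'] == parent_type:
        return ('mislabeled', expected[0])
    return ('policy', avc['ttype'])


def remediation(verdict, path):
    """Command a practitioner should run for the verdict."""
    kind, typ = verdict
    if kind == 'mislabeled':
        return 'restorecon -v %s   # relabels to %s; do not audit2allow' % (path, typ)
    return 'report the denial; audit2allow -M mypol only as a stopgap'


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    rules = parse_rules(RULES_TEXT)
    print('denied %s %s -> %s:%s' % (avc['perms'], avc['stype'], avc['ttype'], avc['tclass']))
    # A listed creator gets the specific label; an unlisted one (assumed
    # name) inherits device_t, which is exactly what comment 7 shows.
    print('udev_t creates:', label_on_create(rules, 'udev_t', 'device_t', 'chr_file', 'nvidiactl'))
    print('unlisted_t creates:', label_on_create(rules, 'unlisted_t', 'device_t', 'chr_file', 'nvidiactl'))
    print('on disk:', context_type_from_ls(LS_Z))
    print(remediation(triage(avc, rules), '/dev/nvidiactl'))
```

On a real host the same two inputs come from `ausearch -m AVC` and `sesearch -T -t device_t -c chr_file`; the point of the model is that any creator domain without a type_transition for the name leaves the node with the parent's generic label, which is the state comments 1 and 7 describe.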

Comment 9 Fedora End Of Life 2016-07-19 12:01:26 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.