Bug 1571373
Summary: | SELinux is preventing nvidia-modprobe from create access on the chr_file nvidiactl. | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Henry <chturne>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Priority: | unspecified
Version: | 27 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore, tovilyis
Hardware: | Unspecified | OS: | Unspecified
Fixed In Version: | selinux-policy-3.13.1-283.35.fc27 | Last Closed: | 2018-07-06 15:43:38 UTC
Type: | Bug | |

Forgot to mention, when I follow the first commands,

    $ sudo semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
    [sudo] password for henry:
    ValueError: Type SIMILAR_TYPE is invalid, must be a file or device type
    $ sudo restorecon -v 'nvidiactl'
    restorecon: lstat(/home/henry/nvidiactl) failed: No such file or directory

Doesn't make sense to me...

I feel this might be causing flatpak applications to fail somehow. If I try to run epiphany tech preview, it always fails to load a page with

    libEGL warning: DRI2: failed to authenticate

selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

My apologies for adding comments to a closed issue, but the problem has not been resolved in my case. I've had to downgrade 3.13.1-283.35.fc27 to 3.13.1-283.14.fc27 to recover my graphical desktop.

Created attachment 1426134: lspci log

Description of problem:

When I boot my laptop, I get an "SELinux" security alert.

    SELinux is preventing nvidia-modprobe from create access on the chr_file nvidiactl.

    ***** Plugin device (91.4 confidence) suggests ****************************

    If you want to allow nvidia-modprobe to have create access on the nvidiactl chr_file
    Then you need to change the label on nvidiactl to a type of a similar device.
    Do
    # semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
    # restorecon -v 'nvidiactl'

    ***** Plugin catchall (9.59 confidence) suggests **************************

    If you believe that nvidia-modprobe should be allowed create access on the nvidiactl chr_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'nvidia-modprobe' --raw | audit2allow -M my-nvidiamodprobe
    # semodule -X 300 -i my-nvidiamodprobe.pp

    Additional Information:
    Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:device_t:s0
    Target Objects                nvidiactl [ chr_file ]
    Source                        nvidia-modprobe
    Source Path                   nvidia-modprobe
    Port
    Host                          rollo
    Source RPM Packages
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     rollo
    Platform                      Linux rollo 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64
    Alert Count                   2
    First Seen                    2018-04-24 16:39:29 BST
    Last Seen                     2018-04-24 16:39:29 BST
    Local ID                      d13cb8aa-d83f-446e-9576-00019d368dd3

    Raw Audit Messages
    type=AVC msg=audit(1524584369.651:197): avc: denied { create } for pid=1693 comm="nvidia-modprobe" name="nvidiactl" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0

    Hash: nvidia-modprobe,xdm_t,device_t,chr_file,create

Version-Release number of selected component (if applicable):

I have followed the instructions,

    # ausearch -c 'nvidia-modprobe' --raw | audit2allow -M my-nvidiamodprobe
    # semodule -X 300 -i my-nvidiamodprobe.pp

several times, but each time I boot I keep getting a security exception. I don't understand much of the error message, can anyone help me solve this? I have a laptop with Intel & Nvidia graphics. I attached lspci to this report if it helps...

I don't know how to debug this. The other bug report I found said the Fedora version it was reported against is end of life; 27 isn't, though, which is what I run.
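
Added example, not part of the bug report or of selinux-policy: a small Python decoder for the raw AVC record quoted in the description, showing which source type, target type, object class and permission the denial names and the type-enforcement rule those fields correspond to. The function names (`parse_avc`, `te_rule`, `alert_key`) are illustrative, and the record is copied from the report.

```python
import re

# AVC record copied from the report above (whitespace as it appears on the page).
AVC = ('type=AVC msg=audit(1524584369.651:197): avc: denied { create } for pid=1693 '
       'comm="nvidia-modprobe" name="nvidiactl" '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')

def context_type(ctx):
    """Return the type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[2]

def parse_avc(line):
    """Split one AVC record into the fields that decide the policy question."""
    verdict = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if verdict is None:
        raise ValueError("not an AVC record")
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "result": verdict.group(1),
        "perms": verdict.group(2).split(),
        "comm": kv["comm"],
        "name": kv.get("name"),
        "source_type": context_type(kv["scontext"]),
        "target_type": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        # permissive=0 means the denial was enforced, not merely logged
        "enforced": kv.get("permissive") == "0",
    }

def te_rule(avc):
    """Type-enforcement rule this denial corresponds to, in policy syntax."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_text};"

def alert_key(avc):
    """Same fields, in the same order, as the alert's 'Hash:' line."""
    return ",".join([avc["comm"], avc["source_type"], avc["target_type"],
                     avc["tclass"], *avc["perms"]])

if __name__ == "__main__":
    print(te_rule(parse_avc(AVC)))
```

Read this way, the alert says a process in the display manager domain `xdm_t` was blocked (`permissive=0`) from creating a character device that would carry the generic `device_t` label. `SIMILAR_TYPE` in the alert's first suggestion is a placeholder for a real device type, not a literal value.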