Bug 1571373

Summary: SELinux is preventing nvidia-modprobe from create access on the chr_file nvidiactl.
Product: [Fedora] Fedora
Reporter: Henry <chturne>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, tovilyis
Fixed In Version: selinux-policy-3.13.1-283.35.fc27
Last Closed: 2018-07-06 15:43:38 UTC
Type: Bug
Attachments: lspci log

Description Henry 2018-04-24 15:48:34 UTC
Created attachment 1426134
lspci log

Description of problem:
When I boot my laptop, I get an "SELinux" security alert.

SELinux is preventing nvidia-modprobe from create access on the chr_file nvidiactl.

***** Plugin device (91.4 confidence) suggests ****************************

If you want to allow nvidia-modprobe to have create access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that nvidia-modprobe should be allowed create access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nvidia-modprobe' --raw | audit2allow -M my-nvidiamodprobe
# semodule -X 300 -i my-nvidiamodprobe.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:device_t:s0
Target Objects nvidiactl [ chr_file ]
Source nvidia-modprobe
Source Path nvidia-modprobe
Port
Host rollo
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rollo
Platform Linux rollo 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr
12 18:19:17 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-04-24 16:39:29 BST
Last Seen 2018-04-24 16:39:29 BST
Local ID d13cb8aa-d83f-446e-9576-00019d368dd3

Raw Audit Messages
type=AVC msg=audit(1524584369.651:197): avc: denied { create } for pid=1693 comm="nvidia-modprobe" name="nvidiactl" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Hash: nvidia-modprobe,xdm_t,device_t,chr_file,create


Version-Release number of selected component (if applicable):



I have followed the instructions,

# ausearch -c 'nvidia-modprobe' --raw | audit2allow -M my-nvidiamodprobe
# semodule -X 300 -i my-nvidiamodprobe.pp

Several times, but each time I boot I keep getting a security exception.

I don't understand much of the error message; can anyone help me solve this? I have a laptop with Intel & Nvidia graphics. I attached lspci to this report in case it helps. I don't know how to debug this. The other bug report I found said the Fedora version it was reported against is end of life; 27 isn't, though, which is what I run.
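Added example, not part of the original report or of setroubleshoot: a small parser that breaks the raw AVC record quoted above into its fields and rebuilds the tuple shown on the report's `Hash:` line, which is the quickest way to see which source domain, target type, class and permission a policy fix has to cover. The helper names (`parse_avc`, `signature`, `enforced`) are hypothetical; the record is copied from the description.

```python
import re
import shlex

# The raw audit record quoted in the report above.
RECORD = ('type=AVC msg=audit(1524584369.651:197): avc: denied { create } for '
          'pid=1693 comm="nvidia-modprobe" name="nvidiactl" '
          'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')


def context_type(context):
    """Return the type field of a user:role:type:level context."""
    # The level can contain colons (s0-s0:c0.c1023), so split at most 3 times.
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC record into a dict; raise ValueError on anything else."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    # shlex strips the quotes from values such as comm="nvidia-modprobe".
    fields = dict(t.split('=', 1) for t in shlex.split(m.group(3)) if '=' in t)
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError('missing %s' % key)
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    fields['source_type'] = context_type(fields['scontext'])
    fields['target_type'] = context_type(fields['tcontext'])
    return fields


def signature(avc):
    """Same field order as the report's Hash: line; several permissions are
    space-joined, which is a choice made for this example."""
    return ','.join([avc.get('comm', '?'), avc['source_type'],
                     avc['target_type'], avc['tclass'], ' '.join(avc['perms'])])


def enforced(avc):
    """permissive=0 on a denial means the access was blocked, not only logged."""
    return avc['result'] == 'denied' and avc.get('permissive') == '0'
```
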

Comment 1 Henry 2018-04-24 15:50:18 UTC
Forgot to mention, when I follow the first commands,

$ sudo semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
[sudo] password for henry: 
ValueError: Type SIMILAR_TYPE is invalid, must be a file or device type
$ sudo restorecon -v 'nvidiactl'
restorecon: lstat(/home/henry/nvidiactl) failed: No such file or directory

Doesn't make sense to me...

Comment 2 Henry 2018-04-24 16:27:36 UTC
I feel this might be causing flatpak applications to fail somehow. If I try to run epiphany tech preview, it always fails to load a page with

libEGL warning: DRI2: failed to authenticate

Comment 3 Fedora Update System 2018-05-28 07:41:18 UTC
selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 4 Fedora Update System 2018-05-28 14:24:26 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 5 Fedora Update System 2018-07-06 15:43:38 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Bernard 2018-07-17 21:00:25 UTC
My apologies for adding comments to a closed issue, but the problem has not been resolved in my case. I've had to downgrade 3.13.1-283.35.fc27 to 3.13.1-283.14.fc27 to recover my graphical desktop.