Bug 595092
Summary: | SELinux is denying /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23 "read write" access on nvidiactl | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Felipe Hommen <felibank> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 13 | CC: | bugzilla, dlstripes-fedorabugs, dwalsh, gilboad, mgrepl, mickey.mouse-1985, misek, vitor.dominor |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:53e64719e0c46f8d69073ccfc15ae012eb8cd4d3e350b3c5f7d442548627bd46 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-28 06:12:45 UTC | Type: | --- |
Description
Felipe Hommen
2010-05-23 10:23:07 UTC
*** Bug 595090 has been marked as a duplicate of this bug. ***

*** Bug 596573 has been marked as a duplicate of this bug. ***

This appears to not be restricted to the Einstein project client. I have never run the Einstein project and am seeing this issue with "read write" and "open" on nvidiactl. I'm seeing it on seti@home BOINC project on multiple F13/x86_64 machines. (rpmfusion nVidia proprietary drivers)

It seems that if you're using a recent project binary coupled with nvidia hardware and proprietary driver, it'll automatically attempt to enable CUDA processing. However, as the open source driver does not support CUDA, I doubt that this is a Fedora-proper issue. (Problem is - it's not an rpmfusion issue either...)

- Gilboa

This is fixed in the latest selinux-policy.

The problem reappeared in Fedora 14 Alpha.

I also see this issue with the latest boinc client, on Fedora 13, even though I updated to selinux policy version 3.7.19-62.fc13 (updates-testing), in order to solve other selinux policy bugs. I still get these raw avcs among others (related to the project cosmology@home):

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { read write } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { open } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=SYSCALL msg=audit(1285712657.647:32929): arch=c000003e syscall=2 success=yes exit=6 a0=7fffa8e340d0 a1=2 a2=7fffa8e340de a3=0 items=0 ppid=1 pid=5012 auid=500 uid=491 gid=476 euid=491 suid=491 fsuid=491 egid=476 sgid=476 fsgid=476 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)

I have already tried to do restorecon -v /dev/nvidia* and semanage fcontext -m -t xserver_misc_device_t "/dev/nvidia*" (in an attempt to make the change more permanent). By using system-config-selinux, I verified this change to the policy is inserted and I also verified that there is already by default a file context labelling xserver_misc_device_t:s0 to /dev/nvidia.*. However, after restart the two files /dev/nvidia0 and /dev/nvidiactl are relabelled to device_t:s0.

Then that is either a bug in udev or the kernel module that creates the device. udev is supposed to make sure files in /dev are labelled correctly.
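
The triage step the thread arrives at, as an added example that is not part of the original bug report or of any SELinux tooling: it parses the AVC records quoted above, merges the denials that share one audit event, and flags a device node whose target type is still the generic device_t. The function names and the `mislabelled` heuristic are assumptions made for this illustration.

```python
import re

# Sample input: the two AVC records quoted in the thread (one audit event).
SAMPLE = """\
node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { read write } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { open } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_DEV_TYPE = "device_t"          # generic type for nodes under /dev
DEVICE_CLASSES = {"chr_file", "blk_file"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize(text):
    """Merge denials per audit event and flag generic-labelled device nodes."""
    events = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["serial"], rec["name"], rec["scontext"], rec["tcontext"])
        ev = events.setdefault(key, {
            "name": rec["name"], "perms": set(),
            "source_type": selinux_type(rec["scontext"]),
            "target_type": selinux_type(rec["tcontext"]),
            # Assumption (the thread's diagnosis): device_t on a device node
            # means the node was never relabelled, not that a rule is missing.
            "mislabelled": rec["tclass"] in DEVICE_CLASSES
                           and selinux_type(rec["tcontext"]) == GENERIC_DEV_TYPE,
        })
        ev["perms"] |= rec["perms"]
    return list(events.values())
```

A record whose target type is already xserver_misc_device_t is reported with `mislabelled` set to False, which separates a labelling failure from a denial that needs a policy change.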