Bug 729451

Summary: Restorecond isn't allowed to relabel to xserver_misc_device_t
Product: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Göran Uddeborg <goeran>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
Docs Contact:
CC: dwalsh
Target Milestone: ---
Target Release: ---
Whiteboard:
Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-06 00:01:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Göran Uddeborg 2011-08-09 18:59:52 UTC
Description of problem:
The proprietary Nvidia graphics drivers create the device files /dev/nvidiactl and /dev/nvidia0 in some way that gives them an incorrect SELinux context.  Since these drivers are proprietary, we can't fix the bug at the source.  As a workaround, Miroslav Grepl suggested in bug 694918, comment 1, to let restorecond take care of it.

It seems, however, that restorecond isn't allowed to do that.  When I try it I get an AVC about it not being allowed to "relabelto" that context.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-35.fc15.noarch

How reproducible:
Every time

Steps to Reproduce:
Assuming a machine with the proprietary Nvidia drivers:
1. Add /dev/nvidiactl and /dev/nvidia0 to /etc/selinux/restorecond.conf
2. Reboot

Actual results:
The devices are not relabeled but remain device_t and this AVC is reported:

type=AVC msg=audit(1312575006.803:33): avc:  denied  { relabelto } for  pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file


Expected results:
The devices should be relabeled by restorecond.
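
The AVC record quoted above is the whole evidence for this bug: the source type (restorecond_t), the target type (xserver_misc_device_t), the object class (chr_file) and the denied permission (relabelto) together name exactly the rule the policy was missing. The script below is an added example, not part of this bug report or of the selinux-policy package; it parses AVC denial lines of this shape into those fields and prints the minimal type-enforcement allow rule that would cover each denial, which is what a maintainer would compare against the policy before deciding whether the label or the policy is wrong. The sample lines are constructed for the example (the first is the record from this report; the second is an invented "granted" record to show filtering); the regular expressions assume the field order produced by the kernel audit subsystem.

```python
import re

# Constructed sample input: the AVC line from this report, plus an invented
# 'granted' record that must be ignored, and a non-AVC line.
SAMPLE_LOG = [
    'type=AVC msg=audit(1312575006.803:33): avc:  denied  { relabelto } for  pid=905 '
    'comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 '
    'scontext=system_u:system_r:restorecond_t:s0 '
    'tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1312575006.900:34): avc:  granted  { read } for  pid=906 '
    'comm="restorecond" name="restorecond.conf" '
    'scontext=system_u:system_r:restorecond_t:s0 '
    'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1312575006.803:33): arch=c000003e syscall=188 success=no',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." -- the permission set is
# brace-delimited; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# Values are either a double-quoted string (comm, name) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing the AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
    }
    # A context is user:role:type[:level]; only the type matters for a TE rule.
    rec['stype'] = fields['scontext'].split(':')[2]
    rec['ttype'] = fields['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Minimal allow rule covering a single denial (the rule audit2allow would print)."""
    if rec is None or rec['decision'] != 'denied':
        return None
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_text)


def missing_rules(lines):
    """Deduplicated, sorted list of allow rules implied by the denials in `lines`."""
    rules = set()
    for line in lines:
        rule = allow_rule(parse_avc(line))
        if rule:
            rules.add(rule)
    return sorted(rules)


if __name__ == '__main__':
    for rule in missing_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample it prints `allow restorecond_t xserver_misc_device_t:chr_file relabelto;`, the rule that was missing in selinux-policy-targeted-3.9.16-35.fc15. That rule is the narrowest fix, but it is not automatically the right one: a denial on relabelto says the labeling the daemon is asked to apply is not one the policy expects it to produce, so the reviewer's first question is whether the file's target type in file_contexts is correct, and only then whether the domain should be allowed to set it.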

Comment 1 Miroslav Grepl 2011-08-10 06:37:18 UTC
Fixed in selinux-policy-3.9.16-38.fc15

Comment 2 Fedora Update System 2011-09-08 08:11:10 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 3 Fedora Update System 2011-09-09 05:27:30 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 4 Göran Uddeborg 2011-09-19 17:37:47 UTC
My machine with Nvidia graphics hardware is using selinux policy 3.10.0-28.fc16 from the F16 alpha now, so I can't easily verify the F15 update.

It does seem, however, that this fix didn't make it into the F16 policy.  Do you want a separate bugzilla about that?  Or do you handle it within this one?

Comment 5 Miroslav Grepl 2011-09-20 11:38:01 UTC
It should be fixed by file name transition in Fedora 16.

Comment 6 Göran Uddeborg 2011-09-20 13:42:17 UTC
Is there something more than just a recent selinux-policy needed for file name transitions to work?  I removed the /dev/nvidia* entries from restorecond.conf, and the additional relabelto permission from a local policy module.

Now the /dev/nvidia* files are back to device_t again.

Since rpmfusion hasn't started packaging nvidia drivers for F16 yet, I'm still running a 2.6.40.3 kernel from F15, and the matching nvidia packages.  Would that prevent this from working?  Or is there a remaining bug for F16 here?

selinux-policy-targeted-3.10.0-28.fc16.noarch
kernel-2.6.40.3-0.fc15.x86_64
kmod-nvidia-2.6.40.3-0.fc15.x86_64-280.13-2.fc15.1.x86_64

Comment 7 Miroslav Grepl 2011-09-20 15:08:22 UTC
Well, you need to be on Fedora 16 with F16 pkgs to get this feature.

Comment 8 Göran Uddeborg 2011-09-20 15:15:41 UTC
I see.  I thought the F16 packages would have worked on a slightly older kernel too.  But then I'll try again when I can upgrade to an F16 kernel.

Comment 9 Fedora Update System 2011-10-06 00:01:17 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.