Bug 732221

Summary: Please add /dev/nvidia0 and /dev/nvidiactl to /etc/selinux/restorecond.conf for nvidia user
Product: Fedora
Component: policycoreutils
Version: 16
Status: CLOSED DUPLICATE
Reporter: sangu <sangu.fedora>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, eparis, mgrepl, vshebordaev
Severity: high
Priority: unspecified
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-07 22:58:57 UTC

Description sangu 2011-08-21 00:16:28 UTC
Description of problem:
Please add /dev/nvidia0 and /dev/nvidiactl to /etc/selinux/restorecond.conf for nvidia vga user.

# matchpathcon /dev/nvidia0
/dev/nvidia0	system_u:object_r:xserver_misc_device_t:s0
# ls -Z /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidia0
# restorecon  -R -v /dev/nvidia0
restorecon reset /dev/nvidia0 context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0

# matchpathcon /dev/nvidiactl 
/dev/nvidiactl	system_u:object_r:xserver_misc_device_t:s0
# ls -Z /dev/nvidiactl 
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidiactl
# restorecon  -R -v /dev/nvidiactl 
restorecon reset /dev/nvidiactl context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0

Bug 94918, comment 1 is a difficult task for an end user to resolve the issue.

Version-Release number of selected component (if applicable):
2.0.86


How reproducible:
always

Additional info:
See bug 94918 comment 1
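
As an added example (not part of the bug report), a small Python check that spots the label mismatch shown above: it parses `ls -Z` and `matchpathcon` output and lists the device nodes whose actual SELinux type differs from the one the policy expects, then emits the matching restorecond.conf lines. The sample output is constructed to mirror the report, not captured live.

```python
"""Compare the SELinux label a device node actually carries (``ls -Z``)
with the label the policy says it should have (``matchpathcon``) and
report mismatches such as device_t vs xserver_misc_device_t."""

# Constructed sample output, mirroring the bug report (not captured live).
LS_Z_OUTPUT = """\
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidiactl
crw-rw-rw-. root root system_u:object_r:null_device_t:s0    /dev/null
"""
MATCHPATHCON_OUTPUT = """\
/dev/nvidia0\tsystem_u:object_r:xserver_misc_device_t:s0
/dev/nvidiactl\tsystem_u:object_r:xserver_misc_device_t:s0
/dev/null\tsystem_u:object_r:null_device_t:s0
"""


def parse_ls_z(text):
    """Map path -> context from ``ls -Z`` lines (mode, user, group, context, path)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        result[fields[-1]] = fields[3]
    return result


def parse_matchpathcon(text):
    """Map path -> expected context from ``matchpathcon`` lines (path<TAB>context)."""
    result = {}
    for line in text.splitlines():
        parts = line.split("\t", 1)
        if len(parts) == 2:
            result[parts[0].strip()] = parts[1].strip()
    return result


def label_mismatches(ls_z_text, matchpathcon_text):
    """Return {path: (actual_type, expected_type)} for nodes whose type differs."""
    actual = parse_ls_z(ls_z_text)
    expected = parse_matchpathcon(matchpathcon_text)
    mismatches = {}
    for path, want in expected.items():
        have = actual.get(path)
        if have is None:
            continue  # node not present in the ls -Z listing
        # Compare only the type field (third colon-separated component).
        have_type, want_type = have.split(":")[2], want.split(":")[2]
        if have_type != want_type:
            mismatches[path] = (have_type, want_type)
    return mismatches


def restorecond_entries(mismatches):
    """One path per line, the format /etc/selinux/restorecond.conf uses."""
    return sorted(mismatches)
```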

Comment 1 sangu 2011-08-21 00:55:27 UTC
Sorry, my mistake.

bug 694918, comment 1

Comment 2 Miroslav Grepl 2011-08-22 11:43:10 UTC
Well it should work in F16 without restorecond.

What does

# rpm -q selinux-policy

show?

Comment 3 sangu 2011-08-22 12:00:38 UTC
(In reply to comment #2)
> Well it should work in F16 without restorecond.
> 
> what does
> 
> # rpm -q selinux-policy
> 
> show

$ rpm -q selinux-policy
selinux-policy-3.10.0-18.fc16.noarch

Comment 4 Miroslav Grepl 2011-08-22 12:40:57 UTC
And you end up with /dev/nvidia0 labeled as device_t always? This is strange.

Comment 5 Daniel Walsh 2011-08-22 16:13:17 UTC
What process is creating these devices?

Comment 6 Eric Paris 2011-08-22 16:21:38 UTC
Maybe one could determine what is creating these files by adding the following line to /etc/audit/audit.rules:

-a exit,always -F path=/dev/nvidiactl -F perm=rwxa

Make sure audit is enabled and reboot. Attach /var/log/audit/audit.log and hopefully we can see what is creating it.

Comment 7 Vladimir Shebordaev 2011-11-07 22:06:34 UTC
(In reply to comment #5)
> What process is creating these devices?

Well, I guess it is their Xorg server module that creates those /dev entries via inotify(), as long as their kernel module does nothing special but register_chrdev(), completely bypassing the kobject infrastructure. So, it seems that a proper restorecond configuration is currently the only way to set the correct security labels.

Comment 8 Vladimir Shebordaev 2011-11-07 22:14:52 UTC
I also confirm that as of 07-NOV-11 this nasty bug persists in Fedora 16.

Comment 9 Eric Paris 2011-11-07 22:58:57 UTC
Closing as a dup, fixed in selinux-policy-3.10.0-52.fc16.noarch.

*** This bug has been marked as a duplicate of bug 748069 ***