Bug 751194

Summary: SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from ioctl access on the chr_file /dev/nvidiactl
Product: [Fedora] Fedora
Reporter: cornel panceac <cpanceac>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, igeorgex, mgrepl
Fixed In Version: selinux-policy-3.10.0-55.fc16
Doc Type: Bug Fix
Last Closed: 2011-11-10 17:30:48 UTC

Description cornel panceac 2011-11-03 20:01:28 UTC
Description of problem:
gdm is no longer starting because selinux prevents gnome-session-check-accelerated-helper from accessing /dev/nvidiactl

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-46.fc16.noarch

How reproducible:
always

Additional info:
putting selinux in permissive mode allows gdm to start

# grep gnome-session-c /var/log/audit/audit.log

type=AVC msg=audit(1320360668.316:60): avc:  denied  { ioctl } for  pid=1339 comm="gnome-session-c" path="/dev/nvidiactl" dev=devtmpfs ino=20568 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320360668.316:60): arch=40000003 syscall=54 success=yes exit=0 a0=4 a1=c04846d2 a2=bff6ac08 a3=c04846d2 items=0 ppid=1338 pid=1339 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-session-c" exe="/usr/libexec/gnome-session-check-accelerated-helper" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Miroslav Grepl 2011-11-04 11:31:35 UTC
This is fixed in selinux-policy-3.10.0-52.fc16

But we also need you to update to the latest libsepol.

libsepol-2.1.3-2.fc16


You can download packages from koji for now 

http://koji.fedoraproject.org/koji/

Comment 2 cornel panceac 2011-11-05 05:49:57 UTC
Unfortunately the update requires updated selinux-policy-targeted, which I didn't find in either koji or the updates-testing repo.

Comment 4 Fedora Update System 2011-11-08 14:06:10 UTC
selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16

Comment 5 Fedora Update System 2011-11-10 17:30:48 UTC
selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.