Bug 752754

Summary: Wrong security context type for /dev/ati/card0 caused gdm crash with fglrx driver
Product: [Fedora] Fedora
Reporter: jammy.zhou
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-23 22:50:00 UTC

Description jammy.zhou 2011-11-10 10:23:23 UTC
Description of problem:
For the AMD fglrx driver, the GPU device node is /dev/ati/card*. But with the SELinux policy on Fedora 16, the security context type for "/dev/ati/card*" is device_t, which should be dri_device_t instead, similar to "/dev/radeon". gdm then crashed because it had no permission to open this dri device.

Version-Release number of selected component (if applicable):
26

How reproducible:
Every time

Steps to Reproduce:
1. Install the latest fglrx driver that supports Xserver 1.11
2. Reboot the system to graphics mode
Actual results:
The greeter UI didn't show up

Expected results:
The greeter UI should show normally for the user to log in

Additional info:

Comment 1 Miroslav Grepl 2011-11-10 11:31:34 UTC
Execute

# restorecon -R -v /dev/ati/card*

should fix it. Try updating to the latest policy:

# yum update selinux-policy-targeted --enablerepo=updates-testing


If you see this issue again, please reopen the bug.

Comment 2 jammy.zhou 2011-11-11 01:27:09 UTC
Forgot to mention that the device node /dev/ati/card* is created at runtime when the X server starts. Is there any method to change the context type when creating the node with mknod?

After updating the SELinux policy, the problem is still there. Running "matchpathcon /dev/ati/card0", I got the result below:
/dev/ati/card0 system_u:object_r:device_t:s0

The gdm crash problem with fglrx is caused by the display manager being started by /etc/X11/prefdm (with the initrc_exec_t security context type). It seems that initrc_exec_t has no permission to access a device_t type device node. If I change prefdm to bin_t or change /dev/ati/card0 to dri_device_t, the problem doesn't happen. I think this problem can be solved from the SELinux policy side.
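
Added example, not part of the bug report or of selinux-policy: a simplified Python model of file-context lookup that shows why "matchpathcon /dev/ati/card0" falls through to device_t when no entry covers /dev/ati, and how a dedicated entry changes the result. The entry list, the longest-literal-prefix rule and the /dev/ati/card.* pattern are assumptions made for illustration.

```python
import re

# Constructed, simplified entries: (path regex, file type or None, SELinux type).
# They mirror the situation in the report, not any real selinux-policy release.
FILE_CONTEXTS = [
    (r"/dev/.*", None, "device_t"),          # generic fallback for /dev
    (r"/dev/radeon", "c", "dri_device_t"),   # character device only
    (r"/dev/dri/.+", "c", "dri_device_t"),
]

# Hypothetical extra entry of the kind the reporter asks for.
FIXED_CONTEXTS = FILE_CONTEXTS + [(r"/dev/ati/card.*", "c", "dri_device_t")]

REGEX_META = set(".^$?*+|[({\\")


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in REGEX_META:
            return i
    return len(pattern)


def lookup(path, ftype, entries):
    """Return the type of the most specific entry matching path and file type.

    Assumption: "most specific" is modelled as the longest literal prefix.
    The real libselinux ordering has more rules than this.
    """
    best = None
    for pattern, want_ftype, setype in entries:
        if want_ftype is not None and want_ftype != ftype:
            continue  # entry restricted to another file type
        if re.fullmatch(pattern, path) is None:
            continue
        key = stem_len(pattern)
        if best is None or key > best[0]:
            best = (key, setype)
    return best[1] if best else None


if __name__ == "__main__":
    for name, entries in (("before", FILE_CONTEXTS), ("after", FIXED_CONTEXTS)):
        for path in ("/dev/ati/card0", "/dev/radeon", "/dev/dri/card0"):
            print(name, path, lookup(path, "c", entries))
```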

Comment 3 Daniel Walsh 2011-11-11 15:40:49 UTC
Miroslav

f9ba2da4a6449f14aaf13dca0335d33e254ad52a should fix this.