Bug 1130595 - SELinux is preventing gnome-session-c from 'getattr' accesses on the chr_file /dev/nvidiactl.
Summary: SELinux is preventing gnome-session-c from 'getattr' accesses on the chr_file...
Keywords:
Status: CLOSED DUPLICATE of bug 1130596
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d834ebc58c4950d00b8feb58c44...
Depends On:
Blocks:
Reported: 2014-08-15 15:44 UTC by Stefan Ringel
Modified: 2014-08-15 16:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-15 16:04:32 UTC



Description Stefan Ringel 2014-08-15 15:44:08 UTC
Description of problem:
SELinux is preventing gnome-session-c from 'getattr' accesses on the chr_file /dev/nvidiactl.

*****  Plugin restorecon (90.5 confidence) suggests   ************************

If you want to fix the label.
/dev/nvidiactl default label should be xserver_misc_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/nvidiactl

*****  Plugin device (9.50 confidence) suggests   ****************************

If you want to allow gnome-session-c to have getattr access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a similar device
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

*****  Plugin catchall (1.40 confidence) suggests   **************************

If you believe that gnome-session-c should be allowed getattr access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing the following commands:
# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        gnome-session-c
Source Path                   gnome-session-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-72.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-1.fc22.x86_64 #1 SMP Mon
                              Aug 4 10:01:23 UTC 2014 x86_64 x86_64
Alert Count                   72
First Seen                    2014-08-09 23:15:36 CEST
Last Seen                     2014-08-15 14:31:11 CEST
Local ID                      fd54444e-77dc-44c8-b7a9-4b3aceeb6b38

Raw Audit Messages
type=AVC msg=audit(1408105871.775:387): avc:  denied  { getattr } for  pid=1370 comm="nvidia-modprobe" path="/dev/nvidiactl" dev="devtmpfs" ino=18366 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Hash: gnome-session-c,xdm_t,device_t,chr_file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-72.fc22.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-1.fc22.x86_64
type:           libreport

Potential duplicate: bug 706667

Comment 1 Daniel Walsh 2014-08-15 16:04:32 UTC

*** This bug has been marked as a duplicate of bug 1130596 ***

