Bug 1130596 - SELinux is preventing gnome-session-c from read, write access on the chr_file nvidiactl.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7095cb86daa476d5032c402a1fd...
Duplicates: 1130519 1130522 1130595
Depends On:
Blocks:
 
Reported: 2014-08-15 15:45 UTC by Stefan Ringel
Modified: 2016-07-19 12:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 12:01:26 UTC



Description Stefan Ringel 2014-08-15 15:45:49 UTC
Description of problem:
SELinux is preventing gnome-session-c from read, write access on the chr_file nvidiactl.

*****  Plugin device (91.4 confidence) suggests   ****************************

If you want to allow gnome-session-c to have read write access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that gnome-session-c should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        gnome-session-c
Source Path                   gnome-session-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-72.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-1.fc22.x86_64 #1 SMP Mon
                              Aug 4 10:01:23 UTC 2014 x86_64 x86_64
Alert Count                   36
First Seen                    2014-08-09 23:15:36 CEST
Last Seen                     2014-08-15 14:31:11 CEST
Local ID                      ce470f75-9afb-4b42-89b9-188026049c85

Raw Audit Messages
type=AVC msg=audit(1408105871.775:388): avc:  denied  { read write } for  pid=1345 comm="gnome-shell" name="nvidiactl" dev="devtmpfs" ino=18366 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Hash: gnome-session-c,xdm_t,device_t,chr_file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-72.fc22.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-1.fc22.x86_64
type:           libreport

Potential duplicate: bug 694918

Comment 1 Daniel Walsh 2014-08-15 16:04:08 UTC
ls -lZ  /dev/nvidiactl


Whatever created this device, it created it with the wrong label.

type_transition puppetagent_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition udev_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition kernel_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition authconfig_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition init_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition unconfined_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition sysadm_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition xserver_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition rpm_script_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition pegasus_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 
type_transition neutron_t device_t : chr_file xserver_misc_device_t "nvidiactl"; 

Looks like we have lots of domains set up to create this device with the correct label.

Comment 2 Daniel Walsh 2014-08-15 16:04:32 UTC
*** Bug 1130595 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2014-08-15 16:07:04 UTC
*** Bug 1130519 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2014-08-15 16:07:08 UTC
*** Bug 1130522 has been marked as a duplicate of this bug. ***

Comment 5 Jaroslav Reznik 2015-03-03 16:12:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 6 Pavel Malyshev 2015-07-01 15:09:55 UTC
Just faced the issue with Fedora 22

Comment 7 Pavel Malyshev 2015-07-01 15:11:27 UTC
$ LANG=C ls -lZ /dev/nvidiactl
crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 195, 255 Jul  1 18:01 /dev/nvidiactl

Comment 8 Pavel Malyshev 2015-07-01 15:16:09 UTC
Workaround, just for reference:
$ sudo restorecon -r -vv /dev/nvidiactl
$ sudo restorecon -r -vv /dev/nvidia0

Expected labels:
$ LANG=C ls -lZ /dev/nvidia*
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195,   0 Jul  1 18:01 /dev/nvidia0
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 255 Jul  1 18:01 /dev/nvidiactl
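
Comment 1 makes the point that this denial comes from a wrong label rather than a missing rule, and Comment 8 gives the label the policy expects (xserver_misc_device_t) and the restorecon workaround that restores it. The following is an added example, not part of the bug report or of selinux-policy: it parses the AVC record from the Raw Audit Messages above, compares the target type against the label the policy expects for that node, and reports whether the right fix is relabeling or a policy change. The EXPECTED_TYPES table and the second AVC line (a variant with the correct label already applied) are constructed for the example.

```python
import re
import shlex

# The AVC denial exactly as pasted in the report above (Raw Audit Messages).
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1408105871.775:388): avc:  denied  { read write } for  pid=1345 '
    'comm="gnome-shell" name="nvidiactl" dev="devtmpfs" ino=18366 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0'
)

# Constructed variant (not from the page): the same denial, but the node
# already carries the expected label, so relabeling would not help.
AVC_CONSTRUCTED_CORRECT_LABEL = AVC_FROM_REPORT.replace(
    "tcontext=system_u:object_r:device_t:s0",
    "tcontext=system_u:object_r:xserver_misc_device_t:s0",
)

# Labels the policy expects for these nodes, taken from Comment 8 (the
# type_transition rules in Comment 1 name the same type). Constructed table.
EXPECTED_TYPES = {
    "nvidiactl": "xserver_misc_device_t",
    "nvidia0": "xserver_misc_device_t",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)


def selinux_type(context):
    """Return the type field (third component) of a security context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    # shlex handles the quoted values (comm="gnome-shell") and drops the quotes.
    for token in shlex.split(m.group("rest")):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "permissive": fields.get("permissive") == "1",
    }


def triage(avc, expected_types=EXPECTED_TYPES):
    """Decide whether a denial looks like a mislabeled object or a missing rule.

    Returns (verdict, recommended_action).
    """
    expected = expected_types.get(avc["name"])
    if expected is None:
        return ("unknown", "no expected label recorded for %r" % avc["name"])
    if avc["target_type"] != expected:
        # The object carries a different type than policy expects: fix the
        # label instead of writing an allow rule against the wrong type.
        return (
            "mislabel",
            "restorecon -v /dev/%s  (expected %s, found %s)"
            % (avc["name"], expected, avc["target_type"]),
        )
    # Label is right but access is still denied: that is a policy question.
    return (
        "policy_gap",
        "label correct; report against selinux-policy or build a local module with audit2allow",
    )


if __name__ == "__main__":
    for line in (AVC_FROM_REPORT, AVC_CONSTRUCTED_CORRECT_LABEL):
        parsed = parse_avc(line)
        print(parsed["source_type"], "->", parsed["target_type"], triage(parsed))
```

The distinction matters for the catchall suggestion in the description: feeding this denial to audit2allow would produce a rule allowing xdm_t read and write on device_t, the generic type that any unlabeled device node carries, which is far broader than restoring the label on the two nvidia nodes.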

Comment 9 Fedora End Of Life 2016-07-19 12:01:26 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

