Bug 1287288 - SELinux is preventing cinnamon from read, write access on the chr_file nvidiactl.
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:01def96530b28b1702953633570...
Reported: 2015-12-01 16:51 EST by Garrett Holmstrom
Modified: 2016-07-19 14:33 EDT

Doc Type: Bug Fix
Last Closed: 2016-07-19 14:33:14 EDT


Description Garrett Holmstrom 2015-12-01 16:51:18 EST
Description of problem:
This happened at login when I rebooted after installing version 358.16 of nvidia.  This forces cinnamon into fallback mode.
SELinux is preventing cinnamon from read, write access on the chr_file nvidiactl.

*****  Plugin device (91.4 confidence) suggests   ****************************

If you want to allow cinnamon to have read write access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that cinnamon should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cinnamon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        cinnamon
Source Path                   cinnamon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.18.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-200.fc22.x86_64 #1 SMP Tue
                              Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   11
First Seen                    2015-11-25 15:52:59 PST
Last Seen                     2015-12-01 13:43:49 PST
Local ID                      54c7f84c-baae-4fc1-ba14-10290dabcdcf

Raw Audit Messages
type=AVC msg=audit(1449006229.32:631): avc:  denied  { read write } for  pid=2465 comm="cinnamon" name="nvidiactl" dev="devtmpfs" ino=18142 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Hash: cinnamon,staff_t,device_t,chr_file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 1199367
Comment 1 Miroslav Grepl 2016-01-21 10:34:00 EST
How is /dev/nvidiactl labeled now?

ls -Z /dev/nvidiactl
Comment 2 Garrett Holmstrom 2016-02-15 01:04:21 EST
Oops, sorry for the delay.  Everything nvidia-related is xserver_misc_device_t.

crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195,   0 Dec 22 16:36 /dev/nvidia0
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 255 Dec 22 16:36 /dev/nvidiactl
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 254 Dec 22 16:36 /dev/nvidia-modeset
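
Added example, not part of the original bug report or of selinux-policy: a small Python parser for the raw AVC record in the description that also reads the `ls -Z` line from comment 2 and reports whether the target type recorded at denial time differs from the label observed later. The function names are hypothetical; both input strings are copied from this page.

```python
import re

# Both inputs are copied verbatim from this bug report.
AVC = ('type=AVC msg=audit(1449006229.32:631): avc:  denied  { read write } for  '
       'pid=2465 comm="cinnamon" name="nvidiactl" dev="devtmpfs" ino=18142 '
       'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')
LS_Z = ('crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 '
        '195, 255 Dec 22 16:36 /dev/nvidiactl')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':'."""
    user, role, setype, mls = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'range': mls}


def parse_avc(line):
    """Turn one raw AVC audit record into a dict of its decision fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {'result': result, 'perms': perms.split(),
            'comm': fields.get('comm'), 'name': fields.get('name'),
            'tclass': fields.get('tclass'),
            'source': split_context(fields['scontext']),
            'target': split_context(fields['tcontext']),
            'enforced': fields.get('permissive') == '0'}


def label_from_ls_z(line):
    """Return (path, context) from one long-format `ls -Z` line."""
    tokens = line.split()
    ctx = next(t for t in tokens if t.count(':') >= 3)
    return tokens[-1], split_context(ctx)


def label_drift(avc, ls_line):
    """Return (type at denial, type seen later) if they differ, else None."""
    path, ctx = label_from_ls_z(ls_line)
    if not path.endswith('/' + avc['name']):
        raise ValueError('ls -Z line is for a different object')
    then, now = avc['target']['type'], ctx['type']
    return None if then == now else (then, now)
```
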
Comment 3 Fedora End Of Life 2016-07-19 14:33:14 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
