Bug 1581790 - SELinux is preventing gnome-session-c from 'map' accesses on the chr_file /dev/nvidiactl.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:856a72d8120a82e02d32d975287...
Reported: 2018-05-23 15:48 UTC by Charles Barto
Modified: 2018-05-26 21:40 UTC

Fixed In Version: selinux-policy-3.14.1-29.fc28
Last Closed: 2018-05-26 20:45:43 UTC

Description Charles Barto 2018-05-23 15:48:33 UTC
Description of problem:
Just updated my system, looks like maybe a policy update or gnome shell update.
SELinux is preventing gnome-session-c from 'map' accesses on the chr_file /dev/nvidiactl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-session-c should be allowed map access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-session-c' --raw | audit2allow -M my-gnomesessionc
# semodule -X 300 -i my-gnomesessionc.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        gnome-session-c
Source Path                   gnome-session-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-25.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.16.10-300.fc28.x86_64 #1 SMP Mon
                              May 21 14:41:48 UTC 2018 x86_64 x86_64
Alert Count                   31
First Seen                    2018-05-23 11:28:53 EDT
Last Seen                     2018-05-23 11:43:45 EDT
Local ID                      75b88966-a219-4879-80c2-33607bb7315f

Raw Audit Messages
type=AVC msg=audit(1527090225.505:324): avc:  denied  { map } for  pid=8137 comm="gnome-shell" path="/dev/nvidiactl" dev="devtmpfs" ino=31707 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=1


Hash: gnome-session-c,xdm_t,xserver_misc_device_t,chr_file,map

Version-Release number of selected component:
selinux-policy-3.14.1-25.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.10-300.fc28.x86_64
type:           libreport

Comment 1 Stephen Tweedie 2018-05-24 10:52:04 UTC
I'm also seeing this on the same selinux policy version (selinux-policy-targeted-3.14.1-25.fc28).  gdm fails to start and I get a boot-to-crash ("something went wrong" splash screen from gdm on boot).

"dnf downgrade selinux-policy-targeted" took me back to selinux-policy-targeted-3.14.1-21.fc28.noarch and I can boot to graphical login again.

Comment 2 Fedora Update System 2018-05-24 14:38:20 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 William Temple 2018-05-25 15:12:43 UTC
I experienced this issue this morning, updating from Fedora 27 to Fedora 28 on my workstation PC. Same selinux-policy-targeted version.

NVIDIA driver version: nvidia-driver-390.59-1.fc28.x86_64

I'm using the package from negativo17.org, not the one hosted on RPMFusion.

$ getfattr -d -m ".*" /dev/nvidiactl
getfattr: Removing leading '/' from absolute path names
# file: dev/nvidiactl
security.selinux="system_u:object_r:xserver_misc_device_t:s0"

$ dnf repoquery -i nvidia-driver-390.59-1.fc28
Last metadata expiration check: 0:00:36 ago on Fri 25 May 2018 09:04:49 AM MDT.
Name         : nvidia-driver
Epoch        : 3
Version      : 390.59
Release      : 1.fc28
Arch         : x86_64
Size         : 2.5 M
Source       : nvidia-driver-390.59-1.fc28.src.rpm
Repo         : fedora-nvidia
Summary      : NVIDIA's proprietary display driver for NVIDIA graphic cards
URL          : http://www.nvidia.com/object/unix.html
License      : NVIDIA License
Description  : This package provides the most recent NVIDIA display driver which
             : allows for hardware accelerated rendering with recent NVIDIA
             : chipsets.
             : 
             : For the full product support list, please consult the release
             : notes for driver version 390.59.


I've worked around this by putting SELinux into permissive mode for the time being.

Comment 4 Fedora Update System 2018-05-25 18:43:58 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 5 Fedora Update System 2018-05-26 20:45:43 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

