1582203 – SELinux is preventing sddm-greeter from map access on the chr_file /dev/nvidiactl

Bug 1582203 - SELinux is preventing sddm-greeter from map access on the chr_file /dev/nvidiactl

Summary: SELinux is preventing sddm-greeter from map access on the chr_file /dev/nvidi...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	28
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-05-24 13:57 UTC by Vitaly
Modified:	2018-05-26 20:44 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.14.1-29.fc28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-26 20:44:29 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Vitaly 2018-05-24 13:57:59 UTC

Description of problem:
SELinux is preventing sddm-greeter from map access on the chr_file /dev/nvidiactl

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-25.fc28

How reproducible:
Always.

Steps to Reproduce:
1. Install NVIDIA drivers (from RPMFusion).
2. Reboot.

Actual results:
SDDM hangs on login screen.

Expected results:
Successful boot.

Additional info:

kernel: audit: type=1400 audit(1527169499.626:160): avc:  denied  { map } for  pid=976 comm="sddm-greeter" path="/dev/nvidiactl" dev="devtmpfs" ino=19511 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=1
audit[976]: AVC avc:  denied  { map } for  pid=976 comm="sddm-greeter" path="/dev/nvidiactl" dev="devtmpfs" ino=19511 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=1
audit[976]: SYSCALL arch=c000003e syscall=9 success=yes exit=140621817901056 a0=0 a1=105000 a2=3 a3=1 items=0 ppid=968 pid=976 auid=4294967295 uid=982 gid=975 euid=982 suid=982 fsuid=982 egid=975 sgid=975 fsgid=975 tty=(none) ses=4294967295 comm="sddm-greeter" exe="/usr/bin/sddm-greeter" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Full log from another Bodhi user: https://paste.fedoraproject.org/paste/iVsH2eyhwjgnqMs4d9Behg

Comment 1 Fedora Update System 2018-05-24 14:36:07 UTC

selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 2 John W Smith 2018-05-25 14:29:47 UTC

Same problem here. Changing SELINUX=permissive in /etc/selinux/config is a temporary workaround.

Comment 3 Fedora Update System 2018-05-25 18:42:38 UTC

selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 4 Fedora Update System 2018-05-26 20:44:29 UTC

selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.