Bug 221278 - selinux errors with nVidia video driver
Summary: selinux errors with nVidia video driver
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-01-03 15:09 UTC by Need Real Name
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2007-08-22 14:14:01 UTC

Attachments (Terms of Use)

Description Need Real Name 2007-01-03 15:09:27 UTC
Description of problem:
Axel Thimm (from atrpms) suggested that I pass this one on to you to see if it
is appropriate to solve at the general selinux policy level...
Here is the buzilla entry that I originally entered on the atrpms bugzilla system.


The nvidia driver module has an selinux conflict when run under the (default)
'targeted' selinux policy.

Specifically, I get the following "avc: denied" errors:

avc:  denied  { execmod } comm=Xorg name=nvidia-1.0-9631_drv.o
tcontext=system_u:object_r:lib_t:s0 tclass=file
avc:  denied  { execmod } comm=Xorg name=nvidia-1.0-9631_drv.o
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lib_t:s0

audit2allow gives the following suggested additions to the policy:

require {
        class file execmod;
        type init_t;
        type lib_t;
        type xdm_t;
        role system_r;

allow init_t lib_t:file execmod;
allow xdm_t lib_t:file execmod;


Please let me know what you think is the most practical way to correct this.
(i.e., even if technically this is an nvidia company problem but if they are
unlikely to correct this, then I would prefer an alternative practical solution
such as either fixing the selinux policy or making suggestions for how to fix
the rpm compiled by Axel)

Comment 1 Daniel Walsh 2007-01-03 21:28:10 UTC
chcon -t textrel_shlib_t nvidia-1.0-9631_drv.o

Also please update to the latest policy.  Also if you install setroubleshoot, it
will help you diagnose selinux-errors.

Comment 2 Axel Thimm 2007-01-04 02:47:47 UTC
If I were to update the rpm to include this, how would I express this in the
specfile? For rpm to record the context it would have to be part of %install or
an attribute to the %files section. Since %install runs as a non-root user, can
this user use chcon w/o limitations (under %{buildroot})?


Comment 3 Daniel Walsh 2007-01-08 20:41:34 UTC
The best idea is to tell me what the path is and to get it into the base policy.

you could use semanage and restorecon

semanage fcontext -a -t textrel_shlib_t PATH
restorecon PATH

Comment 4 Axel Thimm 2007-01-08 21:51:39 UTC
> The best idea is to tell me what the path is and to get it into the base
> policy.

OK, the modules and libs are located under


with symlinks to higher folders w/o the nvidia-graphics-[^/]* part, e.g.


The above covers both conventional nvidia installs, too. But I don't really know
which libs need special selinux treatment. For example libnvidia-wfb is a very
fresh part of the driver only used with nv80 hardware, so s/o with such a
hardware would have to report on selinux issues I guess, or not?


Comment 5 Need Real Name 2007-01-08 22:10:03 UTC
Of course, to perhaps state the obvious, "9746" is the current version number.
There are other legacy versions still out there and new one no doubt on the way...

Comment 6 Need Real Name 2007-01-14 17:32:51 UTC
Has this been fixed yet?
I am still a little unsure whether this is to be fixed (by you :) in the base
policy or by Axel in his rpm spec file.


Comment 7 Daniel Walsh 2007-01-15 15:06:35 UTC
The specificatons have been fixed in the base policy.  nvidia should fix their
libraries.  Axel should not need to change anything.

Comment 8 Need Real Name 2007-03-28 00:27:26 UTC
It seems that this is still not fixed.
What exactly does nvidia need to change or if they are unresponsive is there
anything Axel could possibly do (if he is willing) to fix this?

If you tell me exactly what needs to be done by nvidia, I would be happy to file
a bug report on their forum

Comment 9 Daniel Walsh 2007-03-28 12:44:40 UTC
The best source of information on this topic is at


I have added Uli to the CC list to see if he has any other comments.

Comment 10 Ulrich Drepper 2007-03-29 16:29:36 UTC
It's not possible to exactly tell NVidia what is needed since we don't have
access to the sources.  Given their goal of speed I assume they have
hand-written asm code which is not PIC safe.  Or C/C++ code could miss the
-fpic/-fPIC option since they think it eats up too much performance.


Comment 11 Daniel Walsh 2007-08-22 14:14:01 UTC
Fixed in current release

Note You need to log in before you can comment on or make changes to this bug.