2219166 – SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.

Bug 2219166 - SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.

Summary: SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:cfd909b08f7249b9181382e2dc9...
Duplicates (2):	2218990 2219165 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-02 16:00 UTC by jplie
Modified:	2023-07-18 01:24 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-38.21-1.fc38
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-07-18 01:24:27 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (1.89 KB, text/plain) 2023-07-02 16:00 UTC, jplie	no flags	Details
File: os_info (690 bytes, text/plain) 2023-07-02 16:00 UTC, jplie	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1337	0	None	Merged	Set the abrt_handle_event boolean to on	2023-07-11 20:07:02 UTC

Description jplie 2023-07-02 16:00:41 UTC

Description of problem:
I've tried to mirror nvidia virtual display and my monitor
SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdb should be allowed read access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.20-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.20-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.10-201.fsync.fc38.x86_64 #1
                              SMP PREEMPT_DYNAMIC Sat Jul 1 17:41:47 UTC 2023
                              x86_64
Alert Count                   62
First Seen                    2023-07-02 15:41:05 MSK
Last Seen                     2023-07-02 18:56:01 MSK
Local ID                      85015c89-e6cb-418c-8acf-30c5f88c44dd

Raw Audit Messages
type=AVC msg=audit(1688313361.856:259): avc:  denied  { read } for  pid=3039 comm="gdb" name="nvidiactl" dev="devtmpfs" ino=911 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=0


Hash: gdb,abrt_t,xserver_misc_device_t,chr_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.20-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.
package:        selinux-policy-targeted-38.20-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.10-201.fsync.fc38.x86_64
comment:        I've tried to mirror nvidia virtual display and my monitor
component:      selinux-policy

Comment 1 jplie 2023-07-02 16:00:44 UTC

Created attachment 1973761 [details]
File: description

Comment 2 jplie 2023-07-02 16:00:46 UTC

Created attachment 1973762 [details]
File: os_info

Comment 3 Nikola Knazekova 2023-07-07 16:38:33 UTC

*** Bug 2218990 has been marked as a duplicate of this bug. ***

Comment 4 Nikola Knazekova 2023-07-07 16:40:52 UTC

*** Bug 2219165 has been marked as a duplicate of this bug. ***

Comment 5 Nikola Knazekova 2023-07-07 16:41:16 UTC

Similar bz#2219165:

Raw Audit Messages
type=AVC msg=audit(1688312521.536:146): avc:  denied  { read } for  pid=1191 comm="gdb" name="card0" dev="devtmpfs" ino=168 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

Comment 6 Fedora Update System 2023-07-14 11:59:50 UTC

FEDORA-2023-2663818afd has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

Comment 7 Fedora Update System 2023-07-15 01:32:30 UTC

FEDORA-2023-2663818afd has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-2663818afd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-07-18 01:24:27 UTC

FEDORA-2023-2663818afd has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.