Description of problem:

I'm hitting the following denials whenever kwin starts when logging in to a KDE Wayland session after a reboot. This is with the proprietary nvidia drivers installed.

type=AVC msg=audit(1730072197.188:289): avc: denied { getattr } for pid=2287 comm="kwin_wayland" path="/dev/nvidia-modeset" dev="devtmpfs" ino=1313 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1730072197.189:290): avc: denied { read write } for pid=2287 comm="kwin_wayland" name="nvidia-modeset" dev="devtmpfs" ino=1313 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0

I see in https://github.com/fedora-selinux/selinux-policy/blob/1b1476d69726b6a487d743925a4498737fe6fadb/policy/modules/kernel/devices.fc#L105 that anything beginning with "/dev/nvidia" should be labelled as xserver_misc_device_t, but on my system it's labeled as the generic device_t:

❯ ls -lZd /dev/nvidia*
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 0 Oct 27 19:36 /dev/nvidia0
drwxr-xr-x. 2 root root unconfined_u:object_r:device_t:s0 80 Oct 27 19:37 /dev/nvidia-caps
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t:s0 195, 255 Oct 27 19:36 /dev/nvidiactl
crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 195, 254 Oct 27 19:36 /dev/nvidia-modeset
crw-rw-rw-. 1 root root unconfined_u:object_r:xserver_misc_device_t:s0 508, 0 Oct 27 19:37 /dev/nvidia-uvm
crw-rw-rw-. 1 root root unconfined_u:object_r:xserver_misc_device_t:s0 508, 1 Oct 27 19:37 /dev/nvidia-uvm-tools

I do not have anything that overrides the contexts:

❯ matchpathcon /dev/nvidia-modeset
/dev/nvidia-modeset system_u:object_r:xserver_misc_device_t:s0

I'm not sure how /dev/nvidia-modeset gets created, but is there any chance an additional file transition rule needs to be added here?
https://github.com/fedora-selinux/selinux-policy/blob/1b1476d69726b6a487d743925a4498737fe6fadb/policy/modules/kernel/devices.if#L7710-L7721

Version-Release number of selected component (if applicable):
selinux-policy-41.24-1.fc41.noarch
kwin-6.2.2-1.fc41.x86_64
xorg-x11-drv-nvidia-565.57.01-2.fc41.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Reboot
2. Log into KDE Wayland session
3. Observe audit log

Actual results:
kwin_wayland fails to access /dev/nvidia-modeset

Expected results:
kwin_wayland should be able to access /dev/nvidia-modeset.

Additional info:
(Included above)
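Added example, not part of the original report or of selinux-policy: a small triage script that tells a labeling problem apart from a missing allow rule by comparing each denied target's type with the type the file contexts specify. The `EXPECTED` table, the function names and the `/dev/` + `name=` heuristic are assumptions for illustration; the sample input is the two AVC records quoted in the report.

```python
import re
import shlex

# Sample input: the two AVC records quoted in the report, rejoined from pieces.
_CTX = ('scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
        'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')
SAMPLE_AUDIT = "\n".join([
    'type=AVC msg=audit(1730072197.188:289): avc:  denied  { getattr } for  pid=2287 '
    'comm="kwin_wayland" path="/dev/nvidia-modeset" dev="devtmpfs" ino=1313 ' + _CTX,
    'type=AVC msg=audit(1730072197.189:290): avc:  denied  { read write } for  pid=2287 '
    'comm="kwin_wayland" name="nvidia-modeset" dev="devtmpfs" ino=1313 ' + _CTX,
])

# Assumption: one file-context rule reduced to (regex, type), modeled on the
# report's statement that anything beginning with /dev/nvidia should be
# xserver_misc_device_t. On a live system matchpathcon gives this answer.
EXPECTED = [(re.compile(r"/dev/nvidia.*"), "xserver_misc_device_t")]

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for tok in shlex.split(m.group(2)):      # shlex strips the quotes around values
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec

def target_path(rec):
    """path= is a full path; name= is only the last component (heuristic for /dev)."""
    if "path" in rec:
        return rec["path"]
    if rec.get("dev") == "devtmpfs" and "name" in rec:
        return "/dev/" + rec["name"]
    return None

def mislabeled(audit_text):
    """Map (path, actual_type, expected_type) -> sorted denied permissions."""
    found = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        path = target_path(rec) if rec else None
        if not path or "tcontext" not in rec:
            continue
        actual = rec["tcontext"].split(":")[2]   # user:role:type:level
        for rx, want in EXPECTED:
            if rx.fullmatch(path) and actual != want:
                found.setdefault((path, actual, want), set()).update(rec["perms"])
    return {k: sorted(v) for k, v in found.items()}
```

A non-empty result means the denial comes from the node carrying the wrong label, so the fix belongs in labeling (file contexts or a file transition rule) rather than in a new allow rule for `xdm_t` on `device_t`.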
Confirmed that adding the file transition rule fixes the problem. I've submitted a PR here: https://github.com/fedora-selinux/selinux-policy/pull/2417
FEDORA-2024-bbef94e809 (selinux-policy-41.25-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-bbef94e809
FEDORA-2024-bbef94e809 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bbef94e809` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bbef94e809 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
It seems that this got automatically linked to FEDORA-2024-bbef94e809, but it shouldn't have, since that update doesn't include the commit with the fix.
FEDORA-2024-bbef94e809 (selinux-policy-41.25-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
Reopening this per my previous comment.
Correct, fix will be in the next build, sorry for that.
FEDORA-2024-ee068c46d3 (selinux-policy-41.26-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-ee068c46d3
FEDORA-2024-ee068c46d3 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ee068c46d3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ee068c46d3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Thanks! I've tested selinux-policy-41.26-1.fc41 and everything looks good.
FEDORA-2024-ee068c46d3 (selinux-policy-41.26-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.