Bug 422001 - selinux /dev/dri/card0 policy
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-12-12 12:05 EST by Dr. Firas Swidan
Modified: 2008-01-30 14:05 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:31 EST
Description Dr. Firas Swidan 2007-12-12 12:05:15 EST
Description of problem:

When enabling selinux with default settings, the graphic card DRI interface
/dev/dri/card0 cannot be opened with fglrx, the ATI proprietary driver. The problem
is not present when turning off selinux altogether. I attached below some
info, but I am not sure which parts of the selinux policy to submit or how to
produce them.


*************** from Xorg.0.log *************
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: Open failed
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: Open failed
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: open result is -1, (Permission denied)
drmOpenDevice: Open failed

******************************************

This results in no DRI

************** from Xorg.0.log *************

(EE) fglrx(0): atiddxDriScreenInit failed, GPS not been initialized.
(WW) fglrx(0): ***********************************************
(WW) fglrx(0): * DRI initialization failed! *
(WW) fglrx(0): * (maybe driver kernel module missing or bad) *
(WW) fglrx(0): * 2D acceleraton available (MMIO) *
(WW) fglrx(0): * no 3D acceleration available *
(WW) fglrx(0): ********************************************* *

*****************************************

The permissions of /dev/dri/card0 are:

crw------- 1 root root 226, 0 2007-12-10 07:52 card0


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.0.8-64.fc8

How reproducible:

Enable selinux and reboot.

Steps to Reproduce:
1. enable default selinux policy.
2. reboot machine.
Actual results:

/dev/dri/card0 cannot be opened and there is no DRI as a result.

Expected results:

/dev/dri/card0 should be opened and DRI should work.

Additional info:
Comment 1 Daniel Walsh 2007-12-12 17:16:29 EST
What avc messages are you seeing in /var/log/audit/audit.log?
Comment 2 Daniel Walsh 2007-12-12 17:17:20 EST
What does

ls -lZ /dev/dri/card0

show?
Comment 3 Dr. Firas Swidan 2007-12-13 04:07:40 EST
This is rather weird, but I could not find a /var/log/audit/ directory (???). I
found, however, some card0-related avc messages in /var/log/messages and
attached those instead.

# ls -lZ /dev/dri/card0
crw-------  root root system_u:object_r:device_t       /dev/dri/card0

***************** avc messages from /var/log/messages ************
Dec 13 10:50:56 localhost kernel: audit(1197535856.795:6): avc:  denied  {
getattr } for  pid=2555 comm="X" path="/dev/dri/card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:7): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:8): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:9): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:10): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.797:11): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.797:12): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.797:13): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.798:14): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.798:15): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.798:16): avc:  denied  {
getattr } for  pid=2555 comm="X" path="/dev/dri/card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:17): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:18): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:19): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:20): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:21): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.799:22): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.800:23): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.800:24): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.800:25): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.800:26): avc:  denied  {
getattr } for  pid=2555 comm="X" path="/dev/dri/card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.800:27): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.801:28): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.801:29): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.801:30): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.801:31): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.801:32): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.802:33): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.802:34): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.802:35): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.805:36): avc:  denied  {
getattr } for  pid=2555 comm="X" path="/dev/dri/card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.805:37): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.805:38): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.805:39): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.805:40): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.806:41): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.806:42): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.806:43): avc:  denied  {
setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.806:44): avc:  denied  { read
write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.807:45): avc:  denied  {
unlink } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:59 localhost kernel: audit(1197535859.277:46): avc:  denied  {
execute } for  pid=2557 comm="X" name="firegl1.isse.002b4110.4760f273.00043bd4"
dev=dm-0 ino=5439499 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_xserver_tmp_t:s0 tclass=file
Dec 13 10:50:59 localhost kernel: audit(1197535859.282:47): avc:  denied  {
execute } for  pid=2558 comm="X" name="firegl1.isse.002b4110.4760f273.000450cd"
dev=dm-0 ino=5439499 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_xserver_tmp_t:s0 tclass=file
Comment 4 Daniel Walsh 2007-12-13 14:49:07 EST
Looks like whoever created the device did not label it correctly.

# matchpathcon /dev/dri/card0 
/dev/dri/card0	system_u:object_r:dri_device_t

The file context should have been dri_device_t.

If you run restorecon on it you will get this label.

Also looks like the xserver is trying to execute

 firegl1.isse.002b4110.4760f273.000450cd

from /tmp/

I would guess the closed driver is creating the device and the executable on the
fly and then trying to execute it.

Please report this as a bug to ATI.

selinux-policy-3.0.8-68 will have an unconfined xserver so this will work in
enforcing mode then.  But it would be nice if ATI fixed their drivers.
Comment 5 Dr. Firas Swidan 2007-12-13 23:06:11 EST
I am a bit confused: When I run matchpathcon i get an output similar to yours:

# /usr/sbin/matchpathcon /dev/dri/card0 
/dev/dri/card0  system_u:object_r:dri_device_t

When I run ls -lZ I get a different output:

# ls -lZ /dev/dri/card0 
crw-------  root root system_u:object_r:device_t       /dev/dri/card0

How to interpret this?
Comment 6 Daniel Walsh 2007-12-14 07:30:45 EST
In SELinux all files/devices/directories get created by default with the context
of their parent directory, in this case device_t.   Rules can be written that say
certain applications creating certain file types in certain directories get
different file contexts.  Also SELinux-aware applications can create files in a
directory and set the context automatically.

udev creates most files/devices in /dev and asks the system (matchpathcon) how
to label the devices before creating them.   In this case the X driver creates
the device itself and did not ask the system how to label the device.  So since
the device gets created with the wrong label, SELinux prevents other confined
applications from using the device.  SELinux does not know what the device is.
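The diagnosis in comments 4 and 6 comes down to two checks: does the label the device node actually carries (ls -Z) match what the policy's file_contexts says it should carry (matchpathcon), and what do the AVC denials in comment 3 boil down to once the repeated records are collapsed. The script below, added here as an example and not code from the bug report, Fedora or the selinux-policy package, does both. It assumes the function names shown, that each AVC record sits on one line as the kernel writes it (the records in comment 3 were wrapped by Bugzilla), and uses only sh and awk so it runs on a machine without SELinux; the actual fix (restorecon) is printed as a suggestion rather than executed.

```shell
#!/bin/sh
# Added example for bug 422001; not code from the bug report, Fedora or the
# selinux-policy package. Triages a device node whose on-disk label (ls -Z)
# disagrees with the policy's file_contexts (matchpathcon), and summarises
# the burst of AVC denials that mismatch produces. Plain sh + awk only, so
# it runs without SELinux installed; restorecon is only suggested, not run.

# Type field of a security context: the third colon-separated component,
# e.g. system_u:object_r:device_t:s0 -> device_t
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Compare the label a file actually carries with the label the policy
# expects for that path. Returns 0 if they agree, 1 if a relabel is needed.
#   $1 path   $2 context from `ls -Z`   $3 context from `matchpathcon`
check_label() {
    path=$1
    actual=$(ctx_type "$2")
    expected=$(ctx_type "$3")
    if [ "$actual" = "$expected" ]; then
        printf '%s: label %s matches policy\n' "$path" "$actual"
        return 0
    fi
    printf '%s: labelled %s, policy expects %s -> fix with: restorecon -v %s\n' \
        "$path" "$actual" "$expected" "$path"
    return 1
}

# Collapse AVC denial lines (stdin) into one row per distinct
# "source type -> target type (class) { permissions }", with a count.
# Each record must be on a single line, as the kernel writes it.
summarize_avc() {
    awk '
    /avc: *denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # the permissions are the words between "{" and "}"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], y, ":"); s = y[3] }
            if (kv[1] == "tcontext") { split(kv[2], y, ":"); t = y[3] }
            if (kv[1] == "tclass")   { c = kv[2] }
        }
        n[s " -> " t " (" c ") { " perms " }"]++
    }
    END { for (k in n) printf "%4d %s\n", n[k], k }' | sort -rn
}

# Five of the records from comment 3, re-joined onto single lines.
SAMPLE_AVC='Dec 13 10:50:56 localhost kernel: audit(1197535856.795:6): avc:  denied  { getattr } for  pid=2555 comm="X" path="/dev/dri/card0" dev=tmpfs ino=6617 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:8): avc:  denied  { setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:9): avc:  denied  { setattr } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:56 localhost kernel: audit(1197535856.796:10): avc:  denied  { read write } for  pid=2555 comm="X" name="card0" dev=tmpfs ino=6617 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Dec 13 10:50:59 localhost kernel: audit(1197535859.277:46): avc:  denied  { execute } for  pid=2557 comm="X" name="firegl1.isse.002b4110.4760f273.00043bd4" dev=dm-0 ino=5439499 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmp_t:s0 tclass=file'

demo() {
    # The values from comments 3 and 4: ls -lZ showed device_t, matchpathcon
    # answered dri_device_t. The non-zero verdict is expected, so ignore it.
    check_label /dev/dri/card0 system_u:object_r:device_t system_u:object_r:dri_device_t || :
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
}
demo
```

On a live system the two contexts for check_label come from `ls -Z /dev/dri/card0` and `matchpathcon /dev/dri/card0`, and the input to summarize_avc is `grep 'avc: *denied' /var/log/audit/audit.log` (or /var/log/messages when auditd is not running, as in comment 3). The summary makes the two separate problems Daniel Walsh identified visible at a glance: every chr_file denial targets device_t, which a restorecon cures, while the execute denial against xdm_xserver_tmp_t is the driver running a file it wrote to /tmp, which no relabel of the device node fixes.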
Comment 7 Daniel Walsh 2008-01-30 14:05:31 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
