Description of problem:
The proprietary Nvidia graphics drivers create the device files /dev/nvidiactl and /dev/nvidia0 in some way that gives them an incorrect SELinux context. Since these drivers are proprietary, we can't fix the bug at the source. As a workaround, Miroslav Grepl suggested in bug 694918, comment 1, to let restorecond take care of it. It seems, however, that restorecond isn't allowed to do that. When I try it, I get an AVC about it not being allowed to "relabelto" that context.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-35.fc15.noarch

How reproducible:
Every time

Steps to Reproduce:
Assuming a machine with the proprietary Nvidia drivers:
1. Add /dev/nvidiactl and /dev/nvidia0 to /etc/selinux/restorecond.conf
2. Reboot

Actual results:
The devices are not relabeled but remain device_t, and this AVC is reported:

type=AVC msg=audit(1312575006.803:33): avc: denied { relabelto } for pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

Expected results:
The devices should be relabeled by restorecond.
Fixed in selinux-policy-3.9.16-38.fc15
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
My machine with Nvidia graphics hardware is using selinux policy 3.10.0-28.fc16 from the F16 alpha now, so I can't easily verify the F15 update. It does seem, however, that this fix didn't make it into the F16 policy. Do you want a separate bugzilla about that? Or do you handle it within this one?
It should be fixed by file name transition in Fedora16.
Is there something more than just a recent selinux-policy needed for file name transitions to work? I removed the /dev/nvidia* entries from restorecond.conf, and the additional relabelto permission from a local policy module. Now the /dev/nvidia* files are back to device_t again. Since rpmfusion hasn't started packaging nvidia drivers for F16 yet, I'm still running a 2.6.40.3 kernel from F15, and the matching nvidia packages. Would that prevent this from working? Or is there a remaining bug for F16 here?

selinux-policy-targeted-3.10.0-28.fc16.noarch
kernel-2.6.40.3-0.fc15.x86_64
kmod-nvidia-2.6.40.3-0.fc15.x86_64-280.13-2.fc15.1.x86_64
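The AVC in the report and the "local policy module with the additional relabelto permission" mentioned in the comment above are the two halves of the usual stopgap: read the denial, derive the one allow rule it asks for, and load it as a local module until the distribution policy is fixed. The POSIX shell script below is an added example, not code from this bug or from selinux-policy; it mirrors what audit2allow does for a single denial so the resulting rule can be read and reviewed before anything is loaded. The sample AVC line is constructed from the one in the report, and the module name nvidia_restorecond_local is a placeholder.

```shell
#!/bin/sh
# Added example: turn one SELinux AVC denial line into the allow rule and
# minimal policy module body that would permit exactly that access.
# Not part of the bug report or of selinux-policy; it reproduces what
# audit2allow does for a single denial so the rule can be inspected.

# Constructed sample, shaped after the denial in the report:
# restorecond was not allowed to relabelto xserver_misc_device_t.
AVC_SAMPLE='type=AVC msg=audit(1312575006.803:33): avc: denied { relabelto } for pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file'

# avc_field LINE KEY: print the value of KEY=value in LINE, with any
# surrounding double quotes stripped (comm="restorecond" -> restorecond).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the space-separated permission list inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# context_type CONTEXT: the type component (third field) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the single allow rule that covers this denial, e.g.
# "allow restorecond_t xserver_misc_device_t:chr_file { relabelto };"
avc_to_allow() {
    _src=$(context_type "$(avc_field "$1" scontext)")
    _tgt=$(context_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    _perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# avc_to_module LINE NAME: a complete .te body (module header, require
# block, allow rule) in the raw form accepted by checkmodule -M -m.
avc_to_module() {
    _line=$1
    _name=$2
    _src=$(context_type "$(avc_field "$_line" scontext)")
    _tgt=$(context_type "$(avc_field "$_line" tcontext)")
    _cls=$(avc_field "$_line" tclass)
    _perms=$(avc_perms "$_line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$_name" "$_src" "$_tgt" "$_cls" "$_perms"
    avc_to_allow "$_line"
}

# Show the module that the constructed denial leads to. The name is a placeholder.
avc_to_module "$AVC_SAMPLE" nvidia_restorecond_local
```

Before loading such a module, check that the rule is as narrow as the denial (one source type, one target type, one class, the listed permissions) and that the target type is the one the files are supposed to have; a rule for a broader type or class grants restorecond more relabeling than the workaround needs. The thread shows why this is only a stopgap: the fixed selinux-policy for F15 and the file name transition in F16 remove the need for the local rule, at which point it should be unloaded.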
Well, you need to be on Fedora16 with F16 pkgs to get this feature.
I see. I thought the F16 packages would have worked on a slightly older kernel too. But then I'll try again when I can upgrade to an F16 kernel.
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.