Bug 729451 - Restorecond isn't allowed to relabel to xserver_misc_device_t
Summary: Restorecond isn't allowed to relabel to xserver_misc_device_t
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
Reported: 2011-08-09 18:59 UTC by Göran Uddeborg
Modified: 2011-10-06 00:01 UTC (History)

Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-10-06 00:01:17 UTC


Description Göran Uddeborg 2011-08-09 18:59:52 UTC
Description of problem:
The proprietary Nvidia graphics drivers create the device files /dev/nvidiactl and /dev/nvidia0 in some way that gives them an incorrect SELinux context.  Since these drivers are proprietary, we can't fix the bug at the source.  As a workaround, Miroslav Grepl suggested in bug 694918, comment 1, to let restorecond take care of it.

It seems, however, that restorecond isn't allowed to do that.  When I try it I get an AVC about it not being allowed to "relabelto" that context.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
Assuming a machine with the proprietary Nvidia drivers:
1. Add /dev/nvidiactl and /dev/nvidia0 to /etc/selinux/restorecond.conf
2. Reboot

Actual results:
The devices are not relabeled but remain device_t and this AVC is reported:

type=AVC msg=audit(1312575006.803:33): avc:  denied  { relabelto } for  pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

Expected results:
The devices should be relabeled by restorecond.
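
The AVC record quoted above is the kind of input that audit2allow turns into a local policy module (the workaround with an extra relabelto permission that the reporter mentions later in this thread). As an added example, not code from this bug report or from the selinux-policy project, here is a small Python version of that step: it parses AVC records from an audit log, groups the denied permissions per source type, target type and object class, and renders the source of a loadable module. In the embedded sample only the first AVC line is the one from the report; the second AVC line (for nvidia0) and the SYSCALL record are constructed here to show grouping and the skipping of non-AVC records.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log. Line 1 is the AVC quoted in the bug report;
# line 2 (the nvidia0 device) and line 3 (a SYSCALL record) are made up here
# to exercise grouping of several denials and skipping of non-AVC records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312575006.803:33): avc:  denied  { relabelto } for  pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=AVC msg=audit(1312575006.804:34): avc:  denied  { relabelto } for  pid=905 comm="restorecond" name="nvidia0" dev=devtmpfs ino=18491 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1312575006.803:33): arch=c000003e syscall=188 success=no exit=-13
"""

# "avc:  denied  { relabelto }" -> decision and the permission set in braces.
_AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; values are either quoted ("restorecond") or a bare token.
_FIELD_RE = re.compile(r'\b(?P<key>[a-z]+)=(?P<val>"[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    decision: str
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    comm: str = ""
    name: str = ""

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:range]; the type is the third field.
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.scontext)

    @property
    def target_type(self):
        return self._type_of(self.tcontext)


def parse_avc(line):
    """Return an AvcRecord for an 'avc: denied { ... }' line, or None otherwise."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    try:
        return AvcRecord(
            decision=m.group("decision"),
            perms=frozenset(m.group("perms").split()),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
        )
    except KeyError:
        return None  # AVC record missing a mandatory context field


def collect_denials(lines):
    """Parse every line and keep only the denied AVC records."""
    records = (parse_avc(line) for line in lines)
    return [r for r in records if r is not None and r.decision == "denied"]


def _perm_text(perms):
    txt = " ".join(sorted(perms))
    return txt if len(perms) == 1 else "{ " + txt + " }"


def generate_allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for rec in collect_denials(lines):
        grouped[(rec.source_type, rec.target_type, rec.tclass)].update(rec.perms)
    return [f"allow {src} {tgt}:{cls} {_perm_text(perms)};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


def build_module_te(module_name, lines, version="1.0"):
    """Render loadable module source (.te): header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for rec in collect_denials(lines):
        types.update((rec.source_type, rec.target_type))
        classes[rec.tclass].update(rec.perms)
    require = [f"    type {t};" for t in sorted(types)]
    require += [f"    class {cls} {{ {' '.join(sorted(perms))} }};"
                for cls, perms in sorted(classes.items())]
    body = [f"module {module_name} {version};", "", "require {", *require, "}", ""]
    body += generate_allow_rules(lines) + [""]
    return "\n".join(body)


if __name__ == "__main__":
    print(build_module_te("restorecond_nvidia", SAMPLE_AUDIT_LOG.splitlines()))
```

Given the report's AVC, the generated rule is `allow restorecond_t xserver_misc_device_t:chr_file relabelto;`. The rendered .te text would be compiled and loaded with `checkmodule -M -m -o restorecond_nvidia.mod restorecond_nvidia.te`, `semodule_package -o restorecond_nvidia.pp -m restorecond_nvidia.mod` and `semodule -i restorecond_nvidia.pp`. The generator only emits what the log actually denied, so the output should be read as a diagnosis rather than an automatic fix: here the policy maintainer fixed it in selinux-policy itself, and the Fedora 16 policy avoids the relabel step entirely by giving the device files the right type through a file name transition, as comment 5 below notes.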

Comment 1 Miroslav Grepl 2011-08-10 06:37:18 UTC
Fixed in selinux-policy-3.9.16-38.fc15

Comment 2 Fedora Update System 2011-09-08 08:11:10 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.

Comment 3 Fedora Update System 2011-09-09 05:27:30 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 4 Göran Uddeborg 2011-09-19 17:37:47 UTC
My machine with Nvidia graphics hardware is using selinux policy 3.10.0-28.fc16 from the F16 alpha now, so I can't easily verify the F15 update.

It does seem, however, that this fix didn't make it into the F16 policy.  Do you want a separate bugzilla about that?  Or do you handle it within this one?

Comment 5 Miroslav Grepl 2011-09-20 11:38:01 UTC
It should be fixed by file name transition in Fedora16.

Comment 6 Göran Uddeborg 2011-09-20 13:42:17 UTC
Is there something more than just a recent selinux-policy needed for file name transitions to work?  I removed the /dev/nvidia* entries from restorecond.conf, and the additional relabelto permission from a local policy module.

Now the /dev/nvidia* files are back to device_t again.

Since rpmfusion hasn't started packaging nvidia drivers for F16 yet, I'm still running a kernel from F15, and the matching nvidia packages.  Would that prevent this from working?  Or is there a remaining bug for F16 here?


Comment 7 Miroslav Grepl 2011-09-20 15:08:22 UTC
Well, you need to be on Fedora16 with F16 pkgs to get this feature.

Comment 8 Göran Uddeborg 2011-09-20 15:15:41 UTC
I see.  I thought the F16 packages would have worked on a slightly older kernel too.  But then I'll try again when I can upgrade to an F16 kernel.

Comment 9 Fedora Update System 2011-10-06 00:01:17 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
