Bug 732221 - Please add /dev/nvidia0 and /dev/nvidiactl to /etc/selinux/restorecond.conf for nvidia user
Keywords:
Status: CLOSED DUPLICATE of bug 748069
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 16
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-21 00:16 UTC by sangu
Modified: 2011-11-07 22:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-07 22:58:57 UTC
Type: ---
Embargoed:


Description sangu 2011-08-21 00:16:28 UTC
Description of problem:
Please add /dev/nvidia0 and /dev/nvidiactl to /etc/selinux/restorecond.conf for nvidia vga user.

# matchpathcon /dev/nvidia0
/dev/nvidia0	system_u:object_r:xserver_misc_device_t:s0
# ls -Z /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidia0
# restorecon  -R -v /dev/nvidia0
restorecon reset /dev/nvidia0 context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0

# matchpathcon /dev/nvidiactl 
/dev/nvidiactl	system_u:object_r:xserver_misc_device_t:s0
# ls -Z /dev/nvidiactl 
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidiactl
# restorecon  -R -v /dev/nvidiactl 
restorecon reset /dev/nvidiactl context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0

bug 94918, comment 1 is a difficult task for an end user to resolve the issue.

Version-Release number of selected component (if applicable):
2.0.86


How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
See bug 94918 comment 1

Comment 1 sangu 2011-08-21 00:55:27 UTC
Sorry, my mistake.

bug 694918, comment 1

Comment 2 Miroslav Grepl 2011-08-22 11:43:10 UTC
Well it should work in F16 without restorecond.

what does

# rpm -q selinux-policy

show

Comment 3 sangu 2011-08-22 12:00:38 UTC
(In reply to comment #2)
> Well it should work in F16 without restorecond.
> 
> what does
> 
> # rpm -q selinux-policy
> 
> show

$ rpm -q selinux-policy
selinux-policy-3.10.0-18.fc16.noarch

Comment 4 Miroslav Grepl 2011-08-22 12:40:57 UTC
And you end up with /dev/nvidia0 labeled as device_t always? This is strange.

Comment 5 Daniel Walsh 2011-08-22 16:13:17 UTC
What process is creating these devices?

Comment 6 Eric Paris 2011-08-22 16:21:38 UTC
Maybe one could determine what is creating these files by adding the following line to /etc/audit/audit.rules

-a exit,always -F path=/dev/nvidiactl -F perm=rwxa

Make sure audit is enabled and reboot. Attach /var/log/audit/audit.log and hopefully we can see what is creating it....
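
Added example, not part of the comment above or of any Fedora tooling: one way to read the resulting audit.log and pick out the process that created a device node, as opposed to the later accesses that perm=rwxa also records. The log lines are constructed, the process names are placeholders, and the script assumes a kernel whose PATH records carry a nametype= field.

```python
import re

# Constructed sample in audit.log record layout; process names, pids and
# timestamps are placeholders, not data from this bug.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1314030000.101:52): arch=c000003e syscall=133 success=yes exit=0 items=2 ppid=1 pid=811 uid=0 comm="example-creator" exe="/usr/bin/example-creator" subj=system_u:system_r:initrc_t:s0 key=(null)
type=PATH msg=audit(1314030000.101:52): item=0 name="/dev/" inode=5 dev=00:05 obj=system_u:object_r:device_t:s0 nametype=PARENT
type=PATH msg=audit(1314030000.101:52): item=1 name="/dev/nvidiactl" inode=9001 dev=00:05 obj=system_u:object_r:device_t:s0 nametype=CREATE
type=SYSCALL msg=audit(1314030002.250:60): arch=c000003e syscall=2 success=yes exit=7 items=1 ppid=790 pid=902 uid=0 comm="example-reader" exe="/usr/bin/example-reader" subj=system_u:system_r:xserver_t:s0 key=(null)
type=PATH msg=audit(1314030002.250:60): item=0 name="/dev/nvidiactl" inode=9001 dev=00:05 obj=system_u:object_r:device_t:s0 nametype=NORMAL
'''

# Records of one event share the "timestamp:serial" id inside msg=audit(...).
HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Split 'k=v k="v"' pairs into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def find_creators(log_text, target):
    """Return SYSCALL details for events whose PATH record created `target`."""
    syscalls, created = {}, {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = parse_fields(body)
        if rtype == 'SYSCALL':
            syscalls[event_id] = fields
        elif (rtype == 'PATH' and fields.get('name') == target
              and fields.get('nametype') == 'CREATE'):
            # obj= is the SELinux label the node carried in this event
            created[event_id] = fields.get('obj')
    return [
        {'event': e, 'comm': syscalls[e].get('comm'),
         'exe': syscalls[e].get('exe'), 'pid': syscalls[e].get('pid'),
         'subj': syscalls[e].get('subj'), 'label_at_creation': created[e]}
        for e in created if e in syscalls
    ]

if __name__ == '__main__':
    for hit in find_creators(SAMPLE_LOG, '/dev/nvidiactl'):
        print(hit)
```

The subj value of the creating process and the obj label on the new node are the two fields that show whether a type transition applied when the device was created.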

Comment 7 Vladimir Shebordaev 2011-11-07 22:06:34 UTC
(In reply to comment #5)
> What process is creating these devices?

Well, I guess it is their Xorg server module that creates those /dev entries via inotify() as long as their kernel module does nothing special but register_chrdev() completely bypassing kobject infrastructure. So, it seems that proper restorecond configuration currently is the only way to set the correct security labels.

Comment 8 Vladimir Shebordaev 2011-11-07 22:14:52 UTC
I also confirm that as of 07-NOV-11 this nasty bug persists in Fedora 16

Comment 9 Eric Paris 2011-11-07 22:58:57 UTC
closing as a dup, fixed in selinux-policy-3.10.0-52.fc16.noarch

*** This bug has been marked as a duplicate of bug 748069 ***
