Description of problem:
For AMD fglrx driver, the GPU device node is /dev/ati/card*. But with the selinux policy on Fedora 16, the security context type for "/dev/ati/card*" is device_t, which should be dri_device_t instead, similar to "/dev/radeon". And then the gdm crashed because of no permission to open this dri device.

Version-Release number of selected component (if applicable):
26

How reproducible:
Every time

Steps to Reproduce:
1. Install latest fglrx driver support Xserver 1.11
2. reboot the system to graphics mode
3.

Actual results:
The greeter UI didn't show up

Expected results:
The greeter UI should show normally for user to login

Additional info:

Execute

# restorecon -R -v /dev/ati/card*

should fix. Try to update to the latest policy

# yum update selinux-policy-targeted --enablerepo=updates-testing

If you see this issue again, please reopen the bug.

Forgot to mention that the device node /dev/ati/card* is created at runtime when starting the X server. Is there any method to change the context type when creating the node by mknod?

After updating the selinux policy, the problem is still there. And running "matchpathcon /dev/ati/card0", I got the results below:

/dev/ati/card0 system_u:object_r:device_t:s0

The gdm crash problem with fglrx is caused by the display manager being started by /etc/X11/prefdm (with initrc_exec_t security context type). And it seems that initrc_exec_t has no permission to access device_t type device node. If I change prefdm to bin_t or change /dev/ati/card0 to dri_device_t, the problem doesn't happen. I think this problem can be solved from selinux policy side.

Miroslav, f9ba2da4a6449f14aaf13dca0335d33e254ad52a should fix this.
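
An added example, not part of the original report or of the selinux-policy project: a shell check built on the matchpathcon test from the reporter's comment, which flags /dev/ati/card* nodes whose policy-default type is not dri_device_t. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: find DRI device nodes whose policy-default SELinux type
# is not the wanted one, reading `matchpathcon`-style lines on stdin.

# Print the type field of an SELinux context (user:role:type:level).
# Any MLS categories after the level do not disturb field 3.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin and print every /dev/ati/card* path
# whose type differs from the wanted type ($1).
# Returns 1 if at least one mismatch was printed, 0 otherwise.
mislabeled_dri_nodes() {
    want=$1
    rc=0
    while read -r path ctx; do
        case $path in
            /dev/ati/card*) ;;   # only the fglrx nodes from the report
            *) continue ;;
        esac
        if [ "$(context_type "$ctx")" != "$want" ]; then
            printf '%s\n' "$path"
            rc=1
        fi
    done
    return $rc
}

# Sample input: line 1 is the matchpathcon result quoted in the report,
# line 2 is constructed to show a node that already has the wanted type.
SAMPLE='/dev/ati/card0 system_u:object_r:device_t:s0
/dev/ati/card1 system_u:object_r:dri_device_t:s0'

printf '%s\n' "$SAMPLE" | mislabeled_dri_nodes dri_device_t |
    sed 's/^/policy default is not dri_device_t: /'
```

On a system with the SELinux tools installed, the same function can read live data: `matchpathcon /dev/ati/card* | mislabeled_dri_nodes dri_device_t`.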