
wrong SELinux context for /dev/nvidiactl and /dev/nvidia0

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • CatPkg:
      x11-drivers/nvidia-kernel-modules
    • Kit/Branch:
      core-gl-kit/1.4-release

      Description

      /dev/nvidiactl and /dev/nvidia0 have the wrong SELinux type:

      # ls -lZ /dev/nvidia0 /dev/nvidiactl
      crw-rw----. 1 root video system_u:object_r:device_t 195,   0 Oct 16 20:48 /dev/nvidia0
      crw-rw----. 1 root video system_u:object_r:device_t 195, 255 Oct 16 20:48 /dev/nvidiactl
      
      # restorecon /dev/nvidia0 /dev/nvidiactl && ls -lZ /dev/nvidia0 /dev/nvidiactl
      crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195,   0 Oct 16 20:48 /dev/nvidia0
      crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195, 255 Oct 16 20:48 /dev/nvidiactl
      

      The reason is that the OpenRC devfs init script restores the default SELinux security contexts in /dev during the sysinit runlevel, but /dev/nvidiactl and /dev/nvidia0 are created later, in the boot runlevel (while the /etc/init.d/modules script is starting).

      It was possible to debug this issue with great help from this blog post: http://blog.siphos.be/2017/08/using-nvidia-with-selinux/

      One of the drawbacks is an xorg/xserver error on a machine that has SELinux strict mode enabled:

      $ startx
      # cat /var/log/Xorg.0.log | grep EE
      	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
      [  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
      [  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
      [  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
      [  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
      [  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
      [  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
      [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
      [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
      [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
      [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
      [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
      [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
      [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
      [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
      [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
      [  4173.978] (EE) No devices detected.
      [  4173.978] (EE) 
      [  4173.978] (EE) no screens found(EE) 
      [  4173.978] (EE) 
      [  4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
      [  4173.978] (EE) 
      [  4174.074] (EE) Server terminated with error (1). Closing log file.
      
      # cat /var/log/audit/audit.log | grep nvidiactl
      type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2330): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2331): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2332): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2333): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2334): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2335): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2336): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      type=AVC msg=audit(1570959889.813:2337): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
      
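The ticket's diagnosis (nodes created by the modules service after devfs has already run its relabel) and its symptom (AVC denials on device_t for X) can be turned into a small check-and-relabel routine. The script below is an added example, not code from the ticket or from Funtoo; it assumes the expected type is xserver_misc_device_t (the type the ticket's restorecon output shows), and the suggested hook location /etc/local.d/nvidia-selinux.start is an assumption based on the OpenRC local service convention. The sample `ls -lZ` and audit.log lines are constructed from the ticket's output so the parsing functions run offline.

```shell
#!/bin/sh
# Added example (not from the Funtoo ticket): spot /dev/nvidia* nodes that
# still carry the generic device_t type and relabel them once the kernel
# module has created them. Assumed expected type: xserver_misc_device_t.

EXPECTED_TYPE="xserver_misc_device_t"

# Constructed sample input, copied in shape from the ticket's `ls -lZ` output.
SAMPLE_LS='crw-rw----. 1 root video system_u:object_r:device_t 195,   0 Oct 16 20:48 /dev/nvidia0
crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195, 255 Oct 16 20:48 /dev/nvidiactl'

# Constructed sample audit lines in the same shape as the ticket's AVC records.
SAMPLE_AUDIT='type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0'

# type_of_line: print the SELinux type (third colon-separated part of the
# context, which is the 5th field of an `ls -lZ` line).
type_of_line() {
    printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'
}

# wrong_nodes: read `ls -lZ` lines on stdin, print the path (last field) of
# every node whose type differs from EXPECTED_TYPE.
wrong_nodes() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        t=$(type_of_line "$line")
        if [ "$t" != "$EXPECTED_TYPE" ]; then
            printf '%s\n' "${line##* }"
        fi
    done
}

# avc_device_denials: from audit.log lines on stdin, print "path type" for
# each AVC denial against a chr_file, deduplicated. Useful as a detection
# query: any /dev/nvidia* path paired with device_t means the relabel was
# missed on this boot.
avc_device_denials() {
    grep 'avc:  denied' | grep 'tclass=chr_file' |
    sed -n 's/.*path="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^ :]*\).*/\1 \2/p' |
    sort -u
}

# relabel_nvidia_nodes: the corrective action, meant to run from an OpenRC
# hook such as /etc/local.d/nvidia-selinux.start (assumed location) so it
# executes after the modules service has created the nodes. Relabels only
# the nodes found wrong, and only if restorecon exists on the system.
relabel_nvidia_nodes() {
    command -v restorecon >/dev/null 2>&1 || {
        echo "restorecon not available; nothing relabeled" >&2
        return 1
    }
    ls -lZ /dev/nvidia* 2>/dev/null | wrong_nodes | while IFS= read -r p; do
        restorecon -v "$p"
    done
}

# Stand-alone demo on the constructed samples (no root, no SELinux needed).
echo "Nodes with the wrong type in the sample listing:"
printf '%s\n' "$SAMPLE_LS" | wrong_nodes
echo "Device denials in the sample audit log (path type):"
printf '%s\n' "$SAMPLE_AUDIT" | avc_device_denials
```

On a live system the demo lines at the bottom are replaced by a call to relabel_nvidia_nodes from the hook; running the audit query after boot is the cheapest way to confirm the hook fired before X started.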

      People

      Assignee: Unassigned
      Reporter: mrl5
      Votes: 0
      Watchers: 2