Bug | Resolution: Fixed | Normal
/dev/nvidiactl and /dev/nvidia0 have wrong SELinux type
# ls -lZ /dev/nvidia0 /dev/nvidiactl
crw-rw----. 1 root video system_u:object_r:device_t 195, 0 Oct 16 20:48 /dev/nvidia0
crw-rw----. 1 root video system_u:object_r:device_t 195, 255 Oct 16 20:48 /dev/nvidiactl
# restorecon /dev/nvidia0 /dev/nvidiactl && ls -lZ /dev/nvidia0 /dev/nvidiactl
crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195, 0 Oct 16 20:48 /dev/nvidia0
crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195, 255 Oct 16 20:48 /dev/nvidiactl
The reason is that the OpenRC devfs init script restores the default SELinux security contexts in /dev during the sysinit runlevel, but /dev/nvidiactl and /dev/nvidia0 are created later, in the boot runlevel (while the /etc/init.d/modules script is starting), so they keep the generic device_t label instead of the type the policy expects.
It was possible to debug this issue with great help from this blog post: http://blog.siphos.be/2017/08/using-nvidia-with-selinux/
One of the consequences is an Xorg/xserver failure on a machine that has SELinux strict mode enabled:
$ startx
# cat /var/log/Xorg.0.log | grep EE
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.977] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.977] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.977] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.977] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) No devices detected.
[ 4173.978] (EE)
[ 4173.978] (EE) no screens found(EE)
[ 4173.978] (EE)
[ 4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[ 4173.978] (EE)
[ 4174.074] (EE) Server terminated with error (1). Closing log file.
# cat /var/log/audit/audit.log | grep nvidiactl
type=AVC msg=audit(1570959889.809:2328): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2331): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2332): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2333): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2334): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2335): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2336): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2337): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
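The following is an added example, written by the editor and not part of this bug report or of the OpenRC/Funtoo code, that triages the problem from both sides seen above: it picks out device nodes whose SELinux type is still the generic device_t from `ls -lZ` output, collapses the repeated AVC denials in audit.log into one counted line per (scontext, tcontext, tclass, path, permission) key, and wraps the restorecon fix so it can be run from a late boot hook. The sample `ls -lZ` and audit lines are constructed to match the report's layout; the /etc/local.d hook placement and the helper names (mislabelled_nodes, avc_summary, relabel_nodes) are the editor's assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the tracker): triage the mislabelled
# NVIDIA device nodes from the `ls -lZ` view and from the audit.log AVC view.

# Type the policy expects for the NVIDIA nodes (taken from the report's
# restorecon output). device_t is the generic fallback label.
EXPECTED_TYPE="xserver_misc_device_t"

# Print paths of nodes whose SELinux type differs from EXPECTED_TYPE.
# Reads `ls -lZ` lines on stdin; assumes the report's layout, where the
# context is the 5th field and the path is the last one (no spaces in paths).
mislabelled_nodes() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 5 {
            split($5, ctx, ":")          # seuser:role:type[:level]
            if (ctx[3] != want) print $NF
        }'
}

# Collapse repeated AVC denials into one line per
# (scontext, tcontext, tclass, path, permissions) key, prefixed by a count.
avc_summary() {
    awk '
        /avc: +denied/ {
            perm = ""; path = ""; sc = ""; tc = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {                      # "{ perm perm }" block
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                } else if ($i ~ /^path=/) {
                    split($i, p, "\""); path = p[2]   # strip the quotes
                } else if ($i ~ /^scontext=/) { sc = substr($i, 10) }
                else if ($i ~ /^tcontext=/)   { tc = substr($i, 10) }
                else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            }
            count[sc " " tc " " cls " " path " " perm]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# The fix from the report, wrapped so it can be run late in boot. On OpenRC an
# /etc/local.d/*.start script runs in the default runlevel, after the boot
# runlevel's /etc/init.d/modules has created the nodes; that hook placement is
# the editor's suggestion, not the change the tracker shipped.
relabel_nodes() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found" >&2; return 1; }
    while read -r node; do restorecon -v "$node"; done
}

# Constructed samples in the report's formats (nvidiactl already relabelled).
SAMPLE_LS='crw-rw----. 1 root video system_u:object_r:device_t 195, 0 Oct 16 20:48 /dev/nvidia0
crw-rw----. 1 root video system_u:object_r:xserver_misc_device_t 195, 255 Oct 16 20:48 /dev/nvidiactl'

SAMPLE_AUDIT='type=AVC msg=audit(1570959889.809:2328): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0'

echo "nodes still carrying the wrong type:"
printf '%s\n' "$SAMPLE_LS" | mislabelled_nodes
echo "denials grouped (count scontext tcontext tclass path perms):"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
# Live use on the affected box:  ls -lZ /dev/nvidia* | mislabelled_nodes | relabel_nodes
```

The grouped AVC line is the useful signal here: a tcontext of device_t on a chr_file that X needs means a labelling problem (a node created after the restore pass), not a missing policy rule, so the right response is relabelling at the right point in boot rather than an audit2allow rule that would grant xserver_t access to every generic device.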
Relates to: FL-6779 SELinux - command prompt instead of xdm when started by OpenRC
Work Queue