nVIDIA binary driver audits generated by OpenGL apps

Andrew Farris fedora at andrewfarris.com
Tue Apr 27 01:39:44 UTC 2004


I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties.  I see that there is some
policy with this intention, but it is not quite adequate yet, as below.
Some hints how to proceed, or solutions to this would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:

Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file

Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file

The X server can start up as normal user without any audit of X itself
starting. When X is started in permissive mode only these audits appear,
but glxgears and glxinfo work as expected.  These programs, and all my
other openGL apps, need access to /dev/nvidiactl.

The error message generated at command prompt in enforcing mode is:
Error: Could not open /dev/nvidiactl because the permissions
are too resticitive.  Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.

Although the unix perms of the device nodes are all identical as below:
crw-rw-rw-  0 0   system_u:object_r:xserver_misc_device_t /dev/nvidiactl
crw-rw-rw-  1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl

To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.*        system_u:object_r:xserver_misc_device_t

And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };

When running enforcing with the /dev/nvidia* devices labeled as
dri_device_t (had to try), the same behavior exists, X runs.. but
glxgears/glxinfo (and GL games) cannot access the nvidiactl device.

-- 
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
