nVIDIA binary driver audits generated by OpenGL apps

Daniel J Walsh dwalsh at redhat.com
Wed Apr 28 15:40:59 UTC 2004


Andrew Farris wrote:

>I am working toward getting Enforcing mode to work with the nvidia
>binary drivers, and having some difficulties.  I see that there is some
>policy with this intention, but it is not quite adequate yet, as below.
>Some hints how to proceed, or solutions to this would be appreciated.
>Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
>
>Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
>denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo
>name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
>tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
>
>Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
>denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears
>name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
>tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
>
>The X server can start up as normal user without any audit of X itself
>starting. When X is started in permissive mode only these audits appear,
>but glxgears and glxinfo work as expected.  These programs, and all my
>other openGL apps, need access to /dev/nvidiactl.
>
>The error message generated at command prompt in enforcing mode is:
>Error: Could not open /dev/nvidiactl because the permissions
>are too resticitive.  Please see the FREQUENTLY ASKED QUESTIONS
>section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
>to correct.
>
>Although the unix perms of the device nodes are all identical as below:
>crw-rw-rw-  0 0   system_u:object_r:xserver_misc_device_t /dev/nvidiactl
>crw-rw-rw-  1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl
>
>To relabel the devices I uncommented the definition of
>xserver_misc_device_t from ./types/device.te, and added the following
>line to ./file_contexts/program/xserver.fc (then make reload, followed
>by setfiles on these devices).
>/dev/nvidia.*        system_u:object_r:xserver_misc_device_t
>
>And I rely on these (there are 4) lines in policy.conf after the make (I
>do not understand how these are generated yet).
>allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
>lock write append };
>
>When running enforcing with the /dev/nvidia* devices labeled as
>dri_device_t (had to try), the same behavior exists, X runs, but
>glxgears/glxinfo (and GL games) cannot access the nvidiactl device.
>
Did setting the context to

xserver_misc_device_t
get it to work?

Dan
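The denials quoted in the thread are the raw material for a policy fix, and a practitioner's first step is to read them precisely rather than guess at labels. The following is an added example, not code from the thread or from the SELinux tooling: a small parser that takes the two AVC lines above (re-joined onto one line each, as a constructed sample), groups the denied permissions by source type, target type and object class, and renders the result in the `allow` rule syntax the poster saw in policy.conf. The field names (`exe`, `scontext`, `tcontext`, `tclass`) are the ones visible in the log; everything else is an assumption of this example.

```python
import re

# Constructed sample: the two AVC denials from the mail above, each re-joined onto one line.
SAMPLE_LOG = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one kernel AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary.setdefault(key, set()).update(rec["perms"])
    return summary


def suggest_allow_rules(summary):
    """Render each grouped denial in the allow-rule form seen in policy.conf.

    These are candidates for review, not rules to apply blindly: each one
    widens what the source domain may do to the target type.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Run on the sample it prints `allow user_t xserver_misc_device_t:chr_file { read write };`. That output makes the mismatch in the thread visible: the denied source domain is `user_t` (the user's own shell domain, in which glxinfo and glxgears run), while the rule the poster quoted from policy.conf grants `user_xserver_t` access to `xserver_misc_device_t`, so it covers the X server but not the GL clients. Whether an ordinary user domain should be allowed raw access to a GPU control device is a policy decision to make deliberately; the grouping above is only meant to state precisely what is being denied.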
