
Re: nVIDIA binary driver audits generated by OpenGL apps

Andrew Farris wrote:

On Wed, 2004-04-28 at 11:40 -0400, Daniel J Walsh wrote:

Andrew Farris wrote:

I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties.  I see that there is some
policy with this intention, but it is not quite adequate yet, as below.
Some hints how to proceed, or solutions to this would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:

Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file

Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file

To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.* system_u:object_r:xserver_misc_device_t

And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };

Did setting the context to

xserver_misc_device_t
get it to work?

Dan

Sorry about the extra-size email; it is confusing. Yes, running with the /dev/nvidia* devices labeled as xserver_misc_device_t will allow the X server to run and log in, etc. However, it does NOT allow glxinfo or glxgears to run (they complain about access permissions to /dev/nvidiactl). I need policy that will allow user programs access { read write } to /dev/nvidiactl before any OpenGL apps will run with these drivers (the same issue happens for Quake3, AAOps, not just these GL test tools).

Perhaps the solution involves including each game in games.fc?

The same problem may exist for running with the new nvidia dri software
for OpenGL, I did not check yet, but will. If the problem does not
exist for that then a similar setup for nvidiactl may work, I'm not
sure.


Not sure of the security ramifications, but does adding the following fix your problem? This might
need to be a tunable.

diff -u base_user_macros.te~ base_user_macros.te --- base_user_macros.te~ 2004-04-29 09:18:03.882721648 -0400 +++ base_user_macros.te 2004-04-29 09:18:58.802372592 -0400 @@ -250,6 +250,9 @@

')dnl end ifdef xdm.te

+# Access the special XServer devices.
+allow $1_t xserver_misc_device_t:chr_file rw_file_perms;
+
# Access the sound device.
allow $1_t sound_device_t:chr_file { getattr read write ioctl };
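Review bot: the added line "allow $1_t xserver_misc_device_t:chr_file rw_file_perms;" is unconditional, so every user domain instantiated through this macro gets direct read/write access to every device node labeled xserver_misc_device_t, not only /dev/nvidiactl; the covering message itself says this might need to be a tunable, so wrap it in an ifdef/tunable guard (e.g. ifdef(`user_gl_device_access', ...) with a placeholder name of your choosing) so that systems without such drivers keep the default deny. Two smaller points: rw_file_perms is wider than the { read write } the quoted denials asked for (ioctl is almost certainly needed by the driver, so the wider set is probably right, but the comment should say so), and "# Access the special XServer devices." would be more useful as "# Direct-rendering clients need the nvidia control device (/dev/nvidia*)." so the next reader knows which devices and why.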


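A small illustration of what the two quoted audit lines express and how they map onto the allow rule under discussion, added here as an example (not code from the thread or from the SELinux policy tree): it parses the AVC records into (source type, target type, class, permissions), emits the minimal allow rule for them, and contrasts that with the rw_file_perms set; it also checks that the file_contexts entry /dev/nvidia.* covers /dev/nvidiactl as well as the /dev/nvidiaN nodes. Assumptions: the rw_file_perms expansion is taken to be the same six permissions shown in the quoted user_xserver_t rule, and the sample denials are the thread's own audit lines joined back into one record each.

```python
import re
from collections import defaultdict

# Sample AVC denials, copied from the audit lines quoted in this thread and
# joined back into one record each (the mail wrapped them).
AVC_LINES = [
    "Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: "
    "denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo "
    "name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t "
    "tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file",
    "Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: "
    "denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears "
    "name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t "
    "tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file",
]

# Assumption: this is what rw_file_perms expands to in the policy of that era;
# it matches the expanded user_xserver_t rule quoted earlier in the thread.
RW_FILE_PERMS = {"ioctl", "read", "getattr", "lock", "write", "append"}

# file_contexts entry added in the thread; setfiles matches the whole path.
FILE_CONTEXTS = [
    (r"/dev/nvidia.*", "system_u:object_r:xserver_misc_device_t"),
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields an allow rule needs from one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # a context is user:role:type; the policy rule is written in terms of types
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def avc_to_allow_rules(lines):
    """Aggregate denials per (source, target, class) into minimal allow rules."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(needed.items())
    ]


def perms_beyond_observed(lines, macro_perms=RW_FILE_PERMS):
    """Permissions the macro would grant that no denial actually asked for."""
    observed = set()
    for line in lines:
        d = parse_avc(line)
        if d:
            observed |= d["perms"]
    return sorted(macro_perms - observed)


def label_for(path, entries=FILE_CONTEXTS):
    """Label a path the way setfiles would: last matching entry wins."""
    label = None
    for pattern, ctx in entries:
        if re.fullmatch(pattern, path):
            label = ctx
    return label


if __name__ == "__main__":
    for rule in avc_to_allow_rules(AVC_LINES):
        print(rule)
    print("extra perms from rw_file_perms:", perms_beyond_observed(AVC_LINES))
    for p in ("/dev/nvidiactl", "/dev/nvidia0", "/dev/null"):
        print(p, "->", label_for(p))
```

The minimal rule that falls out of the two denials is for user_t only; the macro change in the thread instead grants the access to every $1_t domain, which is the difference between fixing one user's glxgears and widening policy for all users.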