nVidia device label and permissions?

[Tom Mitchell]

Someday nVidia will have a driver that loads and this might matter.

# fixfiles relabel
Cleaning out /tmp
/usr/sbin/setfiles:  read 1461 specifications
/usr/sbin/setfiles:  labeling files under /
/dev/nvidia0: Permission denied
/usr/sbin/setfiles:  unable to relabel /dev/nvidia0 to system_u:object_r:device_t
/dev/nvidia1: Permission denied
/usr/sbin/setfiles:  unable to relabel /dev/nvidia1 to system_u:object_r:device_t
/dev/nvidia2: Permission denied
# ls -Z  /dev/nvid*
crw-rw-rw-+ root     root     root:object_r:device_t           /dev/nvidia0
...
crw-rw-rw-  root     root     root:object_r:device_t           /dev/nvidia7
crw-rw-rw-  root     root     root:object_r:device_t           /dev/nvidiactl

Seen in var/log/messages

 audit(1081879792.549:0): avc:  denied  { relabelto } for  pid=2283 exe=/usr/sbin/setfiles name=nvidiactl dev=hda2 ino=71864 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:device_t tclass=chr_file

Does anyone have nVidia tainted drivers running in enforcing mode, yet?


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.