On Tue, 07 Jun 2011 12:28:03 -0700, Joe Zeff wrote:
> On 06/07/2011 06:46 AM, Lawrence E Graves wrote:
>> SELinux is preventing
>> /usr/libexec/gnome-session-check-accelerated-helper from 'read, write'
>> accesses on the chr_file nvidiactl.
>
> Have you tried following the instructions SELinux gives you? If so,
> what happens; if not, why not?
I've added a local policy following the instructions given in the alert.
This fixes the problem.
Since this is an NVidia installer problem, I guess the bug should be
reported to NVidia. The installer already does a lot of SELinux
modifications, so I imagine adding one more shouldn't be a problem.
>From audit.log:
type=AVC msg=audit(1307125809.403:55): avc: denied { read write } for
pid=1596 comm="gnome-session-c" name="nvidiactl" dev=devtmpfs ino=18991
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1307125809.403:55): avc: denied { open } for
pid=1596 comm="gnome-session-c" name="nvidiactl" dev=devtmpfs ino=18991
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>From the recommendations:
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'
Currently:
ls -Z /dev/nvidiactl
crw-rw-rw-. root root system_u:object_r:device_t:s0 nvidiactl
ls -Z /usr/libexec/gnome-session-check-accelerated-helper
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 gnome-session-
check-accelerated-helper
So what should the SIMILAR_TYPE be?
I really need to sit down and study the SELinux documents . . . .
Thanks for any pointers.
/mde/
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
