Andrew Farris wrote:
I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties. I see that there is some
policy with this intention, but it is not quite adequate yet, as below.
Some hints on how to proceed, or solutions to this, would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
The X server can start up as normal user without any audit of X itself
starting. When X is started in permissive mode only these audits appear,
but glxgears and glxinfo work as expected. These programs, and all my
other OpenGL apps, need access to /dev/nvidiactl.
The error message generated at command prompt in enforcing mode is:
Error: Could not open /dev/nvidiactl because the permissions
are too resticitive. Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.
Although the unix perms of the device nodes are all identical as below:
crw-rw-rw- 0 0 system_u:object_r:xserver_misc_device_t /dev/nvidiactl
crw-rw-rw- 1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl
To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.* system_u:object_r:xserver_misc_device_t
And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };
When running enforcing with the /dev/nvidia* devices labeled as
dri_device_t (had to try), the same behavior exists: X runs, but
glxgears/glxinfo (and GL games) cannot access the nvidiactl device.
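As an added illustration (not code from this thread), a small Python script that parses the two AVC denials quoted above, merges them per (source type, target type, class) the way audit2allow does, and reports which permissions the quoted policy.conf rule does not already grant. It assumes the classic user:role:type context format without an MLS suffix; the sample log lines and existing rule are the ones from the post, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted above, re-joined onto one
# line each as the kernel emits them.
SAMPLE_AVC = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
"""
# The rule the poster found in policy.conf: it grants the X server domain
# (user_xserver_t) access, which says nothing about the user_t domain.
EXISTING_POLICY = "allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr lock write append };"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)"
                    r".*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"allow\s+(?P<s>\S+)\s+(?P<t>\S+):(?P<c>\S+)\s+\{\s*(?P<p>[^}]+?)\s*\}\s*;")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) from one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # user:role:type -> type (no MLS field assumed)
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def parse_allow_rules(policy_text):
    """Map (source, target, class) -> permissions granted by allow rules."""
    granted = defaultdict(set)
    for m in ALLOW_RE.finditer(policy_text):
        granted[(m.group("s"), m.group("t"), m.group("c"))] |= set(m.group("p").split())
    return granted

def missing_rules(avc_text, policy_text):
    """Allow rules (policy.conf syntax) that the denials need but the policy lacks."""
    needed = defaultdict(set)
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed[(stype, ttype, tclass)] |= perms
    granted = parse_allow_rules(policy_text)
    rules = []
    for key, perms in sorted(needed.items()):
        gap = perms - granted.get(key, set())   # only what is not already allowed
        if gap:
            rules.append(f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(gap))} }};")
    return rules

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_AVC, EXISTING_POLICY):
        print(rule)
```

The output shows that the gap is in the user_t domain, not user_xserver_t; whether to grant user_t that access directly, or to give the GL clients a domain of their own, is a policy decision the script does not make.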
Did setting the context to xserver_misc_device_t get it to work?
Dan