nVIDIA binary driver audits generated by OpenGL apps

Andrew Farris fedora at andrewfarris.com
Wed Apr 28 22:05:19 UTC 2004


On Wed, 2004-04-28 at 11:40 -0400, Daniel J Walsh wrote:
> Andrew Farris wrote:
> 
> >I am working toward getting Enforcing mode to work with the nvidia
> >binary drivers, and having some difficulties.  I see that there is some
> >policy with this intention, but it is not quite adequate yet, as below.
> >Some hints how to proceed, or solutions to this would be appreciated.
> >Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
> >
> >Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
> >denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo
> >name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
> >tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
> >
> >Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
> >denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears
> >name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
> >tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file

> >To relabel the devices I uncommented the definition of
> >xserver_misc_device_t from ./types/device.te, and added the following
> >line to ./file_contexts/program/xserver.fc (then make reload, followed
> >by setfiles on these devices).
> >/dev/nvidia.*        system_u:object_r:xserver_misc_device_t

> >And I rely on these (there are 4) lines in policy.conf after the make (I
> >do not understand how these are generated yet).
> >allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
> >lock write append };

> Did setting the context to
> 
> xserver_misc_device_t
> get it to work?
> 
> Dan

Sorry about the extra size email, it is confusing.  Yes, running with
the /dev/nvidia* devices labeled as xserver_misc_device_t will allow the
X server to run and login.. etc.  However it does NOT allow glxinfo or
glxgears to run (they complain about access permissions
to /dev/nvidiactl).  I need policy that will allow user programs access
{ read write } to /dev/nvidiactl before any OpenGL apps will run with
these drivers (the same issue happens for Quake3, AAOps.. not just these
GL test tools).

Perhaps the solution involves including each game in games.fc?

The same problem may exist for running with the new nvidia dri software
for OpenGL, I did not check yet, but will.  If the problem does not
exist for that then a similar setup for nvidiactl may work, I'm not
sure.
-- 
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
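The thread works from raw `avc: denied` lines toward an `allow` rule for `user_t` on `xserver_misc_device_t:chr_file`. The script below is an added example (not part of the list post, and not the Fedora policy tooling) showing the same derivation in code: it parses the two denials quoted above, re-joined onto single lines as constructed sample input, groups them by source type, target type and object class, merges the denied permissions, and prints the resulting rule. It is a deliberately minimal stand-in for what `audit2allow` does; the field names (`scontext`, `tcontext`, `tclass`) are those that appear in the quoted kernel messages.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the thread, each
# re-joined onto a single line the way the kernel originally emitted them.
SAMPLE_AUDIT = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:  denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:  denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
"""

# Matches "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return (set of denied permissions, dict of key=value fields) for one
    AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return perms, fields


def type_of(context):
    """Extract the type (third colon-separated part) from a security context,
    e.g. 'LordMorgul:user_r:user_t' -> 'user_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(text):
    """Group denials by (source type, target type, class) and merge the
    permissions, so two processes hitting the same device yield one key."""
    needed = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, fields = parsed
        key = (type_of(fields["scontext"]),
               type_of(fields["tcontext"]),
               fields["tclass"])
        needed[key] |= perms
    return needed


def allow_rules(text):
    """Render the merged denials as SELinux allow rules, one per key."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(text).items()):
        rules.append("allow %s %s:%s { %s };"
                     % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Run as-is it prints a single rule, `allow user_t xserver_misc_device_t:chr_file { read write };`, which is the shape of the `allow user_xserver_t ...` lines Andrew found in policy.conf, with the subject changed to the user domain that the denials name. Treat such a generated rule as a starting point for review rather than something to drop into policy unchanged: it grants every `user_t` process the merged permission set, and the thread's own suggestion of per-program contexts (games.fc) is the narrower alternative.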