nVIDIA binary driver audits generated by OpenGL apps

Daniel J Walsh dwalsh at redhat.com
Thu Apr 29 13:20:24 UTC 2004


Andrew Farris wrote:

>On Wed, 2004-04-28 at 11:40 -0400, Daniel J Walsh wrote:
>
>>Andrew Farris wrote:
>>
>>>I am working toward getting Enforcing mode to work with the nvidia
>>>binary drivers, and having some difficulties.  I see that there is some
>>>policy with this intention, but it is not quite adequate yet, as below.
>>>Some hints on how to proceed, or solutions to this, would be appreciated.
>>>Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
>>>
>>>Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
>>>denied  { read write } for  pid=15200 exe=/usr/X11R6/bin/glxinfo
>>>name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
>>>tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
>>>
>>>Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
>>>denied  { read write } for  pid=15209 exe=/usr/X11R6/bin/glxgears
>>>name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
>>>tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
>>>
>>>To relabel the devices I uncommented the definition of
>>>xserver_misc_device_t from ./types/device.te, and added the following
>>>line to ./file_contexts/program/xserver.fc (then make reload, followed
>>>by setfiles on these devices).
>>>/dev/nvidia.*        system_u:object_r:xserver_misc_device_t
>>>
>>>And I rely on these (there are 4) lines in policy.conf after the make (I
>>>do not understand how these are generated yet).
>>>allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
>>>lock write append };
>>>
>>Did setting the context to
>>
>>xserver_misc_device_t
>>get it to work?
>>
>>Dan
>
>Sorry about the extra-size email, it is confusing.  Yes, running with
>the /dev/nvidia* devices labeled as xserver_misc_device_t will allow the
>X server to run and login, etc.  However it does NOT allow glxinfo or
>glxgears to run (they complain about access permissions
>to /dev/nvidiactl).  I need policy that will allow user programs access
>{ read write } to /dev/nvidiactl before any OpenGL apps will run with
>these drivers (the same issue happens for Quake3, AAOps, not just these
>GL test tools).
>
>Perhaps the solution involves including each game in games.fc?
>
>The same problem may exist for running with the new nvidia dri software
>for OpenGL, I did not check yet, but will.  If the problem does not
>exist for that then a similar setup for nvidiactl may work, I'm not
>sure.
>
Not sure of the security ramifications, but does adding the following
fix your problem?  This might need to be a tunable.


diff -u base_user_macros.te~ base_user_macros.te
--- base_user_macros.te~    2004-04-29 09:18:03.882721648 -0400
+++ base_user_macros.te    2004-04-29 09:18:58.802372592 -0400
@@ -250,6 +250,9 @@
 
 ')dnl end ifdef xdm.te
 
+# Access the special XServer devices.
+allow $1_t xserver_misc_device_t:chr_file rw_file_perms;
+
 # Access the sound device.
 allow $1_t sound_device_t:chr_file { getattr read write ioctl };
 
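Review bot: the new allow rule in the @@ -250 hunk is unconditional even though the covering note says it may need to be a tunable; consider wrapping it in an ifdef so that sites not running the nvidia binary driver do not grant every $1_t user domain rw_file_perms on xserver_misc_device_t (the same { ioctl read getattr lock write append } set quoted above for user_xserver_t), since base_user_macros.te is expanded for every user domain, not only the one that reported the denial. The comment "# Access the special XServer devices." should also say which devices this covers (the /dev/nvidia* nodes relabeled xserver_misc_device_t) and why ordinary user domains rather than just the X server need them (OpenGL clients such as glxinfo open /dev/nvidiactl directly), so the next reader can tell whether the rule still applies once the driver setup changes.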