SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from 'read, write' accesses on the chr_file nvidiactl.

Daniel J Walsh dwalsh at redhat.com
Tue Jun 7 13:53:24 UTC 2011



On 06/07/2011 09:46 AM, Lawrence E Graves wrote:
> SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from 'read, write' accesses on the chr_file nvidiactl.
> 
> *****  Plugin device (91.4 confidence) suggests  *****************************
> 
> If you want to allow gnome-session-check-accelerated-helper to have read write access on the nvidiactl chr_file
> Then you need to change the label on nvidiactl to a type of a similar device.
> Do
> # semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
> # restorecon -v 'nvidiactl'
> 
> *****  Plugin catchall (9.59 confidence) suggests  ***************************
> 
> If you believe that gnome-session-check-accelerated-helper should be allowed read write access on the nvidiactl chr_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:device_t:s0
> Target Objects                nvidiactl [ chr_file ]
> Source                        gnome-session-c
> Source Path                   /usr/libexec/gnome-session-check-accelerated-
>                               helper
> Port                          <Unknown>
> Host                          Jehovah.localdomain
> Source RPM Packages           gnome-session-3.0.1-2.fc15
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.9.16-26.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     Jehovah.localdomain
> Platform                      Linux Jehovah.localdomain 2.6.38.7-30.fc15.x86_64
>                               #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
> Alert Count                   5
> First Seen                    Mon 06 Jun 2011 06:40:55 AM MDT
> Last Seen                     Tue 07 Jun 2011 05:20:46 AM MDT
> Local ID                      e2321259-3895-45f0-8eaa-1d2294ce8e89
> 
> Raw Audit Messages
> type=AVC msg=audit(1307445646.599:49): avc:  denied  { read write } for  pid=1630 comm="gnome-session-c" name="nvidiactl" dev=devtmpfs ino=15320 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> 
> 
> type=SYSCALL msg=audit(1307445646.599:49): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff4eae8860 a1=2 a2=7fff4eae886e a3=7fff4eae81f0 items=0 ppid=1623 pid=1630 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gnome-session-c exe=/usr/libexec/gnome-session-check-accelerated-helper subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: gnome-session-c,xdm_t,device_t,chr_file,read,write
> 
> audit2allow
> 
> #============= xdm_t ==============
> allow xdm_t device_t:chr_file { read write };
> 
> audit2allow -R
> 
> #============= xdm_t ==============
> allow xdm_t device_t:chr_file { read write };
> 
> 
Please do not spam the list with these.  Open a bugzilla and someone
will take care of you.  In this case you are using a proprietary driver
that is not creating the device with the correct label.  You can either
create a local custom module to allow this access, or you can try to run
a restorecon on the device during boot to get it labeled correctly.

In F16 we have added filename transition labeling which should allow us
to get this label correct even when proprietary apps do not create
devices correctly.
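The triage the reply describes (a device node left in the generic `device_t` type points at a labeling problem rather than a missing policy rule), as an added example that is not part of the original thread or of setroubleshoot. The function names, the `device_t` heuristic and the second log line are assumptions made for illustration.

```python
import re

# Constructed sample: the AVC record quoted in the message above, plus one
# made-up denial on a specifically labelled file for contrast.
SAMPLE_LOG = '''\
type=AVC msg=audit(1307445646.599:49): avc:  denied  { read write } for  pid=1630 comm="gnome-session-c" name="nvidiactl" dev=devtmpfs ino=15320 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1307445700.101:77): avc:  denied  { read } for  pid=2001 comm="httpd" name="shadow" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the level may contain ':' itself,
    # so take the third field rather than splitting from the right.
    for side in ('scontext', 'tcontext'):
        rec[side + '_type'] = rec[side].split(':')[2]
    return rec


def triage(rec):
    """Heuristic (assumption): a device node still in generic device_t is a
    labeling problem; anything else needs a look at the policy itself."""
    if rec['tcontext_type'] == 'device_t' and rec['tclass'] in ('chr_file', 'blk_file'):
        return 'mislabeled-device'
    return 'policy-review'


def triage_log(text):
    """Return (comm, target name, source type, verdict) for each AVC denial."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rows.append((rec['comm'], rec['name'], rec['scontext_type'], triage(rec)))
    return rows


if __name__ == '__main__':
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

A `mislabeled-device` verdict corresponds to the relabeling route in the reply (fixing the label on the device) rather than a local `allow xdm_t device_t:chr_file` module, which would grant the domain access to every character device still carrying the generic type.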

