`/dev/nvidiactl` and `/dev/nvidia0` have the wrong SELinux context (see the attached nvidia_sec_context.log). The reason is that the OpenRC devfs init script restores the default SELinux security contexts in /dev during the sysinit runlevel: https://github.com/OpenRC/openrc/blob/882c6bf3bcaba6903d9dc593f8ae41e505b4e4e7/init.d/devfs.in#L118 but /dev/nvidiactl and /dev/nvidia0 are created later, in the boot runlevel (while the /etc/init.d/modules script is starting). It was possible to debug this issue with the great help of this blog post: http://blog.siphos.be/2017/08/using-nvidia-with-selinux/ One of the drawbacks is xorg/xserver errors on a machine that has SELinux strict mode enabled.
Created attachment 592958: ls -lZ of /dev files
Give this a shot and lemme know:

  # cat /etc/tmpfiles.d/nvidia.conf
  #Type Path Mode UID GID Age Argument
  z /dev/nvidia* 0660 root video - -
(In reply to Jason Zaman from comment #2)
> Give this a shot and lemme know:
>
> # cat /etc/tmpfiles.d/nvidia.conf
> #Type Path Mode UID GID Age Argument
> z /dev/nvidia* 0660 root video - -

I don't have this file (I'm on funtoo):

  # find / -name *nvidia.conf
  /etc/modprobe.d/nvidia.conf
(In reply to Jason Zaman from comment #2)
> Give this a shot and lemme know:
>
> # cat /etc/tmpfiles.d/nvidia.conf
> #Type Path Mode UID GID Age Argument
> z /dev/nvidia* 0660 root video - -

... but creating this file did not help. Just in case, this is the context of the dir and the file:

  # ls -lZ /etc/ | grep tmpfiles
  drwxr-xr-x. 2 root root system_u:object_r:tmpfiles_conf_t 4096 Oct 19 22:36 tmpfiles.d
  # ls -lZ /etc/tmpfiles.d/
  total 4
  -rw-r--r--. 1 root root system_u:object_r:tmpfiles_conf_t 77 Oct 19 22:36 nvidia.conf
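The symptom in comment #1 (device nodes created after the devfs relabel pass keep a generic context) and the tmpfiles.d attempt in comment #2 both come down to one question: does the live label on each /dev/nvidia* node match what the loaded policy expects? The script below is an added example, not part of this bug report or of any Gentoo package. It has an offline part that compares `ls -lZ` output against a wanted type (exercised here on constructed sample lines, assuming `xserver_misc_device_t` as the wanted type purely for illustration), and a live wrapper that takes the wanted type from `matchpathcon` so it reports exactly the nodes that `restorecon` would relabel.

```shell
#!/bin/sh
# Added example (not from the bug report): report /dev/nvidia* nodes whose
# SELinux type differs from what the policy expects.

# Extract the SELinux type (third field of user:role:type[:level]).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` lines on stdin and print each path whose type is not $1.
# Output format: "<path> <actual_type> expected <wanted_type>"
# Assumes the coreutils layout: perms links owner group context ... path
mismatched_nodes() {
    wanted="$1"
    while read -r perms links owner group ctx rest; do
        # skip the "total N" summary line and blank lines
        case "$perms" in total|"") continue ;; esac
        path="${rest##* }"          # last whitespace-separated word is the path
        actual=$(selinux_type "$ctx")
        if [ "$actual" != "$wanted" ]; then
            printf '%s %s expected %s\n' "$path" "$actual" "$wanted"
        fi
    done
}

# Live check (needs an SELinux-enabled host with matchpathcon from libselinux):
# the wanted type is whatever the loaded policy says, not a hard-coded value.
check_live_nvidia_nodes() {
    for dev in /dev/nvidia*; do
        [ -e "$dev" ] || continue
        wanted=$(matchpathcon -n "$dev" | cut -d: -f3)
        ls -lZ "$dev" | mismatched_nodes "$wanted"
    done
}

# Constructed sample of `ls -lZ` output: nvidiactl still carries the generic
# device_t label that a node created after the devfs relabel pass would have.
SAMPLE_LS='crw-rw-rw-. 1 root root system_u:object_r:device_t 195, 255 Oct 19 22:36 /dev/nvidiactl
crw-rw-rw-. 1 root root system_u:object_r:xserver_misc_device_t 195, 0 Oct 19 22:36 /dev/nvidia0'

# Offline demonstration; on a real host call check_live_nvidia_nodes instead.
printf '%s\n' "$SAMPLE_LS" | mismatched_nodes xserver_misc_device_t
```

An empty report from `check_live_nvidia_nodes` after the modules service has started is the condition a fix (whether a tmpfiles.d `z` entry or a relabel in the driver's own hook) has to reach; any line it prints names a node that was created after the devfs restorecon pass and never relabelled.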
Proposed bugfix: https://github.com/gentoo/gentoo/pull/13350
The fix would not have been possible without the great help of @Zero_Chaos, who pointed to https://gitweb.gentoo.org/repo/gentoo.git/plain/x11-drivers/nvidia-drivers/files/nvidia-udev.sh-r1
Not familiar with SELinux (or these issues), so I'll need a proposed solution. However, nvidia-udev.sh is gone, so the previous fix can't be used. Currently devices are created whenever they are needed by nvidia-modprobe (suid root), called by nvidia's libraries (udev doesn't do anything). With recent changes it's now possible to modify nvidia-modprobe [1] (built from source, unlike before); would that be useful?

[1] https://github.com/NVIDIA/nvidia-modprobe