mrl5 Posted October 13, 2019

Some questions regarding @drobbins' announcement: https://forums.funtoo.org/topic/2997-selinux-packages-updated-in-14-and-selinux-next-development/

1. If I (as a Funtoo user) report bugs (found on a Funtoo machine) to the Gentoo Hardened SELinux project, do I also need to report them to bugs.funtoo.org? (example: FL-6753 and 697564). That's not a problem for me, but what about the devs?

2. I think that I found one sec-policy bug related to nvidia which I suspect is Funtoo-specific. I connect it with this change:

Quote:
Another important change for NVIDIA proprietary graphics users -- a new package nvidia-kernel-modules is now used to install the NVIDIA kernel modules. nvidia-drivers will only install the userland components.

but I can't tell if it's valid for Gentoo and whether I should bother @perfinion from #gentoo-hardened.

EDIT: regarding Q#2, if someone is interested in the logs: I believe it's /dev/nvidiactl related.

$ startx
# cat /var/log/Xorg.0.log
[ 4173.919] X.Org X Server 1.20.5
X Protocol Version 11, Revision 0
[ 4173.919] Build Operating System: Linux 4.19.67_p2-r1-debian-sources-lts x86_64 Gentoo
[ 4173.920] Current Operating System: Linux pc 4.19.67_p2-r1-debian-sources-lts #1 SMP Fri Sep 27 13:23:14 CEST 2019 x86_64
[ 4173.920] Kernel command line: BOOT_IMAGE=/kernel-debian-sources-lts-x86_64-4.19.67_p2-r1 real_root=/dev/sdc6 rootfstype=ext4 rand_id=FI38EHQ7 pci=nocrs security=selinux enforcing=1
[ 4173.921] Build Date: 11 October 2019 06:19:53PM
[ 4173.921]
[ 4173.921] Current version of pixman: 0.34.0
[ 4173.921] Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.
[ 4173.921] Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 4173.922] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Oct 13 11:44:49 2019
[ 4173.923] (==) Using config file: "/etc/X11/xorg.conf"
[ 4173.923] (==) Using config directory: "/etc/X11/xorg.conf.d"
[ 4173.923] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[ 4173.924] (==) ServerLayout "X.org Configured"
[ 4173.924] (**) |-->Screen "Screen0" (0)
[ 4173.924] (**) | |-->Monitor "Monitor0"
[ 4173.924] (**) | |-->Device "Card0"
[ 4173.924] (**) |-->Input Device "Mouse0"
[ 4173.924] (**) |-->Input Device "Keyboard0"
[ 4173.924] (==) Automatically adding devices
[ 4173.924] (==) Automatically enabling devices
[ 4173.924] (==) Automatically adding GPU devices
[ 4173.924] (==) Max clients allowed: 256, resource mask: 0x1fffff
[ 4173.924] (**) FontPath set to: /usr/share/fonts/misc/, /usr/share/fonts/TTF/, /usr/share/fonts/OTF/, /usr/share/fonts/Type1/, /usr/share/fonts/100dpi/, /usr/share/fonts/75dpi/, /usr/share/fonts/misc/, /usr/share/fonts/TTF/, /usr/share/fonts/OTF/, /usr/share/fonts/Type1/, /usr/share/fonts/100dpi/, /usr/share/fonts/75dpi/
[ 4173.924] (**) ModulePath set to "/usr/lib64/xorg/modules"
[ 4173.924] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 'vmmouse' will be disabled.
[ 4173.924] (WW) Disabling Mouse0
[ 4173.924] (WW) Disabling Keyboard0
[ 4173.924] (II) Loader magic: 0x5631abd5ac40
[ 4173.924] (II) Module ABI versions:
[ 4173.924] X.Org ANSI C Emulation: 0.4
[ 4173.924] X.Org Video Driver: 24.0
[ 4173.924] X.Org XInput driver : 24.1
[ 4173.924] X.Org Server Extension : 10.0
[ 4173.924] (II) xfree86: Adding drm device (/dev/dri/card0)
[ 4173.927] (**) OutputClass "nvidia" ModulePath extended to "/opt/nvidia/nvidia-drivers-435.21/lib64,/opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules,/opt/nvidia/nvidia-drivers-435.21/lib64/opengl/nvidia/extensions,/usr/lib64/xorg/modules"
[ 4173.930] (--) PCI:*(1@0:0:0) 10de:1c03:10de:1c03 rev 161, Mem @ 0xe9000000/16777216, 0xd0000000/268435456, 0xe0000000/33554432, I/O @ 0x00003000/128, BIOS @ 0x????????/131072
[ 4173.930] (II) "glx" will be loaded. This was enabled by default and also specified in the config file.
[ 4173.930] (II) LoadModule: "glx"
[ 4173.930] (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
[ 4173.931] (II) Module glx: vendor="X.Org Foundation"
[ 4173.931] compiled for 1.20.5, module version = 1.0.0
[ 4173.931] ABI class: X.Org Server Extension, version 10.0
[ 4173.931] (II) LoadModule: "nvidia"
[ 4173.932] (II) Loading /opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules/drivers/nvidia_drv.so
[ 4173.932] (II) Module nvidia: vendor="NVIDIA Corporation"
[ 4173.932] compiled for 1.6.99.901, module version = 1.0.0
[ 4173.932] Module class: X.Org Video Driver
[ 4173.932] (II) NVIDIA dlloader X Driver 435.21 Sun Aug 25 08:17:08 CDT 2019
[ 4173.932] (II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
[ 4173.932] (--) using VT number 7
[ 4173.932] (WW) xf86OpenConsole: setpgid failed: Invalid argument
[ 4173.932] (WW) xf86OpenConsole: setsid failed: Operation not permitted
[ 4173.975] (II) Loading sub module "fb"
[ 4173.975] (II) LoadModule: "fb"
[ 4173.976] (II) Loading /usr/lib64/xorg/modules/libfb.so
[ 4173.976] (II) Module fb: vendor="X.Org Foundation"
[ 4173.976] compiled for 1.20.5, module version = 1.0.0
[ 4173.976] ABI class: X.Org ANSI C Emulation, version 0.4
[ 4173.976] (II) Loading sub module "wfb"
[ 4173.976] (II) LoadModule: "wfb"
[ 4173.977] (II) Loading /usr/lib64/xorg/modules/libwfb.so
[ 4173.977] (II) Module wfb: vendor="X.Org Foundation"
[ 4173.977] compiled for 1.20.5, module version = 1.0.0
[ 4173.977] ABI class: X.Org ANSI C Emulation, version 0.4
[ 4173.977] (II) Loading sub module "ramdac"
[ 4173.977] (II) LoadModule: "ramdac"
[ 4173.977] (II) Module "ramdac" already built-in
[ 4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.977] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.977] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.977] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.977] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[ 4173.978] (EE) NVIDIA: system's kernel log for additional error messages and
[ 4173.978] (EE) NVIDIA: consult the NVIDIA README for details.
[ 4173.978] (EE) No devices detected.
[ 4173.978] (EE)
Fatal server error:
[ 4173.978] (EE) no screens found(EE)
[ 4173.978] (EE)
Please consult the The X.Org Foundation support at http://wiki.x.org for help.
[ 4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[ 4173.978] (EE)
[ 4174.074] (EE) Server terminated with error (1). Closing log file.

# cat /var/log/audit/audit.log
type=AVC msg=audit(1570959889.745:2325): avc: denied { read } for pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 a0=7fffc6865100 a1=4 a2=7fffc6865106 a3=1 items=1 ppid=7910 pid=7911 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2325): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2325): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2325): proctitle=7861757468006C6973740070633A30
type=AVC msg=audit(1570959889.745:2326): avc: denied { read } for pid=7913 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2326): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe1358c600 a1=4 a2=7ffe1358c606 a3=1 items=1 ppid=7898 pid=7913 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2326): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2326): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2326): proctitle=7861757468002D71
type=AVC msg=audit(1570959889.765:2327): avc: denied { getpgid } for pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=SYSCALL msg=audit(1570959889.765:2327): arch=c000003e syscall=121 success=no exit=-13 a0=1eea a1=7fff69fd9da0 a2=3 a3=5631abb3752d items=0 ppid=7914 pid=7915 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="X" exe="/usr/bin/Xorg" subj=staff_u:staff_r:xserver_t key=(null)
type=PROCTITLE msg=audit(1570959889.765:2327): proctitle=2F7573722F62696E2F58002D6E6F6C697374656E00746370003A30002D61757468002F686F6D652F6B7562612F2E736572766572617574682E37383938
type=AVC msg=audit(1570959889.809:2328): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2331): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2332): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2333): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2334): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2335): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2336): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2337): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959904.753:2338): avc: denied { read } for pid=7919 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959904.753:2338): arch=c000003e syscall=21 success=no exit=-13 a0=7fff56b3b2f0 a1=4 a2=7fff56b3b2f6 a3=1 items=1 ppid=7898 pid=7919 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959904.753:2338): cwd="/home/kuba"
type=PATH msg=audit(1570959904.753:2338): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959904.753:2338): proctitle=78617574680072656D6F76650070633A30003A30

# audit2why -al | grep xserver
allow staff_t xserver_tmp_t:file map;
#============= xserver_t ==============
allow xserver_t chromium_t:file { open read };
allow xserver_t device_t:chr_file { getattr ioctl map open read write };
allow xserver_t staff_t:file { open read };
allow xserver_t urandom_device_t:chr_file { getattr ioctl open read };
allow xserver_t xdm_t:file { open read };
allow xserver_t xscreensaver_t:file { open read };
allow xserver_t xserver_tmp_t:file map;
mrl5 (Author) Posted October 15, 2019

Regarding question #2: I've found this cool blogpost, and the method described there fixes the problem. All I have to do is run this command after every boot:

restorecon /dev/nvidiactl /dev/nvidia0

At this moment I've added it to /etc/init.d/xdm, but I'll dig further for a better solution.

So question #1 is still open. @drobbins any thoughts?

EDIT:
Q#1: answered here
Q#2: opened bug FL-6772, related to OpenRC
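The two posts above contain the whole diagnostic story: the audit.log shows xserver_t denied getattr on /dev/nvidiactl whose tcontext is the generic device_t, audit2why proposes "allow xserver_t device_t:chr_file { getattr ioctl map open read write }", and restorecon turns out to be the actual fix. The distinction matters: device_t is refpolicy's fallback type for device nodes that never received their proper label, so an allow rule against it would hand the X server every unlabeled device on the box, while relabeling fixes only the node that was wrong. The script below is an added example (not code from the thread, Funtoo or Gentoo) that parses AVC records, separates "target is mislabeled" from "policy lacks the rule", and emits the restorecon candidates. The sample records are copied from the audit.log posted above (the SYSCALL line is abridged); the expected type for /dev/nvidia* (xserver_misc_device_t, per refpolicy's device.fc) and the set of generic fallback types are assumptions, and on a live system matchpathcon(1) is the authority.

```python
"""Triage SELinux AVC denials: labelling problem vs. real policy gap.

Added example for this thread, not code from the original posts, Funtoo or
Gentoo. Assumptions: the expected type for /dev/nvidia* comes from
refpolicy's device.fc; GENERIC_TYPES is a heuristic list of fallback labels.
"""

import re
from collections import Counter

# Sample input: a subset of the audit.log posted in the thread, one record
# per line (the SYSCALL record is abridged). Constructed for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1570959889.745:2325): avc: denied { read } for pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 ppid=7910 pid=7911 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=AVC msg=audit(1570959889.765:2327): avc: denied { getpgid } for pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=AVC msg=audit(1570959889.809:2328): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc: denied { getattr } for pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
"""

# auditd prints "avc:  denied  { perms } for  k=v ..." with double spaces;
# the forum copy collapsed them, so whitespace is matched with \s+.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted (comm="X") or bare (pid=7915).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fallback types meaning "this object never got its proper label". A denial
# against one of these is a labelling bug, not a reason for an allow rule
# (assumption: heuristic list, extend for your policy).
GENERIC_TYPES = {'device_t', 'unlabeled_t', 'file_t', 'default_t'}
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'chr_file', 'blk_file',
                'sock_file', 'fifo_file'}
# Assumption: expected labels per refpolicy device.fc, as a tiny fc table.
DEVICE_FC = [(re.compile(r'^/dev/nvidia.*$'), 'xserver_misc_device_t')]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': float(m['ts']), 'serial': int(m['serial']),
           'perms': tuple(m['perms'].split())}
    for key, value in KV_RE.findall(m['rest']):
        rec[key] = value.strip('"')
    return rec


def type_of(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(':')[2]


def expected_type(path):
    """Expected type for a path per DEVICE_FC, or None when unknown."""
    for pattern, stype in DEVICE_FC:
        if pattern.match(path):
            return stype
    return None


def classify(rec):
    """'mislabeled' when a file-like target carries a generic fallback type,
    'policy' otherwise (the target label is right; the rule is missing)."""
    if rec.get('tclass') in FILE_CLASSES and type_of(rec['tcontext']) in GENERIC_TYPES:
        return 'mislabeled'
    return 'policy'


def triage(log_text):
    """Parse AVC records; return (records, summary, mislabeled_paths).

    summary counts denials per (source type, target type, class, perms);
    mislabeled_paths are the restorecon candidates."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    summary = Counter()
    mislabeled = set()
    for r in records:
        summary[(type_of(r['scontext']), type_of(r['tcontext']),
                 r.get('tclass'), r['perms'])] += 1
        if classify(r) == 'mislabeled' and 'path' in r:
            mislabeled.add(r['path'])
    return records, summary, sorted(mislabeled)


def restorecon_command(paths):
    """argv that relabels the mislabeled paths, or None when nothing to do."""
    return ['restorecon', '-v', *paths] if paths else None


if __name__ == '__main__':
    recs, summary, paths = triage(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perms), n in summary.most_common():
        print(f'{n:3d}  {src} -> {tgt} : {cls} {{ {" ".join(perms)} }}')
    for p in paths:
        print(f'mislabeled: {p}, expected {expected_type(p)}')
    cmd = restorecon_command(paths)
    if cmd:
        print('suggested fix:', ' '.join(cmd))
```

Run against the posted log, the xauth and getpgid denials come out as policy questions for the Gentoo Hardened folks, while the /dev/nvidiactl denials come out as a labelling problem with "restorecon -v /dev/nvidiactl" as the fix, which is what the second post found by hand. If the label comes back wrong after every boot, as it did here, the remaining question is who creates the node without the right context (the OpenRC bug filed as FL-6772), not the policy.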
zdavatz Posted April 4, 2020

I am also crosslinking this thread from Nvidia here: https://forums.developer.nvidia.com/t/nvidia-driver-does-not-work-for-kernel-5-6-nvidia-gp107/118413/4
drobbins (Funtoo Linux BDFL) Posted April 12, 2020

@mrl5 sorry I missed this thread, but you should always report bugs to bugs.funtoo.org and we will take it upstream as needed.
mrl5 (Author) Posted April 12, 2020 (edited)

@zdavatz so I've checked your nvidia thread and I did not see any info that you are using SELinux. This forum topic is SELinux related, and the described issue was fixed in FL-6772. Sorry if I missed something; did you cross-link this thread because of similarities in the logs, or is there some other reason?

(EE) NVIDIA: Failed to initialize the NVIDIA kernel module

BTW, when I experienced this bug I was on kernel version 4 (4.9 AFAIR), and you mentioned problems with 5.6 that do not occur in 5.5.

BTW2: I see that Gentoo did not merge my fix yet: https://github.com/gentoo/gentoo/pull/13350 and the bug is still open in their bugzilla: https://bugs.gentoo.org/697886

Edited April 12, 2020 by mrl5