mrl5
Some questions regarding @drobbins' announcement: https://forums.funtoo.org/topic/2997-selinux-packages-updated-in-14-and-selinux-next-development/

1. If I (as a Funtoo user) report bugs (found on a Funtoo machine) to the Gentoo Hardened SELinux project, do I also need to report them to bugs.funtoo.org? (example: FL-6753 and 697564). That's not a problem for me, but I don't know about the devs.

2. I think that I found one sec-policy bug related to nvidia which I suspect is funtoo specific.

    I connect it with this change

Quote

Another important change for NVIDIA proprietary graphics users -- a new package nvidia-kernel-modules is now used to install the NVIDIA kernel modules. nvidia-drivers will only install the userland components.

    but I can't tell if it's valid for Gentoo and whether I should bother @perfinion from #gentoo-hardened

EDIT: regarding Q#2 if someone is interested in logs:

I believe it's /dev/nvidiactl related

$ startx

# cat /var/log/Xorg.0.log
[  4173.919] 
X.Org X Server 1.20.5
X Protocol Version 11, Revision 0
[  4173.919] Build Operating System: Linux 4.19.67_p2-r1-debian-sources-lts x86_64 Gentoo
[  4173.920] Current Operating System: Linux pc 4.19.67_p2-r1-debian-sources-lts #1 SMP Fri Sep 27 13:23:14 CEST 2019 x86_64
[  4173.920] Kernel command line: BOOT_IMAGE=/kernel-debian-sources-lts-x86_64-4.19.67_p2-r1 real_root=/dev/sdc6 rootfstype=ext4 rand_id=FI38EHQ7 pci=nocrs security=selinux enforcing=1
[  4173.921] Build Date: 11 October 2019  06:19:53PM
[  4173.921]  
[  4173.921] Current version of pixman: 0.34.0
[  4173.921] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[  4173.921] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  4173.922] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Oct 13 11:44:49 2019
[  4173.923] (==) Using config file: "/etc/X11/xorg.conf"
[  4173.923] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  4173.923] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[  4173.924] (==) ServerLayout "X.org Configured"
[  4173.924] (**) |-->Screen "Screen0" (0)
[  4173.924] (**) |   |-->Monitor "Monitor0"
[  4173.924] (**) |   |-->Device "Card0"
[  4173.924] (**) |-->Input Device "Mouse0"
[  4173.924] (**) |-->Input Device "Keyboard0"
[  4173.924] (==) Automatically adding devices
[  4173.924] (==) Automatically enabling devices
[  4173.924] (==) Automatically adding GPU devices
[  4173.924] (==) Max clients allowed: 256, resource mask: 0x1fffff
[  4173.924] (**) FontPath set to:
	/usr/share/fonts/misc/,
	/usr/share/fonts/TTF/,
	/usr/share/fonts/OTF/,
	/usr/share/fonts/Type1/,
	/usr/share/fonts/100dpi/,
	/usr/share/fonts/75dpi/,
	/usr/share/fonts/misc/,
	/usr/share/fonts/TTF/,
	/usr/share/fonts/OTF/,
	/usr/share/fonts/Type1/,
	/usr/share/fonts/100dpi/,
	/usr/share/fonts/75dpi/
[  4173.924] (**) ModulePath set to "/usr/lib64/xorg/modules"
[  4173.924] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 'vmmouse' will be disabled.
[  4173.924] (WW) Disabling Mouse0
[  4173.924] (WW) Disabling Keyboard0
[  4173.924] (II) Loader magic: 0x5631abd5ac40
[  4173.924] (II) Module ABI versions:
[  4173.924] 	X.Org ANSI C Emulation: 0.4
[  4173.924] 	X.Org Video Driver: 24.0
[  4173.924] 	X.Org XInput driver : 24.1
[  4173.924] 	X.Org Server Extension : 10.0
[  4173.924] (II) xfree86: Adding drm device (/dev/dri/card0)
[  4173.927] (**) OutputClass "nvidia" ModulePath extended to "/opt/nvidia/nvidia-drivers-435.21/lib64,/opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules,/opt/nvidia/nvidia-drivers-435.21/lib64/opengl/nvidia/extensions,/usr/lib64/xorg/modules"
[  4173.930] (--) PCI:*(1@0:0:0) 10de:1c03:10de:1c03 rev 161, Mem @ 0xe9000000/16777216, 0xd0000000/268435456, 0xe0000000/33554432, I/O @ 0x00003000/128, BIOS @ 0x????????/131072
[  4173.930] (II) "glx" will be loaded. This was enabled by default and also specified in the config file.
[  4173.930] (II) LoadModule: "glx"
[  4173.930] (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
[  4173.931] (II) Module glx: vendor="X.Org Foundation"
[  4173.931] 	compiled for 1.20.5, module version = 1.0.0
[  4173.931] 	ABI class: X.Org Server Extension, version 10.0
[  4173.931] (II) LoadModule: "nvidia"
[  4173.932] (II) Loading /opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules/drivers/nvidia_drv.so
[  4173.932] (II) Module nvidia: vendor="NVIDIA Corporation"
[  4173.932] 	compiled for 1.6.99.901, module version = 1.0.0
[  4173.932] 	Module class: X.Org Video Driver
[  4173.932] (II) NVIDIA dlloader X Driver  435.21  Sun Aug 25 08:17:08 CDT 2019
[  4173.932] (II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
[  4173.932] (--) using VT number 7

[  4173.932] (WW) xf86OpenConsole: setpgid failed: Invalid argument
[  4173.932] (WW) xf86OpenConsole: setsid failed: Operation not permitted
[  4173.975] (II) Loading sub module "fb"
[  4173.975] (II) LoadModule: "fb"
[  4173.976] (II) Loading /usr/lib64/xorg/modules/libfb.so
[  4173.976] (II) Module fb: vendor="X.Org Foundation"
[  4173.976] 	compiled for 1.20.5, module version = 1.0.0
[  4173.976] 	ABI class: X.Org ANSI C Emulation, version 0.4
[  4173.976] (II) Loading sub module "wfb"
[  4173.976] (II) LoadModule: "wfb"
[  4173.977] (II) Loading /usr/lib64/xorg/modules/libwfb.so
[  4173.977] (II) Module wfb: vendor="X.Org Foundation"
[  4173.977] 	compiled for 1.20.5, module version = 1.0.0
[  4173.977] 	ABI class: X.Org ANSI C Emulation, version 0.4
[  4173.977] (II) Loading sub module "ramdac"
[  4173.977] (II) LoadModule: "ramdac"
[  4173.977] (II) Module "ramdac" already built-in
[  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) No devices detected.
[  4173.978] (EE) 
Fatal server error:
[  4173.978] (EE) no screens found(EE) 
[  4173.978] (EE) 
Please consult the The X.Org Foundation support 
	 at http://wiki.x.org
 for help. 
[  4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[  4173.978] (EE) 
[  4174.074] (EE) Server terminated with error (1). Closing log file.
# cat /var/log/audit/audit.log
type=AVC msg=audit(1570959889.745:2325): avc:  denied  { read } for  pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 a0=7fffc6865100 a1=4 a2=7fffc6865106 a3=1 items=1 ppid=7910 pid=7911 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2325): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2325): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2325): proctitle=7861757468006C6973740070633A30
type=AVC msg=audit(1570959889.745:2326): avc:  denied  { read } for  pid=7913 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2326): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe1358c600 a1=4 a2=7ffe1358c606 a3=1 items=1 ppid=7898 pid=7913 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2326): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2326): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2326): proctitle=7861757468002D71
type=AVC msg=audit(1570959889.765:2327): avc:  denied  { getpgid } for  pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=SYSCALL msg=audit(1570959889.765:2327): arch=c000003e syscall=121 success=no exit=-13 a0=1eea a1=7fff69fd9da0 a2=3 a3=5631abb3752d items=0 ppid=7914 pid=7915 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="X" exe="/usr/bin/Xorg" subj=staff_u:staff_r:xserver_t key=(null)
type=PROCTITLE msg=audit(1570959889.765:2327): proctitle=2F7573722F62696E2F58002D6E6F6C697374656E00746370003A30002D61757468002F686F6D652F6B7562612F2E736572766572617574682E37383938
type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2331): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2332): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2333): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2334): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2335): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2336): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2337): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959904.753:2338): avc:  denied  { read } for  pid=7919 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959904.753:2338): arch=c000003e syscall=21 success=no exit=-13 a0=7fff56b3b2f0 a1=4 a2=7fff56b3b2f6 a3=1 items=1 ppid=7898 pid=7919 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959904.753:2338): cwd="/home/kuba"
type=PATH msg=audit(1570959904.753:2338): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959904.753:2338): proctitle=78617574680072656D6F76650070633A30003A30
# audit2why -al | grep xserver
allow staff_t xserver_tmp_t:file map;
#============= xserver_t ==============
allow xserver_t chromium_t:file { open read };
allow xserver_t device_t:chr_file { getattr ioctl map open read write };
allow xserver_t staff_t:file { open read };
allow xserver_t urandom_device_t:chr_file { getattr ioctl open read };
allow xserver_t xdm_t:file { open read };
allow xserver_t xscreensaver_t:file { open read };
allow xserver_t xserver_tmp_t:file map;


regarding question #2:

I've found this cool blogpost and the method described there fixes the problem. All I have to do is run this command after every boot

restorecon /dev/nvidiactl /dev/nvidia0

At the moment I've added it to /etc/init.d/xdm but I'll dig further for a better solution

 

so the question no #1 is still open. @drobbins any thoughts?

EDIT:

Q#1: answered here
Q#2: opened bug FL-6772 related to OpenRC
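
Added example, not part of the original posts: a Python triage of AVC records like those in the audit.log above. It separates denials against a device node that still carries the generic device_t label (the case restorecon fixed in this thread) from denials that call for a policy review. The function names, the verdict strings and the device_t heuristic are assumptions of this example; the sample records are abridged from the log above.

```python
import re
from collections import Counter

# device_t is the generic /dev type in the reference policy; a device node
# carrying it has usually not received its specific label yet (assumed heuristic).
GENERIC_DEVICE_TYPE = "device_t"
DEVICE_CLASSES = {"chr_file", "blk_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records abridged from the audit.log posted above (SYSCALL/CWD/PATH lines dropped).
SAMPLE_LOG = """\
type=AVC msg=audit(1570959889.745:2325): avc:  denied  { read } for  pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=AVC msg=audit(1570959889.765:2327): avc:  denied  { getpgid } for  pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
"""

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": " ".join(m.group("perms").split()),
        # user:role:type[:level] -> the type is always the third field
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name"),
    }

def triage(log_text):
    """Count denials keyed by (verdict, source, target, class, perms, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        mislabeled = (avc["tclass"] in DEVICE_CLASSES
                      and avc["target"] == GENERIC_DEVICE_TYPE)
        verdict = "relabel" if mislabeled else "review-policy"
        counts[(verdict, avc["source"], avc["target"], avc["tclass"],
                avc["perms"], avc["path"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG).items(), key=str):
        print(n, *key)
```

The "relabel" verdict points at the file context of the device node rather than at the `allow xserver_t device_t:chr_file` rule suggested in the audit2why output above, which would apply to every character device still labelled device_t.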


  • 5 months later...

@zdavatz so I've checked your nvidia thread and I did not see any info that you are using SELinux. This forum topic is SELinux related and the described issue was fixed in FL-6772

Sorry if I missed something - did you cross-link this thread because of similarities in logs or is there some other reason?

(EE) NVIDIA: Failed to initialize the NVIDIA kernel module

BTW when I experienced this bug I was on kernel version 4 (4.9 afair) and you mentioned problems with 5.6 that do not occur in 5.5
BTW2 I see that gentoo did not merge my fix yet: https://github.com/gentoo/gentoo/pull/13350 and the bug is still open in their bugzilla: https://bugs.gentoo.org/697886
