funtoo forums

Some questions regarding @drobbins' announcement: https://forums.funtoo.org/topic/2997-selinux-packages-updated-in-14-and-selinux-next-development/

1. If I (as a funtoo user) report bugs (found on a funtoo machine) to the Gentoo Hardened SELinux project, do I also need to report them to bugs.funtoo.org? (example: FL-6753 and 697564). That's not a problem for me, but I don't know about the devs?

2. I think that I found one sec-policy bug related to nvidia which I suspect is funtoo-specific.

I connect it with this change:

Quote

Another important change for NVIDIA proprietary graphics users -- a new package nvidia-kernel-modules is now used to install the NVIDIA kernel modules. nvidia-drivers will only install the userland components.

but I can't tell if it's valid for Gentoo and whether I should bother @perfinion from #gentoo-hardened.

EDIT: regarding Q#2, if someone is interested in the logs:

I believe it's /dev/nvidiactl related.

$ startx

# cat /var/log/Xorg.0.log
[  4173.919] 
X.Org X Server 1.20.5
X Protocol Version 11, Revision 0
[  4173.919] Build Operating System: Linux 4.19.67_p2-r1-debian-sources-lts x86_64 Gentoo
[  4173.920] Current Operating System: Linux pc 4.19.67_p2-r1-debian-sources-lts #1 SMP Fri Sep 27 13:23:14 CEST 2019 x86_64
[  4173.920] Kernel command line: BOOT_IMAGE=/kernel-debian-sources-lts-x86_64-4.19.67_p2-r1 real_root=/dev/sdc6 rootfstype=ext4 rand_id=FI38EHQ7 pci=nocrs security=selinux enforcing=1
[  4173.921] Build Date: 11 October 2019  06:19:53PM
[  4173.921]  
[  4173.921] Current version of pixman: 0.34.0
[  4173.921] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[  4173.921] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  4173.922] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Oct 13 11:44:49 2019
[  4173.923] (==) Using config file: "/etc/X11/xorg.conf"
[  4173.923] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  4173.923] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[  4173.924] (==) ServerLayout "X.org Configured"
[  4173.924] (**) |-->Screen "Screen0" (0)
[  4173.924] (**) |   |-->Monitor "Monitor0"
[  4173.924] (**) |   |-->Device "Card0"
[  4173.924] (**) |-->Input Device "Mouse0"
[  4173.924] (**) |-->Input Device "Keyboard0"
[  4173.924] (==) Automatically adding devices
[  4173.924] (==) Automatically enabling devices
[  4173.924] (==) Automatically adding GPU devices
[  4173.924] (==) Max clients allowed: 256, resource mask: 0x1fffff
[  4173.924] (**) FontPath set to:
	/usr/share/fonts/misc/,
	/usr/share/fonts/TTF/,
	/usr/share/fonts/OTF/,
	/usr/share/fonts/Type1/,
	/usr/share/fonts/100dpi/,
	/usr/share/fonts/75dpi/,
	/usr/share/fonts/misc/,
	/usr/share/fonts/TTF/,
	/usr/share/fonts/OTF/,
	/usr/share/fonts/Type1/,
	/usr/share/fonts/100dpi/,
	/usr/share/fonts/75dpi/
[  4173.924] (**) ModulePath set to "/usr/lib64/xorg/modules"
[  4173.924] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 'vmmouse' will be disabled.
[  4173.924] (WW) Disabling Mouse0
[  4173.924] (WW) Disabling Keyboard0
[  4173.924] (II) Loader magic: 0x5631abd5ac40
[  4173.924] (II) Module ABI versions:
[  4173.924] 	X.Org ANSI C Emulation: 0.4
[  4173.924] 	X.Org Video Driver: 24.0
[  4173.924] 	X.Org XInput driver : 24.1
[  4173.924] 	X.Org Server Extension : 10.0
[  4173.924] (II) xfree86: Adding drm device (/dev/dri/card0)
[  4173.927] (**) OutputClass "nvidia" ModulePath extended to "/opt/nvidia/nvidia-drivers-435.21/lib64,/opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules,/opt/nvidia/nvidia-drivers-435.21/lib64/opengl/nvidia/extensions,/usr/lib64/xorg/modules"
[  4173.930] (--) PCI:*(1@0:0:0) 10de:1c03:10de:1c03 rev 161, Mem @ 0xe9000000/16777216, 0xd0000000/268435456, 0xe0000000/33554432, I/O @ 0x00003000/128, BIOS @ 0x????????/131072
[  4173.930] (II) "glx" will be loaded. This was enabled by default and also specified in the config file.
[  4173.930] (II) LoadModule: "glx"
[  4173.930] (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
[  4173.931] (II) Module glx: vendor="X.Org Foundation"
[  4173.931] 	compiled for 1.20.5, module version = 1.0.0
[  4173.931] 	ABI class: X.Org Server Extension, version 10.0
[  4173.931] (II) LoadModule: "nvidia"
[  4173.932] (II) Loading /opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules/drivers/nvidia_drv.so
[  4173.932] (II) Module nvidia: vendor="NVIDIA Corporation"
[  4173.932] 	compiled for 1.6.99.901, module version = 1.0.0
[  4173.932] 	Module class: X.Org Video Driver
[  4173.932] (II) NVIDIA dlloader X Driver  435.21  Sun Aug 25 08:17:08 CDT 2019
[  4173.932] (II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
[  4173.932] (--) using VT number 7

[  4173.932] (WW) xf86OpenConsole: setpgid failed: Invalid argument
[  4173.932] (WW) xf86OpenConsole: setsid failed: Operation not permitted
[  4173.975] (II) Loading sub module "fb"
[  4173.975] (II) LoadModule: "fb"
[  4173.976] (II) Loading /usr/lib64/xorg/modules/libfb.so
[  4173.976] (II) Module fb: vendor="X.Org Foundation"
[  4173.976] 	compiled for 1.20.5, module version = 1.0.0
[  4173.976] 	ABI class: X.Org ANSI C Emulation, version 0.4
[  4173.976] (II) Loading sub module "wfb"
[  4173.976] (II) LoadModule: "wfb"
[  4173.977] (II) Loading /usr/lib64/xorg/modules/libwfb.so
[  4173.977] (II) Module wfb: vendor="X.Org Foundation"
[  4173.977] 	compiled for 1.20.5, module version = 1.0.0
[  4173.977] 	ABI class: X.Org ANSI C Emulation, version 0.4
[  4173.977] (II) Loading sub module "ramdac"
[  4173.977] (II) LoadModule: "ramdac"
[  4173.977] (II) Module "ramdac" already built-in
[  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
[  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
[  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
[  4173.978] (EE) No devices detected.
[  4173.978] (EE) 
Fatal server error:
[  4173.978] (EE) no screens found(EE) 
[  4173.978] (EE) 
Please consult the The X.Org Foundation support 
	 at http://wiki.x.org
 for help. 
[  4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[  4173.978] (EE) 
[  4174.074] (EE) Server terminated with error (1). Closing log file.
# cat /var/log/audit/audit.log
type=AVC msg=audit(1570959889.745:2325): avc:  denied  { read } for  pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 a0=7fffc6865100 a1=4 a2=7fffc6865106 a3=1 items=1 ppid=7910 pid=7911 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2325): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2325): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2325): proctitle=7861757468006C6973740070633A30
type=AVC msg=audit(1570959889.745:2326): avc:  denied  { read } for  pid=7913 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2326): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe1358c600 a1=4 a2=7ffe1358c606 a3=1 items=1 ppid=7898 pid=7913 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959889.745:2326): cwd="/home/kuba"
type=PATH msg=audit(1570959889.745:2326): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959889.745:2326): proctitle=7861757468002D71
type=AVC msg=audit(1570959889.765:2327): avc:  denied  { getpgid } for  pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=SYSCALL msg=audit(1570959889.765:2327): arch=c000003e syscall=121 success=no exit=-13 a0=1eea a1=7fff69fd9da0 a2=3 a3=5631abb3752d items=0 ppid=7914 pid=7915 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="X" exe="/usr/bin/Xorg" subj=staff_u:staff_r:xserver_t key=(null)
type=PROCTITLE msg=audit(1570959889.765:2327): proctitle=2F7573722F62696E2F58002D6E6F6C697374656E00746370003A30002D61757468002F686F6D652F6B7562612F2E736572766572617574682E37383938
type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2331): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2332): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2333): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2334): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2335): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2336): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2337): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959904.753:2338): avc:  denied  { read } for  pid=7919 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959904.753:2338): arch=c000003e syscall=21 success=no exit=-13 a0=7fff56b3b2f0 a1=4 a2=7fff56b3b2f6 a3=1 items=1 ppid=7898 pid=7919 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=CWD msg=audit(1570959904.753:2338): cwd="/home/kuba"
type=PATH msg=audit(1570959904.753:2338): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1570959904.753:2338): proctitle=78617574680072656D6F76650070633A30003A30
# audit2why -al | grep xserver
allow staff_t xserver_tmp_t:file map;
#============= xserver_t ==============
allow xserver_t chromium_t:file { open read };
allow xserver_t device_t:chr_file { getattr ioctl map open read write };
allow xserver_t staff_t:file { open read };
allow xserver_t urandom_device_t:chr_file { getattr ioctl open read };
allow xserver_t xdm_t:file { open read };
allow xserver_t xscreensaver_t:file { open read };
allow xserver_t xserver_tmp_t:file map;
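As an added example (my own code, not the poster's), here is a small Python triage script for audit.log records in the format shown above: it groups the denials by source type, target type, object class and permission, and flags target paths that still carry a generic label such as device_t, which is exactly the situation with /dev/nvidiactl here and points at a missing relabel rather than a missing allow rule. The sample records are constructed from the lines above, and the set of "generic" types to flag is my assumption.

```python
import re
from collections import Counter

# Constructed sample records, shaped like the audit.log lines in the post above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1570959889.745:2325): avc:  denied  { read } for  pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
type=AVC msg=audit(1570959889.765:2327): avc:  denied  { getpgid } for  pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
type=AVC msg=audit(1570959889.813:2330): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<action>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "no specific file context was applied". A device node
# left at device_t usually needs relabeling, not a new allow rule (assumption:
# this list is mine, taken from refpolicy's generic types).
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["action"] = m.group("action")
    rec["perms"] = m.group("perms").split()
    # contexts are user:role:type[:level]; the type is what policy rules use
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text):
    """Count denials per (source type, target type, class, permission) and
    collect paths whose target type is generic, i.e. relabel candidates."""
    counts = Counter()
    relabel = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
        if rec["ttype"] in GENERIC_TYPES and "path" in rec:
            relabel.add(rec["path"])
    return counts, relabel
```

Call triage() on the contents of /var/log/audit/audit.log to run it over a real log; the relabel set is what to check with restorecon before writing any policy module.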

 


Regarding question #2:

I've found this cool blog post, and the method described there fixes the problem. All I have to do is run this command after every boot:

restorecon /dev/nvidiactl /dev/nvidia0

At this moment I've added it to /etc/init.d/xdm, but I'll dig further for a better solution.

 

So question #1 is still open. @drobbins, any thoughts?

EDIT:

Q#1: answered here
Q#2: opened bug FL-6772 related to OpenRC
