From 29e9a329268de4706e7801b69c33b134a3e67f53 Mon Sep 17 00:00:00 2001 From: Ashutosh Kumar Singh Date: Sun, 1 Mar 2026 00:08:28 +0530 Subject: [PATCH 1/2] Fix SELinux detection in driver scripts Make chcon calls non-fatal by appending '|| true' so that the script does not abort when SELinux is disabled but /sys/fs/selinux is still mounted. This avoids requiring libselinux-utils (which provides selinuxenabled) to be installed in the container images. For nvidia-driver scripts (rhel8, rhel9, rhel10, precompiled): retain the existing [ -e /sys/fs/selinux ] check and add '|| true' to chcon. For ocp_dtk_entrypoint scripts: keep the original unconditional chcon call but make it non-fatal with '|| true'. For vgpu-manager scripts: keep the original unconditional chcon call but make it non-fatal with '|| true'. Resolves #1489. Signed-off-by: Ashutosh Kumar Singh --- rhel10/nvidia-driver | 2 +- rhel10/ocp_dtk_entrypoint | 2 +- rhel10/precompiled/nvidia-driver | 2 +- rhel8/nvidia-driver | 2 +- rhel8/ocp_dtk_entrypoint | 2 +- rhel8/precompiled/nvidia-driver | 2 +- rhel9/nvidia-driver | 2 +- rhel9/ocp_dtk_entrypoint | 2 +- rhel9/precompiled/nvidia-driver | 2 +- vgpu-manager/rhel8/nvidia-driver | 2 +- vgpu-manager/rhel9/nvidia-driver | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/rhel10/nvidia-driver b/rhel10/nvidia-driver
index f1e8d0615..72bd1dcc7 100755
--- a/rhel10/nvidia-driver
+++ b/rhel10/nvidia-driver
@@ -583,7 +583,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel10/ocp_dtk_entrypoint b/rhel10/ocp_dtk_entrypoint
index 50d3f65ed..12cdc2552 100755
--- a/rhel10/ocp_dtk_entrypoint
+++ b/rhel10/ocp_dtk_entrypoint
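Review bot: Appending `|| true` to `chcon -R -t container_file_t ${RUN_DIR}/driver/dev` in the rhel10/nvidia-driver `_mount_rootfs` hunk discards every relabel failure, not only the one the description targets (SELinux disabled while /sys/fs/selinux is still present). On a host where SELinux is actually in effect, a failed relabel would go unnoticed here and presumably surface later as access denials on the device files, which is much harder to trace back to this step. If the call has to stay non-fatal, report the failure, e.g. `chcon -R -t container_file_t "${RUN_DIR}/driver/dev" || echo "WARNING: chcon on ${RUN_DIR}/driver/dev failed" >&2`. The same applies to the other nvidia-driver hunks in this patch (rhel8, rhel9, the precompiled variants and vgpu-manager); `_mount_rootfs` starts and ends outside the hunk.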
@@ -74,7 +74,7 @@ nv-ctr-run-with-dtk() {
 # Tell SELinux to allow loading these files
 find . -type f \
 \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \;
+ -exec chcon -t modules_object_t "{}" \; || true
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel10/precompiled/nvidia-driver b/rhel10/precompiled/nvidia-driver
index 8b9c29a9f..489e22594 100755
--- a/rhel10/precompiled/nvidia-driver
+++ b/rhel10/precompiled/nvidia-driver
@@ -327,7 +327,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel8/nvidia-driver b/rhel8/nvidia-driver
index 58753091b..7508f8dd8 100755
--- a/rhel8/nvidia-driver
+++ b/rhel8/nvidia-driver
@@ -562,7 +562,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel8/ocp_dtk_entrypoint b/rhel8/ocp_dtk_entrypoint
index 9de26e7d0..97d793b1c 100755
--- a/rhel8/ocp_dtk_entrypoint
+++ b/rhel8/ocp_dtk_entrypoint
@@ -70,7 +70,7 @@ nv-ctr-run-with-dtk() {
 # Tell SELinux to allow loading these files
 find . -type f \
 \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \;
+ -exec chcon -t modules_object_t "{}" \; || true
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel8/precompiled/nvidia-driver b/rhel8/precompiled/nvidia-driver
index de85549bc..465a0e435 100755
--- a/rhel8/precompiled/nvidia-driver
+++ b/rhel8/precompiled/nvidia-driver
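Review bot: The `|| true` added after `-exec chcon -t modules_object_t "{}" \;` in the rhel10/ocp_dtk_entrypoint hunk guards `find`, not `chcon`: with the `\;` form the exit status of the executed command only decides the `-exec` predicate and is not reflected in find's own exit status. So a failing `chcon` did not abort the script on this path before the change, and what the new `|| true` actually hides is an error from `find` itself, such as an unreadable directory. Consider dropping it in this file, or record the intent next to it with a comment such as `# find -exec ... \; already ignores chcon's exit status`. The rhel8 and rhel9 ocp_dtk_entrypoint hunks are identical; `nv-ctr-run-with-dtk` continues outside the hunk.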
@@ -304,7 +304,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel9/nvidia-driver b/rhel9/nvidia-driver
index e1cf01a38..88363345c 100755
--- a/rhel9/nvidia-driver
+++ b/rhel9/nvidia-driver
@@ -579,7 +579,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel9/ocp_dtk_entrypoint b/rhel9/ocp_dtk_entrypoint
index ff876384f..b58b4e79a 100755
--- a/rhel9/ocp_dtk_entrypoint
+++ b/rhel9/ocp_dtk_entrypoint
@@ -74,7 +74,7 @@ nv-ctr-run-with-dtk() {
 # Tell SELinux to allow loading these files
 find . -type f \
 \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \;
+ -exec chcon -t modules_object_t "{}" \; || true
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel9/precompiled/nvidia-driver b/rhel9/precompiled/nvidia-driver
index 8b22e440a..f5faced9f 100755
--- a/rhel9/precompiled/nvidia-driver
+++ b/rhel9/precompiled/nvidia-driver
@@ -353,7 +353,7 @@ _mount_rootfs() {
 if [ -e /sys/fs/selinux ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/vgpu-manager/rhel8/nvidia-driver b/vgpu-manager/rhel8/nvidia-driver
index b15a1085a..8499f9b35 100755
--- a/vgpu-manager/rhel8/nvidia-driver
+++ b/vgpu-manager/rhel8/nvidia-driver
@@ -19,7 +19,7 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 }
 # Unmount the driver rootfs from the run directory.
diff --git a/vgpu-manager/rhel9/nvidia-driver b/vgpu-manager/rhel9/nvidia-driver
index 5efc0376d..37b851bfa 100755
--- a/vgpu-manager/rhel9/nvidia-driver
+++ b/vgpu-manager/rhel9/nvidia-driver
@@ -31,7 +31,7 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
 }
 # Unmount the driver rootfs from the run directory.
From f8ea995fddce1bf3116d3100e053f6acabc7b3ab Mon Sep 17 00:00:00 2001 From: Ashutosh Kumar Singh Date: Mon, 8 Jun 2026 21:04:20 +0530 Subject: [PATCH 2/2] Fix SELinux detection check in driver scripts by verifying mount status and enforce file presence --- rhel10/nvidia-driver | 4 ++-- rhel10/ocp_dtk_entrypoint | 12 +++++++++--- rhel10/precompiled/nvidia-driver | 4 ++-- rhel8/nvidia-driver | 4 ++-- rhel8/ocp_dtk_entrypoint | 12 +++++++++--- rhel8/precompiled/nvidia-driver | 4 ++-- rhel9/nvidia-driver | 4 ++-- rhel9/ocp_dtk_entrypoint | 12 +++++++++--- rhel9/precompiled/nvidia-driver | 4 ++-- vgpu-manager/rhel8/nvidia-driver | 10 ++++++++-- vgpu-manager/rhel9/nvidia-driver | 10 ++++++++-- 11 files changed, 55 insertions(+), 25 deletions(-)
diff --git a/rhel10/nvidia-driver b/rhel10/nvidia-driver
index 72bd1dcc7..6fdddd7ff 100755
--- a/rhel10/nvidia-driver
+++ b/rhel10/nvidia-driver
@@ -580,10 +580,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel10/ocp_dtk_entrypoint b/rhel10/ocp_dtk_entrypoint
index 12cdc2552..25dfb2b7a 100755
--- a/rhel10/ocp_dtk_entrypoint
+++ b/rhel10/ocp_dtk_entrypoint
@@ -72,9 +72,15 @@ nv-ctr-run-with-dtk() {
 cp -rv "${MODULES_SHARED}"/* "${MODULES_LOCAL}"
 # Tell SELinux to allow loading these files
- find . -type f \
- \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \; || true
+ echo "Check SELinux status"
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
+ echo "SELinux is enabled"
+ find . -type f \
+ \( -name "*.txt" -or -name "*.go" \) \
+ -exec chcon -t modules_object_t "{}" \;
+ else
+ echo "SELinux is disabled, skipping..."
+ fi
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel10/precompiled/nvidia-driver b/rhel10/precompiled/nvidia-driver
index 489e22594..ec2438f97 100755
--- a/rhel10/precompiled/nvidia-driver
+++ b/rhel10/precompiled/nvidia-driver
@@ -324,10 +324,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel8/nvidia-driver b/rhel8/nvidia-driver
index 7508f8dd8..71c5f6fea 100755
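Review bot: The new test `grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]` in the rhel10/nvidia-driver hunk does not tie its two halves to the same mount: `grep -w` matches the word `selinuxfs` anywhere on a line, including a mount-point path, and it runs right after `mount --rbind / ${RUN_DIR}/driver`, which may add further entries to /proc/mounts. Matching on the fields is stricter, `awk '$2 == "/sys/fs/selinux" && $3 == "selinuxfs" {f=1} END {exit !f}' /proc/mounts`, and the `enforce` test then checks the mount that was actually matched. The same condition is repeated in all eleven scripts touched by this patch, so a small shared function would keep the copies from drifting apart. `_mount_rootfs` starts and ends outside the hunk.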
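Review bot: In the rhel10/ocp_dtk_entrypoint hunk a failed relabel is still silent, because `find ... -exec chcon -t modules_object_t "{}" \;` does not pass chcon's exit status on, whereas the nvidia-driver scripts in this patch now run `chcon` directly without `|| true`. If a labelling failure on an SELinux-enabled host should be visible on both paths, the `+` form makes find return non-zero when an invocation fails and also starts fewer processes: `-exec chcon -t modules_object_t "{}" +`. The retained comment `# Tell SELinux to allow loading these files` now sits above the status check rather than the `find`; moving it inside the `if` would keep it next to the command it describes. The rhel8 and rhel9 ocp_dtk_entrypoint hunks are the same; `nv-ctr-run-with-dtk` continues outside the hunk.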
--- a/rhel8/nvidia-driver
+++ b/rhel8/nvidia-driver
@@ -559,10 +559,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel8/ocp_dtk_entrypoint b/rhel8/ocp_dtk_entrypoint
index 97d793b1c..6ccbfcc9c 100755
--- a/rhel8/ocp_dtk_entrypoint
+++ b/rhel8/ocp_dtk_entrypoint
@@ -68,9 +68,15 @@ nv-ctr-run-with-dtk() {
 cp -rv "${MODULES_SHARED}"/* "${MODULES_LOCAL}"
 # Tell SELinux to allow loading these files
- find . -type f \
- \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \; || true
+ echo "Check SELinux status"
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
+ echo "SELinux is enabled"
+ find . -type f \
+ \( -name "*.txt" -or -name "*.go" \) \
+ -exec chcon -t modules_object_t "{}" \;
+ else
+ echo "SELinux is disabled, skipping..."
+ fi
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel8/precompiled/nvidia-driver b/rhel8/precompiled/nvidia-driver
index 465a0e435..d09393eee 100755
--- a/rhel8/precompiled/nvidia-driver
+++ b/rhel8/precompiled/nvidia-driver
@@ -301,10 +301,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel9/nvidia-driver b/rhel9/nvidia-driver
index 88363345c..d626c4ba8 100755
--- a/rhel9/nvidia-driver
+++ b/rhel9/nvidia-driver
@@ -576,10 +576,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/rhel9/ocp_dtk_entrypoint b/rhel9/ocp_dtk_entrypoint
index b58b4e79a..65682f62d 100755
--- a/rhel9/ocp_dtk_entrypoint
+++ b/rhel9/ocp_dtk_entrypoint
@@ -72,9 +72,15 @@ nv-ctr-run-with-dtk() {
 cp -rv "${MODULES_SHARED}"/* "${MODULES_LOCAL}"
 # Tell SELinux to allow loading these files
- find . -type f \
- \( -name "*.txt" -or -name "*.go" \) \
- -exec chcon -t modules_object_t "{}" \; || true
+ echo "Check SELinux status"
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
+ echo "SELinux is enabled"
+ find . -type f \
+ \( -name "*.txt" -or -name "*.go" \) \
+ -exec chcon -t modules_object_t "{}" \;
+ else
+ echo "SELinux is disabled, skipping..."
+ fi
 echo "#"
 echo "# Executing nvidia-driver load script ..."
diff --git a/rhel9/precompiled/nvidia-driver b/rhel9/precompiled/nvidia-driver
index f5faced9f..90e1fefdc 100755
--- a/rhel9/precompiled/nvidia-driver
+++ b/rhel9/precompiled/nvidia-driver
@@ -350,10 +350,10 @@ _mount_rootfs() {
 mount --rbind / ${RUN_DIR}/driver
 echo "Check SELinux status"
- if [ -e /sys/fs/selinux ]; then
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
 echo "SELinux is enabled"
 echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
 else
 echo "SELinux is disabled, skipping..."
 fi
diff --git a/vgpu-manager/rhel8/nvidia-driver b/vgpu-manager/rhel8/nvidia-driver
index 8499f9b35..0e3f31d1c 100755
--- a/vgpu-manager/rhel8/nvidia-driver
+++ b/vgpu-manager/rhel8/nvidia-driver
@@ -18,8 +18,14 @@ _mount_rootfs() {
 mkdir -p ${RUN_DIR}/driver
 mount --rbind / ${RUN_DIR}/driver
- echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ echo "Check SELinux status"
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
+ echo "SELinux is enabled"
+ echo "Change device files security context for selinux compatibility"
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ else
+ echo "SELinux is disabled, skipping..."
+ fi
 }
 # Unmount the driver rootfs from the run directory.
diff --git a/vgpu-manager/rhel9/nvidia-driver b/vgpu-manager/rhel9/nvidia-driver
index 37b851bfa..9aa270ba5 100755
--- a/vgpu-manager/rhel9/nvidia-driver
+++ b/vgpu-manager/rhel9/nvidia-driver
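Review bot: The `else` branch added to `_mount_rootfs` in vgpu-manager/rhel8/nvidia-driver prints "SELinux is disabled, skipping..." whenever the check fails, but the check only establishes that selinuxfs is not visible from inside this container. This script relabelled `${RUN_DIR}/driver/dev` unconditionally before, so on a host that enforces SELinux without exposing /sys/fs/selinux to the container the relabel would now be skipped while the log states the opposite of the host's state. Wording the message after what was observed helps triage, e.g. `echo "selinuxfs not mounted in this container, skipping chcon"`. The added `chcon` line also leaves `${RUN_DIR}` unquoted; `"${RUN_DIR}/driver/dev"` is safer if the path can ever contain whitespace or glob characters. The vgpu-manager/rhel9 hunk is the same.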
@@ -30,8 +30,14 @@ _mount_rootfs() {
 mkdir -p ${RUN_DIR}/driver
 mount --rbind / ${RUN_DIR}/driver
- echo "Change device files security context for selinux compatibility"
- chcon -R -t container_file_t ${RUN_DIR}/driver/dev || true
+ echo "Check SELinux status"
+ if grep -qsw "selinuxfs" /proc/mounts && [ -f /sys/fs/selinux/enforce ]; then
+ echo "SELinux is enabled"
+ echo "Change device files security context for selinux compatibility"
+ chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+ else
+ echo "SELinux is disabled, skipping..."
+ fi
 }
 # Unmount the driver rootfs from the run directory.