/dev/dri/* and SE Linux
Russell Coker
russell at coker.com.au
Sat Sep 11 09:34:19 UTC 2004
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts.
dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
It seems that the first and second sections don't work well together. Since
we changed /dev/dri to have type device_t instead of dri_device_t it seems
that attempts to create /dev/dri/whatever will be permitted on the
device_t:dir access but dontaudit'd on the device_t:chr_file access.
Does it even make sense to allow creating device nodes under /dev/dri now that
we have udev doing so much? Can't udev do this for us?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-devel-list
mailing list