/dev/dri/* and SE Linux

Daniel J Walsh dwalsh at redhat.com
Mon Sep 13 14:38:33 UTC 2004


Russell Coker wrote:

>In the latest CVS SE Linux policy xserver_macros.te has:
>
># Create and access /dev/dri devices.
>allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
>allow $1_xserver_t dri_device_t:chr_file create_file_perms;
>
>[...]
>
># Do not flood audit logs due to device node creation attempts.
>dontaudit $1_xserver_t device_t:chr_file create;
>
>[...]
>
>allow $1_xserver_t device_t:dir { create };
>
>It seems that the first and second sections don't work well together.  Since 
>we changed /dev/dri to have type device_t instead of dri_device_t it seems 
>that attempts to create /dev/dri/whatever will be permitted on the 
>device_t:dir access but dontaudit'd on the device_t:chr_file access.
>
>Does it even make sense to allow creating device nodes under /dev/dri now that 
>we have udev doing so much?  Can't udev do this for us?
>
It should in the future, but it doesn't right now.  (Might need to add 
the broken software tunable.  :^)

Dan
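
The interaction Russell describes can be checked mechanically. The following is an added example, not part of the original thread or of the policy source: a small Python check that flags places where a domain may add entries to a directory type but `create` on objects of that same type is denied and hidden by `dontaudit`. It assumes `$1` expands to `user`, that the two macro expansions shown match your policy tree, and that no `type_transition` applies, so a new node inherits the parent directory's type.

```python
import re

# Constructed sample: the rules quoted in the thread, with $1 assumed to be "user".
POLICY = """
allow user_xserver_t device_t:dir { setattr rw_dir_perms };
allow user_xserver_t dri_device_t:chr_file create_file_perms;
dontaudit user_xserver_t device_t:chr_file create;
allow user_xserver_t device_t:dir { create };
"""

# Assumed macro expansions; verify against the macros in your own policy tree.
MACROS = {
    "rw_dir_perms": "read getattr lock search ioctl add_name remove_name write",
    "create_file_perms": "create ioctl read getattr lock write setattr "
                         "append link unlink rename",
}
RULE = re.compile(r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(.+?);$")

def parse(policy):
    """Return {kind: {(source, target, class): set of expanded permissions}}."""
    rules = {"allow": {}, "dontaudit": {}}
    for line in policy.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        kind, src, tgt, cls, perms = m.groups()
        expanded = set()
        for p in perms.strip("{} ").split():
            expanded.update(MACROS.get(p, p).split())
        rules[kind].setdefault((src, tgt, cls), set()).update(expanded)
    return rules

def silent_create_failures(policy):
    """List (source, type, class) where the directory write is allowed but
    creating the object is denied and the denial is not audited."""
    rules = parse(policy)
    findings = []
    for (src, tgt, cls), perms in rules["dontaudit"].items():
        if cls == "dir" or "create" not in perms:
            continue
        dir_perms = rules["allow"].get((src, tgt, "dir"), set())
        obj_perms = rules["allow"].get((src, tgt, cls), set())
        # add_name + write on the directory lets the entry be added;
        # the object-class create is what actually fails, with no log line.
        if {"add_name", "write"} <= dir_perms and "create" not in obj_perms:
            findings.append((src, tgt, cls))
    return findings

if __name__ == "__main__":
    for finding in silent_create_failures(POLICY):
        print("silent create denial:", *finding)
```
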