/dev/dri/* and SE Linux
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 13 14:38:33 UTC 2004
Russell Coker wrote:
>In the latest CVS SE Linux policy xserver_macros.te has:
>
># Create and access /dev/dri devices.
>allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
>allow $1_xserver_t dri_device_t:chr_file create_file_perms;
>
>[...]
>
># Do not flood audit logs due to device node creation attempts.
>dontaudit $1_xserver_t device_t:chr_file create;
>
>[...]
>
>allow $1_xserver_t device_t:dir { create };
>
>It seems that the first and second sections don't work well together. Since
>we changed /dev/dri to have type device_t instead of dri_device_t it seems
>that attempts to create /dev/dri/whatever will be permitted on the
>device_t:dir access but dontaudit'd on the device_t:chr_file access.
>
>Does it even make sense to allow creating device nodes under /dev/dri now that
>we have udev doing so much? Can't udev do this for us?
>
>
>
It should in the future, but it doesn't right now. (Might need to add
the broken software tunable. :^)
Dan
More information about the fedora-devel-list
mailing list