/dev/dri/* and SE Linux

Russell Coker russell at coker.com.au
Mon Sep 13 15:24:10 UTC 2004


On Tue, 14 Sep 2004 00:38, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Russell Coker wrote:
> >In the latest CVS SE Linux policy xserver_macros.te has:
> >
> ># Create and access /dev/dri devices.
> >allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
> >allow $1_xserver_t dri_device_t:chr_file create_file_perms;
> >
> >[...]
> >
> ># Do not flood audit logs due to device node creation attempts.
> >dontaudit $1_xserver_t device_t:chr_file create;
> >
> >[...]
> >
> >allow $1_xserver_t device_t:dir { create };

# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir create;
file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)

OK, the above should do all that's needed, replacing the other rules above.
You can replace the current policy with that; the current policy definitely
doesn't work, while the above should give the same result that the old policy
did before we changed the type of /dev/dri.

Of course it would be nice to get this tested by someone who uses and 
understands DRI...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





More information about the fedora-devel-list mailing list