/dev/dri/* and SE Linux

W. Michael Petullo mike at flyn.org
Mon Sep 13 19:50:43 UTC 2004


>>> In the latest CVS SE Linux policy xserver_macros.te has:
>>>
>>> # Create and access /dev/dri devices.
>>> allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
>>> allow $1_xserver_t dri_device_t:chr_file create_file_perms;
>>>
>>> [...]
>>>
>>> # Do not flood audit logs due to device node creation attempts.
>>> dontaudit $1_xserver_t device_t:chr_file create;
>>>
>>> [...]
>>>
>>> allow $1_xserver_t device_t:dir { create };

> # Create and access /dev/dri devices.
> allow $1_xserver_t device_t:dir create;
> file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
>
> OK, the above should do all that's needed, replacing the other rules
> above.  You can replace the current policy with that, the current policy
> definitely doesn't work while the above should give the same result that
> the old policy did before we changed the type of /dev/dri.
>
> Of course it would be nice to get this tested by someone who uses and
> understands DRI...

For what it's worth, I entered a bug into bugzilla about this a while ago:

DRI use denied by Red Hat SELinux policy
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124837

--
Mike





More information about the fedora-devel-list mailing list