
Re: /dev/dri/* and SE Linux



On Tue, 14 Sep 2004 00:38, Daniel J Walsh <dwalsh redhat com> wrote:
> Russell Coker wrote:
> >In the latest CVS SE Linux policy xserver_macros.te has:
> >
> ># Create and access /dev/dri devices.
> >allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
> >allow $1_xserver_t dri_device_t:chr_file create_file_perms;
> >
> >[...]
> >
> ># Do not flood audit logs due to device node creation attempts.
> >dontaudit $1_xserver_t device_t:chr_file create;
> >
> >[...]
> >
> >allow $1_xserver_t device_t:dir { create };

# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir create;
file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)

OK, the above should do all that's needed, replacing the other rules above.  
You can replace the current policy with that, the current policy definitely
doesn't work while the above should give the same result that the old policy 
did before we changed the type of /dev/dri.

Of course it would be nice to get this tested by someone who uses and 
understands DRI...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


