/dev/dri/* and SE Linux
- From: Russell Coker <russell coker com au>
- To: fedora-selinux-list redhat com
- Cc: fedora-devel-list redhat com
- Subject: /dev/dri/* and SE Linux
- Date: Sat, 11 Sep 2004 19:34:19 +1000
In the latest CVS SE Linux policy xserver_macros.te has:

# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts.
dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };

It seems that the first and second sections don't work well together. Since
we changed /dev/dri to have type device_t instead of dri_device_t it seems
that attempts to create /dev/dri/whatever will be permitted on the
device_t:dir access but dontaudit'd on the device_t:chr_file access.

Does it even make sense to allow creating device nodes under /dev/dri now that
we have udev doing so much? Can't udev do this for us?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
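
Added example (not part of the original message or of the SE Linux policy sources): a small evaluator that loads the four rules quoted above and classifies each access check involved in creating a device node under /dev/dri, showing the silent denial the message describes. Assumptions: `$1` is instantiated as `xdm`, the `rw_dir_perms` and `create_file_perms` expansions follow the example policy's global macros, and a new node inherits its parent directory's type when no type_transition applies.

```python
import re

# Assumed macro expansions (from the example policy's global macros of that era).
MACROS = {
    "rw_dir_perms": "read getattr lock search ioctl add_name remove_name write",
    "create_file_perms": "create ioctl read getattr lock write setattr "
                         "append link unlink rename",
}
SRC = "xdm_xserver_t"  # assumption: $1 instantiated as "xdm"

# The four rules quoted in the message, with $1 replaced.
POLICY = """
allow xdm_xserver_t device_t:dir { setattr rw_dir_perms };
allow xdm_xserver_t dri_device_t:chr_file create_file_perms;
dontaudit xdm_xserver_t device_t:chr_file create;
allow xdm_xserver_t device_t:dir { create };
"""
RULE = re.compile(r"(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+\{?([^;}]*)\}?\s*;")

def load(text):
    """Return {(kind, source, target, class): perms} with macros expanded."""
    table = {}
    for kind, src, tgt, cls, perms in RULE.findall(text):
        for p in perms.split():
            table.setdefault((kind, src, tgt, cls), set()).update(
                MACROS.get(p, p).split())
    return table

def decide(table, tgt, cls, perm):
    """Classify one access check made by SRC."""
    if perm in table.get(("allow", SRC, tgt, cls), ()):
        return "allowed"
    if perm in table.get(("dontaudit", SRC, tgt, cls), ()):
        return "denied, not audited"
    return "denied, audited"

def mknod_checks(table, dir_type, node_type):
    """Checks for creating a character device of node_type in a dir_type directory."""
    checks = {f"dir {p}": decide(table, dir_type, "dir", p)
              for p in ("search", "write", "add_name")}
    checks["chr_file create"] = decide(table, node_type, "chr_file", "create")
    return checks

if __name__ == "__main__":
    t = load(POLICY)
    # No type_transition: the node inherits device_t from /dev/dri.
    print(mknod_checks(t, "device_t", "device_t"))
    # Hypothetical: the node ends up labelled dri_device_t.
    print(mknod_checks(t, "device_t", "dri_device_t"))
```

With /dev/dri labelled device_t, the directory checks pass but the `chr_file create` check is denied without an audit record, so the failed node creation leaves no AVC message to troubleshoot from.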