[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: /dev/dri/* and SE Linux

From: Daniel J Walsh <dwalsh redhat com>
To: russell coker com au, "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Cc: fedora-devel-list redhat com
Subject: Re: /dev/dri/* and SE Linux
Date: Mon, 13 Sep 2004 10:38:33 -0400

Russell Coker wrote:

In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts.
dontaudit $1_xserver_t device_t:chr_file create;
[...]

allow $1_xserver_t device_t:dir { create };

It seems that the first and second sections don't work well together. Since we changed /dev/dri to have type device_t instead of dri_device_t it seems that attempts to create /dev/dri/whatever will be permitted on the device_t:dir access but dontaudit'd on the device_t:chr_file access.

Does it even make sense to allow creating device nodes under /dev/dri now that we have udev doing so much? Can't udev do this for us?

It should in the future, but it doesn't right now. (Might need to add the broken software tunable. :^)

Dan

Follow-Ups:
- Re: /dev/dri/* and SE Linux
  - From: Russell Coker

References:
- /dev/dri/* and SE Linux
  - From: Russell Coker

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]