In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { setattr rw_dir_perms }; allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts. dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
It seems that the first and second sections don't work well together. Since we changed /dev/dri to have type device_t instead of dri_device_t it seems that attempts to create /dev/dri/whatever will be permitted on the device_t:dir access but dontaudit'd on the device_t:chr_file access.
Does it even make sense to allow creating device nodes under /dev/dri now that we have udev doing so much? Can't udev do this for us?
Russell Coker wrote:
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { setattr rw_dir_perms }; allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts. dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
It seems that the first and second sections don't work well together. Since we changed /dev/dri to have type device_t instead of dri_device_t it seems that attempts to create /dev/dri/whatever will be permitted on the device_t:dir access but dontaudit'd on the device_t:chr_file access.
Does it even make sense to allow creating device nodes under /dev/dri now that we have udev doing so much? Can't udev do this for us?
It should in the future, but it doesn't right now. (Might need to add the broken software tunable. :^)
Dan
On Tue, 14 Sep 2004 00:38, Daniel J Walsh dwalsh@redhat.com wrote:
Russell Coker wrote:
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { setattr rw_dir_perms }; allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts. dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir create; file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
OK, the above should do all that's needed, replacing the other rules above. You can replace the current policy with that, the current policy definately doesn't work while the above should give the same result that the old policy did before we changed the type of /dev/dri.
Of course it would be nice to get this tested by someone who uses and understands DRI...
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { setattr rw_dir_perms }; allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts. dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir create; file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
OK, the above should do all that's needed, replacing the other rules above. You can replace the current policy with that, the current policy definately doesn't work while the above should give the same result that the old policy did before we changed the type of /dev/dri.
Of course it would be nice to get this tested by someone who uses and understands DRI...
For what its worth, I entered a bug into bugzilla about this a while ago:
DRI use denied by Red Hat SELinux policy https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124837
-- Mike
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { setattr rw_dir_perms }; allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts. dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
# Create and access /dev/dri devices. allow $1_xserver_t device_t:dir create; file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
OK, the above should do all that's needed, replacing the other rules above. You can replace the current policy with that, the current policy definately doesn't work while the above should give the same result that the old policy did before we changed the type of /dev/dri.
Of course it would be nice to get this tested by someone who uses and understands DRI...
For what its worth, I entered a bug into bugzilla about this a while ago:
DRI use denied by Red Hat SELinux policy https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124837
-- Mike
On Tue, 14 Sep 2004 05:52, "W. Michael Petullo" mike@flyn.org wrote:
For what its worth, I entered a bug into bugzilla about this a while ago:
DRI use denied by Red Hat SELinux policy https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124837
The AVC messages in that bugzilla don't reference the DRI device, they indicate that a game was not running in user_games_t domain.