On Thu, 2008-09-25 at 09:13 -0400, Eric Paris wrote:
On Thu, 2008-09-25 at 14:15 +1000, James Morris wrote:
> On Wed, 24 Sep 2008, Francis K Shim wrote:
>
> >
> > I could disable SELinux and I would not have this problem; however, I
> > was hoping that there was a much secure or safer work-around to this
> > problem.
>
> The video driver is inherently dangerous, so the safe approach is not to
> use it.
James isn't exactly being helpful, but the reason is because as you
guessed the problem lies squarely and obviously with AMD/ATI and there
isn't much we can do to help with closed source proprietary software.
AMD/ATI is obviously doing it wrong and when it comes to security doing
it wrong is never a good idea. Sadly we don't have their source so I
can't show you the line of code (or do anything to fix it), but your
backtrace should make it pretty obvious if anyone inside ATI decides to
care.
Stephen James, what do the two of you think about something like this?
Maybe a WARN_ONCE() ?
Maybe instead of returning -EPERM unconditionally, returning based on
the unknown_perms setting? Of course what to do if its set to reject
would be a question (my suggestion would be deny on that too).
security/selinux/hooks.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 03fc6a8..14f1242 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1385,7 +1385,8 @@ static int task_has_capability(struct task_struct *tsk,
default:
printk(KERN_ERR
"SELinux: out of range capability %d\n", cap);
- BUG();
+ WARN();
+ return -EPERM;
}
return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list --
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150