SELinux detects problem with proprietary binary fglrx driver; however, AMD/ATI will not help

Christopher J. PeBenito cpebenito at tresys.com
Thu Sep 25 14:28:27 UTC 2008


On Thu, 2008-09-25 at 09:13 -0400, Eric Paris wrote:
> On Thu, 2008-09-25 at 14:15 +1000, James Morris wrote:
> > On Wed, 24 Sep 2008, Francis K Shim wrote:
> > 
> > > 
> > > I could disable SELinux and I would not have this problem; however, I
> > > was hoping that there was a much more secure or safer workaround to this
> > > problem.
> > 
> > The video driver is inherently dangerous, so the safe approach is not to 
> > use it.
> 
> James isn't exactly being helpful, but the reason is because as you
> guessed the problem lies squarely and obviously with AMD/ATI and there
> isn't much we can do to help with closed source proprietary software.
> AMD/ATI is obviously doing it wrong and when it comes to security doing
> it wrong is never a good idea.  Sadly we don't have their source so I
> can't show you the line of code (or do anything to fix it), but your
> backtrace should make it pretty obvious if anyone inside ATI decides to
> care.
> 
> Stephen, James, what do the two of you think about something like this?
> Maybe a WARN_ONCE() ?

Maybe instead of returning -EPERM unconditionally, returning based on
the unknown_perms setting?  Of course what to do if it's set to reject
would be a question (my suggestion would be deny on that too).

>  security/selinux/hooks.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 03fc6a8..14f1242 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1385,7 +1385,8 @@ static int task_has_capability(struct task_struct *tsk,
>  	default:
>  		printk(KERN_ERR
>  		       "SELinux:  out of range capability %d\n", cap);
> -		BUG();
> +		WARN();
> +		return -EPERM;
>  	}
>  	return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
>  }
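Review bot: the added `WARN();` line will not compile as written, since the kernel macro takes at least a condition (`WARN(condition, fmt, ...)`) and the other variants are `WARN_ON(cond)`, `WARN_ONCE(cond, fmt, ...)` and `WARN_ON_ONCE(cond)`. Folding the existing printk into `WARN(1, "SELinux:  out of range capability %d\n", cap);` (or `WARN_ONCE(1, ...)`, as suggested in the message above, so a misbehaving driver cannot flood the log with backtraces) would keep the diagnostic and the stack trace in one place. The unconditional `return -EPERM;` also hard-codes a deny regardless of the policy's unknown-permission handling; if that is deliberate, a one-line comment at the return explaining why an out-of-range capability is always denied would help the next reader.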
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150