Russell Coker wrote:
> In the latest CVS SE Linux policy xserver_macros.te has:
>
> # Create and access /dev/dri devices.
> allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
> allow $1_xserver_t dri_device_t:chr_file create_file_perms;
> [...]
> # Do not flood audit logs due to device node creation attempts.
> dontaudit $1_xserver_t device_t:chr_file create;
> [...]
> allow $1_xserver_t device_t:dir { create };
>
> It seems that the first and second sections don't work well together. Since
> we changed /dev/dri to have type device_t instead of dri_device_t it seems
> that attempts to create /dev/dri/whatever will be permitted on the
> device_t:dir access but dontaudit'd on the device_t:chr_file access.
>
> Does it even make sense to allow creating device nodes under /dev/dri now that
> we have udev doing so much? Can't udev do this for us?

It should in the future, but it doesn't right now. (Might need to add
the broken software tunable. :^)
Dan