Re: /dev/dri/* and SE Linux


 



Russell Coker wrote:

In the latest CVS SE Linux policy xserver_macros.te has:

# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;

[...]

# Do not flood audit logs due to device node creation attempts.
dontaudit $1_xserver_t device_t:chr_file create;

[...]

allow $1_xserver_t device_t:dir { create };

It seems that the first and second sections don't work well together. Since we changed /dev/dri to have type device_t instead of dri_device_t it seems that attempts to create /dev/dri/whatever will be permitted on the device_t:dir access but dontaudit'd on the device_t:chr_file access.

Does it even make sense to allow creating device nodes under /dev/dri now that we have udev doing so much? Can't udev do this for us?



It should in the future, but it doesn't right now. (Might need to add the broken software tunable. :^)

Dan
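
The interaction described in the quoted message, as an added example that is not part of the original thread or of the SE Linux policy sources. It evaluates the quoted rules for a node creation under a device_t directory. The macro expansions, the "user" prefix substituted for $1, and the helper names are assumptions, as is the absence of a type_transition rule, so the new node inherits the directory's type.

```python
import re

# Assumed expansions of the policy macros (not taken from the thread).
MACROS = {
    "rw_dir_perms": "read getattr lock search ioctl add_name remove_name write",
    "create_file_perms": "create ioctl read getattr lock write setattr append link unlink rename",
}

# The rules quoted in the message above; $1 is instantiated by load().
POLICY = """
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;
dontaudit $1_xserver_t device_t:chr_file create;
allow $1_xserver_t device_t:dir { create };
"""

RULE = re.compile(r"(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+\{?([^;}]*)\}?\s*;")

def load(policy, prefix="user"):
    """Parse allow/dontaudit rules into {kind: {(source, target, class): perms}}."""
    rules = {"allow": {}, "dontaudit": {}}
    for kind, src, tgt, cls, perms in RULE.findall(policy.replace("$1", prefix)):
        expanded = set()
        for perm in perms.split():
            expanded.update(MACROS.get(perm, perm).split())
        rules[kind].setdefault((src, tgt, cls), set()).update(expanded)
    return rules

def check(rules, src, tgt, cls, perm):
    """Return the decision for one access and whether a denial would be logged."""
    key = (src, tgt, cls)
    if perm in rules["allow"].get(key, ()):
        return "allowed"
    if perm in rules["dontaudit"].get(key, ()):
        return "denied, not audited"
    return "denied, audited"

def create_node(rules, src, dir_type):
    """Checks for creating a character device node inside a dir_type directory."""
    node_type = dir_type  # assumption: no type_transition, label inherited from the directory
    return {
        "dir add_name": check(rules, src, dir_type, "dir", "add_name"),
        "chr_file create": check(rules, src, node_type, "chr_file", "create"),
    }

if __name__ == "__main__":
    for access, decision in create_node(load(POLICY), "user_xserver_t", "device_t").items():
        print(f"{access}: {decision}")
```
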
