On Tue, 14 Sep 2004 00:38, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Russell Coker wrote:
> >In the latest CVS SE Linux policy xserver_macros.te has:
> >
> ># Create and access /dev/dri devices.
> >allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
> >allow $1_xserver_t dri_device_t:chr_file create_file_perms;
> >
> >[...]
> >
> ># Do not flood audit logs due to device node creation attempts.
> >dontaudit $1_xserver_t device_t:chr_file create;
> >
> >[...]
> >
> >allow $1_xserver_t device_t:dir { create };

# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir create;
file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)

OK, the above should do all that's needed, replacing the other rules above.
You can replace the current policy with that, the current policy definitely
doesn't work while the above should give the same result that the old policy
did before we changed the type of /dev/dri.

Of course it would be nice to get this tested by someone who uses and
understands DRI...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
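Added example, not part of the original message or the policy source: m4 definitions showing how a call to `file_type_auto_trans` is assumed to expand, which is why the single macro call in the reply can stand in for the separate `allow` rules quoted from xserver_macros.te. The two macro bodies are simplified stand-ins for the example policy's definitions, and `user_xserver_t` is a constructed name used in place of `$1_xserver_t`.

```m4
dnl Simplified stand-ins (assumed shape, not copied from the policy source).
dnl file_type_trans: let the domain modify the parent directory and
dnl create objects of the given class with the new type.
define(`file_type_trans', `
allow $1 $2:dir rw_dir_perms;
allow $1 $3:$4 create_file_perms;
')dnl
dnl file_type_auto_trans: the same permissions plus a default type
dnl transition, so new objects in the directory get the new type.
define(`file_type_auto_trans', `
file_type_trans($1, $2, $3, $4)
type_transition $1 $2:$4 $3;
')dnl
dnl The call from the reply, with a constructed domain name.
file_type_auto_trans(user_xserver_t, device_t, dri_device_t, chr_file)
dnl Rules produced by the call above (blank lines omitted):
dnl   allow user_xserver_t device_t:dir rw_dir_perms;
dnl   allow user_xserver_t dri_device_t:chr_file create_file_perms;
dnl   type_transition user_xserver_t device_t:chr_file dri_device_t;
```

With the type_transition rule in place, a character device node the X server creates under a device_t directory is labelled dri_device_t at creation, so no create permission on device_t:chr_file is involved.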