On Thu, 2008-09-25 at 09:13 -0400, Eric Paris wrote:
> On Thu, 2008-09-25 at 14:15 +1000, James Morris wrote:
> > On Wed, 24 Sep 2008, Francis K Shim wrote:
> > > > >
> > > I could disable SELinux and I would not have this problem; however, I
> > > was hoping that there was a much more secure or safer work-around to this
> > > problem.
> >
> > The video driver is inherently dangerous, so the safe approach is not to
> > use it.
>
> James isn't exactly being helpful, but the reason is because as you
> guessed the problem lies squarely and obviously with AMD/ATI and there
> isn't much we can do to help with closed source proprietary software.
> AMD/ATI is obviously doing it wrong and when it comes to security doing
> it wrong is never a good idea. Sadly we don't have their source so I
> can't show you the line of code (or do anything to fix it), but your
> backtrace should make it pretty obvious if anyone inside ATI decides to
> care.
>
> Stephen James, what do the two of you think about something like this?
> Maybe a WARN_ONCE() ?

Maybe instead of returning -EPERM unconditionally, returning based on
the unknown_perms setting? Of course what to do if it's set to reject
would be a question (my suggestion would be deny on that too).

> security/selinux/hooks.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 03fc6a8..14f1242 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c
> @@ -1385,7 +1385,8 @@ static int task_has_capability(struct task_struct *tsk, > default: > printk(KERN_ERR > "SELinux: out of range capability %d\n", cap); > - BUG(); > + WARN(); > + return -EPERM; > } > return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); > }
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
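
Review bot: In the default: branch, WARN() is called with no arguments, but the kernel's WARN() macro takes a condition and a format string, so the added line will not build as written. WARN_ON(1) is the argument-free form, or the existing printk could be folded into the warning, e.g. WARN(1, "SELinux: out of range capability %d\n", cap). Because the thread attributes this path to a driver that can hit it repeatedly, a once-only variant (the WARN_ONCE() raised in the message) would keep one caller from flooding the log with backtraces. Returning -EPERM before avc_has_perm() fails closed for an unrecognized capability; a short comment in the default: branch stating that the denial is deliberate would document that choice.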