ls -Z /dev/mem
crw-r----- root kmem system_u:object_r:memory_device_t:SystemHigh /dev/mem
In our MLS X policy, we are giving the X server
mls_file_read_all_levels and mls_file_write_all_levels to be able to
access the SystemHigh /dev/mem. I would prefer not to give X general
file MLS override if possible.
Is there a way to assign MLS read up/write up on just one type (i.e.
allow X to read up only on memory_device_t)?
Is there a potential refactoring of the X server that eliminates the
need for /dev/mem access? Dan hinted at this at the developer summit
to allow X to run as the user.
Would it be better to mls_file_write_within_range(memory_device_t)
(i.e. make it a trusted object) and pull the MLS override out of the X
policy?
joe
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
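For context on why the override granted in the post is global: in the reference policy the MLS rules for the file classes are a single mlsconstrain per class/permission set, and mls_file_read_all_levels() works by adding the domain to an attribute that the constraint tests unconditionally, for every file-like object at every level. The fragment below is an added illustration, not text from the original post and not a shipped policy file; it is modelled on the shape of refpolicy's policy/mls file-read constraint, using the attribute names refpolicy declares (mlsfileread, mlsfilereadtoclr, mlstrustedobject), plus one hypothetical type-pair clause (xserver_t reading memory_device_t) to show what a read-up exception scoped to a single object type would look like.

```selinux
# Illustrative sketch (not from the original post or any shipped policy).
# Modelled on the refpolicy file-read MLS constraint; the xserver_t clause
# at the end is a hypothetical addition, not something refpolicy contains.

attribute mlsfileread;        # a domain gets this from mls_file_read_all_levels()
attribute mlsfilereadtoclr;   # a domain gets this from mls_file_read_to_clearance()
attribute mlstrustedobject;   # an object type gets this from mls_trusted_object()

# Read-class operations on file-like objects: the subject's low level (l1)
# must dominate the object's level (l2), unless one of the override clauses
# matches. Clauses on t1 are subject-side escapes; the clause on t2 is the
# object-side escape and applies to every domain in the system.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
	(( l1 dom l2 ) or
	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsfileread ) or
	 ( t2 == mlstrustedobject ) or
	 (( t1 == xserver_t ) and ( t2 == memory_device_t )));
```

Two practical points follow from the shape of that rule. First, constraints on the same class and permission set are conjunctive: every applicable mlsconstrain must be satisfied, so a narrower exception cannot be bolted on as a second statement; it has to be edited into the base constraint (the hypothetical last clause above), which is why the reference policy only offers the attribute-based overrides. Second, marking the object type as trusted (the t2 clause) removes the level check for every domain that already has type-enforcement access to memory_device_t, not just X, so it is a wider relaxation than either a domain-scoped clause or a domain attribute, and the same trade-off applies to the write-class constraint, which has its own parallel attributes.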