From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 22 Aug 2016 20:52:38 -0400 Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices In-Reply-To: <1471704751.17584.8.camel@trentalancia.net> References: <1471704751.17584.8.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/20/16 10:52, Guido Trentalancia wrote: > Modify the xserver role, so that the Direct Rendering Infrastructure > devices can be opened read/write (used for graphic acceleration, > for example, by Mesa/libGL). > > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.if | 2 ++ > 1 file changed, 2 insertions(+) > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-19 15:52:41.712830041 +0200 > @@ -163,6 +163,8 @@ interface(`xserver_role',` > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > > + # for the accelerated graphic drivers > + dev_rw_dri($2) > ') > > ####################################### I'm fine with this change, but I think it should be conditional. Then people that don't want users to have direct access to hardware, like this, can disable it. -- Chris PeBenito
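Review bot: `dev_rw_dri($2)` at the end of `xserver_role` is granted unconditionally, so every user domain passed as `$2` gets read/write access to the DRI devices with no way to switch it off short of patching the policy. Wrap the call in a `tunable_policy` block guarded by a boolean (name left to the maintainers), so sites that do not want user domains to have direct access to the graphics hardware can disable it. The comment `# for the accelerated graphic drivers` should also say that the rule gives the user domain direct device access, not only which drivers need it.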