From: jason@perfinion.com (Jason Zaman)
Date: Tue, 23 Aug 2016 18:30:36 +0800
Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices
In-Reply-To:
References: <1471704751.17584.8.camel@trentalancia.net>
Message-ID: <20160823103036.GA2449@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Aug 22, 2016 at 08:52:38PM -0400, Chris PeBenito wrote:
> On 08/20/16 10:52, Guido Trentalancia wrote:
> > Modify the xserver role, so that the Direct Rendering Infrastructure
> > devices can be opened read/write (used for graphic acceleration,
> > for example, by Mesa/libGL).
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> > policy/modules/services/xserver.if | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200
> > +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-19 15:52:41.712830041 +0200
> > @@ -163,6 +163,8 @@ interface(`xserver_role',`
> > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
> > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> >
> > + # for the accelerated graphic drivers
> > + dev_rw_dri($2)
> > ')
> >
> > #######################################
>
> I'm fine with this change, but I think it should be conditional. Then
> people that don't want users to have direct access to hardware, like
> this, can disable it.

I have this locally as dev_rw_dri(x_domain) instead, since chromium_t
and mplayer_t and other things than just the user roles need hardware
acceleration. I agree it should be in a boolean too since I have not
found anything that *requires* it, and people might want it off.

-- 
Jason

>
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
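Review bot: the `+ dev_rw_dri($2)` line added inside `interface(`xserver_role',`` grants every domain passed into the role interface unconditional read/write on the DRI device nodes, with no way for a site to opt out; wrap it in a tunable (e.g. `tunable_policy(`xserver_user_dri',` dev_rw_dri($2) ')`, with a matching `gen_tunable` and `## <desc>` block, the boolean name being a placeholder) so administrators who do not want users touching hardware directly can disable it, and consider attaching the rule to the `x_domain` attribute rather than to `$2` in the role interface, since X clients outside the user roles (chromium_t, mplayer_t) need the same access. The hunk also adds no documentation of the new access to the interface's comment block, and the inline comment should read "graphics drivers".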
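The conditional, attribute-based form that the reply suggests, written out as an added illustration in refpolicy's own policy syntax (this is not code from the patch or from refpolicy; the boolean name xserver_clients_dri and the placement in xserver.te are assumptions). Instead of an unconditional dev_rw_dri($2) in the xserver_role interface, the rule sits on the x_domain attribute and is wrapped in a tunable, so every X client domain gets the access and a site can switch it off:

```m4
# Added illustration, not refpolicy's own policy. Both pieces would live in
# policy/modules/services/xserver.te. The boolean name xserver_clients_dri
# is an assumption for this example.

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow X clients (every domain carrying the x_domain attribute, which
## includes the user roles as well as chromium_t, mplayer_t and similar)
## to open the DRI device nodes read/write for hardware-accelerated
## rendering via Mesa/libGL. Off by default, since nothing requires it.
## </p>
## </desc>
gen_tunable(xserver_clients_dri, false)

########################################
#
# Common X domain local policy
#

# Same access the patch granted per role via dev_rw_dri($2), but on the
# attribute and behind the boolean.
tunable_policy(`xserver_clients_dri',`
	dev_rw_dri(x_domain)
')
```

After rebuilding and loading the policy, the access is enabled with `setsebool -P xserver_clients_dri on`, and `sesearch -A -s chromium_t -t dri_device_t -c chr_file -p write` should list the allow rule tagged with the boolean rather than as an unconditional rule, which is the check that the tunable actually gates it.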