From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 23 Aug 2016 15:21:21 +0200 Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices In-Reply-To: References: <1471704751.17584.8.camel@trentalancia.net> Message-ID: <1471958481.9254.2.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 22/08/2016 at 20.52 -0400, Chris PeBenito wrote: > On 08/20/16 10:52, Guido Trentalancia wrote: > > > > Modify the xserver role, so that the Direct Rendering > > Infrastructure > > devices can be opened read/write (used for graphic acceleration, > > for example, by Mesa/libGL). > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/services/xserver.if |????2 ++ > > ?1 file changed, 2 insertions(+) > > > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if > > 2016-08-06 21:26:43.295774282 +0200 > > +++ refpolicy-git-06082016/policy/modules/services/xserver.if > > 2016-08-19 15:52:41.712830041 +0200 > > @@ -163,6 +163,8 @@ interface(`xserver_role',` > > ? relabel_dirs_pattern($2, user_fonts_config_t, > > user_fonts_config_t) > > ? relabel_files_pattern($2, user_fonts_config_t, > > user_fonts_config_t) > > > > + # for the accelerated graphic drivers > > + dev_rw_dri($2) > > ?') > > > > ?####################################### > > I'm fine with this change, but I think it should be > conditional.??Then? > people that don't want users to have direct access to hardware, like? > this, can disable it. What's the point ? DRI can already be disabled in the X server configuration file easily and using it should not pose a security risk. So, why increasing the complexity for little or no gain ? Regards, Guido