From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 23:26:14 +1000
Subject: [refpolicy] [PATCH] login related stuff
In-Reply-To: <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
References: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au> <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
Message-ID: <201704172326.14182.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote:
> It is not clear to me the reason why a daemon such as the system dbus
> instance needs to write the DRI graphical devices (dev_rw_dri())...

It always seemed strange to me too.

> Is such permission really critical for running gdm?

My recollection is that the last time I tested it aborted when it didn't have
such access.

> And, by the way, I am aware of the fact that gnome-session also requires
> such permission, although it does not fail to run without it.
>
> The point is that, on one hand gnome-session runs as user_u and therefore
> it might not be advisable to let user_u write the DRI device, but on the
> other hand I suppose gnome-session checks for accelerated graphical
> capabilities and therefore a failure to write the DRI device might imply
> that the accelerated graphical capabilities are always disabled!
>
> What is your experience, if any, with the latter?

I don't have a lot of experience with it, I prefer not to use GNOME. Sddm is
the dm I recommend for use in Debian, but I put in a minimal effort to get
others working too.

If the general feeling is against that part of the patch then I'll just drop
it and let someone else who uses gdm take it up at some future time.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/