From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 17 Apr 2017 15:54:18 +0200
Subject: [refpolicy] [PATCH] login related stuff
In-Reply-To: <201704172326.14182.russell@coker.com.au>
References: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au> <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net> <201704172326.14182.russell@coker.com.au>
Message-ID: <8A7EBC4F-0811-465F-88B1-CA8B1C370219@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi.

Thanks for getting back.

Sounds like a bug triggered by systems that use systemd. As a first precaution, please enclose it within the appropriate ifdef statement (systemd) in the policy.

Apart from that, it shouldn't happen, but without testing it more carefully, I don't know what else to say...

How about the other issue that I mentioned to you? Have you ever experienced the same permission request from gnome-session? I suspect denying it might prevent the use of accelerated graphical capabilities for every session. But, as already explained, we are limited by gnome-session running in the user domain (already discussed not long ago).

Regards,

Guido

On the 17th of April 2017 15:26:14 CEST, Russell Coker wrote:
>On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote:
>> It is not clear to me why a daemon such as the system dbus
>> instance needs to write the DRI graphical devices (dev_rw_dri())...
>
>It always seemed strange to me too.
>
>> Is such permission really critical for running gdm?
>
>My recollection is that the last time I tested it aborted when it didn't have
>such access.
>
>> And, by the way, I am aware of the fact that gnome-session also requires
>> such permission, although it does not fail to run without it.
>>
>> The point is that, on one hand gnome-session runs as user_u and therefore
>> it might not be advisable to let user_u write the DRI device, but on the
>> other hand I suppose gnome-session checks for accelerated graphical
>> capabilities and therefore a failure to write the DRI device might imply
>> that the accelerated graphical capabilities are always disabled!
>>
>> What is your experience, if any, with the latter?
>
>I don't have a lot of experience with it, I prefer not to use GNOME. Sddm is
>the dm I recommend for use in Debian, but I put in a minimal effort to get
>others working too.
>
>If the general feeling is against that part of the patch then I'll just drop
>it and let someone else who uses gdm take it up at some future time.
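The "enclose it within the appropriate ifdef statement (systemd)" request above, written out as an added illustration; this is not the patch being discussed and not code from refpolicy. It assumes the rule in question is placed in the system bus section of dbus.te and that the system bus domain is named system_dbusd_t; both are my assumptions about the tree, not something the thread states.

```m4
# Added example, not the patch under discussion or refpolicy's own code.
# Assumed: this sits in policy/modules/services/dbus.te, and system_dbusd_t
# is the domain of the system bus instance.

########################################
#
# System bus local policy
#

# Unconditional form, which is what the thread objects to: every build,
# systemd or not, lets the system bus read and write the DRI devices.
#
#	dev_rw_dri(system_dbusd_t)

# Conditional form: the rule is only compiled into the policy when the
# build is configured for systemd, where the gdm failure was observed.
# Builds without init_systemd defined get no DRI access for the system bus
# at all, so the question of whether gdm really needs it stays confined
# to the systems that reported it.
ifdef(`init_systemd',`
	dev_rw_dri(system_dbusd_t)
')
```

The ifdef is resolved by m4 at policy build time, so it is a compile-time decision rather than something an administrator can flip on a running system. As far as I know, refpolicy defines init_systemd from the SYSTEMD setting in build.conf; if the access should instead be switchable at runtime while the gdm question is open, a boolean declared with gen_tunable and guarded by tunable_policy would be the alternative, at the cost of shipping the allow rule in every build.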