Bug 124837

Summary: DRI use denied by Red Hat SELinux policy
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <redhat>
Component: policy
Assignee: Russell Coker <rcoker>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: medium
Version: 2
CC: mharris
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-28 13:42:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 131774

Description W. Michael Petullo 2004-05-31 04:04:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6)
Gecko/20040312 Epiphany/1.1.12

Description of problem:
Red Hat's SELinux policy does not seem to allow users to access X's
DRI device.  Here is a log of an attempt to run glxgears:

May 30 22:51:55 imp kernel: audit(1085975515.923:0): avc:  denied  { getattr } for  pid=3781 exe=/bin/bash path=/usr/games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:55 imp kernel: audit(1085975515.924:0): avc:  denied  { read } for  pid=3781 exe=/bin/bash name=games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir

Glxinfo says:

[...]
direct rendering: No
[...]

until I do an "echo 0 > /selinux/enforce". Once SELinux is no longer
enforcing its policy, glxinfo says:

[...]
direct rendering: Yes
[...]

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Try to query DRI as a user with glxinfo when SELinux is enforcing Red
Hat's policy.
Additional info:
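The two AVC records quoted above are the raw material an administrator works from when triaging a denial like this one: the permissions in braces, the source context (the user's domain), the target context (the file or directory's type) and the object class together say exactly what the policy refused. The following is an added example, not part of the bug report or of the selinux-policy package: a small Python parser that reads kernel-log lines in the `avc:  denied  { ... } for  key=value ...` form shown in the report, groups denials by source type, target type and class, and renders each group as an `allow` rule in the `.te` style that `audit2allow` prints, so the scope of any local exception can be reviewed before it is written. The sample log is constructed from the report's two lines (re-joined onto single lines) plus one unrelated kernel message to show that non-AVC lines are skipped.

```python
"""Parse SELinux AVC denial records and summarize what was denied.

Added example (not from the bug report). The sample lines below are the
two denials quoted in the report, re-joined onto single lines, plus one
constructed non-AVC line that the parser must ignore.
"""
import re
from collections import defaultdict

# Constructed sample log: the report's two AVC records, unwrapped, and a
# filler kernel line with no AVC content.
SAMPLE_LOG = """\
May 30 22:51:55 imp kernel: audit(1085975515.923:0): avc:  denied  { getattr } for  pid=3781 exe=/bin/bash path=/usr/games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:55 imp kernel: audit(1085975515.924:0): avc:  denied  { read } for  pid=3781 exe=/bin/bash name=games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:56 imp kernel: constructed unrelated kernel message
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    # key=value fields (pid, exe, path/name, dev, ino, scontext, tcontext, tclass)
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def type_of(context):
    """Extract the type (third colon-separated component) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions.

    Returns {(stype, ttype, tclass): sorted permission list}.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key] |= rec["perms"]
    return {k: sorted(v) for k, v in grouped.items()}


def as_te_rules(summary):
    """Render the summary as allow rules in the policy-source (.te) style
    that audit2allow prints, for review before any local module is built."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in as_te_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against the sample it prints `allow user_t games_data_t:dir { getattr read };`, which makes the review question concrete: the two records are about a user domain reading a games directory, so a local rule of that shape would be the minimal exception, and anything broader than the printed rule is more than the log justifies.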

Comment 1 Mike A. Harris 2004-06-01 08:58:56 UTC
Reassigning to "policy" component.

Comment 2 Alan Cox 2004-06-19 12:34:32 UTC
This is probably correct behaviour. DRI clients can read the X display
which might be an issue in a highly secure setup.


Comment 3 Russell Coker 2004-09-28 13:42:02 UTC
Fixed in selinux-policy-default-1.17.21-1.