Bug 124837 - DRI use denied by Red Hat SELinux policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: 2
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Russell Coker
QA Contact: Ben Levenson
Blocks: FC3SELinux
Reported: 2004-05-31 00:04 EDT by W. Michael Petullo
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-09-28 09:42:02 EDT

Description W. Michael Petullo 2004-05-31 00:04:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6)
Gecko/20040312 Epiphany/1.1.12

Description of problem:
Red Hat's SELinux policy does not seem to allow users to access X's
DRI device.  Here is a log of an attempt to run glxgears:

May 30 22:51:55 imp kernel: audit(1085975515.923:0): avc:  denied  { getattr } for  pid=3781 exe=/bin/bash path=/usr/games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:55 imp kernel: audit(1085975515.924:0): avc:  denied  { read } for  pid=3781 exe=/bin/bash name=games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir

Glxinfo says:

[...]
direct rendering: No
[...]

until I do an "echo 0 > /selinux/enforce".  Once SELinux is no longer
enforcing its policy, glxinfo says:

[...]
direct rendering: Yes
[...]

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Try to query DRI as a user with glxinfo when SELinux is enforcing Red
Hat's policy.
    

Additional info:

Comment 1 Mike A. Harris 2004-06-01 04:58:56 EDT
Reassigning to "policy" component.

Comment 2 Alan Cox 2004-06-19 08:34:32 EDT
This is probably correct behaviour. DRI clients can read the X display
which might be an issue in a highly secure setup.

Comment 3 Russell Coker 2004-09-28 09:42:02 EDT
Fixed in selinux-policy-default-1.17.21-1. 
