From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6) Gecko/20040312 Epiphany/1.1.12

Description of problem:
Red Hat's SELinux policy does not seem to allow users to access X's DRI device. Here is a log of an attempt to run glxgears:

May 30 22:51:55 imp kernel: audit(1085975515.923:0): avc: denied { getattr } for pid=3781 exe=/bin/bash path=/usr/games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:55 imp kernel: audit(1085975515.924:0): avc: denied { read } for pid=3781 exe=/bin/bash name=games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir

Glxinfo says:

[...]
direct rendering: No
[...]

until I do an "echo 0 > /selinux/enforce". Once SELinux is no longer enforcing its policy, glxinfo says:

[...]
direct rendering: Yes
[...]

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Try to query DRI as a user with glxinfo when SELinux is enforcing Red Hat's policy.

Additional info:
Reassigning to "policy" component.
This is probably correct behaviour. DRI clients can read the X display which might be an issue in a highly secure setup.
Fixed in selinux-policy-default-1.17.21-1.
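A small triage helper for denials like the ones quoted in the report, added here as an example and not part of the bug thread or of any SELinux tool: it groups AVC lines by source type, target type and object class, so it is clear which objects the logged denials cover. The function names are hypothetical, the sample input is the report's two log lines, and the parser assumes the unquoted key=value kernel log format shown in the report.

```python
import re
from collections import defaultdict

# Sample input: the two denial lines quoted in the report above.
SAMPLE_LOG = """\
May 30 22:51:55 imp kernel: audit(1085975515.923:0): avc: denied { getattr } for pid=3781 exe=/bin/bash path=/usr/games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
May 30 22:51:55 imp kernel: audit(1085975515.924:0): avc: denied { read } for pid=3781 exe=/bin/bash name=games dev=dm-0 ino=136677 scontext=user_u:user_r:user_t tcontext=system_u:object_r:games_data_t tclass=dir
"""

# Matches the kernel log format in the report: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def context_type(context):
    """Return the type field of a user:role:type[:range] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line; return None for other or truncated lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Assumes unquoted key=value tokens without spaces, as in the lines above.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    stype = context_type(fields.get("scontext", ""))
    ttype = context_type(fields.get("tcontext", ""))
    if not (stype and ttype and "tclass" in fields):
        return None
    return {"perms": m.group("perms").split(), "stype": stype, "ttype": ttype,
            "tclass": fields["tclass"], "object": fields.get("path") or fields.get("name")}

def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        group = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        if rec["object"]:
            group["objects"].add(rec["object"])
    return {key: {"perms": sorted(g["perms"]), "objects": sorted(g["objects"])}
            for key, g in groups.items()}

if __name__ == "__main__":
    for (stype, ttype, tclass), g in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(g['perms'])} }} on {', '.join(g['objects'])}")
```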