Re: shm denials
On Mon, 2005-02-14 at 10:40, Ivan Gyurdiev wrote:
> True, this seems to cut OpenGL performance in half.
>
> Enforcing mode:
>
> 8071 frames in 5.0 seconds = 1614.200 FPS
> 9480 frames in 5.0 seconds = 1896.000 FPS
> 9480 frames in 5.0 seconds = 1896.000 FPS
>
> Permissive mode / Enforcing mode with this allowed:
>
> 13682 frames in 5.0 seconds = 2736.400 FPS
> 14729 frames in 5.0 seconds = 2945.800 FPS
> 14694 frames in 5.0 seconds = 2938.800 FPS
> 14718 frames in 5.0 seconds = 2943.600 FPS
> 14640 frames in 5.0 seconds = 2928.000 FPS
>
> audit(1108395306.088:0): avc: denied { write } for pid=11720
> comm=glxgears path=/SYSV00000000 (deleted) dev=tmpfs ino=38338560
> scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:xdm_xserver_tmpfs_t tclass=file
Yes, no surprise there. Again, someone would need to assess the risk
posed by allowing it (e.g. does X create any shared memory objects that
should not be directly writable by the user domains, what safeguards
does X apply in handling the potentially malicious data from the shared
memory object, etc). Possibly a candidate for a boolean.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
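
An added example, not part of the original message or of any SELinux project code: a sketch of what "a candidate for a boolean" could look like for the denial quoted above. It extracts the source type, target type, class and permission from the AVC record and renders the matching allow rule inside a policy conditional that defaults to off. The boolean name `allow_user_xserver_shm` is hypothetical, and the sample line is the quoted denial joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line.
SAMPLE = ('audit(1108395306.088:0): avc: denied { write } for pid=11720 '
          'comm=glxgears path=/SYSV00000000 (deleted) dev=tmpfs ino=38338560 '
          'scontext=user_u:user_r:user_t '
          'tcontext=system_u:object_r:xdm_xserver_tmpfs_t tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return source type, target type, class and permissions of a denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial')
    # key=value pairs; free text such as "(deleted)" is skipped.
    fields = dict(re.findall(r'(\w+)=(\S+)', m.group('rest')))
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError('missing ' + key)
    # A context is user:role:type[:level]; the type is the third field.
    return {
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
    }


def conditional_rule(avc, boolean):
    """Render the allow rule inside a conditional whose boolean defaults to false."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = 'allow %s %s:%s %s;' % (
        avc['source'], avc['target'], avc['tclass'], perm_text)
    return 'bool %s false;\nif (%s) {\n    %s\n}\n' % (boolean, boolean, rule)


if __name__ == '__main__':
    # Hypothetical boolean name, chosen for this example only.
    print(conditional_rule(parse_avc(SAMPLE), 'allow_user_xserver_shm'))
```

With the boolean left at its default, the write stays denied; the risk questions raised in the reply decide whether a site turns it on.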