On my intel gfx card, running glxgears gives:

$ glxgears
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
LLVM ERROR: Allocation failed when allocating new memory in the JIT
Can't allocate RWX Memory: Permission denied

type=AVC msg=audit(1441174330.223:105916): avc: denied { execmem } for pid=20612 comm="glxgears" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c511 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c511 tclass=process permissive=0

Adding dev_rw_dri(staff_t) and running glxgears works perfectly fine. On the other hand, if I do not have dri access, glxgears appears to fall back to something in MESA which does JIT and requires execmem perms and PaX marking. Out of the two options dri access seems preferred. Using mpv with -vo=opengl leads to exactly the same issue of execmem if no dri access.

Now the question is: should this just be granted on all X domains through one of the xserver interfaces? Or do we give it to individual domains? Or give it everywhere but use a boolean? It would also be good to confirm if this applies to other graphics drivers or if they need different rules.
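As an added illustration of the "boolean" option from the question above (example written here, not a patch from the thread or from refpolicy), a small local policy module that gates dev_rw_dri(staff_t) behind a tunable so the DRI grant can be switched on without also opening up execmem; the module name and the boolean name staff_dri_device_access are hypothetical.

```selinux
policy_module(local_dri, 1.0.0)

## <desc>
## <p>
##	Allow the staff user domain read/write access to DRI
##	devices so that Mesa can use hardware acceleration
##	instead of falling back to its JIT software path,
##	which would require execmem on the process.
## </p>
## </desc>
# Hypothetical boolean name; off by default so the grant is opt-in.
gen_tunable(staff_dri_device_access, false)

gen_require(`
	type staff_t;
')

# With the boolean on, staff_t gets the dri device access from the
# question above (dev_rw_dri(staff_t)) and glxgears/mpv -vo=opengl
# use the hardware driver. With it off, the AVC denial is on
# { execmem } rather than on the dri device, which is the signal
# that the software JIT fallback is being hit.
tunable_policy(`staff_dri_device_access',`
	dev_rw_dri(staff_t)
')
```

Toggling the boolean at runtime (setsebool staff_dri_device_access on) makes it easy to compare the two AVC outcomes on the same host before deciding whether the rule belongs in an xserver interface or in individual domains.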
> It would also be good to confirm if this applies to other graphics drivers or if they need different rules. With the proprietary nvidia drivers I do not need this rule, but I needed to set allow_mplayer_execstack to true to get -vo opengl working. glxgears worked out of the box for me.