From: Stefano Brivio
To: Johannes Segitz
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] SELinux: Dontaudit access to dri devices
Date: Mon, 30 Mar 2026 17:15:42 +0200 (CEST)
Message-ID: <20260330171541.15a8b5d0@elisabeth>
In-Reply-To: <20260330110557.2569119-1-jsegitz@suse.de>
References: <20260330110557.2569119-1-jsegitz@suse.de>
List-Id: Development discussion and patches for passt

[Adding Paul as he might know why this happens]

Hi Johannes,

On Mon, 30 Mar 2026 13:05:57 +0200
Johannes Segitz wrote:

> Currently podman can pass a FD to a DRI device to pasta, leading to AVCs
> like this:
> avc: denied { read write }
> comm="pasta" path="/dev/dri/renderD128"
> scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:dri_device_t:s0
> tclass=chr_file
> These are harmless, so dontaudit them
>
> Signed-off-by: Johannes Segitz

Thanks for the patch.
I'm wondering how this can still happen, though, as commit 09603cab28f9
("passt, util: Close any open file that the parent might have leaked")
should take care of those. Do you happen to know?

Perhaps the access happens before we call isolate_initial()... but then I
guess we should try to close leaked files before that point, to be on the
safe side?

-- 
Stefano
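The pattern the thread discusses, closing every descriptor the parent leaked before any further setup so the denied access never happens (rather than only silencing the AVC with a dontaudit rule), as an added example that is not passt's code and not commit 09603cab28f9; close_inherited_fds(), demo_close_leaked_fd() and the /proc/self/fd walk are my own choices.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper for this example, not passt's code: close every
 * descriptor >= lowfd except those in keep[], walking /proc/self/fd so
 * only existing descriptors are touched. Returns the count closed. */
int close_inherited_fds(int lowfd, const int *keep, size_t nkeep)
{
	DIR *dir = opendir("/proc/self/fd");
	int dfd, closed = 0;
	struct dirent *e;
	if (!dir)
		return -1;
	dfd = dirfd(dir);	/* the DIR's own descriptor must survive */
	while ((e = readdir(dir))) {
		char *end;
		long fd = strtol(e->d_name, &end, 10);
		size_t i;
		if (e->d_name[0] == '.' || *end || fd < lowfd || fd == dfd)
			continue;
		for (i = 0; i < nkeep && keep[i] != fd; i++)
			;
		if (i < nkeep)
			continue;	/* intentionally passed by the parent */
		if (!close((int)fd))
			closed++;	/* EBADF for an already-gone entry is fine */
	}
	closedir(dir);
	return closed;
}

/* Simulate a parent that hands us one wanted descriptor and leaks
 * another (constructed /dev/null stand-ins for a socket and for
 * /dev/dri/renderD128); fcntl(F_GETFD) fails with EBADF once closed.
 * Returns 1 when only the wanted descriptor is still open afterwards. */
int demo_close_leaked_fd(void)
{
	int wanted = open("/dev/null", O_RDWR);
	int leaked = open("/dev/null", O_RDWR);
	int keep[1] = { wanted }, ok;
	if (wanted < 0 || leaked < 0)
		return 0;
	close_inherited_fds(wanted < leaked ? wanted : leaked, keep, 1);
	ok = fcntl(wanted, F_GETFD) != -1 && fcntl(leaked, F_GETFD) == -1;
	close(wanted);
	return ok;
}
```

In a real tool this runs as early as possible in main(), before any sandboxing step such as isolate_initial(), so a leaked device node is gone before the process touches anything that SELinux would log.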