Re: [PATCH] SELinux: Dontaudit access to dri devices

public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed

From: Stefano Brivio <sbrivio@redhat.com>
To: Paul Holzinger <pholzing@redhat.com>
Cc: Johannes Segitz <jsegitz@suse.de>, passt-dev@passt.top
Subject: Re: [PATCH] SELinux: Dontaudit access to dri devices
Date: Thu, 02 Apr 2026 15:46:13 +0200 (CEST)	[thread overview]
Message-ID: <20260402154612.3e034802@elisabeth> (raw)
In-Reply-To: <3b5af0d8-1f88-4190-b4ac-5bab780b2781@redhat.com>

On Thu, 2 Apr 2026 14:24:49 +0200
Paul Holzinger <pholzing@redhat.com> wrote:

> On 31/03/2026 21:47, Stefano Brivio wrote:
>
> [...]
>
> > By the way I wonder if it's similar to this report:
> >
> >    https://bugzilla.redhat.com/show_bug.cgi?id=2374197
> >
> > which I never really tried to figure out.  
> 
> I described here I think: 
> https://bugzilla.redhat.com/show_bug.cgi?id=2374291#c10

Gosh, I missed that, thanks.

I wonder how many of these other tickets (especially the ones in NEW)
around SELinux:

  https://bugzilla.redhat.com/buglist.cgi?cmdtype=runnamed&list_id=13663808&namedcmd=passt&sharer_id=410109

might also be caused by that. We would need to triage them at some
point.

> There is never time to close fds earlier, it validates sometime during 
> execve(). My guess because that is the point where it transitions into 
> the pasta_t context so it checks all files against the new policy?

What's mildly interesting (and what tricked me here) is that in this
case we get { read write }, in some other cases we get "read" or
"append" access only... but I suppose that simply depends on how the
file was opened by the leaking process in the first place.

But I didn't really track this down in the SELinux hooks in the kernel,
so I'd still be a bit curious to see what happens if we close_range()
things right away.

-- 
Stefano

next prev parent reply	other threads:[~2026-04-02 13:46 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-30 11:05 Johannes Segitz
2026-03-30 15:15 ` Stefano Brivio
2026-03-31  7:00   ` Johannes Segitz
2026-03-31 19:47     ` Stefano Brivio
2026-04-01 12:12       ` Johannes Segitz
2026-04-02 12:24       ` Paul Holzinger
2026-04-02 13:36         ` Paul Holzinger
2026-04-02 13:46         ` Stefano Brivio [this message]
2026-04-02 14:07           ` Johannes Segitz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260402154612.3e034802@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=jsegitz@suse.de \
    --cc=passt-dev@passt.top \
    --cc=pholzing@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).