From: Stefano Brivio
To: Paul Holzinger
CC: Johannes Segitz, passt-dev@passt.top
Subject: Re: [PATCH] SELinux: Dontaudit access to dri devices
Date: Thu, 02 Apr 2026 15:46:13 +0200 (CEST)
Message-ID: <20260402154612.3e034802@elisabeth>
In-Reply-To: <3b5af0d8-1f88-4190-b4ac-5bab780b2781@redhat.com>
References: <20260330110557.2569119-1-jsegitz@suse.de> <20260330171541.15a8b5d0@elisabeth> <20260331214758.227f3fac@elisabeth> <3b5af0d8-1f88-4190-b4ac-5bab780b2781@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 2 Apr 2026 14:24:49 +0200
Paul Holzinger wrote:

> On 31/03/2026 21:47, Stefano Brivio wrote:
>
> [...]
>
> > By the way I wonder if it's similar to this report:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2374197
> >
> > which I never really tried to figure out.
>
> I described here I think:
> https://bugzilla.redhat.com/show_bug.cgi?id=2374291#c10

Gosh, I missed that, thanks. I wonder how many of these other tickets
(especially the ones in NEW) around SELinux:

https://bugzilla.redhat.com/buglist.cgi?cmdtype=runnamed&list_id=13663808&namedcmd=passt&sharer_id=410109

might also be caused by that. We would need to triage them at some
point.

> There is never time to close fds earlier, it validates sometime during
> execve(). My guess because that is the point where it transitions into
> the pasta_t context so it checks all files against the new policy?

What's mildly interesting (and what tricked me here) is that in this
case we get { read write }, in some other cases we get "read" or
"append" access only... but I suppose that simply depends on how the
file was opened by the leaking process in the first place.

But I didn't really track this down in the SELinux hooks in the kernel,
so I'd still be a bit curious to see what happens if we close_range()
things right away.

-- 
Stefano
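The mechanism the thread is about, as an added example that is not passt code: a descriptor opened without O_CLOEXEC survives execve(), so it is the kind of fd SELinux checks against the new domain's policy at the transition, while one marked close-on-exec never reaches the new process. The sealing here is done on the parent side before exec, using close_range() with CLOSE_RANGE_CLOEXEC (a /proc/self/fd walk stands in on kernels without it); the function names and the /dev/null stand-in for a leaked device fd are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef CLOSE_RANGE_CLOEXEC
#define CLOSE_RANGE_CLOEXEC (1U << 2)  /* uapi value, Linux 5.11+ */
#endif

/* 1 if fd is open and would survive execve(), 0 if close-on-exec or not open.
 * Only surviving fds are checked against the new domain's policy at exec. */
int fd_crosses_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Mark every fd >= lowfd close-on-exec: one close_range() where the kernel
 * supports CLOSE_RANGE_CLOEXEC, else a walk over /proc/self/fd. 0 or -1. */
int seal_fds_from(int lowfd)
{
#ifdef __NR_close_range
    if (syscall(__NR_close_range, lowfd, ~0U, CLOSE_RANGE_CLOEXEC) == 0)
        return 0;
#endif
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d));) {
        int fd = atoi(e->d_name), flags;
        if (e->d_name[0] == '.' || fd < lowfd || fd == dirfd(d))
            continue;
        if ((flags = fcntl(fd, F_GETFD)) >= 0)
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
    }
    closedir(d);
    return 0;
}

/* Constructed leak: an fd opened without O_CLOEXEC, the way a careless parent
 * would hand it to pasta. Returns 1 if it crosses exec before sealing only. */
int leak_demo(void)
{
    int fd = open("/dev/null", O_RDWR);
    int ok = fd_crosses_exec(fd) && seal_fds_from(3) == 0 && !fd_crosses_exec(fd);
    close(fd);
    return ok;
}
int main(void) { return leak_demo() ? 0 : 1; }
```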