From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=DEnnOG4b;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTPS id E23435A0269
	for <passt-dev@passt.top>; Tue, 07 Apr 2026 11:11:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1775553076;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=iJuq6ZPz+Js77Vwua+rlZwMUHplbOD2S49hZoy7uzrc=;
	b=DEnnOG4bCuH59Dxo37kWGTqIuyO3NcOvBw8J7g71YQZECBHkKqMmWgq7PMryz7uPKETBWG
	XxnSjW2rCGsw8j7serk+9yzMgEexVegvxbKkdWtnktYiKjjOYefYYmbXk77Y5bV41gwIT6
	obKXAEReqaCRT+Xp2HTrzJx9BAWnhek=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com
 [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-497-wMdLMFkEOTqJkMCjCeswDw-1; Tue, 07 Apr 2026 05:11:15 -0400
X-MC-Unique: wMdLMFkEOTqJkMCjCeswDw-1
X-Mimecast-MFC-AGG-ID: wMdLMFkEOTqJkMCjCeswDw_1775553074
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-43d02fa5860so4894879f8f.0
        for <passt-dev@passt.top>; Tue, 07 Apr 2026 02:11:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775553073; x=1776157873;
        h=date:content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=iJuq6ZPz+Js77Vwua+rlZwMUHplbOD2S49hZoy7uzrc=;
        b=C45mmFWNC/80qjVlyUxMHfPZG7dMysAbl64vTOG/cRWvoaZPB/9cyFHruXX9tK4Xiw
         uVH/oFy16btR3AFNrRRUZ5BCB5Wyzkel/FCKf2+krUKfSv8TG8xj5PSWYRsMpWw51njj
         ozh9wSc4jwd8IUlqpmBBAfV0vjdo2esmDSpqZfc3Wi16eohKBcBdxm6zNg8djC433dSW
         XZUXrZW1Bd+ZdxcQg0OCBCyxGm3hWCfG8LBpQIx33SQ7BmS/HxvQ7n1QF++wQ/XFUvFi
         M20skt696oKoRURpbQCoR3yezahwRZOuza1oyT0y7NjX2NsAksPwmx7QJLYuBZWBBUA6
         VDhg==
X-Gm-Message-State: AOJu0Yx0dk2kES6XB/f0j5XvaOnPtldAuFfuVje6p/GnYOOIsMd4HzCY
	uMm0V9mD7ouw0ri9D7gUfmAOUAewNOfxGoBzqCbJXTBxMTpbG8ND0bgZ4VG7SKYQG2VflQB2ibD
	WWIrqGGAylIfaqajjd3rEKcleomFkB4EmFZokDv2dGPuR1lXDSC21hcqIG0LgK/i5Dc7Ii91f5b
	xGubCtdzz1DJ8zxEsJg6shf72apQ/2vfB5fqRI
X-Gm-Gg: AeBDieuJBJ9CDzJ/A/jBquRhc0HWP/u6iQzfjZYObvMHExWCHd0awt0XJiWL49VSkvk
	mALjyxoWC2P4U+HXO7Qm92fj5Il9dHTaZx4fG24qgZNDkUMNhwziL0nWOhriyReJGKot/nptbz8
	1E+mEP/cUHkXI6Xd3w1x9M8/bkPnvI924L/Y2Wa5NV7vJOCank4GdoIfrMVTNK5BywaIM3zmZlh
	h8LMokSyO1m8PAIRHPs328+JgLu0bf1SwAOizPSAWiVPXga3dfqOHf3za8Xu8X++sQkL98ZrWPH
	inik/Ha2Fg1mRJOACYuCraeL0w7n7MkpEhdohUUipt5kYWeLZe5hSsxdcur3/AfNTybt/eAXPC1
	rvSFgz4x2u8xkGm8Le8h5gRIwNYw8zPr8
X-Received: by 2002:a05:6000:1446:b0:43d:4c:22be with SMTP id ffacd0b85a97d-43d292d4789mr23484046f8f.36.1775553072878;
        Tue, 07 Apr 2026 02:11:12 -0700 (PDT)
X-Received: by 2002:a05:6000:1446:b0:43d:4c:22be with SMTP id ffacd0b85a97d-43d292d4789mr23483938f8f.36.1775553072165;
        Tue, 07 Apr 2026 02:11:12 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d1e2c54bdsm49673311f8f.16.2026.04.07.02.11.11
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Apr 2026 02:11:11 -0700 (PDT)
From: Stefano Brivio <sbrivio@redhat.com>
To: Johannes Segitz <jsegitz@suse.de>, Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH] SELinux: Dontaudit access to dri devices
Message-ID: <20260407111110.4153e21b@elisabeth>
In-Reply-To: <adS_2Kr8pGSEAS23@suse.com>
References: <20260330110557.2569119-1-jsegitz@suse.de>
	<20260330171541.15a8b5d0@elisabeth>
	<actxHwXyTdc1OWic@suse.com>
	<20260331214758.227f3fac@elisabeth>
	<3b5af0d8-1f88-4190-b4ac-5bab780b2781@redhat.com>
	<243f48b3-ccfa-437f-ac46-9229519b206b@redhat.com>
	<adS_2Kr8pGSEAS23@suse.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Date: Tue, 07 Apr 2026 11:11:11 +0200 (CEST)
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: sTQaY04PAMNa3OUE1EQumnS7B6aNUPcjQUCgBiWZmg4_1775553074
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: FYZFLP365N5BEARZOHLWF4STW3WMVVCY
X-Message-ID-Hash: FYZFLP365N5BEARZOHLWF4STW3WMVVCY
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20260407111110.4153e21b@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/FYZFLP365N5BEARZOHLWF4STW3WMVVCY/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Tue, 7 Apr 2026 10:27:04 +0200
Johannes Segitz <jsegitz@suse.de> wrote:

> On Thu, Apr 02, 2026 at 03:36:58PM +0200, Paul Holzinger wrote:
> > I did a quick spot check in Podman and found a few places where a fd might
> > be leaked: https://github.com/containers/podman/pull/28434
> > 
> > That said I do not think any of these would explain an open /dev/dri path.  
> 
> I build podman with the change (and passt with the broader fd closing
> logic) and asked the reporter to test them. The denial is still shown with
> this unfortunately

Johannes, thanks for reporting back.

Paul, I was wondering: would there be a way to do something equivalent
to that close_range() directly in Podman, before it starts pasta? I
think it's a separate thread (or even a forked process) starting it,
but I haven't really checked.

-- 
Stefano