Re: [PATCH] SELinux: Dontaudit access to dri devices

[Johannes Segitz <jsegitz@suse.de>]

[-- Attachment #1: Type: text/plain, Size: 2212 bytes --]

On Thu, Apr 02, 2026 at 03:46:13PM +0200, Stefano Brivio wrote:
> On Thu, 2 Apr 2026 14:24:49 +0200
> Paul Holzinger <pholzing@redhat.com> wrote:
> 
> > On 31/03/2026 21:47, Stefano Brivio wrote:
> >
> > [...]
> >
> > > By the way I wonder if it's similar to this report:
> > >
> > >    https://bugzilla.redhat.com/show_bug.cgi?id=2374197
> > >
> > > which I never really tried to figure out.  
> > 
> > I described here I think: 
> > https://bugzilla.redhat.com/show_bug.cgi?id=2374291#c10
> 
> Gosh, I missed that, thanks.
> 
> I wonder how many of these other tickets (especially the ones in NEW)
> around SELinux:
> 
>   https://bugzilla.redhat.com/buglist.cgi?cmdtype=runnamed&list_id=13663808&namedcmd=passt&sharer_id=410109
> 
> might also be caused by that. We would need to triage them at some
> point.
> 
> > There is never time to close fds earlier, it validates sometime during 
> > execve(). My guess because that is the point where it transitions into 
> > the pasta_t context so it checks all files against the new policy?
> 
> What's mildly interesting (and what tricked me here) is that in this
> case we get { read write }, in some other cases we get "read" or
> "append" access only... but I suppose that simply depends on how the
> file was opened by the leaking process in the first place.
> 
> But I didn't really track this down in the SELinux hooks in the kernel,
> so I'd still be a bit curious to see what happens if we close_range()
> things right away.

The first patch version didn't help, now asked the reporter to test the
second version and also patched podman with the change Paul sent upstream.

I unfortunately can't test it myself since it doesn't happen for me, but I
hope to be able to provide the test packages to the reporter before I leave
for easter and will report back next week then

Johannes
-- 
GPG Key                EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nürnberg, Germany
Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 870 bytes --]