Re: [PATCH] SELinux: Dontaudit access to dri devices

[Johannes Segitz <jsegitz@suse.de>]

[-- Attachment #1: Type: text/plain, Size: 1698 bytes --]

Hi,

On Mon, Mar 30, 2026 at 05:15:42PM +0200, Stefano Brivio wrote:
> On Mon, 30 Mar 2026 13:05:57 +0200 Johannes Segitz <jsegitz@suse.de> wrote:
> > Currently podman can pass a FD to a DRI device to pasta, leading to AVCs
> > like this:
> > avc:  denied  { read write }
> > comm="pasta" path="/dev/dri/renderD128"
> > scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:dri_device_t:s0
> > tclass=chr_file
> > These are harmless, so dontaudit them
> > 
> > Signed-off-by: Johannes Segitz <jsegitz@suse.de>
> 
> Thanks for the patch.
> 
> I'm wondering how can this still happen though, as commit 09603cab28f9
> ("passt, util: Close any open file that the parent might have leaked")
> should take care of those. Do you happen to know?

No, I just read the code and it seems like this should prevent this. I
unfortunately can't debug this in depth, because it doesn't happen on my
system. The reporter is helpful with debugging, but going into gdb sessions
with remote hands doesn't sound feasible ;)

> Perhaps the access happens before we call isolate_initial()... but then
> I guess we should try to close leaked files before that point, to be on
> the safe side?

Would be worth a try. If you have a patch for that I can provide an updated
package to the reporter and ask him to test it

Johannes
-- 
GPG Key                EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nürnberg, Germany
Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 870 bytes --]