Hi,

On Mon, Mar 30, 2026 at 05:15:42PM +0200, Stefano Brivio wrote:
> On Mon, 30 Mar 2026 13:05:57 +0200
> Johannes Segitz wrote:
>
> > Currently podman can pass a FD to a DRI device to pasta, leading to AVCs
> > like this:
> >
> >   avc: denied { read write }
> >   comm="pasta" path="/dev/dri/renderD128"
> >   scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> >   tcontext=system_u:object_r:dri_device_t:s0
> >   tclass=chr_file
> >
> > These are harmless, so dontaudit them.
> >
> > Signed-off-by: Johannes Segitz
>
> Thanks for the patch.
>
> I'm wondering how this can still happen though, as commit 09603cab28f9
> ("passt, util: Close any open file that the parent might have leaked")
> should take care of those. Do you happen to know?

No, I just read the code and it seems like this should prevent this. I
unfortunately can't debug this in depth, because it doesn't happen on my
system. The reporter is helpful with debugging, but going into gdb
sessions with remote hands doesn't sound feasible ;)

> Perhaps the access happens before we call isolate_initial()... but then
> I guess we should try to close leaked files before that point, to be on
> the safe side?

Would be worth a try. If you have a patch for that I can provide an
updated package to the reporter and ask him to test it.

Johannes

--
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nürnberg, Germany
Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
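The leaked-descriptor cleanup that the thread refers to, as an added example that is not part of this thread or of passt's own code: a small C routine that closes every inherited descriptor above a chosen number by walking /proc/self/fd (falling back to a sweep up to the process fd limit when /proc is unavailable), plus a helper that confirms a descriptor is gone. The function names, the 4096-entry buffer and the 65536 sweep ceiling are my own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every file descriptor above 'keep_max' that the parent may have
 * leaked into this process (for instance an inherited /dev/dri handle),
 * so the process never holds an object it has no business touching.
 * Returns the number of descriptors actually closed. */
int close_leaked_fds(int keep_max)
{
	DIR *dir = opendir("/proc/self/fd");
	int fds[4096];               /* assumption: enough for a sane process */
	int n = 0, closed = 0;
	struct dirent *de;

	if (!dir) {
		/* No /proc: fall back to a brute-force sweep up to the fd limit. */
		long max = sysconf(_SC_OPEN_MAX);
		for (long fd = keep_max + 1; fd < max && fd < 65536; fd++)
			if (close((int)fd) == 0)
				closed++;
		return closed;
	}

	/* Collect first: closing while readdir() is still walking the
	 * directory would invalidate the iterator. */
	while ((de = readdir(dir)) && n < 4096) {
		char *end;
		long fd = strtol(de->d_name, &end, 10);
		if (*end || fd <= keep_max || fd == dirfd(dir))
			continue;            /* skip ".", "..", kept fds, our DIR fd */
		fds[n++] = (int)fd;
	}
	closedir(dir);

	for (int i = 0; i < n; i++)
		if (close(fds[i]) == 0)
			closed++;
	return closed;
}

/* Self-check helper: true while 'fd' still refers to an open description. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}
```

Calling `close_leaked_fds(STDERR_FILENO)` as the very first thing in `main()`, before any sandboxing step, is what closes the window the thread is discussing.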