From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=IetwUOVA; dkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=7NaOSg/d; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=Jm+lSjzN; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=NwYKSewY; dkim-atps=neutral Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) by passt.top (Postfix) with ESMTPS id 6A56C5A0265 for ; Tue, 31 Mar 2026 09:00:56 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 6EF085BEA4; Tue, 31 Mar 2026 07:00:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1774940455; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8Kbptx1VQ5lC5KIeczQwfufVNzBkPnwV7qLu6mGcAiM=; b=IetwUOVA4q6DoMb1ybP3D4LnniAVYRmyOuAhwUKJIhhsOgt63JHLcIDVsQOdtzsC0x8yQ4 dHq+LY+B1B7FlUpV0vpeE15u6qdhIE7AXUgfFX6LMEW+RMqKjzCy1rpkA2CXCxQD6o8dLe BIaqsNAaTxm/0FXklS96ySmon+zuK7E= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1774940455; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8Kbptx1VQ5lC5KIeczQwfufVNzBkPnwV7qLu6mGcAiM=; b=7NaOSg/dFHGJbXqapHzvS8mGtTkOn4a7Z4SOcd2Z2yTMn2AcVhHOPonFgX52MjJOKS1qUj KqaNwGtXN7W+3vCw== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1774940452; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8Kbptx1VQ5lC5KIeczQwfufVNzBkPnwV7qLu6mGcAiM=; b=Jm+lSjzNCi4lsT9Xwu3DBy9spVytm/0OUkAsi/D68F67mMCFLHlMVnxxPsI+72p12X+wXf /JcFPQOl3X1xvdrp6liitAfVAY/kbj+Hse/G+swEh5c6peFbRGPHSZrfML9JSJS/fDL+Hx 1l5u9/of2s8ANCXRed/ijzdrJohuu9E= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1774940452; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8Kbptx1VQ5lC5KIeczQwfufVNzBkPnwV7qLu6mGcAiM=; b=NwYKSewYDjyEUKTsepdEz1T5OH80Yg95/EBZFZxe2nW7J2Dsfyslx30OaSGymj73isCJQc +U4DBSBxsnT7hqBg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 54BDF4A0A2; Tue, 31 Mar 2026 07:00:52 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id i82VEyRxy2kuPAAAD6G6ig (envelope-from ); Tue, 31 Mar 2026 07:00:52 +0000 Date: Tue, 31 Mar 2026 09:00:47 +0200 From: Johannes Segitz To: Stefano Brivio Subject: Re: [PATCH] SELinux: Dontaudit access to dri devices Message-ID: References: <20260330110557.2569119-1-jsegitz@suse.de> <20260330171541.15a8b5d0@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="oA8H/3XmGSUOoq7B" Content-Disposition: inline In-Reply-To: <20260330171541.15a8b5d0@elisabeth> X-Spamd-Result: default: False [-6.40 / 50.00]; BAYES_HAM(-3.00)[100.00%]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; NEURAL_HAM_SHORT(-0.20)[-1.000]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MISSING_XM_UA(0.00)[]; FUZZY_RATELIMITED(0.00)[rspamd.com]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:mid,suse.de:email,imap1.dmz-prg2.suse.org:helo] X-Spam-Flag: NO X-Spam-Score: -6.40 X-Spam-Level: X-MailFrom: jsegitz@suse.de X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation Message-ID-Hash: 54EALGCS6UPPDKX5U2NXT4WK5QDCR2IT X-Message-ID-Hash: 54EALGCS6UPPDKX5U2NXT4WK5QDCR2IT X-Mailman-Approved-At: Tue, 31 Mar 2026 09:46:18 +0200 CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --oA8H/3XmGSUOoq7B Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, On Mon, Mar 30, 2026 at 05:15:42PM +0200, Stefano Brivio wrote: > On Mon, 30 Mar 2026 13:05:57 +0200 Johannes Segitz wrot= e: > > Currently podman can pass a FD to a DRI device to pasta, leading to AVCs > > like this: > > avc: denied { read write } > > comm=3D"pasta" path=3D"/dev/dri/renderD128" > > scontext=3Dunconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 > > tcontext=3Dsystem_u:object_r:dri_device_t:s0 > > tclass=3Dchr_file > > These are harmless, so dontaudit them > >=20 > > Signed-off-by: Johannes Segitz >=20 > Thanks for the patch. >=20 > I'm wondering how can this still happen though, as commit 09603cab28f9 > ("passt, util: Close any open file that the parent might have leaked") > should take care of those. Do you happen to know? No, I just read the code and it seems like this should prevent this. I unfortunately can't debug this in depth, because it doesn't happen on my system. The reporter is helpful with debugging, but going into gdb sessions with remote hands doesn't sound feasible ;) > Perhaps the access happens before we call isolate_initial()... but then > I guess we should try to close leaked files before that point, to be on > the safe side? Would be worth a try. If you have a patch for that I can provide an updated package to the reporter and ask him to test it Johannes --=20 GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 N=FCrnberg, Ge= rmany Gesch=E4ftsf=FChrer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 3= 6809, AG N=FCrnberg) --oA8H/3XmGSUOoq7B Content-Type: application/pgp-signature; name=signature.asc Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEJQ9D9ffObx6cWU+VvCfdnSzE/WYFAmnLcR4bFIAAAAAABAAO bWFudTIsMi41KzEuMTEsMiwyAAoJELwn3Z0sxP1mLuAQAIZocbrTD3XEVJkp0427 opxWii6KxZ9PFd8rtIrZAjKWa8A/h6+Wxuty4KD2uMRcsY+DcY9L6eG9znAXdplc yewJ9l4IXtdxyfoRLAZFupvPp9Y5uM/KVwjVwSRUwprkO4+G2lxJED9cok4rKcn4 R3DrAALUGp132WN1mS4Q/LtvmpjVvsioq8z2d34h9qTWzpPxfTWHjv1m+wnGvH0c GmsEcKPhPeSUJpxq0hgBbtOGGCghQzbRZ+weBKFLZTdHULwn1CNDGtcK58mG8C3e bGjdQ+Dooa658YGXSP44rH2VQzejgsBZ+MRg+E4cVvUGZSJoX89rOG24Bx/jLHUs 69xNsNohyC7p/AQTQpawKf0fwYpkjY5PX9BrzvP6Qd7UewPj+/arsw+ILR9NHhIY cOS2Bk26sbdVDcBqYPxK+rnhaAqevj6NaCYP8CMG+IP2IH6uvuy7fOFlHzk3ySq5 AEAUZj/5osXK5ieyRZIdHMAIbJu7hoQtBrsLXh/Wjomf9EKG3lr+7u8EZwYapI7d t+zYYBrZg1ZB7+2KpAkqcPl2v7N27K8RnUgNR8NM24RA2/l+VVg55hpBuMwyBgFj uutKmVCcgEMbO5AaMgx3jYS6QURg5QFQmufT/kgscmFj1GVV6BSeONit06yP2Img Oe+SqwAw/JBULLVuIbXb1gsF =BwM/ -----END PGP SIGNATURE----- --oA8H/3XmGSUOoq7B--