[Adding Paul as he might know why this happens]
Hi Johannes,
On Mon, 30 Mar 2026 13:05:57 +0200
Johannes Segitz
Currently podman can pass an FD to a DRI device to pasta, leading to AVCs like this:

avc: denied { read write } comm="pasta" path="/dev/dri/renderD128" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

These are harmless, so dontaudit them
Signed-off-by: Johannes Segitz
Thanks for the patch. I'm wondering how this can still happen, though, as commit 09603cab28f9 ("passt, util: Close any open file that the parent might have leaked") should take care of those. Do you happen to know? Perhaps the access happens before we call isolate_initial()... but then I guess we should try to close leaked files before that point, to be on the safe side?

-- 
Stefano
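The thread above is about descriptors a parent (here podman) leaks into a child, and about closing them as early as possible in the child. As an added illustration, not passt's own code and not the implementation behind commit 09603cab28f9, the following C program walks /proc/self/fd and closes everything above stderr except an explicit keep list, the pattern a sandboxed process typically uses before dropping further privileges. The "leak" it cleans up is constructed inline by opening /dev/null twice; the function names close_leaked_fds() and fd_is_open() are this example's own. One caveat worth keeping in mind when placing such a call: the kernel's SELinux hook also revalidates inherited open files against the new domain at execve time (flush_unauthorized_files), so a denial on an inherited descriptor can be logged before any user-space code in the child runs, and no user-space close, however early, would suppress that particular message.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Example code, not passt's: returns 1 if fd refers to an open file, 0 if
 * not. F_GETFD is a cheap query that fails with EBADF on a closed slot. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

static int fd_is_kept(int fd, const int *keep, size_t nkeep)
{
	for (size_t i = 0; i < nkeep; i++)
		if (keep[i] == fd)
			return 1;
	return 0;
}

/* Close every descriptor above stderr that is not in keep[]. The list of
 * victims is collected first and closed afterwards, because closing entries
 * while readdir() is still walking /proc/self/fd can make it skip entries.
 * Returns the number of descriptors closed, or -1 if /proc is unavailable. */
int close_leaked_fds(const int *keep, size_t nkeep)
{
	DIR *dir = opendir("/proc/self/fd");
	int *victims = NULL;
	size_t nv = 0, cap = 0;
	struct dirent *de;
	int dfd, closed = 0;

	if (!dir)
		return -1;
	dfd = dirfd(dir);	/* the directory stream's own fd: skip it */

	while ((de = readdir(dir))) {
		char *end;
		long fd;

		if (de->d_name[0] == '.')
			continue;
		errno = 0;
		fd = strtol(de->d_name, &end, 10);
		if (errno || *end || fd < 0 || fd > INT_MAX)
			continue;
		if (fd <= STDERR_FILENO || fd == dfd)
			continue;
		if (fd_is_kept((int)fd, keep, nkeep))
			continue;
		if (nv == cap) {
			int *tmp;

			cap = cap ? cap * 2 : 16;
			tmp = realloc(victims, cap * sizeof(*tmp));
			if (!tmp) {
				free(victims);
				closedir(dir);
				return -1;
			}
			victims = tmp;
		}
		victims[nv++] = (int)fd;
	}
	closedir(dir);

	for (size_t i = 0; i < nv; i++)
		if (close(victims[i]) == 0)
			closed++;
	free(victims);
	return closed;
}

int main(void)
{
	/* Constructed "leak": two descriptors the parent might have left open. */
	int wanted = open("/dev/null", O_RDWR);
	int leaked = open("/dev/null", O_RDONLY);
	int keep[] = { wanted };
	int n;

	if (wanted < 0 || leaked < 0)
		return 1;
	n = close_leaked_fds(keep, 1);
	printf("closed %d descriptor(s); kept fd %d open: %d; leaked fd %d open: %d\n",
	       n, wanted, fd_is_open(wanted), leaked, fd_is_open(leaked));
	return 0;
}
```

On Linux 5.9 or later with glibc 2.34 or later, close_range(3, ~0U, 0) does the same job in one system call without touching /proc, which matters if the call has to happen before /proc is guaranteed to be mounted or reachable from the sandbox; the /proc walk above is the portable fallback.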