Re: [PATCH] SELinux: Dontaudit access to dri devices

On Thu, Apr 02, 2026 at 03:46:13PM +0200, Stefano Brivio wrote:

On Thu, 2 Apr 2026 14:24:49 +0200 Paul Holzinger wrote:

...

On 31/03/2026 21:47, Stefano Brivio wrote:

[...]

...

By the way I wonder if it's similar to this report:

https://bugzilla.redhat.com/show_bug.cgi?id=2374197

which I never really tried to figure out.

I described here I think: https://bugzilla.redhat.com/show_bug.cgi?id=2374291#c10

Gosh, I missed that, thanks.

I wonder how many of these other tickets (especially the ones in NEW) around SELinux:

https://bugzilla.redhat.com/buglist.cgi?cmdtype=runnamed&list_id=13663808&namedcmd=passt&sharer_id=410109

might also be caused by that. We would need to triage them at some point.

...

There is never time to close fds earlier, it validates sometime during execve(). My guess because that is the point where it transitions into the pasta_t context so it checks all files against the new policy?

What's mildly interesting (and what tricked me here) is that in this case we get { read write }, in some other cases we get "read" or "append" access only... but I suppose that simply depends on how the file was opened by the leaking process in the first place.

But I didn't really track this down in the SELinux hooks in the kernel, so I'd still be a bit curious to see what happens if we close_range() things right away.

The first patch version didn't help, now asked the reporter to test the second version and also patched podman with the change Paul sent upstream. I unfortunately can't test it myself since it doesn't happen for me, but I hope to be able to provide the test packages to the reporter before I leave for easter and will report back next week then Johannes -- GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nürnberg, Germany Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)