Bug 2214567

Summary: The container_use_devices boolean doesn't allow the map operation on /dev/dri

Product: Red Hat Enterprise Linux 9
Component: container-selinux
Version: 9.2
Hardware: All
OS: Linux
Status: ON_QA
Severity: high
Priority: unspecified
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Type: Bug
Reporter: Fabien Dupont <fdupont>
Assignee: Jindrich Novy <jnovy>
QA Contact: Edward Shen <weshen>
CC: ajia, dwalsh, jnovy, lsm5, mboddu, tsweeney
Flags: weshen: needinfo? (dwalsh)
Fixed In Version: container-selinux-2.218.0
Doc Type: If docs needed, set a value

Description Fabien Dupont 2023-06-13 12:25:34 UTC
Description of problem:

When trying to run a GPU-accelerated program in a rootless container on RHEL 9.2, the program segfaults and the following AVC is thrown:

SELinux is preventing /opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device from map access on the chr_file /dev/dri/renderD128.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hello_query_device should be allowed map access on the renderD128 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hello_query_dev' --raw | audit2allow -M my-helloquerydev
# semodule -X 300 -i my-helloquerydev.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c43,c166
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                /dev/dri/renderD128 [ chr_file ]
Source                        hello_query_dev
Source Path                   /opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device
Port                          <Unknown>
Host                          samael
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Local Policy RPM              selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     samael
Platform                      Linux samael 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Apr 12 10:45:03 EDT 2023 x86_64 x86_64
Alert Count                   1
First Seen                    2023-06-12 17:57:45 CEST
Last Seen                     2023-06-12 17:57:45 CEST
Local ID                      bfde035a-960c-44a4-a04e-008e8558dfde

Raw Audit Messages
type=AVC msg=audit(1686585465.712:116): avc:  denied  { map } for  pid=2923 comm="hello_query_dev" path="/dev/dri/renderD128" dev="devtmpfs" ino=356 scontext=system_u:system_r:container_t:s0:c43,c166 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1686585465.712:116): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fd822188000 a1=1000 a2=3 a3=11 items=0 ppid=2882 pid=2923 auid=1000 uid=100999 gid=100999 euid=100999 suid=100999 fsuid=100999 egid=100999 sgid=100999 fsgid=100999 tty=pts0 ses=3 comm=hello_query_dev exe=/opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device subj=system_u:system_r:container_t:s0:c43,c166 key=(null)

Hash: hello_query_dev,container_t,dri_device_t,chr_file,map


Version-Release number of selected component (if applicable): 2.205.0-1.el9_2.noarch


How reproducible: Always


Steps to Reproduce:

$ podman run --rm -i --device /dev/dri --group-add keep-groups registry.connect.redhat.com/intel/openvino-dev ./samples/cpp/samples_bin/hello_query_dev

Actual results: Segmentation fault and AVC


Expected results: The program displays info about the CPU and GPU


Additional info:

This is apparently solved in container-selinux 2.213.0: https://paste.centos.org/view/683a5bda.

The following custom module provides a workaround:

module dev_dri 1.0;

require {
        type dri_device_t;
        type container_t;
        class chr_file map;
}

#============= container_t =============
allow container_t dri_device_t:chr_file map;

Comment 1 Daniel Walsh 2023-06-13 12:37:32 UTC
Fixed in rpm -q container-selinux-2.218.0

Comment 2 Tom Sweeney 2023-06-13 15:20:16 UTC
Assigning to @jnovy for any further packaging or BZ needs.

Comment 3 Fabien Dupont 2023-06-13 16:25:49 UTC
Could the fix be backported to RHEL 9.2, so that it can benefit Red Hat Device Edge and customers who want to stick to EUS versions?