2214567 – The container_use_devices boolean doesn't allow the map operation on /dev/dri

Bug 2214567 - The container_use_devices boolean doesn't allow the map operation on /dev/dri [NEEDINFO]

Summary: The container_use_devices boolean doesn't allow the map operation on /dev/dri

Keywords:
Status:	ON_QA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	container-selinux
Sub Component:
Version:	9.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jindrich Novy
QA Contact:	Edward Shen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-13 12:25 UTC by Fabien Dupont
Modified:	2023-07-03 15:15 UTC (History)
CC List:	6 users (show)
Fixed In Version:	container-selinux-2.218.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	weshen: needinfo? (dwalsh)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-159709	0	None	None	None	2023-06-13 12:38:11 UTC

Description Fabien Dupont 2023-06-13 12:25:34 UTC

Description of problem:

When trying to run a GPU-accelerated program in a rootless container on RHEL 9.2, the program segfaults and the following AVC is thrown:

SELinux is preventing /opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device from map access on the chr_file /dev/dri/renderD128.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hello_query_device should be allowed map access on the renderD128 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hello_query_dev' --raw | audit2allow -M my-helloquerydev
# semodule -X 300 -i my-helloquerydev.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c43,c166
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                /dev/dri/renderD128 [ chr_file ]
Source                        hello_query_dev
Source Path                   /opt/intel/openvino_2023.0.0.10926/samples/cpp/sam
                              ples_bin/hello_query_device
Port                          <Unknown>
Host                          samael
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Local Policy RPM              selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     samael
Platform                      Linux samael 5.14.0-284.11.1.el9_2.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Apr 12 10:45:03 EDT 2023
                              x86_64 x86_64
Alert Count                   1
First Seen                    2023-06-12 17:57:45 CEST
Last Seen                     2023-06-12 17:57:45 CEST
Local ID                      bfde035a-960c-44a4-a04e-008e8558dfde

Raw Audit Messages
type=AVC msg=audit(1686585465.712:116): avc:  denied  { map } for  pid=2923 comm="hello_query_dev" path="/dev/dri/renderD128" dev="devtmpfs" ino=356 scontext=system_u:system_r:container_t:s0:c43,c166 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1686585465.712:116): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fd822188000 a1=1000 a2=3 a3=11 items=0 ppid=2882 pid=2923 auid=1000 uid=100999 gid=100999 euid=100999 suid=100999 fsuid=100999 egid=100999 sgid=100999 fsgid=100999 tty=pts0 ses=3 comm=hello_query_dev exe=/opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device subj=system_u:system_r:container_t:s0:c43,c166 key=(null)

Hash: hello_query_dev,container_t,dri_device_t,chr_file,map


Version-Release number of selected component (if applicable): 2.205.0-1.el9_2.noarch


How reproducible: Always


Steps to Reproduce:

$ podman run --rm -i --device /dev/dri --group-add keep-groups registry.connect.redhat.com/intel/openvino-dev ./samples/cpp/samples_bin/hello_query_dev

Actual results: Segmentation fault and AVC


Expected results: The program display info about CPU and GPU


Additional info:

This is apparently solved in container-selinux 2.213.0: https://paste.centos.org/view/683a5bda.

The following custom module provides a workaround:

module dev_dri 1.0;

require {
        type dri_device_t;
        type container_t;
        class chr_file map;
}

#============= container_t =============
allow container_t dri_device_t:chr_file map;

Comment 1 Daniel Walsh 2023-06-13 12:37:32 UTC

Fixed in rpm -q container-selinux-2.218.0

Comment 2 Tom Sweeney 2023-06-13 15:20:16 UTC

Assigning to @jnovy for any further packaging or BZ needs.

Comment 3 Fabien Dupont 2023-06-13 16:25:49 UTC

Could the fix be backported to RHEL 9.2, so it can benefit to Red Hat Device Edge and customers who want to stick to EUS versions?

Note You need to log in before you can comment on or make changes to this bug.