Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
When trying to run a GPU-accelerated program in a rootless container on RHEL 9.2, the program segfaults and the following AVC is thrown:
SELinux is preventing /opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device from map access on the chr_file /dev/dri/renderD128.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that hello_query_device should be allowed map access on the renderD128 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hello_query_dev' --raw | audit2allow -M my-helloquerydev
# semodule -X 300 -i my-helloquerydev.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c43,c166
Target Context system_u:object_r:dri_device_t:s0
Target Objects /dev/dri/renderD128 [ chr_file ]
Source hello_query_dev
Source Path /opt/intel/openvino_2023.0.0.10926/samples/cpp/sam
ples_bin/hello_query_device
Port <Unknown>
Host samael
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Local Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name samael
Platform Linux samael 5.14.0-284.11.1.el9_2.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Apr 12 10:45:03 EDT 2023
x86_64 x86_64
Alert Count 1
First Seen 2023-06-12 17:57:45 CEST
Last Seen 2023-06-12 17:57:45 CEST
Local ID bfde035a-960c-44a4-a04e-008e8558dfde
Raw Audit Messages
type=AVC msg=audit(1686585465.712:116): avc: denied { map } for pid=2923 comm="hello_query_dev" path="/dev/dri/renderD128" dev="devtmpfs" ino=356 scontext=system_u:system_r:container_t:s0:c43,c166 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1686585465.712:116): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fd822188000 a1=1000 a2=3 a3=11 items=0 ppid=2882 pid=2923 auid=1000 uid=100999 gid=100999 euid=100999 suid=100999 fsuid=100999 egid=100999 sgid=100999 fsgid=100999 tty=pts0 ses=3 comm=hello_query_dev exe=/opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device subj=system_u:system_r:container_t:s0:c43,c166 key=(null)
Hash: hello_query_dev,container_t,dri_device_t,chr_file,map
Version-Release number of selected component (if applicable): 2.205.0-1.el9_2.noarch
How reproducible: Always
Steps to Reproduce:
$ podman run --rm -i --device /dev/dri --group-add keep-groups registry.connect.redhat.com/intel/openvino-dev ./samples/cpp/samples_bin/hello_query_dev
Actual results: Segmentation fault and AVC
Expected results: The program display info about CPU and GPU
Additional info:
This is apparently solved in container-selinux 2.213.0: https://paste.centos.org/view/683a5bda.
The following custom module provides a workaround:
module dev_dri 1.0;
require {
type dri_device_t;
type container_t;
class chr_file map;
}
#============= container_t =============
allow container_t dri_device_t:chr_file map;
Hello Fabien Dupont, this is a GPU-accelerated program related issue, we may not have the appropriate environment to test it, may I have your favor to verify it? Thanks!
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (container-selinux bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:6328
Comment 12Red Hat Bugzilla
2024-03-07 04:25:54 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Description of problem: When trying to run a GPU-accelerated program in a rootless container on RHEL 9.2, the program segfaults and the following AVC is thrown: SELinux is preventing /opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device from map access on the chr_file /dev/dri/renderD128. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that hello_query_device should be allowed map access on the renderD128 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'hello_query_dev' --raw | audit2allow -M my-helloquerydev # semodule -X 300 -i my-helloquerydev.pp Additional Information: Source Context system_u:system_r:container_t:s0:c43,c166 Target Context system_u:object_r:dri_device_t:s0 Target Objects /dev/dri/renderD128 [ chr_file ] Source hello_query_dev Source Path /opt/intel/openvino_2023.0.0.10926/samples/cpp/sam ples_bin/hello_query_device Port <Unknown> Host samael Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch Local Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name samael Platform Linux samael 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Apr 12 10:45:03 EDT 2023 x86_64 x86_64 Alert Count 1 First Seen 2023-06-12 17:57:45 CEST Last Seen 2023-06-12 17:57:45 CEST Local ID bfde035a-960c-44a4-a04e-008e8558dfde Raw Audit Messages type=AVC msg=audit(1686585465.712:116): avc: denied { map } for pid=2923 comm="hello_query_dev" path="/dev/dri/renderD128" dev="devtmpfs" ino=356 scontext=system_u:system_r:container_t:s0:c43,c166 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0 type=SYSCALL msg=audit(1686585465.712:116): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fd822188000 a1=1000 a2=3 a3=11 items=0 ppid=2882 pid=2923 auid=1000 uid=100999 gid=100999 euid=100999 suid=100999 fsuid=100999 egid=100999 sgid=100999 fsgid=100999 tty=pts0 ses=3 comm=hello_query_dev exe=/opt/intel/openvino_2023.0.0.10926/samples/cpp/samples_bin/hello_query_device subj=system_u:system_r:container_t:s0:c43,c166 key=(null) Hash: hello_query_dev,container_t,dri_device_t,chr_file,map Version-Release number of selected component (if applicable): 2.205.0-1.el9_2.noarch How reproducible: Always Steps to Reproduce: $ podman run --rm -i --device /dev/dri --group-add keep-groups registry.connect.redhat.com/intel/openvino-dev ./samples/cpp/samples_bin/hello_query_dev Actual results: Segmentation fault and AVC Expected results: The program display info about CPU and GPU Additional info: This is apparently solved in container-selinux 2.213.0: https://paste.centos.org/view/683a5bda. The following custom module provides a workaround: module dev_dri 1.0; require { type dri_device_t; type container_t; class chr_file map; } #============= container_t ============= allow container_t dri_device_t:chr_file map;