
On 05/19/2016 08:21 AM, Daniel P. Berrange wrote:
> On Thu, May 19, 2016 at 01:29:07PM +0200, Ján Tomko wrote:
>> Allow access to /dev/dri/render* devices for domains using <graphics type="spice"> with <gl enable="yes"/>
>
> Ignoring cgroups for a minute, how exactly does QEMU get access to the /dev/dri/render* devices in general? i.e. when QEMU is running as the 'qemu:qemu' user/group account, with selinux enforcing I don't see how it can possibly open these files, as we're not granting access to them in any of the security drivers. Given this, allowing them in cgroups seems like the least of our problems.
The svirt bits can at least be temporarily worked around with chmod 666 /dev/dri/render* and setenforce 0. The cgroup bit requires duplicating the entire cgroup_device_acl block in qemu.conf, which is less friendly and not very future proof. Seems like an easy win.

But yes, there needs to be a larger discussion about how to correctly handle this WRT svirt for both qemu:///system and qemu:///session. selinux bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1337333

- Cole
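As an added illustration, not part of the thread and not libvirt's own code: the cgroup workaround Cole describes, written out as a qemu.conf fragment. Because cgroup_device_acl replaces libvirt's built-in allow list rather than extending it, the whole default set has to be repeated, which is the duplication he objects to. The default entries below are reproduced from memory and should be checked against the commented-out block in the qemu.conf your libvirt ships; the render node name renderD128 is an assumption (compare with ls /dev/dri on the host).

```ini
# Added example (not from the thread): qemu.conf workaround for the cgroup
# device ACL.  This list REPLACES libvirt's defaults, so every default
# device must be repeated or the guest loses access to it.
# Defaults quoted from memory; verify against your own qemu.conf.
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio",
    # render node name assumed; check ls /dev/dri on the host
    "/dev/dri/renderD128"
]
```

Note that this only addresses the cgroup device controller; as Daniel points out above, the svirt label on the render node still has to allow the qemu process to open it, and the chmod 666 / setenforce 0 workaround removes that protection for every process on the host rather than granting access to QEMU alone.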