Allow virtqemud setattr dri devices

zpytela · zpytela · commit a15b4cc7d1fc · 2025-10-14T09:46:13.000+02:00
Steps to reproduce: 1. Create a vm. 2. Enable 3D acceleration under `Video Virtio`. 3. Enable OpenGL and set Listen type to "None" under `Display Spice`. 4. Start the vm. The commit addresses the following AVC denials: type=AVC msg=audit(1760415907.810:959): avc: denied { open } for pid=8333 comm="rpc-virtqemud" path="/dev/dri/renderD128" dev="tmpfs" ino=10 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1760415907.810:960): avc: denied { setattr } for pid=8333 comm="rpc-virtqemud" name="renderD128" dev="tmpfs" ino=10 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2403689
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2266,7 +2266,8 @@ dev_delete_urand(virtqemud_t)
 dev_getattr_fs(virtqemud_t)
 dev_read_cpuid(virtqemud_t)
 dev_rw_sysfs(virtqemud_t)
-dev_rw_inherited_dri(virtqemud_t)
+dev_rw_dri(virtqemud_t)
+dev_setattr_dri_dev(virtqemud_t)
 dev_read_urand(virtqemud_t)
 dev_rw_sgx_vepc(virtqemud_t)
 dev_rw_vfio_dev(virtqemud_t)
