On 05/19/2016 08:21 AM, Daniel P. Berrange wrote:
> On Thu, May 19, 2016 at 01:29:07PM +0200, Ján Tomko wrote:
>> Allow access to /dev/dri/render* devices for domains
>> using <graphics type="spice"> with <gl enable="yes"/>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1337290
>
> Ignoring cgroups for a minute, how exactly does QEMU get access to
> the /dev/dri/render* devices in general ? ie when QEMU is running
> as the 'qemu:qemu' user/group account, with selinux enforcing I
> don't see how it can possibly open these files, as we're not granting
> access to them in any of the security drivers. Given this, allowing
> them in cgroups seems like the least of our problems.
>

The svirt bits can at least be temporarily worked around with chmod 666
/dev/dri/render* and setenforce 0. The cgroup bit requires duplicating
the entire cgroup_device_acl block in qemu.conf which is less friendly
and not very future proof. Seems like an easy win.

But yes, there needs to be a larger discussion about how to correctly
handle this WRT svirt for both qemu:///system and qemu:///session.

selinux bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1337333

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
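The thread names two temporary workarounds (duplicating the whole cgroup_device_acl block in qemu.conf, or chmod 666 on the render nodes plus setenforce 0). The following audit helper is an added example, not libvirt's code and not from anyone in the thread: it parses the uncommented cgroup_device_acl list out of qemu.conf text, reports render nodes the effective ACL would not admit, and flags the two insecure shortcuts (world-writable render nodes, SELinux in permissive mode). The DEFAULT_CGROUP_DEVICE_ACL list is an assumption about what qemu.conf shipped at the time and should be checked against the installed file; the sample configuration and device modes are constructed.

```python
"""Audit the cgroup/svirt state around /dev/dri/render* for QEMU guests.

Added example, not libvirt's own code. All sample inputs are constructed.
"""
import re
import stat
from typing import Dict, List, Optional

# Assumption: the built-in list libvirt uses when cgroup_device_acl is not
# set in qemu.conf. Verify against /etc/libvirt/qemu/qemu.conf on the host.
DEFAULT_CGROUP_DEVICE_ACL = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio",
]

# Matches only an uncommented assignment; a leading '#' never matches '^\s*'.
_ACL_RE = re.compile(r'^\s*cgroup_device_acl\s*=\s*\[(.*?)\]', re.S | re.M)


def parse_cgroup_device_acl(conf_text: str) -> Optional[List[str]]:
    """Return the active cgroup_device_acl entries, or None when the setting
    is absent/commented out (libvirt then falls back to its built-in list)."""
    m = _ACL_RE.search(conf_text)
    if not m:
        return None
    return re.findall(r'"([^"]*)"', m.group(1))


def render_nodes_missing(acl: Optional[List[str]], render_nodes: List[str]) -> List[str]:
    """Render nodes that the effective devices-cgroup ACL would not admit."""
    effective = DEFAULT_CGROUP_DEVICE_ACL if acl is None else acl
    return [n for n in render_nodes if n not in effective]


def is_world_writable(mode: int) -> bool:
    """True when 'other' has write access, i.e. the chmod 666 workaround."""
    return bool(mode & stat.S_IWOTH)


def selinux_permissive(enforce_value: str) -> bool:
    """Interpret the contents of /sys/fs/selinux/enforce ('0' == permissive)."""
    return enforce_value.strip() == "0"


def audit(conf_text: str, render_nodes: List[str],
          node_modes: Dict[str, int], enforce_value: str) -> List[str]:
    """Collect findings; an empty list means neither shortcut is in use and
    every render node is covered by the ACL."""
    findings = []
    for n in render_nodes_missing(parse_cgroup_device_acl(conf_text), render_nodes):
        findings.append(f"{n} is not in cgroup_device_acl; the devices cgroup will deny QEMU")
    for n, mode in node_modes.items():
        if is_world_writable(mode):
            findings.append(f"{n} is world-writable (chmod 666 workaround); any local user can reach the GPU")
    if selinux_permissive(enforce_value):
        findings.append("SELinux is permissive (setenforce 0 workaround); sVirt isolation is off")
    return findings


# Constructed sample of a qemu.conf where the admin duplicated the whole block
# just to append one render node (the "not very future proof" path).
SAMPLE_QEMU_CONF = '''\
# constructed sample of /etc/libvirt/qemu/qemu.conf
#cgroup_device_acl = [
#    "/dev/null", "/dev/full", "/dev/zero"
#]
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio",
    "/dev/dri/renderD128"
]
'''

if __name__ == "__main__":
    # Constructed host state: one node chmod'ed to 666, SELinux set permissive.
    constructed_modes = {"/dev/dri/renderD128": 0o666, "/dev/dri/renderD129": 0o660}
    for line in audit(SAMPLE_QEMU_CONF,
                      list(constructed_modes), constructed_modes, "0\n"):
        print(line)
```

On a real host the inputs would come from reading /etc/libvirt/qemu/qemu.conf, os.stat() on each /dev/dri/render* node, and /sys/fs/selinux/enforce; the functions are kept pure so the logic can be exercised on constructed data.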