Hi there, I am the co-maintainer of boinc-client [1]. boinc-client runs as a service, and both it and its working units run as 'boinc' user and they are confined by SELinux. Recently, I investigated to figure out why boinc-client, while running as a service, could not detect videocard for GPU calculus. In order to fix this problem I had to add Group=video to boinc-client systemd unit file. I have not yet pushed such change to boinc-client Fedora git, because I would like to ask you if this can cause a breach into boinc-client confinement. I mean, I am wondering if a process that can have access to videocard, could for example read what you are doing on your machine, the passwords you copy and paste, etc. What do you think about? Best regards For convenience I attached boinc-client unit file ================================= [Unit] Description=Berkeley Open Infrastructure Network Computing Client Documentation=man:boinc(1) After=network-online.target [Service] Type=forking Nice=10 User=boinc WorkingDirectory=/var/lib/boinc ExecStart=/usr/bin/boinc_client --daemon --start_delay 1 ExecStop=/usr/bin/boinccmd --quit ExecReload=/usr/bin/boinccmd --read_cc_config ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile IOSchedulingClass=idle Environment=LD_LIBRARY_PATH=/opt/amdgpu-pro/lib64 Group=video [Install] WantedBy=multi-user.target ================================= [1]: https://admin.fedoraproject.org/pkgdb/package/rpms/boinc-client/ _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
