Podman container access to /dev/dri blocked by SELinux

Hi everyone. I’m running Fedora 36.

I’m trying to pass through /dev/dri to my jellyfin podman container using:

--device /dev/dri

I’ve enabled the container_use_devices boolean:

sudo setsebool -P container_use_devices=true

When the device is accessed, it’s failing with this in the logs:

setroubleshoot[1663]: SELinux is preventing ffmpeg from map access on the chr_file /dev/dri/renderD128.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ffmpeg should be allowed map access on the renderD128 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ffmpeg' --raw | audit2allow -M my-ffmpeg
# semodule -X 300 -i my-ffmpeg.pp

Does anyone have any pointers?
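As an added illustration (not from the thread, Fedora or podman), the script below parses a raw audit AVC record of the kind `ausearch -c 'ffmpeg' --raw` returns, shows what is being denied, and prints the single allow rule that the denial corresponds to, so the `.te` file produced by `audit2allow -M my-ffmpeg` can be checked against it before `semodule -i` installs anything. The record in `SAMPLE_AVC` is constructed to match the setroubleshoot message above; the `container_t` and `dri_device_t` labels and the `getsebool` output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora/podman: triage a raw audit AVC
# record before turning it into a local policy module with audit2allow.
# SAMPLE_AVC is a CONSTRUCTED record matching the setroubleshoot message above
# (ffmpeg, "map" on /dev/dri/renderD128); the container_t / dri_device_t labels are
# assumptions about how a podman process and a /dev/dri node are labelled.
set -eu

SAMPLE_AVC='type=AVC msg=audit(1660000000.123:456): avc:  denied  { map } for  pid=1234 comm="ffmpeg" path="/dev/dri/renderD128" dev="devtmpfs" ino=567 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0'

# avc_field RECORD NAME: print the value of NAME=... (surrounding quotes removed),
# or nothing when the field is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the permission set inside "{ ... }", e.g. "map" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of an SELinux context (user:role:type:...).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggested_rule RECORD: the narrowest allow rule that would satisfy this one
# denial. Compare the .te file that audit2allow -M generates against this line
# and do not install a module that grants more than the denial actually needs.
suggested_rule() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case "$perms" in
        *" "*) perms="{ $perms }" ;;   # several permissions use brace syntax
    esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# is_container_device_denial RECORD: true when a container process was denied
# access to a character device, i.e. the situation this thread is about. Other
# denials that ausearch -c 'ffmpeg' happens to return should not be folded into
# the same module without a separate look.
is_container_device_denial() {
    if [ "$(ctx_type "$(avc_field "$1" scontext)")" = "container_t" ] &&
       [ "$(avc_field "$1" tclass)" = "chr_file" ]; then
        return 0
    fi
    return 1
}

# bool_is_on GETSEBOOL_OUTPUT: parse a "name --> on|off" line from getsebool,
# to confirm container_use_devices really took effect before writing any policy.
bool_is_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *)         return 1 ;;
    esac
}

# Stand-alone demo on the constructed record.
printf 'process=%s perms=%s target=%s\n' \
    "$(avc_field "$SAMPLE_AVC" comm)" "$(avc_perms "$SAMPLE_AVC")" "$(avc_field "$SAMPLE_AVC" path)"
if is_container_device_denial "$SAMPLE_AVC"; then
    printf 'expected rule in my-ffmpeg.te: %s\n' "$(suggested_rule "$SAMPLE_AVC")"
fi
```

On a real system the record comes from `ausearch -c 'ffmpeg' --raw` and the boolean state from `getsebool container_use_devices`; the point of the triage is that `audit2allow` converts every denial it is fed into an allow rule, so the generated `.te` should contain only the rule for the device access you intended to permit.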

Did you follow the suggested steps to generate a local policy to allow access?

If not then try that.
This clearly appears to be an SELinux issue and the reported fix should work. It also seems likely to be a bug that should be reported.


It looks like it initially did work but needs a policy update now that ffmpeg is trying to use the device (which is now present in the container). Unfortunately, many container images aren’t built/labeled for SELinux. For volumes, that gets worked around with :z/:Z, but I’m not sure how that gets handled with devices.