[libvirt] [PATCH 2/2] qemu_cgroup: allow access to /dev/dri/render*

Cole Robinson crobinso at redhat.com
Thu May 19 12:36:35 UTC 2016

On 05/19/2016 08:21 AM, Daniel P. Berrange wrote:
> On Thu, May 19, 2016 at 01:29:07PM +0200, Ján Tomko wrote:
>> Allow access to /dev/dri/render* devices for domains
>> using <graphics type="spice"> with <gl enable="yes"/>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1337290
> Ignoring cgroups for a minute, how exactly does QEMU get access to
> the /dev/dri/render* devices in general ?  ie when QEMU is running
> as the 'qemu:qemu' user/group account, with selinux enforcing I
> don't see how it can possibly open these files, as we're not granting
> access to them in any of the security drivers. Given this, allowing
> them in cgroups seems like the least of our problems.

The svirt bits can at least be temporarily worked around with chmod 666
/dev/dri/render* and setenforce 0. The cgroup bit requires duplicating the
entire cgroup_device_acl block in qemu.conf which is less friendly and not
very future proof. Seems like an easy win

But yes, there needs to be a larger discussion about how to correctly handle
this WRT svirt for both qemu:///system and qemu:///session. selinux bug here:


- Cole

More information about the libvir-list mailing list