From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTP id EB58A5A026F for ; Wed, 16 Aug 2023 11:06:07 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692176767; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QEjnw3sY58ynYfULelnvelzbl3WFij3EK6Y7HO7uteQ=; b=G11sW7cowlBbiRllJ/+N7gB7YIhu1TaQLgqpR3LEgiOhsA2K0IH+FsB3H7QlL6nOBl/SBw xUkdxkmu2MDpHMoGI3P04RUlXnpfr+n9we3IefyTsqMa72Y4HzCeYCwaqMuUlXkKmpWREL qoWJV19JYMfoRukxmeFRCONB3P9eygg= Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-590-holAxlA4PnKNAswCkxGHNg-1; Wed, 16 Aug 2023 05:06:03 -0400 X-MC-Unique: holAxlA4PnKNAswCkxGHNg-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8B8212806066; Wed, 16 Aug 2023 09:06:03 +0000 (UTC) Received: from localhost (unknown [10.42.28.15]) by smtp.corp.redhat.com (Postfix) with ESMTP id 572A54A9004; Wed, 16 Aug 2023 09:06:03 +0000 (UTC) Date: Wed, 16 Aug 2023 10:06:02 +0100 From: "Richard W.M. Jones" To: Stefano Brivio Subject: Re: [PATCH 4/7] selinux: Update policy to fix user/group settings Message-ID: <20230816090602.GD7636@redhat.com> References: <20230816060038.870746-1-sbrivio@redhat.com> <20230816060038.870746-5-sbrivio@redhat.com> MIME-Version: 1.0 In-Reply-To: <20230816060038.870746-5-sbrivio@redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Message-ID-Hash: JS4V4E7YHPVWNNJEGH6NIPBUT5FDZIY4 X-Message-ID-Hash: JS4V4E7YHPVWNNJEGH6NIPBUT5FDZIY4 X-MailFrom: rjones@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed, Aug 16, 2023 at 08:00:35AM +0200, Stefano Brivio wrote: > Somehow most of this used to work on older kernels, but now we need > to explicitly permit setuid, setgid, and setcap capabilities, as well > as read-only access to passwd (as we support running under a given > login name) and sssd library facilities. > > Signed-off-by: Stefano Brivio > --- > contrib/selinux/passt.te | 7 +++++-- > contrib/selinux/pasta.te | 8 ++++++-- > 2 files changed, 11 insertions(+), 4 deletions(-) > > diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te > index 5868a41..a0c0526 100644 > --- a/contrib/selinux/passt.te > +++ b/contrib/selinux/passt.te > @@ -49,7 +49,7 @@ require { > > class netlink_route_socket { bind create nlmsg_read }; > > - class capability sys_tty_config; > + class capability { sys_tty_config setuid setgid }; > class cap_userns { setpcap sys_admin sys_ptrace }; > class user_namespace create; > } > @@ -89,10 +89,13 @@ logging_send_syslog_msg(passt_t) > allow syslogd_t self:cap_userns sys_ptrace; > > allow passt_t self:process setcap; > -allow passt_t self:capability { sys_tty_config setpcap net_bind_service }; > +allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid}; > allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; > allow passt_t self:user_namespace create; > > +auth_read_passwd_file(passt_t) > +sssd_search_lib(passt_t) > + > allow passt_t proc_net_t:file read; > allow passt_t net_conf_t:file { open read }; > allow passt_t net_conf_t:lnk_file read; > diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te > index 645ccee..28265dc 100644 > --- a/contrib/selinux/pasta.te > +++ b/contrib/selinux/pasta.te > @@ -79,6 +79,7 @@ require { > type shell_exec_t; > type init_t; > > + class capability { sys_tty_config setuid setgid }; > class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; > class user_namespace create; > } > @@ -103,10 +104,13 @@ allow unconfined_t pasta_t : process transition ; > > init_daemon_domain(pasta_t, pasta_exec_t) > > -allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource }; > +allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; > allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; > allow pasta_t self:user_namespace create; > > +auth_read_passwd_file(pasta_t) > +sssd_search_lib(pasta_t) > + > allow pasta_t bin_t:file { execute execute_no_trans map }; > allow pasta_t nsfs_t:file { open read }; > > @@ -162,7 +166,7 @@ allow pasta_t unconfined_t:dir search; > allow pasta_t unconfined_t:file read; > allow pasta_t unconfined_t:lnk_file read; > allow pasta_t passwd_file_t:file { getattr open read }; > -allow pasta_t self:process setpgid; > +allow pasta_t self:process { setpgid setcap }; > allow pasta_t shell_exec_t:file { execute execute_no_trans map }; > > allow pasta_t sssd_var_lib_t:dir search; Usual kind of SELinux churn as new features are added so: Reviewed-by: Richard W.M. Jones -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit