From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id DBD075A0274; Wed, 16 Aug 2023 20:17:30 +0200 (CEST)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH v2 2/7] selinux: Use explicit paths for binaries in file context
Date: Wed, 16 Aug 2023 20:17:25 +0200
Message-Id: <20230816181730.2165306-3-sbrivio@redhat.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230816181730.2165306-1-sbrivio@redhat.com>
References: <20230816181730.2165306-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: FYHX76RACPCLHBPTGQKHZ2LGRADKGIP3
X-Message-ID-Hash: FYHX76RACPCLHBPTGQKHZ2LGRADKGIP3
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "'Richard W . M . Jones'" <rjones@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20230816181730.2165306-3-sbrivio@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/FYHX76RACPCLHBPTGQKHZ2LGRADKGIP3/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

There's no reason to use wildcards, and we don't want any
similarly-named binary (not that I'm aware of any) to risk being
associated to passt_exec_t and pasta_exec_t by accident.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
---
 contrib/selinux/passt.fc | 3 ++-
 contrib/selinux/pasta.fc | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc
index fb5b5d4..09bcaab 100644
--- a/contrib/selinux/passt.fc
+++ b/contrib/selinux/passt.fc
@@ -8,5 +8,6 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-/usr/bin/passt(\.*)?		system_u:object_r:passt_exec_t:s0
+/usr/bin/passt			system_u:object_r:passt_exec_t:s0
+/usr/bin/passt.avx2		system_u:object_r:passt_exec_t:s0
 /tmp/passt\.pcap		system_u:object_r:passt_log_t:s0
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index 2ffb41a..41ee46d 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -8,6 +8,7 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-/usr/bin/pasta(\.*)?		system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta			system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2		system_u:object_r:pasta_exec_t:s0
 /tmp/pasta\.pcap		system_u:object_r:pasta_log_t:s0
 /var/run/pasta\.pid		system_u:object_r:pasta_pid_t:s0
-- 
2.39.2