public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Cc: "'Richard W . M . Jones'" <rjones@redhat.com>
Subject: [PATCH v2 3/7] selinux: Fix user namespace creation after breaking kernel change
Date: Wed, 16 Aug 2023 20:17:26 +0200
Message-ID: <20230816181730.2165306-4-sbrivio@redhat.com>
In-Reply-To: <20230816181730.2165306-1-sbrivio@redhat.com>

Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
seems to just introduce a new functionality, but given that SELinux
implements a form of mandatory access control, introducing the new
permission breaks any application (shipping with SELinux policies)
that needs to create user namespaces, such as passt and pasta for
sandboxing purposes.

Add the new 'allow' rules. They appear to be backward compatible,
kernel-wise, and the policy now requires the new 'user_namespace'
class to build, but that's something distributions already ship.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
---
 contrib/selinux/passt.te | 2 ++
 contrib/selinux/pasta.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 687ae40..5868a41 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -51,6 +51,7 @@ require {
 
 	class capability sys_tty_config;
 	class cap_userns { setpcap sys_admin sys_ptrace };
+	class user_namespace create;
 }
 
 type passt_t;
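Review bot: the new `class user_namespace create;` entry in the require block turns the base policy's user_namespace class into a hard build-time dependency, and the commit message only says that distributions "already ship" it; it would help packagers to state the minimum selinux-policy version this module now needs, either in the commit message or next to the policy sources, so that a build failure on an older policy is recognisable as this dependency rather than as a bug in the .te file.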
@@ -90,6 +91,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
 allow passt_t self:process setcap;
 allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
 allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+allow passt_t self:user_namespace create;
 
 allow passt_t proc_net_t:file read;
 allow passt_t net_conf_t:file { open read };
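Review bot: `allow passt_t self:user_namespace create;` is consistent with the existing `allow passt_t self:cap_userns ...` line directly above it, which also targets self, and placing it there keeps the namespace-related rules together; nothing else in this hunk needs the new permission.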
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 367d09f..645ccee 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -80,6 +80,7 @@ require {
 	type init_t;
 
 	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
+	class user_namespace create;
 }
 
 type pasta_t;
@@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t)
 
 allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
 allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+allow pasta_t self:user_namespace create;
 
 allow pasta_t bin_t:file { execute execute_no_trans map };
 allow pasta_t nsfs_t:file { open read };
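Review bot: the pasta_t rule mirrors the passt_t one exactly, which is the expected shape here; for the commit message it would be worth adding how the fix was verified, e.g. that `ausearch -m AVC` no longer shows denials with `tclass=user_namespace` for pasta_t after the updated module is loaded, since that is the quickest way for a reviewer on an affected kernel to confirm the rule is sufficient.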
-- 
2.39.2


Thread overview: 10+ messages
2023-08-16 18:17 [PATCH v2 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
2023-08-16 18:17 ` [PATCH v2 1/7] fedora: Install pasta as hard link to ensure SELinux file context match Stefano Brivio
2023-08-17  7:53   ` Richard W.M. Jones
2023-08-17 10:53     ` Stefano Brivio
2023-08-16 18:17 ` [PATCH v2 2/7] selinux: Use explicit paths for binaries in file context Stefano Brivio
2023-08-16 18:17 ` Stefano Brivio [this message]
2023-08-16 18:17 ` [PATCH v2 4/7] selinux: Update policy to fix user/group settings Stefano Brivio
2023-08-16 18:17 ` [PATCH v2 5/7] selinux: Add rules for sysctl and /proc/net accesses Stefano Brivio
2023-08-16 18:17 ` [PATCH v2 6/7] selinux: Allow pasta_t to read nsfs entries Stefano Brivio
2023-08-16 18:17 ` [PATCH v2 7/7] selinux: Fix domain transitions for typical commands pasta might run Stefano Brivio
