From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTP id F42175A004C
	for <passt-dev@passt.top>; Tue, 28 May 2024 10:13:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1716884014;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=YYy0yBEERfo7VOIQ2draQDhsSP4RfMfxAYwshY1NUqQ=;
	b=YKZy8nmUSCVAzksbE2KM0K3o7Gs9oBdhbR/0O+/i/dwurY78T8jPN7Zhxx39uO4e04gesx
	ZaDhtVfBz4m8wjtg/+iM3AVIFQdS5I+NJoJukxp/YSe5cxS7uqvgPZby9yalcCiLCRj8H0
	z8ud4ddYpI03ceY774YICF8h+D+qSY8=
Received: from mail-ej1-f70.google.com (mail-ej1-f70.google.com
 [209.85.218.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-498-GtQAx7dvMGSRVYlx_EQT2g-1; Tue, 28 May 2024 04:13:33 -0400
X-MC-Unique: GtQAx7dvMGSRVYlx_EQT2g-1
Received: by mail-ej1-f70.google.com with SMTP id a640c23a62f3a-a5a84e7c884so27296866b.3
        for <passt-dev@passt.top>; Tue, 28 May 2024 01:13:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1716884012; x=1717488812;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=YYy0yBEERfo7VOIQ2draQDhsSP4RfMfxAYwshY1NUqQ=;
        b=E6jUe7SIC8CLIed9bSoWvKgZtltAn7StN+AKRf9O+bwa9IMD8o2KFsV05zTbnEkqA8
         VBbXKKhu0dT1X413kNJBEGgUyki7FUUFlRes6ga/xraAIZmrK4HhfzU42SbRtGXHdn3a
         /x+QNedq2CFhvDnSlFpZ4xekvlsUG+1WMugDVGYFK3TUHaXoEUffvSaY/2mQrpcxiXgx
         dodMiIENAkaXFZF8+K9mo/puTCkvQtyYw4x5VAd5xdJZAFSTO/2gb+Fs0uS4EFFhY6ij
         9MFc9fi4msY4s9pLuzyMI+EUAofqCS69j7Vi8Ol+r37V+UM3HneTXRWyxIgkEoMasNxX
         FauA==
X-Gm-Message-State: AOJu0YzWAuzhXn3B+qymMgxmBD6Nw3s1GgVfj/Gqdd95prFHdxIsiMO0
	Zaam22Awkqv02GhxYvR+fqt4Wd/qt//KQVVQCwu6Mol89p9DL69jYysSu4Yz74qRMDbqYE5hKvn
	ImDu9BWtJSkg3IPBUFCduFAkXYaLRzcJYubTvCWwBsQK4qADXTKWFcOkR0KQi
X-Received: by 2002:a05:6402:2313:b0:579:c1fc:b953 with SMTP id 4fb4d7f45d1cf-579c1fcbc4amr4726936a12.22.1716884011683;
        Tue, 28 May 2024 01:13:31 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHPHpP5hASXFxfWDqKGB0IRrJWW0ZUlWRAxUiKDoxMjMwpMRMN3n+Boq9nby6m18pbW0WNYaQ==
X-Received: by 2002:a05:6402:2313:b0:579:c1fc:b953 with SMTP id 4fb4d7f45d1cf-579c1fcbc4amr4726918a12.22.1716884011092;
        Tue, 28 May 2024 01:13:31 -0700 (PDT)
Received: from maya.cloud.tilaa.com (maya.cloud.tilaa.com. [164.138.29.33])
        by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-578523cba01sm6968483a12.35.2024.05.28.01.13.29
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 28 May 2024 01:13:29 -0700 (PDT)
Date: Tue, 28 May 2024 10:12:56 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>, Derek Schrock
 <dereks@lifeofadishwasher.com>
Subject: Re: [PATCH] selinux: Allow access to user_devpts
Message-ID: <20240528101256.37a74bc8@elisabeth>
In-Reply-To: <ZlV_-9elViO72i2n@zatzit>
References: <ZlO3mubsVTI51BmM@ircbsd.lifeofadishwasher.com>
	<ZlV_-9elViO72i2n@zatzit>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.36; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: C4TECUTXPVLNHQOUFRUDSZROTTRKFLWX
X-Message-ID-Hash: C4TECUTXPVLNHQOUFRUDSZROTTRKFLWX
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240528101256.37a74bc8@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/C4TECUTXPVLNHQOUFRUDSZROTTRKFLWX/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Tue, 28 May 2024 16:55:55 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > Allow access to user_devpts.
> > 
> > 	$ pasta --version
> > 	pasta 0^20240510.g7288448-1.fc40.x86_64
> > 	...
> > 	$ awk '' < /dev/null
> > 	$ pasta --version
> > 	$
> > 
> > While this might be a awk bug it appears pasta should still have access
> > to devpts.  

Derek, thanks for the patch!

> It's not clear to me why pasta would need any access to /dev/pts.  The
> shell that pasta spawns does, of course, but it should already live in
> a difference security context.

Note that that doesn't happen in a shell pasta spawned: pasta --version
doesn't do that.

It's just that after that awk comamnd, enabling access to
user_tty_device_t doesn't seem to be enough anymore, we need
user_devpts_t then. Which is probably something reasonable to enable
anyway.

-- 
Stefano