From: Janne Grunau
To: passt-dev@passt.top
CC: Janne Grunau
Subject: [PATCH 1/1] selinux: Add getattr to class udp_socket
Date: Thu, 1 May 2025 11:54:07 +0200
Message-ID: <20250501095407.606439-1-janne-psst@jannau.net>
X-Mailer: git-send-email 2.49.0
List-Id: Development discussion and patches for passt

Commit 59cc89f ("udp, udp_flow: Track our specific address on socket interfaces") added a getsockname() call in udp_flow_new(). This requires getattr.

Fixes "Flow 0 (UDP flow): Unable to determine local address: Permission denied" errors in muvm/passt on Fedora Linux 42 with SELinux.

The SELinux audit message is

| type=AVC msg=audit(1746083799.606:235): avc: denied { getattr } for
| pid=2961 comm="passt" laddr=127.0.0.1 lport=49221
| faddr=127.0.0.53 fport=53
| scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
| tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
| tclass=udp_socket permissive=0

Fixes: 59cc89f ("udp, udp_flow: Track our specific address on socket interfaces")
Signed-off-by: Janne Grunau
---
 contrib/selinux/passt.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index f8ea672..eb9ce72 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -49,7 +49,7 @@ require { type proc_net_t; type node_t; class tcp_socket { create accept listen name_bind name_connect getattr ioctl }; - class udp_socket { create accept listen }; + class udp_socket { create accept listen getattr }; class icmp_socket { bind create name_bind node_bind setopt read write }; class sock_file { create unlink write }; @@ -133,7 +133,7 @@ allow passt_t node_t:icmp_socket { name_bind node_bind }; allow passt_t port_t:icmp_socket name_bind; allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write getattr ioctl }; -allow passt_t self:udp_socket { create getopt setopt connect bind read write }; +allow passt_t self:udp_socket { create getopt setopt connect bind read write getattr }; allow passt_t self:icmp_socket { bind create setopt read write }; allow passt_t user_tmp_t:dir { add_name write }; -- 2.49.0
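Review bot: the getattr added to the udp_socket declaration in the require block (first hunk, @@ -49,7) is the permission the quoted AVC line names (tclass=udp_socket, { getattr }) and is what lets the allow rule in the second hunk compile; on its own a require entry grants nothing, so keeping both hunks in one commit, as done here, is right. The neighbouring tcp_socket declaration already lists getattr, so the two socket classes are now declared consistently.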
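Review bot: the allow rule in the second hunk (@@ -133,7) grants exactly the one permission the denial reports, getattr on self:udp_socket, which is the least-privilege fix for the getsockname() call named in the commit message; scontext and tcontext in the AVC line are both passt_t, so `self` is the correct target rather than a separate type. Suggest confirming with the rebuilt module that the "Unable to determine local address: Permission denied" error from the commit message is gone, since the audit log only shows the check that failed first.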
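An added example, not part of this patch or of passt: a small Python script, audit2allow in miniature, that parses the AVC denial quoted in the commit message into the narrowest allow rule and checks whether a given passt.te allow line already grants it. The AVC_LINE, BEFORE and AFTER strings are constructed from the text of this mail.

```python
import re

# Constructed sample: the AVC denial from the commit message, re-joined onto
# one line as auditd emits it (the "| " prefixes belong to the mail quoting).
AVC_LINE = ('type=AVC msg=audit(1746083799.606:235): avc: denied { getattr } for '
            'pid=2961 comm="passt" laddr=127.0.0.1 lport=49221 faddr=127.0.0.53 fport=53 '
            'scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 '
            'tclass=udp_socket permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, {perms}) from one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    stype = m.group('s').split(':')[2]   # user:role:type:range -> type
    ttype = m.group('t').split(':')[2]
    return stype, ttype, m.group('cls'), set(m.group('perms').split())

def minimal_allow(stype, ttype, cls, perms):
    """Build the narrowest allow rule; 'self' when source and target types match."""
    target = 'self' if stype == ttype else ttype
    plist = ' '.join(sorted(perms))
    if len(perms) > 1:
        plist = '{ %s }' % plist
    return 'allow %s %s:%s %s;' % (stype, target, cls, plist)

# Matches "allow src tgt:cls { p1 p2 };" or "allow src tgt:cls p1;"
ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+));', re.M)

def rule_covers(te_text, stype, ttype, cls, perms):
    """True if some allow rule in te_text grants every permission in perms."""
    target = 'self' if stype == ttype else ttype
    for m in ALLOW_RE.finditer(te_text):
        if (m.group(1), m.group(2), m.group(3)) != (stype, target, cls):
            continue
        granted = set((m.group(4) or m.group(5)).split())
        if perms <= granted:
            return True
    return False

# Constructed: the udp_socket allow rule before and after this patch.
BEFORE = 'allow passt_t self:udp_socket { create getopt setopt connect bind read write };\n'
AFTER = 'allow passt_t self:udp_socket { create getopt setopt connect bind read write getattr };\n'
```

Running `rule_covers(BEFORE, *parse_avc(AVC_LINE))` reports the gap the patch closes, and the same call on AFTER confirms the new rule satisfies the denial.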