From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=LFw5O5f/;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id 25DE45A0008
	for <passt-dev@passt.top>; Fri, 02 May 2025 19:26:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1746206815;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=XCmUHe61dURl59wVUj13anpeyTBIHAAuYeaEvRYiCns=;
	b=LFw5O5f/EE0QAR4rQaVUHr3rwGQ1JEzUpLuP89g1qe/fBzUyGWP1CgHQJNCWRu0SMWJkL7
	JwRhZLhFDEqJ24MjBuXOiJH99AWhqJgnwkJFDCrS56Lqa8vRu/H6CSkjW6xAvVoNHjN1WU
	vlZgPCq+2C2fIVN6OTeylNlFZe8EVlI=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com
 [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-492-lhrvyhGxODiCU8785GTmXw-1; Fri, 02 May 2025 13:26:53 -0400
X-MC-Unique: lhrvyhGxODiCU8785GTmXw-1
X-Mimecast-MFC-AGG-ID: lhrvyhGxODiCU8785GTmXw_1746206812
Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-43d0830c3f7so15721845e9.2
        for <passt-dev@passt.top>; Fri, 02 May 2025 10:26:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746206812; x=1746811612;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=XCmUHe61dURl59wVUj13anpeyTBIHAAuYeaEvRYiCns=;
        b=rS75xkpePgefMoJEYlVRLxIBsHfu67LTz0sCFgYOXXzHHmxvJdD8SG171m4clr1nHG
         YnUZ1vRxphuCwJmWMOXr9FrMK/KDdt+t0jB7uOl68kfSB8L8nDorsUNTNVGuAMpmJ6qD
         7Z0VterYPyqO9vmoFhS9zaGkN9Hb1KRYq80+ydQj17Rw3Cxae0D2JBgRJJFB3w0VaKqF
         52mxUJPCnFhBgSXWW/miEpkQgHzN7StrfBaF0uLxwnktEW4GxaHmeUThiVVuOl0n06oA
         Pg39grGpDUzJv8mIESkOPq/SiFJU9ByfRkgbE+N9ivGGGjy4DAYRFyYITrUgAY8C4JeE
         GbMQ==
X-Gm-Message-State: AOJu0Ywny6VarE98CU/6eKyhroJDeAKGCFbQsVlT5mlBj9oRrjhYsNYA
	PFCJSL64crMVujjqTyQumIX2l3di0+diue8GhbLvX0Xm6FeoewRRGQcDUoRsrECCGpVnyP7phlz
	LtQWbAR3PqplY1FvhDmag+/LU+/fndJ5f1pRWm8ebw9ndqf21cg==
X-Gm-Gg: ASbGncttSwXGfd84d+VEQeAIERUv9zhhjEN1VpvdUyAl1DcSqRR5rap9iTvOMrlWcLP
	sNcTdT9qVi0j56Nd7zT0j/v0J55NKwtd3PzAzdDTD2stbfRT96x2sp6gvx84Rq5MeQwlwWOOFRz
	oSAp6TILAyN2E1YX68G+hESnywNZ/Gbtudfx2rTPAQUkUMnKHZ+H/6LbZnQzKnfnAnc7h3WvLmM
	lywhIqmYf+p9kBP4UWp9Ut/Ul456/+DNNvfskLE1iNXGCYvNpO2U2oWLPINKBs4cuj1/TAGxxJc
	/qquysNSb8w+MPquh84mFA+oM6KaJWEXtiutivpE
X-Received: by 2002:a05:600c:698c:b0:43d:738:4a9 with SMTP id 5b1f17b1804b1-441bbf3a181mr30027425e9.27.1746206812384;
        Fri, 02 May 2025 10:26:52 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFdmVOgFxk+85qa8Npo30p7zCTSHdj9t7RkQCHjfy7gvEZE8myYnriA4fbgvra6UsdIoiDlwQ==
X-Received: by 2002:a05:600c:698c:b0:43d:738:4a9 with SMTP id 5b1f17b1804b1-441bbf3a181mr30027215e9.27.1746206811996;
        Fri, 02 May 2025 10:26:51 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-441b8a315d3sm50837585e9.36.2025.05.02.10.26.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 02 May 2025 10:26:51 -0700 (PDT)
Date: Fri, 2 May 2025 19:26:50 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Janne Grunau <janne-psst@jannau.net>
Subject: Re: [PATCH 1/1] selinx: Add getattr to class udp_socket
Message-ID: <20250502192650.03880498@elisabeth>
In-Reply-To: <20250501095407.606439-1-janne-psst@jannau.net>
References: <20250501095407.606439-1-janne-psst@jannau.net>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: LTyMgMbvqLbUScgaVAFIxuAZymHUqQLA1UiMPtQLKzc_1746206812
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: T2B5FFZXABYCAAMGMWAQKDI4X3UG6MEA
X-Message-ID-Hash: T2B5FFZXABYCAAMGMWAQKDI4X3UG6MEA
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20250502192650.03880498@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/T2B5FFZXABYCAAMGMWAQKDI4X3UG6MEA/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Thu,  1 May 2025 11:54:07 +0200
Janne Grunau <janne-psst@jannau.net> wrote:

> Commit 59cc89f ("udp, udp_flow: Track our specific address on socket
> interfaces") added a getsockname() call in udp_flow_new(). This requires
> getattr. Fixes "Flow 0 (UDP flow): Unable to determine local address:
> Permission denied" errors in muvm/passt on Fedora Linux 42 with SELinux.
> 
> The SELinux audit message is
> 
> | type=AVC msg=audit(1746083799.606:235): avc:  denied  { getattr } for
> |   pid=2961 comm="passt" laddr=127.0.0.1 lport=49221
> |   faddr=127.0.0.53 fport=53
> |   scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
> |   tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
> |   tclass=udp_socket permissive=0
> 
> Fixes: 59cc89f ("udp, udp_flow: Track our specific address on socket interfaces")
> Signed-off-by: Janne Grunau <janne-psst@jannau.net>

Whoops. Applied. Thanks for fixing this, and welcome to the git log!

By the way, if somebody is wondering:

> ---
>  contrib/selinux/passt.te | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
> index f8ea672..eb9ce72 100644
> --- a/contrib/selinux/passt.te
> +++ b/contrib/selinux/passt.te
> @@ -49,7 +49,7 @@ require {
>  	type proc_net_t;
>  	type node_t;
>  	class tcp_socket { create accept listen name_bind name_connect getattr ioctl };
> -	class udp_socket { create accept listen };
> +	class udp_socket { create accept listen getattr };
>  	class icmp_socket { bind create name_bind node_bind setopt read write };
>  	class sock_file { create unlink write };
>  
> @@ -133,7 +133,7 @@ allow passt_t node_t:icmp_socket { name_bind node_bind };
>  allow passt_t port_t:icmp_socket name_bind;
>  
>  allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write getattr ioctl };
> -allow passt_t self:udp_socket { create getopt setopt connect bind read write };
> +allow passt_t self:udp_socket { create getopt setopt connect bind read write getattr };

...this already works with pasta's (pasta_t) profile because there we
need a bunch of other things (for "spliced" sockets) and I used the
create_stream_socket_perms macro instead, which already includes getattr.

But including getattr here is enough for passt, no need to allow
everything else.

>  allow passt_t self:icmp_socket { bind create setopt read write };
>  
>  allow passt_t user_tmp_t:dir { add_name write };

-- 
Stefano