Date: Wed, 14 May 2025 14:26:06 +0200
From: Stefano Brivio
To: Max Chernoff
CC: passt-dev@passt.top
Subject: Re: [PATCH 0/1] selinux: Transition to pasta_t in containers
Message-ID: <20250514142606.46e60f3e@elisabeth>
In-Reply-To: <20250514104413.197448-2-git@maxchernoff.ca>
References: <20250514104413.197448-2-git@maxchernoff.ca>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 14 May 2025 04:44:11 -0600
Max Chernoff wrote:

> Hi,
>
> Currently, pasta runs in the container_runtime_exec_t context when
> running in a container. This commit updates the SELinux policy so that
> pasta instead runs in the pasta_t context.
>
> I'm more familiar with CIL, so I initially developed the modified policy
> in CIL, and then later ported it to the kernel policy language.
> My original CIL source is available here:
>
> https://github.com/gucci-on-fleek/maxchernoff.ca/blob/master/etc/selinux/local-policies/local-pasta.cil
>
> I've tested this on Fedora 42 with rootless Podman, with both unconfined
> (unconfined_u) and confined (user_u) users, and with both TCP and UDP.
>
> I've never actually used the email workflow for Git before, so please
> let me know if I've done something wrong.

Thanks a lot! Nothing wrong workflow-wise, I'll look at your patch in a bit.

I have to admit I hadn't thought of using 'type_transition' directly in
pasta's policy, as opposed to having that in selinux-container, but it
actually makes sense and it's nice to have everything managed here.

-- 
Stefano
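As an added illustration of the mechanism being discussed (this is not the patch under review, which is not reproduced on this page, nor the pasta policy itself), here is the shape of a domain transition written in the kernel policy language that the cover letter describes porting to. The type names pasta_t, pasta_exec_t and container_runtime_t are assumed for the example; container_runtime_t is defined by container-selinux, so a module referencing it has to declare it in a require block, and the three allow rules are what actually let the type_transition take effect.

```selinux
# Added example, not the pasta policy. Assumed type names:
#   pasta_t               domain pasta should run in
#   pasta_exec_t          label on the pasta binary
#   container_runtime_t   domain of the container runtime (from container-selinux)

require {
	type pasta_t;
	type pasta_exec_t;
	type container_runtime_t;
}

# Default transition: when a container_runtime_t process executes a file
# labelled pasta_exec_t, the new process runs in pasta_t.
type_transition container_runtime_t pasta_exec_t : process pasta_t;

# The type_transition rule only names the target; the transition is
# permitted only if all three of the following are also allowed:
# 1. the caller may execute the binary,
allow container_runtime_t pasta_exec_t : file { getattr open read execute map };
# 2. the caller may transition into the new domain,
allow container_runtime_t pasta_t : process transition;
# 3. the binary is a valid entry point into the new domain.
allow pasta_t pasta_exec_t : file entrypoint;
```

In a refpolicy-style .te file the same four rules are what the domain_auto_trans(container_runtime_t, pasta_exec_t, pasta_t) macro expands to. After loading the module, confirm the rule is present with sesearch -T -s container_runtime_t -t pasta_exec_t -c process, and check the label of a running pasta with ps -eZ | grep pasta; if pasta still shows up in the runtime's domain, or the exec fails, look in audit.log for which of the execute, transition or entrypoint permissions was denied.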