Re: [PATCH 1/1] selinux: Transition to pasta_t in containers

[Stefano Brivio <sbrivio@redhat.com>]

On Wed, 14 May 2025 04:44:12 -0600
Max Chernoff <git@maxchernoff.ca> wrote:

> Currently, pasta runs in the container_runtime_exec_t context when
> running in a container. This is not ideal since it means that pasta runs
> with more privileges than strictly necessary. This commit updates the
> SELinux policy to have pasta transition to the pasta_t context when
> started from the container_runtime_t context, adds the appropriate
> labels to $XDG_RUNTIME_DIR/netns and
> $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
> necessary permissions to the pasta_t context.
> 
> Link: https://bugs.passt.top/show_bug.cgi?id=81
> Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
> Signed-off-by: Max Chernoff <git@maxchernoff.ca>

Thanks, I think that with your patch we're almost there. (!)

I ran Podman tests covering pasta on Fedora Rawhide, with the updated
profile (that is, 'bats test/system/505-networking-pasta.bats' from a
Podman tree) and it looks like there are a couple of minor things
missing, though.

Tests pass, but on a number of tests I'm getting these in the audit
log:

type=AVC msg=audit(1747313163.407:129988): avc:  denied  { nlmsg_read } for  pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1747313164.090:129989): avc:  denied  { getattr } for  pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747313164.209:129990): avc:  denied  { getattr } for  pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

The 'ss' thing is unrelated, and might be something to add to
container-selinux, perhaps. I'm not really sure if containers should
reasonably be able to access netlink_tcpdiag_socket.

The getattr on pipes, though, is pasta trying to read out attributes of
pipes that are used for loopback connections, that is, the path
represented here (orange square on top) as "tap bypass":

  https://passt.top/#pasta-pack-a-subtle-tap-abstraction

if those fail, by the way, things still work (I guess it's just what we
do to probe / tune the size of the pipes).

A summary from audit2allow:

#============= container_t ==============

#!!!! This avc can be allowed using the boolean 'virt_sandbox_use_netlink'
allow container_t self:netlink_tcpdiag_socket nlmsg_read;

#============= pasta_t ==============
allow pasta_t container_runtime_t:fifo_file getattr;

I plan to try again later (probably in a few hours) to add what's
missing (it could very well be just this rule) and get back to you. Of
course, if you manage to fix / re-test meanwhile, before I get to it,
feel free to re-post this.

-- 
Stefano