From: Stefano Brivio <sbrivio@redhat.com>
To: Max Chernoff <git@maxchernoff.ca>
Cc: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH 1/1] selinux: Transition to pasta_t in containers
Date: Thu, 15 May 2025 15:40:35 +0200 [thread overview]
Message-ID: <20250515154035.51eb8d14@elisabeth> (raw)
In-Reply-To: <20250514104413.197448-3-git@maxchernoff.ca>
On Wed, 14 May 2025 04:44:12 -0600
Max Chernoff <git@maxchernoff.ca> wrote:
> Currently, pasta runs in the container_runtime_exec_t context when
> running in a container. This is not ideal since it means that pasta runs
> with more privileges than strictly necessary. This commit updates the
> SELinux policy to have pasta transition to the pasta_t context when
> started from the container_runtime_t context, adds the appropriate
> labels to $XDG_RUNTIME_DIR/netns and
> $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
> necessary permissions to the pasta_t context.
>
> Link: https://bugs.passt.top/show_bug.cgi?id=81
> Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
> Signed-off-by: Max Chernoff <git@maxchernoff.ca>
Thanks, I think that with your patch we're almost there. (!)
I ran Podman tests covering pasta on Fedora Rawhide, with the updated
profile (that is, 'bats test/system/505-networking-pasta.bats' from a
Podman tree) and it looks like there are a couple of minor things
missing, though.
Tests pass, but on a number of tests I'm getting these in the audit
log:
type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
The 'ss' thing is unrelated, and might be something to add to
container-selinux, perhaps. I'm not really sure if containers should
reasonably be able to access netlink_tcpdiag_socket.
The getattr on pipes, though, is pasta trying to read out attributes of
pipes that are used for loopback connections, that is, the path
represented here (orange square on top) as "tap bypass":
https://passt.top/#pasta-pack-a-subtle-tap-abstraction
if those fail, by the way, things still work (I guess it's just what we
do to probe / tune the size of the pipes).
A summary from audit2allow:
#============= container_t ==============
#!!!! This avc can be allowed using the boolean 'virt_sandbox_use_netlink'
allow container_t self:netlink_tcpdiag_socket nlmsg_read;
#============= pasta_t ==============
allow pasta_t container_runtime_t:fifo_file getattr;
I plan to try again later (probably in a few hours) to add what's
missing (it could very well be just this rule) and get back to you. Of
course, if you manage to fix / re-test meanwhile, before I get to it,
feel free to re-post this.
--
Stefano
next prev parent reply other threads:[~2025-05-15 13:40 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40 ` Stefano Brivio [this message]
2025-05-15 15:55 ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 " Max Chernoff
2025-05-16 6:22 ` Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59 ` Paul Holzinger
2025-05-16 12:22 ` Max Chernoff
2025-05-16 12:35 ` Paul Holzinger
2025-05-16 16:11 ` Stefano Brivio
2025-05-17 9:34 ` Max Chernoff
2025-05-19 7:39 ` Stefano Brivio
2025-05-20 10:37 ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08 ` Stefano Brivio
2025-05-24 7:16 ` [PATCH v4 " Max Chernoff
2025-05-24 7:16 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37 ` [PATCH v3 " Max Chernoff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250515154035.51eb8d14@elisabeth \
--to=sbrivio@redhat.com \
--cc=git@maxchernoff.ca \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).