Date: Thu, 15 May 2025 15:40:35 +0200
From: Stefano Brivio
To: Max Chernoff
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH 1/1] selinux: Transition to pasta_t in containers
Message-ID: <20250515154035.51eb8d14@elisabeth>
In-Reply-To: <20250514104413.197448-3-git@maxchernoff.ca>
References: <20250514104413.197448-2-git@maxchernoff.ca> <20250514104413.197448-3-git@maxchernoff.ca>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 14 May 2025 04:44:12 -0600
Max Chernoff wrote:

> Currently, pasta runs in the container_runtime_exec_t context when
> running in a container. This is not ideal since it means that pasta runs
> with more privileges than strictly necessary. This commit updates the
> SELinux policy to have pasta transition to the pasta_t context when
> started from the container_runtime_t context, adds the appropriate
> labels to $XDG_RUNTIME_DIR/netns and
> $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
> necessary permissions to the pasta_t context.
>
> Link: https://bugs.passt.top/show_bug.cgi?id=81
> Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
> Signed-off-by: Max Chernoff

Thanks, I think that with your patch we're almost there. (!)

I ran Podman tests covering pasta on Fedora Rawhide, with the updated
profile (that is, 'bats test/system/505-networking-pasta.bats' from a
Podman tree) and it looks like there are a couple of minor things
missing, though. Tests pass, but on a number of tests I'm getting these
in the audit log:

type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

The 'ss' thing is unrelated, and might be something to add to
container-selinux, perhaps. I'm not really sure if containers should
reasonably be able to access netlink_tcpdiag_socket.

The getattr on pipes, though, is pasta trying to read out attributes of
pipes that are used for loopback connections, that is, the path
represented here (orange square on top) as "tap bypass":

  https://passt.top/#pasta-pack-a-subtle-tap-abstraction

If those fail, by the way, things still work (I guess it's just what we
do to probe / tune the size of the pipes).

A summary from audit2allow:

#============= container_t ==============
#!!!! This avc can be allowed using the boolean 'virt_sandbox_use_netlink'
allow container_t self:netlink_tcpdiag_socket nlmsg_read;

#============= pasta_t ==============
allow pasta_t container_runtime_t:fifo_file getattr;

I plan to try again later (probably in a few hours) to add what's
missing (it could very well be just this rule) and get back to you. Of
course, if you manage to fix / re-test meanwhile, before I get to it,
feel free to re-post this.

-- 
Stefano
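The audit2allow summary in the message above is derived mechanically from the three AVC records quoted there. As an added example (not code from passt, from the patch under review, or from anyone in this thread), the Python below re-implements that derivation over those same three lines, embedded as sample input so it runs offline: it extracts the type field of scontext and tcontext, the object class and the denied permissions, aggregates them per (source, target, class), and prints allow rules in audit2allow's layout, writing the target as 'self' when source and target types match. It only handles the fields present in those records and never consults the loaded policy, so it cannot produce the boolean hint (virt_sandbox_use_netlink) that audit2allow adds for the container_t denial.

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example, not passt or container-selinux code: a minimal
re-implementation of the part of audit2allow whose output is quoted
in the message above. It parses only the fields present in those
records (scontext, tcontext, tclass, the denied permission set) and
does not look at the loaded policy, so it cannot suggest booleans.
"""
import re
from collections import defaultdict

# Sample input: the three denials quoted in the message above,
# embedded here so the example runs without an audit log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1747313163.407:129988): avc:  denied  { nlmsg_read } for  pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1747313164.090:129989): avc:  denied  { getattr } for  pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747313164.209:129990): avc:  denied  { getattr } for  pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
"""

# Denied permissions sit in braces; the three context/class fields
# follow later on the same record. Whitespace is \s+ so both the
# kernel's double-spaced form and single-spaced copies parse.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type of a context user:role:type[:range], e.g. pasta_t."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into (source_type, target_type, tclass, perms).

    Returns None for records that are not AVC denials (SYSCALL, CWD, ...).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m['perms'].split()))
    return (context_type(m['scontext']), context_type(m['tcontext']),
            m['tclass'], perms)


def collect_rules(audit_text):
    """Aggregate denials into {(source, target, tclass): set(permissions)}.

    Repeated denials (the two fifo_file getattr records) collapse into one
    rule, exactly as audit2allow reports them once.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        rules[(src, tgt, tclass)].update(perms)
    return rules


def format_rules(rules):
    """Render rules grouped by source domain in audit2allow's layout.

    A target type equal to the source type is written as 'self'.
    """
    out = []
    for src in sorted({key[0] for key in rules}):
        out.append(f"#============= {src} ==============")
        for (s, tgt, tclass), perms in sorted(rules.items()):
            if s != src:
                continue
            target = 'self' if tgt == src else tgt
            perm_str = ' '.join(sorted(perms))
            if len(perms) > 1:
                perm_str = '{ ' + perm_str + ' }'
            out.append(f"allow {src} {target}:{tclass} {perm_str};")
    return out


if __name__ == '__main__':
    print('\n'.join(format_rules(collect_rules(SAMPLE_AUDIT))))
```

Run as-is it prints the two allow rules from the summary above, one per source domain. The output is a list of candidates, not a policy: the thread itself treats the container_t rule as something for container-selinux rather than for pasta's module, and the pasta_t rule as the one to add, so a rule derived this way still has to be checked against what the domain actually needs before it goes into a .te file.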