public inbox for passt-dev@passt.top
From: Max Chernoff <git@maxchernoff.ca>
To: passt-dev@passt.top
Cc: Max Chernoff <git@maxchernoff.ca>
Subject: [PATCH v2 0/1] selinux: Transition to pasta_t in containers
Date: Thu, 15 May 2025 23:11:02 -0600
Message-ID: <20250516051105.432590-1-git@maxchernoff.ca>
In-Reply-To: <20250514104413.197448-2-git@maxchernoff.ca>

Hi Stefano,

On Thu, 2025-05-15 at 17:55 +0200, Stefano Brivio wrote:
> Instead of these three "unsorted" rules:
>
> > +allow pasta_t container_runtime_t:fifo_file write;
>
> ...as I mentioned, changing this to:
>
> allow pasta_t container_runtime_t:fifo_file { write getattr };
>
> fixes the remaining warning. And I think it should be "grouped"
> together with the TCP socket stuff above, that is, just after:
>
> corenet_tcp_bind_generic_node(pasta_t)
>
> because it's something we need for (loopback) TCP connections, together
> with TCP sockets.

Done.

> > +allow pasta_t self:cap_userns { setgid setuid };
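Review bot: since the thread agrees that setuid() and setgid() here only re-set the current UID and GID in the detached user namespace and the capability is not actually required, `dontaudit pasta_t self:cap_userns { setgid setuid };` is the better fit than `allow`: it silences the AVC noise without widening what pasta_t may do, and the operation still fails exactly as it does today. Keep it on its own line rather than folding it into `allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };`, so it can be dropped without churn once the kernel side is fixed, and add a comment pointing at the bugzilla entry plus a reminder that `semodule -DB` re-enables dontaudit rules when the denial needs to be seen again for debugging.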
>
> Strictly speaking, this part shouldn't be needed, see points 7. and c.
> at:
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
>
> ...unfortunately, I never got any feedback about those and I haven't
> found the time to fix this in kernel either, so, sure, let's keep this
> rule to avoid noise. We could group this together with capabilities
> stuff, that is, just after:
>
> allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
>
> (but separated, so that we can drop them without code churn) and maybe
> add a comment referencing:
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
>
> and the fact that setuid() and setgid() are always called with the current
> UID and GID in the detached user namespace.

If the denial is harmless (as mentioned in the bug), why not make it
"dontaudit"? I've tested it out and it seems to work fine for me.

> > +allow pasta_t tmpfs_t:filesystem getattr;
>
> This is needed regardless of Podman, getattr was simply missing from:
>
> allow pasta_t tmpfs_t:filesystem mount;
>
> so I would rather add it there, together with mount.

Done.

> > +# Allow pasta to bind to any port
> > +bool pasta_allow_bind_any_port true;
> > +if (pasta_allow_bind_any_port) {
> > +	allow pasta_t port_type:icmp_socket { accept getopt name_bind };
> > +	allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
> > +	allow pasta_t port_type:udp_socket { accept getopt name_bind };
> > +}
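Review bot: `bool pasta_allow_bind_any_port true;` ships the policy with the broad `port_type` rules switched on, so the restrictive behaviour is opt-out rather than opt-in; consider defaulting the boolean to `false` and documenting `setsebool -P pasta_bind_all_ports on` (the name this message adopts) for users who really need arbitrary ports. Within the block, `accept` on `udp_socket` and `icmp_socket` is never exercised, since neither socket type is connection-oriented, so those two rules can be trimmed to `{ getopt name_bind }`.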

I renamed this to "pasta_bind_all_ports" since that better matches the
preexisting booleans "git_session_bind_all_unreserved_ports",
"mozilla_plugin_bind_unreserved_ports", and "tor_bind_all_unreserved_ports".

> > -/usr/bin/pasta			system_u:object_r:pasta_exec_t:s0
> > -/usr/bin/pasta.avx2		system_u:object_r:pasta_exec_t:s0
> > -/tmp/pasta\.pcap		system_u:object_r:pasta_log_t:s0
> > -/var/run/pasta\.pid		system_u:object_r:pasta_pid_t:s0
> > +/usr/bin/pasta			                               system_u:object_r:pasta_exec_t:s0
> > +/usr/bin/pasta.avx2		                               system_u:object_r:pasta_exec_t:s0
> > +/tmp/pasta\.pcap		                               system_u:object_r:pasta_log_t:s0
> > +/var/run/pasta\.pid		                               system_u:object_r:pasta_pid_t:s0
> > +/run/user/%{USERID}/netns                              system_u:object_r:ifconfig_var_run_t:s0
> > +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
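Review bot: the two new specs `/run/user/%{USERID}/netns` and `/run/user/%{USERID}/containers/networks/rootless-netns` match only those exact paths, so anything created underneath them does not get `ifconfig_var_run_t`; if pasta has to open namespace files placed inside those directories, the specs need a `(/.*)?` suffix. The file also now mixes `/var/run/pasta\.pid` with `/run/user/...`; pick one form for all entries so the result does not depend on how the distribution's file_contexts.subs_dist maps `/run` onto `/var/run`.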

I also corrected the whitespace here to use tabs (instead of the awful tab-space
mix that I accidentally used).

Also, when this commit is eventually packaged, you'll need to run restorecon on
/run/; otherwise you won't be able to start any containers until you log out and
back in. I think that %selinux_relabel_post should handle this, but I'm not sure
if it excludes /run/ or not.

Thanks,
-- Max

Max Chernoff (1):
  selinux: Transition to pasta_t in containers

 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 5 deletions(-)

--
2.49.0
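The review above turns individual AVC denials into `allow` rules, groups them with the rule they belong to (getattr next to `tmpfs_t:filesystem mount`), and settles on a `dontaudit` for the cap_userns case. The following example is added here and is mine, not code from the passt project or from anyone in this thread; it shows that workflow in miniature: parse AVC records, merge denied permissions per (source type, target type, class), emit rules, and fold them into rules that already exist. The AVC lines are constructed for the example (pids, inodes and timestamps are made up), and the `HARMLESS` set and all function names are my own. In practice `audit2allow` does this job; a generated `allow` is a starting point for review, not a justification.

```python
import re
from collections import defaultdict

# Constructed AVC records for this example (not real audit output from the
# thread): the field layout follows the kernel's AVC format, but pids,
# inode numbers and timestamps are made up.
SAMPLE_AVC = """\
type=AVC msg=audit(1747370000.101:201): avc:  denied  { write } for  pid=4242 comm="pasta" path="pipe:[31337]" dev="pipefs" ino=31337 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747370000.102:202): avc:  denied  { getattr } for  pid=4242 comm="pasta" path="pipe:[31337]" dev="pipefs" ino=31337 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747370000.110:203): avc:  denied  { setuid } for  pid=4242 comm="pasta" capability=7 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1747370000.110:204): avc:  denied  { setgid } for  pid=4242 comm="pasta" capability=6 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1747370000.120:205): avc:  denied  { getattr } for  pid=4242 comm="pasta" name="/" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Plain allow/dontaudit rules only, e.g. "allow a_t b_t:cls { p q };"
RULE_RE = re.compile(
    r"^(?P<kw>allow|dontaudit)\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
)

# Denials the thread judged harmless: setuid()/setgid() to the *current*
# UID/GID in the detached user namespace. This set is an assumption made
# for the example; the real decision belongs in policy review.
HARMLESS = frozenset({("pasta_t", "pasta_t", "cap_userns")})


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(log):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def format_rule(keyword, src, tgt, cls, perms):
    """Render one rule; braces only when more than one permission."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{keyword} {src} {tgt}:{cls} {perm_str};"


def rules_from_avc(log, dontaudit=frozenset()):
    """One rule per (src, tgt, class), 'self' when src == tgt, and
    'dontaudit' instead of 'allow' for keys listed in `dontaudit`."""
    denials = parse_avc(log)
    rules = []
    for key in sorted(denials):
        src, tgt, cls = key
        keyword = "dontaudit" if key in dontaudit else "allow"
        target = "self" if src == tgt else tgt
        rules.append(format_rule(keyword, src, target, cls, denials[key]))
    return rules


def merge_rules(existing, generated):
    """Fold generated rules into existing ones with the same keyword,
    source, target and class, keeping the order of first appearance."""
    merged = {}
    for rule in list(existing) + list(generated):
        m = RULE_RE.match(rule.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {rule!r}")
        key = (m["kw"], m["src"], m["tgt"], m["cls"])
        merged.setdefault(key, set()).update(m["perms"].strip("{}").split())
    return [format_rule(*key, perms) for key, perms in merged.items()]


if __name__ == "__main__":
    # The pre-existing rule that the getattr denial should be merged into.
    existing = ["allow pasta_t tmpfs_t:filesystem mount;"]
    for rule in merge_rules(existing, rules_from_avc(SAMPLE_AVC, dontaudit=HARMLESS)):
        print(rule)
```

Run as a script it prints the merged `tmpfs_t:filesystem { getattr mount }` rule, the `fifo_file { getattr write }` rule and the `dontaudit` for cap_userns. The merge step is the point: a denial should extend the rule that already covers that object class, not become a fresh unsorted line at the bottom of the .te file.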


Thread overview: 19+ messages
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40   ` Stefano Brivio
2025-05-15 15:55     ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16  5:11 ` Max Chernoff [this message]
2025-05-16  6:22   ` [PATCH v2 " Stefano Brivio
2025-05-16  5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59   ` Paul Holzinger
2025-05-16 12:22     ` Max Chernoff
2025-05-16 12:35       ` Paul Holzinger
2025-05-16 16:11         ` Stefano Brivio
2025-05-17  9:34           ` Max Chernoff
2025-05-19  7:39             ` Stefano Brivio
2025-05-20 10:37               ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08                 ` Stefano Brivio
2025-05-24  7:16                 ` [PATCH v4 " Max Chernoff
2025-05-24  7:16                 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37               ` [PATCH v3 " Max Chernoff

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt