From: Max Chernoff <git@maxchernoff.ca>
To: passt-dev@passt.top
Subject: [PATCH v2 0/1] selinux: Transition to pasta_t in containers
Date: Thu, 15 May 2025 23:11:02 -0600
Message-ID: <20250516051105.432590-1-git@maxchernoff.ca>
In-Reply-To: <20250514104413.197448-2-git@maxchernoff.ca>
References: <20250514104413.197448-2-git@maxchernoff.ca>
Hi Stefano,

On Thu, 2025-05-15 at 17:55 +0200, Stefano Brivio wrote:
> Instead of these three "unsorted" rules:
>
> > +allow pasta_t container_runtime_t:fifo_file write;
>
> ...as I mentioned, changing this to:
>
> allow pasta_t container_runtime_t:fifo_file { write getattr };
>
> fixes the remaining warning. And I think it should be "grouped"
> together with the TCP socket stuff above, that is, just after:
>
> corenet_tcp_bind_generic_node(pasta_t)
>
> because it's something we need for (loopback) TCP connections, together
> with TCP sockets.

Done.

> > +allow pasta_t self:cap_userns { setgid setuid };
>
> Strictly speaking, this part shouldn't be needed, see points 7. and c.
> at:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
>
> ...unfortunately, I never got any feedback about those and I haven't
> found the time to fix this in kernel either, so, sure, let's keep this
> rule to avoid noise. We could group this together with capabilities
> stuff, that is, just after:
>
> allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
>
> (but separated, so that we can drop them without code churn) and maybe
> add a comment referencing:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
>
> and the fact that setuid() and setgid() are always called with the current
> UID and GID in the detached user namespace.

If the denial is harmless (as mentioned in the bug), why not make it
"dontaudit"? I've tested it out and it seems to work fine for me.
> > +allow pasta_t tmpfs_t:filesystem getattr;
>
> This is needed regardless of Podman, getattr was simply missing from:
>
> allow pasta_t tmpfs_t:filesystem mount;
>
> so I would rather add it there, together with mount.

Done.

> > +# Allow pasta to bind to any port
> > +bool pasta_allow_bind_any_port true;
> > +if (pasta_allow_bind_any_port) {
> > + allow pasta_t port_type:icmp_socket { accept getopt name_bind };
> > + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
> > + allow pasta_t port_type:udp_socket { accept getopt name_bind };
> > +}

I renamed this to "pasta_bind_all_ports" since that better matches the
preexisting booleans "git_session_bind_all_unreserved_ports",
"mozilla_plugin_bind_unreserved_ports", and "tor_bind_all_unreserved_ports".

> > -/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
> > -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
> > -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
> > -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
> > +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
> > +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
> > +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
> > +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
> > +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0
> > +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0

I also corrected the whitespace here to use tabs (instead of the awful
tab-space mix that I accidentally used).

Also, when this commit is eventually packaged, you'll need to run
restorecon on /run/; otherwise you won't be able to start any containers
until you log out and back in. I think that %selinux_relabel_post should
handle this, but I'm not sure if it excludes /run/ or not.
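Review bot: `bool pasta_allow_bind_any_port true;` defaults the boolean to on, so the `allow pasta_t port_type:{icmp,tcp,udp}_socket ...` rules inside `if (pasta_allow_bind_any_port)` are in force on every install unless an administrator turns the boolean off; if the intent is the same opt-in shape as the `*_bind_all_unreserved_ports` booleans named in the reply, consider defaulting it to `false`, or say in the comment why pasta needs the wide grant on by default. The comment `# Allow pasta to bind to any port` also undersells the tcp rule, which grants `name_connect` as well as `name_bind`; the comment or the boolean's description should mention the outbound side too.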
Thanks,
-- Max

Max Chernoff (1):
  selinux: Transition to pasta_t in containers

 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 5 deletions(-)

-- 
2.49.0
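The two pasta.fc points in the cover letter (tab separators, and paths under /run/ that carry a stale label until restorecon runs) can be checked offline with a small file-context parser. The block below is an added example and is not code from the thread, from passt or from the SELinux tooling; it parses the .fc lines quoted above, flags mixed tab/space separators, expands only the `%{USERID}` placeholder (uid 1000 is constructed), matches paths with a simplified model of setfiles (longest literal stem wins, later entry on ties; the real matcher also orders by regex specificity), and reports which of a constructed set of "current" labels would change under the new specs. The `user_tmp_t` starting label is an assumption chosen for illustration.

```python
import re

# Constructed sample: the pasta.fc lines quoted in the thread, tab-separated.
# An .fc line is: <path regex> [<file type>] <security context>.
SAMPLE_FC = "\n".join([
    "/usr/bin/pasta\tsystem_u:object_r:pasta_exec_t:s0",
    "/usr/bin/pasta.avx2\tsystem_u:object_r:pasta_exec_t:s0",
    "/tmp/pasta\\.pcap\tsystem_u:object_r:pasta_log_t:s0",
    "/var/run/pasta\\.pid\tsystem_u:object_r:pasta_pid_t:s0",
    "/run/user/%{USERID}/netns\tsystem_u:object_r:ifconfig_var_run_t:s0",
    "/run/user/%{USERID}/containers/networks/rootless-netns"
    "\tsystem_u:object_r:ifconfig_var_run_t:s0",
])

# Constructed (hypothetical) line with the tab/space mix the letter mentions.
MIXED_WS_LINE = "/tmp/pasta\\.pcap \tsystem_u:object_r:pasta_log_t:s0"

CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(?::[^\s]+)?$")  # user:role:type[:level]
FILE_TYPES = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}
_META = set(".^$?*+|[](){}\\")


def stem_len(path_regex):
    """Length of the literal prefix before the first regex metacharacter."""
    n = 0
    for ch in path_regex:
        if ch in _META:
            break
        n += 1
    return n


def parse_fc_line(line, uid):
    """Parse one .fc line into (compiled regex, context, warnings).

    Only %{USERID} is expanded (assumption); the regex is anchored at both
    ends, as setfiles anchors its specs.
    """
    warnings = []
    if " \t" in line or "\t " in line:
        warnings.append("mixed tab/space separators")
    fields = line.split()
    if len(fields) == 3:
        path, ftype, ctx = fields
        if ftype not in FILE_TYPES:
            raise ValueError(f"bad file type {ftype!r} in: {line}")
    elif len(fields) == 2:
        path, ctx = fields
    else:
        raise ValueError(f"expected 2 or 3 fields in: {line}")
    if ctx != "<<none>>" and not CONTEXT_RE.match(ctx):
        raise ValueError(f"malformed context {ctx!r} in: {line}")
    expanded = path.replace("%{USERID}", str(uid))
    return re.compile("^" + expanded + "$"), ctx, warnings


def load_fc(text, uid):
    """Return ([(regex, context, stem_len)], [warnings]) for a whole .fc file."""
    specs, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        regex, ctx, warns = parse_fc_line(line, uid)
        specs.append((regex, ctx, stem_len(regex.pattern[1:-1])))
        warnings.extend(f"line {lineno}: {w}" for w in warns)
    return specs, warnings


def lookup(specs, path):
    """Context for path, or None. Longest literal stem wins; later entry on ties."""
    best = None
    for regex, ctx, stem in specs:
        if regex.match(path) and (best is None or stem >= best[0]):
            best = (stem, ctx)
    return best[1] if best else None


def context_type(ctx):
    return ctx.split(":")[2]


def stale_paths(specs, current_labels):
    """Paths whose current type differs from the new spec: what restorecon on
    /run/ would relabel. current_labels is {path: current type}."""
    out = {}
    for path, cur in current_labels.items():
        ctx = lookup(specs, path)
        if ctx is not None and context_type(ctx) != cur:
            out[path] = (cur, context_type(ctx))
    return out


if __name__ == "__main__":
    specs, warns = load_fc(SAMPLE_FC, uid=1000)
    print("warnings:", warns or "none")
    # Constructed "current" labels: netns created under the old policy.
    before = {"/run/user/1000/netns": "user_tmp_t", "/usr/bin/pasta": "pasta_exec_t"}
    for path, (old, new) in stale_paths(specs, before).items():
        print(f"{path}: {old} -> {new}")
```

`stale_paths` is the part worth keeping around: feed it `ls -Z` output for `/run/user/<uid>` after installing the new policy and it tells you whether the relabel step the cover letter asks for has actually happened.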