public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: Stefano Brivio <sbrivio@redhat.com>
To: Max Chernoff <git@maxchernoff.ca>
Cc: Paul Holzinger <pholzing@redhat.com>, passt-dev@passt.top
Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
Date: Mon, 19 May 2025 09:39:41 +0200	[thread overview]
Message-ID: <20250519093941.4503ae47@elisabeth> (raw)
In-Reply-To: <3eaa88568e808eed15c49a05515954b51cf35c4e.camel@maxchernoff.ca>

On Sat, 17 May 2025 03:34:42 -0600
Max Chernoff <git@maxchernoff.ca> wrote:

> Hi Stefano
> 
> On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> > Max, could it be that you're running stuff with some customised SELinux
> > policy? By the way, with "unconfined disabled":  
> 
> Simpler than that: I was testing something with SELinux permissive, and
> I forgot to reenable it. Whoops. I'm getting the same results as you
> now.
> 
> > Running with SELinux in permissive mode, I'm getting:
> >
> > # cat /var/log/audit/audit.log
> > type=AVC msg=audit(1747410763.621:130615): avc:  denied  { search } for  pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410763.621:130616): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
> > type=AVC msg=audit(1747410763.622:130617): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
> > type=AVC msg=audit(1747410763.622:130618): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410763.622:130619): avc:  denied  { open } for  pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410764.622:130620): avc:  denied  { read } for  pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
> >
> > and:
> >
> > # audit2allow  -a
> >
> >
> > #============= pasta_t ==============
> > allow pasta_t container_runtime_t:dir { open read search };
> > allow pasta_t container_runtime_t:file read;
> > allow pasta_t container_runtime_t:lnk_file read;
> > allow pasta_t container_t:lnk_file read;
> >
> > If I add those rules, everything works  
> 
> Yes, adding those rules also fixes things for me.
> 
> > To me those denials look reasonable, in the sense that I would expect
> > the namespace links to have container_runtime_t type.  
> 
> I'm a little surprised that "container_runtime_t:file read" is necessary
> since I thought that "container_runtime_t:lnk_file read" would be
> sufficient to get the target of the link, but it indeed does not work
> without it.
> 
> > (well, I'm not saying that's the solution...).  
> 
> I guess the options are:
> 
> 1. Add the above rules to the pasta SELinux policy
> 
> 2. Have Podman change the context of /proc/self/ns/net to pasta_t
> 
> 3. Have Podman pass a file descriptor to the netns instead of the path
>    to the netns.
> 
> (1) is arguably the least secure, but is probably fine in practice?

Well:

2. is probably the most restrictive but it doesn't really feel
   correct to me (pasta is not, at least conceptually, the exclusive
   user of the network namespace link)

3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
   see this, done)

...so I would opt for 1.

I see why you mention it's less secure: we didn't really want to be
able to open and read *any* container_runtime_t:dir or
container_t:lnk_file. But that's not really the part of "fine-grained"
security that we typically delegate to SELinux anyway.

> > Max, could it be that you're running stuff with some customised SELinux
> > policy? By the way, with "unconfined disabled":
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=2330512
> >
> > we seem to have unconfined_t as type for those links:
> >
> > type=AVC msg=audit(1733378482.320:31258): avc:  denied  { open } for  pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
> >
> > ...but I'm not sure at which point in time exactly.  
> 
> Ah, I wonder if that might be related to this:
> 
>     https://github.com/containers/buildah/issues/6160
> 
> But with the workaround documented there, and the rules from above,
> "podman build" works as expected with the unconfined module disabled.

Ah, great, then I guess we don't need to fix something that's not
broken.

> > Wait a moment. I don't think something SELinux-specific belongs to
> > pasta's man page, because that's not relevant for all users and
> > distributions.
> >
> > We could maintain that as an addition for Fedora and perhaps Gentoo,
> > but I wonder if it's really worth the effort.  
> 
> +1

...so I guess the only remaining point, other than adding those rules,
is to figure out why %selinux_relabel_post isn't enough and what we can
add to the spec file instead. I'll try to have a look at it within a
couple of days unless you find an explanation / solution before then.

-- 
Stefano


  reply	other threads:[~2025-05-19  7:39 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40   ` Stefano Brivio
2025-05-15 15:55     ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16  5:11 ` [PATCH v2 " Max Chernoff
2025-05-16  6:22   ` Stefano Brivio
2025-05-16  5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59   ` Paul Holzinger
2025-05-16 12:22     ` Max Chernoff
2025-05-16 12:35       ` Paul Holzinger
2025-05-16 16:11         ` Stefano Brivio
2025-05-17  9:34           ` Max Chernoff
2025-05-19  7:39             ` Stefano Brivio [this message]
2025-05-20 10:37               ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08                 ` Stefano Brivio
2025-05-24  7:16                 ` [PATCH v4 " Max Chernoff
2025-05-24  7:16                 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37               ` [PATCH v3 " Max Chernoff

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250519093941.4503ae47@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=git@maxchernoff.ca \
    --cc=passt-dev@passt.top \
    --cc=pholzing@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).