From: Max Chernoff
To: passt-dev@passt.top
CC: Max Chernoff
Subject: [PATCH v3 0/1] selinux: Transition to pasta_t in containers
Date: Tue, 20 May 2025 04:37:41 -0600
Message-ID: <20250520103758.401002-2-git@maxchernoff.ca>
In-Reply-To: <20250519093941.4503ae47@elisabeth>
References: <20250519093941.4503ae47@elisabeth>
List-Id: Development discussion and patches for passt

Hi Stefano,

On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:
> On Sat, 17 May 2025 03:34:42 -0600
> Max Chernoff wrote:
> > On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> > > #============= pasta_t ==============
> > > allow pasta_t container_runtime_t:dir { open read search };
> > > allow pasta_t container_runtime_t:file read;
> > > allow pasta_t container_runtime_t:lnk_file read;
> > > allow pasta_t container_t:lnk_file read;
> > >
> > > If I add those rules, everything works
> >
> > I guess the options are:
> >
> > 1. Add the above rules to the pasta SELinux policy
> >
> > 2. Have Podman change the context of /proc/self/ns/net to pasta_t
> >
> > 3. Have Podman pass a file descriptor to the netns instead of the path
> >    to the netns.
> >
> > (1) is arguably the least secure, but is probably fine in practice?
>
> Well:
>
> 2. is probably the most restrictive but it doesn't really feel
>    correct to me (pasta is not, at least conceptually, the exclusive
>    user of the network namespace link)
>
> 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
>    see this, done)
>
> ...so I would opt for 1.
>
> I see why you mention it's less secure: we didn't really want to be
> able to open and read *any* container_runtime_t:dir or
> container_t:lnk_file. But that's not really the part of "fine-grained"
> security that we typically delegate to SELinux anyway.

Alright, works for me. I've added those rules into the policy in the
following commit.

> ...so I guess the only remaining point, other than adding those rules,
> is to figure out why %selinux_relabel_post isn't enough and what we can
> add to the spec file instead. I'll try to have a look at it within a
> couple of days unless you find an explanation / solution before then.

I've looked through the code and I'm also lost as to why
%selinux_relabel_post isn't working. I'll try taking a look again
tomorrow, but I doubt that I'll be able to figure it out.

Thanks,
-- Max

Max Chernoff (1):
  selinux: Transition to pasta_t in containers

 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 42 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 5 deletions(-)

-- 
2.49.0
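The four allow rules quoted in the thread are the shape audit2allow produces from AVC denials: one rule per (source type, target type, class) with every denied permission merged in. The script below is an added example for this thread, not code from passt, the pasta SELinux policy or Podman; it reimplements that merge step so the reader can see how the rules fall out of the denials and why they are as broad as they are. The AVC lines are constructed to reproduce exactly those four rules (they were not captured from a real system), the scenario they describe (pasta_t walking /proc/<pid>/ns/net of a Podman process) is an assumption, and the module name pasta_local is a placeholder.

```python
"""Derive SELinux allow rules from AVC denials, the way audit2allow does
for the simple case.

Added example for this thread; not code from passt, pasta's SELinux policy
or Podman. The AVC lines below are constructed to reproduce the four rules
quoted in the thread and were not captured from a real system; the module
name "pasta_local" is a placeholder.
"""
import re
from collections import defaultdict

# Constructed sample denials. Assumed scenario: pasta confined as pasta_t
# follows /proc/<pid>/ns/net, where the /proc/<pid> tree carries the label of
# the process that owns it (container_runtime_t for the Podman process,
# container_t with MCS categories for the container). The MCS suffix on the
# last line is there so the parser is exercised on a multi-field context.
SAMPLE_AVC = """\
type=AVC msg=audit(1747737525.001:101): avc:  denied  { search } for  pid=4242 comm="pasta" name="4241" dev="proc" ino=50001 scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1747737525.002:102): avc:  denied  { read open } for  pid=4242 comm="pasta" name="ns" dev="proc" ino=50002 scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1747737525.003:103): avc:  denied  { read } for  pid=4242 comm="pasta" name="status" dev="proc" ino=50003 scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1747737525.004:104): avc:  denied  { read } for  pid=4242 comm="pasta" name="net" dev="proc" ino=50004 scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1747737525.005:105): avc:  denied  { read } for  pid=4242 comm="pasta" name="net" dev="proc" ino=50005 scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:system_r:container_t:s0:c123,c456 tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:range]; the MLS/MCS range, if any, is dropped."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, set of permissions) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()))


def merge_denials(text):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:      # not an AVC record (other audit types, noise)
            continue
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms
    return merged


def perm_set(perms):
    """Render a permission set in policy syntax: one bare name, or braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def derive_rules(text):
    """One allow rule per (source, target, class) with all denied perms merged."""
    return [f"allow {s} {t}:{c} {perm_set(p)};"
            for (s, t, c), p in sorted(merge_denials(text).items())]


def render_module(name, text):
    """Emit a loadable .te module with the require block the rules need."""
    merged = merge_denials(text)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += derive_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("pasta_local", SAMPLE_AVC))
```

Running it prints a .te module whose allow lines are the four from the thread; the usual build and load sequence is `checkmodule -M -m -o pasta_local.mod pasta_local.te`, `semodule_package -o pasta_local.pp -m pasta_local.mod`, `semodule -i pasta_local.pp`, and `sesearch -A -s pasta_t -t container_runtime_t -c dir` confirms what got loaded. The merge is the reason for the breadth Stefano points out: a denial names a type, not a path, so `container_runtime_t:dir { open read search }` covers every directory with that label, not only the one /proc/<pid>/ns entry pasta needs. Relabeling the link (option 2 in the thread) would be the only way to get narrower than type granularity.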