From: Max Chernoff <git@maxchernoff.ca>
To: passt-dev@passt.top
Cc: Max Chernoff <git@maxchernoff.ca>
Subject: [PATCH v3 1/1] selinux: Transition to pasta_t in containers
Date: Tue, 20 May 2025 04:37:43 -0600	[thread overview]
Message-ID: <20250520103758.401002-4-git@maxchernoff.ca> (raw)
In-Reply-To: <20250519093941.4503ae47@elisabeth>

Currently, pasta runs in the container_runtime_exec_t context when
running in a container. This is not ideal since it means that pasta runs
with more privileges than strictly necessary. This commit updates the
SELinux policy to have pasta transition to the pasta_t context when
started from the container_runtime_t context, adds the appropriate
labels to $XDG_RUNTIME_DIR/netns and
$XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Max Chernoff <git@maxchernoff.ca>
---
 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 42 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index 41ee46d..e4aefc4 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -8,7 +8,9 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-/usr/bin/pasta			system_u:object_r:pasta_exec_t:s0
-/usr/bin/pasta.avx2		system_u:object_r:pasta_exec_t:s0
-/tmp/pasta\.pcap		system_u:object_r:pasta_log_t:s0
-/var/run/pasta\.pid		system_u:object_r:pasta_pid_t:s0
+/usr/bin/pasta						system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2					system_u:object_r:pasta_exec_t:s0
+/tmp/pasta\.pcap					system_u:object_r:pasta_log_t:s0
+/var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
+/run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
+/run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
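Review bot: The `/usr/bin/pasta.avx2` entry is rewritten here with an unescaped dot while the neighbouring `pasta\.pcap` and `pasta\.pid` entries escape theirs, so the pattern matches any character in that position; since the line is already being touched for alignment, `/usr/bin/pasta\.avx2` would make the four entries consistent. The two new `netns` entries match only the directory itself, so anything created inside them keeps its label only by inheritance or by the `type_transition` rules in pasta.te; if the mount-point files inside are expected to survive a recursive restorecon, the entries probably need a `(/.*)?` suffix — worth confirming against a relabel of a live `$XDG_RUNTIME_DIR`.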
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 89c8043..8b46903 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -89,6 +89,14 @@ require {
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
 	class user_namespace create;
+
+	# Container requires
+	attribute_role usernetctl_roles;
+	role container_user_r;
+	role staff_r;
+	role user_r;
+	type container_runtime_t;
+	type container_t;
 }
 
 type pasta_t;
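Review bot: The `# Container requires` comment does not say where these symbols come from, and a `require` on a role, role attribute or type that the running policy lacks makes the whole pasta module fail to install rather than degrade gracefully. The roles and the `container_*` types presumably come from the distribution's container policy and `usernetctl_roles` from a separate module; a comment naming the modules that must be loaded, e.g. `# Provided by the container-selinux and usernetctl policy modules; the pasta module will not load without them`, would save the next person a semodule failure. The `require` block starts before this hunk.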
@@ -113,6 +121,9 @@ init_daemon_domain(pasta_t, pasta_exec_t)
 
 allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
 allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+# pasta only calls setuid and setgid with the current UID and GID, so this
+# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
+dontaudit pasta_t self:cap_userns { setgid setuid };
 allow pasta_t self:user_namespace create;
 
 auth_read_passwd(pasta_t)
@@ -130,7 +141,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr
 allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
 allow pasta_t user_home_dir_t:file { create open read write };
 allow pasta_t tmp_t:dir { add_name mounton remove_name write };
-allow pasta_t tmpfs_t:filesystem mount;
+allow pasta_t tmpfs_t:filesystem { getattr mount };
 allow pasta_t fs_t:filesystem unmount;
 allow pasta_t root_t:dir mounton;
 manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
@@ -156,6 +167,11 @@ allow pasta_t tmp_t:sock_file { create unlink write };
 allow pasta_t self:tcp_socket create_stream_socket_perms;
 corenet_tcp_sendrecv_generic_node(pasta_t)
 corenet_tcp_bind_generic_node(pasta_t)
+allow pasta_t container_runtime_t:dir { open read search };
+allow pasta_t container_runtime_t:fifo_file { getattr write };
+allow pasta_t container_runtime_t:file read;
+allow pasta_t container_runtime_t:lnk_file read;
+allow pasta_t container_t:lnk_file read;
 allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
 allow pasta_t pasta_port_t:udp_socket { name_bind };
 allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
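Review bot: The five new `container_runtime_t`/`container_t` rules carry no comment, unlike every other group of rules this patch adds, so a reader cannot tell which pasta operation each grant serves or whether all of them are still needed. The `file read` and `fifo_file { getattr write }` grants without `open` suggest descriptors inherited from the runtime (a sync pipe, for instance) rather than paths pasta opens itself, but that is an inference; a one-line comment per rule stating the triggering operation, along the lines of `# fds inherited from the container runtime at exec time`, would document the intent and make future tightening safe.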
@@ -213,3 +229,27 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
 allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
 allow pasta_t user_tty_device_t:chr_file { append read write };
 allow pasta_t user_devpts_t:chr_file { append read write };
+
+# Allow network administration commands for non-privileged users
+roleattribute container_user_r usernetctl_roles;
+roleattribute staff_r usernetctl_roles;
+roleattribute user_r usernetctl_roles;
+role usernetctl_roles types pasta_t;
+
+# Make pasta in a container run under the pasta_t context
+type_transition container_runtime_t pasta_exec_t : process pasta_t;
+allow container_runtime_t pasta_t:process transition;
+
+# Label the user network namespace files
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+allow pasta_t ifconfig_var_run_t:file { create open write };
+
+# Allow pasta to bind to any port
+bool pasta_bind_all_ports true;
+if (pasta_bind_all_ports) {
+	allow pasta_t port_type:icmp_socket { accept getopt name_bind };
+	allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
+	allow pasta_t port_type:udp_socket { accept getopt name_bind };
+}
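Review bot: `bool pasta_bind_all_ports true;` defaults the new boolean to on, so out of the box pasta_t may `name_bind` and `name_connect` on every `port_type`, including reserved and service-specific port types, which undercuts the least-privilege goal stated in the commit message and is not mentioned there; a conservative default would be `bool pasta_bind_all_ports false;` with the boolean and its `setsebool` switch documented in the commit message and in the comment above it. The `accept` and `getopt` permissions are checked against the socket object, which normally carries the creating domain's label rather than a port type, so those parts of the three rules are probably no-ops — worth checking against the audit log that motivated them. The `rmdir` grant on `ifconfig_var_run_t:dir` has no matching `remove_name` on the parent, and there is no `unlink` for the files pasta creates there, so cleanup is presumably done by the runtime; a comment saying so would confirm that this is intended rather than an omission.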
-- 
@@ -89,6 +89,14 @@ require {
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
 	class user_namespace create;
+
+	# Container requires
+	attribute_role usernetctl_roles;
+	role container_user_r;
+	role staff_r;
+	role user_r;
+	type container_runtime_t;
+	type container_t;
 }
 
 type pasta_t;
@@ -113,6 +121,9 @@ init_daemon_domain(pasta_t, pasta_exec_t)
 
 allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
 allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+# pasta only calls setuid and setgid with the current UID and GID, so this
+# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
+dontaudit pasta_t self:cap_userns { setgid setuid };
 allow pasta_t self:user_namespace create;
 
 auth_read_passwd(pasta_t)
@@ -130,7 +141,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr
 allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
 allow pasta_t user_home_dir_t:file { create open read write };
 allow pasta_t tmp_t:dir { add_name mounton remove_name write };
-allow pasta_t tmpfs_t:filesystem mount;
+allow pasta_t tmpfs_t:filesystem { getattr mount };
 allow pasta_t fs_t:filesystem unmount;
 allow pasta_t root_t:dir mounton;
 manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
@@ -156,6 +167,11 @@ allow pasta_t tmp_t:sock_file { create unlink write };
 allow pasta_t self:tcp_socket create_stream_socket_perms;
 corenet_tcp_sendrecv_generic_node(pasta_t)
 corenet_tcp_bind_generic_node(pasta_t)
+allow pasta_t container_runtime_t:dir { open read search };
+allow pasta_t container_runtime_t:fifo_file { getattr write };
+allow pasta_t container_runtime_t:file read;
+allow pasta_t container_runtime_t:lnk_file read;
+allow pasta_t container_t:lnk_file read;
 allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
 allow pasta_t pasta_port_t:udp_socket { name_bind };
 allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
@@ -213,3 +229,27 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
 allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
 allow pasta_t user_tty_device_t:chr_file { append read write };
 allow pasta_t user_devpts_t:chr_file { append read write };
+
+# Allow network administration commands for non-privileged users
+roleattribute container_user_r usernetctl_roles;
+roleattribute staff_r usernetctl_roles;
+roleattribute user_r usernetctl_roles;
+role usernetctl_roles types pasta_t;
+
+# Make pasta in a container run under the pasta_t context
+type_transition container_runtime_t pasta_exec_t : process pasta_t;
+allow container_runtime_t pasta_t:process transition;
+
+# Label the user network namespace files
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+allow pasta_t ifconfig_var_run_t:file { create open write };
+
+# Allow pasta to bind to any port
+bool pasta_bind_all_ports true;
+if (pasta_bind_all_ports) {
+	allow pasta_t port_type:icmp_socket { accept getopt name_bind };
+	allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
+	allow pasta_t port_type:udp_socket { accept getopt name_bind };
+}
-- 
2.49.0

