From: Stefano Brivio <sbrivio@redhat.com>
To: Max Chernoff <git@maxchernoff.ca>
Cc: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH v3 0/1] selinux: Transition to pasta_t in containers
Date: Tue, 20 May 2025 18:08:21 +0200 [thread overview]
Message-ID: <20250520180821.71d5eed4@elisabeth> (raw)
In-Reply-To: <20250520103758.401002-2-git@maxchernoff.ca>
On Tue, 20 May 2025 04:37:41 -0600
Max Chernoff <git@maxchernoff.ca> wrote:
> Hi Stefano,
>
> On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:
> > On Sat, 17 May 2025 03:34:42 -0600
> > Max Chernoff <git@maxchernoff.ca> wrote:
> > > On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> > > > #============= pasta_t ==============
> > > > allow pasta_t container_runtime_t:dir { open read search };
> > > > allow pasta_t container_runtime_t:file read;
> > > > allow pasta_t container_runtime_t:lnk_file read;
> > > > allow pasta_t container_t:lnk_file read;
> > > >
> > > > If I add those rules, everything works
>
> > > I guess the options are:
> > >
> > > 1. Add the above rules to the pasta SELinux policy
> > >
> > > 2. Have Podman change the context of /proc/self/ns/net to pasta_t
> > >
> > > 3. Have Podman pass a file descriptor to the netns instead of the path
> > > to the netns.
> > >
> > > (1) is arguably the least secure, but is probably fine in practice?
> >
> > Well:
> >
> > 2. is probably the most restrictive but it doesn't really feel
> > correct to me (pasta is not, at least conceptually, the exclusive
> > user of the network namespace link)
> >
> > 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
> > see this, done)
> >
> > ...so I would opt for 1.
> >
> > I see why you mention it's less secure: we didn't really want to be
> > able to open and read *any* container_runtime_t:dir or
> > container_t:lnk_file. But that's not really the part of "fine-grained"
> > security that we typically delegate to SELinux anyway.
>
> Alright, works for me. I've added those rules into the policy in the
> following commit.
Thanks, this looks ready for merging, minus the spec file problem
(which we can also solve in another change, but I'd like to merge them
together).
Paul, maybe you want to give this version another try as well.
> > ...so I guess the only remaining point, other than adding those rules,
> > is to figure out why %selinux_relabel_post isn't enough and what we can
> > add to the spec file instead. I'll try to have a look at it within a
> > couple of days unless you find an explanation / solution before then.
>
> I've looked through the code and I'm also lost as to why
> %selinux_relabel_post isn't working. I'll try taking a look again
> tomorrow, but I doubt that I'll be able to figure it out.
I haven't had the chance yet, I'll tell you if / as soon as I do. My
first debugging step would have been to run 'fixfiles' manually, by the
way, after changing the file contexts...
--
Stefano
next prev parent reply other threads:[~2025-05-20 16:08 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40 ` Stefano Brivio
2025-05-15 15:55 ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 " Max Chernoff
2025-05-16 6:22 ` Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59 ` Paul Holzinger
2025-05-16 12:22 ` Max Chernoff
2025-05-16 12:35 ` Paul Holzinger
2025-05-16 16:11 ` Stefano Brivio
2025-05-17 9:34 ` Max Chernoff
2025-05-19 7:39 ` Stefano Brivio
2025-05-20 10:37 ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08 ` Stefano Brivio [this message]
2025-05-24 7:16 ` [PATCH v4 " Max Chernoff
2025-06-06 10:06 ` Stefano Brivio
2025-05-24 7:16 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37 ` [PATCH v3 " Max Chernoff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250520180821.71d5eed4@elisabeth \
--to=sbrivio@redhat.com \
--cc=git@maxchernoff.ca \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).