From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=DJDEyDfg;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTPS id CFA475A027E
	for <passt-dev@passt.top>; Tue, 20 May 2025 18:08:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1747757306;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=rfQq05xQ7zVnmMAQYoThooSMe08R+jeIWyIDaVJ5XEw=;
	b=DJDEyDfgOjzN8qwte0Ji+NIEJrWf1XhMWJoxivd/vzGPRKffm+wGfZclsCrTXlQMp3ntXQ
	IEgHKx6oMFdH1w3KMYX/l8kBheI0Vcj3dSiaB/c7HVMBo/ywxUhONSkZ0fioeGwfUBGW43
	swsR+2IMtGMBi3es4uEekZpdMl314HI=
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com
 [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-645-994rf0fkMcmggWoTgCJe9w-1; Tue, 20 May 2025 12:08:25 -0400
X-MC-Unique: 994rf0fkMcmggWoTgCJe9w-1
X-Mimecast-MFC-AGG-ID: 994rf0fkMcmggWoTgCJe9w_1747757304
Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-3a371fb826cso1120069f8f.1
        for <passt-dev@passt.top>; Tue, 20 May 2025 09:08:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1747757304; x=1748362104;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=rfQq05xQ7zVnmMAQYoThooSMe08R+jeIWyIDaVJ5XEw=;
        b=dRJ946kHzUJjBeza3DMO2+pigTYmoFXekLix1BhYr21nsm+IYWUtvthz6xBItYqpkK
         K0lvpRTVOVwRtLityY5aJ4cEHDZWiK2ima87O2cFzVPJ1+DmSAo1lLisysvRl59bOntF
         QRAfXew1r60cxRb3tUzsF/q4Bn+BIQWnq+xNdp3zEpXU8CK+yv0UtceSKWAgJV13qyvJ
         gV1/dQ+FOKvqg+sc8VfTbJdQnlNE9Pwm5mPbRHmd6JJqnEDdLv2InBgzyAscTVoPrLY7
         zsNyq7YpNa4l7GqKcaruSOvKREQFD8QT30UoRoOJZO/PsVWL+/ybRYnX2TZhUIjfx9AI
         K5Xg==
X-Gm-Message-State: AOJu0YzELOhNVoy137PBaTXcSbDzDaO7iuejh7rF61kn+abTKToHhqHl
	Nbk5KVm2zy24V/MEMtOWMTS59yhLIQTySwh7Dpdskj6ks/OxgoaNXBNwMioRWDdR6M5HW2KV2jk
	6H1nzq5/uP/9ZlSC/cHVxfHE659hwGGpJZnsnTTw1AlPIxFjJAkuPgTJ6GRbBaw==
X-Gm-Gg: ASbGnctvBgA7HzZmOrLAmReL1X+633SDQIBxuJ3VNJID+m0hJbY2GoepwFN58GvXZyx
	ppaz3rVW7f7TWSRtjLfVjuuzK8VNwQ+dEAc73nsjVEkv2LAtb1xb/Sua9vGQdNFga2rY0f8U7Rr
	uN+mBLX738Ju9rC58qYqpJLjAj2U6j04ugXK17WhQwun+25fmP6dh8wqDW8Ir9I5IbLG/O1ihJJ
	UJWkS+1bXCvPLOe9ld0KmI8qlXTG8dU9gosC03FIZILRIooBXmuIDz8MKYH7Jqj2cpfzqLB95h1
	foQzqqUCbSBanevgjP8If+8=
X-Received: by 2002:a05:6000:2012:b0:3a0:85b5:463b with SMTP id ffacd0b85a97d-3a35c857114mr16900572f8f.48.1747757303913;
        Tue, 20 May 2025 09:08:23 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEYYCDukgFbPHXjrILp8KMsNWe1wTZqdvPMF7OPn2cmwphMJq3t4kmwwltO/xZ4ZHcdjQ1Z2A==
X-Received: by 2002:a05:6000:2012:b0:3a0:85b5:463b with SMTP id ffacd0b85a97d-3a35c857114mr16900530f8f.48.1747757303449;
        Tue, 20 May 2025 09:08:23 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3a3674fed67sm12696600f8f.89.2025.05.20.09.08.23
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 20 May 2025 09:08:23 -0700 (PDT)
Date: Tue, 20 May 2025 18:08:21 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Max Chernoff <git@maxchernoff.ca>
Subject: Re: [PATCH v3 0/1] selinux: Transition to pasta_t in containers
Message-ID: <20250520180821.71d5eed4@elisabeth>
In-Reply-To: <20250520103758.401002-2-git@maxchernoff.ca>
References: <20250519093941.4503ae47@elisabeth>
	<20250520103758.401002-2-git@maxchernoff.ca>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: IARTxQQ1OCMqzHfs9hGDMsOzxx3XAqUN9C4JSKgGCJk_1747757304
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: MNMC45R53MX37E3GBG3I5GYA2X46HCQM
X-Message-ID-Hash: MNMC45R53MX37E3GBG3I5GYA2X46HCQM
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20250520180821.71d5eed4@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/MNMC45R53MX37E3GBG3I5GYA2X46HCQM/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Tue, 20 May 2025 04:37:41 -0600
Max Chernoff <git@maxchernoff.ca> wrote:

> Hi Stefano,
> 
> On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:
> > On Sat, 17 May 2025 03:34:42 -0600
> > Max Chernoff <git@maxchernoff.ca> wrote:  
> > > On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:  
> > > > #============= pasta_t ==============
> > > > allow pasta_t container_runtime_t:dir { open read search };
> > > > allow pasta_t container_runtime_t:file read;
> > > > allow pasta_t container_runtime_t:lnk_file read;
> > > > allow pasta_t container_t:lnk_file read;
> > > >
> > > > If I add those rules, everything works  
> 
> > > I guess the options are:
> > >
> > > 1. Add the above rules to the pasta SELinux policy
> > >
> > > 2. Have Podman change the context of /proc/self/ns/net to pasta_t
> > >
> > > 3. Have Podman pass a file descriptor to the netns instead of the path
> > >    to the netns.
> > >
> > > (1) is arguably the least secure, but is probably fine in practice?  
> >
> > Well:
> >
> > 2. is probably the most restrictive but it doesn't really feel
> >    correct to me (pasta is not, at least conceptually, the exclusive
> >    user of the network namespace link)
> >
> > 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
> >    see this, done)
> >
> > ...so I would opt for 1.
> >
> > I see why you mention it's less secure: we didn't really want to be
> > able to open and read *any* container_runtime_t:dir or
> > container_t:lnk_file. But that's not really the part of "fine-grained"
> > security that we typically delegate to SELinux anyway.  
> 
> Alright, works for me. I've added those rules into the policy in the
> following commit.

Thanks, this looks ready for merging, minus the spec file problem
(which we can also solve in another change, but I'd like to merge them
together).

Paul, maybe you want to give this version another try as well.

> > ...so I guess the only remaining point, other than adding those rules,
> > is to figure out why %selinux_relabel_post isn't enough and what we can
> > add to the spec file instead. I'll try to have a look at it within a
> > couple of days unless you find an explanation / solution before then.  
> 
> I've looked through the code and I'm also lost as to why
> %selinux_relabel_post isn't working. I'll try taking a look again
> tomorrow, but I doubt that I'll be able to figure it out.

I haven't had the chance yet, I'll tell you if / as soon as I do. My
first debugging step would have been to run 'fixfiles' manually, by the
way, after changing the file contexts...

-- 
Stefano