Date: Tue, 20 May 2025 18:08:21 +0200
From: Stefano Brivio
To: Max Chernoff
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH v3 0/1] selinux: Transition to pasta_t in containers
Message-ID: <20250520180821.71d5eed4@elisabeth>
In-Reply-To: <20250520103758.401002-2-git@maxchernoff.ca>
References: <20250519093941.4503ae47@elisabeth> <20250520103758.401002-2-git@maxchernoff.ca>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Tue, 20 May 2025 04:37:41 -0600
Max Chernoff wrote:

> Hi Stefano,
> 
> On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:
> > On Sat, 17 May 2025 03:34:42 -0600
> > Max Chernoff wrote:
> > > On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> > > > #============= pasta_t ==============
> > > > allow pasta_t container_runtime_t:dir { open read search };
> > > > allow pasta_t container_runtime_t:file read;
> > > > allow pasta_t container_runtime_t:lnk_file read;
> > > > allow pasta_t container_t:lnk_file read;
> > > > 
> > > > If I add those rules, everything works
> > > 
> > > I guess the options are:
> > > 
> > > 1. Add the above rules to the pasta SELinux policy
> > > 
> > > 2. Have Podman change the context of /proc/self/ns/net to pasta_t
> > > 
> > > 3. Have Podman pass a file descriptor to the netns instead of the path
> > >    to the netns.
> > > 
> > > (1) is arguably the least secure, but is probably fine in practice?
> > 
> > Well:
> > 
> > 2. is probably the most restrictive but it doesn't really feel
> > correct to me (pasta is not, at least conceptually, the exclusive
> > user of the network namespace link)
> > 
> > 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
> > see this, done)
> > 
> > ...so I would opt for 1.
> > 
> > I see why you mention it's less secure: we didn't really want to be
> > able to open and read *any* container_runtime_t:dir or
> > container_t:lnk_file. But that's not really the part of "fine-grained"
> > security that we typically delegate to SELinux anyway.
> 
> Alright, works for me. I've added those rules into the policy in the
> following commit.

Thanks, this looks ready for merging, minus the spec file problem (which
we can also solve in another change, but I'd like to merge them
together).

Paul, maybe you want to give this version another try as well.

> > ...so I guess the only remaining point, other than adding those rules,
> > is to figure out why %selinux_relabel_post isn't enough and what we can
> > add to the spec file instead. I'll try to have a look at it within a
> > couple of days unless you find an explanation / solution before then.
> 
> I've looked through the code and I'm also lost as to why
> %selinux_relabel_post isn't working. I'll try taking a look again
> tomorrow, but I doubt that I'll be able to figure it out.

I haven't had the chance yet, I'll tell you if / as soon as I do.

My first debugging step would have been to run 'fixfiles' manually, by
the way, after changing the file contexts...

-- 
Stefano
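As an added example (not code from the thread, nor from passt/pasta or Podman), the script below shows where a rule set like the four allow rules quoted above comes from: it folds AVC denial lines into the minimal allow rules per (source type, target type, class) and then checks which denials a candidate rule set would still leave unaddressed. The audit.log lines are constructed sample input, shaped like the denials pasta_t would log when opening the netns path Podman hands it.

```python
import re
from collections import defaultdict

# Constructed sample audit.log AVC lines (not taken from the thread), shaped
# like the denials pasta_t hits when it opens the netns path Podman passes.
SAMPLE_AVC = """\
type=AVC msg=audit(1.1:101): avc:  denied  { search } for  pid=1 comm="pasta" name="netns" scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1.2:102): avc:  denied  { read open } for  pid=1 comm="pasta" name="netns" scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1.3:103): avc:  denied  { read } for  pid=1 comm="pasta" name="config" scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1.4:104): avc:  denied  { read } for  pid=1 comm="pasta" name="netns" scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1.5:105): avc:  denied  { read } for  pid=1 comm="pasta" name="net" scontext=system_u:system_r:pasta_t:s0 tcontext=system_u:object_r:container_t:s0 tclass=lnk_file permissive=0
"""

# Pull source type, target type, object class and permission set from a denial.
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
                    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')
# Parse one "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };" rule.
ALLOW_RE = re.compile(r'allow (\w+) (\w+):(\w+) (?:\{ ([^}]+)\}|(\w+));')


def parse_avc(log_text):
    """Yield (stype, ttype, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())


def allow_rules(log_text):
    """Merge denials per (source, target, class) into minimal allow rules."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(log_text):
        needed[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def uncovered(rules, log_text):
    """Return the denials that the given allow rules would still not grant."""
    granted = defaultdict(set)
    for rule in rules:
        m = ALLOW_RE.match(rule)
        if not m:
            raise ValueError(f"unparsable rule: {rule}")
        stype, ttype, tclass, multi, single = m.groups()
        granted[(stype, ttype, tclass)] |= set((multi or single).split())
    return [d for d in parse_avc(log_text) if not d[3] <= granted[d[:3]]]
```

Running `uncovered()` against a proposed policy change is a quick way to confirm it closes every logged denial before rebuilding the module; on a real host the same lines come from ausearch or audit.log rather than the embedded sample.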