Date: Wed, 17 Sep 2025 17:05:16 +0200
From: Stefano Brivio
To: Paul Holzinger
CC: passt-dev@passt.top, Max Chernoff, Giuseppe Scrivano, Lokesh Mandvekar, Dan Walsh
Subject: Re: [PATCH 1/2] selinux: add container_var_run_t type transition
Message-ID: <20250917170516.35ea2a5e@elisabeth>
In-Reply-To: <20250917120450.36181-2-pholzing@redhat.com>
References: <20250917120450.36181-2-pholzing@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 17 Sep 2025 14:04:50 +0200
Paul Holzinger wrote:

> In some cases the podman runroot directory used to be labelled
> container_var_run_t instead of user_tmp_t which was expected here.
> Starting with a recent container-selinux change the runroot is now
> always container_var_run_t so make the policy handle both types to allow
> for a better upgrade path where passt-selinux and container-selinux are
> not updated at the same time.
>
> Link: https://github.com/containers/container-selinux/pull/405

Even if I just proposed a revert for this one:

https://github.com/containers/container-selinux/pull/405

> Link: https://github.com/containers/podman/issues/26473

it's still good to have this other issue fixed.
Even though I'm not sure adding more and more labels to pasta's policy is
the way to go, Podman issue #26473 has been open for way too long, so
let's be pragmatic here at the slight expense of keeping profiles tight.

Just a couple of nits (I can fix it all up on merge if you're fine with
it, no need to re-post):

> Signed-off-by: Paul Holzinger
> ---
> contrib/selinux/pasta.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index c0a1e9b..24e58c8 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -96,6 +96,7 @@ require {
> role staff_r;
> role user_r;
> type container_runtime_t;
> + type container_var_run_t;
> type container_t;
> type systemd_user_runtimedir_t;
> }
> @@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t;
> allow container_runtime_t pasta_t:process transition;
>
> # Label the user network namespace files
> +# Note podman files used to be user_tmp_t but now are container_var_run_t since

s/podman/Podman/

> +# https://github.com/containers/container-selinux/issues/404.

I'd drop the . at the end because some URL parsers might miss the fact
that it's not part of the URL, and require additional intervention once
you press enter / click on the link.

> type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
> +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns";
> type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
> +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
> allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
> allow pasta_t ifconfig_var_run_t:file { create open write };
> allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;

-- 
Stefano
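Review bot: in the second hunk, the new comment "# Note podman files used to be user_tmp_t but now are container_var_run_t since" states more than the commit message does: the rules are added so the policy handles both labels during an upgrade window where passt-selinux and container-selinux are not updated together (and a revert of container-selinux PR 405 is being proposed in this very thread), so the comment should say the runroot may be labelled either user_tmp_t or container_var_run_t rather than that it "now" is container_var_run_t, otherwise it reads as if the user_tmp_t transitions were dead code. The comment also cites container-selinux issue 404 while the commit message's Link: trailer cites PR 405; pointing both at the same reference would make the history easier to follow. The two added type_transition rules mirror the existing user_tmp_t pair line for line, and the first hunk's require entry for container_var_run_t is the only other change needed, so the policy change itself looks consistent.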