From: Stefano Brivio
To: passt-dev@passt.top
CC: Tuomo Soini, Max Chernoff
Subject: [PATCH] selinux: Enable read and watch permissions on netns directory as well
Date: Tue, 23 Dec 2025 09:31:37 +0100
Message-ID: <20251223083137.1016281-1-sbrivio@redhat.com>
X-Mailer: git-send-email 2.43.0
List-Id: Development discussion and patches for passt

With commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers"),
we need to make sure that pasta can access the target namespace directory
passed by Podman, and, in a general case, we have all the permissions we
need.

But if we now start a container without the Podman changes referenced by
commit fd1bcc30af07 ("selinux: add container_var_run_t type transition"),
or with them, but with the container being created before those and
without a reboot in between, we'll additionally need 'read' and 'watch'
permissions on user_tmp_t directory as well, as user_tmp_t is still the
(inconsistent) context of the namespace entry.
Otherwise, on a container start/restart, we'll get SELinux denials:

type=AVC msg=audit(1766451401.296:184): avc: denied { read } for pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1766451401.298:185): avc: denied { watch } for pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

$ podman create -q --name hello hello
6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

[upgrade passt's SELinux policy to a version including 7aeda16a7818]

$ podman start hello
Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1: netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio
---
 contrib/selinux/pasta.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 95fe42a..3eb58f6 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) files_pid_filetrans(pasta_t, pasta_pid_t, file) -allow pasta_t user_tmp_t:dir { add_name remove_name search write }; +allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write }; allow pasta_t user_tmp_t:fifo_file append; allow pasta_t user_tmp_t:file { create open write }; allow pasta_t user_tmp_t:sock_file { create unlink };
-- 
2.43.0
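Review bot: the widened `allow pasta_t user_tmp_t:dir { ... read ... watch ... }` line grants read and watch on every user_tmp_t directory, while the description scopes the need to the one netns entry that still carries user_tmp_t on containers created before the fd1bcc30af07 Podman transition; a one-line comment above the rule in pasta.te recording that these two permissions are a compatibility allowance for that case would let them be reconsidered once the container_var_run_t transition applies everywhere, and nothing in the hunk otherwise documents why the rule grew.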
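The two AVC records in the description map directly onto the changed allow rule: each denial names a source type, a target type, an object class and a set of permissions, and the fix is the union of those sets with what the policy already grants. The following is an added example, not code from the patch or from the passt project, that parses AVC lines in that format, diffs them against existing `allow` statements and renders the resulting rule. The sample input is the two denials quoted above, embedded inline; the rule parser is an assumption of this example and handles only plain `allow` statements, not policy macros such as `manage_files_pattern`, which is one reason the real audit2allow tool should be used on a full policy.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denials quoted in the patch description,
# reproduced here as constructed test data (auditd normally emits double
# spaces around "denied", which the regex below also accepts).
SAMPLE_AVC = """\
type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
"""

# The rule as it stood before the patch and as the patch leaves it.
OLD_RULE = "allow pasta_t user_tmp_t:dir { add_name remove_name search write };"
NEW_RULE = "allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Simple "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };"
# (assumption: no macros, no attributes, no self keyword).
RULE_RE = re.compile(
    r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+))\s*;'
)


def selinux_type(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(':')[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)


def parse_allow_rule(rule):
    """Return ((src, tgt, class), {perms}) for one plain allow statement."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    perms = set((m.group(4) or m.group(5)).split())
    return (m.group(1), m.group(2), m.group(3)), perms


def missing_permissions(denials, rules):
    """Permissions each denial needs that the given rules do not yet grant."""
    allowed = defaultdict(set)
    for rule in rules:
        key, perms = parse_allow_rule(rule)
        allowed[key].update(perms)
    return {key: perms - allowed[key]
            for key, perms in denials.items() if perms - allowed[key]}


def render_rule(key, perms):
    """Render a TE allow rule with permissions sorted, as in pasta.te."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def proposed_rule(avc_text, existing_rule):
    """Merge denied permissions into an existing rule for the same key."""
    key, have = parse_allow_rule(existing_rule)
    need = parse_denials(avc_text).get(key, set())
    return render_rule(key, have | need)


if __name__ == "__main__":
    print("denied:", parse_denials(SAMPLE_AVC))
    print("missing vs old rule:", missing_permissions(parse_denials(SAMPLE_AVC), [OLD_RULE]))
    print("proposed:", proposed_rule(SAMPLE_AVC, OLD_RULE))
```

Run against the old rule this reports `read` and `watch` as missing and renders exactly the `+` line of the patch; run against the new rule it reports nothing missing, which is the check a reviewer wants before and after loading the updated policy.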