public inbox for passt-dev@passt.top
* [PATCH] selinux: Enable read and watch permissions on netns directory as well
@ 2025-12-23  8:31 Stefano Brivio
  2025-12-24 11:36 ` Max Chernoff
  0 siblings, 1 reply; 3+ messages in thread
From: Stefano Brivio @ 2025-12-23  8:31 UTC (permalink / raw)
  To: passt-dev; +Cc: Tuomo Soini, Max Chernoff

With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
containers"), we need to make sure that pasta can access the target
namespace directory passed by Podman, and, in a general case, we have
all the permissions we need.

But if we now start a container without the Podman changes referenced
by commit fd1bcc30af07 ("selinux: add container_var_run_t type
transition"), or with them, but with the container being created
before those and without a reboot in between, we'll additionally need
'read' and 'watch' permissions on user_tmp_t directory as well, as
user_tmp_t is still the (inconsistent) context of the namespace entry.

Otherwise, on a container start/restart, we'll get SELinux denials:

  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

  $ podman create -q --name hello hello
  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

  [upgrade passt's SELinux policy to a version including 7aeda16a7818]

  $ podman start hello
  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
  netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini <tis@foobar.fi>
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/pasta.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 95fe42a..3eb58f6 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
 manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
 files_pid_filetrans(pasta_t, pasta_pid_t, file)
 
-allow pasta_t user_tmp_t:dir { add_name remove_name search write };
+allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };
 allow pasta_t user_tmp_t:fifo_file append;
 allow pasta_t user_tmp_t:file { create open write };
 allow pasta_t user_tmp_t:sock_file { create unlink };
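Review bot: the widened rule `+allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };` carries no comment recording why `read` and `watch` are needed, while the cover letter explains they only matter for namespace entries still labelled user_tmp_t (containers created before the container_var_run_t transition from fd1bcc30af07, or Podman without that change); a one-line comment above the rule stating that would let a later reader judge whether the two permissions can be dropped once the transition is universal. Worth noting in the same comment that the rule covers every user_tmp_t directory pasta can reach under the user's runtime dir, not only the netns entry named in the denial.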
-- 
2.43.0
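
The two AVC records quoted in the patch description and the 'before' allow rule from the hunk are enough to show how such a denial maps onto a policy change. The script below is an added illustration, not part of the patch or of the passt project: it parses AVC records into (source type, target type, class) -> missing permissions, flags records logged with permissive=1 (access was allowed despite the denial, so the policy is not yet enforcing), and merges the missing permissions into the matching allow rules of a .te fragment, keeping the permission list sorted as pasta.te does. The sample AVC text is copied from the mail above; the .te fragment is the four pre-patch lines from the hunk. Function and variable names are the example's own.

```python
import re
from collections import defaultdict

# AVC records from the patch description (the first one was line-wrapped in
# the mail and is joined here).
SAMPLE_AVC = """\
type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
"""

# Pre-patch rules for user_tmp_t, as they appear in the hunk's context.
SAMPLE_TE = """\
allow pasta_t user_tmp_t:dir { add_name remove_name search write };
allow pasta_t user_tmp_t:fifo_file append;
allow pasta_t user_tmp_t:file { create open write };
allow pasta_t user_tmp_t:sock_file { create unlink };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

ALLOW_RE = re.compile(
    r'^allow\s+(?P<stype>\w+)\s+(?P<ttype>\w+):(?P<tclass>\w+)\s+'
    r'(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<single>\w+))\s*;'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(text):
    """Group denied permissions by (source type, target type, object class).

    Returns (denials, permissive): denials maps the triple to a set of
    permissions; permissive is True if any record carried permissive=1,
    meaning the access went through although policy denied it.
    """
    denials = defaultdict(set)
    permissive = False
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
        if m['permissive'] == '1':
            permissive = True
    return dict(denials), permissive


def format_allow(key, perms):
    """Render one allow rule; a single permission needs no braces."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def merge_allow(policy_text, denials):
    """Extend allow rules in a .te fragment so they cover the given denials.

    A rule whose (stype, ttype, tclass) matches a denial gains the missing
    permissions in place; denials with no existing rule get a new rule
    appended at the end. Lines that are not allow rules are left untouched.
    """
    remaining = {k: set(v) for k, v in denials.items()}
    out = []
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            key = (m['stype'], m['ttype'], m['tclass'])
            if key in remaining:
                existing = m['perms'] if m['perms'] is not None else m['single']
                line = format_allow(key, set(existing.split()) | remaining.pop(key))
        out.append(line)
    for key in sorted(remaining):
        out.append(format_allow(key, remaining[key]))
    return '\n'.join(out)


if __name__ == '__main__':
    denials, permissive = parse_avc(SAMPLE_AVC)
    for (stype, ttype, tclass), perms in denials.items():
        print(f'{stype} -> {ttype}:{tclass} missing {sorted(perms)}')
    if permissive:
        print('note: permissive=1, the access was logged but not blocked')
    print(merge_allow(SAMPLE_TE, denials))
```

Run against the two records, the script reports `pasta_t -> user_tmp_t:dir missing ['read', 'watch']` and rewrites the first rule to exactly the `+` line of the hunk. Unlike audit2allow, it never creates a rule for a denial it cannot attribute to a type triple, and the permissive flag is surfaced so that a policy tested only in permissive mode is not mistaken for an enforcing one.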



* Re: [PATCH] selinux: Enable read and watch permissions on netns directory as well
  2025-12-23  8:31 [PATCH] selinux: Enable read and watch permissions on netns directory as well Stefano Brivio
@ 2025-12-24 11:36 ` Max Chernoff
  2025-12-24 12:05   ` Stefano Brivio
  0 siblings, 1 reply; 3+ messages in thread
From: Max Chernoff @ 2025-12-24 11:36 UTC (permalink / raw)
  To: Stefano Brivio, passt-dev; +Cc: Tuomo Soini

Hi Stefano,

On Tue, 2025-12-23 at 09:31 +0100, Stefano Brivio wrote:
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 95fe42a..3eb58f6 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
>  manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
>  files_pid_filetrans(pasta_t, pasta_pid_t, file)
>
> -allow pasta_t user_tmp_t:dir { add_name remove_name search write };
> +allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };
>  allow pasta_t user_tmp_t:fifo_file append;
>  allow pasta_t user_tmp_t:file { create open write };
>  allow pasta_t user_tmp_t:sock_file { create unlink };

I'm a bit late, but this change looks good to me.

Thanks,
-- Max


* Re: [PATCH] selinux: Enable read and watch permissions on netns directory as well
  2025-12-24 11:36 ` Max Chernoff
@ 2025-12-24 12:05   ` Stefano Brivio
  0 siblings, 0 replies; 3+ messages in thread
From: Stefano Brivio @ 2025-12-24 12:05 UTC (permalink / raw)
  To: Max Chernoff; +Cc: passt-dev, Tuomo Soini

On Wed, 24 Dec 2025 04:36:33 -0700
Max Chernoff <git@maxchernoff.ca> wrote:

> Hi Stefano,
> 
> On Tue, 2025-12-23 at 09:31 +0100, Stefano Brivio wrote:
> > diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> > index 95fe42a..3eb58f6 100644
> > --- a/contrib/selinux/pasta.te
> > +++ b/contrib/selinux/pasta.te
> > @@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
> >  manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
> >  files_pid_filetrans(pasta_t, pasta_pid_t, file)
> >
> > -allow pasta_t user_tmp_t:dir { add_name remove_name search write };
> > +allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };
> >  allow pasta_t user_tmp_t:fifo_file append;
> >  allow pasta_t user_tmp_t:file { create open write };
> >  allow pasta_t user_tmp_t:sock_file { create unlink };  
> 
> I'm a bit late, but this change looks good to me.

Thanks for having a look! I'm relieved. :)

-- 
Stefano



Code repositories for project(s) associated with this public inbox

	https://passt.top/passt