From mboxrd@z Thu Jan 1 00:00:00 1970 Received: by passt.top (Postfix, from userid 1000) id EB0BB5A065B; Wed, 06 May 2026 23:31:55 +0200 (CEST) From: Stefano Brivio To: passt-dev@passt.top Subject: [PATCH v11 21/23] selinux: Add file context and type enforcement for pesto Date: Wed, 6 May 2026 23:31:53 +0200 Message-ID: <20260506213155.1886983-22-sbrivio@redhat.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260506213155.1886983-1-sbrivio@redhat.com> References: <20260506213155.1886983-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: HNORIC4IVSQ5B2DBCYVHRGQC76AIH7RJ X-Message-ID-Hash: HNORIC4IVSQ5B2DBCYVHRGQC76AIH7RJ X-MailFrom: sbrivio@passt.top X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Jon Maloy , David Gibson , Laurent Vivier , Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Loosely inspired by passt-repair's policy: pesto needs to be able to run, check networking entries under /proc (for ip_local_port_range), talk to passt and pasta, wherever the control socket is. Signed-off-by: Stefano Brivio --- contrib/selinux/pesto.fc | 11 +++++ contrib/selinux/pesto.te | 95 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 contrib/selinux/pesto.fc create mode 100644 contrib/selinux/pesto.te
diff --git a/contrib/selinux/pesto.fc b/contrib/selinux/pesto.fc
new file mode 100644
index 0000000..7ec4d87
--- /dev/null
+++ b/contrib/selinux/pesto.fc
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PESTO - Programmable Extensible Socket Translation Orchestrator
+# front-end for passt(1) and pasta(1) forwarding configuration
+#
+# contrib/selinux/pesto.fc - SELinux: File Context for pesto
+#
+# Copyright (c) 2026 Red Hat GmbH
+# Author: Stefano Brivio
+
+/usr/bin/pesto system_u:object_r:pesto_exec_t:s0
diff --git a/contrib/selinux/pesto.te b/contrib/selinux/pesto.te
new file mode 100644
index 0000000..991833a
--- /dev/null
+++ b/contrib/selinux/pesto.te
@@ -0,0 +1,95 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PESTO - Programmable Extensible Socket Translation Orchestrator
+# front-end for passt(1) and pasta(1) forwarding configuration
+#
+# contrib/selinux/pesto.te - SELinux: Type Enforcement for pesto
+#
+# Copyright (c) 2026 Red Hat GmbH
+# Author: Stefano Brivio
+
+policy_module(pesto, 0.1)
+
+require {
+ type unconfined_t;
+ type passt_t;
+ type pasta_t;
+ role unconfined_r;
+ class process transition;
+
+ class file { read execute execute_no_trans entrypoint open map };
+ class capability { dac_override dac_read_search };
+ class chr_file { append open getattr read write ioctl };
+
+ type net_conf_t;
+ type proc_net_t;
+ type sysctl_net_t;
+
+ class unix_stream_socket { create connect sendto };
+ class sock_file { read write };
+
+ type console_device_t;
+ type user_devpts_t;
+ type user_tmp_t;
+ type tmp_t;
+
+ # Workaround: pesto needs to needs to access socket files
+ # that passt, started by libvirt, might create under different
+ # labels, depending on whether passt is started as root or not.
+ #
+ # However, libvirt doesn't maintain its own policy, which makes
+ # updates particularly complicated. To avoid breakage in the short
+ # term, deal with that in passt's own policy.
+ type qemu_var_run_t;
+ type virt_var_run_t;
+}
+
+type pesto_t;
+domain_type(pesto_t);
+type pesto_exec_t;
+corecmd_executable_file(pesto_exec_t);
+
+role unconfined_r types pesto_t;
+
+allow pesto_t pesto_exec_t:file { read execute execute_no_trans entrypoint open map };
+type_transition unconfined_t pesto_exec_t:process pesto_t;
+allow unconfined_t pesto_t:process transition;
+
+allow pesto_t self:capability { dac_override dac_read_search };
+
+allow pesto_t proc_net_t:file read;
+kernel_search_network_sysctl(pesto_t)
+allow pesto_t sysctl_net_t:dir search;
+allow pesto_t sysctl_net_t:file { open read };
+
+allow pesto_t console_device_t:chr_file { append open getattr read write ioctl };
+allow pesto_t user_devpts_t:chr_file { append open getattr read write ioctl };
+
+allow pesto_t unconfined_t:unix_stream_socket { connectto read write };
+allow pesto_t passt_t:unix_stream_socket { connectto read write };
+allow pesto_t pasta_t:unix_stream_socket { connectto read write };
+allow pesto_t user_tmp_t:unix_stream_socket { connectto read write };
+
+allow pesto_t user_tmp_t:dir { getattr read search watch };
+
+allow pesto_t unconfined_t:sock_file { getattr read write };
+allow pesto_t passt_t:sock_file { getattr read write };
+allow pesto_t pasta_t:sock_file { getattr read write };
+allow pesto_t user_tmp_t:sock_file { getattr read write };
+allow pesto_t tmp_t:sock_file { getattr read write };
+
+# Workaround: pesto needs to needs to access socket files
+# that passt, started by libvirt, might create under different
+# labels, depending on whether passt is started as root or not.
+#
+# However, libvirt doesn't maintain its own policy, which makes
+# updates particularly complicated. To avoid breakage in the short
+# term, deal with that in passt's own policy.
+allow pesto_t qemu_var_run_t:unix_stream_socket { connectto read write };
+allow pesto_t virt_var_run_t:unix_stream_socket { connectto read write };
+
+allow pesto_t qemu_var_run_t:dir { getattr read search watch };
+allow pesto_t virt_var_run_t:dir { getattr read search watch };
+
+allow pesto_t qemu_var_run_t:sock_file { getattr read write };
+allow pesto_t virt_var_run_t:sock_file { getattr read write };
--
2.43.0
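Review bot: The class declarations in the `require` block of pesto.te do not match the permissions the rules below actually use: `unix_stream_socket` is required with `{ create connect sendto }` while every rule grants `{ connectto read write }`, `sock_file` is required with `{ read write }` while the rules grant `{ getattr read write }`, and class `dir` is not required at all even though `sysctl_net_t:dir search` and the `user_tmp_t`/`qemu_var_run_t`/`virt_var_run_t:dir` rules depend on it. If the module build does not pull in the full kernel class definitions these rules will not compile, and if it does the list is misleading, so it should be made to match, e.g. `class unix_stream_socket { connectto read write };`, `class sock_file { getattr read write };`, `class dir { getattr read search watch };`; `net_conf_t` is also required but never referenced by any rule. The workaround comment, present both inside the `require` block and above the `qemu_var_run_t` rules, reads `pesto needs to needs to access` and closes with `deal with that in passt's own policy`, which in this file presumably should say `pesto's own policy`. Separately, `dac_override` alongside `dac_read_search` lets pesto_t bypass DAC permission checks on any file it can reach, not only traverse and read directories; if the socket directories created by another user only need to be searched and the sockets connected to, it is worth confirming whether `dac_read_search` alone is sufficient, with a one-line comment stating which operation needs `dac_override` if it must stay.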