Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
From: Max Chernoff
To: Stefano Brivio, Paul Holzinger, Max Chernoff
Cc: passt-dev@passt.top
Date: Sat, 17 May 2025 03:34:42 -0600
Message-ID: <3eaa88568e808eed15c49a05515954b51cf35c4e.camel@maxchernoff.ca>
In-Reply-To: <20250516181102.6647635f@elisabeth>
References: <20250514104413.197448-2-git@maxchernoff.ca> <20250516051105.432590-2-git@maxchernoff.ca> <2a88e380-05ad-44cd-93c7-b4073e72f242@redhat.com> <99d5f0fb46342ef9675612e64464444e187e4ee7.camel@maxchernoff.ca> <8703e232-0763-4d07-8803-e2f54aaed3f2@redhat.com> <20250516181102.6647635f@elisabeth>

Hi Stefano,

On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> Max, could it be that you're running stuff with some customised SELinux
> policy? By the way, with "unconfined disabled":

Simpler than that: I was testing something with SELinux permissive, and
I forgot to re-enable it. Whoops. I'm getting the same results as you
now.

> Running with SELinux in permissive mode, I'm getting:
>
> # cat /var/log/audit/audit.log
> type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
> type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
> type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
>
> and:
>
> # audit2allow -a
>
>
> #============= pasta_t ==============
> allow pasta_t container_runtime_t:dir { open read search };
> allow pasta_t container_runtime_t:file read;
> allow pasta_t container_runtime_t:lnk_file read;
> allow pasta_t container_t:lnk_file read;
>
> If I add those rules, everything works

Yes, adding those rules also fixes things for me.

> To me those denials look reasonable, in the sense that I would expect
> the namespace links to have container_runtime_t type.

I'm a little surprised that "container_runtime_t:file read" is necessary
since I thought that "container_runtime_t:lnk_file read" would be
sufficient to get the target of the link, but it indeed does not work
without it.

> (well, I'm not saying that's the solution...).

I guess the options are:

1. Add the above rules to the pasta SELinux policy
2. Have Podman change the context of /proc/self/ns/net to pasta_t
3. Have Podman pass a file descriptor to the netns instead of the path
   to the netns.

(1) is arguably the least secure, but is probably fine in practice?

> Max, could it be that you're running stuff with some customised SELinux
> policy? By the way, with "unconfined disabled":
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2330512
>
> we seem to have unconfined_t as type for those links:
>
> type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
>
> ...but I'm not sure at which point in time exactly.

Ah, I wonder if that might be related to this:

https://github.com/containers/buildah/issues/6160

But with the workaround documented there, and the rules from above,
"podman build" works as expected with the unconfined module disabled.

> Wait a moment. I don't think something SELinux-specific belongs to
> pasta's man page, because that's not relevant for all users and
> distributions.
>
> We could maintain that as an addition for Fedora and perhaps Gentoo,
> but I wonder if it's really worth the effort.

+1

Thanks,
-- Max
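Added example (not part of the thread, and not pasta's, Podman's or audit2allow's code): a small Python script that does what the "audit2allow -a" step above does by hand, so the aggregation is visible. It parses AVC records, reduces each to (source type, target type, class, permissions), merges permissions per source/target/class triple and renders allow rules; a second function checks a policy fragment (e.g. the rules proposed as option 1) against the log and lists denials it still does not cover, which is the regression check a packager wants after editing a .te file. The sample input is the six denials quoted above, re-joined from their quoted-printable wrapping; the parser assumes plain AVC lines with scontext/tcontext/tclass fields and does not model dontaudit or type attributes.

```python
"""Minimal audit2allow: AVC denials -> candidate allow rules, plus a coverage check.

Added example for the pasta_t thread; not pasta's, Podman's or audit2allow's code.
"""
import re
from collections import defaultdict

# Constructed sample: the six denials quoted in the thread, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
"""

# "avc: denied { p1 p2 } ... scontext=U:R:T:range tcontext=U:R:T:range tclass=C"
# Whitespace-tolerant, since real audit.log uses double spaces around "denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# "allow S T:C perm;"  or  "allow S T:C { p1 p2 };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]+?)\s*\}|(?P<one>[^\s;{]+))\s*;"
)


def type_of(context):
    """user:role:type[:range] -> type (the part the rules are written against)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, {perms}), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
            set(m["perms"].split()))


def generate_allow_rules(audit_log):
    """Merge denials per (source, target, class) and render them as allow rules,
    sorted the way audit2allow prints them."""
    perms_by_key = defaultdict(set)
    for line in audit_log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            perms_by_key[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def parse_policy(policy_text):
    """Set of (src, tgt, cls, perm) tuples granted by the allow rules in a fragment."""
    granted = set()
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m["many"].split() if m["many"] else [m["one"]]
        for p in perms:
            granted.add((m["src"], m["tgt"], m["cls"], p))
    return granted


def uncovered_denials(audit_log, policy_text):
    """Denials from the log that the policy fragment still does not allow, sorted.
    Empty result means the fragment covers every recorded denial."""
    granted = parse_policy(policy_text)
    missing = set()
    for line in audit_log.splitlines():
        parsed = parse_avc(line)
        if not parsed:
            continue
        src, tgt, cls, perms = parsed
        for p in perms:
            if (src, tgt, cls, p) not in granted:
                missing.add((src, tgt, cls, p))
    return sorted(missing)


if __name__ == "__main__":
    for rule in generate_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    # A fragment that only covers the dir denials: the file and lnk_file reads remain.
    partial = "allow pasta_t container_runtime_t:dir { open read search };\n"
    print("still uncovered:", uncovered_denials(SAMPLE_AUDIT_LOG, partial))
```

Run against the sample log it reproduces the four rules in the audit2allow output above; feeding it only the dir rule shows the three remaining read denials, including the one against container_t from the second pasta process. Reviewing the output this way also makes the cost of option (1) concrete: every rule crosses from pasta_t into the runtime's own /proc entries, which is what options (2) and (3) avoid.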