From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=maxchernoff.ca
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=maxchernoff.ca header.i=@maxchernoff.ca header.a=rsa-sha256 header.s=key1 header.b=vjW6kq/c;
	dkim-atps=neutral
Received: from out-184.mta0.migadu.com (out-184.mta0.migadu.com [91.218.175.184])
	by passt.top (Postfix) with ESMTPS id B0C435A0271
	for <passt-dev@passt.top>; Wed, 24 Dec 2025 12:36:37 +0100 (CET)
Message-ID: <7c3a0677a8c01c9f1e1ac03c868daab69e07f394.camel@maxchernoff.ca>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=maxchernoff.ca;
	s=key1; t=1766576197;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=VJAIib4gNLOoMseNFTwShY0LrlX7ymTy6MJcchJ61nA=;
	b=vjW6kq/crdwGIwUStiDG71NOrngJ9s3FnR5HuQv/wRpqhXcAiqbcpwVHON4KgBxLomwzfW
	ZodjMYR0jFpPjAxVLDnpHWCwXSxAJm34edfnDEMmsaRTWub7UmvW9bpJb9jZNzwbqZRQzu
	YlRbDFAv/lTg/92jzeOQxvcXDFjmfjcsByIw9LWZtV6WcwNIE1ArxT63FzyZsYNwHWRwx1
	kxNcFSogZsqJ+uLPQT8YztLsKkIyqg2jo/0Anro7hBoPxUh20bOIwwjxA3daSxKHKBRdDi
	CXMQk/Tbxb5vA0Hn4BmLJYLpdpXt+epk3L9xoG9OoTM3hSSpcCIaLCdGXsKIfg==
Subject: Re: [PATCH] selinux: Enable read and watch permissions on netns
 directory as well
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Max Chernoff <git@maxchernoff.ca>
To: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Date: Wed, 24 Dec 2025 04:36:33 -0700
In-Reply-To: <20251223083137.1016281-1-sbrivio@redhat.com>
References: <20251223083137.1016281-1-sbrivio@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Migadu-Flow: FLOW_OUT
Message-ID-Hash: XADIAIIX43ERVHWGUOCHWCL7OVZPW5HW
X-Message-ID-Hash: XADIAIIX43ERVHWGUOCHWCL7OVZPW5HW
X-MailFrom: git@maxchernoff.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tuomo Soini <tis@foobar.fi>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/7c3a0677a8c01c9f1e1ac03c868daab69e07f394.camel@maxchernoff.ca/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/XADIAIIX43ERVHWGUOCHWCL7OVZPW5HW/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

Hi Stefano,

On Tue, 2025-12-23 at 09:31 +0100, Stefano Brivio wrote:
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 95fe42a..3eb58f6 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
>  manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
>  files_pid_filetrans(pasta_t, pasta_pid_t, file)
>
> -allow pasta_t user_tmp_t:dir { add_name remove_name search write };
> +allow pasta_t user_tmp_t:dir { add_name read remove_name search watch wr=
ite };
>  allow pasta_t user_tmp_t:fifo_file append;
>  allow pasta_t user_tmp_t:file { create open write };
>  allow pasta_t user_tmp_t:sock_file { create unlink };

I'm a bit late, but this change looks good to me.

Thanks,
-- Max