From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=MVesXCLn;
	dkim-atps=neutral
Received: from mail-106102.protonmail.ch (mail-106102.protonmail.ch [79.135.106.102])
	by passt.top (Postfix) with ESMTPS id D4D4A5A026F
	for <passt-dev@passt.top>; Sun, 02 Feb 2025 20:21:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
	s=protonmail3; t=1738524086; x=1738783286;
	bh=4A1MCTZ9r91Ix0xRx1tvnKMAtyPC3Z6HocDwIG5LSfs=;
	h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
	 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector:
	 List-Unsubscribe:List-Unsubscribe-Post;
	b=MVesXCLnaIzlJoKu5YHEANH3PWENaPbEzNd15N6Dw3/y419ct0IArw+gp/5MKlHvl
	 AjDf8BgiTm21F/uJDcno7LMAMsAsuarRpzszXlF9Dw4EuRifd1JWmLOubwg6lLKW/K
	 uZYl37ByOn1bag/2y+OgACQfODo9pMjU2q1OGW83AV/fIR+IRzpUygrUCv56+QqFg8
	 uKdmjbqM0KOZg5b2AsTosslxP0bzOGXbQrl/GWckyV4C2lStzIQVVEwwR9HMSzGq7p
	 u0E7kOJiibqmRr+ysZx7J2C4SMMS++RrCREBVN36rD8/HZ+kDqoA9lkdVWcXHrJQtU
	 2t4YoPS5f9TBw==
Date: Sun, 02 Feb 2025 19:21:21 +0000
To: "passt-dev@passt.top" <passt-dev@passt.top>
From: 7ppKb5bW <pONy4THS@protonmail.com>
Subject: [PATCH] pasta.te: fix demo.sh and remove one duplicate rule
Message-ID: <BD40k8OG-5BpMWJgJn-GLY9qNZqrSUJCl3S0x2c_1cnn4DUl6azPh8w_Iiw6lIcT0BjV1T61XTalZM9rDhMT50kntShD8Jfcnj6AFjyHMuM=@protonmail.com>
Feedback-ID: 42387216:user:proton
X-Pm-Message-ID: e2aec90bd724b3ddfe4e05ac291f73895c535045
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-MailFrom: pONy4THS@protonmail.com
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation
Message-ID-Hash: BX6NIWLUUQBH4RZOQFDRX4XI66COPT3K
X-Message-ID-Hash: BX6NIWLUUQBH4RZOQFDRX4XI66COPT3K
X-Mailman-Approved-At: Sun, 02 Feb 2025 20:58:03 +0100
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/BD40k8OG-5BpMWJgJn-GLY9qNZqrSUJCl3S0x2c_1cnn4DUl6azPh8w_Iiw6lIcT0BjV1T61XTalZM9rDhMT50kntShD8Jfcnj6AFjyHMuM=@protonmail.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/BX6NIWLUUQBH4RZOQFDRX4XI66COPT3K/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Fedora 41, without "allow pasta_t unconfined_t:dir read" /usr/bin/pasta =
can't open /proc/[pid]/ns , which is required by pasta_netns_quit_init() .
This patch also remove one duplicate rule "allow pasta_t nsfs_t:file read;"=
 , "allow pasta_t nsfs_t:file { open read };" at line 123 is enough.

---
 contrib/selinux/pasta.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 69be081..d0ff0cc 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -171,7 +171,7 @@ allow pasta_t init_t:lnk_file read;
 allow pasta_t init_t:unix_stream_socket connectto;
 allow pasta_t init_t:dbus send_msg;
 allow pasta_t init_t:system status;
-allow pasta_t unconfined_t:dir search;
+allow pasta_t unconfined_t:dir { read search };
 allow pasta_t unconfined_t:file read;
 allow pasta_t unconfined_t:lnk_file read;
 allow pasta_t self:process { setpgid setcap };
@@ -192,8 +192,6 @@ allow pasta_t sysctl_net_t:dir search;
 allow pasta_t sysctl_net_t:file { open read write };
 allow pasta_t kernel_t:system module_request;
=20
-allow pasta_t nsfs_t:file read;
-
 allow pasta_t proc_t:dir mounton;
 allow pasta_t proc_t:filesystem mount;
 allow pasta_t net_conf_t:lnk_file read;
--=20