On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> Allow access to user_devpts.
>
> $ pasta --version
> pasta 0^20240510.g7288448-1.fc40.x86_64
> ...
> $ awk '' < /dev/null
> $ pasta --version
> $
>
> While this might be an awk bug it appears pasta should still have access
> to devpts.

It's not clear to me why pasta would need any access to /dev/pts. The
shell that pasta spawns does, of course, but it should already live in
a different security context.

> --- > contrib/selinux/pasta.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te > index 0ceda06..4e36c3f 100644 > --- a/contrib/selinux/pasta.te > +++ b/contrib/selinux/pasta.te > @@ -211,3 +211,4 @@ allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh }; > allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; > allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; > allow pasta_t user_tty_device_t:chr_file { append read write }; > +allow pasta_t user_devpts_t:chr_file { append read write };

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
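
Review bot: the added rule `allow pasta_t user_devpts_t:chr_file { append read write };` gives the pasta_t domain itself `read` as well as `append` and `write` on user pty devices, but the commit message shows only a symptom (`pasta --version` printing nothing after `awk '' < /dev/null`) and no denial record naming the access that was refused. Please quote the AVC denial in the commit message so it is clear that the source context is pasta_t and not the domain of the spawned shell, and grant only the permissions that denial lists; if the only blocked operation is writing version output to an inherited pty, `read` looks unnecessary here. A short comment above the rule saying why pasta_t touches the pty would also help, since the `user_tty_device_t` line it copies carries no rationale either.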