Date: Wed, 17 Sep 2025 17:54:24 +0200
Subject: Re: [PATCH 1/2] selinux: add container_var_run_t type transition
From: Paul Holzinger
To: Stefano Brivio
CC: passt-dev@passt.top, Max Chernoff, Giuseppe Scrivano, Lokesh Mandvekar, Dan Walsh
References: <20250917120450.36181-2-pholzing@redhat.com> <20250917170516.35ea2a5e@elisabeth>
In-Reply-To: <20250917170516.35ea2a5e@elisabeth>
List-Id: Development discussion and patches for passt

On 17/09/2025 17:05, Stefano Brivio wrote:
> On Wed, 17 Sep 2025 14:04:50 +0200
> Paul Holzinger wrote:
>
>> In some cases the podman runroot directory used to be labelled
>> container_var_run_t instead of user_tmp_t which was expected here.
>> Starting with a recent container-selinux change the runroot is now
>> always container_var_run_t so make the policy handle both types to allow
>> for a better upgrade path where passt-selinux and container-selinux are
>> not updated at the same time.
>>
>> Link: https://github.com/containers/container-selinux/pull/405
> Even if I just proposed a revert for this one:
>
> https://github.com/containers/container-selinux/pull/405
>
>> Link: https://github.com/containers/podman/issues/26473
> it's still good to have this other issue fixed.
Even though I'm not > sure adding more and more labels to pasta's policy is the way to go, > Podman issue #26473 has been open for way too long, so let's be > pragmatic here at the slight expense of keeping profiles tight. > > Just a couple of nits (I can fix it all up on merge if you're fine with > it, no need to re-post): yes please fix them, just note the one comment on the different link below > >> Signed-off-by: Paul Holzinger >> --- >> contrib/selinux/pasta.te | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te >> index c0a1e9b..24e58c8 100644 >> --- a/contrib/selinux/pasta.te >> +++ b/contrib/selinux/pasta.te >> @@ -96,6 +96,7 @@ require { >> role staff_r; >> role user_r; >> type container_runtime_t; >> + type container_var_run_t; >> type container_t; >> type systemd_user_runtimedir_t; >> } 
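Review bot: the new `type container_var_run_t;` entry in the require block makes the pasta module fail to load on any host whose installed container-selinux does not define that type, so for the upgrade path the commit message describes (passt-selinux and container-selinux updated at different times) the message should state that container_var_run_t is defined by every container-selinux version the policy is expected to load against; otherwise the older side of that path breaks at module load rather than at runtime.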
>> @@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t; >> allow container_runtime_t pasta_t:process transition; >> >> # Label the user network namespace files >> +# Note podman files used to be user_tmp_t but now are container_var_run_t since > s/podman/Podman/ > >> +# https://github.com/containers/container-selinux/issues/404. > I'd drop the . at the end because some URL parsers might miss the fact > that it's not part of the URL, and require additional intervention once > you press enter / click on the link. Sure, but actually that should link https://github.com/containers/container-selinux/pull/405 instead. The issue doesn't really have a meaningful context for pasta. > >> type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; >> +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; >> type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; >> +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; >> allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; >> allow pasta_t ifconfig_var_run_t:file { create open write }; >> allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir; -- Paul Holzinger
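Review bot: the comment line `+# https://github.com/containers/container-selinux/issues/404.` should point at https://github.com/containers/container-selinux/pull/405, as the author agrees in the thread, and should lose the trailing period so URL parsers do not fold it into the link; `podman` in the preceding comment line should read `Podman`. With that fixed the rules themselves look right: the two added type_transition lines mirror the existing user_tmp_t ones, so the name-based transitions for "netns" and "rootless-netns" fire whichever of the two parent labels the runroot carries, and no new allow rules are needed because pasta_t's permissions are already granted on the resulting ifconfig_var_run_t label rather than on the parent directory type.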