On Wed, Aug 16, 2023 at 08:00:37AM +0200, Stefano Brivio wrote:This is needed to monitor filesystem-bound namespaces and quit when they're gone -- this feature never really worked with SELinux. Fixes: 745a9ba4284c ("pasta: By default, quit if filesystem-bound net namespace goes away") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/selinux/pasta.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index b3ddc6a..31e82dc 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search; allow pasta_t sysctl_net_t:file { open write }; allow pasta_t kernel_t:system module_request; +allow pasta_t nsfs_t:file read; + allow pasta_t net_conf_t:lnk_file read; allow pasta_t proc_net_t:lnk_file read;Acked-by: Richard W.M. Jones <rjones(a)redhat.com> -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
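Review bot: The new rule `+allow pasta_t nsfs_t:file read;` grants only `read` on nsfs_t files, but the commit message does not say which call drives the monitoring of the filesystem-bound namespace, so it is hard to confirm from the hunk alone that `read` is the complete and minimal permission set. If the check stats the bound namespace file to detect that it has gone away, `getattr` would also be needed; if it is an inotify watch, `read` is the right permission. Suggest stating the mechanism in the commit message and, since the message says the feature "never really worked with SELinux", quoting the AVC denial from audit.log (the denied permission and target context) so reviewers can verify that nsfs_t:file read is exactly what was being refused and nothing broader is being opened up. The blank `+` line keeping the nsfs_t rule separate from the lnk_file rules below it matches the surrounding layout and is fine.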