On Wed, Aug 16, 2023 at 08:00:33AM +0200, Stefano Brivio wrote:

There's no reason to use wildcards, and we don't want any similarly-named binary (not that I'm aware of any) to risk being associated to passt_exec_t and pasta_exec_t by accident.

Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>

--- contrib/selinux/passt.fc | 3 ++- contrib/selinux/pasta.fc | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc index fb5b5d4..09bcaab 100644 --- a/contrib/selinux/passt.fc +++ b/contrib/selinux/passt.fc @@ -8,5 +8,6 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio <sbrivio(a)redhat.com> -/usr/bin/passt(\.*)? system_u:object_r:passt_exec_t:s0 +/usr/bin/passt system_u:object_r:passt_exec_t:s0 +/usr/bin/passt.avx2 system_u:object_r:passt_exec_t:s0 /tmp/passt\.pcap system_u:object_r:passt_log_t:s0 diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 2ffb41a..41ee46d 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,6 +8,7 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio <sbrivio(a)redhat.com> -/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 /tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0

Obviously better, so:

Reviewed-by: Richard W.M. Jones <rjones(a)redhat.com>

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live
CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
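
Review bot: in the contrib/selinux/passt.fc hunk, the added "/usr/bin/passt.avx2" entry leaves the dot unescaped, and file context path specifications are regular expressions, so the dot matches any single character rather than a literal ".". The unchanged context line in the same hunk already escapes it ("/tmp/passt\.pcap"). Since the stated goal is that no similarly-named binary picks up passt_exec_t by accident, suggest writing the entry as "/usr/bin/passt\.avx2".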
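
Review bot: in the contrib/selinux/pasta.fc hunk, the removed pattern "/usr/bin/pasta(\.*)?" only allows a run of literal dots after "pasta", so it never matched a ".avx2" suffix; the added "/usr/bin/pasta.avx2" line therefore extends pasta_exec_t to a path the old entry did not cover, which the commit message does not mention. Suggest noting that in the message, and escaping the dot here as well ("/usr/bin/pasta\.avx2"), consistent with "/tmp/pasta\.pcap" and "/var/run/pasta\.pid" in the context lines.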