The most important fix here is actually the one that allows pasta and
passt to create user namespaces (and hence, to start -- we need that
for sandboxing) with recent kernels on e.g. Fedora Rawhide -- that's
patch 3/7.
But there are a number of other issues, some old, some new, that would
currently prevent pasta from e.g. starting a shell, or simply run
'ip address show', again at least on Fedora Rawhide. Fix them.
Stefano Brivio (7):
fedora: Install pasta as hard link to ensure SELinux file context
match
selinux: Use explicit paths for binaries in file context
selinux: Fix user namespace creation after breaking kernel change
selinux: Update policy to fix user/group settings
selinux: Add rules for sysctl and /proc/net accesses
selinux: Allow pasta_t to read nsfs entries
selinux: Fix domain transitions for typical commands pasta might run
contrib/fedora/passt.spec | 4 ++++
contrib/selinux/passt.fc | 3 ++-
contrib/selinux/passt.te | 10 ++++++++--
contrib/selinux/pasta.fc | 3 ++-
contrib/selinux/pasta.te | 33 ++++++++++++++++++++++++++++++---
5 files changed, 46 insertions(+), 7 deletions(-)
--
2.39.2