On Tue, 5 Aug 2025 15:19:26 +0200
Cathy Hu
From: Cathy Hu
pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in Fedora (which uses systemd-resolved)
Ah, I get it now, thanks for the explanation.
this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta
Addresses:
----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
---
 contrib/selinux/passt.te | 4 ++--
 contrib/selinux/pasta.te | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
Applied, welcome to the git log! -- Stefano
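
The three denials quoted in the commit message differ only in pid and timestamp. As an added example (not part of the patch or of the passt project), this Python script parses ausearch-style AVC records and collapses them by source type, target type, class and permission; the function names are assumptions, and the sample records are the ones quoted in this thread.

```python
import re
from collections import Counter

# AVC records as quoted in the commit message in this thread (ausearch output).
SAMPLE = """\
----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # An SELinux context is user:role:type:level, so the type is field 3.
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Count denials per (source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source"], rec["target"], rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

All three records reduce to a single denial: pasta_t lacking search on a net_conf_t directory.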