On Tue, 5 Aug 2025 13:43:24 +0200, Cathy Hu wrote:
From: Cathy Hu
pasta accesses /etc/resolv.conf, which needs search permissions
Addresses:
----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----

Thanks for the patch! I wonder a bit why, at least on current Fedora, I'm not getting these warnings, but surely sysnet_read_config() is the right way to do this, I didn't know about it.

It looks like passt(1) (the thing for VMs) and passt.te would have the same problem, at least on openSUSE / SLES.

Would you mind updating your patch to also convert passt.te to sysnet_read_config(passt_t), assuming it makes sense?

--
Stefano