Hi Stefano,

On Thu, 2025-05-15 at 17:55 +0200, Stefano Brivio wrote:
Instead of these three "unsorted" rules:
+allow pasta_t container_runtime_t:fifo_file write;
...as I mentioned, changing this to:
allow pasta_t container_runtime_t:fifo_file { write getattr };
fixes the remaining warning. And I think it should be "grouped" together with the TCP socket stuff above, that is, just after:
corenet_tcp_bind_generic_node(pasta_t)
because it's something we need for (loopback) TCP connections, together with TCP sockets.
Done.
+allow pasta_t self:cap_userns { setgid setuid };
Strictly speaking, this part shouldn't be needed, see points 7. and c. at:
https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
...unfortunately, I never got any feedback about those and I haven't found the time to fix this in kernel either, so, sure, let's keep this rule to avoid noise. We could group this together with capabilities stuff, that is, just after:
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
(but separated, so that we can drop them without code churn) and maybe add a comment referencing:
https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
and the fact that setuid() and setgid() are always called with the current UID and GID in the detached user namespace.
If the denial is harmless (as mentioned in the bug), why not make it "dontaudit"? I've tested it out and it seems to work fine for me.
+allow pasta_t tmpfs_t:filesystem getattr;
This is needed regardless of Podman, getattr was simply missing from:
allow pasta_t tmpfs_t:filesystem mount;
so I would rather add it there, together with mount.
Done.
+# Allow pasta to bind to any port +bool pasta_allow_bind_any_port true; +if (pasta_allow_bind_any_port) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +}
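Review bot: `pasta_allow_bind_any_port` is declared with a default of `true`, so the `if` block is active out of the box and the tunable only restricts anything once an administrator flips it; if the intent is an opt-in relaxation (the usual shape of the `*_bind_all_*` booleans this is being renamed to match), default it to `false` and say in the comment which Podman use case needs it. Whichever default is chosen, the comment above the boolean should state it, since `# Allow pasta to bind to any port` reads as an unconditional grant.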
I renamed this to "pasta_bind_all_ports" since that better matches the preexisting booleans "git_session_bind_all_unreserved_ports", "mozilla_plugin_bind_unreserved_ports", and "tor_bind_all_unreserved_ports".
-/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
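Review bot: the four removed and re-added `pasta` entries have identical content and differ only in whitespace (the reply below explains this is a tab cleanup), which buries the functional change, the two new `/run/user/%{USERID}/...` entries labelled `ifconfig_var_run_t`; consider splitting the whitespace fix into its own commit so the substantive addition is visible at a glance. As the reply also notes, existing `/run/user` paths keep their old label until relabelled, so the packaging side needs a `restorecon` (or equivalent) for the new entries to take effect on upgrade.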
I also corrected the whitespace here to use tabs (instead of the awful tab-space mix that I accidentally used). Also, when this commit is eventually packaged, you'll need to run restorecon on /run/; otherwise you won't be able to start any containers until you log out and back in. I think that %selinux_relabel_post should handle this, but I'm not sure if it excludes /run/ or not.

Thanks,
-- Max

Max Chernoff (1):
  selinux: Transition to pasta_t in containers

 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 5 deletions(-)

-- 
2.49.0