From: Cathy Hu pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in fedora (which uses systemd-resolved) this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta Adresses: ---- time->Fri Jul 25 15:57:16 2025 type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 15:58:10 2025 type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 16:01:53 2025 type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 --- contrib/selinux/passt.te | 4 ++-- contrib/selinux/pasta.te | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index eb9ce72..6995df8 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -110,8 +110,6 @@ allow passt_t self:user_namespace create; auth_read_passwd(passt_t) allow passt_t proc_net_t:file read; -allow passt_t net_conf_t:file { open read }; -allow passt_t net_conf_t:lnk_file read; allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; kernel_search_network_sysctl(passt_t) @@ -129,6 +127,8 @@ corenet_tcp_connect_all_ports(passt_t) corenet_tcp_sendrecv_all_ports(passt_t) corenet_udp_sendrecv_all_ports(passt_t) +sysnet_read_config(passt_t) + allow passt_t node_t:icmp_socket { name_bind node_bind }; allow passt_t port_t:icmp_socket name_bind; diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 9440d05..c0a1e9b 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -159,10 +159,11 @@ logging_send_syslog_msg(pasta_t) allow syslogd_t self:cap_userns sys_ptrace; allow pasta_t proc_net_t:file { open read }; -allow pasta_t net_conf_t:file { open read }; allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write }; kernel_search_network_sysctl(pasta_t) +sysnet_read_config(pasta_t) + allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; @@ -221,7 +222,6 @@ allow pasta_t kernel_t:system module_request; allow pasta_t proc_t:dir mounton; allow pasta_t proc_t:filesystem mount; -allow pasta_t net_conf_t:lnk_file read; allow pasta_t proc_net_t:lnk_file read; allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh }; -- 2.50.1