This series addresses a number of issues or inconveniences shown by further testing against libvirt, essentially a 9.1.0 version patched up to fix the current breakage by starting passt in the "passt_t" domain.

Stefano Brivio (4):
  contrib/selinux: Drop duplicate init_daemon_domain() rule
  contrib/selinux: Let passt write to stdout and stderr when it starts
  contrib/selinux: Allow binding and connecting to all UDP and TCP ports
  contrib/selinux: Let interface users set paths for log, PID, socket files

 contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
 contrib/selinux/passt.te | 29 ++++++++++++++++-------------
 2 files changed, 41 insertions(+), 14 deletions(-)

-- 
2.39.2
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/selinux/passt.te | 1 - 1 file changed, 1 deletion(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 7fa4fb9..593b346 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -57,7 +57,6 @@ type passt_t; domain_type(passt_t); type passt_exec_t; files_type(passt_exec_t); -init_daemon_domain(passt_t, passt_exec_t) type passt_log_t; logging_log_file(passt_log_t); type passt_etc_t; -- 2.39.2
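Review bot: the removed `init_daemon_domain(passt_t, passt_exec_t)` is the copy sitting between `files_type(passt_exec_t);` and `type passt_log_t;`, but the surviving copy is not visible in this hunk, so a reviewer cannot confirm from the patch alone that no rule is lost. The commit body is empty; one sentence saying that the remaining call is the one following `allow unconfined_t passt_t : process transition ;` later in the same file (it shows up as context in the next patch) and that the generated rules are therefore unchanged would make this trivially verifiable.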
Otherwise, it's unusable as stand-alone tool, or in foreground mode, and it's also impossible to get output from --help or --version, because for SELinux it's just a daemon. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/selinux/passt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 593b346..6cd61f1 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -72,6 +72,7 @@ type_transition unconfined_t passt_exec_t : process passt_t; allow unconfined_t passt_t : process transition ; init_daemon_domain(passt_t, passt_exec_t) +term_use_all_inherited_terms(passt_t) allow passt_t bin_t:file { execute execute_no_trans map }; allow passt_t user_home_dir_t:dir { search add_name write }; -- 2.39.2
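Review bot: `term_use_all_inherited_terms(passt_t)` grants access to every inherited terminal type known to the policy, which is wider than the stated need (the terminal passt was started from, for foreground mode and --help/--version). If the policy being built against offers a narrower interface limited to user terminals (userdom_use_inherited_user_terminals, if it is available there), prefer it; otherwise the commit message should say why the all-terminals variant was chosen. It is also worth noting in the message that when libvirt starts passt as a daemon the inherited descriptors are not terminals, so this rule only matters for interactive use.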
Laine reports that with a simple: <portForward proto='tcp'> <range start='2022' to='22'/> </portForward> in libvirt's domain XML, passt won't start as it fails to bind arbitrary ports. That was actually the intention behind passt_port_t: the user or system administrator should have explicitly configured allowed ports on a given machine. But it's probably not realistic, so just allow any port to be bound and forwarded. Also fix up some missing operations on sockets. Reported-by: Laine Stump <laine(a)redhat.com> Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/selinux/passt.te | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 6cd61f1..438155d 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -62,9 +62,6 @@ logging_log_file(passt_log_t); type passt_etc_t; files_config_file(passt_etc_t); -type passt_port_t; -typeattribute passt_port_t port_type; - role unconfined_r types passt_t; allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 
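Review bot: dropping `type passt_port_t;` and `typeattribute passt_port_t port_type;` invalidates any port labels an administrator assigned to that type with `semanage port` under the earlier module; rebuilding the policy on such a system may then fail because the local port customisations reference a type that no longer exists. The commit message should tell administrators to remove those labels before upgrading the module, and since the description presents passt_port_t as the intended per-machine port-policy mechanism, state explicitly that the mechanism is being removed rather than made optional.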
@@ -100,16 +97,22 @@ allow passt_t net_conf_t:lnk_file read; allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; -allow passt_t self:tcp_socket create_stream_socket_perms; -corenet_tcp_sendrecv_generic_node(passt_t) -corenet_tcp_bind_generic_node(passt_t) -allow passt_t passt_port_t:tcp_socket { name_bind name_connect }; -allow passt_t http_port_t:tcp_socket { name_bind name_connect }; -allow passt_t self:udp_socket create_stream_socket_perms; -corenet_udp_sendrecv_generic_node(passt_t) -corenet_udp_bind_generic_node(passt_t) -allow passt_t passt_port_t:udp_socket { name_bind }; +corenet_tcp_bind_all_nodes(passt_t) +corenet_udp_bind_all_nodes(passt_t) + +corenet_tcp_bind_all_ports(passt_t) +corenet_udp_bind_all_ports(passt_t) + +corenet_tcp_connect_all_ports(passt_t) + +corenet_tcp_sendrecv_all_ports(passt_t) +corenet_udp_sendrecv_all_ports(passt_t) + allow passt_t node_t:icmp_socket { name_bind node_bind }; +allow passt_t port_t:icmp_socket name_bind; + +allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write }; +allow passt_t self:udp_socket { create getopt setopt connect bind read write }; allow passt_t self:icmp_socket { bind create setopt read write }; allow passt_t user_tmp_t:dir { add_name write }; -- 2.39.2
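Review bot: the replacement `allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };` is narrower than the `create_stream_socket_perms` set it replaces, which also carries ioctl, getattr, setattr and append, so despite "fix up some missing operations on sockets" this hunk removes socket permissions; getsockname()/getpeername() are checked as getattr and any socket ioctl as ioctl, so either keep the macro or verify under enforcing mode (ausearch -m AVC -c passt) that passt_t never hits those. The same applies to the new udp_socket line. Separately, `corenet_tcp_bind_all_ports`, `corenet_udp_bind_all_ports` and `corenet_tcp_connect_all_ports` remove port-level confinement of passt_t entirely; if the per-port restriction described in the commit message is still wanted for some deployments, placing these calls in a `tunable_policy` block behind a boolean keeps the previous behaviour selectable at runtime without a policy rebuild.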
Even libvirt itself will configure passt to write log, PID and socket files to different locations depending on whether the domain is started as root (/var/log/libvirt/...) or as a regular user (/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the latter. Create interfaces for log and PID files, so that callers can specify different file contexts for those, and modify the interface for the UNIX socket file to allow different paths as well. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/selinux/passt.if | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if index 893395b..6a6105c 100644 --- a/contrib/selinux/passt.if +++ b/contrib/selinux/passt.if @@ -30,8 +30,32 @@ interface(`passt_socket',` type passt_t; ') - allow $1 user_tmp_t:sock_file write; + allow $1 $2:sock_file write; allow $1 passt_t:unix_stream_socket connectto; + + allow passt_t $2:sock_file { create read write unlink }; +') + +interface(`passt_logfile',` + gen_require(` + type passt_t; + ') + + logging_log_file($1); + allow passt_t $1:dir { search write add_name }; + allow passt_t $1:file { create open read write }; +') + +interface(`passt_pidfile',` + gen_require(` + type passt_t; + ') + + allow $1 $2:file { open read unlink }; + + files_pid_file($2); + allow passt_t $2:dir { search write add_name }; + allow passt_t $2:file { create open write }; ') interface(`passt_kill',` -- 2.39.2
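Review bot: the three interfaces take their arguments in different orders: `passt_socket` and `passt_pidfile` take the caller domain as $1 and the file type as $2, while `passt_logfile` takes only the file type as $1 and grants the caller nothing. None of the new interfaces carry the `## <summary>` and `## <param>` doc comments that refpolicy-style .if files use, so a caller cannot learn this from the file; add them (they also feed the interface documentation build). On the rules themselves: `allow passt_t $1:file { create open read write };` in `passt_logfile` lacks `append`, which SELinux checks instead of `write` when a file is opened with O_APPEND, so confirm how passt opens its log file; and `passt_pidfile` gives the caller `{ open read unlink }` but not `getattr`, which a stat() of the PID file before reading it would require.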
On 3/6/23 6:28 PM, Stefano Brivio wrote:
> This series addresses a number of issues or inconveniences shown by further testing against libvirt, essentially a 9.1.0 version patched up to fix the current breakage by starting passt in the "passt_t" domain.
>
> Stefano Brivio (4):
>   contrib/selinux: Drop duplicate init_daemon_domain() rule
>   contrib/selinux: Let passt write to stdout and stderr when it starts
>   contrib/selinux: Allow binding and connecting to all UDP and TCP ports
>   contrib/selinux: Let interface users set paths for log, PID, socket files
>
>  contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
>  contrib/selinux/passt.te | 29 ++++++++++++++++-------------
>  2 files changed, 41 insertions(+), 14 deletions(-)

Tested-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)redhat.com>

(for what it's worth) I was going to send this along with a link to my latest libvirt patches that properly set the selinux context for passt when it is run, but am having trouble with my sendmail setup so I haven't yet been able to post them :-/