[PATCH 0/1] selinux: Transition to pasta_t in containers

newer
conf: flush stdout before early...

older
[PATCH] Correct various function...

Max Chernoff

14 May 2025 14 May '25

12:44 p.m.

Hi, Currently, pasta runs in the container_runtime_exec_t context when running in a container. This commit updates the SELinux policy so that pasta instead runs in the pasta_t context. I'm more familiar with CIL, so I initially developed the modified policy in CIL, and then later ported it to the kernel policy language. My original CIL source is available here: https://github.com/gucci-on-fleek/maxchernoff.ca/blob/master/etc/selinux/loc... I've tested this on Fedora 42 with rootless Podman, with both unconfined (unconfined_u) and confined (user_u) users, and with both TCP and UDP. I've never actually used the email workflow for Git before, so please let me know if I've done something wrong. Thanks, -- Max Max Chernoff (1): selinux: Transition to pasta_t in containers contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 4 deletions(-) -- 2.49.0

Show replies by date

Max Chernoff

14 May 14 May

12:44 p.m.

New subject: [PATCH 1/1] selinux: Transition to pasta_t in containers

Stefano Brivio

15 May 15 May

3:40 p.m.

New subject: [PATCH 1/1] selinux: Transition to pasta_t in containers

On Wed, 14 May 2025 04:44:12 -0600 Max Chernoff wrote:

...

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff

Thanks, I think that with your patch we're almost there. (!) I ran Podman tests covering pasta on Fedora Rawhide, with the updated profile (that is, 'bats test/system/505-networking-pasta.bats' from a Podman tree) and it looks like there are a couple of minor things missing, though. Tests pass, but on a number of tests I'm getting these in the audit log: type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0 type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0 type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0 The 'ss' thing is unrelated, and might be something to add to container-selinux, perhaps. I'm not really sure if containers should reasonably be able to access netlink_tcpdiag_socket. The getattr on pipes, though, is pasta trying to read out attributes of pipes that are used for loopback connections, that is, the path represented here (orange square on top) as "tap bypass": https://passt.top/#pasta-pack-a-subtle-tap-abstraction if those fail, by the way, things still work (I guess it's just what we do to probe / tune the size of the pipes). A summary from audit2allow: #============= container_t ============== #!!!! This avc can be allowed using the boolean 'virt_sandbox_use_netlink' allow container_t self:netlink_tcpdiag_socket nlmsg_read; #============= pasta_t ============== allow pasta_t container_runtime_t:fifo_file getattr; I plan to try again later (probably in a few hours) to add what's missing (it could very well be just this rule) and get back to you. Of course, if you manage to fix / re-test meanwhile, before I get to it, feel free to re-post this. -- Stefano

Stefano Brivio

5:55 p.m.

New subject: [PATCH 1/1] selinux: Transition to pasta_t in containers

On Thu, 15 May 2025 15:40:35 +0200 Stefano Brivio wrote:

...

On Wed, 14 May 2025 04:44:12 -0600 Max Chernoff wrote:

...
Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff

Thanks, I think that with your patch we're almost there. (!)

I ran Podman tests covering pasta on Fedora Rawhide, with the updated profile (that is, 'bats test/system/505-networking-pasta.bats' from a Podman tree) and it looks like there are a couple of minor things missing, though.

Tests pass, but on a number of tests I'm getting these in the audit log:

type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0 type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0 type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

The 'ss' thing is unrelated, and might be something to add to container-selinux, perhaps. I'm not really sure if containers should reasonably be able to access netlink_tcpdiag_socket.

The getattr on pipes, though, is pasta trying to read out attributes of pipes that are used for loopback connections, that is, the path represented here (orange square on top) as "tap bypass":

https://passt.top/#pasta-pack-a-subtle-tap-abstraction

if those fail, by the way, things still work (I guess it's just what we do to probe / tune the size of the pipes).

A summary from audit2allow:

#============= container_t ==============

#!!!! This avc can be allowed using the boolean 'virt_sandbox_use_netlink' allow container_t self:netlink_tcpdiag_socket nlmsg_read;

#============= pasta_t ============== allow pasta_t container_runtime_t:fifo_file getattr;

I plan to try again later (probably in a few hours) to add what's missing (it could very well be just this rule) and get back to you. Of course, if you manage to fix / re-test meanwhile, before I get to it, feel free to re-post this.

Yes, adding getattr on fifo_file makes the tests pass without any SELinux warning. Full review of your patch:

...

diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 41ee46d..3be7789 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,7 +8,9 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio

-/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 89c8043..e97fd88 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -89,6 +89,13 @@ require { class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; + + # Container requires + attribute_role usernetctl_roles; + role container_user_r; + role staff_r; + role user_r; + type container_runtime_t; }

type pasta_t; @@ -213,3 +220,32 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; allow pasta_t user_devpts_t:chr_file { append read write }; + +# Allow network administration commands for non-privileged users +roleattribute container_user_r usernetctl_roles; +roleattribute staff_r usernetctl_roles; +roleattribute user_r usernetctl_roles; +role usernetctl_roles types pasta_t; + +# Make pasta in a container run under the pasta_t context +type_transition container_runtime_t pasta_exec_t : process pasta_t; +allow container_runtime_t pasta_t:process transition; + +# Label the user network namespace files +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t ifconfig_var_run_t:file { create open write }; + +# From audit2allow

Instead of these three "unsorted" rules:

...

+allow pasta_t container_runtime_t:fifo_file write;

...as I mentioned, changing this to: allow pasta_t container_runtime_t:fifo_file { write getattr }; fixes the remaining warning. And I think it should be "grouped" together with the TCP socket stuff above, that is, just after: corenet_tcp_bind_generic_node(pasta_t) because it's something we need for (loopback) TCP connections, together with TCP sockets.

...

+allow pasta_t self:cap_userns { setgid setuid };

Strictly speaking, this part shouldn't be needed, see points 7. and c. at: https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 ...unfortunately, I never got any feedback about those and I haven't found the time to fix this in kernel either, so, sure, let's keep this rule to avoid noise. We could group this together with capabilities stuff, that is, just after: allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; (but separated, so that we can drop them without code churn) and maybe add a comment referencing: https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 and the fact that setuid() and setgid() are always called with the current UID and GID in the detached user namespace.

...

+allow pasta_t tmpfs_t:filesystem getattr;

This is needed regardless of Podman, getattr was simply missing from: allow pasta_t tmpfs_t:filesystem mount; so I would rather add it there, together with mount.

...

+ +# Allow pasta to bind to any port +bool pasta_allow_bind_any_port true; +if (pasta_allow_bind_any_port) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +}

Everything else looks good to me! If you want to re-post this, you can give --subject-prefix="PATCH v2" to git format-email. -- Stefano

Stefano Brivio

14 May 14 May

2:26 p.m.

On Wed, 14 May 2025 04:44:11 -0600 Max Chernoff wrote:

...

Hi,

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This commit updates the SELinux policy so that pasta instead runs in the pasta_t context.

I'm more familiar with CIL, so I initially developed the modified policy in CIL, and then later ported it to the kernel policy language. My original CIL source is available here:

https://github.com/gucci-on-fleek/maxchernoff.ca/blob/master/etc/selinux/loc...

I've tested this on Fedora 42 with rootless Podman, with both unconfined (unconfined_u) and confined (user_u) users, and with both TCP and UDP.

I've never actually used the email workflow for Git before, so please let me know if I've done something wrong.

Thanks a lot! Nothing wrong workflow-wise, I'll look at your patch in a bit. I have to admit I hadn't thought of using 'type_transition' directly in pasta's policy, as opposed to having that in selinux-container, but it actually makes sense and it's nice to have everything managed here. -- Stefano

Max Chernoff

16 May 16 May

7:11 a.m.

New subject: [PATCH v2 0/1] selinux: Transition to pasta_t in containers

Hi Stefano, On Thu, 2025-05-15 at 17:55 +0200, Stefano Brivio wrote:

...

Instead of these three "unsorted" rules:

...
+allow pasta_t container_runtime_t:fifo_file write;

...as I mentioned, changing this to:

allow pasta_t container_runtime_t:fifo_file { write getattr };

fixes the remaining warning. And I think it should be "grouped" together with the TCP socket stuff above, that is, just after:

corenet_tcp_bind_generic_node(pasta_t)

because it's something we need for (loopback) TCP connections, together with TCP sockets.

Done.

...

...
+allow pasta_t self:cap_userns { setgid setuid };

Strictly speaking, this part shouldn't be needed, see points 7. and c. at:

https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10

...unfortunately, I never got any feedback about those and I haven't found the time to fix this in kernel either, so, sure, let's keep this rule to avoid noise. We could group this together with capabilities stuff, that is, just after:

allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };

(but separated, so that we can drop them without code churn) and maybe add a comment referencing:

https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10

and the fact that setuid() and setgid() are always called with the current UID and GID in the detached user namespace.

If the denial is harmless (as mentioned in the bug), why not make it "dontaudit"? I've tested it out and it seems to work fine for me.

...

...
+allow pasta_t tmpfs_t:filesystem getattr;

This is needed regardless of Podman, getattr was simply missing from:

allow pasta_t tmpfs_t:filesystem mount;

so I would rather add it there, together with mount.

Done.

...

...
+# Allow pasta to bind to any port +bool pasta_allow_bind_any_port true; +if (pasta_allow_bind_any_port) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +}

I renamed this to "pasta_bind_all_ports" since that better matches the preexisting booleans "git_session_bind_all_unreserved_ports", "mozilla_plugin_bind_unreserved_ports", and "tor_bind_all_unreserved_ports".

...

...
-/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0

I also corrected the whitespace here to use tabs (instead of the awful tab-space mix that I accidentally used). Also, when this commit is eventually packaged, you'll need to run restorecon on /run/; otherwise you won't be able to start any containers until you log out and back in. I think that %selinux_relabel_post should handle this, but I'm not sure if it excludes /run/ or not. Thanks, -- Max Max Chernoff (1): selinux: Transition to pasta_t in containers contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 5 deletions(-) -- 2.49.0

Stefano Brivio

8:22 a.m.

New subject: [PATCH v2 0/1] selinux: Transition to pasta_t in containers

On Thu, 15 May 2025 23:11:02 -0600 Max Chernoff wrote:

...

Hi Stefano,

On Thu, 2025-05-15 at 17:55 +0200, Stefano Brivio wrote:

...
Instead of these three "unsorted" rules:

...
+allow pasta_t container_runtime_t:fifo_file write;

...as I mentioned, changing this to:

allow pasta_t container_runtime_t:fifo_file { write getattr };

fixes the remaining warning. And I think it should be "grouped" together with the TCP socket stuff above, that is, just after:

corenet_tcp_bind_generic_node(pasta_t)

because it's something we need for (loopback) TCP connections, together with TCP sockets.

Done.

...
...
+allow pasta_t self:cap_userns { setgid setuid };

Strictly speaking, this part shouldn't be needed, see points 7. and c. at:

https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10

...unfortunately, I never got any feedback about those and I haven't found the time to fix this in kernel either, so, sure, let's keep this rule to avoid noise. We could group this together with capabilities stuff, that is, just after:

allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };

(but separated, so that we can drop them without code churn) and maybe add a comment referencing:

https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10

and the fact that setuid() and setgid() are always called with the current UID and GID in the detached user namespace.

If the denial is harmless (as mentioned in the bug), why not make it "dontaudit"? I've tested it out and it seems to work fine for me.

Because it reminds me I should send a kernel fix every time I see it ;) but that's not a good reason to scare users, so I think your approach is valid.

...

...
...
+allow pasta_t tmpfs_t:filesystem getattr;

This is needed regardless of Podman, getattr was simply missing from:

allow pasta_t tmpfs_t:filesystem mount;

so I would rather add it there, together with mount.

Done.

...
...
+# Allow pasta to bind to any port +bool pasta_allow_bind_any_port true; +if (pasta_allow_bind_any_port) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +}

I renamed this to "pasta_bind_all_ports" since that better matches the preexisting booleans "git_session_bind_all_unreserved_ports", "mozilla_plugin_bind_unreserved_ports", and "tor_bind_all_unreserved_ports".

Ah, right, thanks for checking.

...

...
...
-/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0

I also corrected the whitespace here to use tabs (instead of the awful tab-space mix that I accidentally used).

Also, when this commit is eventually packaged, you'll need to run restorecon on /run/; otherwise you won't be able to start any containers until you log out and back in. I think that %selinux_relabel_post should handle this, but I'm not sure if it excludes /run/ or not.

Oops, thanks for mentioning that. I indeed ran restorecon -R /run manually to test your change, and I thought %selinux_relabel_post would indeed take care of it on upgrades. But it looks like it doesn't. I checked with /var/run/pasta.pid and the label doesn't get fixed. fixfiles(8) has a: find /var/run $ -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" $ -exec chcon --no-dereference --reference /var/run {} \; which shouldn't however affect this. I couldn't quite find out where the issue is. Worst case, I'll add an explicit restorecon(8) call in the spec file (feel free to propose a change for that too, of course...). -- Stefano

Max Chernoff

7:11 a.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context. Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff --- contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 5 deletions(-) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 41ee46d..e4aefc4 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,7 +8,9 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 89c8043..7bcb451 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -89,6 +89,13 @@ require { class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; + + # Container requires + attribute_role usernetctl_roles; + role container_user_r; + role staff_r; + role user_r; + type container_runtime_t; } type pasta_t; @@ -113,6 +120,9 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; +# pasta only calls setuid and setgid with the current UID and GID, so this +# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 +dontaudit pasta_t self:cap_userns { setgid setuid }; allow pasta_t self:user_namespace create; auth_read_passwd(pasta_t) @@ -130,7 +140,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr allow pasta_t user_home_dir_t:dir { search getattr open add_name read write }; allow pasta_t user_home_dir_t:file { create open read write }; allow pasta_t tmp_t:dir { add_name mounton remove_name write }; -allow pasta_t tmpfs_t:filesystem mount; +allow pasta_t tmpfs_t:filesystem { getattr mount }; allow pasta_t fs_t:filesystem unmount; allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) @@ -156,6 +166,7 @@ allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_node(pasta_t) corenet_tcp_bind_generic_node(pasta_t) +allow pasta_t container_runtime_t:fifo_file { getattr write }; allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect }; allow pasta_t pasta_port_t:udp_socket { name_bind }; allow pasta_t http_port_t:tcp_socket { name_bind name_connect }; @@ -213,3 +224,27 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; allow pasta_t user_devpts_t:chr_file { append read write }; + +# Allow network administration commands for non-privileged users +roleattribute container_user_r usernetctl_roles; +roleattribute staff_r usernetctl_roles; +roleattribute user_r usernetctl_roles; +role usernetctl_roles types pasta_t; + +# Make pasta in a container run under the pasta_t context +type_transition container_runtime_t pasta_exec_t : process pasta_t; +allow container_runtime_t pasta_t:process transition; + +# Label the user network namespace files +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t ifconfig_var_run_t:file { create open write }; + +# Allow pasta to bind to any port +bool pasta_bind_all_ports true; +if (pasta_bind_all_ports) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +} -- 2.49.0

Paul Holzinger

1:59 p.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

Hi, podman maintainer here. On 16/05/2025 07:11, Max Chernoff wrote:

...

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff --- contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 37 ++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 5 deletions(-)

So I did test this patch with podman's system and e2e test on podman v5.5.0 on fedora rawhide and I noticed one problem that caused some failures: podman build is broken with this policy. And I assume that means buildah would not work as well. The difference is that in the build case we do not pass a bind mounted namespace path under /run but rather /proc/$pid/ns/net as path to pasta. We get this error: pasta failed with exit code 1: Couldn't open network namespace /proc/360143/ns/net: Permission denied Logged avc: denied { search } for pid=360144 comm="pasta.avx2" name="360143" dev="proc" ino=2030208 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=0 The good news is that this the only problem I found.

...

diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 41ee46d..e4aefc4 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,7 +8,9 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio

-/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 89c8043..7bcb451 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -89,6 +89,13 @@ require { class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; + + # Container requires + attribute_role usernetctl_roles; + role container_user_r; + role staff_r; + role user_r; + type container_runtime_t; }

type pasta_t; @@ -113,6 +120,9 @@ init_daemon_domain(pasta_t, pasta_exec_t)

allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; +# pasta only calls setuid and setgid with the current UID and GID, so this +# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 +dontaudit pasta_t self:cap_userns { setgid setuid }; allow pasta_t self:user_namespace create;

auth_read_passwd(pasta_t) @@ -130,7 +140,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr allow pasta_t user_home_dir_t:dir { search getattr open add_name read write }; allow pasta_t user_home_dir_t:file { create open read write }; allow pasta_t tmp_t:dir { add_name mounton remove_name write }; -allow pasta_t tmpfs_t:filesystem mount; +allow pasta_t tmpfs_t:filesystem { getattr mount }; allow pasta_t fs_t:filesystem unmount; allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) @@ -156,6 +166,7 @@ allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_node(pasta_t) corenet_tcp_bind_generic_node(pasta_t) +allow pasta_t container_runtime_t:fifo_file { getattr write }; allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect }; allow pasta_t pasta_port_t:udp_socket { name_bind }; allow pasta_t http_port_t:tcp_socket { name_bind name_connect }; @@ -213,3 +224,27 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; allow pasta_t user_devpts_t:chr_file { append read write }; + +# Allow network administration commands for non-privileged users +roleattribute container_user_r usernetctl_roles; +roleattribute staff_r usernetctl_roles; +roleattribute user_r usernetctl_roles; +role usernetctl_roles types pasta_t; + +# Make pasta in a container run under the pasta_t context +type_transition container_runtime_t pasta_exec_t : process pasta_t; +allow container_runtime_t pasta_t:process transition; + +# Label the user network namespace files +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t ifconfig_var_run_t:file { create open write }; + +# Allow pasta to bind to any port +bool pasta_bind_all_ports true; +if (pasta_bind_all_ports) {

I am not familiar with the selinux stuff but if this is a boolean that users can configure should this be documented in the man page here?

...

+ allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +}

-- Paul Holzinger

Max Chernoff

2:22 p.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

Hi Paul, On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:

...

So I did test this patch with podman's system and e2e test on podman v5.5.0 on fedora rawhide and I noticed one problem that caused some failures:

podman build is broken with this policy. And I assume that means buildah would not work as well. The difference is that in the build case we do not pass a bind mounted namespace path under /run but rather /proc/$pid/ns/net as path to pasta. We get this error:

pasta failed with exit code 1: Couldn't open network namespace /proc/360143/ns/net: Permission denied

Logged avc: denied { search } for pid=360144 comm="pasta.avx2" name="360143" dev="proc" ino=2030208 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=0

Odd, it works for me: $ id -Z user_u:user_r:user_t:s0-s0:c0.c1023 $ podman --version podman version 5.4.2 $ pasta --version pasta 0^20250512.g8ec1341-1.fc42.x86_64 Copyright Red Hat GNU General Public License, version 2 or later https://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. $ cat Containerfile FROM registry.fedoraproject.org/fedora-minimal:42 RUN dnf install --assumeyes python3 $ podman build --no-cache --network=pasta . STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42 STEP 2/2: RUN dnf install --assumeyes python3 Updating and loading repositories: Fedora 42 - x86_64 - Updates 100% | 8.3 MiB/s | 6.8 MiB | 00m01s Fedora 42 openh264 (From Cisco) - x86_ 100% | 7.7 KiB/s | 6.0 KiB | 00m01s Fedora 42 - x86_64 100% | 12.3 MiB/s | 35.4 MiB | 00m03s Repositories loaded. Package Arch Version Repository Size Installing: python3 x86_64 3.13.3-2.fc42 updates 28.7 KiB Installing dependencies: expat x86_64 2.7.1-1.fc42 fedora 290.2 KiB libb2 x86_64 0.98.1-13.fc42 fedora 46.1 KiB libgomp x86_64 15.1.1-1.fc42 updates 538.5 KiB mpdecimal x86_64 4.0.1-1.fc42 updates 217.2 KiB python-pip-wheel noarch 24.3.1-2.fc42 fedora 1.2 MiB python3-libs x86_64 3.13.3-2.fc42 updates 39.9 MiB readline x86_64 8.2-13.fc42 fedora 485.0 KiB tzdata noarch 2025b-1.fc42 fedora 1.6 MiB Installing weak dependencies: python-unversioned-command noarch 3.13.3-2.fc42 updates 23.0 B Transaction Summary: Installing: 10 packages Total size of inbound packages is 12 MiB. Need to download 12 MiB. After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B). [ 1/10] python3-0:3.13.3-2.fc42.x86_64 100% | 109.6 KiB/s | 29.7 KiB | 00m00s [...] [12/12] Installing python-unversioned-c 100% | 9.6 KiB/s | 424.0 B | 00m00s Complete! COMMIT --> edfb5d3fee4c edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f $ ps auxZ | grep pasta # In another terminal while the above is running user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta . user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2 What are the SELinux contexts of the network namespaces? This is what I get: $ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net ls: cannot access '/run/user/959/netns': No such file or directory lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023 0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]' /run/user/959/containers/networks/rootless-netns: total 0 drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./ drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0 60 May 16 06:05 ../

...

I am not familiar with the selinux stuff but if this is a boolean that users can configure should this be documented in the man page here?

I guess more documentation is always a good thing, but most of the other container-related SELinux booleans seem to be undocumented: $ sudo semanage boolean --list | grep ^container_ container_connect_any (off , off) Determine whether container can connect to all TCP ports. container_manage_cgroup (on , on) Allow sandbox containers to manage cgroup (systemd) container_read_certs (off , off) Allow all container domains to read cert files and directories container_use_cephfs (off , off) Determine whether container can use ceph file system container_use_devices (off , off) Allow containers to use any device volume mounted into container container_use_dri_devices (on , on) Allow containers to use any dri device volume mounted into container container_use_ecryptfs (off , off) Determine whether container can use ecrypt file system container_use_xserver_devices (off , off) Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration container_user_exec_content (on , on) Allow container to user exec content $ man -wK container_connect_any No manual entry for container_connect_any $ man -wK container_manage_cgroup /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man7/podman-troubleshooting.7.gz $ man -wK container_read_certs No manual entry for container_read_certs $ man -wK container_use_cephfs No manual entry for container_use_cephfs $ man -wK container_use_devices /usr/share/man/man1/sesearch.1.gz /usr/share/man/man1/podman-pod-clone.1.gz /usr/share/man/man1/podman-pod-create.1.gz /usr/share/man/man1/podman-build.1.gz /usr/share/man/man1/podman-farm-build.1.gz /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man8/setsebool.8.gz $ man -wK container_user_exec_content No manual entry for container_user_exec_content I'll send a patch for the man pages tomorrow. Thanks, -- Max

Paul Holzinger

2:35 p.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

On 16/05/2025 14:22, Max Chernoff wrote:

...

Hi Paul,

On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:

...
So I did test this patch with podman's system and e2e test on podman v5.5.0 on fedora rawhide and I noticed one problem that caused some failures:

podman build is broken with this policy. And I assume that means buildah would not work as well. The difference is that in the build case we do not pass a bind mounted namespace path under /run but rather /proc/$pid/ns/net as path to pasta. We get this error:

pasta failed with exit code 1: Couldn't open network namespace /proc/360143/ns/net: Permission denied

Logged avc: denied { search } for pid=360144 comm="pasta.avx2" name="360143" dev="proc" ino=2030208 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=0 Odd, it works for me:

$ id -Z user_u:user_r:user_t:s0-s0:c0.c1023

$ podman --version podman version 5.4.2

$ pasta --version pasta 0^20250512.g8ec1341-1.fc42.x86_64 Copyright Red Hat GNU General Public License, version 2 or later https://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

$ cat Containerfile FROM registry.fedoraproject.org/fedora-minimal:42 RUN dnf install --assumeyes python3

$ podman build --no-cache --network=pasta . STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42 STEP 2/2: RUN dnf install --assumeyes python3 Updating and loading repositories: Fedora 42 - x86_64 - Updates 100% | 8.3 MiB/s | 6.8 MiB | 00m01s Fedora 42 openh264 (From Cisco) - x86_ 100% | 7.7 KiB/s | 6.0 KiB | 00m01s Fedora 42 - x86_64 100% | 12.3 MiB/s | 35.4 MiB | 00m03s Repositories loaded. Package Arch Version Repository Size Installing: python3 x86_64 3.13.3-2.fc42 updates 28.7 KiB Installing dependencies: expat x86_64 2.7.1-1.fc42 fedora 290.2 KiB libb2 x86_64 0.98.1-13.fc42 fedora 46.1 KiB libgomp x86_64 15.1.1-1.fc42 updates 538.5 KiB mpdecimal x86_64 4.0.1-1.fc42 updates 217.2 KiB python-pip-wheel noarch 24.3.1-2.fc42 fedora 1.2 MiB python3-libs x86_64 3.13.3-2.fc42 updates 39.9 MiB readline x86_64 8.2-13.fc42 fedora 485.0 KiB tzdata noarch 2025b-1.fc42 fedora 1.6 MiB Installing weak dependencies: python-unversioned-command noarch 3.13.3-2.fc42 updates 23.0 B

Transaction Summary: Installing: 10 packages

Total size of inbound packages is 12 MiB. Need to download 12 MiB. After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B). [ 1/10] python3-0:3.13.3-2.fc42.x86_64 100% | 109.6 KiB/s | 29.7 KiB | 00m00s [...] [12/12] Installing python-unversioned-c 100% | 9.6 KiB/s | 424.0 B | 00m00s Complete! COMMIT --> edfb5d3fee4c edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f

$ ps auxZ | grep pasta # In another terminal while the above is running user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta . user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2

What are the SELinux contexts of the network namespaces? This is what I get:

$ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net ls: cannot access '/run/user/959/netns': No such file or directory lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023 0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]'

It seems to be unconfined for me lrwxrwxrwx. 1 test test unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 08:32 /proc/self/ns/net -> 'net:[4026531840]'

...

/run/user/959/containers/networks/rootless-netns: total 0 drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./ drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0 60 May 16 06:05 ../

/run/user/1001/containers/networks/rootless-netns: total 0 drwx------. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:26 . drwx------. 4 test test unconfined_u:object_r:user_tmp_t:s0 120 May 16 06:26 .. /run/user/1001/netns: total 0 drwxr-xr-x. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 16 07:31 . drwx------. 9 test test unconfined_u:object_r:user_tmp_t:s0 200 May 16 06:19 ..

...

...
I am not familiar with the selinux stuff but if this is a boolean that users can configure should this be documented in the man page here? I guess more documentation is always a good thing, but most of the other container-related SELinux booleans seem to be undocumented:

$ sudo semanage boolean --list | grep ^container_ container_connect_any (off , off) Determine whether container can connect to all TCP ports. container_manage_cgroup (on , on) Allow sandbox containers to manage cgroup (systemd) container_read_certs (off , off) Allow all container domains to read cert files and directories container_use_cephfs (off , off) Determine whether container can use ceph file system container_use_devices (off , off) Allow containers to use any device volume mounted into container container_use_dri_devices (on , on) Allow containers to use any dri device volume mounted into container container_use_ecryptfs (off , off) Determine whether container can use ecrypt file system container_use_xserver_devices (off , off) Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration container_user_exec_content (on , on) Allow container to user exec content

$ man -wK container_connect_any No manual entry for container_connect_any

$ man -wK container_manage_cgroup /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man7/podman-troubleshooting.7.gz

$ man -wK container_read_certs No manual entry for container_read_certs

$ man -wK container_use_cephfs No manual entry for container_use_cephfs

$ man -wK container_use_devices /usr/share/man/man1/sesearch.1.gz /usr/share/man/man1/podman-pod-clone.1.gz /usr/share/man/man1/podman-pod-create.1.gz /usr/share/man/man1/podman-build.1.gz /usr/share/man/man1/podman-farm-build.1.gz /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man8/setsebool.8.gz

$ man -wK container_user_exec_content No manual entry for container_user_exec_content

I'll send a patch for the man pages tomorrow.

Thanks, -- Max

-- Paul Holzinger

Stefano Brivio

6:11 p.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

On Fri, 16 May 2025 14:35:14 +0200 Paul Holzinger wrote:

...

On 16/05/2025 14:22, Max Chernoff wrote:

...
Hi Paul,

On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:

...
So I did test this patch with podman's system and e2e test on podman v5.5.0 on fedora rawhide and I noticed one problem that caused some failures:

podman build is broken with this policy. And I assume that means buildah would not work as well. The difference is that in the build case we do not pass a bind mounted namespace path under /run but rather /proc/$pid/ns/net as path to pasta. We get this error:

pasta failed with exit code 1: Couldn't open network namespace /proc/360143/ns/net: Permission denied

Logged avc: denied { search } for pid=360144 comm="pasta.avx2" name="360143" dev="proc" ino=2030208 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=0 Odd, it works for me:

$ id -Z user_u:user_r:user_t:s0-s0:c0.c1023

$ podman --version podman version 5.4.2

$ pasta --version pasta 0^20250512.g8ec1341-1.fc42.x86_64 Copyright Red Hat GNU General Public License, version 2 or later https://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

$ cat Containerfile FROM registry.fedoraproject.org/fedora-minimal:42 RUN dnf install --assumeyes python3

$ podman build --no-cache --network=pasta . STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42 STEP 2/2: RUN dnf install --assumeyes python3 Updating and loading repositories: Fedora 42 - x86_64 - Updates 100% | 8.3 MiB/s | 6.8 MiB | 00m01s Fedora 42 openh264 (From Cisco) - x86_ 100% | 7.7 KiB/s | 6.0 KiB | 00m01s Fedora 42 - x86_64 100% | 12.3 MiB/s | 35.4 MiB | 00m03s Repositories loaded. Package Arch Version Repository Size Installing: python3 x86_64 3.13.3-2.fc42 updates 28.7 KiB Installing dependencies: expat x86_64 2.7.1-1.fc42 fedora 290.2 KiB libb2 x86_64 0.98.1-13.fc42 fedora 46.1 KiB libgomp x86_64 15.1.1-1.fc42 updates 538.5 KiB mpdecimal x86_64 4.0.1-1.fc42 updates 217.2 KiB python-pip-wheel noarch 24.3.1-2.fc42 fedora 1.2 MiB python3-libs x86_64 3.13.3-2.fc42 updates 39.9 MiB readline x86_64 8.2-13.fc42 fedora 485.0 KiB tzdata noarch 2025b-1.fc42 fedora 1.6 MiB Installing weak dependencies: python-unversioned-command noarch 3.13.3-2.fc42 updates 23.0 B

Transaction Summary: Installing: 10 packages

Total size of inbound packages is 12 MiB. Need to download 12 MiB. After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B). [ 1/10] python3-0:3.13.3-2.fc42.x86_64 100% | 109.6 KiB/s | 29.7 KiB | 00m00s [...] [12/12] Installing python-unversioned-c 100% | 9.6 KiB/s | 424.0 B | 00m00s Complete! COMMIT --> edfb5d3fee4c edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f

$ ps auxZ | grep pasta # In another terminal while the above is running user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta . user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2

What are the SELinux contexts of the network namespaces? This is what I get:

$ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net ls: cannot access '/run/user/959/netns': No such file or directory lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023 0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]'

It seems to be unconfined for me

lrwxrwxrwx. 1 test test unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 08:32 /proc/self/ns/net -> 'net:[4026531840]'

...
/run/user/959/containers/networks/rootless-netns: total 0 drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./ drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0 60 May 16 06:05 ../

/run/user/1001/containers/networks/rootless-netns: total 0 drwx------. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:26 . drwx------. 4 test test unconfined_u:object_r:user_tmp_t:s0 120 May 16 06:26 ..

/run/user/1001/netns: total 0 drwxr-xr-x. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 16 07:31 . drwx------. 9 test test unconfined_u:object_r:user_tmp_t:s0 200 May 16 06:19 ..

I'm getting the same issue with 'podman build' and the Containerfile shared by Max. Running with SELinux in permissive mode, I'm getting: # cat /var/log/audit/audit.log type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1 type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1 and: # audit2allow -a #============= pasta_t ============== allow pasta_t container_runtime_t:dir { open read search }; allow pasta_t container_runtime_t:file read; allow pasta_t container_runtime_t:lnk_file read; allow pasta_t container_t:lnk_file read; If I add those rules, everything works (well, I'm not saying that's the solution...). This is a Fedora virtual machine with: # uname -a Linux passt.top 6.11.0-0.rc3.30.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Aug 12 14:18:21 UTC 2024 x86_64 GNU/Linux # rpm -qe podman passt podman-5.5.0~rc2-1.fc43.x86_64 passt-0^20250512.g8ec1341-1.fc43.x86_64 To me those denials look reasonable, in the sense that I would expect the namespace links to have container_runtime_t type. By the way: $ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net lrwxrwxrwx. 1 sbrivio sbrivio unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 15:59 /proc/self/ns/net -> 'net:[4026531840]' /run/user/1001/containers/networks/rootless-netns: total 0 drwx------. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 15 15:00 . drwx------. 4 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0 120 May 15 15:00 .. /run/user/1001/netns: total 0 drwxr-xr-x. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 15 15:00 . drwx------. 8 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0 220 May 6 08:02 .. Max, could it be that you're running stuff with some customised SELinux policy? By the way, with "unconfined disabled": https://bugzilla.redhat.com/show_bug.cgi?id=2330512 we seem to have unconfined_t as type for those links: type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1 ...but I'm not sure at which point in time exactly.

...

...
...
I am not familiar with the selinux stuff but if this is a boolean that users can configure should this be documented in the man page here? I guess more documentation is always a good thing, but most of the other container-related SELinux booleans seem to be undocumented:

$ sudo semanage boolean --list | grep ^container_ container_connect_any (off , off) Determine whether container can connect to all TCP ports. container_manage_cgroup (on , on) Allow sandbox containers to manage cgroup (systemd) container_read_certs (off , off) Allow all container domains to read cert files and directories container_use_cephfs (off , off) Determine whether container can use ceph file system container_use_devices (off , off) Allow containers to use any device volume mounted into container container_use_dri_devices (on , on) Allow containers to use any dri device volume mounted into container container_use_ecryptfs (off , off) Determine whether container can use ecrypt file system container_use_xserver_devices (off , off) Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration container_user_exec_content (on , on) Allow container to user exec content

$ man -wK container_connect_any No manual entry for container_connect_any

$ man -wK container_manage_cgroup /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man7/podman-troubleshooting.7.gz

$ man -wK container_read_certs No manual entry for container_read_certs

$ man -wK container_use_cephfs No manual entry for container_use_cephfs

$ man -wK container_use_devices /usr/share/man/man1/sesearch.1.gz /usr/share/man/man1/podman-pod-clone.1.gz /usr/share/man/man1/podman-pod-create.1.gz /usr/share/man/man1/podman-build.1.gz /usr/share/man/man1/podman-farm-build.1.gz /usr/share/man/man1/podman-create.1.gz /usr/share/man/man1/podman-run.1.gz /usr/share/man/man8/setsebool.8.gz

$ man -wK container_user_exec_content No manual entry for container_user_exec_content

I'll send a patch for the man pages tomorrow.

Wait a moment. I don't think something SELinux-specific belongs to pasta's man page, because that's not relevant for all users and distributions. We could maintain that as an addition for Fedora and perhaps Gentoo, but I wonder if it's really worth the effort. Besides, I think that: # semanage boolean --list | grep pasta pasta_allow_bind_any_port (on , on) Allow pasta to allow bind any port ...this is the common practice to document those knobs (and where I usually look for things). We wouldn't have much to add to this anyway. -- Stefano

Max Chernoff

17 May 17 May

11:34 a.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

Hi Stefano On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:

...

Max, could it be that you're running stuff with some customised SELinux policy? By the way, with "unconfined disabled":

Simpler than that: I was testing something with SELinux permissive, and I forgot to reenable it. Whoops. I'm getting the same results as you now.

...

Running with SELinux in permissive mode, I'm getting:

# cat /var/log/audit/audit.log type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1 type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1

and:

# audit2allow -a

#============= pasta_t ============== allow pasta_t container_runtime_t:dir { open read search }; allow pasta_t container_runtime_t:file read; allow pasta_t container_runtime_t:lnk_file read; allow pasta_t container_t:lnk_file read;

If I add those rules, everything works

Yes, adding those rules also fixes things for me.

...

To me those denials look reasonable, in the sense that I would expect the namespace links to have container_runtime_t type.

I'm a little surprised that "container_runtime_t:file read" is necessary since I thought that "container_runtime_t:lnk_file read" would be sufficient to get the target of the link, but it indeed does not work without it.

...

(well, I'm not saying that's the solution...).

I guess the options are: 1. Add the above rules to the pasta SELinux policy 2. Have Podman change the context of /proc/self/ns/net to pasta_t 3. Have Podman pass a file descriptor to the netns instead of the path to the netns. (1) is arguably the least secure, but is probably fine in practice?

...

Max, could it be that you're running stuff with some customised SELinux policy? By the way, with "unconfined disabled":

https://bugzilla.redhat.com/show_bug.cgi?id=2330512

we seem to have unconfined_t as type for those links:

type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1

...but I'm not sure at which point in time exactly.

Ah, I wonder if that might be related to this: https://github.com/containers/buildah/issues/6160 But with the workaround documented there, and the rules from above, "podman build" works as expected with the unconfined module disabled.

...

Wait a moment. I don't think something SELinux-specific belongs to pasta's man page, because that's not relevant for all users and distributions.

We could maintain that as an addition for Fedora and perhaps Gentoo, but I wonder if it's really worth the effort.

+1 Thanks, -- Max

Stefano Brivio

19 May 19 May

9:39 a.m.

New subject: [PATCH v2 1/1] selinux: Transition to pasta_t in containers

On Sat, 17 May 2025 03:34:42 -0600 Max Chernoff wrote:

...

Hi Stefano

On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:

...
Max, could it be that you're running stuff with some customised SELinux policy? By the way, with "unconfined disabled":

Simpler than that: I was testing something with SELinux permissive, and I forgot to reenable it. Whoops. I'm getting the same results as you now.

...
Running with SELinux in permissive mode, I'm getting:

# cat /var/log/audit/audit.log type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1 type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1

and:

# audit2allow -a

#============= pasta_t ============== allow pasta_t container_runtime_t:dir { open read search }; allow pasta_t container_runtime_t:file read; allow pasta_t container_runtime_t:lnk_file read; allow pasta_t container_t:lnk_file read;

If I add those rules, everything works

Yes, adding those rules also fixes things for me.

...
To me those denials look reasonable, in the sense that I would expect the namespace links to have container_runtime_t type.

I'm a little surprised that "container_runtime_t:file read" is necessary since I thought that "container_runtime_t:lnk_file read" would be sufficient to get the target of the link, but it indeed does not work without it.

...
(well, I'm not saying that's the solution...).

I guess the options are:

1. Add the above rules to the pasta SELinux policy

2. Have Podman change the context of /proc/self/ns/net to pasta_t

3. Have Podman pass a file descriptor to the netns instead of the path to the netns.

(1) is arguably the least secure, but is probably fine in practice?

Well: 2. is probably the most restrictive but it doesn't really feel correct to me (pasta is not, at least conceptually, the exclusive user of the network namespace link) 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't see this, done) ...so I would opt for 1. I see why you mention it's less secure: we didn't really want to be able to open and read *any* container_runtime_t:dir or container_t:lnk_file. But that's not really the part of "fine-grained" security that we typically delegate to SELinux anyway.

...

...
Max, could it be that you're running stuff with some customised SELinux policy? By the way, with "unconfined disabled":

https://bugzilla.redhat.com/show_bug.cgi?id=2330512

we seem to have unconfined_t as type for those links:

type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1

...but I'm not sure at which point in time exactly.

Ah, I wonder if that might be related to this:

https://github.com/containers/buildah/issues/6160

But with the workaround documented there, and the rules from above, "podman build" works as expected with the unconfined module disabled.

Ah, great, then I guess we don't need to fix something that's not broken.

...

...
Wait a moment. I don't think something SELinux-specific belongs to pasta's man page, because that's not relevant for all users and distributions.

We could maintain that as an addition for Fedora and perhaps Gentoo, but I wonder if it's really worth the effort.

+1

...so I guess the only remaining point, other than adding those rules, is to figure out why %selinux_relabel_post isn't enough and what we can add to the spec file instead. I'll try to have a look at it within a couple of days unless you find an explanation / solution before then. -- Stefano

Max Chernoff

20 May 20 May

12:37 p.m.

New subject: [PATCH v3 0/1] selinux: Transition to pasta_t in containers

Hi Stefano, On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:

...

On Sat, 17 May 2025 03:34:42 -0600 Max Chernoff wrote:

...
On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:

...
#============= pasta_t ============== allow pasta_t container_runtime_t:dir { open read search }; allow pasta_t container_runtime_t:file read; allow pasta_t container_runtime_t:lnk_file read; allow pasta_t container_t:lnk_file read;

If I add those rules, everything works

...

...
I guess the options are:

1. Add the above rules to the pasta SELinux policy

2. Have Podman change the context of /proc/self/ns/net to pasta_t

3. Have Podman pass a file descriptor to the netns instead of the path to the netns.

(1) is arguably the least secure, but is probably fine in practice?

Well:

2. is probably the most restrictive but it doesn't really feel correct to me (pasta is not, at least conceptually, the exclusive user of the network namespace link)

3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't see this, done)

...so I would opt for 1.

I see why you mention it's less secure: we didn't really want to be able to open and read *any* container_runtime_t:dir or container_t:lnk_file. But that's not really the part of "fine-grained" security that we typically delegate to SELinux anyway.

Alright, works for me. I've added those rules into the policy in the following commit.

...

...so I guess the only remaining point, other than adding those rules, is to figure out why %selinux_relabel_post isn't enough and what we can add to the spec file instead. I'll try to have a look at it within a couple of days unless you find an explanation / solution before then.

I've looked through the code and I'm also lost as to why %selinux_relabel_post isn't working. I'll try taking a look again tomorrow, but I doubt that I'll be able to figure it out. Thanks, -- Max Max Chernoff (1): selinux: Transition to pasta_t in containers contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 42 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 5 deletions(-) -- 2.49.0

Stefano Brivio

6:08 p.m.

New subject: [PATCH v3 0/1] selinux: Transition to pasta_t in containers

On Tue, 20 May 2025 04:37:41 -0600 Max Chernoff wrote:

...

Hi Stefano,

On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:

...
On Sat, 17 May 2025 03:34:42 -0600 Max Chernoff wrote:

...
On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:

...
#============= pasta_t ============== allow pasta_t container_runtime_t:dir { open read search }; allow pasta_t container_runtime_t:file read; allow pasta_t container_runtime_t:lnk_file read; allow pasta_t container_t:lnk_file read;

If I add those rules, everything works

...
...
I guess the options are:

1. Add the above rules to the pasta SELinux policy

2. Have Podman change the context of /proc/self/ns/net to pasta_t

3. Have Podman pass a file descriptor to the netns instead of the path to the netns.

(1) is arguably the least secure, but is probably fine in practice?

Well:

2. is probably the most restrictive but it doesn't really feel correct to me (pasta is not, at least conceptually, the exclusive user of the network namespace link)

3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't see this, done)

...so I would opt for 1.

I see why you mention it's less secure: we didn't really want to be able to open and read *any* container_runtime_t:dir or container_t:lnk_file. But that's not really the part of "fine-grained" security that we typically delegate to SELinux anyway.

Alright, works for me. I've added those rules into the policy in the following commit.

Thanks, this looks ready for merging, minus the spec file problem (which we can also solve in another change, but I'd like to merge them together). Paul, maybe you want to give this version another try as well.

...

...
...so I guess the only remaining point, other than adding those rules, is to figure out why %selinux_relabel_post isn't enough and what we can add to the spec file instead. I'll try to have a look at it within a couple of days unless you find an explanation / solution before then.

I've looked through the code and I'm also lost as to why %selinux_relabel_post isn't working. I'll try taking a look again tomorrow, but I doubt that I'll be able to figure it out.

I haven't had the chance yet, I'll tell you if / as soon as I do. My first debugging step would have been to run 'fixfiles' manually, by the way, after changing the file contexts... -- Stefano

Max Chernoff

24 May 24 May

9:16 a.m.

New subject: [PATCH v4 0/1] selinux: Transition to pasta_t in containers

1 more change: allow systemd_user_runtimedir_t to remove the netns folders; otherwise, upon logout you'll get the following error: AVC avc: denied { rmdir } for pid=59008 comm="systemd-user-ru" name="netns" dev="tmpfs" ino=80 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=user_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 Thanks, -- Max Max Chernoff (1): selinux: Transition to pasta_t in containers contrib/selinux/pasta.fc | 10 +++++---- contrib/selinux/pasta.te | 44 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 5 deletions(-) -- 2.49.0

Stefano Brivio

6 Jun 6 Jun

12:06 p.m.

New subject: [PATCH v4 0/1] selinux: Transition to pasta_t in containers

On Sat, 24 May 2025 01:16:56 -0600 Max Chernoff wrote:

...

1 more change: allow systemd_user_runtimedir_t to remove the netns folders; otherwise, upon logout you'll get the following error:

AVC avc: denied { rmdir } for pid=59008 comm="systemd-user-ru" name="netns" dev="tmpfs" ino=80 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=user_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1

Thanks, -- Max

Max Chernoff (1): selinux: Transition to pasta_t in containers

Applied, thanks, and welcome to the git log! Release coming in a bit. -- Stefano

Max Chernoff

24 May 24 May

9:16 a.m.

New subject: [PATCH v4 1/1] selinux: Transition to pasta_t in containers

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context. Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff --- contrib/selinux/pasta.fc | 10 +++++---- contrib/selinux/pasta.te | 44 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 41ee46d..e4aefc4 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,7 +8,9 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 89c8043..9440d05 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -89,6 +89,15 @@ require { class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; + + # Container requires + attribute_role usernetctl_roles; + role container_user_r; + role staff_r; + role user_r; + type container_runtime_t; + type container_t; + type systemd_user_runtimedir_t; } type pasta_t; @@ -113,6 +122,9 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; +# pasta only calls setuid and setgid with the current UID and GID, so this +# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 +dontaudit pasta_t self:cap_userns { setgid setuid }; allow pasta_t self:user_namespace create; auth_read_passwd(pasta_t) @@ -130,7 +142,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr allow pasta_t user_home_dir_t:dir { search getattr open add_name read write }; allow pasta_t user_home_dir_t:file { create open read write }; allow pasta_t tmp_t:dir { add_name mounton remove_name write }; -allow pasta_t tmpfs_t:filesystem mount; +allow pasta_t tmpfs_t:filesystem { getattr mount }; allow pasta_t fs_t:filesystem unmount; allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) @@ -156,6 +168,11 @@ allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_node(pasta_t) corenet_tcp_bind_generic_node(pasta_t) +allow pasta_t container_runtime_t:dir { open read search }; +allow pasta_t container_runtime_t:fifo_file { getattr write }; +allow pasta_t container_runtime_t:file read; +allow pasta_t container_runtime_t:lnk_file read; +allow pasta_t container_t:lnk_file read; allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect }; allow pasta_t pasta_port_t:udp_socket { name_bind }; allow pasta_t http_port_t:tcp_socket { name_bind name_connect }; @@ -213,3 +230,28 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; allow pasta_t user_devpts_t:chr_file { append read write }; + +# Allow network administration commands for non-privileged users +roleattribute container_user_r usernetctl_roles; +roleattribute staff_r usernetctl_roles; +roleattribute user_r usernetctl_roles; +role usernetctl_roles types pasta_t; + +# Make pasta in a container run under the pasta_t context +type_transition container_runtime_t pasta_exec_t : process pasta_t; +allow container_runtime_t pasta_t:process transition; + +# Label the user network namespace files +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t ifconfig_var_run_t:file { create open write }; +allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir; + +# Allow pasta to bind to any port +bool pasta_bind_all_ports true; +if (pasta_bind_all_ports) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +} -- 2.49.0

Max Chernoff

20 May 20 May

12:37 p.m.

New subject: [PATCH v3 1/1] selinux: Transition to pasta_t in containers

Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context. Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130... Signed-off-by: Max Chernoff --- contrib/selinux/pasta.fc | 10 ++++++---- contrib/selinux/pasta.te | 42 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 5 deletions(-) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index 41ee46d..e4aefc4 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -8,7 +8,9 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 89c8043..8b46903 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -89,6 +89,14 @@ require { class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; + + # Container requires + attribute_role usernetctl_roles; + role container_user_r; + role staff_r; + role user_r; + type container_runtime_t; + type container_t; } type pasta_t; @@ -113,6 +121,9 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; +# pasta only calls setuid and setgid with the current UID and GID, so this +# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 +dontaudit pasta_t self:cap_userns { setgid setuid }; allow pasta_t self:user_namespace create; auth_read_passwd(pasta_t) @@ -130,7 +141,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr allow pasta_t user_home_dir_t:dir { search getattr open add_name read write }; allow pasta_t user_home_dir_t:file { create open read write }; allow pasta_t tmp_t:dir { add_name mounton remove_name write }; -allow pasta_t tmpfs_t:filesystem mount; +allow pasta_t tmpfs_t:filesystem { getattr mount }; allow pasta_t fs_t:filesystem unmount; allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) @@ -156,6 +167,11 @@ allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_node(pasta_t) corenet_tcp_bind_generic_node(pasta_t) +allow pasta_t container_runtime_t:dir { open read search }; +allow pasta_t container_runtime_t:fifo_file { getattr write }; +allow pasta_t container_runtime_t:file read; +allow pasta_t container_runtime_t:lnk_file read; +allow pasta_t container_t:lnk_file read; allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect }; allow pasta_t pasta_port_t:udp_socket { name_bind }; allow pasta_t http_port_t:tcp_socket { name_bind name_connect }; @@ -213,3 +229,27 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; allow pasta_t user_devpts_t:chr_file { append read write }; + +# Allow network administration commands for non-privileged users +roleattribute container_user_r usernetctl_roles; +roleattribute staff_r usernetctl_roles; +roleattribute user_r usernetctl_roles; +role usernetctl_roles types pasta_t; + +# Make pasta in a container run under the pasta_t context +type_transition container_runtime_t pasta_exec_t : process pasta_t; +allow container_runtime_t pasta_t:process transition; + +# Label the user network namespace files +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t ifconfig_var_run_t:file { create open write }; + +# Allow pasta to bind to any port +bool pasta_bind_all_ports true; +if (pasta_bind_all_ports) { + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; + allow pasta_t port_type:udp_socket { accept getopt name_bind }; +} -- 2.49.0

Age (days ago)

Last active (days ago)

List overview

Download

19 comments

3 participants

participants (3)

Max Chernoff
Paul Holzinger
Stefano Brivio