<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt/contrib/selinux/pasta.te, branch bug205</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>selinux: Enable open permissions on netns directory, operations on container_var_run_t</title>
<updated>2026-01-16T16:22:44+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-01-16T15:48:46+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e'/>
<id>a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e</id>
<content type='text'>
Tuomo reports two further SELinux denials after upgrading to a
passt-selinux version that includes the transition to pasta_t for
containers, one I could reproduce:

  denied  { open } for  pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

which I didn't take care of in the previous commit, d2c5133990a7
("selinux: Enable read and watch permissions on netns directory as
well"), as it didn't appear in my quick test. But I can make pasta use
"open" on the network namespace entry by simply using it to make
connections.

So, for that, add "open" to the existing rule for user_tmp_t:dir.

Then, another one I couldn't reproduce instead:

  denied  { write } for  pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0

which, I think, comes from a specific combination of versions of
container-selinux, Podman, and passt-selinux packages, which
prevents the expected type transition on container_var_run_t unless
restorecon is invoked manually, or until a reboot.

Allowing the same permissions on container_var_run_t as we do on
ifconfig_var_run_t is harmless, so do that to prevent this further
denial.

Reported-by: Tuomo Soini &lt;tis@foobar.fi&gt;
Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well")
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Enable read and watch permissions on netns directory as well</title>
<updated>2025-12-23T00:59:34+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-12-23T00:59:34+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=d2c5133990a7758bfa567fc73216393498949e9b'/>
<id>d2c5133990a7758bfa567fc73216393498949e9b</id>
<content type='text'>
With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
containers"), we need to make sure that pasta can access the target
namespace directory passed by Podman, and, in a general case, we have
all the permissions we need.

But if we now start a container without the Podman changes referenced
by commit fd1bcc30af07 ("selinux: add container_var_run_t type
transition"), or with them, but with the container being created
before those and without a reboot in between, we'll additionally need
'read' and 'watch' permissions on the user_tmp_t directory as well, as
user_tmp_t is still the (inconsistent) context of the namespace entry.

Otherwise, on a container start/restart, we'll get SELinux denials:

  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

  $ podman create -q --name hello hello
  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

  [upgrade passt's SELinux policy to a version including 7aeda16a7818]

  $ podman start hello
  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
  netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini &lt;tis@foobar.fi&gt;
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: add container_var_run_t type transition</title>
<updated>2025-09-18T15:16:58+00:00</updated>
<author>
<name>Paul Holzinger</name>
<email>pholzing@redhat.com</email>
</author>
<published>2025-09-17T12:04:50+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=fd1bcc30af0778715666434799180ee456c0c83f'/>
<id>fd1bcc30af0778715666434799180ee456c0c83f</id>
<content type='text'>
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t, which was expected here.
Starting with a recent container-selinux change, the runroot is now
always container_var_run_t, so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: pasta accesses /etc/resolv.conf</title>
<updated>2025-08-05T13:30:59+00:00</updated>
<author>
<name>Cathy Hu</name>
<email>cathy.hu@suse.com</email>
</author>
<published>2025-08-05T13:19:26+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=309eefd6af5ba20f760b92b6131a9ea7f2e161d4'/>
<id>309eefd6af5ba20f760b92b6131a9ea7f2e161d4</id>
<content type='text'>
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in Fedora (which uses
systemd-resolved).

This replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta.

Addresses:

----
time-&gt;Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc:  denied  { search } for  pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time-&gt;Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc:  denied  { search } for  pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time-&gt;Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc:  denied  { search } for  pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0

Signed-off-by: Cathy Hu &lt;cathy.hu@suse.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Transition to pasta_t in containers</title>
<updated>2025-06-04T10:24:01+00:00</updated>
<author>
<name>Max Chernoff</name>
<email>git@maxchernoff.ca</email>
</author>
<published>2025-05-24T07:16:57+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=7aeda16a781848df3dc897da477e6a9bb8a84e67'/>
<id>7aeda16a781848df3dc897da477e6a9bb8a84e67</id>
<content type='text'>
Currently, pasta runs in the container_runtime_exec_t context when
running in a container. This is not ideal since it means that pasta runs
with more privileges than strictly necessary. This commit updates the
SELinux policy to have pasta transition to the pasta_t context when
started from the container_runtime_t context, adds the appropriate
labels to $XDG_RUNTIME_DIR/netns and
$XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Max Chernoff &lt;git@maxchernoff.ca&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Add rules needed to run tests</title>
<updated>2025-02-12T23:42:52+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-02-12T23:42:52+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=9a84df4c3f9608c5e814f24ee3306a6c64a73edd'/>
<id>9a84df4c3f9608c5e814f24ee3306a6c64a73edd</id>
<content type='text'>
...other than being convenient, they might be reasonably
representative of typical stand-alone usage.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>pasta.te: fix demo.sh and remove one duplicate rule</title>
<updated>2025-02-03T06:33:14+00:00</updated>
<author>
<name>7ppKb5bW</name>
<email>pONy4THS@protonmail.com</email>
</author>
<published>2025-02-02T19:21:21+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=bf2860819d868c7d116923e9b5d798d410d38715'/>
<id>bf2860819d868c7d116923e9b5d798d410d38715</id>
<content type='text'>
On Fedora 41, without "allow pasta_t unconfined_t:dir read"
/usr/bin/pasta can't open /proc/[pid]/ns, which is required by
pasta_netns_quit_init().

This patch also removes one duplicate rule "allow pasta_t nsfs_t:file
read;", "allow pasta_t nsfs_t:file { open read };" at line 123 is
enough.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Use auth_read_passwd() interface for all our getpwnam() needs</title>
<updated>2024-11-19T20:10:14+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2024-11-14T22:48:54+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=5e2446667729d01ef8208d0e7e866cee09c8a3fb'/>
<id>5e2446667729d01ef8208d0e7e866cee09c8a3fb</id>
<content type='text'>
If passt or pasta are started as root, we need to read the passwd file
(be it /etc/passwd or whatever sssd provides) to find out UID and GID
of 'nobody' so that we can switch to it.

Instead of a bunch of allow rules for passwd_file_t and sssd macros,
use the more convenient auth_read_passwd() interface which should
cover our usage of getpwnam().

The existing rules weren't actually enough:

  # strace -e openat passt -f
  [...]
  Started as root, will change to nobody.
  openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
  openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4
  openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
  openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4

with corresponding SELinux warnings logged in audit.log.

Reported-by: Minxi Hou &lt;mhou@redhat.com&gt;
Analysed-by: Miloš Malik &lt;mmalik@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Allow read access to /proc/sys/net/ipv4/ip_local_port_range</title>
<updated>2024-09-06T13:34:06+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2024-09-06T13:19:20+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=116bc8266d97d3a3679f9f1c5dc306c834562b48'/>
<id>116bc8266d97d3a3679f9f1c5dc306c834562b48</id>
<content type='text'>
Since commit eedc81b6ef55 ("fwd, conf: Probe host's ephemeral ports"),
we might need to read from /proc/sys/net/ipv4/ip_local_port_range in
both passt and pasta.

While pasta was already allowed to open and write /proc/sys/net
entries, read access was missing in SELinux's type enforcement: add
that.

In passt, instead, this is the first time we need to access an entry
there: add everything we need.

Fixes: eedc81b6ef55 ("fwd, conf: Probe host's ephemeral ports")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux: Allow access to user_devpts</title>
<updated>2024-06-07T18:44:44+00:00</updated>
<author>
<name>Derek Schrock</name>
<email>dereks@lifeofadishwasher.com</email>
</author>
<published>2024-05-26T22:28:42+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=8a83b530feeac1a9812fe457e86257430f6b2fed'/>
<id>8a83b530feeac1a9812fe457e86257430f6b2fed</id>
<content type='text'>
Allow access to user_devpts.

	$ pasta --version
	pasta 0^20240510.g7288448-1.fc40.x86_64
	...
	$ awk '' &lt; /dev/null
	$ pasta --version
	$

While this might be an awk bug, it appears pasta should still have access
to devpts.

Signed-off-by: Derek Schrock &lt;dereks@lifeofadishwasher.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
</feed>
