passt/contrib/selinux, branch bug165c Plug A Simple Socket Transport selinux: Enable read and watch permissions on netns directory as well 2025-12-23T00:59:34+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-23T00:59:34+00:00 d2c5133990a7758bfa567fc73216393498949e9b With commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers"), we need to make sure that pasta can access the target namespace directory passed by Podman, and, in a general case, we have all the permissions we need. But if we now start a container without the Podman changes referenced by commit fd1bcc30af07 ("selinux: add container_var_run_t type transition"), or with them, but with the container being created before those and without a reboot in between, we'll additionally need 'read' and 'watch' permissions on user_tmp_t directory as well, as user_tmp_t is still the (inconsistent) context of the namespace entry. Otherwise, on a container start/restart, we'll get SELinux denials: type=AVC msg=audit(1766451401.296:184): avc: denied { read } for pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje ct_r:user_tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1766451401.298:185): avc: denied { watch } for pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 This can be reproduced quite simply: $ podman create -q --name hello hello 6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770 [upgrade passt's SELinux policy to a version including 7aeda16a7818] $ podman start hello Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1: netns dir open: Permission denied, exiting Reported-by: Tuomo Soini <tis@foobar.fi> Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
containers"), we need to make sure that pasta can access the target
namespace directory passed by Podman, and, in a general case, we have
all the permissions we need.

But if we now start a container without the Podman changes referenced
by commit fd1bcc30af07 ("selinux: add container_var_run_t type
transition"), or with them, but with the container being created
before those and without a reboot in between, we'll additionally need
'read' and 'watch' permissions on user_tmp_t directory as well, as
user_tmp_t is still the (inconsistent) context of the namespace entry.

Otherwise, on a container start/restart, we'll get SELinux denials:

  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje
ct_r:user_tmp_t:s0 tclass=dir permissive=1
  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

  $ podman create -q --name hello hello
  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

  [upgrade passt's SELinux policy to a version including 7aeda16a7818]

  $ podman start hello
  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
  netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini <tis@foobar.fi>
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: use regex instead of SELinux template 2025-11-04T17:49:43+00:00 Danish Prakash contact@danishpraka.sh 2025-10-30T10:49:13+00:00 1d164396397799088b6dad13178781553333f2aa It might be possible to avoid using SELinux template (%USERID), and instead using regex to match user ids. This would allow discarding the explicit restorecon call while during package builds[1]. Original suggestion from cathy.hu@suse.com: > running restorecon would be unnecessary if the passt upstream selinux > module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway) [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5 Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It might be possible to avoid using SELinux template (%USERID),
and instead using regex to match user ids. This would allow
discarding the explicit restorecon call while during package builds[1].

Original suggestion from cathy.hu@suse.com:

> running restorecon would be unnecessary if the passt upstream selinux
> module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway)

[1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add missing file contexts for Podman 2025-09-18T15:17:10+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:52+00:00 c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add container_var_run_t type transition 2025-09-18T15:16:58+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:50+00:00 fd1bcc30af0778715666434799180ee456c0c83f In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t which was expected here.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: pasta accesses /etc/resolv.conf 2025-08-05T13:30:59+00:00 Cathy Hu cathy.hu@suse.com 2025-08-05T13:19:26+00:00 309eefd6af5ba20f760b92b6131a9ea7f2e161d4 pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in fedora (which uses systemd-resolved) this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta Adresses: ---- time->Fri Jul 25 15:57:16 2025 type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 15:58:10 2025 type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 16:01:53 2025 type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 Signed-off-by: Cathy Hu <cathy.hu@suse.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in fedora (which uses
systemd-resolved)

this replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta

Adresses:

----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc:  denied  { search } for  pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc:  denied  { search } for  pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc:  denied  { search } for  pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0

Signed-off-by: Cathy Hu <cathy.hu@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: Transition to pasta_t in containers 2025-06-04T10:24:01+00:00 Max Chernoff git@maxchernoff.ca 2025-05-24T07:16:57+00:00 7aeda16a781848df3dc897da477e6a9bb8a84e67 Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context. Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently, pasta runs in the container_runtime_exec_t context when
running in a container. This is not ideal since it means that pasta runs
with more privileges than strictly necessary. This commit updates the
SELinux policy to have pasta transition to the pasta_t context when
started from the container_runtime_t context, adds the appropriate
labels to $XDG_RUNTIME_DIR/netns and
$XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
necessary permissions to the pasta_t context.

Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: Add getattr to class udp_socket 2025-05-02T10:00:51+00:00 Janne Grunau janne-psst@jannau.net 2025-05-01T09:54:07+00:00 93394f4ef0966602b2ada8f72beaf75352add7b1 Commit 59cc89f ("udp, udp_flow: Track our specific address on socket interfaces") added a getsockname() call in udp_flow_new(). This requires getattr. Fixes "Flow 0 (UDP flow): Unable to determine local address: Permission denied" errors in muvm/passt on Fedora Linux 42 with SELinux. The SELinux audit message is | type=AVC msg=audit(1746083799.606:235): avc: denied { getattr } for | pid=2961 comm="passt" laddr=127.0.0.1 lport=49221 | faddr=127.0.0.53 fport=53 | scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 | tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 | tclass=udp_socket permissive=0 Fixes: 59cc89f4cc01 ("udp, udp_flow: Track our specific address on socket interfaces") Link: https://bugzilla.redhat.com/show_bug.cgi?id=2363238 Signed-off-by: Janne Grunau <janne-psst@jannau.net> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Commit 59cc89f ("udp, udp_flow: Track our specific address on socket
interfaces") added a getsockname() call in udp_flow_new(). This requires
getattr. Fixes "Flow 0 (UDP flow): Unable to determine local address:
Permission denied" errors in muvm/passt on Fedora Linux 42 with SELinux.

The SELinux audit message is

| type=AVC msg=audit(1746083799.606:235): avc:  denied  { getattr } for
|   pid=2961 comm="passt" laddr=127.0.0.1 lport=49221
|   faddr=127.0.0.53 fport=53
|   scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
|   tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
|   tclass=udp_socket permissive=0

Fixes: 59cc89f4cc01 ("udp, udp_flow: Track our specific address on socket interfaces")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2363238
Signed-off-by: Janne Grunau <janne-psst@jannau.net>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
passt-repair: Add directory watch 2025-03-12T20:34:36+00:00 Stefano Brivio sbrivio@redhat.com 2025-03-07T22:27:03+00:00 04701702471ececee362669cc6b49ed9e20a1b6d It might not be feasible for users to start passt-repair after passt is started, on a migration target, but before the migration process starts. For instance, with libvirt, the guest domain (and, hence, passt) is started on the target as part of the migration process. At least for the moment being, there's no hook a libvirt user (including KubeVirt) can use to start passt-repair before the migration starts. Add a directory watch using inotify: if PATH is a directory, instead of connecting to it, we'll watch for a .repair socket file to appear in it, and then attempt to connect to that socket. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
It might not be feasible for users to start passt-repair after passt
is started, on a migration target, but before the migration process
starts.

For instance, with libvirt, the guest domain (and, hence, passt) is
started on the target as part of the migration process. At least for
the moment being, there's no hook a libvirt user (including KubeVirt)
can use to start passt-repair before the migration starts.

Add a directory watch using inotify: if PATH is a directory, instead
of connecting to it, we'll watch for a .repair socket file to appear
in it, and then attempt to connect to that socket.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage 2025-02-28T00:14:01+00:00 Stefano Brivio sbrivio@redhat.com 2025-02-28T00:14:01+00:00 87471731e6bb0b5df3a50277527caf3381b45ee4 Here are a bunch of workarounds and a couple of fixes for libvirt usage which are rather hard to split into single logical patches as there appear to be some obscure dependencies between some of them: - passt-repair needs to have an exec_type typeattribute (otherwise the policy for lsmd(1) causes a violation on getattr on its executable) file, and that typeattribute just happened to be there for passt as a result of init_daemon_domain(), but passt-repair isn't a daemon, so we need an explicit corecmd_executable_file() - passt-repair needs a workaround, which I'll revisit once https://github.com/fedora-selinux/selinux-policy/issues/2579 is solved, for usage with libvirt: allow it to use qemu_var_run_t and virt_var_run_t sockets - add 'bpf' and 'dac_read_search' capabilities for passt-repair: they are needed (for whatever reason I didn't investigate) to actually receive socket files via SCM_RIGHTS - passt needs further workarounds in the sense of https://github.com/fedora-selinux/selinux-policy/issues/2579: allow it to use map and use svirt_tmpfs_t (not just svirt_image_t): it depends on where the libvirt guest image is - ...it also needs to map /dev/null if <access mode='shared'/> is enabled in libvirt's XML for the memoryBacking object, for vhost-user operation - and 'ioctl' on the TCP socket appears to be actually needed, on top of 'getattr', to dump some socket parameters Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Here are a bunch of workarounds and a couple of fixes for libvirt
usage which are rather hard to split into single logical patches
as there appear to be some obscure dependencies between some of them:

- passt-repair needs to have an exec_type typeattribute (otherwise
  the policy for lsmd(1) causes a violation on getattr on its
  executable) file, and that typeattribute just happened to be there
  for passt as a result of init_daemon_domain(), but passt-repair
  isn't a daemon, so we need an explicit corecmd_executable_file()

- passt-repair needs a workaround, which I'll revisit once
  https://github.com/fedora-selinux/selinux-policy/issues/2579 is
  solved, for usage with libvirt: allow it to use qemu_var_run_t
  and virt_var_run_t sockets

- add 'bpf' and 'dac_read_search' capabilities for passt-repair:
  they are needed (for whatever reason I didn't investigate) to
  actually receive socket files via SCM_RIGHTS

- passt needs further workarounds in the sense of
  https://github.com/fedora-selinux/selinux-policy/issues/2579:
  allow it to use map and use svirt_tmpfs_t (not just svirt_image_t):
  it depends on where the libvirt guest image is

- ...it also needs to map /dev/null if <access mode='shared'/> is
  enabled in libvirt's XML for the memoryBacking object, for
  vhost-user operation

- and 'ioctl' on the TCP socket appears to be actually needed, on top
  of 'getattr', to dump some socket parameters

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
migrate: Migrate TCP flows 2025-02-17T07:29:03+00:00 Stefano Brivio sbrivio@redhat.com 2025-02-13T12:14:13+00:00 89ecf2fd40adab549bdf25cdb68996f56d67b13e This implements flow preparation on the source, transfer of data with a format roughly inspired by struct tcp_tap_conn, plus a specific structure for parameters that don't fit in the flow table, and flow insertion on the target, with all the appropriate window options, window scaling, MSS, etc. Contents of pending queues are transferred as well. The target side is rather convoluted because we first need to create sockets and switch them to repair mode, before we can apply options that are *not* stored in the flow table. This also means that, if we're testing this on the same machine, in the same namespace, we need to close the listening socket on the source before we can start moving data. Further, we need to connect() the socket on the target before we can restore data queues, but we can't do that (again, on the same machine) as long as the matching source socket is open, which implies an arbitrary limit on queue sizes we can transfer, because we can only dump pending queues on the source as long as the socket is open, of course. Co-authored-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Tested-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This implements flow preparation on the source, transfer of data with
a format roughly inspired by struct tcp_tap_conn, plus a specific
structure for parameters that don't fit in the flow table, and flow
insertion on the target, with all the appropriate window options,
window scaling, MSS, etc.

Contents of pending queues are transferred as well.

The target side is rather convoluted because we first need to create
sockets and switch them to repair mode, before we can apply options
that are *not* stored in the flow table. This also means that, if
we're testing this on the same machine, in the same namespace, we need
to close the listening socket on the source before we can start moving
data.

Further, we need to connect() the socket on the target before we can
restore data queues, but we can't do that (again, on the same machine)
as long as the matching source socket is open, which implies an
arbitrary limit on queue sizes we can transfer, because we can only
dump pending queues on the source as long as the socket is open, of
course.

Co-authored-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>