passt/contrib, branch 2026_01_17.81c97f6 Plug A Simple Socket Transport selinux: Enable open permissions on netns directory, operations on container_var_run_t 2026-01-16T16:22:44+00:00 Stefano Brivio sbrivio@redhat.com 2026-01-16T15:48:46+00:00 a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e Tuomo reports two further SELinux denials after upgrading to a passt-selinux version that includes the transition to pasta_t for containers, one I could reproduce: denied { open } for pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 which I didn't take care of in the previous commit, d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well"), as it didn't appear in my quick test. But I can make pasta use "open" on the network namespace entry by simply using it to make connections. So, for that, add "open" to the existing rule for user_tmp_t:dir. Then, another one I couldn't reproduce instead: denied { write } for pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0 which, I think, comes from a specific combination of versions of container-selinux, Podman, and passt-selinux packages, which prevents the expected type transition on container_var_run_t unless restorecon is invoked manually, or until a reboot. Allowing the same permissions on container_var_run_t as we do on ifconfig_var_run_t is harmless, so do that to prevent this further denial. Reported-by: Tuomo Soini <tis@foobar.fi> Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well") Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Tuomo reports two further SELinux denials after upgrading to a
passt-selinux version that includes the transition to pasta_t for
containers, one I could reproduce:

  denied  { open } for  pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

which I didn't take care of in the previous commit, d2c5133990a7
("selinux: Enable read and watch permissions on netns directory as
well"), as it didn't appear in my quick test. But I can make pasta use
"open" on the network namespace entry by simply using it to make
connections.

So, for that, add "open" to the existing rule for user_tmp_t:dir.

Then, another one I couldn't reproduce instead:

  denied  { write } for  pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0

which, I think, comes from a specific combination of versions of
container-selinux, Podman, and passt-selinux packages, which
prevents the expected type transition on container_var_run_t unless
restorecon is invoked manually, or until a reboot.

Allowing the same permissions on container_var_run_t as we do on
ifconfig_var_run_t is harmless, so do that to prevent this further
denial.

Reported-by: Tuomo Soini <tis@foobar.fi>
Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well")
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation 2026-01-14T00:07:51+00:00 Stefano Brivio sbrivio@redhat.com 2026-01-10T13:15:44+00:00 faab79cfd56a34699f0baad7e57c52030363a544 In the 3.0 AppArmor ABI version we currently use, user namespace rules are not supported, and, as long as we load confined profiles, those implicitly allow creation of user namespaces. However, ABI version 4.0 introduces rules for user namespaces, and if we don't specify any, we can't create user namespaces, see: https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction This wouldn't affect us in general, given that we're using the 3.0 ABI, but libvirt's policy uses 4.0 instead, and if our abstractions are used from there, no matter what ABI policy version we declare, rules for user namespace creation now match ABI policy version 4.0. As a result, when libvirtd runs as root, and its profile includes passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user"), passt can't detach user namespaces and will fail to start, as reported by Niklas: ERROR internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket Couldn't create user namespace: Permission denied This isn't a problem with libvirtd running as regular user, because in that case, as a workaround, passt currently runs under its own profile, not as a libvirtd subprofile (see commit referenced above). Given that ABI 4.0 has been around for a while, being introduced in July 2023, finally take the step to upgrade to it and explicitly enable user namespace creation. No further changes are needed in the existing policies to match new features introduced in AppArmor 4.0. Reported-by: Niklas Edmundsson <nikke@accum.se> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124801 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In the 3.0 AppArmor ABI version we currently use, user namespace rules
are not supported, and, as long as we load confined profiles, those
implicitly allow creation of user namespaces.

However, ABI version 4.0 introduces rules for user namespaces, and if
we don't specify any, we can't create user namespaces, see:

  https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

This wouldn't affect us in general, given that we're using the 3.0
ABI, but libvirt's policy uses 4.0 instead, and if our abstractions
are used from there, no matter what ABI policy version we declare,
rules for user namespace creation now match ABI policy version 4.0.

As a result, when libvirtd runs as root, and its profile includes
passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround
for unconfined libvirtd when triggered by unprivileged user"), passt
can't detach user namespaces and will fail to start, as reported by
Niklas:

  ERROR    internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first
  UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket
  Couldn't create user namespace: Permission denied

This isn't a problem with libvirtd running as regular user, because
in that case, as a workaround, passt currently runs under its own
profile, not as a libvirtd subprofile (see commit referenced above).

Given that ABI 4.0 has been around for a while, being introduced in
July 2023, finally take the step to upgrade to it and explicitly
enable user namespace creation.

No further changes are needed in the existing policies to match new
features introduced in AppArmor 4.0.

Reported-by: Niklas Edmundsson <nikke@accum.se>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124801
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
apparmor: Allow reading TCP RTO sysctl parameters 2026-01-08T14:02:51+00:00 Martin Pitt mpitt@redhat.com 2026-01-02T20:02:12+00:00 2aa63237109b97a55c85e4c86c72db0d055bfe7a Since commits 3dde0e07804e ("tcp: Update data retransmission timeout") and 1a834879a2f7 ("tcp: Clamp the retry timeout") from 2025-12-02, passt reads additional TCP-related sysctl parameters from /proc to configure retransmission timeout behavior: - /proc/sys/net/ipv4/tcp_syn_retries - /proc/sys/net/ipv4/tcp_syn_linear_timeouts - /proc/sys/net/ipv4/tcp_rto_max_ms These are read by tcp_get_rto_params() during initialization. Adjust the AppArmor profile accordingly. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2426863 Link: https://github.com/cockpit-project/bots/pull/8568 Fixes: 3dde0e07804e ("tcp: Update data retransmission timeout") Fixes: 1a834879a2f7 ("tcp: Clamp the retry timeout") Signed-off-by: Martin Pitt <mpitt@redhat.com> [sbrivio: Minor formatting change, changed commit references] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Since commits 3dde0e07804e ("tcp: Update data retransmission timeout")
and 1a834879a2f7 ("tcp: Clamp the retry timeout") from 2025-12-02,
passt reads additional TCP-related sysctl parameters from /proc to
configure retransmission timeout behavior:

  - /proc/sys/net/ipv4/tcp_syn_retries
  - /proc/sys/net/ipv4/tcp_syn_linear_timeouts
  - /proc/sys/net/ipv4/tcp_rto_max_ms

These are read by tcp_get_rto_params() during initialization. Adjust the
AppArmor profile accordingly.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2426863
Link: https://github.com/cockpit-project/bots/pull/8568
Fixes: 3dde0e07804e ("tcp: Update data retransmission timeout")
Fixes: 1a834879a2f7 ("tcp: Clamp the retry timeout")
Signed-off-by: Martin Pitt <mpitt@redhat.com>
[sbrivio: Minor formatting change, changed commit references]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: Enable read and watch permissions on netns directory as well 2025-12-23T00:59:34+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-23T00:59:34+00:00 d2c5133990a7758bfa567fc73216393498949e9b With commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers"), we need to make sure that pasta can access the target namespace directory passed by Podman, and, in a general case, we have all the permissions we need. But if we now start a container without the Podman changes referenced by commit fd1bcc30af07 ("selinux: add container_var_run_t type transition"), or with them, but with the container being created before those and without a reboot in between, we'll additionally need 'read' and 'watch' permissions on user_tmp_t directory as well, as user_tmp_t is still the (inconsistent) context of the namespace entry. Otherwise, on a container start/restart, we'll get SELinux denials: type=AVC msg=audit(1766451401.296:184): avc: denied { read } for pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje ct_r:user_tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1766451401.298:185): avc: denied { watch } for pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 This can be reproduced quite simply: $ podman create -q --name hello hello 6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770 [upgrade passt's SELinux policy to a version including 7aeda16a7818] $ podman start hello Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1: netns dir open: Permission denied, exiting Reported-by: Tuomo Soini <tis@foobar.fi> Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
containers"), we need to make sure that pasta can access the target
namespace directory passed by Podman, and, in a general case, we have
all the permissions we need.

But if we now start a container without the Podman changes referenced
by commit fd1bcc30af07 ("selinux: add container_var_run_t type
transition"), or with them, but with the container being created
before those and without a reboot in between, we'll additionally need
'read' and 'watch' permissions on user_tmp_t directory as well, as
user_tmp_t is still the (inconsistent) context of the namespace entry.

Otherwise, on a container start/restart, we'll get SELinux denials:

  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje
ct_r:user_tmp_t:s0 tclass=dir permissive=1
  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

  $ podman create -q --name hello hello
  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

  [upgrade passt's SELinux policy to a version including 7aeda16a7818]

  $ podman start hello
  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
  netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini <tis@foobar.fi>
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Fix build on Fedora 43, selinux_requires_min not available on Copr builders 2025-12-08T10:17:14+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-08T10:17:14+00:00 e8b56a3d2456a62eed5ce4297134b26427c2e5b6 For some reason, on Copr: Building target platforms: aarch64 Building for target aarch64 error: line 42: Unknown tag: %selinux_requires_min Child return code was: 1 Use %selinux_requires_min starting from current Rawhide / Fedora 44, there it works. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
For some reason, on Copr:

  Building target platforms: aarch64
  Building for target aarch64
  error: line 42: Unknown tag: %selinux_requires_min
  Child return code was: 1

Use %selinux_requires_min starting from current Rawhide / Fedora 44,
there it works.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
spec: use %selinux_requires_min macro, drop overlapping dependencies 2025-11-27T21:20:16+00:00 Danish Prakash contact@danishpraka.sh 2025-11-21T12:47:46+00:00 95ab87b490c5235c9c9dde8f100a93f4b17ba4f4 Also, drop unused preun policycoreutils requires, and Recommends on selinux-policy-%{targeted}, it has since been added to %selinux_requires_min. Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: use regex instead of SELinux template 2025-11-04T17:49:43+00:00 Danish Prakash contact@danishpraka.sh 2025-10-30T10:49:13+00:00 1d164396397799088b6dad13178781553333f2aa It might be possible to avoid using SELinux template (%USERID), and instead using regex to match user ids. This would allow discarding the explicit restorecon call while during package builds[1]. Original suggestion from cathy.hu@suse.com: > running restorecon would be unnecessary if the passt upstream selinux > module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway) [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5 Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It might be possible to avoid using SELinux template (%USERID),
and instead using regex to match user ids. This would allow
discarding the explicit restorecon call while during package builds[1].

Original suggestion from cathy.hu@suse.com:

> running restorecon would be unnecessary if the passt upstream selinux
> module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway)

[1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add missing file contexts for Podman 2025-09-18T15:17:10+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:52+00:00 c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add container_var_run_t type transition 2025-09-18T15:16:58+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:50+00:00 fd1bcc30af0778715666434799180ee456c0c83f In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t which was expected here.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: pasta accesses /etc/resolv.conf 2025-08-05T13:30:59+00:00 Cathy Hu cathy.hu@suse.com 2025-08-05T13:19:26+00:00 309eefd6af5ba20f760b92b6131a9ea7f2e161d4 pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in fedora (which uses systemd-resolved) this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta Adresses: ---- time->Fri Jul 25 15:57:16 2025 type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 15:58:10 2025 type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 16:01:53 2025 type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 Signed-off-by: Cathy Hu <cathy.hu@suse.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in fedora (which uses
systemd-resolved)

this replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta

Adresses:

----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc:  denied  { search } for  pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc:  denied  { search } for  pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc:  denied  { search } for  pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0

Signed-off-by: Cathy Hu <cathy.hu@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>