passt/contrib, branch bug165c Plug A Simple Socket Transport selinux: Enable read and watch permissions on netns directory as well 2025-12-23T00:59:34+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-23T00:59:34+00:00 d2c5133990a7758bfa567fc73216393498949e9b With commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers"), we need to make sure that pasta can access the target namespace directory passed by Podman, and, in a general case, we have all the permissions we need. But if we now start a container without the Podman changes referenced by commit fd1bcc30af07 ("selinux: add container_var_run_t type transition"), or with them, but with the container being created before those and without a reboot in between, we'll additionally need 'read' and 'watch' permissions on user_tmp_t directory as well, as user_tmp_t is still the (inconsistent) context of the namespace entry. Otherwise, on a container start/restart, we'll get SELinux denials: type=AVC msg=audit(1766451401.296:184): avc: denied { read } for pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje ct_r:user_tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1766451401.298:185): avc: denied { watch } for pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 This can be reproduced quite simply: $ podman create -q --name hello hello 6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770 [upgrade passt's SELinux policy to a version including 7aeda16a7818] $ podman start hello Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1: netns dir open: Permission denied, exiting Reported-by: Tuomo Soini <tis@foobar.fi> Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
containers"), we need to make sure that pasta can access the target
namespace directory passed by Podman, and, in a general case, we have
all the permissions we need.

But if we now start a container without the Podman changes referenced
by commit fd1bcc30af07 ("selinux: add container_var_run_t type
transition"), or with them, but with the container being created
before those and without a reboot in between, we'll additionally need
'read' and 'watch' permissions on user_tmp_t directory as well, as
user_tmp_t is still the (inconsistent) context of the namespace entry.

Otherwise, on a container start/restart, we'll get SELinux denials:

  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje
ct_r:user_tmp_t:s0 tclass=dir permissive=1
  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

This can be reproduced quite simply:

  $ podman create -q --name hello hello
  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770

  [upgrade passt's SELinux policy to a version including 7aeda16a7818]

  $ podman start hello
  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
  netns dir open: Permission denied, exiting

Reported-by: Tuomo Soini <tis@foobar.fi>
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Fix build on Fedora 43, selinux_requires_min not available on Copr builders 2025-12-08T10:17:14+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-08T10:17:14+00:00 e8b56a3d2456a62eed5ce4297134b26427c2e5b6 For some reason, on Copr: Building target platforms: aarch64 Building for target aarch64 error: line 42: Unknown tag: %selinux_requires_min Child return code was: 1 Use %selinux_requires_min starting from current Rawhide / Fedora 44, there it works. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
For some reason, on Copr:

  Building target platforms: aarch64
  Building for target aarch64
  error: line 42: Unknown tag: %selinux_requires_min
  Child return code was: 1

Use %selinux_requires_min starting from current Rawhide / Fedora 44,
there it works.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
spec: use %selinux_requires_min macro, drop overlapping dependencies 2025-11-27T21:20:16+00:00 Danish Prakash contact@danishpraka.sh 2025-11-21T12:47:46+00:00 95ab87b490c5235c9c9dde8f100a93f4b17ba4f4 Also, drop unused preun policycoreutils requires, and Recommends on selinux-policy-%{targeted}, it has since been added to %selinux_requires_min. Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: use regex instead of SELinux template 2025-11-04T17:49:43+00:00 Danish Prakash contact@danishpraka.sh 2025-10-30T10:49:13+00:00 1d164396397799088b6dad13178781553333f2aa It might be possible to avoid using SELinux template (%USERID), and instead using regex to match user ids. This would allow discarding the explicit restorecon call while during package builds[1]. Original suggestion from cathy.hu@suse.com: > running restorecon would be unnecessary if the passt upstream selinux > module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway) [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5 Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It might be possible to avoid using SELinux template (%USERID),
and instead using regex to match user ids. This would allow
discarding the explicit restorecon call while during package builds[1].

Original suggestion from cathy.hu@suse.com:

> running restorecon would be unnecessary if the passt upstream selinux
> module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway)

[1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add missing file contexts for Podman 2025-09-18T15:17:10+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:52+00:00 c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add container_var_run_t type transition 2025-09-18T15:16:58+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:50+00:00 fd1bcc30af0778715666434799180ee456c0c83f In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t which was expected here.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: pasta accesses /etc/resolv.conf 2025-08-05T13:30:59+00:00 Cathy Hu cathy.hu@suse.com 2025-08-05T13:19:26+00:00 309eefd6af5ba20f760b92b6131a9ea7f2e161d4 pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in fedora (which uses systemd-resolved) this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta Adresses: ---- time->Fri Jul 25 15:57:16 2025 type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 15:58:10 2025 type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 16:01:53 2025 type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 Signed-off-by: Cathy Hu <cathy.hu@suse.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in fedora (which uses
systemd-resolved)

this replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta

Adresses:

----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc:  denied  { search } for  pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc:  denied  { search } for  pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc:  denied  { search } for  pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0

Signed-off-by: Cathy Hu <cathy.hu@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Hide restorecon(8) errors in post-transaction scriptlet 2025-06-11T14:24:50+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T15:06:43+00:00 0293c6f4a316baa561a9b43388906707f8cf7e81 Commit e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") added a call to restorecon for /run/user in the passt-selinux post-transaction scriptlet, and we can't give a path that's more specific than that, but it often contains FUSE mountpoints that are not accessible as root, resulting in warnings as the package is installed. Hide the errors, a failure in relabeling wouldn't be really problematic in any case. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit e01932353869 ("fedora: Separately restore context for /run/user
in %posttrans selinux") added a call to restorecon for /run/user in
the passt-selinux post-transaction scriptlet, and we can't give a path
that's more specific than that, but it often contains FUSE mountpoints
that are not accessible as root, resulting in warnings as the package
is installed.

Hide the errors, a failure in relabeling wouldn't be really
problematic in any case.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Add container-selinux as dependency for passt-selinux 2025-06-11T14:24:47+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T14:51:46+00:00 98da8a94693f5c138188acd83dc352f197a64817 Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers") introduces usage of container_user_r, container_runtime_t, and container_t, which are provided by the container-selinux package. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
introduces usage of container_user_r, container_runtime_t, and
container_t, which are provided by the container-selinux package.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Depend on SELinux tools and policy version, drop circular dependency 2025-06-06T08:46:40+00:00 Vit Mojzis vmojzis@redhat.com 2025-05-30T16:37:46+00:00 a2088fef360ee262c19186470d63875b32f80917 From an original patch by Vit Mojzis: add dependencies on SELinux userspace tools and recommend the latest available version of the policy as of now. Drop circular dependency between passt and passt-selinux: passt requires passt-selinux, so passt-selinux shouldn't require passt. Link: https://src.fedoraproject.org/rpms/passt/pull-request/3 Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
From an original patch by Vit Mojzis: add dependencies on SELinux
userspace tools and recommend the latest available version of the
policy as of now.

Drop circular dependency between passt and passt-selinux: passt
requires passt-selinux, so passt-selinux shouldn't require passt.

Link: https://src.fedoraproject.org/rpms/passt/pull-request/3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>