diff options
| author | Cathy Hu <cathy.hu@suse.com> | 2025-08-05 15:19:26 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2025-08-05 15:30:59 +0200 |
| commit | 309eefd6af5ba20f760b92b6131a9ea7f2e161d4 (patch) | |
| tree | f902787760d547e4f8b59d966027539c7f50e208 | |
| parent | a8782865c342eb2682cca292d5bf92b567344351 (diff) | |
| download | passt-master.tar passt-master.tar.gz passt-master.tar.bz2 passt-master.tar.lz passt-master.tar.xz passt-master.tar.zst passt-master.zip | |
selinux: pasta accesses /etc/resolv.confHEAD2025_08_05.309eefdmaster
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in fedora (which uses
systemd-resolved)
this replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta
Adresses:
----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
Signed-off-by: Cathy Hu <cathy.hu@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| -rw-r--r-- | contrib/selinux/passt.te | 4 | ||||
| -rw-r--r-- | contrib/selinux/pasta.te | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index eb9ce72..6995df8 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -110,8 +110,6 @@ allow passt_t self:user_namespace create; auth_read_passwd(passt_t) allow passt_t proc_net_t:file read; -allow passt_t net_conf_t:file { open read }; -allow passt_t net_conf_t:lnk_file read; allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; kernel_search_network_sysctl(passt_t) @@ -129,6 +127,8 @@ corenet_tcp_connect_all_ports(passt_t) corenet_tcp_sendrecv_all_ports(passt_t) corenet_udp_sendrecv_all_ports(passt_t) +sysnet_read_config(passt_t) + allow passt_t node_t:icmp_socket { name_bind node_bind }; allow passt_t port_t:icmp_socket name_bind; diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 9440d05..c0a1e9b 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -159,10 +159,11 @@ logging_send_syslog_msg(pasta_t) allow syslogd_t self:cap_userns sys_ptrace; allow pasta_t proc_net_t:file { open read }; -allow pasta_t net_conf_t:file { open read }; allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write }; kernel_search_network_sysctl(pasta_t) +sysnet_read_config(pasta_t) + allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t self:tcp_socket create_stream_socket_perms; @@ -221,7 +222,6 @@ allow pasta_t kernel_t:system module_request; allow pasta_t proc_t:dir mounton; allow pasta_t proc_t:filesystem mount; -allow pasta_t net_conf_t:lnk_file read; allow pasta_t proc_net_t:lnk_file read; allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh }; |