| field | value | date |
|---|---|---|
| author | Stefano Brivio <sbrivio@redhat.com> | 2023-08-15 19:56:15 +0200 |
| committer | Stefano Brivio <sbrivio@redhat.com> | 2023-08-18 18:47:53 +0200 |
| commit | 30817fdd4e98e762973a390e293130e4bd7f2396 (patch) | |
| tree | 73952ae93e3385cabde626f458803d0a64367e1f | |
| parent | 977652155d546fbc3cef27928f889d3cf019420a (diff) | |
selinux: Allow pasta_t to read nsfs entries
This is needed to monitor filesystem-bound namespaces and quit when
they're gone -- this feature never really worked with SELinux.
Fixes: 745a9ba4284c ("pasta: By default, quit if filesystem-bound net namespace goes away")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | contrib/selinux/pasta.te | 2 |

1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 86d9456..ce9186f 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search; allow pasta_t sysctl_net_t:file { open write }; allow pasta_t kernel_t:system module_request; +allow pasta_t nsfs_t:file read; + allow pasta_t net_conf_t:lnk_file read; allow pasta_t proc_net_t:lnk_file read; |
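Review bot: the new rule `allow pasta_t nsfs_t:file read;` grants only `read`; if the namespace monitor open()s the nsfs entry itself rather than reading an fd it was already handed, SELinux (with the open_perms capability, which this module already relies on) also checks `open` on the file class, as the neighbouring `allow pasta_t sysctl_net_t:file { open write };` does, so `allow pasta_t nsfs_t:file { open read };` is likely what is needed unless an enforcing-mode run confirms `read` alone suffices. The hunk also does not show a `require` block for `nsfs_t`; please confirm the type is already declared in the module, otherwise the policy will fail to build. Minor: the added blank line after the new rule splits what was one contiguous block of allow rules; dropping it keeps the grouping consistent with the surrounding lines.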