authorStefano Brivio <sbrivio@redhat.com>2023-08-15 18:53:48 +0200
committerStefano Brivio <sbrivio@redhat.com>2023-08-18 13:18:45 +0200
commit62059058cf2422e909952b26f3947df23885fd7e (patch)
treeae5fdfd0db44ac65546a2f61cd32e1a1a0dd4b30
parent0c42326204c1b8ece86512d9d5014d8603449430 (diff)
selinux: Fix user namespace creation after breaking kernel change
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook") seems to just introduce new functionality, but given that SELinux implements a form of mandatory access control, introducing the new permission breaks any application (shipping with SELinux policies) that needs to create user namespaces, such as passt and pasta for sandboxing purposes. Add the new 'allow' rules. They appear to be backward compatible, kernel-wise, and the policy now requires the new 'user_namespace' class to build, but that's something distributions already ship. Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
-rw-r--r--contrib/selinux/passt.te2
-rw-r--r--contrib/selinux/pasta.te2
2 files changed, 4 insertions, 0 deletions
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 687ae40..5868a41 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -51,6 +51,7 @@ require {
class capability sys_tty_config;
class cap_userns { setpcap sys_admin sys_ptrace };
+ class user_namespace create;
}
type passt_t;
@@ -90,6 +91,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+allow passt_t self:user_namespace create;
allow passt_t proc_net_t:file read;
allow passt_t net_conf_t:file { open read };
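Review bot: The new `allow passt_t self:user_namespace create;` rule carries no comment explaining why it exists, so a future maintainer tidying the policy has no way to tell that it is required by the kernel's userns_create hook and not a leftover. A one-line comment above it would keep the rationale in the file rather than only in git history, e.g. `# Needed since kernel ed5d44d42c95 ("selinux: Implement userns_create hook"): unshare(CLONE_NEWUSER) is checked against self:user_namespace`. The same comment would fit the parallel rule in pasta.te. It would also help anyone who hits an AVC denial with `tclass=user_namespace` map it back to this rule.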
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 367d09f..645ccee 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -80,6 +80,7 @@ require {
type init_t;
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
+ class user_namespace create;
}
type pasta_t;
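Review bot: The unconditional `class user_namespace create;` in the `require` block means this module no longer builds against a base policy that predates the `user_namespace` class, and nothing in the file records that new minimum requirement. The commit message notes that distributions already ship the class, but the .te file is what people copy into their own policy trees, so a comment next to the requirement would be useful, e.g. `# Requires a base policy that defines the user_namespace class (kernel ed5d44d42c95)`. If the project wants to keep building on older policies it could instead guard the class and the matching allow rule behind an `ifdef`, but that is presumably not worth it given the commit message's reasoning. The pasta.te `require` block starts before this hunk.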
@@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t)
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+allow pasta_t self:user_namespace create;
allow pasta_t bin_t:file { execute execute_no_trans map };
allow pasta_t nsfs_t:file { open read };