diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-08-15 18:53:48 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-08-18 13:18:45 +0200 |
commit | 62059058cf2422e909952b26f3947df23885fd7e (patch) | |
tree | ae5fdfd0db44ac65546a2f61cd32e1a1a0dd4b30 | |
parent | 0c42326204c1b8ece86512d9d5014d8603449430 (diff) | |
download | passt-62059058cf2422e909952b26f3947df23885fd7e.tar passt-62059058cf2422e909952b26f3947df23885fd7e.tar.gz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.bz2 passt-62059058cf2422e909952b26f3947df23885fd7e.tar.lz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.xz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.zst passt-62059058cf2422e909952b26f3947df23885fd7e.zip |
selinux: Fix user namespace creation after breaking kernel change
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
seems to just introduce a new functionality, but given that SELinux
implements a form of mandatory access control, introducing the new
permission breaks any application (shipping with SELinux policies)
that needs to create user namespaces, such as passt and pasta for
sandboxing purposes.
Add the new 'allow' rules. They appear to be backward compatible,
kernel-wise, and the policy now requires the new 'user_namespace'
class to build, but that's something distributions already ship.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
-rw-r--r-- | contrib/selinux/passt.te | 2 | ||||
-rw-r--r-- | contrib/selinux/pasta.te | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 687ae40..5868a41 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -51,6 +51,7 @@ require { class capability sys_tty_config; class cap_userns { setpcap sys_admin sys_ptrace }; + class user_namespace create; } type passt_t; @@ -90,6 +91,7 @@ allow syslogd_t self:cap_userns sys_ptrace; allow passt_t self:process setcap; allow passt_t self:capability { sys_tty_config setpcap net_bind_service }; allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; +allow passt_t self:user_namespace create; allow passt_t proc_net_t:file read; allow passt_t net_conf_t:file { open read }; diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 367d09f..645ccee 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -80,6 +80,7 @@ require { type init_t; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; + class user_namespace create; } type pasta_t; @@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; +allow pasta_t self:user_namespace create; allow pasta_t bin_t:file { execute execute_no_trans map }; allow pasta_t nsfs_t:file { open read }; |