selinux: Allow pasta to create and use its control socket when started by Podman

If Podman starts us, we need to be able to create and use a UNIX
domain socket file under ifconfig_var_run_t or container_var_run_t:
add the related permissions.

The failure reported by Jan would have been fixed by a simple:

  allow pasta_t ifconfig_var_run_t:sock_file create;

but we'll need more than that for actual operation with pesto(1),
and to cover all possible cases.

Reported-by: Jan Rodák <jrodak@redhat.com>
Link: https://github.com/containers/podman/pull/28478
Fixes: 533577008942 ("selinux: Add file context and type enforcement for pesto")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 2 insertions, 0 deletions

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index fb51416..ff74dd7 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -253,6 +253,8 @@ allow pasta_t container_var_run_t:dir { add_name open rmdir write };
 allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
 allow pasta_t container_var_run_t:file { create open write };
 allow pasta_t ifconfig_var_run_t:file { create open write };
+allow pasta_t container_var_run_t:sock_file { getattr create open read write };
+allow pasta_t ifconfig_var_run_t:sock_file { getattr create open read write };
 allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
 
 # Allow pasta to bind to any port