aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2023-08-15 19:56:15 +0200
committerStefano Brivio <sbrivio@redhat.com>2023-08-18 18:47:53 +0200
commit30817fdd4e98e762973a390e293130e4bd7f2396 (patch)
tree73952ae93e3385cabde626f458803d0a64367e1f
parent977652155d546fbc3cef27928f889d3cf019420a (diff)
downloadpasst-30817fdd4e98e762973a390e293130e4bd7f2396.tar
passt-30817fdd4e98e762973a390e293130e4bd7f2396.tar.gz
passt-30817fdd4e98e762973a390e293130e4bd7f2396.tar.bz2
passt-30817fdd4e98e762973a390e293130e4bd7f2396.tar.lz
passt-30817fdd4e98e762973a390e293130e4bd7f2396.tar.xz
passt-30817fdd4e98e762973a390e293130e4bd7f2396.tar.zst
passt-30817fdd4e98e762973a390e293130e4bd7f2396.zip
selinux: Allow pasta_t to read nsfs entries
This is needed to monitor filesystem-bound namespaces and quit when they're gone -- this feature never really worked with SELinux. Fixes: 745a9ba4284c ("pasta: By default, quit if filesystem-bound net namespace goes away") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Richard W.M. Jones <rjones@redhat.com>
-rw-r--r--contrib/selinux/pasta.te2
1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 86d9456..ce9186f 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;
+allow pasta_t nsfs_t:file read;
+
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;