aboutgitcodebugslistschat
path: root/contrib/selinux/pasta.te
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2024-02-16 09:43:12 +0100
committerStefano Brivio <sbrivio@redhat.com>2024-02-16 09:43:12 +0100
commit08344dacb14bdda5f6ee1fa36dab36776101115b (patch)
tree9e059c4d8f31fadb64ffe01b56b7d4b82c68c26f /contrib/selinux/pasta.te
parent338b6321ac0db2fbcbfccd99d2625f3b6da777da (diff)
downloadpasst-08344dacb14bdda5f6ee1fa36dab36776101115b.tar
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.tar.gz
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.tar.bz2
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.tar.lz
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.tar.xz
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.tar.zst
passt-08344dacb14bdda5f6ee1fa36dab36776101115b.zip
selinux: Allow pasta to remount procfs2024_02_16.08344da
Partially equivalent to commit abf5ef6c22d2 ("apparmor: Allow pasta to remount /proc, access entries under its own copy"): we should allow pasta to remount /proc. It still works otherwise, but further UID remapping in nested user namespaces (e.g. pasta in pasta) won't. Reported-by: Laurent Jacquot <jk@lutty.net> Link: https://bugs.passt.top/show_bug.cgi?id=79#c3 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/selinux/pasta.te')
-rw-r--r--contrib/selinux/pasta.te2
1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index ed70c5f..0ceda06 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -201,6 +201,8 @@ allow pasta_t kernel_t:system module_request;
allow pasta_t nsfs_t:file read;
+allow pasta_t proc_t:dir mounton;
+allow pasta_t proc_t:filesystem mount;
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-03 07:56:15 +0000