diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-08-15 18:53:48 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-08-18 13:18:45 +0200 |
commit | 62059058cf2422e909952b26f3947df23885fd7e (patch) | |
tree | ae5fdfd0db44ac65546a2f61cd32e1a1a0dd4b30 /util.h | |
parent | 0c42326204c1b8ece86512d9d5014d8603449430 (diff) | |
download | passt-62059058cf2422e909952b26f3947df23885fd7e.tar passt-62059058cf2422e909952b26f3947df23885fd7e.tar.gz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.bz2 passt-62059058cf2422e909952b26f3947df23885fd7e.tar.lz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.xz passt-62059058cf2422e909952b26f3947df23885fd7e.tar.zst passt-62059058cf2422e909952b26f3947df23885fd7e.zip |
selinux: Fix user namespace creation after breaking kernel change
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
seems to just introduce a new functionality, but given that SELinux
implements a form of mandatory access control, introducing the new
permission breaks any application (shipping with SELinux policies)
that needs to create user namespaces, such as passt and pasta for
sandboxing purposes.
Add the new 'allow' rules. They appear to be backward compatible,
kernel-wise, and the policy now requires the new 'user_namespace'
class to build, but that's something distributions already ship.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Diffstat (limited to 'util.h')
0 files changed, 0 insertions, 0 deletions