aboutgitcodebugslistschat
path: root/util.h
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2023-08-15 18:53:48 +0200
committerStefano Brivio <sbrivio@redhat.com>2023-08-18 13:18:45 +0200
commit62059058cf2422e909952b26f3947df23885fd7e (patch)
treeae5fdfd0db44ac65546a2f61cd32e1a1a0dd4b30 /util.h
parent0c42326204c1b8ece86512d9d5014d8603449430 (diff)
downloadpasst-62059058cf2422e909952b26f3947df23885fd7e.tar
passt-62059058cf2422e909952b26f3947df23885fd7e.tar.gz
passt-62059058cf2422e909952b26f3947df23885fd7e.tar.bz2
passt-62059058cf2422e909952b26f3947df23885fd7e.tar.lz
passt-62059058cf2422e909952b26f3947df23885fd7e.tar.xz
passt-62059058cf2422e909952b26f3947df23885fd7e.tar.zst
passt-62059058cf2422e909952b26f3947df23885fd7e.zip
selinux: Fix user namespace creation after breaking kernel change
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook") seems to just introduce a new functionality, but given that SELinux implements a form of mandatory access control, introducing the new permission breaks any application (shipping with SELinux policies) that needs to create user namespaces, such as passt and pasta for sandboxing purposes. Add the new 'allow' rules. They appear to be backward compatible, kernel-wise, and the policy now requires the new 'user_namespace' class to build, but that's something distributions already ship. Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Diffstat (limited to 'util.h')
0 files changed, 0 insertions, 0 deletions