5 files changed, 191 insertions, 27 deletions

diff --git a/contrib/selinux/passt-repair.fc b/contrib/selinux/passt-repair.fc
new file mode 100644
index 0000000..bcd526e
--- /dev/null
+++ b/contrib/selinux/passt-repair.fc
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+#  for qemu/UNIX domain socket mode
+#
+# contrib/selinux/passt-repair.fc - SELinux: File Context for passt-repair
+#
+# Copyright (c) 2025 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+/usr/bin/passt-repair		system_u:object_r:passt_repair_exec_t:s0
diff --git a/contrib/selinux/passt-repair.te b/contrib/selinux/passt-repair.te
new file mode 100644
index 0000000..7157dfb
--- /dev/null
+++ b/contrib/selinux/passt-repair.te
@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+#  for qemu/UNIX domain socket mode
+#
+# contrib/selinux/passt-repair.te - SELinux: Type Enforcement for passt-repair
+#
+# Copyright (c) 2025 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+policy_module(passt-repair, 0.1)
+
+require {
+	type unconfined_t;
+	type passt_t;
+	role unconfined_r;
+	class process transition;
+
+	class file { read execute execute_no_trans entrypoint open map };
+	class capability { dac_override net_admin net_raw };
+	class chr_file { append open getattr read write ioctl };
+
+	class unix_stream_socket { create connect sendto };
+	class sock_file { read write };
+
+	class tcp_socket { read setopt write };
+
+	type console_device_t;
+	type user_devpts_t;
+	type user_tmp_t;
+
+	# Workaround: passt-repair needs to needs to access socket files
+	# that passt, started by libvirt, might create under different
+	# labels, depending on whether passt is started as root or not.
+	#
+	# However, libvirt doesn't maintain its own policy, which makes
+	# updates particularly complicated. To avoid breakage in the short
+	# term, deal with that in passt's own policy.
+	type qemu_var_run_t;
+	type virt_var_run_t;
+}
+
+type passt_repair_t;
+domain_type(passt_repair_t);
+type passt_repair_exec_t;
+corecmd_executable_file(passt_repair_exec_t);
+
+role unconfined_r types passt_repair_t;
+
+allow passt_repair_t passt_repair_exec_t:file { read execute execute_no_trans entrypoint open map };
+type_transition unconfined_t passt_repair_exec_t:process passt_repair_t;
+allow unconfined_t passt_repair_t:process transition;
+
+allow passt_repair_t self:capability { dac_override dac_read_search net_admin net_raw };
+allow passt_repair_t self:capability2 bpf;
+
+allow passt_repair_t console_device_t:chr_file { append open getattr read write ioctl };
+allow passt_repair_t user_devpts_t:chr_file { append open getattr read write ioctl };
+
+allow passt_repair_t unconfined_t:unix_stream_socket { connectto read write };
+allow passt_repair_t passt_t:unix_stream_socket { connectto read write };
+allow passt_repair_t user_tmp_t:unix_stream_socket { connectto read write };
+
+allow passt_repair_t user_tmp_t:dir { getattr read search watch };
+
+allow passt_repair_t unconfined_t:sock_file { getattr read write };
+allow passt_repair_t passt_t:sock_file { getattr read write };
+allow passt_repair_t user_tmp_t:sock_file { getattr read write };
+
+allow passt_repair_t unconfined_t:tcp_socket { read setopt write };
+allow passt_repair_t passt_t:tcp_socket { read setopt write };
+
+# Workaround: passt-repair needs to needs to access socket files
+# that passt, started by libvirt, might create under different
+# labels, depending on whether passt is started as root or not.
+#
+# However, libvirt doesn't maintain its own policy, which makes
+# updates particularly complicated. To avoid breakage in the short
+# term, deal with that in passt's own policy.
+allow passt_repair_t qemu_var_run_t:unix_stream_socket { connectto read write };
+allow passt_repair_t virt_var_run_t:unix_stream_socket { connectto read write };
+
+allow passt_repair_t qemu_var_run_t:dir { getattr read search watch };
+allow passt_repair_t virt_var_run_t:dir { getattr read search watch };
+
+allow passt_repair_t qemu_var_run_t:sock_file { getattr read write };
+allow passt_repair_t virt_var_run_t:sock_file { getattr read write };
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index bbb0917..eb9ce72 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -20,9 +20,19 @@ require {
 	type fs_t;
 	type tmp_t;
 	type user_tmp_t;
+	type user_home_t;
 	type tmpfs_t;
 	type root_t;
 
+	# Workaround: passt --vhost-user needs to map guest memory, but
+	# libvirt doesn't maintain its own policy, which makes updates
+	# particularly complicated. To avoid breakage in the short term,
+	# deal with it in passt's own policy.
+	type svirt_image_t;
+	type svirt_tmpfs_t;
+	type svirt_t;
+	type null_device_t;
+
 	class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
 	class dir { search write add_name remove_name mounton };
 	class chr_file { append read write open getattr ioctl };
@@ -38,8 +48,8 @@ require {
 	type net_conf_t;
 	type proc_net_t;
 	type node_t;
-	class tcp_socket { create accept listen name_bind name_connect };
-	class udp_socket { create accept listen };
+	class tcp_socket { create accept listen name_bind name_connect getattr ioctl };
+	class udp_socket { create accept listen getattr };
 	class icmp_socket { bind create name_bind node_bind setopt read write };
 	class sock_file { create unlink write };
 
@@ -47,9 +57,8 @@ require {
 	type port_t;
 	type http_port_t;
 
-	type passwd_file_t;
-
 	class netlink_route_socket { bind create nlmsg_read };
+	type sysctl_net_t;
 
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace };
@@ -81,6 +90,9 @@ allow passt_t root_t:dir mounton;
 allow passt_t tmp_t:dir { add_name mounton remove_name write };
 allow passt_t tmpfs_t:filesystem mount;
 allow passt_t fs_t:filesystem unmount;
+allow passt_t user_home_t:dir search;
+allow passt_t user_tmp_t:fifo_file append;
+allow passt_t user_tmp_t:file map;
 
 manage_files_pattern(passt_t, user_tmp_t, user_tmp_t)
 files_pid_filetrans(passt_t, user_tmp_t, file)
@@ -95,8 +107,7 @@ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid s
 allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
 allow passt_t self:user_namespace create;
 
-allow passt_t passwd_file_t:file read_file_perms;
-sssd_search_lib(passt_t)
+auth_read_passwd(passt_t)
 
 allow passt_t proc_net_t:file read;
 allow passt_t net_conf_t:file { open read };
@@ -104,6 +115,8 @@ allow passt_t net_conf_t:lnk_file read;
 allow passt_t tmp_t:sock_file { create unlink write };
 allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
 kernel_search_network_sysctl(passt_t)
+allow passt_t sysctl_net_t:dir search;
+allow passt_t sysctl_net_t:file { open read };
 
 corenet_tcp_bind_all_nodes(passt_t)
 corenet_udp_bind_all_nodes(passt_t)
@@ -119,11 +132,19 @@ corenet_udp_sendrecv_all_ports(passt_t)
 allow passt_t node_t:icmp_socket { name_bind node_bind };
 allow passt_t port_t:icmp_socket name_bind;
 
-allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
-allow passt_t self:udp_socket { create getopt setopt connect bind read write };
+allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write getattr ioctl };
+allow passt_t self:udp_socket { create getopt setopt connect bind read write getattr };
 allow passt_t self:icmp_socket { bind create setopt read write };
 
 allow passt_t user_tmp_t:dir { add_name write };
 allow passt_t user_tmp_t:file { create open };
 allow passt_t user_tmp_t:sock_file { create read write unlink };
 allow passt_t unconfined_t:unix_stream_socket { read write };
+
+# Workaround: passt --vhost-user needs to map guest memory, but
+# libvirt doesn't maintain its own policy, which makes updates
+# particularly complicated. To avoid breakage in the short term,
+# deal with it in passt's own policy.
+allow passt_t svirt_image_t:file { read write map };
+allow passt_t svirt_tmpfs_t:file { read write map };
+allow passt_t null_device_t:chr_file map;
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index 41ee46d..e4aefc4 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -8,7 +8,9 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-/usr/bin/pasta			system_u:object_r:pasta_exec_t:s0
-/usr/bin/pasta.avx2		system_u:object_r:pasta_exec_t:s0
-/tmp/pasta\.pcap		system_u:object_r:pasta_log_t:s0
-/var/run/pasta\.pid		system_u:object_r:pasta_pid_t:s0
+/usr/bin/pasta						system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2					system_u:object_r:pasta_exec_t:s0
+/tmp/pasta\.pcap					system_u:object_r:pasta_log_t:s0
+/var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
+/run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
+/run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 4e36c3f..9440d05 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -18,6 +18,7 @@ require {
 	type bin_t;
 	type user_home_t;
 	type user_home_dir_t;
+	type user_tmp_t;
 	type fs_t;
 	type tmp_t;
 	type tmpfs_t;
@@ -56,8 +57,10 @@ require {
 	attribute port_type;
 	type port_t;
 	type http_port_t;
+	type http_cache_port_t;
 	type ssh_port_t;
 	type reserved_port_t;
+	type unreserved_port_t;
 	type dns_port_t;
 	type dhcpc_port_t;
 	type chronyd_port_t;
@@ -68,9 +71,6 @@ require {
 	type system_dbusd_t;
 	type systemd_hostnamed_t;
 	type systemd_systemctl_exec_t;
-	type passwd_file_t;
-	type sssd_public_t;
-	type sssd_var_lib_t;
 	class dbus send_msg;
 	class system module_request;
 	class system status;
@@ -89,6 +89,15 @@ require {
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
 	class user_namespace create;
+
+	# Container requires
+	attribute_role usernetctl_roles;
+	role container_user_r;
+	role staff_r;
+	role user_r;
+	type container_runtime_t;
+	type container_t;
+	type systemd_user_runtimedir_t;
 }
 
 type pasta_t;
@@ -113,10 +122,12 @@ init_daemon_domain(pasta_t, pasta_exec_t)
 
 allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
 allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+# pasta only calls setuid and setgid with the current UID and GID, so this
+# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
+dontaudit pasta_t self:cap_userns { setgid setuid };
 allow pasta_t self:user_namespace create;
 
-allow pasta_t passwd_file_t:file read_file_perms;
-sssd_search_lib(pasta_t)
+auth_read_passwd(pasta_t)
 
 domain_auto_trans(pasta_t, bin_t, unconfined_t);
 domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
@@ -126,17 +137,22 @@ domain_auto_trans(pasta_t, ping_exec_t, ping_t);
 
 allow pasta_t nsfs_t:file { open read };
 
-allow pasta_t user_home_t:dir getattr;
-allow pasta_t user_home_t:file { open read getattr setattr };
+allow pasta_t user_home_t:dir { getattr search };
+allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_trans map};
 allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
 allow pasta_t user_home_dir_t:file { create open read write };
 allow pasta_t tmp_t:dir { add_name mounton remove_name write };
-allow pasta_t tmpfs_t:filesystem mount;
+allow pasta_t tmpfs_t:filesystem { getattr mount };
 allow pasta_t fs_t:filesystem unmount;
 allow pasta_t root_t:dir mounton;
 manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
 files_pid_filetrans(pasta_t, pasta_pid_t, file)
 
+allow pasta_t user_tmp_t:dir { add_name remove_name search write };
+allow pasta_t user_tmp_t:fifo_file append;
+allow pasta_t user_tmp_t:file { create open write };
+allow pasta_t user_tmp_t:sock_file { create unlink };
+
 allow pasta_t console_device_t:chr_file { open write getattr ioctl };
 allow pasta_t user_devpts_t:chr_file { getattr read write ioctl };
 logging_send_syslog_msg(pasta_t)
@@ -152,6 +168,11 @@ allow pasta_t tmp_t:sock_file { create unlink write };
 allow pasta_t self:tcp_socket create_stream_socket_perms;
 corenet_tcp_sendrecv_generic_node(pasta_t)
 corenet_tcp_bind_generic_node(pasta_t)
+allow pasta_t container_runtime_t:dir { open read search };
+allow pasta_t container_runtime_t:fifo_file { getattr write };
+allow pasta_t container_runtime_t:file read;
+allow pasta_t container_runtime_t:lnk_file read;
+allow pasta_t container_t:lnk_file read;
 allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
 allow pasta_t pasta_port_t:udp_socket { name_bind };
 allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
@@ -164,6 +185,8 @@ allow pasta_t self:udp_socket create_stream_socket_perms;
 allow pasta_t reserved_port_t:udp_socket name_bind;
 allow pasta_t llmnr_port_t:tcp_socket name_bind;
 allow pasta_t llmnr_port_t:udp_socket name_bind;
+allow pasta_t http_cache_port_t:tcp_socket { name_bind name_connect };
+allow pasta_t unreserved_port_t:udp_socket name_bind;
 corenet_udp_sendrecv_generic_node(pasta_t)
 corenet_udp_bind_generic_node(pasta_t)
 allow pasta_t node_t:icmp_socket { name_bind node_bind };
@@ -175,15 +198,12 @@ allow pasta_t init_t:lnk_file read;
 allow pasta_t init_t:unix_stream_socket connectto;
 allow pasta_t init_t:dbus send_msg;
 allow pasta_t init_t:system status;
-allow pasta_t unconfined_t:dir search;
+allow pasta_t unconfined_t:dir { read search };
 allow pasta_t unconfined_t:file read;
 allow pasta_t unconfined_t:lnk_file read;
-allow pasta_t passwd_file_t:file { getattr open read };
 allow pasta_t self:process { setpgid setcap };
 allow pasta_t shell_exec_t:file { execute execute_no_trans map };
 
-allow pasta_t sssd_var_lib_t:dir search;
-allow pasta_t sssd_public_t:dir search;
 allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map };
 allow pasta_t system_dbusd_t:unix_stream_socket connectto;
 allow pasta_t system_dbusd_t:dbus send_msg;
@@ -196,11 +216,9 @@ allow pasta_t ifconfig_var_run_t:dir { read search watch };
 allow pasta_t self:tun_socket create;
 allow pasta_t tun_tap_device_t:chr_file { ioctl open read write };
 allow pasta_t sysctl_net_t:dir search;
-allow pasta_t sysctl_net_t:file { open write };
+allow pasta_t sysctl_net_t:file { open read write };
 allow pasta_t kernel_t:system module_request;
 
-allow pasta_t nsfs_t:file read;
-
 allow pasta_t proc_t:dir mounton;
 allow pasta_t proc_t:filesystem mount;
 allow pasta_t net_conf_t:lnk_file read;
@@ -212,3 +230,28 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
 allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
 allow pasta_t user_tty_device_t:chr_file { append read write };
 allow pasta_t user_devpts_t:chr_file { append read write };
+
+# Allow network administration commands for non-privileged users
+roleattribute container_user_r usernetctl_roles;
+roleattribute staff_r usernetctl_roles;
+roleattribute user_r usernetctl_roles;
+role usernetctl_roles types pasta_t;
+
+# Make pasta in a container run under the pasta_t context
+type_transition container_runtime_t pasta_exec_t : process pasta_t;
+allow container_runtime_t pasta_t:process transition;
+
+# Label the user network namespace files
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+allow pasta_t ifconfig_var_run_t:file { create open write };
+allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
+
+# Allow pasta to bind to any port
+bool pasta_bind_all_ports true;
+if (pasta_bind_all_ports) {
+	allow pasta_t port_type:icmp_socket { accept getopt name_bind };
+	allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
+	allow pasta_t port_type:udp_socket { accept getopt name_bind };
+}