9 files changed, 275 insertions, 41 deletions

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index d245115..43fd63f 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -34,6 +34,8 @@
 
   owner @{PROC}/@{pid}/uid_map		r,	# conf_ugid()
 
+  @{PROC}/sys/net/ipv4/ip_local_port_range r,	# fwd_probe_ephemeral()
+
   network netlink raw,				# nl_sock_init_do(), netlink.c
 
   network inet stream,				# tcp.c
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index 9568189..62a4514 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -27,4 +27,25 @@ profile passt /usr/bin/passt{,.avx2} {
 
   owner @{HOME}/**			w,	# pcap(), pidfile_open(),
 						# pidfile_write()
+
+  # Workaround: libvirt's profile comes with a passt subprofile which includes,
+  # in turn, <abstractions/passt>, and adds libvirt-specific rules on top, to
+  # allow passt (when started by libvirtd) to write socket and PID files in the
+  # location requested by libvirtd itself, and to execute passt itself.
+  #
+  # However, when libvirt runs as unprivileged user, the mechanism based on
+  # virt-aa-helper, designed to build per-VM profiles as guests are started,
+  # doesn't work. The helper needs to create and load profiles on the fly, which
+  # can't be done by unprivileged users, of course.
+  #
+  # As a result, libvirtd runs unconfined if guests are started by unprivileged
+  # users, starting passt unconfined as well, which means that passt runs under
+  # its own stand-alone profile (this one), which implies in turn that execve()
+  # of /usr/bin/passt is not allowed, and socket and PID files can't be written.
+  #
+  # Duplicate libvirt-specific rules here as long as this is not solved in
+  # libvirt's profile itself.
+  /usr/bin/passt r,
+  owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
+  owner @{run}/libvirt/qemu/passt/* rw,
 }
diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr.bin.passt-repair
new file mode 100644
index 0000000..901189d
--- /dev/null
+++ b/contrib/apparmor/usr.bin.passt-repair
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+#  for qemu/UNIX domain socket mode
+#
+# PASTA - Pack A Subtle Tap Abstraction
+#  for network namespace/tap device mode
+#
+# contrib/apparmor/usr.bin.passt-repair - AppArmor profile for passt-repair(1)
+#
+# Copyright (c) 2025 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+profile passt-repair /usr/bin/passt-repair {
+  #include <abstractions/base>
+  /** rw,			# passt's ".repair" socket might be anywhere
+  unix (connect, receive, send) type=stream,
+
+  capability dac_override,	# connect to passt's socket as root
+  capability net_admin,		# currently needed for TCP_REPAIR socket option
+  capability net_raw,		# what TCP_REPAIR should require instead
+
+  network unix stream,		# connect and use UNIX domain socket
+  network inet stream,		# use TCP sockets
+}
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 7950fb9..663289f 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -9,6 +9,7 @@
 
 %global git_hash {{{ git_head }}}
 %global selinuxtype targeted
+%global selinux_policy_version 41.41
 
 Name:		passt
 Version:	{{{ git_version }}}
@@ -33,18 +34,22 @@ for network namespaces: traffic is forwarded using a tap interface inside the
 namespace, without the need to create further interfaces on the host, hence not
 requiring any capabilities or privileges.
 
-%package    selinux
-BuildArch:  noarch
-Summary:    SELinux support for passt and pasta
-Requires:   %{name} = %{version}-%{release}
-Requires:   selinux-policy
-Requires(post): %{name}
-Requires(post): policycoreutils
-Requires(preun): %{name}
-Requires(preun): policycoreutils
+%package		selinux
+BuildArch:		noarch
+Summary:		SELinux support for passt and pasta
+Requires:		selinux-policy-%{selinuxtype}
+Requires:		container-selinux
+Requires(post):		selinux-policy-%{selinuxtype}
+Requires(post):		container-selinux
+Requires(post):		policycoreutils
+Requires(post):		libselinux-utils
+Requires(preun):	policycoreutils
+BuildRequires:		selinux-policy-devel
+BuildRequires:		pkgconfig(systemd)
+Recommends:		selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
 
 %description selinux
-This package adds SELinux enforcement to passt(1) and pasta(1).
+This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
 
 %prep
 %setup -q -n passt-%{git_hash}
@@ -82,23 +87,33 @@ make -f %{_datadir}/selinux/devel/Makefile
 install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if
 install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+install -p -m 644 -D passt-repair.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 popd
 
 %pre selinux
 %selinux_relabel_pre -s %{selinuxtype}
 
 %post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
-	%selinux_modules_uninstall -s %{selinuxtype} passt
-	%selinux_modules_uninstall -s %{selinuxtype} pasta
+	%selinux_modules_uninstall -s %{selinuxtype} passt pasta passt-repair
 fi
 
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
+# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file
+# (see selabel_file(5)) in order to restore only the file contexts which
+# actually changed. However, as file_contexts doesn't support %{USERID}
+# substitutions, this will not work for specific file contexts that pasta needs
+# to have under /run/user.
+#
+# Restore those explicitly, hiding errors from restorecon(8): we can't pass a
+# path that's more specific than this, but at the same time /run/user often
+# contains FUSE mountpoints that can't be accessed as root, leading to
+# "Permission denied" messages, but not failures.
+restorecon -R /run/user 2>/dev/null
 
 %files
 %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
@@ -108,9 +123,11 @@ fi
 %{_bindir}/passt
 %{_bindir}/pasta
 %{_bindir}/qrap
+%{_bindir}/passt-repair
 %{_mandir}/man1/passt.1*
 %{_mandir}/man1/pasta.1*
 %{_mandir}/man1/qrap.1*
+%{_mandir}/man1/passt-repair.1*
 %ifarch x86_64
 %{_bindir}/passt.avx2
 %{_mandir}/man1/passt.avx2.1*
@@ -122,6 +139,7 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
 {{{ passt_git_changelog }}}
diff --git a/contrib/selinux/passt-repair.fc b/contrib/selinux/passt-repair.fc
new file mode 100644
index 0000000..bcd526e
--- /dev/null
+++ b/contrib/selinux/passt-repair.fc
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+#  for qemu/UNIX domain socket mode
+#
+# contrib/selinux/passt-repair.fc - SELinux: File Context for passt-repair
+#
+# Copyright (c) 2025 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+/usr/bin/passt-repair		system_u:object_r:passt_repair_exec_t:s0
diff --git a/contrib/selinux/passt-repair.te b/contrib/selinux/passt-repair.te
new file mode 100644
index 0000000..7157dfb
--- /dev/null
+++ b/contrib/selinux/passt-repair.te
@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+#  for qemu/UNIX domain socket mode
+#
+# contrib/selinux/passt-repair.te - SELinux: Type Enforcement for passt-repair
+#
+# Copyright (c) 2025 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+policy_module(passt-repair, 0.1)
+
+require {
+	type unconfined_t;
+	type passt_t;
+	role unconfined_r;
+	class process transition;
+
+	class file { read execute execute_no_trans entrypoint open map };
+	class capability { dac_override net_admin net_raw };
+	class chr_file { append open getattr read write ioctl };
+
+	class unix_stream_socket { create connect sendto };
+	class sock_file { read write };
+
+	class tcp_socket { read setopt write };
+
+	type console_device_t;
+	type user_devpts_t;
+	type user_tmp_t;
+
+	# Workaround: passt-repair needs to needs to access socket files
+	# that passt, started by libvirt, might create under different
+	# labels, depending on whether passt is started as root or not.
+	#
+	# However, libvirt doesn't maintain its own policy, which makes
+	# updates particularly complicated. To avoid breakage in the short
+	# term, deal with that in passt's own policy.
+	type qemu_var_run_t;
+	type virt_var_run_t;
+}
+
+type passt_repair_t;
+domain_type(passt_repair_t);
+type passt_repair_exec_t;
+corecmd_executable_file(passt_repair_exec_t);
+
+role unconfined_r types passt_repair_t;
+
+allow passt_repair_t passt_repair_exec_t:file { read execute execute_no_trans entrypoint open map };
+type_transition unconfined_t passt_repair_exec_t:process passt_repair_t;
+allow unconfined_t passt_repair_t:process transition;
+
+allow passt_repair_t self:capability { dac_override dac_read_search net_admin net_raw };
+allow passt_repair_t self:capability2 bpf;
+
+allow passt_repair_t console_device_t:chr_file { append open getattr read write ioctl };
+allow passt_repair_t user_devpts_t:chr_file { append open getattr read write ioctl };
+
+allow passt_repair_t unconfined_t:unix_stream_socket { connectto read write };
+allow passt_repair_t passt_t:unix_stream_socket { connectto read write };
+allow passt_repair_t user_tmp_t:unix_stream_socket { connectto read write };
+
+allow passt_repair_t user_tmp_t:dir { getattr read search watch };
+
+allow passt_repair_t unconfined_t:sock_file { getattr read write };
+allow passt_repair_t passt_t:sock_file { getattr read write };
+allow passt_repair_t user_tmp_t:sock_file { getattr read write };
+
+allow passt_repair_t unconfined_t:tcp_socket { read setopt write };
+allow passt_repair_t passt_t:tcp_socket { read setopt write };
+
+# Workaround: passt-repair needs to needs to access socket files
+# that passt, started by libvirt, might create under different
+# labels, depending on whether passt is started as root or not.
+#
+# However, libvirt doesn't maintain its own policy, which makes
+# updates particularly complicated. To avoid breakage in the short
+# term, deal with that in passt's own policy.
+allow passt_repair_t qemu_var_run_t:unix_stream_socket { connectto read write };
+allow passt_repair_t virt_var_run_t:unix_stream_socket { connectto read write };
+
+allow passt_repair_t qemu_var_run_t:dir { getattr read search watch };
+allow passt_repair_t virt_var_run_t:dir { getattr read search watch };
+
+allow passt_repair_t qemu_var_run_t:sock_file { getattr read write };
+allow passt_repair_t virt_var_run_t:sock_file { getattr read write };
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index bbb0917..eb9ce72 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -20,9 +20,19 @@ require {
 	type fs_t;
 	type tmp_t;
 	type user_tmp_t;
+	type user_home_t;
 	type tmpfs_t;
 	type root_t;
 
+	# Workaround: passt --vhost-user needs to map guest memory, but
+	# libvirt doesn't maintain its own policy, which makes updates
+	# particularly complicated. To avoid breakage in the short term,
+	# deal with it in passt's own policy.
+	type svirt_image_t;
+	type svirt_tmpfs_t;
+	type svirt_t;
+	type null_device_t;
+
 	class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
 	class dir { search write add_name remove_name mounton };
 	class chr_file { append read write open getattr ioctl };
@@ -38,8 +48,8 @@ require {
 	type net_conf_t;
 	type proc_net_t;
 	type node_t;
-	class tcp_socket { create accept listen name_bind name_connect };
-	class udp_socket { create accept listen };
+	class tcp_socket { create accept listen name_bind name_connect getattr ioctl };
+	class udp_socket { create accept listen getattr };
 	class icmp_socket { bind create name_bind node_bind setopt read write };
 	class sock_file { create unlink write };
 
@@ -47,9 +57,8 @@ require {
 	type port_t;
 	type http_port_t;
 
-	type passwd_file_t;
-
 	class netlink_route_socket { bind create nlmsg_read };
+	type sysctl_net_t;
 
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace };
@@ -81,6 +90,9 @@ allow passt_t root_t:dir mounton;
 allow passt_t tmp_t:dir { add_name mounton remove_name write };
 allow passt_t tmpfs_t:filesystem mount;
 allow passt_t fs_t:filesystem unmount;
+allow passt_t user_home_t:dir search;
+allow passt_t user_tmp_t:fifo_file append;
+allow passt_t user_tmp_t:file map;
 
 manage_files_pattern(passt_t, user_tmp_t, user_tmp_t)
 files_pid_filetrans(passt_t, user_tmp_t, file)
@@ -95,8 +107,7 @@ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid s
 allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
 allow passt_t self:user_namespace create;
 
-allow passt_t passwd_file_t:file read_file_perms;
-sssd_search_lib(passt_t)
+auth_read_passwd(passt_t)
 
 allow passt_t proc_net_t:file read;
 allow passt_t net_conf_t:file { open read };
@@ -104,6 +115,8 @@ allow passt_t net_conf_t:lnk_file read;
 allow passt_t tmp_t:sock_file { create unlink write };
 allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
 kernel_search_network_sysctl(passt_t)
+allow passt_t sysctl_net_t:dir search;
+allow passt_t sysctl_net_t:file { open read };
 
 corenet_tcp_bind_all_nodes(passt_t)
 corenet_udp_bind_all_nodes(passt_t)
@@ -119,11 +132,19 @@ corenet_udp_sendrecv_all_ports(passt_t)
 allow passt_t node_t:icmp_socket { name_bind node_bind };
 allow passt_t port_t:icmp_socket name_bind;
 
-allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
-allow passt_t self:udp_socket { create getopt setopt connect bind read write };
+allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write getattr ioctl };
+allow passt_t self:udp_socket { create getopt setopt connect bind read write getattr };
 allow passt_t self:icmp_socket { bind create setopt read write };
 
 allow passt_t user_tmp_t:dir { add_name write };
 allow passt_t user_tmp_t:file { create open };
 allow passt_t user_tmp_t:sock_file { create read write unlink };
 allow passt_t unconfined_t:unix_stream_socket { read write };
+
+# Workaround: passt --vhost-user needs to map guest memory, but
+# libvirt doesn't maintain its own policy, which makes updates
+# particularly complicated. To avoid breakage in the short term,
+# deal with it in passt's own policy.
+allow passt_t svirt_image_t:file { read write map };
+allow passt_t svirt_tmpfs_t:file { read write map };
+allow passt_t null_device_t:chr_file map;
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index 41ee46d..e4aefc4 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -8,7 +8,9 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-/usr/bin/pasta			system_u:object_r:pasta_exec_t:s0
-/usr/bin/pasta.avx2		system_u:object_r:pasta_exec_t:s0
-/tmp/pasta\.pcap		system_u:object_r:pasta_log_t:s0
-/var/run/pasta\.pid		system_u:object_r:pasta_pid_t:s0
+/usr/bin/pasta						system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2					system_u:object_r:pasta_exec_t:s0
+/tmp/pasta\.pcap					system_u:object_r:pasta_log_t:s0
+/var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
+/run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
+/run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 4e36c3f..9440d05 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -18,6 +18,7 @@ require {
 	type bin_t;
 	type user_home_t;
 	type user_home_dir_t;
+	type user_tmp_t;
 	type fs_t;
 	type tmp_t;
 	type tmpfs_t;
@@ -56,8 +57,10 @@ require {
 	attribute port_type;
 	type port_t;
 	type http_port_t;
+	type http_cache_port_t;
 	type ssh_port_t;
 	type reserved_port_t;
+	type unreserved_port_t;
 	type dns_port_t;
 	type dhcpc_port_t;
 	type chronyd_port_t;
@@ -68,9 +71,6 @@ require {
 	type system_dbusd_t;
 	type systemd_hostnamed_t;
 	type systemd_systemctl_exec_t;
-	type passwd_file_t;
-	type sssd_public_t;
-	type sssd_var_lib_t;
 	class dbus send_msg;
 	class system module_request;
 	class system status;
@@ -89,6 +89,15 @@ require {
 	class capability { sys_tty_config setuid setgid };
 	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
 	class user_namespace create;
+
+	# Container requires
+	attribute_role usernetctl_roles;
+	role container_user_r;
+	role staff_r;
+	role user_r;
+	type container_runtime_t;
+	type container_t;
+	type systemd_user_runtimedir_t;
 }
 
 type pasta_t;
@@ -113,10 +122,12 @@ init_daemon_domain(pasta_t, pasta_exec_t)
 
 allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
 allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+# pasta only calls setuid and setgid with the current UID and GID, so this
+# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
+dontaudit pasta_t self:cap_userns { setgid setuid };
 allow pasta_t self:user_namespace create;
 
-allow pasta_t passwd_file_t:file read_file_perms;
-sssd_search_lib(pasta_t)
+auth_read_passwd(pasta_t)
 
 domain_auto_trans(pasta_t, bin_t, unconfined_t);
 domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
@@ -126,17 +137,22 @@ domain_auto_trans(pasta_t, ping_exec_t, ping_t);
 
 allow pasta_t nsfs_t:file { open read };
 
-allow pasta_t user_home_t:dir getattr;
-allow pasta_t user_home_t:file { open read getattr setattr };
+allow pasta_t user_home_t:dir { getattr search };
+allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_trans map};
 allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
 allow pasta_t user_home_dir_t:file { create open read write };
 allow pasta_t tmp_t:dir { add_name mounton remove_name write };
-allow pasta_t tmpfs_t:filesystem mount;
+allow pasta_t tmpfs_t:filesystem { getattr mount };
 allow pasta_t fs_t:filesystem unmount;
 allow pasta_t root_t:dir mounton;
 manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
 files_pid_filetrans(pasta_t, pasta_pid_t, file)
 
+allow pasta_t user_tmp_t:dir { add_name remove_name search write };
+allow pasta_t user_tmp_t:fifo_file append;
+allow pasta_t user_tmp_t:file { create open write };
+allow pasta_t user_tmp_t:sock_file { create unlink };
+
 allow pasta_t console_device_t:chr_file { open write getattr ioctl };
 allow pasta_t user_devpts_t:chr_file { getattr read write ioctl };
 logging_send_syslog_msg(pasta_t)
@@ -152,6 +168,11 @@ allow pasta_t tmp_t:sock_file { create unlink write };
 allow pasta_t self:tcp_socket create_stream_socket_perms;
 corenet_tcp_sendrecv_generic_node(pasta_t)
 corenet_tcp_bind_generic_node(pasta_t)
+allow pasta_t container_runtime_t:dir { open read search };
+allow pasta_t container_runtime_t:fifo_file { getattr write };
+allow pasta_t container_runtime_t:file read;
+allow pasta_t container_runtime_t:lnk_file read;
+allow pasta_t container_t:lnk_file read;
 allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
 allow pasta_t pasta_port_t:udp_socket { name_bind };
 allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
@@ -164,6 +185,8 @@ allow pasta_t self:udp_socket create_stream_socket_perms;
 allow pasta_t reserved_port_t:udp_socket name_bind;
 allow pasta_t llmnr_port_t:tcp_socket name_bind;
 allow pasta_t llmnr_port_t:udp_socket name_bind;
+allow pasta_t http_cache_port_t:tcp_socket { name_bind name_connect };
+allow pasta_t unreserved_port_t:udp_socket name_bind;
 corenet_udp_sendrecv_generic_node(pasta_t)
 corenet_udp_bind_generic_node(pasta_t)
 allow pasta_t node_t:icmp_socket { name_bind node_bind };
@@ -175,15 +198,12 @@ allow pasta_t init_t:lnk_file read;
 allow pasta_t init_t:unix_stream_socket connectto;
 allow pasta_t init_t:dbus send_msg;
 allow pasta_t init_t:system status;
-allow pasta_t unconfined_t:dir search;
+allow pasta_t unconfined_t:dir { read search };
 allow pasta_t unconfined_t:file read;
 allow pasta_t unconfined_t:lnk_file read;
-allow pasta_t passwd_file_t:file { getattr open read };
 allow pasta_t self:process { setpgid setcap };
 allow pasta_t shell_exec_t:file { execute execute_no_trans map };
 
-allow pasta_t sssd_var_lib_t:dir search;
-allow pasta_t sssd_public_t:dir search;
 allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map };
 allow pasta_t system_dbusd_t:unix_stream_socket connectto;
 allow pasta_t system_dbusd_t:dbus send_msg;
@@ -196,11 +216,9 @@ allow pasta_t ifconfig_var_run_t:dir { read search watch };
 allow pasta_t self:tun_socket create;
 allow pasta_t tun_tap_device_t:chr_file { ioctl open read write };
 allow pasta_t sysctl_net_t:dir search;
-allow pasta_t sysctl_net_t:file { open write };
+allow pasta_t sysctl_net_t:file { open read write };
 allow pasta_t kernel_t:system module_request;
 
-allow pasta_t nsfs_t:file read;
-
 allow pasta_t proc_t:dir mounton;
 allow pasta_t proc_t:filesystem mount;
 allow pasta_t net_conf_t:lnk_file read;
@@ -212,3 +230,28 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
 allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
 allow pasta_t user_tty_device_t:chr_file { append read write };
 allow pasta_t user_devpts_t:chr_file { append read write };
+
+# Allow network administration commands for non-privileged users
+roleattribute container_user_r usernetctl_roles;
+roleattribute staff_r usernetctl_roles;
+roleattribute user_r usernetctl_roles;
+role usernetctl_roles types pasta_t;
+
+# Make pasta in a container run under the pasta_t context
+type_transition container_runtime_t pasta_exec_t : process pasta_t;
+allow container_runtime_t pasta_t:process transition;
+
+# Label the user network namespace files
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+allow pasta_t ifconfig_var_run_t:file { create open write };
+allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
+
+# Allow pasta to bind to any port
+bool pasta_bind_all_ports true;
+if (pasta_bind_all_ports) {
+	allow pasta_t port_type:icmp_socket { accept getopt name_bind };
+	allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
+	allow pasta_t port_type:udp_socket { accept getopt name_bind };
+}