From 5335770089427746986e4f2a6304b39181393083 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 6 May 2026 03:30:29 +0200
Subject: selinux: Add file context and type enforcement for pesto

Loosely inspired by passt-repair's policy: pesto needs to be able to run, check networking entries under /proc (for ip_local_port_range), talk to passt and pasta, wherever the control socket is.

Signed-off-by: Stefano Brivio
---
 contrib/selinux/pesto.fc | 11 ++++++
 contrib/selinux/pesto.te | 95 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 contrib/selinux/pesto.fc
 create mode 100644 contrib/selinux/pesto.te

diff --git a/contrib/selinux/pesto.fc b/contrib/selinux/pesto.fc
new file mode 100644
index 0000000..7ec4d87
--- /dev/null
+++ b/contrib/selinux/pesto.fc
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PESTO - Programmable Extensible Socket Translation Orchestrator
+# front-end for passt(1) and pasta(1) forwarding configuration
+#
+# contrib/selinux/pesto.fc - SELinux: File Context for pesto
+#
+# Copyright (c) 2026 Red Hat GmbH
+# Author: Stefano Brivio
+
+/usr/bin/pesto system_u:object_r:pesto_exec_t:s0
diff --git a/contrib/selinux/pesto.te b/contrib/selinux/pesto.te
new file mode 100644
index 0000000..991833a
--- /dev/null
+++ b/contrib/selinux/pesto.te
@@ -0,0 +1,95 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PESTO - Programmable Extensible Socket Translation Orchestrator
+# front-end for passt(1) and pasta(1) forwarding configuration
+#
+# contrib/selinux/pesto.te - SELinux: Type Enforcement for pesto
+#
+# Copyright (c) 2026 Red Hat GmbH
+# Author: Stefano Brivio
+
+policy_module(pesto, 0.1)
+
+require {
+ type unconfined_t;
+ type passt_t;
+ type pasta_t;
+ role unconfined_r;
+ class process transition;
+
+ class file { read execute execute_no_trans entrypoint open map };
+ class capability { dac_override dac_read_search };
+ class chr_file { append open getattr read write ioctl };
+
+ type net_conf_t;
+ type proc_net_t;
+ type sysctl_net_t;
+
+ class unix_stream_socket { create connect sendto };
+ class sock_file { read write };
+
+ type console_device_t;
+ type user_devpts_t;
+ type user_tmp_t;
+ type tmp_t;
+
+ # Workaround: pesto needs to needs to access socket files
+ # that passt, started by libvirt, might create under different
+ # labels, depending on whether passt is started as root or not.
+ #
+ # However, libvirt doesn't maintain its own policy, which makes
+ # updates particularly complicated. To avoid breakage in the short
+ # term, deal with that in passt's own policy.
+ type qemu_var_run_t;
+ type virt_var_run_t;
+}
+
+type pesto_t;
+domain_type(pesto_t);
+type pesto_exec_t;
+corecmd_executable_file(pesto_exec_t);
+
+role unconfined_r types pesto_t;
+
+allow pesto_t pesto_exec_t:file { read execute execute_no_trans entrypoint open map };
+type_transition unconfined_t pesto_exec_t:process pesto_t;
+allow unconfined_t pesto_t:process transition;
+
+allow pesto_t self:capability { dac_override dac_read_search };
+
+allow pesto_t proc_net_t:file read;
+kernel_search_network_sysctl(pesto_t)
+allow pesto_t sysctl_net_t:dir search;
+allow pesto_t sysctl_net_t:file { open read };
+
+allow pesto_t console_device_t:chr_file { append open getattr read write ioctl };
+allow pesto_t user_devpts_t:chr_file { append open getattr read write ioctl };
+
+allow pesto_t unconfined_t:unix_stream_socket { connectto read write };
+allow pesto_t passt_t:unix_stream_socket { connectto read write };
+allow pesto_t pasta_t:unix_stream_socket { connectto read write };
+allow pesto_t user_tmp_t:unix_stream_socket { connectto read write };
+
+allow pesto_t user_tmp_t:dir { getattr read search watch };
+
+allow pesto_t unconfined_t:sock_file { getattr read write };
+allow pesto_t passt_t:sock_file { getattr read write };
+allow pesto_t pasta_t:sock_file { getattr read write };
+allow pesto_t user_tmp_t:sock_file { getattr read write };
+allow pesto_t tmp_t:sock_file { getattr read write };
+
+# Workaround: pesto needs to needs to access socket files
+# that passt, started by libvirt, might create under different
+# labels, depending on whether passt is started as root or not.
+#
+# However, libvirt doesn't maintain its own policy, which makes
+# updates particularly complicated. To avoid breakage in the short
+# term, deal with that in passt's own policy.
+allow pesto_t qemu_var_run_t:unix_stream_socket { connectto read write };
+allow pesto_t virt_var_run_t:unix_stream_socket { connectto read write };
+
+allow pesto_t qemu_var_run_t:dir { getattr read search watch };
+allow pesto_t virt_var_run_t:dir { getattr read search watch };
+
+allow pesto_t qemu_var_run_t:sock_file { getattr read write };
+allow pesto_t virt_var_run_t:sock_file { getattr read write };
-- cgit v1.2.3
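Review bot: The "Workaround" comment carried over from passt-repair's policy still ends with "deal with that in passt's own policy" although the qemu_var_run_t/virt_var_run_t rules it introduces live in pesto's module; it also reads "needs to needs to", and it appears twice, once inside the require block and again above the allow rules. Suggest keeping a single copy, fixing the doubled words, and closing it with `# term, deal with that in pesto's own policy.`. The `allow pesto_t self:capability { dac_override dac_read_search };` line is the broadest grant in the module and carries no why-comment; if the reason is reaching control sockets owned by another user when pesto runs as root, say so, e.g. `# dac_override: connect to control sockets owned by other users when run as root`, and otherwise consider whether dac_read_search alone suffices. Two rules are also worth a second look: `tmp_t:sock_file` is granted with no matching `tmp_t:dir search`, so a socket placed directly under /tmp looks reachable only if that search is granted elsewhere, and the `unix_stream_socket connectto` rules against file types (user_tmp_t, qemu_var_run_t, virt_var_run_t) would only match if a listener explicitly labels its socket with that type, since a socket otherwise carries its creating domain's label.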