From 76fd54667ee516e7d6a7ff59befb4a00895b9863 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Tue, 19 May 2026 19:28:21 +0200
Subject: selinux: Allow pasta to create and use its control socket when started by Podman
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If Podman starts us, we need to be able to create and use a UNIX domain socket file under ifconfig_var_run_t or container_var_run_t: add the related permissions.

The failure reported by Jan would have been fixed by a simple:

allow pasta_t ifconfig_var_run_t:sock_file create;

but we'll need more than that for actual operation with pesto(1), and to cover all possible cases.

Reported-by: Jan Rodák
Link: https://github.com/containers/podman/pull/28478
Fixes: 533577008942 ("selinux: Add file context and type enforcement for pesto")
Signed-off-by: Stefano Brivio
---
 contrib/selinux/pasta.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index fb51416..ff74dd7 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -253,6 +253,8 @@ allow pasta_t container_var_run_t:dir { add_name open rmdir write };
 allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
 allow pasta_t container_var_run_t:file { create open write };
 allow pasta_t ifconfig_var_run_t:file { create open write };
+allow pasta_t container_var_run_t:sock_file { getattr create open read write };
+allow pasta_t ifconfig_var_run_t:sock_file { getattr create open read write };
 allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
 
 # Allow pasta to bind to any port
-- 
cgit v1.2.3
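Review bot: The two new sock_file rules grant `getattr create open read write` but not `unlink`, so pasta_t can create its control socket but cannot remove a stale one left by a crashed instance or clean up on exit; the surrounding dir rules in the context lines only grant `add_name`, not `remove_name`, so the unlink would also be denied at the directory level, and the next bind() on the same path would fail with EADDRINUSE. If pasta unlinks the path before bind() or at shutdown, the rules should read `allow pasta_t container_var_run_t:sock_file { getattr create open read write unlink };` and `allow pasta_t ifconfig_var_run_t:sock_file { getattr create open read write unlink };`, with `remove_name` added to the matching `:dir` rules. Whether pasta also chmods the socket after creation (which would need `setattr`) cannot be told from this hunk. Since the commit message says the goal is to cover all cases rather than just the one reported AVC, a full create-connect-teardown cycle with a stale socket present, checked with `ausearch -m avc` in enforcing mode, would confirm the set is complete.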