Hi Stefano,

On Mon, 2025-05-19 at 09:39 +0200, Stefano Brivio wrote:
> On Sat, 17 May 2025 03:34:42 -0600 Max Chernoff wrote:
> > On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> >
> > #============= pasta_t ==============
> > allow pasta_t container_runtime_t:dir { open read search };
> > allow pasta_t container_runtime_t:file read;
> > allow pasta_t container_runtime_t:lnk_file read;
> > allow pasta_t container_t:lnk_file read;
> >
> > If I add those rules, everything works.
> >
> > I guess the options are:
> >
> > 1. Add the above rules to the pasta SELinux policy.
> > 2. Have Podman change the context of /proc/self/ns/net to pasta_t.
> > 3. Have Podman pass a file descriptor to the netns instead of the path to the netns.
> >
> > (1) is arguably the least secure, but is probably fine in practice?
>
> Well:
>
> 2. is probably the most restrictive, but it doesn't really feel correct to me (pasta is not, at least conceptually, the exclusive user of the network namespace link).
>
> 3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't see this, done).
>
> ...so I would opt for 1.
>
> I see why you mention it's less secure: we didn't really want to be able to open and read *any* container_runtime_t:dir or container_t:lnk_file. But that's not really the part of "fine-grained" security that we typically delegate to SELinux anyway.

Alright, works for me. I've added those rules into the policy in the following commit.

> ...so I guess the only remaining point, other than adding those rules, is to figure out why %selinux_relabel_post isn't enough and what we can add to the spec file instead. I'll try to have a look at it within a couple of days unless you find an explanation / solution before then.

I've looked through the code and I'm also lost as to why %selinux_relabel_post isn't working. I'll try taking a look again tomorrow, but I doubt that I'll be able to figure it out.

Thanks,
-- Max

Max Chernoff (1):
  selinux: Transition to pasta_t in containers

 contrib/selinux/pasta.fc | 10 ++++++----
 contrib/selinux/pasta.te | 42 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 5 deletions(-)

-- 
2.49.0