Since commit eedc81b6ef55 ("fwd, conf: Probe host's ephemeral ports"), we might need to read from /proc/sys/net/ipv4/ip_local_port_range in both passt and pasta. While pasta was already allowed to open and write /proc/sys/net entries, read access was missing in SELinux's type enforcement: add that. In passt, instead, this is the first time we need to access an entry there: add everything we need. Fixes: eedc81b6ef55 ("fwd, conf: Probe host's ephemeral ports") Signed-off-by: Stefano Brivio --- contrib/selinux/passt.te | 3 +++ contrib/selinux/pasta.te | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index bbb0917..80bf780 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -50,6 +50,7 @@ require { type passwd_file_t; class netlink_route_socket { bind create nlmsg_read }; + type sysctl_net_t; class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace }; @@ -104,6 +105,8 @@ allow passt_t net_conf_t:lnk_file read; allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; kernel_search_network_sysctl(passt_t) +allow passt_t sysctl_net_t:dir search; +allow passt_t sysctl_net_t:file { open read }; corenet_tcp_bind_all_nodes(passt_t) corenet_udp_bind_all_nodes(passt_t) diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 4e36c3f..310383c 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -196,7 +196,7 @@ allow pasta_t ifconfig_var_run_t:dir { read search watch }; allow pasta_t self:tun_socket create; allow pasta_t tun_tap_device_t:chr_file { ioctl open read write }; allow pasta_t sysctl_net_t:dir search; -allow pasta_t sysctl_net_t:file { open write }; +allow pasta_t sysctl_net_t:file { open read write }; allow pasta_t kernel_t:system module_request; allow pasta_t nsfs_t:file read; -- 2.43.0