Tuomo reports two further SELinux denials after upgrading to a passt-selinux version that includes the transition to pasta_t for containers, one I could reproduce: denied { open } for pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 which I didn't take care of in the previous commit, d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well"), as it didn't appear in my quick test. But I can make pasta use "open" on the network namespace entry by simply using it to make connections. So, for that, add "open" to the existing rule for user_tmp_t:dir. Then, another one I couldn't reproduce instead: denied { write } for pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0 which, I think, comes from a specific combination of versions of container-selinux, Podman, and passt-selinux packages, which prevents the expected type transition on container_var_run_t unless restorecon is invoked manually, or until a reboot. Allowing the same permissions on container_var_run_t as we do on ifconfig_var_run_t is harmless, so do that to prevent this further denial. Reported-by: Tuomo Soini Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well") Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio --- Max, for context, this was reported at https://issues.redhat.com/browse/RHEL-136495, which is a public ticket but not necessarily a stable link as far as I know, so I'm not adding that as a Link: tag. I hope it's the last one! :) contrib/selinux/pasta.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 3eb58f6..fb51416 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton; manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) files_pid_filetrans(pasta_t, pasta_pid_t, file) -allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write }; +allow pasta_t user_tmp_t:dir { add_name open read remove_name search watch write }; allow pasta_t user_tmp_t:fifo_file append; allow pasta_t user_tmp_t:file { create open write }; allow pasta_t user_tmp_t:sock_file { create unlink }; @@ -249,7 +249,9 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; +allow pasta_t container_var_run_t:dir { add_name open rmdir write }; allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; +allow pasta_t container_var_run_t:file { create open write }; allow pasta_t ifconfig_var_run_t:file { create open write }; allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir; -- 2.43.0