[PATCH 0/4] Further adjustments for SELinux policy files
This series addresses a number of issues or inconveniences shown by further
testing against libvirt, essentially a 9.1.0 version patched up to fix the
current breakage by starting passt in the "passt_t" domain.

Stefano Brivio (4):
  contrib/selinux: Drop duplicate init_daemon_domain() rule
  contrib/selinux: Let passt write to stdout and stderr when it starts
  contrib/selinux: Allow binding and connecting to all UDP and TCP ports
  contrib/selinux: Let interface users set paths for log, PID, socket files

 contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
 contrib/selinux/passt.te | 29 ++++++++++++++++-------------
 2 files changed, 41 insertions(+), 14 deletions(-)

-- 
2.39.2
Signed-off-by: Stefano Brivio
Otherwise, it's unusable as a stand-alone tool, or in foreground mode,
and it's also impossible to get output from --help or --version,
because for SELinux it's just a daemon.
Signed-off-by: Stefano Brivio
Laine reports that with a simple:

  <portForward proto='tcp'>
    <range start='2022' to='22'/>
  </portForward>

in libvirt's domain XML, passt won't start as it fails to bind
arbitrary ports. That was actually the intention behind passt_port_t:
the user or system administrator should have explicitly configured
allowed ports on a given machine. But it's probably not realistic, so
just allow any port to be bound and forwarded.
Also fix up some missing operations on sockets.
Reported-by: Laine Stump
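The two .te-level changes described above (terminal output when passt runs in the foreground or with --help/--version, and the move from a dedicated port type to "any port") are illustrated below in a hypothetical policy fragment written for this thread; it is not the project's contrib/selinux/passt.te. The module name passt_example and the two models placed side by side are assumptions for illustration; the interface names and permission sets are the ones defined by the SELinux reference policy.

```m4
# Hypothetical fragment in the style of contrib/selinux/passt.te (illustrative,
# not the project's own file). It contrasts the original "only labelled ports
# may be bound" model with the "allow every port" model this series moves to,
# and shows the rules that let a daemon domain write to the terminal it was
# started from. Interface names come from the SELinux reference policy.

policy_module(passt_example, 0.1)

type passt_t;
type passt_exec_t;
init_daemon_domain(passt_t, passt_exec_t)

# --- Model A: only explicitly labelled ports may be bound (stricter) ---------
# A dedicated port type; an administrator labels individual ports with
#   semanage port -a -t passt_port_t -p tcp 2022
# and nothing else is bindable. This is the model that broke the
# <portForward> example above: nobody had labelled port 2022 on that host.
type passt_port_t;
corenet_port(passt_port_t)

allow passt_t self:tcp_socket create_stream_socket_perms;
allow passt_t self:udp_socket create_socket_perms;
corenet_tcp_bind_generic_node(passt_t)
corenet_udp_bind_generic_node(passt_t)
allow passt_t passt_port_t:tcp_socket name_bind;
allow passt_t passt_port_t:udp_socket name_bind;

# --- Model B: any port may be bound or connected to (what the series does) --
# Trades the per-port allow-list for port forwarding that works out of the
# box; what remains is confinement of the domain, not of the port numbers.
corenet_tcp_bind_all_ports(passt_t)
corenet_udp_bind_all_ports(passt_t)
corenet_tcp_connect_all_ports(passt_t)

# --- stdout/stderr when started in the foreground or with --help/--version --
# A daemon domain normally has no business writing to a terminal, so without
# these rules the output is silently denied (look for the denials with
#   ausearch -m AVC -c passt).
domain_use_interactive_fds(passt_t)
userdom_use_inherited_user_terminals(passt_t)
allow passt_t self:fifo_file rw_fifo_file_perms;
```

With the policy development headers installed, a fragment like this builds with `make -f /usr/share/selinux/devel/Makefile passt_example.pp`. After loading it, `sesearch -A -s passt_t -c tcp_socket -p name_bind` shows whether the domain may bind only passt_port_t (model A) or the whole port_type attribute (model B), which is the quickest way to confirm which of the two models a host is actually running.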
Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.
Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.
Signed-off-by: Stefano Brivio
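The interface shape described above, in which the caller chooses the file type for the log, PID and socket files instead of everything being forced onto user_tmp_t, is sketched below as an added example written for this thread; it is not the project's contrib/selinux/passt.if. The interface names passt_log_file, passt_pid_file and passt_socket_file, the module name virt_passt_example and the types virt_passt_log_t, virt_passt_var_run_t and virt_passt_socket_t are assumptions for illustration; the pattern macros and the interfaces they call are the reference policy's.

```m4
# Hypothetical interfaces in the style of contrib/selinux/passt.if
# (illustrative, not the project's own file). Instead of hard-wiring a single
# file type, each interface takes the file type of the caller's choosing, so a
# libvirt domain started as root can label its files under /var/log/libvirt
# while a user session labels them in its own directory.

## <summary>Let passt create and write its log file as type $1.</summary>
## <param name="log_type">
##	<summary>Type of the log file and of the directory holding it.</summary>
## </param>
interface(`passt_log_file',`
	gen_require(`
		type passt_t;
	')

	# search permission on /var/log itself, then manage files of type $1
	logging_search_logs(passt_t)
	manage_files_pattern(passt_t, $1, $1)
')

## <summary>Let passt create and write its PID file as type $1.</summary>
interface(`passt_pid_file',`
	gen_require(`
		type passt_t;
	')

	files_search_pids(passt_t)
	manage_files_pattern(passt_t, $1, $1)
')

## <summary>Let passt create its UNIX socket as type $1, and let domain $2
## connect to it.</summary>
interface(`passt_socket_file',`
	gen_require(`
		type passt_t;
	')

	manage_sock_files_pattern(passt_t, $1, $1)
	allow $2 $1:sock_file write;
	allow $2 passt_t:unix_stream_socket connectto;
')

# --- Caller side (would live in the caller's own .te file) -------------------
# A hypothetical libvirt-style module declaring its own types and handing
# them to the interfaces above, one set for the root case:
#
#   policy_module(virt_passt_example, 0.1)
#
#   type virt_passt_log_t;
#   logging_log_file(virt_passt_log_t)        # a log file under /var/log/...
#   passt_log_file(virt_passt_log_t)
#
#   type virt_passt_var_run_t;
#   files_pid_file(virt_passt_var_run_t)      # a PID file under /run/...
#   passt_pid_file(virt_passt_var_run_t)
#
#   type virt_passt_socket_t;
#   files_type(virt_passt_socket_t)
#   passt_socket_file(virt_passt_socket_t, virtd_t)
#
# plus a matching line in the caller's .fc file, for example:
#   /var/log/libvirt/qemu/passt(/.*)? gen_context(system_u:object_r:virt_passt_log_t,s0)
```

The .fc entry is what makes the type actually land on the path: without it, a freshly created log file simply inherits its parent directory's type and the allow rules granted through passt_log_file never match. After loading both modules, `sesearch -A -s passt_t -t virt_passt_log_t -c file` should list the manage permissions, and `restorecon -v` on the log directory should report the expected type.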
On 3/6/23 6:28 PM, Stefano Brivio wrote:
> This series addresses a number of issues or inconveniences shown by further
> testing against libvirt, essentially a 9.1.0 version patched up to fix the
> current breakage by starting passt in the "passt_t" domain.
>
> Stefano Brivio (4):
>   contrib/selinux: Drop duplicate init_daemon_domain() rule
>   contrib/selinux: Let passt write to stdout and stderr when it starts
>   contrib/selinux: Allow binding and connecting to all UDP and TCP ports
>   contrib/selinux: Let interface users set paths for log, PID, socket files
>
>  contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
>  contrib/selinux/passt.te | 29 ++++++++++++++++-------------
>  2 files changed, 41 insertions(+), 14 deletions(-)

Tested-by: Laine Stump