passt: Relicense to GPL 2.0, or any later version
In practical terms, passt doesn't benefit from the additional
protection offered by the AGPL over the GPL, because it's not
suitable to be executed over a computer network.
Further, restricting distribution to version 3 of the GPL
wouldn't provide any practical advantage either, as far as the passt
codebase is concerned, and might cause unnecessary compatibility
dilemmas.
Change licensing terms to the GNU General Public License Version 2,
or any later version, with written permission from all current and
past contributors, namely: myself, David Gibson, Laine Stump, Andrea
Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian
Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-04-05 18:11:44 +00:00
# SPDX-License-Identifier: GPL-2.0-or-later
#
# PASST - Plug A Simple Socket Transport
# for qemu/UNIX domain socket mode
#
# contrib/selinux/passt.te - SELinux profile: Type Enforcement for passt
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
#
# Type Enforcement rules for the passt_t domain. The passt executable is
# labelled passt_exec_t; running it from unconfined_t transitions into
# passt_t, and every access passt_t is allowed is listed in this file —
# anything not granted here (or by an interface called from here) is
# denied. Label assignment for files (file contexts) and any interfaces
# are presumably kept in sibling .fc/.if files; they are not part of this
# file.

# Module name and version as registered with semodule.
policy_module(passt, 0.1)

# Types, roles, attributes and classes declared elsewhere that this module
# references.
# NOTE(review): several rules below use permissions that the class lists
# here do not name (file lock/entrypoint, capability setpcap and
# net_bind_service, process setcap, the lnk_file and unix_stream_socket
# classes, most tcp_socket/udp_socket/netlink_route_socket permissions).
# This presumably relies on policy_module() already requiring all kernel
# classes and permissions, making the class lists here informational only
# — confirm against the refpolicy headers used for the build, or keep the
# lists in sync with the rules.
require {
	type unconfined_t;
	role unconfined_r;
	class process transition;

	# Filesystem objects passt touches (by name): other binaries, home
	# and temporary directories, and the root/tmpfs involved in the
	# mount rules further below.
	type bin_t;
	type user_home_dir_t;
	type fs_t;
	type tmp_t;
	type user_tmp_t;
	type tmpfs_t;
	type root_t;

	class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
	class dir { search write add_name remove_name mounton };
	class chr_file { append read write open getattr ioctl };
	class filesystem { getattr mount unmount };

	# Terminals and syslog-related types (by name); devlog_t and
	# var_run_t are not referenced directly by any rule in this file.
	type console_device_t;
	type user_devpts_t;
	type devlog_t;
	type syslogd_t;
	type var_run_t;
	class unix_dgram_socket { create connect sendto };

	# Host network configuration and socket classes.
	type net_conf_t;
	type proc_net_t;
	type node_t;
	class tcp_socket { create accept listen name_bind name_connect };
	class udp_socket { create accept listen };
	class icmp_socket { bind create name_bind node_bind setopt read write };
	class sock_file { create unlink write };

	# NOTE(review): port_type and http_port_t are not referenced by any
	# rule in this file; only port_t is (icmp_socket name_bind below).
	attribute port_type;
	type port_t;
	type http_port_t;

	class netlink_route_socket { bind create nlmsg_read };
	type sysctl_net_t;

	# Capabilities and namespaces; see the self:capability,
	# self:cap_userns and self:user_namespace rules below.
	class capability { sys_tty_config setuid setgid };
	class cap_userns { setpcap sys_admin sys_ptrace };
	class user_namespace create;
}

# Domain for the running process and label for its executable.
type passt_t;
domain_type(passt_t);
type passt_exec_t;
files_type(passt_exec_t);
# Log and configuration file types. No rule in this file grants passt_t
# any access to them.
# NOTE(review): presumably assigned through file contexts and used by
# interfaces elsewhere — confirm that passt_t can actually reach these
# labels, otherwise they are dead declarations.
type passt_log_t;
logging_log_file(passt_log_t);
type passt_etc_t;
files_config_file(passt_etc_t);

# Let the unconfined role run processes in the passt_t domain.
role unconfined_r types passt_t;

# Domain entry: passt_t may execute passt_exec_t and use it as its
# entrypoint; executing passt_exec_t from unconfined_t automatically
# transitions the process into passt_t, and unconfined_t is allowed to
# perform that transition.
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
type_transition unconfined_t passt_exec_t : process passt_t;
allow unconfined_t passt_t : process transition ;

# passt_t may also be started as a system daemon by init, and may use any
# terminal inherited from its caller.
init_daemon_domain(passt_t, passt_exec_t)
term_use_all_inherited_terms(passt_t)

# Execute other binaries labelled bin_t, in the same domain.
# NOTE(review): broader than running the passt executable itself; the
# reason (e.g. spawning a helper) is not stated in this file — confirm.
allow passt_t bin_t:file { execute execute_no_trans map };
# Create and write files directly in users' home directories; there is no
# type transition, so such files keep the user_home_dir_t label.
# NOTE(review): the use case (presumably output files at a user-chosen
# path) is not recorded here — document it, since this is a broad grant
# for a network daemon.
allow passt_t user_home_dir_t:dir { search add_name write };
allow passt_t user_home_dir_t:file { create open write };
# Mount on / and /tmp, mount a tmpfs and unmount the original filesystem.
# Together with user_namespace create and cap_userns sys_admin below, this
# looks like the set needed to move into an empty, private mount namespace
# — TODO confirm against the sandboxing code, and keep the rules paired.
allow passt_t root_t:dir mounton;
allow passt_t tmp_t:dir { add_name mounton remove_name write };
allow passt_t tmpfs_t:filesystem mount;
allow passt_t fs_t:filesystem unmount;

# Runtime files under user_tmp_t: full file management, and files created
# in PID directories get the user_tmp_t label.
manage_files_pattern(passt_t, user_tmp_t, user_tmp_t)
files_pid_filetrans(passt_t, user_tmp_t, file)

# Console and pty access for diagnostics, plus sending syslog messages.
allow passt_t console_device_t:chr_file { open write getattr ioctl };
allow passt_t user_devpts_t:chr_file { getattr read write ioctl };
logging_send_syslog_msg(passt_t)
# NOTE(review): this rule widens syslogd_t, not passt_t, and applies on
# every system that loads this module whether or not passt is running.
# The rationale is not recorded here (presumably syslogd needs it to
# inspect a sender that sits inside a user namespace — confirm); document
# it, and consider whether the syslog module or base policy is the right
# home for the rule.
allow syslogd_t self:cap_userns sys_ptrace;

# Privilege handling: setcap/setpcap to adjust its own capability sets,
# setuid/setgid to switch to an unprivileged user when started as root,
# net_bind_service for ports below 1024, sys_tty_config, and creation of
# a user namespace with setpcap/sys_admin/sys_ptrace inside it.
# NOTE(review): setpcap and net_bind_service are not in the capability
# class list of the require block above.
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
allow passt_t self:user_namespace create;

selinux: Use auth_read_passwd() interface for all our getpwnam() needs
If passt or pasta are started as root, we need to read the passwd file
(be it /etc/passwd or whatever sssd provides) to find out UID and GID
of 'nobody' so that we can switch to it.
Instead of a bunch of allow rules for passwd_file_t and sssd macros,
use the more convenient auth_read_passwd() interface which should
cover our usage of getpwnam().
The existing rules weren't actually enough:
# strace -e openat passt -f
[...]
Started as root, will change to nobody.
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
with corresponding SELinux warnings logged in audit.log.
Reported-by: Minxi Hou <mhou@redhat.com>
Analysed-by: Miloš Malik <mmalik@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
# Read the passwd database (whichever NSS backend provides it) to resolve
# the UID and GID of the unprivileged user passt switches to when started
# as root.
auth_read_passwd(passt_t)

# Host network configuration: /proc/net, network config files and the
# symlinks pointing to them, routing information over netlink, and the
# net.* sysctls.
allow passt_t proc_net_t:file read;
allow passt_t net_conf_t:file { open read };
allow passt_t net_conf_t:lnk_file read;
# UNIX domain socket under /tmp (see the qemu/UNIX domain socket mode in
# the header).
allow passt_t tmp_t:sock_file { create unlink write };
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
kernel_search_network_sysctl(passt_t)
allow passt_t sysctl_net_t:dir search;
allow passt_t sysctl_net_t:file { open read };

# Bind and connect on any node and any port, TCP and UDP. These grants
# are deliberately broad: passt relays traffic on behalf of a guest, so
# SELinux does not constrain which ports it may use — any narrowing has
# to come from passt's own port configuration, not from this policy.
corenet_tcp_bind_all_nodes(passt_t)
corenet_udp_bind_all_nodes(passt_t)

corenet_tcp_bind_all_ports(passt_t)
corenet_udp_bind_all_ports(passt_t)

corenet_tcp_connect_all_ports(passt_t)

corenet_tcp_sendrecv_all_ports(passt_t)
corenet_udp_sendrecv_all_ports(passt_t)

# ICMP sockets: bind to any node and to the generic port type.
allow passt_t node_t:icmp_socket { name_bind node_bind };
allow passt_t port_t:icmp_socket name_bind;

# Full use of its own TCP, UDP and ICMP sockets.
allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
allow passt_t self:udp_socket { create getopt setopt connect bind read write };
allow passt_t self:icmp_socket { bind create setopt read write };

# Runtime files and sockets under user_tmp_t (see files_pid_filetrans
# above for where the label comes from).
allow passt_t user_tmp_t:dir { add_name write };
allow passt_t user_tmp_t:file { create open };
allow passt_t user_tmp_t:sock_file { create read write unlink };
# Use a UNIX stream socket owned by the unconfined caller.
# NOTE(review): presumably a socket handed over by the launching process
# — confirm which one, so the grant can be documented precisely.
allow passt_t unconfined_t:unix_stream_socket { read write };