External/passt
1
0
Fork 0
mirror of https://passt.top/passt synced 2024-07-06 17:56:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
62059058cf
passt/contrib/selinux/passt.te
Stefano Brivio 62059058cf selinux: Fix user namespace creation after breaking kernel change 
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
seems to just introduce a new functionality, but given that SELinux
implements a form of mandatory access control, introducing the new
permission breaks any application (shipping with SELinux policies)
that needs to create user namespaces, such as passt and pasta for
sandboxing purposes.

Add the new 'allow' rules. They appear to be backward compatible,
kernel-wise, and the policy now requires the new 'user_namespace'
class to build, but that's something distributions already ship.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
2023-08-18 13:18:45 +02:00

123 lines
3.8 KiB
Plaintext
Raw Blame History

# SPDX-License-Identifier: GPL-2.0-or-later
#
# PASST - Plug A Simple Socket Transport
# for qemu/UNIX domain socket mode
#
# contrib/selinux/passt.te - SELinux profile: Type Enforcement for passt
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
policy_module(passt, 0.1)
require {
type unconfined_t;
role unconfined_r;
class process transition;
type bin_t;
type user_home_dir_t;
type fs_t;
type tmp_t;
type user_tmp_t;
type tmpfs_t;
type root_t;
class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
class dir { search write add_name remove_name mounton };
class chr_file { append read write open getattr ioctl };
class filesystem { getattr mount unmount };
type console_device_t;
type user_devpts_t;
type devlog_t;
type syslogd_t;
type var_run_t;
class unix_dgram_socket { create connect sendto };
type net_conf_t;
type proc_net_t;
type node_t;
class tcp_socket { create accept listen name_bind name_connect };
class udp_socket { create accept listen };
class icmp_socket { bind create name_bind node_bind setopt read write };
class sock_file { create unlink write };
attribute port_type;
type port_t;
type http_port_t;
class netlink_route_socket { bind create nlmsg_read };
class capability sys_tty_config;
class cap_userns { setpcap sys_admin sys_ptrace };
class user_namespace create;
}
type passt_t;
domain_type(passt_t);
type passt_exec_t;
files_type(passt_exec_t);
type passt_log_t;
logging_log_file(passt_log_t);
type passt_etc_t;
files_config_file(passt_etc_t);
role unconfined_r types passt_t;
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
type_transition unconfined_t passt_exec_t : process passt_t;
allow unconfined_t passt_t : process transition ;
init_daemon_domain(passt_t, passt_exec_t)
term_use_all_inherited_terms(passt_t)
allow passt_t bin_t:file { execute execute_no_trans map };
allow passt_t user_home_dir_t:dir { search add_name write };
allow passt_t user_home_dir_t:file { create open write };
allow passt_t root_t:dir mounton;
allow passt_t tmp_t:dir { add_name mounton remove_name write };
allow passt_t tmpfs_t:filesystem mount;
allow passt_t fs_t:filesystem unmount;
manage_files_pattern(passt_t, user_tmp_t, user_tmp_t)
files_pid_filetrans(passt_t, user_tmp_t, file)
allow passt_t console_device_t:chr_file { open write getattr ioctl };
allow passt_t user_devpts_t:chr_file { getattr read write ioctl };
logging_send_syslog_msg(passt_t)
allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
allow passt_t self:user_namespace create;
allow passt_t proc_net_t:file read;
allow passt_t net_conf_t:file { open read };
allow passt_t net_conf_t:lnk_file read;
allow passt_t tmp_t:sock_file { create unlink write };
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
corenet_tcp_bind_all_nodes(passt_t)
corenet_udp_bind_all_nodes(passt_t)
corenet_tcp_bind_all_ports(passt_t)
corenet_udp_bind_all_ports(passt_t)
corenet_tcp_connect_all_ports(passt_t)
corenet_tcp_sendrecv_all_ports(passt_t)
corenet_udp_sendrecv_all_ports(passt_t)
allow passt_t node_t:icmp_socket { name_bind node_bind };
allow passt_t port_t:icmp_socket name_bind;
allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
allow passt_t self:udp_socket { create getopt setopt connect bind read write };
allow passt_t self:icmp_socket { bind create setopt read write };
allow passt_t user_tmp_t:dir { add_name write };
allow passt_t user_tmp_t:file { create open };
allow passt_t user_tmp_t:sock_file { create read write unlink };
Reference in New Issue View Git Blame Copy Permalink