mirrors/passt
1
0
Fork 0
mirror of https://passt.top/passt synced 2025-05-05 18:28:52 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

pasta.te: fix demo.sh and remove one duplicate rule

Browse source 
On Fedora 41, without "allow pasta_t unconfined_t:dir read"
/usr/bin/pasta can't open /proc/[pid]/ns, which is required by
pasta_netns_quit_init().

This patch also remove one duplicate rule "allow pasta_t nsfs_t:file
read;", "allow pasta_t nsfs_t:file { open read };" at line 123 is
enough.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
7ppKb5bW 2025-02-02 19:21:21 +00:00 committed by Stefano Brivio
parent dcd6d8191a
commit bf2860819d
1 changed files with 1 additions and 3 deletions

4
contrib/selinux/pasta.te
View file

@ -171,7 +171,7 @@ allow pasta_t init_t:lnk_file read;
allow pasta_t init_t:unix_stream_socket connectto;
allow pasta_t init_t:dbus send_msg;
allow pasta_t init_t:system status;
allow pasta_t unconfined_t:dir search;
allow pasta_t unconfined_t:dir { read search };
allow pasta_t unconfined_t:file read;
allow pasta_t unconfined_t:lnk_file read;
allow pasta_t self:process { setpgid setcap };
@ -192,8 +192,6 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open read write };
allow pasta_t kernel_t:system module_request;
allow pasta_t nsfs_t:file read;
allow pasta_t proc_t:dir mounton;
allow pasta_t proc_t:filesystem mount;
allow pasta_t net_conf_t:lnk_file read;