mirrors/passt
1
0
Fork 0
mirror of https://passt.top/passt synced 2025-05-20 08:25:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

selinux: Drop user_namespace create allow rules

Browse source 
Those are incompatible with current el9 kernels. I introduced them
upstream with commit 62059058cf ("selinux: Fix user namespace
creation after breaking kernel change"), in turn as a result of
kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook"),
but on current el9 kernels (which lack the hook) they result in
failures such as:

  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
  Failed to resolve AST
  /usr/sbin/semodule:  Failed!
  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
  Failed to resolve AST
  /usr/sbin/semodule:  Failed!

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio 2023-08-21 17:52:28 +02:00 committed by David Gibson
parent a1e48a02ff
commit e5575743d9
2 changed files with 0 additions and 2 deletions
contrib/selinux
passt.tepasta.te

1
contrib/selinux/passt.te
View file

@ -102,7 +102,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
allow passt_t self:user_namespace create;
auth_read_passwd(passt_t)

1
contrib/selinux/pasta.te
View file

@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
allow pasta_t self:user_namespace create;
auth_read_passwd(pasta_t)