Commit 76fd546

committed
selinux: Allow pasta to create and use its control socket when started by Podman
If Podman starts us, we need to be able to create and use a UNIX domain socket file under ifconfig_var_run_t or container_var_run_t: add the related permissions.

The failure reported by Jan would have been fixed by a simple:

    allow pasta_t ifconfig_var_run_t:sock_file create;

but we'll need more than that for actual operation with pesto(1), and to cover all possible cases.

Reported-by: Jan Rodák <jrodak@redhat.com>
Link: podman-container-tools/podman#28478
Fixes: 5335770 ("selinux: Add file context and type enforcement for pesto")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
1 parent cea2d19 commit 76fd546

1 file changed

Lines changed: 2 additions & 0 deletions

contrib/selinux/pasta.te

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -253,6 +253,8 @@ allow pasta_t container_var_run_t:dir { add_name open rmdir write };
253253
allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
254254
allow pasta_t container_var_run_t:file { create open write };
255255
allow pasta_t ifconfig_var_run_t:file { create open write };
256+
allow pasta_t container_var_run_t:sock_file { getattr create open read write };
257+
allow pasta_t ifconfig_var_run_t:sock_file { getattr create open read write };
256258
allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
257259

258260
# Allow pasta to bind to any port
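Review bot: the two new sock_file rules grant `getattr create open read write` but not `unlink`, and the neighbouring dir rules on container_var_run_t and ifconfig_var_run_t grant `add_name open rmdir write` but not `remove_name`, so pasta can create its control socket but cannot remove it on exit; given the commit message's goal of covering "all possible cases", consider adding `unlink` to both sock_file rules and `remove_name` to both dir rules, e.g. `allow pasta_t ifconfig_var_run_t:sock_file { getattr create open read write unlink };`, so a stale socket file is not left behind under the runtime directory after a clean shutdown. A one-line comment above the new rules stating that they are needed when Podman starts pasta would also help future readers, since the rest of this block carries such comments (see `# Allow pasta to bind to any port` below).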
