|
 |
f07426 |
From 8cb64a237ed6183c492dea04da7c8d3ca064a155 Mon Sep 17 00:00:00 2001
|
|
|
f07426 |
From: Stefano Brivio <sbrivio@redhat.com>
|
|
|
f07426 |
Date: Mon, 6 Mar 2023 23:05:36 +0000
|
|
|
f07426 |
Subject: [PATCH 11/20] contrib/selinux: Allow binding and connecting to all
|
|
|
f07426 |
UDP and TCP ports
|
|
|
f07426 |
|
|
|
f07426 |
Laine reports that with a simple:
|
|
|
f07426 |
|
|
|
f07426 |
<portForward proto='tcp'>
|
|
|
f07426 |
<range start='2022' to='22'/>
|
|
|
f07426 |
</portForward>
|
|
|
f07426 |
|
|
|
f07426 |
in libvirt's domain XML, passt won't start as it fails to bind
|
|
|
f07426 |
arbitrary ports. That was actually the intention behind passt_port_t:
|
|
|
f07426 |
the user or system administrator should have explicitly configured
|
|
|
f07426 |
allowed ports on a given machine. But it's probably not realistic, so
|
|
|
f07426 |
just allow any port to be bound and forwarded.
|
|
|
f07426 |
|
|
|
f07426 |
Also fix up some missing operations on sockets.
|
|
|
f07426 |
|
|
|
f07426 |
Reported-by: Laine Stump <laine@redhat.com>
|
|
|
f07426 |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
f07426 |
Tested-by: Laine Stump <laine@redhat.com>
|
|
|
f07426 |
Reviewed-by: Laine Stump <laine@redhat.com>
|
|
|
f07426 |
(cherry picked from commit de9b0cb5fee2ea00ed7e7877ef9be8c446bca134)
|
|
|
f07426 |
---
|
|
|
f07426 |
contrib/selinux/passt.te | 27 +++++++++++++++------------
|
|
|
f07426 |
1 file changed, 15 insertions(+), 12 deletions(-)
|
|
|
f07426 |
|
|
|
f07426 |
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
|
|
|
f07426 |
index 6cd61f1..438155d 100644
|
|
|
f07426 |
--- a/contrib/selinux/passt.te
|
|
|
f07426 |
+++ b/contrib/selinux/passt.te
|
|
|
f07426 |
@@ -62,9 +62,6 @@ logging_log_file(passt_log_t);
|
|
|
f07426 |
type passt_etc_t;
|
|
|
f07426 |
files_config_file(passt_etc_t);
|
|
|
f07426 |
|
|
|
f07426 |
-type passt_port_t;
|
|
|
f07426 |
-typeattribute passt_port_t port_type;
|
|
|
f07426 |
-
|
|
|
f07426 |
role unconfined_r types passt_t;
|
|
|
f07426 |
|
|
|
f07426 |
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
|
|
|
f07426 |
@@ -100,16 +97,22 @@ allow passt_t net_conf_t:lnk_file read;
|
|
|
f07426 |
allow passt_t tmp_t:sock_file { create unlink write };
|
|
|
f07426 |
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
|
|
|
f07426 |
|
|
|
f07426 |
-allow passt_t self:tcp_socket create_stream_socket_perms;
|
|
|
f07426 |
-corenet_tcp_sendrecv_generic_node(passt_t)
|
|
|
f07426 |
-corenet_tcp_bind_generic_node(passt_t)
|
|
|
f07426 |
-allow passt_t passt_port_t:tcp_socket { name_bind name_connect };
|
|
|
f07426 |
-allow passt_t http_port_t:tcp_socket { name_bind name_connect };
|
|
|
f07426 |
-allow passt_t self:udp_socket create_stream_socket_perms;
|
|
|
f07426 |
-corenet_udp_sendrecv_generic_node(passt_t)
|
|
|
f07426 |
-corenet_udp_bind_generic_node(passt_t)
|
|
|
f07426 |
-allow passt_t passt_port_t:udp_socket { name_bind };
|
|
|
f07426 |
+corenet_tcp_bind_all_nodes(passt_t)
|
|
|
f07426 |
+corenet_udp_bind_all_nodes(passt_t)
|
|
|
f07426 |
+
|
|
|
f07426 |
+corenet_tcp_bind_all_ports(passt_t)
|
|
|
f07426 |
+corenet_udp_bind_all_ports(passt_t)
|
|
|
f07426 |
+
|
|
|
f07426 |
+corenet_tcp_connect_all_ports(passt_t)
|
|
|
f07426 |
+
|
|
|
f07426 |
+corenet_tcp_sendrecv_all_ports(passt_t)
|
|
|
f07426 |
+corenet_udp_sendrecv_all_ports(passt_t)
|
|
|
f07426 |
+
|
|
|
f07426 |
allow passt_t node_t:icmp_socket { name_bind node_bind };
|
|
|
f07426 |
+allow passt_t port_t:icmp_socket name_bind;
|
|
|
f07426 |
+
|
|
|
f07426 |
+allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
|
|
|
f07426 |
+allow passt_t self:udp_socket { create getopt setopt connect bind read write };
|
|
|
f07426 |
allow passt_t self:icmp_socket { bind create setopt read write };
|
|
|
f07426 |
|
|
|
f07426 |
allow passt_t user_tmp_t:dir { add_name write };
|
|
|
f07426 |
--
|
|
|
f07426 |
2.39.2
|
|
|
f07426 |
|