Open mochaaP opened 6 months ago
Another option might be to transition to unconfined when forking an incubator / invoking dropPrivileges (see ssh/tailssh/incubator.go).
Temporarily addressed in https://github.com/mcha-forks/tailscale-selinux/commit/d4bc7698457c0a9eaaf200e388c3b4d444e9eee6
Currently, SFTP is (almost) unusable since we didn't grant most permissions for accessing files.
This might be a bad idea as the default if we gave unconfined filesystem permissions to tailscaled, so it'd better be an optional policy.