abhiseksanyal / tailscale-selinux-policy

SELinux policy for Tailscale
BSD 3-Clause "New" or "Revised" License

SFTP support #4

Open mochaaP opened 6 months ago

mochaaP commented 6 months ago

Currently, SFTP is (almost) unusable since we didn't grant most permissions for accessing files.

This might be a bad idea as the default if we gave unconfined filesystem permission to tailscaled, so it'd better be an optional policy.

mochaaP commented 6 months ago

Another option might be to transition to unconfined when forking an incubator / invoking dropPrivileges (see ssh/tailssh/incubator.go).

mochaaP commented 6 months ago

Temporarily addressed in https://github.com/mcha-forks/tailscale-selinux/commit/d4bc7698457c0a9eaaf200e388c3b4d444e9eee6