[PATCH] fedora: Replace pasta hard links by separate builds

[PATCH] fedora: Replace pasta hard links by separate builds

[Stefano Brivio]

The hard link trick didn't actually fix the issue with SELinux file
contexts properly: as opposed to symbolic links, SELinux now
correctly associates types to the labels that are set -- except that
those labels are now shared, so we can end up (depending on how
rpm(8) extracts the archives) with /usr/bin/passt having a
pasta_exec_t context.

This got rather confusing as running restorecon(8) seemed to fix up
labels -- but that's simply toggling between passt_exec_t and
pasta_exec_t for both links, because each invocation will just "fix"
the file with the mismatching context.

Replace the hard links with two separate builds of the binary, as
suggested by David. The build is reproducible, so we pass "-pasta" in
the VERSION for pasta's build. This is wasteful but better than the
alternative.

Just copying the binary over would otherwise cause issues with
debuginfo packages due to duplicate Build-IDs -- and rpmbuild(8) also
warns about them.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/fedora/passt.spec | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index d0c6895..825cd76 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -51,17 +51,27 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
 
 %build
 %set_build_flags
-%make_build VERSION="%{version}-%{release}.%{_arch}"
+# The Makefile creates symbolic links for pasta, but we need actual copies for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+# Build twice, changing the version string, to avoid duplicate Build-IDs.
+%make_build VERSION="%{version}-%{release}.%{_arch}-pasta"
+mv -f passt pasta
+%ifarch x86_64
+mv -f passt.avx2 pasta.avx2
+%make_build passt passt.avx2 VERSION="%{version}-%{release}.%{_arch}"
+%else
+%make_build passt VERSION="%{version}-%{release}.%{_arch}"
+%endif
 
 %install
+# Already built (not as symbolic links), see above
+touch pasta
+%ifarch x86_64
+touch pasta.avx2
+%endif
 
 %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
-# The Makefile creates symbolic links for pasta, but we need hard links for
-# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
-ln -f %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
 %ifarch x86_64
-ln -f %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
-
 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
 install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
-- 
@@ -51,17 +51,27 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
 
 %build
 %set_build_flags
-%make_build VERSION="%{version}-%{release}.%{_arch}"
+# The Makefile creates symbolic links for pasta, but we need actual copies for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+# Build twice, changing the version string, to avoid duplicate Build-IDs.
+%make_build VERSION="%{version}-%{release}.%{_arch}-pasta"
+mv -f passt pasta
+%ifarch x86_64
+mv -f passt.avx2 pasta.avx2
+%make_build passt passt.avx2 VERSION="%{version}-%{release}.%{_arch}"
+%else
+%make_build passt VERSION="%{version}-%{release}.%{_arch}"
+%endif
 
 %install
+# Already built (not as symbolic links), see above
+touch pasta
+%ifarch x86_64
+touch pasta.avx2
+%endif
 
 %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
-# The Makefile creates symbolic links for pasta, but we need hard links for
-# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
-ln -f %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
 %ifarch x86_64
-ln -f %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
-
 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
 install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
-- 
2.39.2