* [PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
@ 2025-05-22 21:13 Stefano Brivio
From: Stefano Brivio @ 2025-05-22 21:13 UTC (permalink / raw)
To: passt-dev; +Cc: Max Chernoff, Paul Holzinger
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.
Add a separate restorecon(8) call for /run/user in the
post-transaction scriptlet for the SELinux subpackage.
Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
This should be applied on top of Max's:
[PATCH v3 1/1] selinux: Transition to pasta_t in containers
contrib/fedora/passt.spec | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 745cf01..5aaf7ac 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -102,6 +102,12 @@ fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
+# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file
+# (see selabel_file(5)) in order to restore only the file contexts which
+# actually changed. However, as file_contexts doesn't support %{USERID}
+# substitutions, this will not work for specific file contexts that pasta needs
+# to have under /run/user. Restore those explicitly.
+restorecon -R /run/user
%files
%license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
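Review bot: `restorecon -R /run/user` runs unconditionally and its exit status becomes the scriptlet's, so on a host where /run/user is absent (image or chroot installs) the %posttrans would report an error; `restorecon -R /run/user 2>/dev/null || :` keeps the transaction quiet there. The comment names only the two %{USERID} paths, while the call relabels every user's runtime directory; one sentence saying that the wider scope is deliberate, because file_contexts cannot express the %{USERID} part and the per-user paths are therefore not known in advance, would save the next reader the question.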
--
2.43.0
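As an added example (not part of the patch or of the passt project), a post-install check for the situation the commit message describes: dry-run restorecon over /run/user and list entries whose type would still change, i.e. contexts the %posttrans did not apply. It assumes restorecon's verbose "Would relabel PATH from OLD to NEW" output format; the sample lines and the EXAMPLE_netns_t type are constructed.

```shell
#!/bin/sh
# Added example, not from the passt patch or project. Parses the output of
# "restorecon -R -n -v" (assumed format: "Would relabel PATH from OLD to NEW")
# and reports, for entries under a prefix, the old and new SELinux types.

# Read restorecon -nv output on stdin; print "PATH OLD_TYPE NEW_TYPE" for each
# entry below $1 that would be relabelled.
report_pending_relabels() {
    prefix=$1
    while IFS= read -r line; do
        case $line in
            "Would relabel $prefix"*" from "*" to "*) ;;
            *) continue ;;
        esac
        rest=${line#Would relabel }
        path=${rest%% from *}
        rest=${rest#* from }
        old=${rest%% to *}
        new=${rest#* to }
        # A context is user:role:type:level; the type is what restorecon fixes.
        old_type=$(printf '%s' "$old" | cut -d: -f3)
        new_type=$(printf '%s' "$new" | cut -d: -f3)
        printf '%s %s %s\n' "$path" "$old_type" "$new_type"
    done
}

# Live check (needs root and an SELinux-enabled host): succeed only if nothing
# under /run/user would still be relabelled after the package scriptlets ran.
check_run_user_labels() {
    out=$(restorecon -R -n -v /run/user 2>/dev/null | report_pending_relabels /run/user)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of restorecon -nv output for offline use. EXAMPLE_netns_t
# stands in for whatever type the passt policy assigns to the netns paths.
SAMPLE='Would relabel /run/user/1000/netns from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:EXAMPLE_netns_t:s0
Would relabel /tmp/foo from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:tmp_t:s0'
```

Run `check_run_user_labels` as root after upgrading the SELinux subpackage; a non-zero exit lists the paths whose label the scriptlet did not restore.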
* Re: [PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
@ 2025-05-23 4:19 ` Max Chernoff
From: Max Chernoff @ 2025-05-23 4:19 UTC (permalink / raw)
To: Stefano Brivio, passt-dev; +Cc: Max Chernoff, Paul Holzinger
Hi Stefano,
On Thu, 2025-05-22 at 23:13 +0200, Stefano Brivio wrote:
> The previous change introduces specific file contexts for
> /run/user/%{USERID}/netns and
> /run/user/%{USERID}/containers/networks/rootless-netns, but
> %selinux_relabel_post can't handle that, see comments for more
> details.
>
> Add a separate restorecon(8) call for /run/user in the
> post-transaction scriptlet for the SELinux subpackage.
I've tested this out and can confirm that it works, thanks.
Aside: what is the correct way to build passt rpms? "make pkgs" doesn't
build the SELinux package, but I was eventually able to get the
following to work:
$ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
$ xz passt-*.tar
$ mv *.tar.xz contrib/fedora/
$ cd contrib/fedora/
$ rpkg local --outdir $(realpath .)
Is there a way to do this without needing to manually create the .tar.xz
archive first?
Thanks,
-- Max
* Re: [PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
@ 2025-05-23 12:19 ` Stefano Brivio
From: Stefano Brivio @ 2025-05-23 12:19 UTC (permalink / raw)
To: Max Chernoff; +Cc: passt-dev, Paul Holzinger
On Thu, 22 May 2025 22:19:11 -0600
Max Chernoff <git@maxchernoff.ca> wrote:
> Hi Stefano,
>
> On Thu, 2025-05-22 at 23:13 +0200, Stefano Brivio wrote:
> > The previous change introduces specific file contexts for
> > /run/user/%{USERID}/netns and
> > /run/user/%{USERID}/containers/networks/rootless-netns, but
> > %selinux_relabel_post can't handle that, see comments for more
> > details.
> >
> > Add a separate restorecon(8) call for /run/user in the
> > post-transaction scriptlet for the SELinux subpackage.
>
> I've tested this out and can confirm that it works, thanks.
Thanks for testing! I'll apply both patches soon and make a new release
within a few days, then we'll finally have the intended SELinux setup
for pasta as well. I'm quite relieved about it. :)
> Aside: what is the correct way to build passt rpms? "make pkgs" doesn't
> build the SELinux package,
Right, 'make pkgs' is just a quick hack to make static builds (which
doesn't need a proper rpm / rpmbuild setup) and I build RPMs for releases
and release testing via Koji / Copr, which source git snapshots anyway.
For one-off builds:
> but I was eventually able to get the following to work:
>
> $ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
> $ xz passt-*.tar
> $ mv *.tar.xz contrib/fedora/
> $ cd contrib/fedora/
> $ rpkg local --outdir $(realpath .)
I actually do something like this, but uglier. I didn't think of using
git-archive:
$ mkdir passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ cp -Rpd *.c *.h Makefile seccomp.sh passt.1 passt-repair.1 qrap.1 README.md doc/ contrib/ LICENSES/ passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ tar Jcvf /home/sbrivio/rpmbuild/SOURCES/passt-679cb68455a9ae40cc72233abf218c20527500a6.tar.xz passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ cd contrib/fedora
$ rpkg spec
/tmp/rpkg/passt-1-djdq6cud/passt.spec
$ rpmbuild -ba /tmp/rpkg/passt-1-djdq6cud/passt.spec
> Is there a way to do this without needing to manually create the .tar.xz
> archive first?
We would need to replace %prep with a simple copy from the current
directory. I didn't really think this through, but perhaps we could
make it conditional, like this:
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 745cf01..f1973ee 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -47,7 +47,13 @@ Requires(preun): policycoreutils
This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
%prep
+%if "%(ls passt.c)" == "passt.c"
+# Hack for local build from source tree
+cp -a %(pwd)/* .
+%else
+# The usual process with an upstream tarball
%setup -q -n passt-%{git_hash}
+%endif
%build
%set_build_flags
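Review bot: `%if "%(ls passt.c)" == "passt.c"` probes the invoking directory at spec parse time, so the same spec builds differently depending on where rpmbuild is started, and `ls` writes a "cannot access" error to stderr on every normal tarball build; an explicit switch such as `%if 0%{?local_build}` set with `--define 'local_build 1'` (hypothetical name) would make the choice visible on the command line instead. `cp -a %(pwd)/* .` also copies whatever is in the tree, including objects and binaries left by a previous `make`, so a `make clean` beforehand or an exclude list would keep the local build from picking up stale artifacts.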
?
Maybe there's a more common or idiomatic way though...
--
Stefano
* Re: [PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
@ 2025-05-24 7:07 ` Max Chernoff
From: Max Chernoff @ 2025-05-24 7:07 UTC (permalink / raw)
To: Stefano Brivio, Max Chernoff; +Cc: passt-dev, Paul Holzinger
Hi Stefano,
On Fri, 2025-05-23 at 14:19 +0200, Stefano Brivio wrote:
> For one-off builds:
>
> > but I was eventually able to get the following to work:
> >
> > $ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
> > $ xz passt-*.tar
> > $ mv *.tar.xz contrib/fedora/
> > $ cd contrib/fedora/
> > $ rpkg local --outdir $(realpath .)
>
> I actually do something like this, but uglier. I didn't think of using
> git-archive:
>
> $ mkdir passt-679cb68455a9ae40cc72233abf218c20527500a6/
> $ cp -Rpd *.c *.h Makefile seccomp.sh passt.1 passt-repair.1 qrap.1 README.md doc/ contrib/ LICENSES/ passt-679cb68455a9ae40cc72233abf218c20527500a6/
> $ tar Jcvf /home/sbrivio/rpmbuild/SOURCES/passt-679cb68455a9ae40cc72233abf218c20527500a6.tar.xz passt-679cb68455a9ae40cc72233abf218c20527500a6/
> $ cd contrib/fedora
> $ rpkg spec
> /tmp/rpkg/passt-1-djdq6cud/passt.spec
> $ rpmbuild -ba /tmp/rpkg/passt-1-djdq6cud/passt.spec
Ah, I've never built an rpm package before, so I figured that I was just
missing something obvious.
> We would need to replace %prep with a simple copy from the current
> directory. I didn't really think this through, but perhaps we could
> make it conditional, like this:
>
> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> index 745cf01..f1973ee 100644
> --- a/contrib/fedora/passt.spec
> +++ b/contrib/fedora/passt.spec
> @@ -47,7 +47,13 @@ Requires(preun): policycoreutils
> This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
>
> %prep
> +%if "%(ls passt.c)" == "passt.c"
> +# Hack for local build from source tree
> +cp -a %(pwd)/* .
> +%else
> +# The usual process with an upstream tarball
> %setup -q -n passt-%{git_hash}
> +%endif
>
> %build
> %set_build_flags
I also needed to add "touch ../passt-%{git_hash}.tar.xz" (which is an
awful hack) for it to work properly:
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 5aaf7ac..02dab93 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -47,7 +47,14 @@ Requires(preun): policycoreutils
This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
%prep
+%if "%(ls passt.c)" == "passt.c"
+# Hack for local build from source tree
+cp -a %(pwd)/* .
+touch ../passt-%{git_hash}.tar.xz
+%else
+# The usual process with an upstream tarball
%setup -q -n passt-%{git_hash}
+%endif
%build
%set_build_flags
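Review bot: the `touch ../passt-%{git_hash}.tar.xz` is not explained in the hunk; the comment should say that it creates an empty stand-in for the Source0 file so the rest of the build does not stop on the missing tarball, and that the `..` relies on %prep's working directory sitting next to where rpmbuild looks up sources, which is a property of the local topdir layout rather than of the spec. The empty file is also left behind under a name that looks like a real snapshot archive, so it is worth naming that side effect in the comment so nobody later mistakes it for a downloaded source.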
Thanks,
-- Max