Date: Fri, 23 May 2025 14:19:07 +0200
From: Stefano Brivio
To: Max Chernoff
CC: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
Message-ID: <20250523141907.74aff624@elisabeth>

On Thu, 22 May 2025 22:19:11 -0600
Max Chernoff wrote:

> Hi Stefano,
>
> On Thu, 2025-05-22 at 23:13 +0200, Stefano Brivio wrote:
> > The previous change introduces specific file contexts for
> > /run/user/%{USERID}/netns and
> > /run/user/%{USERID}/containers/networks/rootless-netns, but
> > %selinux_relabel_post can't handle that, see comments for more
> > details.
> >
> > Add a separate restorecon(8) call for /run/user in the
> > post-transaction scriptlet for the SELinux subpackage.
>
> I've tested this out and can confirm that it works, thanks.

Thanks for testing! I'll apply both patches soon and make a new release
within a few days, then we'll finally have the intended SELinux setup
for pasta as well. I'm quite relieved about it. :)

> Aside: what is the correct way to build passt rpms? "make pkgs" doesn't
> build the SELinux package,

Right, 'make pkgs' is just a quick hack to make static builds (which
doesn't need a proper rpm / rpmbuild setup) and I build RPMs for
releases and release testing via Koji / Copr, which source git
snapshots anyway. For one-off builds:

> but I was eventually able to get the following to work:
>
>     $ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
>     $ xz passt-*.tar
>     $ mv *.tar.xz contrib/fedora/
>     $ cd contrib/fedora/
>     $ rpkg local --outdir $(realpath .)

I actually do something like this, but uglier. I didn't think of using
git-archive:

  $ mkdir passt-679cb68455a9ae40cc72233abf218c20527500a6/
  $ cp -Rpd *.c *.h Makefile seccomp.sh passt.1 passt-repair.1 qrap.1 README.md doc/ contrib/ LICENSES/ passt-679cb68455a9ae40cc72233abf218c20527500a6/
  $ tar Jcvf /home/sbrivio/rpmbuild/SOURCES/passt-679cb68455a9ae40cc72233abf218c20527500a6.tar.xz passt-679cb68455a9ae40cc72233abf218c20527500a6/
  $ cd contrib/fedora
  $ rpkg spec /tmp/rpkg/passt-1-djdq6cud/passt.spec
  $ rpmbuild -ba /tmp/rpkg/passt-1-djdq6cud/passt.spec

> Is there a way to do this without needing to manually create the .tar.xz
> archive first?

We would need to replace %prep with a simple copy from the current
directory. I didn't really think this through, but perhaps we could
make it conditional, like this:

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 745cf01..f1973ee 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -47,7 +47,13 @@ Requires(preun): policycoreutils This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1). %prep +%if "%(ls passt.c)" == "passt.c" +# Hack for local build from source tree +cp -a %(pwd)/* . +%else +# The usual process with an upstream tarball %setup -q -n passt-%{git_hash} +%endif %build %set_build_flags

?

Maybe there's a more common or idiomatic way though...

-- 
Stefano
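
Review bot: the '%if "%(ls passt.c)" == "passt.c"' test in %prep is evaluated in whatever directory rpmbuild or rpkg was started from when the spec is parsed, and both workflows shown above run 'cd contrib/fedora' first, where passt.c is not present, so the local branch would not be taken from there. On the regular tarball path the same test makes ls report a missing file on every parse. An explicit opt-in (a build conditional or a macro passed with --define) would be more predictable than probing the working directory; failing that, '%(test -f passt.c && echo 1)' avoids the stderr noise. In the local branch, 'cp -a %(pwd)/* .' skips dotfiles and copies any build artefacts lying in the tree, and unlike '%setup -q -n passt-%{git_hash}' it does not create and enter a passt-%{git_hash} directory, so %build would run directly in the top of the build directory. Creating and entering that directory before the copy would keep the two paths equivalent.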