From: Danish Prakash
To: sbrivio@redhat.com
CC: passt-dev@passt.top, Danish Prakash
Subject: [PATCH] contrib/selinux: use regex instead of non-standard bash macro
Date: Thu, 16 Oct 2025 13:10:41 +0530
Message-ID: <20251016074045.562352-1-contact@danishpraka.sh>
List-Id: Development discussion and patches for passt

It might be possible to avoid using non-standard bash macro (%USERID), and instead using regex to match user ids. This would also mean discarding the explicit restorecon call while packaging[1].

[1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5

Link: https://bugzilla.suse.com/show_bug.cgi?id=1246291
Signed-off-by: Danish Prakash
--- contrib/fedora/passt.spec | 11 ----------- contrib/selinux/pasta.fc | 12 ++++++------ 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 663289f53d97..d1bcf4a74338 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec 
@@ -103,17 +103,6 @@ fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} -# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file -# (see selabel_file(5)) in order to restore only the file contexts which -# actually changed. However, as file_contexts doesn't support %{USERID} -# substitutions, this will not work for specific file contexts that pasta needs -# to have under /run/user. -# -# Restore those explicitly, hiding errors from restorecon(8): we can't pass a -# path that's more specific than this, but at the same time /run/user often -# contains FUSE mountpoints that can't be accessed as root, leading to -# "Permission denied" messages, but not failures. -restorecon -R /run/user 2>/dev/null %files %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt} diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e60c6148f412..82dbcbe2b75e 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc 
@@ -12,11 +12,11 @@ /usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 /tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 -/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 # In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) Podman falls # back to a location under /tmp -/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -- 2.51.0
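
Review bot: In the contrib/fedora/passt.spec hunk, dropping `restorecon -R /run/user 2>/dev/null` from %posttrans leaves %selinux_relabel_post as the only relabel step, and neither the hunk nor the commit message (which says only that it "might be possible") shows that this has been checked on a package upgrade. The removed comment explains that the relabel restores only file contexts that changed relative to the previous file_contexts, so please state how an upgrade from a build that still shipped the %{USERID} entries was tested, and that an existing /run/user/<uid>/netns ends up as ifconfig_var_run_t afterwards. The removed comment was also the only place recording why the explicit call existed; a sentence in the commit message on why it is now unnecessary would keep that history.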
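
Review bot: In the contrib/selinux/pasta.fc hunk, the four /tmp entries (`/tmp/storage-run-[0-9]+/...` and `/tmp/containers-user-[0-9]+/...`) now match any run of digits rather than a substituted user ID, and /tmp is world-writable, so a directory with any numeric suffix created there by any local user would receive ifconfig_var_run_t on a relabel. Please confirm that this broader match is intended and acceptable for the policy, or narrow it if not. A short comment above the `/run/user/[0-9]+/netns` line saying that `[0-9]+` stands in for the numeric UID, and why %{USERID} is avoided, would help future readers now that the explanatory comment in the spec file is gone.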