From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ZFxh5AKo;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTPS id B7E935A0619
	for <passt-dev@passt.top>; Thu, 16 Oct 2025 10:21:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1760602900;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=kkiXfqbPwWrM+ZVFDV/Or/5oT3mUQZNvqW/kNL7nGtc=;
	b=ZFxh5AKooA7uQbConkK7hpA7Fpqx7VkBSjbpYnA2MaT+mK7YjhIcbOyDGGLoGo32wA74wX
	kUuM3f9UuJDmrU6Cs3hZQS4D8528LCotjnJl3s/ilXPJXWTaBLHE5P+cE7HxioVB+knUCr
	EP750jvESJvu7OD4mxO1kCkZ+iWu6gw=
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com
 [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-695-RAVSsBLQOwmOOHZOVIIlWA-1; Thu, 16 Oct 2025 04:21:38 -0400
X-MC-Unique: RAVSsBLQOwmOOHZOVIIlWA-1
X-Mimecast-MFC-AGG-ID: RAVSsBLQOwmOOHZOVIIlWA_1760602898
Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-427015f63faso192387f8f.0
        for <passt-dev@passt.top>; Thu, 16 Oct 2025 01:21:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760602898; x=1761207698;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=kkiXfqbPwWrM+ZVFDV/Or/5oT3mUQZNvqW/kNL7nGtc=;
        b=D3rL3TfUOzQWIVp0T+EO3Bgfqwhl+Er13U2dGZoMBuB3Y9/xQrUwAcAB75t3m9CYSP
         neF3rpcCU9BOm2y2qJ4vkFhcptJ9qHaU3BzRJRauIKkiyOsqFQ3SlmlUUSZXK4Bg4i/i
         8+5pt2HzQnTrrWAtVIduoam+1CQGwRowaRpqx8oPmWAYr1VM5HOkhhS3Q3TvGUDV6Rlm
         elDcuiWf0DQuXJjb3yEW06QDxlElGX0PM3DTIYmnpI7ocrd4qMxkieUUK8zkCPilcLKs
         Q9CvUcG1HdzQrOTKv8mq548VzwleRrMzYRD3IL5WNQ98CPAlL8aImyjfAJNIZsROZTu5
         ScwA==
X-Gm-Message-State: AOJu0YwIsJ6Y/IGIdFnsBcjAMQCfMuT9HRHYS1ZfZGcFSdb8CGuL2t0g
	V62BWk9QYK/MWHnoJ6dyEXv53+L/ZSmlBZ/jMHCA6lbvB5B5f2ijX3o5W+sWYO31w29kG11ou3H
	iMtilxEf8Gpyeynya6uU4s0u6nwomW0Kc6tG8xtfM4BuzKbj3XNeXRg==
X-Gm-Gg: ASbGnct/jKE67Htt4rOPr0PqNzD2j2xq9kALH6vVSQuALzNFC1EsYhHjcCTWKi8Qgol
	RyUo00qUn4+VwOILb4JZDjNFLbpcOL1OyrVTZZnyvQC0RZxLNtJCMYGDYcaj7QKcClpYZij1Hi5
	dNCTm5rbJbEQcJ0nuNA9ldyrowo7D4M6stB2dqTdSeE8K+siDyNwnpKplCEvmNzmPCk7rGaW8xM
	3t5o55u1F6uZy4DNeoFc7U+sfNKg4XwAmJ6fuhVovogvVmuNAG0VLjugzZaqefh8D+0yA8cIzPM
	aNPZYG7AjRQNfhKaa9k7kQf0DmuxyCdA3gZfvFzrGa3dLPQdqmUNrMJW1rhVPoqlFNfGEM071FV
	mw5xsBey4iQ==
X-Received: by 2002:a05:6000:1a8a:b0:3f1:ee44:8bf6 with SMTP id ffacd0b85a97d-4266e8de00emr19563387f8f.51.1760602897664;
        Thu, 16 Oct 2025 01:21:37 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF5Ep/HCg6Ja321tOk+eFMwjYK9lKMbw6dksLi/T3rZQIWneCEkOa/mWc5Yo+SGrl9CsshtNg==
X-Received: by 2002:a05:6000:1a8a:b0:3f1:ee44:8bf6 with SMTP id ffacd0b85a97d-4266e8de00emr19563357f8f.51.1760602897069;
        Thu, 16 Oct 2025 01:21:37 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4710ed4b47fsm13716595e9.4.2025.10.16.01.21.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 01:21:36 -0700 (PDT)
Date: Thu, 16 Oct 2025 10:21:34 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Danish Prakash <contact@danishpraka.sh>
Subject: Re: [PATCH] contrib/selinux: use regex instead of non-standard bash
 macro
Message-ID: <20251016102134.5e2edf04@elisabeth>
In-Reply-To: <20251016074045.562352-1-contact@danishpraka.sh>
References: <20251016074045.562352-1-contact@danishpraka.sh>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 44igkWXjxbf6RJyMEPDpOg4F8FDf8mVKpvmODjzrRU8_1760602898
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: THTMRZXNF3G7CZSVGBBA6SFPSE5TMTPA
X-Message-ID-Hash: THTMRZXNF3G7CZSVGBBA6SFPSE5TMTPA
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Max Chernoff <git@maxchernoff.ca>, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20251016102134.5e2edf04@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/THTMRZXNF3G7CZSVGBBA6SFPSE5TMTPA/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

[Cc'ing Max and Paul for awareness]

Hi Danish,

On Thu, 16 Oct 2025 13:10:41 +0530
Danish Prakash <contact@danishpraka.sh> wrote:

> It might be possible to avoid using non-standard bash macro (%USERID),
> and instead using regex to match user ids. This would also mean
> discarding the explicit restorecon call while packaging[1].
> 
> [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5
> 
> Link: https://bugzilla.suse.com/show_bug.cgi?id=1246291

Thanks for the patch. This link is private. Would you mind making a copy
with the essential information in another ticket, or file a different
ticket somewhere else (bugs.passt.top, or Podman's tracker...)?

> Signed-off-by: Danish Prakash <contact@danishpraka.sh>
> ---
>  contrib/fedora/passt.spec | 11 -----------
>  contrib/selinux/pasta.fc  | 12 ++++++------
>  2 files changed, 6 insertions(+), 17 deletions(-)
> 
> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> index 663289f53d97..d1bcf4a74338 100644
> --- a/contrib/fedora/passt.spec
> +++ b/contrib/fedora/passt.spec
> @@ -103,17 +103,6 @@ fi
>  
>  %posttrans selinux
>  %selinux_relabel_post -s %{selinuxtype}
> -# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file
> -# (see selabel_file(5)) in order to restore only the file contexts which
> -# actually changed. However, as file_contexts doesn't support %{USERID}
> -# substitutions, this will not work for specific file contexts that pasta needs
> -# to have under /run/user.
> -#
> -# Restore those explicitly, hiding errors from restorecon(8): we can't pass a
> -# path that's more specific than this, but at the same time /run/user often
> -# contains FUSE mountpoints that can't be accessed as root, leading to
> -# "Permission denied" messages, but not failures.
> -restorecon -R /run/user 2>/dev/null
>  
>  %files
>  %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
> diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
> index e60c6148f412..82dbcbe2b75e 100644
> --- a/contrib/selinux/pasta.fc
> +++ b/contrib/selinux/pasta.fc
> @@ -12,11 +12,11 @@
>  /usr/bin/pasta.avx2					system_u:object_r:pasta_exec_t:s0
>  /tmp/pasta\.pcap					system_u:object_r:pasta_log_t:s0
>  /var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
> -/run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
> -/run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
> +/run/user/[0-9]+/netns				system_u:object_r:ifconfig_var_run_t:s0
> +/run/user/[0-9]+/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
>  # In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) Podman falls
>  # back to a location under /tmp
> -/tmp/storage-run-%{USERID}/netns					system_u:object_r:ifconfig_var_run_t:s0
> -/tmp/storage-run-%{USERID}/containers/networks/rootless-netns		system_u:object_r:ifconfig_var_run_t:s0
> -/tmp/containers-user-%{USERID}/netns					system_u:object_r:ifconfig_var_run_t:s0
> -/tmp/containers-user-%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/storage-run-[0-9]+/netns					system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/storage-run-[0-9]+/containers/networks/rootless-netns		system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/containers-user-[0-9]+/netns					system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/containers-user-[0-9]+/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0

At a glance, this looks like a better solution regardless of the
reported issue. It sounds too good to be true, though, so I wonder if
Max remembers any reason why we couldn't do this in the first place.

-- 
Stefano