Date: Thu, 30 Oct 2025 09:43:46 +0100
From: Stefano Brivio
To: Danish Prakash
CC: Max Chernoff, passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro
Message-ID: <20251030094346.6431461e@elisabeth>
In-Reply-To: <3c6a267c-36e0-4925-b7af-cea641e3e6f0@danishpraka.sh>
References: <20251016074045.562352-1-contact@danishpraka.sh>
 <20251016102134.5e2edf04@elisabeth>
 <3aad50bb-aab8-423f-9730-21f9a3b3de78@danishpraka.sh>
 <20251027100721.46269f56@elisabeth>
 <20251029001704.43f73a42@elisabeth>
 <3c6a267c-36e0-4925-b7af-cea641e3e6f0@danishpraka.sh>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 30 Oct 2025 14:07:16 +0530
Danish Prakash wrote:

> On 10/29/25 4:47 AM, Stefano Brivio wrote:
> > On Tue, 28 Oct 2025 11:58:18 +0530
> > Danish Prakash wrote:
> >
> >> On 10/27/25 2:37 PM, Stefano Brivio wrote:
> >>> Hi Danish,
> >>>
> >>> On Mon, 27 Oct 2025 14:19:14 +0530
> >>> Danish Prakash wrote:
> >>>
> >>>> On 10/16/25 4:26 PM, Max Chernoff wrote:
> >>>>> Hi Stefano,
> >>>>>
> >>>>> On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:
> >>>>>> On Thu, 16 Oct 2025 13:10:41 +0530
> >>>>>> Danish Prakash wrote:
> >>>>>>> It might be possible to avoid using non-standard bash macro (%USERID),
> >>>>>
> >>>>> It's not a Bash macro, it's a SELinux template. This doesn't seem to be
> >>>>> documented anywhere (which isn't terribly surprising with SELinux), but
> >>>>> it's defined in this file:
> >>>>>
> >>>>> https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genhomedircon.c
> >>>>
> >>>> Thanks Max, I wasn't aware of it being an SELinux template.
> >>>>
> >>>>>
> >>>>>> I wonder if
> >>>>>> Max remembers any reason why we couldn't do this in the first place.
> >>>>>
> >>>>> The Fedora SELinux policy always uses %{USERID}, and so I copied it from
> >>>>> there:
> >>>>>
> >>>>> $ grep -RnF '%{USERID}' policy/
> >>>>> policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>>> policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>>> policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>>> policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
> >>>>> policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
> >>>>> policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
> >>>>> policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
> >>>>> policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <>
> >>>>> policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0)
> >>>>> policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <>
> >>>>>
> >>>>> $ grep -RnF '[0-9]+' policy/ | grep -v /dev/
> >>>>> policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
> >>>>> policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
> >>>>> policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices
> >>>>>
> >>>>>>> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> >>>>>>> index 663289f53d97..d1bcf4a74338 100644
> >>>>>>> --- a/contrib/fedora/passt.spec
> >>>>>>> +++ b/contrib/fedora/passt.spec
> >>>>>>> [...]
> >>>>>>
> >>>>>> At a glance, this looks like a better solution regardless of the
> >>>>>> reported issue. It sounds too good to be true, though
> >>>>>
> >>>>> I agree that it looks like a good solution, which makes me wonder why
> >>>>> the base SELinux policies don't do it that way. The containers SELinux
> >>>>> policy appears to do things this way
> >>>>>
> >>>>> $ grep -RnF '[0-9]+'
> >>>>> container_selinux.8:166: /run/user/[0-9]+/gvfs
> >>>>> $ grep -RnF '%{USERID}'; echo $?
> >>>>> 1
> >>>>>
> >>>>> so it's probably (?) okay though.
> >>>>
> >>>> That's helpful, I guess we can go ahead with this. Stefano, Paul?
> >>>
> >>> Sure. But back to my question about the original problem... what was
> >>> the original problem? :) Could it be something similar to:
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=2401764
> >>>
> >>> ?
> >>
> >> Ah, sorry about that. No, it's not a functionality issue or a bug. It
> >> was merely a few suggestions to improve the passt SUSE package from the
> >> SELinux team at SUSE. Here are the suggestions:
> >
> > Thanks for sharing those.
> >
> >> 1. building twice is quite a hack, setting a hardlink as in apparmor
> >> would probably work as well and is less confusing
> >
> > Details as to why it doesn't work:
> >
> > https://passt.top/passt/commit/?id=a405d0c026582375448fe87c6e440eb0fd428dd7
> >
> >> 2. running restorecon would be unnecessary if the passt upstream
> >> selinux module would not use ${USERID} in pasta.fc (gets converted to
> >> [0-9]+ anyway)
> >
> > Would you be so kind as to re-post this patch (Cc'ing Max and Paul) with
> > a commit message reflecting this, and without private links?
>
> Sent updated patch, I wonder why it didn't show up in this thread, I did
> include the message-id of the original message.

Because you're not subscribed to the list so I have to approve your posts
manually, which might take a few minutes / hours. I just did that.

> >> 3. there is a %selinux_requires macro in selinux-policy-devel that
> >> likely could be used instead of listing the Requires:, but okay we don't
> >> enforce that atm
> >>
> >> For #1 I can see that building twice is required in this case, and
> >> unlike apparmor which can work with hardlinks, doing the same for
> >> SELinux isn't possible with inodes in the picture.
> >
> > Right, yeah, it's because labels are stored in extended attributes, and
> > those belong to inodes, not paths.
> >
> >> #2 is what this patch is about, and #3 is SUSE-exclusive which I'm
> >> fixing in parallel.
> >
> > If I recall correctly, that part of openSUSE spec file is roughly taken
> > from:
> >
> > https://passt.top/passt/tree/contrib/fedora/passt.spec
> >
> > and I build openSUSE packages in my Copr repository too
> > (https://copr.fedorainfracloud.org/coprs/sbrivio/passt/), based on the
> > Fedora spec file.
> >
> > I'm not sure if it's useful for many people (one can try out an
> > upstream release right away like that) but it's almost zero effort on
> > my side. In any case, if the change also applies to Fedora or openSUSE
> > packages from Copr I guess it would be nice to have a patch for that as
> > well.
>
> Yes, the spec is taken from Fedora. And now that you mention it, I can
> see there's a similar %selinux_requires macro in Fedora as well--taken
> by openSUSE presumably. So I guess, I can send that change across as well.

Thanks, that would be nice.

> >>> In general, there are a bunch of current SELinux issues reported on
> >>> Fedora/RHEL (and I assume they would be exactly the same on
> >>> openSUSE/SLES):
> >>>
> >>> https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=short_desc%2Cchangeddate%2Cbug_severity&component=passt&product=Fedora
> >>>
> >>> and I'm trying to find out if this change might fix some of them. Most
> >>> of those are stuff I didn't investigate yet.
> >>>
> >>
> >> Unfortunately no, I was notified of a few spec-related errors from
> >> colleagues, but I'm sure the errors would overlap, as you said. If
> >> there's something I can help, please let me know, I'll be happy to
> >> contribute.
> >
> > Thanks. I still need to find a moment to go through all of them with a
> > bit more time and I'll let you know, in case.
> >
> > Well, of course, if you want to have a look meanwhile, that might help.
> > You would need an account at bugzilla.redhat.com to comment but, well, I
> > have an account on bugzilla.suse.com, so... :)

Happy to help, I'll create that coveted account :)

-- 
Stefano
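The thread's technical point is that the %{USERID} template in an .fc path regex is turned into [0-9]+ when the file contexts are generated, so writing the regex by hand labels exactly the same paths and the module stops depending on that expansion step. The script below is an added example written for this page, not passt's own code and not pasta.fc: it parses .fc entries, performs the template expansion the thread describes, rewrites a small constructed .fc body (assembled from the Fedora policy lines quoted in the thread), and checks which paths an entry covers. Two things are assumptions stated here rather than facts from the thread: that libselinux anchors each .fc regex at both ends of the path, and that Python's re module behaves like the PCRE dialect libselinux uses for these simple patterns.

```python
"""Added example: expand SELinux .fc %{USERID} templates into [0-9]+.

Not passt's code and not pasta.fc. The sample .fc body is constructed
from the Fedora policy lines quoted in the thread.
"""
import re

# The thread states that the template ends up as this regex once the
# file contexts are generated; the script takes that as given.
USERID_TEMPLATE = "%{USERID}"
USERID_REGEX = "[0-9]+"

# Constructed sample .fc body (userdomain.fc and dbus.fc lines from the thread).
SAMPLE_FC = """\
# constructed sample, not pasta.fc
/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0)
/run/user/%{USERID}/.+ <>
/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
"""

# <path regex> [<file type flag>] <context>; the flag is one of -b -c -d -l -p -s --
FC_LINE = re.compile(r"^(\S+)(?:\s+(-[-bcdlps]))?\s+(\S+)$")


def parse_fc_line(line):
    """Split one .fc entry into (path_regex, file_type_flag_or_None, context)."""
    m = FC_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a file-context entry: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def expand_userid(path_regex):
    """Replace the %{USERID} template with the explicit numeric-UID regex."""
    return path_regex.replace(USERID_TEMPLATE, USERID_REGEX)


def rewrite_fc(text):
    """Rewrite a whole .fc body so it no longer relies on template expansion.

    Comment and blank lines pass through unchanged; every entry gets its path
    regex expanded and is re-emitted with tab-separated fields.
    """
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        path_regex, flag, context = parse_fc_line(line)
        fields = [expand_userid(path_regex)]
        if flag:
            fields.append(flag)
        fields.append(context)
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"


def fc_matches(path_regex, path):
    """True if an .fc path regex covers `path`.

    Assumption: as in libselinux, the regex is anchored at both ends, so an
    entry covers a subtree only when it says so, e.g. with '(/.*)?'.
    """
    return re.fullmatch(path_regex, path) is not None


def matching_entries(text, path):
    """Contexts of every entry in `text` whose regex covers `path`, in file
    order. libselinux picks a single winner among these; this only lists
    the candidates so the effect of the rewrite is visible."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        path_regex, _flag, context = parse_fc_line(line)
        if fc_matches(path_regex, path):
            hits.append(context)
    return hits


if __name__ == "__main__":
    print(rewrite_fc(SAMPLE_FC))
    for p in ("/run/user/1000", "/run/user/1000/dbus/socket", "/run/user/alice/dbus"):
        print(p, "->", matching_entries(rewrite_fc(SAMPLE_FC), p))
```

Running the script prints the rewritten body and, for each sample path, the entries that cover it. The unexpanded template is just a literal string to the regex engine, so `/run/user/%{USERID}/dbus(/.*)?` matches nothing real until something expands it, while `/run/user/[0-9]+/dbus(/.*)?` covers `/run/user/1000/dbus` and everything below it but not `/run/user/1000/dbus-1`, which is why the dbus.fc lines quoted above carry a separate `dbus-1(/.*)?` entry.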