On Wed, 16 Aug 2023 10:03:08 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:

> On Wed, Aug 16, 2023 at 08:00:32AM +0200, Stefano Brivio wrote:
> > The Makefile installs symbolic links by default, which actually
> > worked at some point (not by design) with SELinux, but at least on
> > recent kernel versions it doesn't anymore: override pasta (and
> > pasta.avx2) with hard links.
> >
> > Otherwise, even if the links are labeled as pasta_exec_t, SELinux
> > will "resolve" them to passt_exec_t, and we'll have pasta running as
> > passt_t instead of pasta_t.
>
> The patch and this cover note don't seem to do the same thing. It
> appears to copy the binary, not make a hard link. (The comment in the
> spec file seems to be correct.)

Gosh, thanks for noticing, I sent out the wrong version. :/ That was another option that luckily we can avoid with hard links. I'll re-post in a bit.

With a copy, by the way, we would have duplicate build-IDs in the RPM, and rpmtool would issue warnings (possibly problematic for debugging packages, I'm not sure).

> It does appear to be possible to label symbolic links:
>
>   $ touch test1
>   $ chcon system_u:object_r:bin_t:s0 test1
>   $ ln -s test1 test2
>   $ chcon -h system_u:object_r:tmp_t:s0 test2
>   $ ll -Z test1 test2
>   -rw-r--r--. 1 rjones rjones system_u:object_r:bin_t:s0 0 Aug 16 10:00 test1
>   lrwxrwxrwx. 1 rjones rjones system_u:object_r:tmp_t:s0 5 Aug 16 10:00 test2 -> test1
>
> (which surprised me). But I don't know if SELinux does the right
> thing or not in this case, or if something has changed in the kernel,
> so I can't comment if copying is right or not.

Right, yes, that's what we had before -- symbolic links with the "right" labels, but it stopped working a while ago (bisecting not really convenient, and it wasn't intended to work anyway, so whatever).

-- 
Stefano
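
Added example (not part of the original message, nor code from the passt spec file or Makefile): a small shell check that tells apart the three ways discussed in this thread of providing a second binary name, namely symbolic link, hard link and copy, and prints the SELinux context stored on each path. The function names, file names and scratch directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the passt spec file or Makefile.
# link_kind PRIMARY ALIAS prints: symlink, hardlink, copy, unrelated or missing.
link_kind() {
    primary=$1
    alias_path=$2
    # Test -L first: every other file test follows symbolic links.
    if [ -L "$alias_path" ]; then
        echo symlink
    elif [ ! -e "$primary" ] || [ ! -e "$alias_path" ]; then
        echo missing
    # Same device and inode: two names for one file.
    elif [ "$primary" -ef "$alias_path" ]; then
        echo hardlink
    # Distinct inodes, identical bytes: the copy case, which the message
    # says would put duplicate build-IDs in the RPM.
    elif cmp -s "$primary" "$alias_path"; then
        echo copy
    else
        echo unrelated
    fi
}

# Show the context stored on each path itself, as `ll -Z` does in the thread
# (-d keeps ls from following a symlink named on the command line).
show_contexts() {
    for p in "$@"; do
        ls -dZ -- "$p" 2>/dev/null || echo "? $p"
    done
}

# Constructed demo in a scratch directory; file names are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed binary\n' > "$d/passt"
    ln -s passt "$d/pasta.symlink"
    ln "$d/passt" "$d/pasta.hardlink"
    cp "$d/passt" "$d/pasta.copy"
    for f in pasta.symlink pasta.hardlink pasta.copy; do
        printf '%s: %s\n' "$f" "$(link_kind "$d/passt" "$d/$f")"
    done
    show_contexts "$d/passt" "$d/pasta.symlink"
    rm -rf "$d"
}
demo
```

Run against an installed package, `link_kind` takes the two installed paths as arguments, for example from a `%check` section or a post-install test.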