[PATCH] fedora: Separately restore context for /run/user in %posttrans selinux
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.
Add a separate restorecon(8) call for /run/user in the
post-transaction scriptlet for the SELinux subpackage.
Reported-by: Max Chernoff
Hi Stefano,

On Thu, 2025-05-22 at 23:13 +0200, Stefano Brivio wrote:
The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details.
Add a separate restorecon(8) call for /run/user in the post-transaction scriptlet for the SELinux subpackage.
I've tested this out and can confirm that it works, thanks.

Aside: what is the correct way to build passt rpms? "make pkgs" doesn't build the SELinux package, but I was eventually able to get the following to work:

$ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
$ xz passt-*.tar
$ mv *.tar.xz contrib/fedora/
$ cd contrib/fedora/
$ rpkg local --outdir $(realpath .)

Is there a way to do this without needing to manually create the .tar.xz archive first?

Thanks,
-- Max
On Thu, 22 May 2025 22:19:11 -0600, Max Chernoff wrote:
Hi Stefano,
On Thu, 2025-05-22 at 23:13 +0200, Stefano Brivio wrote:
The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details.
Add a separate restorecon(8) call for /run/user in the post-transaction scriptlet for the SELinux subpackage.
I've tested this out and can confirm that it works, thanks.
Thanks for testing! I'll apply both patches soon and make a new release within a few days, then we'll finally have the intended SELinux setup for pasta as well. I'm quite relieved about it. :)
Aside: what is the correct way to build passt rpms? "make pkgs" doesn't build the SELinux package,
Right, 'make pkgs' is just a quick hack to make static builds (which doesn't need a proper rpm / rpmbuild setup) and I build RPMs for releases and release testing via Koji / Copr, which source git snapshots anyway. For one-off builds:
but I was eventually able to get the following to work:
$ git archive --prefix=passt-$(git rev-parse @)/ @ > ./passt-$(git rev-parse @).tar
$ xz passt-*.tar
$ mv *.tar.xz contrib/fedora/
$ cd contrib/fedora/
$ rpkg local --outdir $(realpath .)
I actually do something like this, but uglier. I didn't think of using git-archive:

$ mkdir passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ cp -Rpd *.c *.h Makefile seccomp.sh passt.1 passt-repair.1 qrap.1 README.md doc/ contrib/ LICENSES/ passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ tar Jcvf /home/sbrivio/rpmbuild/SOURCES/passt-679cb68455a9ae40cc72233abf218c20527500a6.tar.xz passt-679cb68455a9ae40cc72233abf218c20527500a6/
$ cd contrib/fedora
$ rpkg spec /tmp/rpkg/passt-1-djdq6cud/passt.spec
$ rpmbuild -ba /tmp/rpkg/passt-1-djdq6cud/passt.spec
Is there a way to do this without needing to manually create the .tar.xz archive first?
We would need to replace %prep with a simple copy from the current directory. I didn't really think this through, but perhaps we could make it conditional, like this: diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 745cf01..f1973ee 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -47,7 +47,13 @@ Requires(preun): policycoreutils This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1). %prep +%if "%(ls passt.c)" == "passt.c" +# Hack for local build from source tree +cp -a %(pwd)/* . +%else +# The usual process with an upstream tarball %setup -q -n passt-%{git_hash} +%endif %build %set_build_flags ? Maybe there's a more common or idiomatic way though... -- Stefano
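Review bot: the condition `%if "%(ls passt.c)" == "passt.c"` in the %prep hunk is evaluated at spec parse time against whatever directory rpmbuild happens to be invoked from, not against the source tree, so it silently picks the "local" branch if any passt.c exists in the caller's cwd (and prints an `ls` error to stderr when it does not); the same applies to `cp -a %(pwd)/* .`. A more idiomatic and explicit switch is a build conditional, e.g. `%bcond_with localtree` at the top and `%if %{with localtree}` here, selected with `rpmbuild --with localtree`, which leaves the default tarball path untouched. Note also that the two branches leave the sources in different places: `%setup -q -n passt-%{git_hash}` defines %buildsubdir so %build runs inside that subdirectory, while the copy branch drops the files directly into %{_builddir}; both work, but the local variant shares %{_builddir} with any other build and does not get cleaned up the same way.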