passt, branch 2023_03_17.dd23496 Plug A Simple Socket Transport fedora: Refresh SELinux labels in scriptlets, require -selinux package 2023-03-17T07:26:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-16T19:51:23+00:00 dd2349661933c4e9756e524ae9465f38b53b7557 Instead of: https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft follow this: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy which seems to make more sense and fixes the issue that, on a fresh install, without a reboot, the file contexts for the binaries are not actually updated. In detail: - labels are refreshed using the selinux_relabel_pre and selinux_relabel_post on install, upgrade, and uninstall - use the selinux_modules_install and selinux_modules_uninstall macros, instead of calling 'semodule' directly (no functional changes in our case) - require the -selinux package on SELinux-enabled environments and if the current system policy is "targeted" Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Instead of:
  https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

follow this:
  https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

which seems to make more sense and fixes the issue that, on a fresh
install, without a reboot, the file contexts for the binaries are not
actually updated.

In detail:

- labels are refreshed using the selinux_relabel_pre and
  selinux_relabel_post on install, upgrade, and uninstall

- use the selinux_modules_install and selinux_modules_uninstall
  macros, instead of calling 'semodule' directly (no functional
  changes in our case)

- require the -selinux package on SELinux-enabled environments and if
  the current system policy is "targeted"

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Makefile: Enable external override for TARGET 2023-03-17T07:26:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-15T09:08:47+00:00 87a655045bf2631a10c44a3d41090bd289f34525 A cross-architecture build might pass a target-specific CC on 'make', and not on 'make install', and this is what happens in Debian cross-qa tests. Given that we select binaries to be installed depending on the target architecture, this means we would build AVX2 binaries in any case on a x86_64 build machine. By overriding TARGET in package build rules, we can tell the Makefile about the target architecture, also for the 'install' (Makefile) target. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
A cross-architecture build might pass a target-specific CC on 'make',
and not on 'make install', and this is what happens in Debian
cross-qa tests.

Given that we select binaries to be installed depending on the target
architecture, this means we would build AVX2 binaries in any case on
a x86_64 build machine.

By overriding TARGET in package build rules, we can tell the Makefile
about the target architecture, also for the 'install' (Makefile)
target.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
passt.1: Fix description of --mtu option 2023-03-17T07:26:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-15T09:06:50+00:00 7727804658bbdf06f27d916bf7d5382d714de337 By default, 65520 bytes are advertised, and zero disables DHCP and NDP options. Fixes: ec2b58ea4dc4 ("conf, dhcp, ndp: Fix message about default MTU, make NDP consistent") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
By default, 65520 bytes are advertised, and zero disables DHCP and
NDP options.

Fixes: ec2b58ea4dc4 ("conf, dhcp, ndp: Fix message about default MTU, make NDP consistent")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
log: Avoid time_t/__syscall_slong_t format mismatch with long int on X32 ABI 2023-03-17T07:25:56+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T22:15:35+00:00 4e6178fd4660ae85f079e7f34f14525324e1f3ba On X32 (ILP32 using AMD64 system call ABI) and glibc, struct timespec::tv_nsec is __syscall_slong_t and not a long int, see also https://sourceware.org/bugzilla/show_bug.cgi?id=16437 and timespec(3type). Fine, we could cast that down to long and be done with it. But it turns out that also time_t (not guaranteed to be equivalent to any type) is a long long int, and there we can't downcast. To keep it simple, cast both to long long int, and change formats to %lli, to avoid format warnings from gcc. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
On X32 (ILP32 using AMD64 system call ABI) and glibc,
struct timespec::tv_nsec is __syscall_slong_t and not a long int, see
also https://sourceware.org/bugzilla/show_bug.cgi?id=16437 and
timespec(3type). Fine, we could cast that down to long and be done
with it.

But it turns out that also time_t (not guaranteed to be equivalent to
any type) is a long long int, and there we can't downcast.

To keep it simple, cast both to long long int, and change formats to
%lli, to avoid format warnings from gcc.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
fedora: Install SELinux interface files to shared include directory 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T18:10:01+00:00 70c0765b49e19b76639908a7686d8f795ba3ed24 Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Split interfaces into smaller bits 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T17:00:31+00:00 93105ea06619d4c199f8140f4b75ae359757dc6d ...to fit accepted Fedora practices. Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
...to fit accepted Fedora practices.

Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop unused passt_read_data() interface 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:37+00:00 dcdc50fc2251339d6e929f708fad114e61b60627 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop "example" from headers: this is the actual policy 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:14+00:00 9f35cf0b11891e9dfb12eeb5d52f728881f84967 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
README: Update Features section, plus minor improvements 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:43:10+00:00 7c7625ddff10e10a7486622b25e3a66bfcdd6c8b ...it's been a while. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
...it's been a while.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
contrib: Drop libvirt out-of-tree patch, integration mostly works in 9.1.0 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:47:19+00:00 294d6dc4c69d6ac8c51480e967d06da1f395d814 ...and in any case, this patch doesn't offer any advantage over the current upstream integration. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
...and in any case, this patch doesn't offer any advantage over the
current upstream integration.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>