passt/contrib/fedora, branch 2025_06_06.754c6d7 Plug A Simple Socket Transport fedora: Depend on SELinux tools and policy version, drop circular dependency 2025-06-06T08:46:40+00:00 Vit Mojzis vmojzis@redhat.com 2025-05-30T16:37:46+00:00 a2088fef360ee262c19186470d63875b32f80917 From an original patch by Vit Mojzis: add dependencies on SELinux userspace tools and recommend the latest available version of the policy as of now. Drop circular dependency between passt and passt-selinux: passt requires passt-selinux, so passt-selinux shouldn't require passt. Link: https://src.fedoraproject.org/rpms/passt/pull-request/3 Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
From an original patch by Vit Mojzis: add dependencies on SELinux
userspace tools and recommend the latest available version of the
policy as of now.

Drop circular dependency between passt and passt-selinux: passt
requires passt-selinux, so passt-selinux shouldn't require passt.

Link: https://src.fedoraproject.org/rpms/passt/pull-request/3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Call %selinux_modules_* macros only once 2025-06-06T08:46:40+00:00 Petr Lautrbach lautrbach@redhat.com 2025-05-30T08:09:14+00:00 d21bcd9f7c70d1be09a923ad366cdf883112e431 %selinux_modules_* macros has `-i %*` so that it can be used for multiple modules at once. This will improve the performace of the package (un)installation. $ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm real 49.09 user 44.16 sys 4.37 $ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm real 17.03 user 15.06 sys 1.83 Reported-by: Richard W.M. Jones <rjones@redhat.com> Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/ Link: https://src.fedoraproject.org/rpms/passt/pull-request/2 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
%selinux_modules_* macros has `-i %*` so that it can be used for
multiple modules at once. This will improve the performace of the
package (un)installation.

$ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm
real 49.09
user 44.16
sys 4.37

$ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm
real 17.03
user 15.06
sys 1.83

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/
Link: https://src.fedoraproject.org/rpms/passt/pull-request/2
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Separately restore context for /run/user in %posttrans selinux 2025-06-04T10:24:13+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-22T21:04:15+00:00 e019323538699967c155c29411545223dadfc0f5 The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details. Add a separate restorecon(8) call for /run/user as post-transaction scriptlet for the SELinux subpackage. Reported-by: Max Chernoff <git@maxchernoff.ca> Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.

Add a separate restorecon(8) call for /run/user as post-transaction
scriptlet for the SELinux subpackage.

Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
contrib/fedora: Actually install passt-repair SELinux policy file 2025-02-19T22:33:53+00:00 Stefano Brivio sbrivio@redhat.com 2025-02-18T08:49:40+00:00 4dac2351fae5534c01e144273f849ce9ece0dca7 Otherwise we build it, but we don't install it. Not an issue that warrants a a release right away as it's anyway usable. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Otherwise we build it, but we don't install it. Not an issue that
warrants a a release right away as it's anyway usable.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Introduce passt-repair 2025-02-04T00:28:04+00:00 Stefano Brivio sbrivio@redhat.com 2025-01-27T23:03:13+00:00 8c24301462c39027e6eb6f1ad56c1f6c83fb0c23 A privileged helper to set/clear TCP_REPAIR on sockets on behalf of passt. Not used yet. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
A privileged helper to set/clear TCP_REPAIR on sockets on behalf of
passt. Not used yet.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora/rpkg: List myself as author for changelog entries 2024-07-26T14:40:41+00:00 Stefano Brivio sbrivio@redhat.com 2024-07-26T14:40:41+00:00 f87b11c7be735d9d8d5267ae575d890b4226fb02 ...instead of the latest author for contrib/fedora. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
...instead of the latest author for contrib/fedora.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Switch license identifier to SPDX 2024-03-18T07:57:47+00:00 Dan Čermák dan.cermak@cgc-instruments.com 2024-03-14T08:38:09+00:00 615d370ca2710d54869e128f176e3ba6e2fccf6b The spec file patch by Dan Čermák was originally contributed at: https://src.fedoraproject.org/rpms/passt/pull-request/1 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
The spec file patch by Dan Čermák was originally contributed at:
  https://src.fedoraproject.org/rpms/passt/pull-request/1

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
fedora: Replace pasta hard links by separate builds 2023-09-06T23:57:00+00:00 Stefano Brivio sbrivio@redhat.com 2023-09-06T23:57:00+00:00 a405d0c026582375448fe87c6e440eb0fd428dd7 The hard link trick didn't actually fix the issue with SELinux file contexts properly: as opposed to symbolic links, SELinux now correctly associates types to the labels that are set -- except that those labels are now shared, so we can end up (depending on how rpm(8) extracts the archives) with /usr/bin/passt having a pasta_exec_t context. This got rather confusing as running restorecon(8) seemed to fix up labels -- but that's simply toggling between passt_exec_t and pasta_exec_t for both links, because each invocation will just "fix" the file with the mismatching context. Replace the hard links with two separate builds of the binary, as suggested by David. The build is reproducible, so we pass "-pasta" in the VERSION for pasta's build. This is wasteful but better than the alternative. Just copying the binary over would otherwise cause issues with debuginfo packages due to duplicate Build-IDs -- and rpmbuild(8) also warns about them. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The hard link trick didn't actually fix the issue with SELinux file
contexts properly: as opposed to symbolic links, SELinux now
correctly associates types to the labels that are set -- except that
those labels are now shared, so we can end up (depending on how
rpm(8) extracts the archives) with /usr/bin/passt having a
pasta_exec_t context.

This got rather confusing as running restorecon(8) seemed to fix up
labels -- but that's simply toggling between passt_exec_t and
pasta_exec_t for both links, because each invocation will just "fix"
the file with the mismatching context.

Replace the hard links with two separate builds of the binary, as
suggested by David. The build is reproducible, so we pass "-pasta" in
the VERSION for pasta's build. This is wasteful but better than the
alternative.

Just copying the binary over would otherwise cause issues with
debuginfo packages due to duplicate Build-IDs -- and rpmbuild(8) also
warns about them.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Install pasta as hard link to ensure SELinux file context match 2023-08-18T11:18:34+00:00 Stefano Brivio sbrivio@redhat.com 2023-08-15T16:22:02+00:00 479a9e1b4d9b4e426754b44fb767d252ca144e0f The Makefile installs symbolic links by default, which actually worked at some point (not by design) with SELinux, but at least on recent kernel versions it doesn't anymore: override pasta (and pasta.avx2) with hard links. Otherwise, even if the links are labeled as pasta_exec_t, SELinux will "resolve" them to passt_exec_t, and we'll have pasta running as passt_t instead of pasta_t. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Richard W.M. Jones <rjones@redhat.com> 
The Makefile installs symbolic links by default, which actually
worked at some point (not by design) with SELinux, but at least on
recent kernel versions it doesn't anymore: override pasta (and
pasta.avx2) with hard links.

Otherwise, even if the links are labeled as pasta_exec_t, SELinux
will "resolve" them to passt_exec_t, and we'll have pasta running as
passt_t instead of pasta_t.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>
passt: Relicense to GPL 2.0, or any later version 2023-04-06T16:00:33+00:00 Stefano Brivio sbrivio@redhat.com 2023-04-05T18:11:44+00:00 ca2749e1bd520c6a1dbca24f1561ee31dd833a54 In practical terms, passt doesn't benefit from the additional protection offered by the AGPL over the GPL, because it's not suitable to be executed over a computer network. Further, restricting the distribution under the version 3 of the GPL wouldn't provide any practical advantage either, as long as the passt codebase is concerned, and might cause unnecessary compatibility dilemmas. Change licensing terms to the GNU General Public License Version 2, or any later version, with written permission from all current and past contributors, namely: myself, David Gibson, Laine Stump, Andrea Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In practical terms, passt doesn't benefit from the additional
protection offered by the AGPL over the GPL, because it's not
suitable to be executed over a computer network.

Further, restricting the distribution under the version 3 of the GPL
wouldn't provide any practical advantage either, as long as the passt
codebase is concerned, and might cause unnecessary compatibility
dilemmas.

Change licensing terms to the GNU General Public License Version 2,
or any later version, with written permission from all current and
past contributors, namely: myself, David Gibson, Laine Stump, Andrea
Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian
Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>