passt/contrib/fedora, branch 2025_08_05.309eefd Plug A Simple Socket Transport fedora: Hide restorecon(8) errors in post-transaction scriptlet 2025-06-11T14:24:50+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T15:06:43+00:00 0293c6f4a316baa561a9b43388906707f8cf7e81 Commit e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") added a call to restorecon for /run/user in the passt-selinux post-transaction scriptlet, and we can't give a path that's more specific than that, but it often contains FUSE mountpoints that are not accessible as root, resulting in warnings as the package is installed. Hide the errors, a failure in relabeling wouldn't be really problematic in any case. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit e01932353869 ("fedora: Separately restore context for /run/user
in %posttrans selinux") added a call to restorecon for /run/user in
the passt-selinux post-transaction scriptlet, and we can't give a path
that's more specific than that, but it often contains FUSE mountpoints
that are not accessible as root, resulting in warnings as the package
is installed.

Hide the errors, a failure in relabeling wouldn't be really
problematic in any case.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Add container-selinux as dependency for passt-selinux 2025-06-11T14:24:47+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T14:51:46+00:00 98da8a94693f5c138188acd83dc352f197a64817 Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers") introduces usage of container_user_r, container_runtime_t, and container_t, which are provided by the container-selinux package. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
introduces usage of container_user_r, container_runtime_t, and
container_t, which are provided by the container-selinux package.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Depend on SELinux tools and policy version, drop circular dependency 2025-06-06T08:46:40+00:00 Vit Mojzis vmojzis@redhat.com 2025-05-30T16:37:46+00:00 a2088fef360ee262c19186470d63875b32f80917 From an original patch by Vit Mojzis: add dependencies on SELinux userspace tools and recommend the latest available version of the policy as of now. Drop circular dependency between passt and passt-selinux: passt requires passt-selinux, so passt-selinux shouldn't require passt. Link: https://src.fedoraproject.org/rpms/passt/pull-request/3 Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
From an original patch by Vit Mojzis: add dependencies on SELinux
userspace tools and recommend the latest available version of the
policy as of now.

Drop circular dependency between passt and passt-selinux: passt
requires passt-selinux, so passt-selinux shouldn't require passt.

Link: https://src.fedoraproject.org/rpms/passt/pull-request/3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Call %selinux_modules_* macros only once 2025-06-06T08:46:40+00:00 Petr Lautrbach lautrbach@redhat.com 2025-05-30T08:09:14+00:00 d21bcd9f7c70d1be09a923ad366cdf883112e431 %selinux_modules_* macros has `-i %*` so that it can be used for multiple modules at once. This will improve the performace of the package (un)installation. $ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm real 49.09 user 44.16 sys 4.37 $ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm real 17.03 user 15.06 sys 1.83 Reported-by: Richard W.M. Jones <rjones@redhat.com> Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/ Link: https://src.fedoraproject.org/rpms/passt/pull-request/2 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
%selinux_modules_* macros has `-i %*` so that it can be used for
multiple modules at once. This will improve the performace of the
package (un)installation.

$ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm
real 49.09
user 44.16
sys 4.37

$ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm
real 17.03
user 15.06
sys 1.83

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/
Link: https://src.fedoraproject.org/rpms/passt/pull-request/2
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Separately restore context for /run/user in %posttrans selinux 2025-06-04T10:24:13+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-22T21:04:15+00:00 e019323538699967c155c29411545223dadfc0f5 The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details. Add a separate restorecon(8) call for /run/user as post-transaction scriptlet for the SELinux subpackage. Reported-by: Max Chernoff <git@maxchernoff.ca> Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.

Add a separate restorecon(8) call for /run/user as post-transaction
scriptlet for the SELinux subpackage.

Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
contrib/fedora: Actually install passt-repair SELinux policy file 2025-02-19T22:33:53+00:00 Stefano Brivio sbrivio@redhat.com 2025-02-18T08:49:40+00:00 4dac2351fae5534c01e144273f849ce9ece0dca7 Otherwise we build it, but we don't install it. Not an issue that warrants a a release right away as it's anyway usable. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Otherwise we build it, but we don't install it. Not an issue that
warrants a a release right away as it's anyway usable.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Introduce passt-repair 2025-02-04T00:28:04+00:00 Stefano Brivio sbrivio@redhat.com 2025-01-27T23:03:13+00:00 8c24301462c39027e6eb6f1ad56c1f6c83fb0c23 A privileged helper to set/clear TCP_REPAIR on sockets on behalf of passt. Not used yet. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
A privileged helper to set/clear TCP_REPAIR on sockets on behalf of
passt. Not used yet.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora/rpkg: List myself as author for changelog entries 2024-07-26T14:40:41+00:00 Stefano Brivio sbrivio@redhat.com 2024-07-26T14:40:41+00:00 f87b11c7be735d9d8d5267ae575d890b4226fb02 ...instead of the latest author for contrib/fedora. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
...instead of the latest author for contrib/fedora.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Switch license identifier to SPDX 2024-03-18T07:57:47+00:00 Dan Čermák dan.cermak@cgc-instruments.com 2024-03-14T08:38:09+00:00 615d370ca2710d54869e128f176e3ba6e2fccf6b The spec file patch by Dan Čermák was originally contributed at: https://src.fedoraproject.org/rpms/passt/pull-request/1 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
The spec file patch by Dan Čermák was originally contributed at:
  https://src.fedoraproject.org/rpms/passt/pull-request/1

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
fedora: Replace pasta hard links by separate builds 2023-09-06T23:57:00+00:00 Stefano Brivio sbrivio@redhat.com 2023-09-06T23:57:00+00:00 a405d0c026582375448fe87c6e440eb0fd428dd7 The hard link trick didn't actually fix the issue with SELinux file contexts properly: as opposed to symbolic links, SELinux now correctly associates types to the labels that are set -- except that those labels are now shared, so we can end up (depending on how rpm(8) extracts the archives) with /usr/bin/passt having a pasta_exec_t context. This got rather confusing as running restorecon(8) seemed to fix up labels -- but that's simply toggling between passt_exec_t and pasta_exec_t for both links, because each invocation will just "fix" the file with the mismatching context. Replace the hard links with two separate builds of the binary, as suggested by David. The build is reproducible, so we pass "-pasta" in the VERSION for pasta's build. This is wasteful but better than the alternative. Just copying the binary over would otherwise cause issues with debuginfo packages due to duplicate Build-IDs -- and rpmbuild(8) also warns about them. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The hard link trick didn't actually fix the issue with SELinux file
contexts properly: as opposed to symbolic links, SELinux now
correctly associates types to the labels that are set -- except that
those labels are now shared, so we can end up (depending on how
rpm(8) extracts the archives) with /usr/bin/passt having a
pasta_exec_t context.

This got rather confusing as running restorecon(8) seemed to fix up
labels -- but that's simply toggling between passt_exec_t and
pasta_exec_t for both links, because each invocation will just "fix"
the file with the mismatching context.

Replace the hard links with two separate builds of the binary, as
suggested by David. The build is reproducible, so we pass "-pasta" in
the VERSION for pasta's build. This is wasteful but better than the
alternative.

Just copying the binary over would otherwise cause issues with
debuginfo packages due to duplicate Build-IDs -- and rpmbuild(8) also
warns about them.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>