passt/contrib, branch 2023_03_21.1ee2f7c Plug A Simple Socket Transport fedora: Refresh SELinux labels in scriptlets, require -selinux package 2023-03-17T07:26:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-16T19:51:23+00:00 dd2349661933c4e9756e524ae9465f38b53b7557 Instead of: https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft follow this: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy which seems to make more sense and fixes the issue that, on a fresh install, without a reboot, the file contexts for the binaries are not actually updated. In detail: - labels are refreshed using the selinux_relabel_pre and selinux_relabel_post on install, upgrade, and uninstall - use the selinux_modules_install and selinux_modules_uninstall macros, instead of calling 'semodule' directly (no functional changes in our case) - require the -selinux package on SELinux-enabled environments and if the current system policy is "targeted" Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Instead of:
  https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

follow this:
  https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

which seems to make more sense and fixes the issue that, on a fresh
install, without a reboot, the file contexts for the binaries are not
actually updated.

In detail:

- labels are refreshed using the selinux_relabel_pre and
  selinux_relabel_post on install, upgrade, and uninstall

- use the selinux_modules_install and selinux_modules_uninstall
  macros, instead of calling 'semodule' directly (no functional
  changes in our case)

- require the -selinux package on SELinux-enabled environments and if
  the current system policy is "targeted"

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Install SELinux interface files to shared include directory 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T18:10:01+00:00 70c0765b49e19b76639908a7686d8f795ba3ed24 Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Split interfaces into smaller bits 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T17:00:31+00:00 93105ea06619d4c199f8140f4b75ae359757dc6d ...to fit accepted Fedora practices. Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
...to fit accepted Fedora practices.

Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop unused passt_read_data() interface 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:37+00:00 dcdc50fc2251339d6e929f708fad114e61b60627 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop "example" from headers: this is the actual policy 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:14+00:00 9f35cf0b11891e9dfb12eeb5d52f728881f84967 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib: Drop libvirt out-of-tree patch, integration mostly works in 9.1.0 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:47:19+00:00 294d6dc4c69d6ac8c51480e967d06da1f395d814 ...and in any case, this patch doesn't offer any advantage over the current upstream integration. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
...and in any case, this patch doesn't offer any advantage over the
current upstream integration.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
contrib: Drop QEMU out-of-tree patches 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:46:13+00:00 42fb62516d4e37ac456533d9d9b5c3a942b48631 Native support was introduced with commit 13c6be96618c, QEMU 7.2. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
Native support was introduced with commit 13c6be96618c, QEMU 7.2.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
contrib: Drop Podman out-of-tree patch, integration is upstream now 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:45:08+00:00 f3cd0f9e454f73e3ff218a986205eb7dbb3d350d See https://github.com/containers/podman/pull/16141, shipped in Podman 4.4. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
See https://github.com/containers/podman/pull/16141, shipped in
Podman 4.4.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
contrib/selinux: Let interface users set paths for log, PID, socket files 2023-03-08T23:36:08+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-06T23:19:18+00:00 d361fe6e809bdf3539d764cfa5058f46ce51bcbf Even libvirt itself will configure passt to write log, PID and socket files to different locations depending on whether the domain is started as root (/var/log/libvirt/...) or as a regular user (/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the latter. Create interfaces for log and PID files, so that callers can specify different file contexts for those, and modify the interface for the UNIX socket file to allow different paths as well. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Laine Stump <laine@redhat.com> Reviewed-by: Laine Stump <laine@redhat.com> 
Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.

Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
contrib/selinux: Allow binding and connecting to all UDP and TCP ports 2023-03-08T23:36:08+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-06T23:05:36+00:00 de9b0cb5fee2ea00ed7e7877ef9be8c446bca134 Laine reports that with a simple: <portForward proto='tcp'> <range start='2022' to='22'/> </portForward> in libvirt's domain XML, passt won't start as it fails to bind arbitrary ports. That was actually the intention behind passt_port_t: the user or system administrator should have explicitly configured allowed ports on a given machine. But it's probably not realistic, so just allow any port to be bound and forwarded. Also fix up some missing operations on sockets. Reported-by: Laine Stump <laine@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Laine Stump <laine@redhat.com> Reviewed-by: Laine Stump <laine@redhat.com> 
Laine reports that with a simple:

      <portForward proto='tcp'>
        <range start='2022' to='22'/>
      </portForward>

in libvirt's domain XML, passt won't start as it fails to bind
arbitrary ports. That was actually the intention behind passt_port_t:
the user or system administrator should have explicitly configured
allowed ports on a given machine. But it's probably not realistic, so
just allow any port to be bound and forwarded.

Also fix up some missing operations on sockets.

Reported-by: Laine Stump <laine@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>