passt/contrib, branch 2023_03_29.b10b983 Plug A Simple Socket Transport fedora: Adjust path for SELinux policy and interface file to latest guidelines 2023-03-29T20:11:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-29T11:17:31+00:00 b10b983fbd00634e275083c37446a538dbff0dbe Forget about: https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft and: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy The guidelines to follow are: https://fedoraproject.org/wiki/SELinux/IndependentPolicy Start from fixing the most pressing issue, that is, a path conflict with policy-selinux-devel about passt.if, and, while at it, adjust the installation paths for policy files too. Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182476 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Forget about:
  https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

and:
  https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

The guidelines to follow are:
  https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Start from fixing the most pressing issue, that is, a path conflict
with policy-selinux-devel about passt.if, and, while at it, adjust
the installation paths for policy files too.

Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182476
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Don't install useless SELinux interface file for pasta 2023-03-29T11:48:12+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-27T17:50:01+00:00 387f4aca7477ee630fe3c261a19f5f1a9055bfe5 That was meant to be an example, and I just dropped it in the previous commit -- passt.if should be more than enough as a possible example. Reported-by: Carl G. <carlg@fedoraproject.org> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182145 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
That was meant to be an example, and I just dropped it in the
previous commit -- passt.if should be more than enough as a possible
example.

Reported-by: Carl G. <carlg@fedoraproject.org>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182145
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: Drop useless interface file for pasta 2023-03-29T11:48:12+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-27T17:47:07+00:00 dafd92d555e71ebe6cfb8288441d51aec1d5ca1a This was meant to be an example, but I managed to add syntax errors to it. Drop it altogether. Reported-by: Carl G. <carlg@fedoraproject.org> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182145 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This was meant to be an example, but I managed to add syntax errors
to it. Drop it altogether.

Reported-by: Carl G. <carlg@fedoraproject.org>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182145
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Refresh SELinux labels in scriptlets, require -selinux package 2023-03-17T07:26:07+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-16T19:51:23+00:00 dd2349661933c4e9756e524ae9465f38b53b7557 Instead of: https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft follow this: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy which seems to make more sense and fixes the issue that, on a fresh install, without a reboot, the file contexts for the binaries are not actually updated. In detail: - labels are refreshed using the selinux_relabel_pre and selinux_relabel_post on install, upgrade, and uninstall - use the selinux_modules_install and selinux_modules_uninstall macros, instead of calling 'semodule' directly (no functional changes in our case) - require the -selinux package on SELinux-enabled environments and if the current system policy is "targeted" Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Instead of:
  https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

follow this:
  https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

which seems to make more sense and fixes the issue that, on a fresh
install, without a reboot, the file contexts for the binaries are not
actually updated.

In detail:

- labels are refreshed using the selinux_relabel_pre and
  selinux_relabel_post on install, upgrade, and uninstall

- use the selinux_modules_install and selinux_modules_uninstall
  macros, instead of calling 'semodule' directly (no functional
  changes in our case)

- require the -selinux package on SELinux-enabled environments and if
  the current system policy is "targeted"

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Install SELinux interface files to shared include directory 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T18:10:01+00:00 70c0765b49e19b76639908a7686d8f795ba3ed24 Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Split interfaces into smaller bits 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T17:00:31+00:00 93105ea06619d4c199f8140f4b75ae359757dc6d ...to fit accepted Fedora practices. Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
...to fit accepted Fedora practices.

Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop unused passt_read_data() interface 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:37+00:00 dcdc50fc2251339d6e929f708fad114e61b60627 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: Drop "example" from headers: this is the actual policy 2023-03-10T19:01:41+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-10T14:53:14+00:00 9f35cf0b11891e9dfb12eeb5d52f728881f84967 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib: Drop libvirt out-of-tree patch, integration mostly works in 9.1.0 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:47:19+00:00 294d6dc4c69d6ac8c51480e967d06da1f395d814 ...and in any case, this patch doesn't offer any advantage over the current upstream integration. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
...and in any case, this patch doesn't offer any advantage over the
current upstream integration.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
contrib: Drop QEMU out-of-tree patches 2023-03-09T02:44:21+00:00 Stefano Brivio sbrivio@redhat.com 2023-03-08T22:46:13+00:00 42fb62516d4e37ac456533d9d9b5c3a942b48631 Native support was introduced with commit 13c6be96618c, QEMU 7.2. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
Native support was introduced with commit 13c6be96618c, QEMU 7.2.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>