passt/contrib, branch bug165b Plug A Simple Socket Transport spec: use %selinux_requires_min macro, drop overlapping dependencies 2025-11-27T21:20:16+00:00 Danish Prakash contact@danishpraka.sh 2025-11-21T12:47:46+00:00 95ab87b490c5235c9c9dde8f100a93f4b17ba4f4 Also, drop unused preun policycoreutils requires, and Recommends on selinux-policy-%{targeted}, it has since been added to %selinux_requires_min. Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
contrib/selinux: use regex instead of SELinux template 2025-11-04T17:49:43+00:00 Danish Prakash contact@danishpraka.sh 2025-10-30T10:49:13+00:00 1d164396397799088b6dad13178781553333f2aa It might be possible to avoid using SELinux template (%USERID), and instead using regex to match user ids. This would allow discarding the explicit restorecon call while during package builds[1]. Original suggestion from cathy.hu@suse.com: > running restorecon would be unnecessary if the passt upstream selinux > module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway) [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5 Signed-off-by: Danish Prakash <contact@danishpraka.sh> Reviewed-by: Max Chernoff <git@maxchernoff.ca> Tested-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It might be possible to avoid using SELinux template (%USERID),
and instead using regex to match user ids. This would allow
discarding the explicit restorecon call while during package builds[1].

Original suggestion from cathy.hu@suse.com:

> running restorecon would be unnecessary if the passt upstream selinux
> module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway)

[1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Reviewed-by: Max Chernoff <git@maxchernoff.ca>
Tested-by: Max Chernoff <git@maxchernoff.ca>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add missing file contexts for Podman 2025-09-18T15:17:10+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:52+00:00 c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add container_var_run_t type transition 2025-09-18T15:16:58+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:50+00:00 fd1bcc30af0778715666434799180ee456c0c83f In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t which was expected here.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: pasta accesses /etc/resolv.conf 2025-08-05T13:30:59+00:00 Cathy Hu cathy.hu@suse.com 2025-08-05T13:19:26+00:00 309eefd6af5ba20f760b92b6131a9ea7f2e161d4 pasta accesses /etc/resolv.conf, which needs search permissions in openSUSE since the folder structure for the older sysconfig-netconfig is different than in fedora (which uses systemd-resolved) this replaces the manual allow rules with the sysnet_read_config interface in passt and pasta Adresses: ---- time->Fri Jul 25 15:57:16 2025 type=AVC msg=audit(1753451836.581:16831): avc: denied { search } for pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 15:58:10 2025 type=AVC msg=audit(1753451890.317:17123): avc: denied { search } for pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ---- time->Fri Jul 25 16:01:53 2025 type=AVC msg=audit(1753452113.557:17289): avc: denied { search } for pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 Signed-off-by: Cathy Hu <cathy.hu@suse.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
pasta accesses /etc/resolv.conf, which needs search permissions
in openSUSE since the folder structure for the older
sysconfig-netconfig is different than in fedora (which uses
systemd-resolved)

this replaces the manual allow rules with the sysnet_read_config
interface in passt and pasta

Adresses:

----
time->Fri Jul 25 15:57:16 2025
type=AVC msg=audit(1753451836.581:16831): avc:  denied  { search } for  pid=44182 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 15:58:10 2025
type=AVC msg=audit(1753451890.317:17123): avc:  denied  { search } for  pid=45022 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
----
time->Fri Jul 25 16:01:53 2025
type=AVC msg=audit(1753452113.557:17289): avc:  denied  { search } for  pid=45999 comm="pasta" name="netconfig" dev="tmpfs" ino=2449 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0

Signed-off-by: Cathy Hu <cathy.hu@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Hide restorecon(8) errors in post-transaction scriptlet 2025-06-11T14:24:50+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T15:06:43+00:00 0293c6f4a316baa561a9b43388906707f8cf7e81 Commit e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") added a call to restorecon for /run/user in the passt-selinux post-transaction scriptlet, and we can't give a path that's more specific than that, but it often contains FUSE mountpoints that are not accessible as root, resulting in warnings as the package is installed. Hide the errors, a failure in relabeling wouldn't be really problematic in any case. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit e01932353869 ("fedora: Separately restore context for /run/user
in %posttrans selinux") added a call to restorecon for /run/user in
the passt-selinux post-transaction scriptlet, and we can't give a path
that's more specific than that, but it often contains FUSE mountpoints
that are not accessible as root, resulting in warnings as the package
is installed.

Hide the errors, a failure in relabeling wouldn't be really
problematic in any case.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Add container-selinux as dependency for passt-selinux 2025-06-11T14:24:47+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T14:51:46+00:00 98da8a94693f5c138188acd83dc352f197a64817 Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers") introduces usage of container_user_r, container_runtime_t, and container_t, which are provided by the container-selinux package. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
introduces usage of container_user_r, container_runtime_t, and
container_t, which are provided by the container-selinux package.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Depend on SELinux tools and policy version, drop circular dependency 2025-06-06T08:46:40+00:00 Vit Mojzis vmojzis@redhat.com 2025-05-30T16:37:46+00:00 a2088fef360ee262c19186470d63875b32f80917 From an original patch by Vit Mojzis: add dependencies on SELinux userspace tools and recommend the latest available version of the policy as of now. Drop circular dependency between passt and passt-selinux: passt requires passt-selinux, so passt-selinux shouldn't require passt. Link: https://src.fedoraproject.org/rpms/passt/pull-request/3 Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
From an original patch by Vit Mojzis: add dependencies on SELinux
userspace tools and recommend the latest available version of the
policy as of now.

Drop circular dependency between passt and passt-selinux: passt
requires passt-selinux, so passt-selinux shouldn't require passt.

Link: https://src.fedoraproject.org/rpms/passt/pull-request/3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Call %selinux_modules_* macros only once 2025-06-06T08:46:40+00:00 Petr Lautrbach lautrbach@redhat.com 2025-05-30T08:09:14+00:00 d21bcd9f7c70d1be09a923ad366cdf883112e431 %selinux_modules_* macros has `-i %*` so that it can be used for multiple modules at once. This will improve the performace of the package (un)installation. $ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm real 49.09 user 44.16 sys 4.37 $ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm real 17.03 user 15.06 sys 1.83 Reported-by: Richard W.M. Jones <rjones@redhat.com> Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/ Link: https://src.fedoraproject.org/rpms/passt/pull-request/2 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
%selinux_modules_* macros has `-i %*` so that it can be used for
multiple modules at once. This will improve the performace of the
package (un)installation.

$ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm
real 49.09
user 44.16
sys 4.37

$ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm
real 17.03
user 15.06
sys 1.83

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/
Link: https://src.fedoraproject.org/rpms/passt/pull-request/2
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Separately restore context for /run/user in %posttrans selinux 2025-06-04T10:24:13+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-22T21:04:15+00:00 e019323538699967c155c29411545223dadfc0f5 The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details. Add a separate restorecon(8) call for /run/user as post-transaction scriptlet for the SELinux subpackage. Reported-by: Max Chernoff <git@maxchernoff.ca> Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.

Add a separate restorecon(8) call for /run/user as post-transaction
scriptlet for the SELinux subpackage.

Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>