From 479a9e1b4d9b4e426754b44fb767d252ca144e0f Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Tue, 15 Aug 2023 18:22:02 +0200
Subject: fedora: Install pasta as hard link to ensure SELinux file context match
The Makefile installs symbolic links by default, which actually worked at some point (not by design) with SELinux, but at least on recent kernel versions it doesn't anymore: override pasta (and pasta.avx2) with hard links. Otherwise, even if the links are labeled as pasta_exec_t, SELinux will "resolve" them to passt_exec_t, and we'll have pasta running as passt_t instead of pasta_t.
Signed-off-by: Stefano Brivio
Acked-by: Richard W.M. Jones
---
 contrib/fedora/passt.spec | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 8d28ef6..d0c6895 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -54,10 +54,17 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
 %make_build VERSION="%{version}-%{release}.%{_arch}"
 
 %install
+
 %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
+# The Makefile creates symbolic links for pasta, but we need hard links for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+ln -f %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
 %ifarch x86_64
+ln -f %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
+
 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
+install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
 %endif
 
 pushd contrib/selinux
-- 
cgit v1.2.3
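Review bot: The `ln -f ... passt ... pasta` line makes both names point at one inode, and SELinux stores the file label on the inode, so `passt` and `pasta` cannot hold passt_exec_t and pasta_exec_t at the same time. Whichever path gets labeled last decides the type for both, which can leave `passt` entering the pasta_t domain or the reverse, depending on how the package is unpacked and relabeled. A separate copy gives each path its own label: `install -p -m 755 %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta`. The avx2 pair is also inconsistent: the `install -p -m 755` line before `%endif` most likely replaces the hard link created by the earlier `ln -f ... passt.avx2 ... pasta.avx2` with a plain copy (GNU install unlinks an existing destination first). That would leave only `pasta` as a real hard link, so the comment "we need hard links ... Same with pasta.avx2" should be reworded to match whichever approach is kept.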