From 97ab0c47f9391791e2d9039e2097af1f91b064fb Mon Sep 17 00:00:00 2001
From: Andrea Claudi
Date: Fri, 15 Mar 2024 12:30:45 +0100
Subject: [PATCH] Revert "iproute-6.7.0-1.el8"
RHEL 9.4 will ship with iproute v6.2.0, so we cannot release iproute-6.7.0-1.el8 for RHEL 8.10, as this will bring to a downgrade on the upgrade path to RHEL 8.10 -> RHEL 9.4. As it is not going to be part of an errata, let's reverts commit 90f50155cb1778771c0bd64a5f0921f47e360d69.
Related: RHEL-21222
Signed-off-by: Andrea Claudi
---
 .gitignore | 1 -
 0001-Update-kernel-headers.patch | 38 +++++
 0002-macvlan-Add-bclim-parameter.patch | 149 +++++++++++++++++
 0003-tc-add-missing-separator.patch | 43 +++++
 ...ux_enabled-stub-work-like-in-SELinux.patch | 55 ++++++
 ...stub-functions-conformant-to-API-def.patch | 52 ++++++
 ...d-SELinux-include-and-stub-functions.patch | 156 ++++++++++++++++++
 ...ip-vrf-make-ipvrf_exec-SELinux-aware.patch | 81 +++++++++
 iproute.spec | 24 +--
 sources | 1 -
 10 files changed, 588 insertions(+), 12 deletions(-)
 create mode 100644 0001-Update-kernel-headers.patch
 create mode 100644 0002-macvlan-Add-bclim-parameter.patch
 create mode 100644 0003-tc-add-missing-separator.patch
 create mode 100644 0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
 create mode 100644 0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
 create mode 100644 0006-lib-add-SELinux-include-and-stub-functions.patch
 create mode 100644 0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
diff --git a/.gitignore b/.gitignore
index e8379d6..dde4187 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 SOURCES/iproute2-5.18.0.tar.xz
 /iproute2-5.18.0.tar.xz
 /iproute2-6.2.0.tar.xz
-/iproute2-6.7.0.tar.xz
diff --git a/0001-Update-kernel-headers.patch b/0001-Update-kernel-headers.patch
new file mode 100644
index 0000000..15ad90f
--- /dev/null
+++ b/0001-Update-kernel-headers.patch
@@ -0,0 +1,38 @@
+From 6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b Mon Sep 17 00:00:00 2001
+Message-Id: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Wed, 3 May 2023 11:19:24 +0200
+Subject: [PATCH] Update kernel headers
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2188134
+Upstream Status: iproute2-next.git commit 88786cd1
+
+commit 88786cd1a96a89427bc22061c7736eb2eac31121
+Author: David Ahern
+Date: Thu Mar 30 09:43:49 2023 -0600
+
+ Update kernel headers
+
+ Update kernel headers to commit:
+ da617cd8d906 ("smsc911x: remove superfluous variable init")
+
+ Signed-off-by: David Ahern
+---
+ include/uapi/linux/if_link.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
+index 147ad0a3..644d3554 100644
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -628,6 +628,7 @@ enum {
+ IFLA_MACVLAN_MACADDR_COUNT,
+ IFLA_MACVLAN_BC_QUEUE_LEN,
+ IFLA_MACVLAN_BC_QUEUE_LEN_USED,
++ IFLA_MACVLAN_BC_CUTOFF,
+ __IFLA_MACVLAN_MAX,
+ };
+
+--
+2.40.1
+
diff --git a/0002-macvlan-Add-bclim-parameter.patch b/0002-macvlan-Add-bclim-parameter.patch
new file mode 100644
index 0000000..bc713ae
--- /dev/null
+++ b/0002-macvlan-Add-bclim-parameter.patch
@@ -0,0 +1,149 @@
+From 1638c2909a2911f981ee437dafde70e5e8d721f8 Mon Sep 17 00:00:00 2001
+Message-Id: <1638c2909a2911f981ee437dafde70e5e8d721f8.1683117490.git.aclaudi@redhat.com>
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Wed, 3 May 2023 11:19:24 +0200
+Subject: [PATCH] macvlan: Add bclim parameter
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2188134
+Upstream Status: iproute2-next.git commit e8a3fb47
+
+commit e8a3fb470b4e96aa35a2731c7cc175b946c0a62d
+Author: Herbert Xu
+Date: Thu Mar 30 11:07:25 2023 +0800
+
+ macvlan: Add bclim parameter
+
+ This patch adds support for setting the broadcast queueing threshold
+ on macvlan devices. This controls which multicast packets will be
+ processed in a workqueue instead of inline.
+
+ Signed-off-by: Herbert Xu
+
+ ip/iplink_macvlan.c | 26 ++++++++++++++++++++++++--
+ man/man8/ip-link.8.in | 18 ++++++++++++++++++
+ 3 files changed, 43 insertions(+), 2 deletions(-)
+
+
 Signed-off-by: David Ahern
+---
+ ip/iplink_macvlan.c | 26 ++++++++++++++++++++++++--
+ man/man8/ip-link.8.in | 18 ++++++++++++++++++
+ 2 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/ip/iplink_macvlan.c b/ip/iplink_macvlan.c
+index 0f13637d..6bdc76d1 100644
+--- a/ip/iplink_macvlan.c
++++ b/ip/iplink_macvlan.c
+@@ -26,13 +26,14 @@
+ static void print_explain(struct link_util *lu, FILE *f)
+ {
+ fprintf(f,
+- "Usage: ... %s mode MODE [flag MODE_FLAG] MODE_OPTS [bcqueuelen BC_QUEUE_LEN]\n"
++ "Usage: ... %s mode MODE [flag MODE_FLAG] MODE_OPTS [bcqueuelen BC_QUEUE_LEN] [bclim BCLIM]\n"
+ "\n"
+ "MODE: private | vepa | bridge | passthru | source\n"
+ "MODE_FLAG: null | nopromisc | nodst\n"
+ "MODE_OPTS: for mode \"source\":\n"
+ "\tmacaddr { { add | del } | set [ [ ... ] ] | flush }\n"
+- "BC_QUEUE_LEN: Length of the rx queue for broadcast/multicast: [0-4294967295]\n",
++ "BC_QUEUE_LEN: Length of the rx queue for broadcast/multicast: [0-4294967295]\n"
++ "BCLIM: Threshold for broadcast queueing: 32-bit integer\n",
+ lu->id
+ );
+ }
+@@ -67,6 +68,12 @@ static int bc_queue_len_arg(const char *arg)
+ return -1;
+ }
+
++static int bclim_arg(const char *arg)
++{
++ fprintf(stderr, "Error: illegal value for \"bclim\": \"%s\"\n", arg);
++ return -1;
++}
++
+ static int macvlan_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+ {
+@@ -168,6 +175,15 @@ static int macvlan_parse_opt(struct link_util *lu, int argc, char **argv,
+ return bc_queue_len_arg(*argv);
+ }
+ addattr32(n, 1024, IFLA_MACVLAN_BC_QUEUE_LEN, bc_queue_len);
++ } else if (!strcmp(*argv, "bclim")) {
++ __s32 bclim;
++ NEXT_ARG();
++
++ if (get_s32(&bclim, *argv, 0)) {
++ return bclim_arg(*argv);
++ }
++ addattr_l(n, 1024, IFLA_MACVLAN_BC_CUTOFF,
++ &bclim, sizeof(bclim));
+ } else if (matches(*argv, "help") == 0) {
+ explain(lu);
+ return -1;
+@@ -245,6 +261,12 @@ static void macvlan_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[]
+
 print_luint(PRINT_ANY, "usedbcqueuelen", "usedbcqueuelen %lu ", bc_queue_len);
+ }
+
++ if (tb[IFLA_MACVLAN_BC_CUTOFF] &&
++ RTA_PAYLOAD(tb[IFLA_MACVLAN_BC_CUTOFF]) >= sizeof(__s32)) {
++ __s32 bclim = rta_getattr_s32(tb[IFLA_MACVLAN_BC_CUTOFF]);
++ print_int(PRINT_ANY, "bclim", "bclim %d ", bclim);
++ }
++
+ /* in source mode, there are more options to print */
+
+ if (mode != MACVLAN_MODE_SOURCE)
+diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
+index eeddf493..62aebabd 100644
+--- a/man/man8/ip-link.8.in
++++ b/man/man8/ip-link.8.in
+@@ -1455,6 +1455,7 @@ the following additional arguments are supported:
+ .BR mode " { " private " | " vepa " | " bridge " | " passthru
+ .RB " [ " nopromisc " ] | " source " [ " nodst " ] } "
+ .RB " [ " bcqueuelen " { " LENGTH " } ] "
++.RB " [ " bclim " " LIMIT " ] "
+
+ .in +8
+ .sp
+@@ -1513,6 +1514,13 @@ will be the maximum length that any macvlan interface has requested.
+ When listing device parameters both the bcqueuelen parameter
+ as well as the actual used bcqueuelen are listed to better help
+ the user understand the setting.
++
++.BR bclim " " LIMIT
++- Set the threshold for broadcast queueing.
++.BR LIMIT " must be a 32-bit integer."
++Setting this to -1 disables broadcast queueing altogether. Otherwise
++a multicast address will be queued as broadcast if the number of devices
++using it is greater than the given value.
+ .in -8
+
+ .TP
+@@ -2675,6 +2683,9 @@ Update the broadcast/multicast queue length.
+ [
+ .BI bcqueuelen " LENGTH "
+ ]
++[
++.BI bclim " LIMIT "
++]
+
+ .in +8
+ .BI bcqueuelen " LENGTH "
+@@ -2688,6 +2699,13 @@ will be the maximum length that any macvlan interface has requested.
+ When listing device parameters both the bcqueuelen parameter
+ as well as the actual used bcqueuelen are listed to better help
+ the user understand the setting.
++
++.BI bclim " LIMIT "
++- Set the threshold for broadcast queueing.
++.IR LIMIT " must be a 32-bit integer."
++Setting this to -1 disables broadcast queueing altogether. Otherwise
++a multicast address will be queued as broadcast if the number of devices
++using it is greater than the given value.
+ .in -8
+
+ .TP
+--
+2.40.1
+
diff --git a/0003-tc-add-missing-separator.patch b/0003-tc-add-missing-separator.patch
new file mode 100644
index 0000000..41e9c7a
--- /dev/null
+++ b/0003-tc-add-missing-separator.patch
@@ -0,0 +1,43 @@
+From 4c2e1768c0d446345796dc058d1e114147a1029a Mon Sep 17 00:00:00 2001
+Message-Id: <4c2e1768c0d446345796dc058d1e114147a1029a.1686090191.git.aclaudi@redhat.com>
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1686090191.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1686090191.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Wed, 7 Jun 2023 00:15:59 +0200
+Subject: [PATCH] tc: add missing separator
+
+Jira: https://issues.redhat.com/browse/RHEL-487
+Upstream Status: iproute2-next.git commit 4e0e56e0
+
+commit 4e0e56e0ef05387f7f5d8ab41fe6ec6a1897b26d
+Author: Christian Hesse
+Date: Thu Feb 23 11:15:03 2023 +0100
+
+ tc: add missing separator
+
+ This is missing a separator, that was accidently removed
+ when JSON was added.
+
+ Fixes: 010a8388aea1 ("tc: Add JSON output to tc-class")
+ Signed-off-by: Christian Hesse
+ Signed-off-by: Stephen Hemminger
+---
+ tc/tc_class.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/tc_class.c b/tc/tc_class.c
+index c1feb009..096fa2ec 100644
+--- a/tc/tc_class.c
++++ b/tc/tc_class.c
+@@ -356,7 +356,7 @@ int print_class(struct nlmsghdr *n, void *arg)
+ print_string(PRINT_ANY, "parent", "parent %s ", abuf);
+ }
+ if (t->tcm_info)
+- print_0xhex(PRINT_ANY, "leaf", "leaf %x", t->tcm_info>>16);
++ print_0xhex(PRINT_ANY, "leaf", "leaf %x: ", t->tcm_info>>16);
+
+ q = get_qdisc_kind(RTA_DATA(tb[TCA_KIND]));
+ if (tb[TCA_OPTIONS]) {
+--
+2.40.1
+
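Review bot: In the restored 0002 patch, the new `bclim` branch of macvlan_parse_opt discards the result of `addattr_l(n, 1024, IFLA_MACVLAN_BC_CUTOFF, &bclim, sizeof(bclim))`, so if the attribute does not fit within the 1024-byte bound the command would appear to carry on without it. Propagating the failure, `if (addattr_l(n, 1024, IFLA_MACVLAN_BC_CUTOFF, &bclim, sizeof(bclim)) < 0) return -1;`, would make that case visible; the neighbouring `addattr32` call for bcqueuelen follows the same unchecked pattern. The help string also says only "32-bit integer" while the man page text gives -1 a special meaning, so `"BCLIM: Threshold for broadcast queueing: 32-bit integer, -1 disables\n"` would keep the two in step. macvlan_parse_opt starts and ends outside the nested hunks.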
diff --git a/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch b/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
new file mode 100644
index 0000000..7696fd2
--- /dev/null
+++ b/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
@@ -0,0 +1,55 @@
+From dcff6d4c73cd9c33b4103a4505ecebe6852f63df Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Tue, 5 Sep 2023 12:44:19 +0200
+Subject: [PATCH] ss: make is_selinux_enabled stub work like in SELinux
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
+Upstream Status: iproute2-next.git commit c8970828
+
+commit c8970828b6509af3ab0f2982da335fb6a6c846af
+Author: Andrea Claudi
+Date: Wed Aug 23 19:29:59 2023 +0200
+
+ ss: make is_selinux_enabled stub work like in SELinux
+
+ From the is_selinux_enabled() manpage:
+
+ is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not.
+
+ This makes the is_selinux_enabled() stub functions works exactly like
+ the SELinux function it is supposed to replace.
+
+ Signed-off-by: Andrea Claudi
+ Signed-off-by: David Ahern
+---
+ misc/ss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/misc/ss.c b/misc/ss.c
+index de02fccb..d2dffbf8 100644
+--- a/misc/ss.c
++++ b/misc/ss.c
+@@ -77,7 +77,7 @@
+ /* Stubs for SELinux functions */
+ static int is_selinux_enabled(void)
+ {
+- return -1;
++ return 0;
+ }
+
+ static int getpidcon(pid_t pid, char **context)
+@@ -5684,7 +5684,7 @@ int main(int argc, char *argv[])
+ show_sock_ctx++;
+ /* fall through */
+ case 'Z':
+- if (is_selinux_enabled() <= 0) {
++ if (!is_selinux_enabled()) {
+ fprintf(stderr, "ss: SELinux is not enabled.\n");
+ exit(1);
+ }
+--
+2.41.0
+
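Review bot: In ss.c's main(), the 'Z' case now tests `if (!is_selinux_enabled())`, which treats every non-zero result, a negative one included, as "enabled"; the removed `<= 0` comparison was the fail-closed form. That is harmless for the stub, which now returns 0, but in a HAVE_SELINUX build the value comes from the library, and if that call can ever report an error as a negative number ss would continue into the context-printing path instead of exiting. Keeping the comparison explicit, `if (is_selinux_enabled() <= 0) {`, works with both the stub and the library. main() continues outside the hunk.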
diff --git a/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch b/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
new file mode 100644
index 0000000..4896199
--- /dev/null
+++ b/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
@@ -0,0 +1,52 @@
+From d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Tue, 5 Sep 2023 12:44:19 +0200
+Subject: [PATCH] ss: make SELinux stub functions conformant to API definitions
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
+Upstream Status: iproute2-next.git commit 61c6882c
+
+commit 61c6882ce21c1247c06cd61783120be0a2e2019c
+Author: Andrea Claudi
+Date: Wed Aug 23 19:30:00 2023 +0200
+
+ ss: make SELinux stub functions conformant to API definitions
+
+ getfilecon() and security_get_initial_context() use the const qualifier
+ for their first paramater in SELinux APIs.
+
+ This commit adds the const qualifier to these functions, making them
+ conformant to API definitions.
+
+ Signed-off-by: Andrea Claudi
+ Signed-off-by: David Ahern
+---
+ misc/ss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/misc/ss.c b/misc/ss.c
+index d2dffbf8..fe19f489 100644
+--- a/misc/ss.c
++++ b/misc/ss.c
+@@ -86,13 +86,13 @@ static int getpidcon(pid_t pid, char **context)
+ return -1;
+ }
+
+-static int getfilecon(char *path, char **context)
++static int getfilecon(const char *path, char **context)
+ {
+ *context = NULL;
+ return -1;
+ }
+
+-static int security_get_initial_context(char *name, char **context)
++static int security_get_initial_context(const char *name, char **context)
+ {
+ *context = NULL;
+ return -1;
+--
+2.41.0
+
diff --git a/0006-lib-add-SELinux-include-and-stub-functions.patch b/0006-lib-add-SELinux-include-and-stub-functions.patch
new file mode 100644
index 0000000..169093b
--- /dev/null
+++ b/0006-lib-add-SELinux-include-and-stub-functions.patch
@@ -0,0 +1,156 @@
+From 0e71f7774a764c0a19037b79b71d7146769082ac Mon Sep 17 00:00:00 2001
+Message-ID: <0e71f7774a764c0a19037b79b71d7146769082ac.1695227714.git.aclaudi@redhat.com>
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Tue, 5 Sep 2023 12:44:19 +0200
+Subject: [PATCH] lib: add SELinux include and stub functions
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
+Upstream Status: iproute2-next.git commit e246ebc3
+
+commit e246ebc3b7f1f438310ad6fd1d5976ba6ccf7a69
+Author: Andrea Claudi
+Date: Wed Aug 23 19:30:01 2023 +0200
+
+ lib: add SELinux include and stub functions
+
+ ss provides some selinux stub functions, useful when iproute2 is
+ compiled without selinux support.
+
+ Move them to lib/ so we can use them in other iproute2 tools.
+
+ Signed-off-by: Andrea Claudi
+
 Signed-off-by: David Ahern
+---
+ include/selinux.h | 9 +++++++++
+ lib/Makefile | 4 ++++
+ lib/selinux.c | 32 ++++++++++++++++++++++++++++++++
+ misc/ss.c | 34 +---------------------------------
+ 4 files changed, 46 insertions(+), 33 deletions(-)
+ create mode 100644 include/selinux.h
+ create mode 100644 lib/selinux.c
+
+diff --git a/include/selinux.h b/include/selinux.h
+new file mode 100644
+index 00000000..499aa966
+--- /dev/null
++++ b/include/selinux.h
+@@ -0,0 +1,9 @@
++#if HAVE_SELINUX
++#include
++#else
++int is_selinux_enabled(void);
++void freecon(char *context);
++int getpidcon(pid_t pid, char **context);
++int getfilecon(const char *path, char **context);
++int security_get_initial_context(const char *name, char **context);
++#endif
+diff --git a/lib/Makefile b/lib/Makefile
+index ddedd37f..aa7bbd2e 100644
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -13,6 +13,10 @@ UTILOBJ += bpf_libbpf.o
+ endif
+ endif
+
++ifneq ($(HAVE_SELINUX),y)
++UTILOBJ += selinux.o
++endif
++
+ NLOBJ=libgenl.o libnetlink.o
+ ifeq ($(HAVE_MNL),y)
+ NLOBJ += mnl_utils.o
+diff --git a/lib/selinux.c b/lib/selinux.c
+new file mode 100644
+index 00000000..4e6805fc
+--- /dev/null
++++ b/lib/selinux.c
+@@ -0,0 +1,32 @@
++#include
++#include
++#include "selinux.h"
++
++/* Stubs for SELinux functions */
++int is_selinux_enabled(void)
++{
++ return 0;
++}
++
++void freecon(char *context)
++{
++ free(context);
++}
++
++int getpidcon(pid_t pid, char **context)
++{
++ *context = NULL;
++ return -1;
++}
++
++int getfilecon(const char *path, char **context)
++{
++ *context = NULL;
++ return -1;
++}
++
++int security_get_initial_context(const char *name, char **context)
++{
++ *context = NULL;
++ return -1;
++}
+diff --git a/misc/ss.c b/misc/ss.c
+index fe19f489..6e18bf0c 100644
+--- a/misc/ss.c
++++ b/misc/ss.c
+@@ -33,6 +33,7 @@
+ #include "version.h"
+ #include "rt_names.h"
+ #include "cg_map.h"
++#include "selinux.h"
+
+ #include
+ #include
+@@ -71,39 +72,6 @@
+ #define BUF_CHUNKS_MAX 5
 /* Maximum number of allocated buffer chunks */
+ #define LEN_ALIGN(x) (((x) + 1) & ~1)
+
+-#if HAVE_SELINUX
+-#include
+-#else
+-/* Stubs for SELinux functions */
+-static int is_selinux_enabled(void)
+-{
+- return 0;
+-}
+-
+-static int getpidcon(pid_t pid, char **context)
+-{
+- *context = NULL;
+- return -1;
+-}
+-
+-static int getfilecon(const char *path, char **context)
+-{
+- *context = NULL;
+- return -1;
+-}
+-
+-static int security_get_initial_context(const char *name, char **context)
+-{
+- *context = NULL;
+- return -1;
+-}
+-
+-static void freecon(char *context)
+-{
+- free(context);
+-}
+-#endif
+-
+ int preferred_family = AF_UNSPEC;
+ static int show_options;
+ int show_details;
+--
+2.41.0
+
diff --git a/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch b/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
new file mode 100644
index 0000000..d87cf48
--- /dev/null
+++ b/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
@@ -0,0 +1,81 @@
+From 6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2 Mon Sep 17 00:00:00 2001
+Message-ID: <6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2.1695227714.git.aclaudi@redhat.com>
+In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
+From: Andrea Claudi
+Date: Tue, 5 Sep 2023 12:44:19 +0200
+Subject: [PATCH] ip vrf: make ipvrf_exec SELinux-aware
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
+Upstream Status: iproute2-next.git commit 0d0eeaa6
+
+commit 0d0eeaa6cb9218e57ce910fc3a8991b80da6393e
+Author: Andrea Claudi
+Date: Wed Aug 23 19:30:02 2023 +0200
+
+ ip vrf: make ipvrf_exec SELinux-aware
+
+ When using ip vrf and SELinux is enabled, make sure to set the exec file
+ context before calling cmd_exec.
+
+ This ensures that the command is executed with the right context,
+ falling back to the ifconfig_t context when needed.
+
+ Signed-off-by: Andrea Claudi
+
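Review bot: The include/selinux.h created by the 0006 patch has no include guard, and its non-SELinux branch declares `int getpidcon(pid_t pid, char **context);` without including anything that defines `pid_t`, so it compiles only when the including file has already pulled in such a header. Wrapping the file in a guard (for example `#ifndef IPROUTE2_SELINUX_H` / `#define IPROUTE2_SELINUX_H`, a name proposed here) and adding `#include <sys/types.h>` at the top of the `#else` branch would make the header self-contained. The stubs in lib/selinux.c also write `*context = NULL` unconditionally, so a one-line comment stating that `context` must be non-NULL would document the contract they share with the real API.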
 Signed-off-by: David Ahern
+---
+ include/selinux.h | 1 +
+ ip/ipvrf.c | 6 ++++++
+ lib/selinux.c | 5 +++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/include/selinux.h b/include/selinux.h
+index 499aa966..592c7680 100644
+--- a/include/selinux.h
++++ b/include/selinux.h
+@@ -6,4 +6,5 @@ void freecon(char *context);
+ int getpidcon(pid_t pid, char **context);
+ int getfilecon(const char *path, char **context);
+ int security_get_initial_context(const char *name, char **context);
++int setexecfilecon(const char *filename, const char *fallback_type);
+ #endif
+diff --git a/ip/ipvrf.c b/ip/ipvrf.c
+index 0718bea8..b0dd2abe 100644
+--- a/ip/ipvrf.c
++++ b/ip/ipvrf.c
+@@ -24,6 +24,7 @@
+ #include "utils.h"
+ #include "ip_common.h"
+ #include "bpf_util.h"
++#include "selinux.h"
+
+ #define CGRP_PROC_FILE "/cgroup.procs"
+
+@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv)
+ return -1;
+ }
+
++ if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) {
++ fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]);
++ return -1;
++ }
++
+ return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]);
+ }
+
+diff --git a/lib/selinux.c b/lib/selinux.c
+index 4e6805fc..7e5dd16d 100644
+--- a/lib/selinux.c
++++ b/lib/selinux.c
+@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name, char **context)
+ *context = NULL;
+ return -1;
+ }
++
++int setexecfilecon(const char *filename, const char *fallback_type)
++{
++ return -1;
++}
+--
+2.41.0
+
diff --git a/iproute.spec b/iproute.spec
index 29250f7..3281ccd 100644
--- a/iproute.spec
+++ b/iproute.spec
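Review bot: In ipvrf_exec, `setexecfilecon(argv[1], "ifconfig_t")` derives the exec context from `argv[1]` exactly as typed, while the program that runs is whatever `cmd_exec(argv[1], ...)` resolves; cmd_exec is outside the hunk, but if it searches PATH, a bare command name would be labelled from a path relative to the current directory (or fail the lookup) rather than from the binary actually executed. Resolving the path once and passing the same string to both calls, or at least a comment above the check stating that limitation, would close the gap. The error line also drops the cause; assuming the call sets errno, `fprintf(stderr, "setexecfilecon for \"%s\" failed: %s\n", argv[1], strerror(errno));` would make policy denials diagnosable. The stub added to lib/selinux.c returns -1, which is only safe while the stub is_selinux_enabled() keeps returning 0, and a comment on the stub should say so.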
@@ -1,13 +1,20 @@ Summary: Advanced IP routing and network device configuration tools Name: iproute -Version: 6.7.0 -Release: 1%{?dist}%{?buildid} +Version: 6.2.0 +Release: 5%{?dist}%{?buildid} %if 0%{?rhel} Group: Applications/System %endif URL: https://kernel.org/pub/linux/utils/net/%{name}2/ Source0: https://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.xz Source1: rt_dsfield.deprecated +Patch0: 0001-Update-kernel-headers.patch +Patch1: 0002-macvlan-Add-bclim-parameter.patch +Patch2: 0003-tc-add-missing-separator.patch +Patch3: 0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch +Patch4: 0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch +Patch5: 0006-lib-add-SELinux-include-and-stub-functions.patch +Patch6: 0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch License: GPL-2.0-or-later AND NIST-PD BuildRequires: bison @@ -79,8 +86,8 @@ The libnetlink static library. %autosetup -p1 -n %{name}2-%{version} %build -%configure -echo -e "\nSBINDIR=%{_sbindir}" >> config.mk +%configure --libdir %{_libdir} +echo -e "\nPREFIX=%{_prefix}\nCONFDIR:=%{_sysconfdir}/iproute2\nSBINDIR=%{_sbindir}" >> config.mk %make_build %install @@ -97,11 +104,11 @@ rm -rf '%{buildroot}%{_docdir}' # append deprecated values to rt_dsfield for compatibility reasons %if 0%{?rhel} && ! 0%{?eln} -cat %{SOURCE1} >>%{buildroot}%{_datadir}/iproute2/rt_dsfield +cat %{SOURCE1} >>%{buildroot}%{_sysconfdir}/iproute2/rt_dsfield %endif %files -%dir %{_datadir}/iproute2 +%dir %{_sysconfdir}/iproute2 %license COPYING %doc README README.devel %{_mandir}/man7/* @@ -109,7 +116,7 @@ cat %{SOURCE1} >>%{buildroot}%{_datadir}/iproute2/rt_dsfield %{_mandir}/man8/* %exclude %{_mandir}/man8/tc* %exclude %{_mandir}/man8/cbq* -%attr(644,root,root) %config(noreplace) %{_datadir}/iproute2/* +%attr(644,root,root) %config(noreplace) %{_sysconfdir}/iproute2/* %{_sbindir}/* %exclude %{_sbindir}/tc %exclude %{_sbindir}/routel 
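Review bot: With `Version: 6.2.0` and `Release: 5%{?dist}%{?buildid}` restored in the first hunk, the package NVR returns to 6.2.0-5, the same one the remaining top %changelog entry (`6.2.0-5.el8`) already records, and the 6.7.0-1 entry is deleted rather than followed by an entry for the revert. If another build is expected from this branch, the release needs a bump and a changelog line, e.g. `Release: 6%{?dist}%{?buildid}`; if no build is intended, stating that in the commit message would be enough. The same section moves the `%config(noreplace)` files back from `%{_datadir}/iproute2` to `%{_sysconfdir}/iproute2`, so it is worth confirming that no 6.7.0-1 build reached a system where configuration was edited under the other path.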
@@ -139,9 +146,6 @@ cat %{SOURCE1} >>%{buildroot}%{_datadir}/iproute2/rt_dsfield %{_includedir}/iproute2/bpf_elf.h %changelog -* Tue Jan 23 2024 Andrea Claudi - 6.7.0-1.el8 -- New version 6.7.0 (Andrea Claudi) [RHEL-22438] - * Mon Sep 25 2023 Andrea Claudi - 6.2.0-5.el8 - Bump version number (wrong exception build) diff --git a/sources b/sources index 997ed54..5c91d59 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ SHA512 (iproute2-5.18.0.tar.xz) = 7b43c89741a8ffe8fd529ac4ee19c8eab7dce2f064de494c160c75456ffb960fb5f1e78c868ab98360dafde28d5e2c4d58177135b6d380e80e06eba9e3eaf068 SHA512 (iproute2-6.2.0.tar.xz) = b24e0fdd0f51b8b78bc3bb681e3829af47d3011e93f3892289eb070b336709a6883728ecc7627ca37f6449720f8ed1349af321c0d04454894a7175b82f7de151 -SHA512 (iproute2-6.7.0.tar.xz) = 5d8dca139b1b980dac6c841f477b951dd199074cb078b5ea8df23b3532eeb235cca1df9f6628b0f81b7edd62aaf4e95bad15a851843bd61e5715215da97cc546