* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1

- Rebase to 1.38.0
- Added selinux subpackage
- resolves: RHEL-31884

0001-configure-Fix-initialization-from-incompatible-point.patch

@@ -1,44 +0,0 @@
-From ac87babe2d1652e3f37715efe9f29ad6f16eb9df Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Mon, 4 Dec 2023 10:23:29 +0000
-Subject: [PATCH] configure: Fix initialization from incompatible pointer type
-
-With GCC 14:
-
-  configure:20816: checking if environ is declared in header files
-  configure:20833: gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grec
-ord-gcc-switches -pipe -Wall -Werror=format-security
--Werror=implicit-function-declaration -Werror=implicit-int
--Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS
--specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
--specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64   -mtune=generic
--fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
--fno-omit-frame-pointer -mno-omit-leaf-frame-pointer   conftest.c >&5
-  conftest.c: In function 'test':
-  conftest.c:62:22: error: initialization of 'const char **' from incompatible p
-ointer type 'char **'
-     62 |   const char **env = environ;
-        |                      ^~~~~~~
-
-Thanks: Florian Weimer
-(cherry picked from commit 32a9ee6650654469cd591a3ae26842c54f898392)
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 3b12e357..beab4674 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -335,7 +335,7 @@ AC_LANG_SOURCE([[
- static int
- test (void)
- {
--  const char **env = environ;
-+  char **env = environ;
-   return env ? 1 : 0; // this just forces env to be used
- }
- ]])
--- 
-2.39.3
-

0002-file-Rework-documentation-for-dir-parameter.patch

@@ -1,58 +0,0 @@
-From 054798ca11b9f0b71fbad302edf66b52519f5aa2 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Thu, 14 Dec 2023 17:47:10 +0000
-Subject: [PATCH] file: Rework documentation for dir= parameter
-
-The existing documentation tended towards jargon and lacked examples.
-
-(cherry picked from commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e)
----
- plugins/file/nbdkit-file-plugin.pod | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
-index 857ad21e..e47eae97 100644
---- a/plugins/file/nbdkit-file-plugin.pod
-+++ b/plugins/file/nbdkit-file-plugin.pod
-@@ -64,13 +64,23 @@ symbolic links.  Other special files in the directory (such as
- subdirectories, pipes, or Unix sockets) are ignored.
- 
- When this mode is used, the file to be served is chosen by the export
--name passed by the client, where the client can request a list of
--available exports using NBD_OPT_LIST.  A client that requests the
--default export (C<"">) will be rejected.  However, you can use
--L<nbdkit-exportname-filter(1)> to adjust what export names the client
--sees or uses as a default.  For security, when using directory mode,
-+name passed by the client.  For security, when using directory mode,
- this plugin will not accept export names containing slash (C</>).
- 
-+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
-+
-+ nbdinfo --list nbd://localhost
-+
-+An NBD client can request a list of available exports using
-+C<NBD_OPT_LIST>.
-+
-+A client that requests the default export (C<"">) will be rejected.
-+However, you can use L<nbdkit-exportname-filter(1)> to adjust what
-+export names the client sees, and which one the client uses as a
-+default.  For example to make F</dir/file> be the default export:
-+
-+ nbdkit file dir=/dir --filter=exportname default-export=file
-+
- =item B<dirfd=>FILE_DESCRIPTOR
- 
- (nbdkit E<ge> 1.34, not Windows)
-@@ -262,7 +272,8 @@ L<nbdkit-tmpdisk-plugin(1)>,
- L<nbdkit-exportname-filter(1)>,
- L<nbdkit-fua-filter(1)>,
- L<nbdkit-luks-filter(1)>,
--L<nbdkit-noextents-filter(1)>.
-+L<nbdkit-noextents-filter(1)>,
-+L<nbdinfo(1)>.
- 
- =head1 AUTHORS
- 
--- 
-2.39.3
-

0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch

@@ -1,28 +0,0 @@
-From 596f97316e65c151741e6ee42893023f6e945c01 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Sat, 16 Dec 2023 18:08:37 +0000
-Subject: [PATCH] file: Fix markup when referencing dir= option from dirfd=
- docs
-
-Fixes: commit dd28b005430d020ccd1825437937c317332d3007
-(cherry picked from commit 5b8c9c49cc352e9b0fba4dde9e0f57c53c9c2457)
----
- plugins/file/nbdkit-file-plugin.pod | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
-index e47eae97..5feb8ea9 100644
---- a/plugins/file/nbdkit-file-plugin.pod
-+++ b/plugins/file/nbdkit-file-plugin.pod
-@@ -85,7 +85,7 @@ default.  For example to make F</dir/file> be the default export:
- 
- (nbdkit E<ge> 1.34, not Windows)
- 
--This is like the I<dir> option, but instead of specifying the
-+This is like the C<dir=> option, but instead of specifying the
- directory by name, the parent process should open the directory and
- pass this file descriptor by inheritance to nbdkit.
- 
--- 
-2.39.3
-

0004-file-Further-rework-documentation-of-dir-parameter.patch

@@ -1,108 +0,0 @@
-From 0d080223a8567a5ef673deb6ac49152fd67dd1b7 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Sat, 16 Dec 2023 18:03:13 +0000
-Subject: [PATCH] file: Further rework documentation of dir= parameter
-
-Move the documentation to a new section, allowing us to expand on this
-topic.  This also makes the HTML documentation linkable.
-
-Updates: commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e
-(cherry picked from commit 74621ec608d0edd76c2d8de140e7d1d5626c8251)
----
- plugins/file/nbdkit-file-plugin.pod | 66 +++++++++++++++++++++--------
- 1 file changed, 49 insertions(+), 17 deletions(-)
-
-diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
-index 5feb8ea9..de8fbeba 100644
---- a/plugins/file/nbdkit-file-plugin.pod
-+++ b/plugins/file/nbdkit-file-plugin.pod
-@@ -63,23 +63,7 @@ directory named C<DIRECTORY>, including those found by following
- symbolic links.  Other special files in the directory (such as
- subdirectories, pipes, or Unix sockets) are ignored.
- 
--When this mode is used, the file to be served is chosen by the export
--name passed by the client.  For security, when using directory mode,
--this plugin will not accept export names containing slash (C</>).
--
--To list exports, use L<nbdinfo(1)> I<--list> option, for example:
--
-- nbdinfo --list nbd://localhost
--
--An NBD client can request a list of available exports using
--C<NBD_OPT_LIST>.
--
--A client that requests the default export (C<"">) will be rejected.
--However, you can use L<nbdkit-exportname-filter(1)> to adjust what
--export names the client sees, and which one the client uses as a
--default.  For example to make F</dir/file> be the default export:
--
-- nbdkit file dir=/dir --filter=exportname default-export=file
-+See L</Serving multiple files and block devices> below.
- 
- =item B<dirfd=>FILE_DESCRIPTOR
- 
-@@ -89,6 +73,8 @@ This is like the C<dir=> option, but instead of specifying the
- directory by name, the parent process should open the directory and
- pass this file descriptor by inheritance to nbdkit.
- 
-+See L</Serving multiple files and block devices> below.
-+
- =item B<fadvise=normal>
- 
- =item B<fadvise=random>
-@@ -140,6 +126,52 @@ L<https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#win32-devi
- 
- =head1 NOTES
- 
-+=head2 Serving multiple files and block devices
-+
-+Using C<dir=DIRECTORY> (or C<dirfd=DIRFD>) you can serve all regular
-+files and block devices located directly inside the directory named
-+C<DIRECTORY>, including those found by following symbolic links.
-+Other special files in the directory (such as subdirectories, pipes,
-+or Unix sockets) are ignored.
-+
-+When this mode is used, the file to be served is chosen by the export
-+name passed by the client.  For security, when using directory mode,
-+this plugin will not accept export names containing slash (C</>).
-+
-+For example:
-+
-+ $ ls -l /var/tmp/exports
-+ total 0
-+ -rw-r--r--. 1 rjones rjones 1048576 Dec 14 15:34 disk1
-+ -rw-r--r--. 1 rjones rjones 2097152 Dec 14 15:34 disk2
-+ lrwxrwxrwx. 1 rjones rjones       9 Dec 14 15:35 sda1 -> /dev/sda1
-+ $ nbdkit file dir=/var/tmp/exports
-+
-+will serve three exports called C<"disk1">, C<"disk2"> and C<"sda1">.
-+The first two are regular files and the last is a block device.  You
-+can add or remove files or symbolic links from the directory while
-+nbdkit is running.
-+
-+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
-+
-+ $ nbdinfo --list nbd://localhost
-+ protocol: newstyle-fixed without TLS, using structured packets
-+ export="disk1":
-+     export-size: 1048576 (1M)
-+     uri: nbd://localhost:10809/disk1
-+ [etc]
-+
-+An NBD client can request a list of available exports using
-+C<NBD_OPT_LIST>.  For libnbd clients see nbd_opt_list(3).
-+
-+A client that requests the default export (C<"">) will be rejected.
-+However, you can use L<nbdkit-exportname-filter(1)> to adjust the
-+default export as well as other transformations of export names.  For
-+example to make F</var/tmp/exports/disk1> be the default export:
-+
-+ nbdkit file dir=/var/tmp/exports \
-+        --filter=exportname default-export=disk1
-+
- =head2 Optimizing for random or sequential access
- 
- If you know in advance that the NBD client will access the file
--- 
-2.39.3
-

0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch

@@ -1,29 +0,0 @@
-From c155987ee521c2d6a163d2814dc869ec1e89fd90 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Sat, 16 Dec 2023 18:32:50 +0000
-Subject: [PATCH] exportname: Fix markup for linking to other man pages
-
-Fixes: commit 7623b2cc45078cca88fdd2d96c70c7f82a0db49d
-(cherry picked from commit 6104f55f3851f3b82dc69f7e78c32e9c7a93dbc9)
----
- filters/exportname/nbdkit-exportname-filter.pod | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/filters/exportname/nbdkit-exportname-filter.pod b/filters/exportname/nbdkit-exportname-filter.pod
-index 1d69f7d4..f95a37be 100644
---- a/filters/exportname/nbdkit-exportname-filter.pod
-+++ b/filters/exportname/nbdkit-exportname-filter.pod
-@@ -10,8 +10,8 @@ nbdkit-exportname-filter - adjust export names between client and plugin
- 
- =head1 DESCRIPTION
- 
--Some plugins (such as C<nbdkit-file-plugin(1)> and filters (such as
--C<nbdkit-ext2-filter(1)> are able to serve different content based on
-+Some plugins (such as L<nbdkit-file-plugin(1)> and filters (such as
-+L<nbdkit-ext2-filter(1)> are able to serve different content based on
- the export name requested by the client.  The NBD protocol allows a
- server to advertise the set of export names it is serving.  However,
- the list advertised (or absent) from the plugin may not always match
--- 
-2.39.3
-

0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch

@@ -1,30 +0,0 @@
-From b8eb91e9102a2ae6cb96b0f2ffdb96b724cbb1b7 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Wed, 20 Dec 2023 10:38:27 +0000
-Subject: [PATCH] partition: Don't call nbdkit_error twice on error path
-
-Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
-(cherry picked from commit 036b178a4affd00b8bbdb6cb140e81b62f57a374)
----
- filters/partition/partition-gpt.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/filters/partition/partition-gpt.c b/filters/partition/partition-gpt.c
-index 80acddb4..930e2081 100644
---- a/filters/partition/partition-gpt.c
-+++ b/filters/partition/partition-gpt.c
-@@ -92,10 +92,8 @@ find_gpt_partition (nbdkit_next *next,
-   int err;
- 
-   if (get_gpt_header (header_bytes,
--                      &nr_partition_entries, &size_partition_entry) == -1) {
--    nbdkit_error ("cannot support non-standard GPT header");
-+                      &nr_partition_entries, &size_partition_entry) == -1)
-     return -1;
--  }
- 
-   if (partnum > nr_partition_entries) {
-     nbdkit_error ("GPT partition number out of range");
--- 
-2.39.3
-

0007-partition-Suggest-alternate-partition-sectorsize.patch

@@ -1,52 +0,0 @@
-From 3b168aa842dc80a6d95b2c1ccb52a8ef664e7aba Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Wed, 20 Dec 2023 10:34:10 +0000
-Subject: [PATCH] partition: Suggest alternate partition-sectorsize
-
-When we reach this error it means that we have failed to detect the
-"EFI PART" signature (indicating GPT) and we've fallen back to parsing
-MBR, but in doing so we have discovered a GPT protective MBR which
-should only happen for GPT.  A possible cause for missing the
-signature was because we have the wrong sector size.
-
-Therefore check for the current sector size (which should be either
-512 or 4096) and suggest that the user sets the other sector size.
-
-Also avoids the case where the user already set partition-sectorsize=4k
-and we were suggesting that they set it again.
-
-Reported-by: Ming Xie
-Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
-Fixes: https://issues.redhat.com/browse/RHEL-19815
-(cherry picked from commit cd761c9bf770b23f678fd82f0d1c8d4cce2ed1b5)
----
- filters/partition/partition-mbr.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/filters/partition/partition-mbr.c b/filters/partition/partition-mbr.c
-index 3927c31f..6a81addb 100644
---- a/filters/partition/partition-mbr.c
-+++ b/filters/partition/partition-mbr.c
-@@ -87,9 +87,16 @@ find_mbr_partition (nbdkit_next *next,
-           !is_extended (partition.part_type_byte) &&
-           partnum == i+1) {
-         if (partition.part_type_byte == 0xEE) {
--          nbdkit_error ("rejecting GPT protective entry from MBR, "
--                        "if the underlying storage uses 4K sectors "
--                        "try using partition-sectorsize=4k");
-+          if (sector_size == 512)
-+            nbdkit_error ("rejecting GPT protective entry from MBR, "
-+                          "if the underlying storage uses 4K sectors "
-+                          "try using partition-sectorsize=4k");
-+          else if (sector_size == 4096)
-+            nbdkit_error ("rejecting GPT protective entry from MBR, "
-+                          "if the underlying storage uses 512 byte sectors "
-+                          "try using partition-sectorsize=512");
-+          else
-+            nbdkit_error ("rejecting GPT protective entry from MBR");
-           return -1;
-         }
-         *offset_r = partition.start_sector * (int64_t) sector_size;
--- 
-2.39.3
-

nbdkit.fc

@@ -0,0 +1,3 @@
+/usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)

nbdkit.if

@@ -0,0 +1,207 @@
+## <summary>policy for nbdkit</summary>
+
+########################################
+## <summary>
+##    Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##    Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nbdkit_domtrans',`
+	gen_require(`
+		type nbdkit_t, nbdkit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+## <summary>
+##    Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_exec',`
+	gen_require(`
+		type nbdkit_exec_t;
+	')
+    
+	corecmd_search_bin($1)
+	can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+## <summary>
+##    Execute nbdkit in the nbdkit domain, and
+##    allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition
+##    </summary>
+## </param>
+## <param name="role">
+##    <summary>
+##    The role to be allowed the nbdkit domain.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_run',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	nbdkit_domtrans($1)
+	roleattribute $2 nbdkit_roles;
+')
+
+########################################
+## <summary>
+##    Role access for nbdkit
+## </summary>
+## <param name="role">
+##    <summary>
+##    Role allowed access
+##    </summary>
+## </param>
+## <param name="domain">
+##    <summary>
+##    User domain for the role
+##    </summary>
+## </param>
+#
+interface(`nbdkit_role',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	roleattribute $1 nbdkit_roles;
+
+	nbdkit_domtrans($2)
+
+	ps_process_pattern($2, nbdkit_t)
+	allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	Allow attempts to connect to nbdkit
+##	with a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nbdkit_stream_connect',`
+	gen_require(`
+		type nbdkit_t;
+	')
+
+	allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##      Allow nbdkit_exec_t to be an entrypoint
+##      of the specified domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nbdkit_entrypoint',`
+        gen_require(`
+                type nbdkit_exec_t;
+        ')
+        allow $1 nbdkit_exec_t:file entrypoint;
+')
+
+# ----------------------------------------------------------------------
+# RWMJ: See:
+# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
+# Remove this when virt.if gets updated.
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+########################################
+## <summary>
+##      Read and write to svirt_image dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_rw_svirt_image_dirs',`
+	interface(`virt_rw_svirt_image_dirs',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:dir rw_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##      Create svirt_image sock_files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_create_svirt_image_sock_files',`
+	interface(`virt_create_svirt_image_sock_files',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:sock_file create_sock_file_perms;
+	')
+')
+
+########################################
+## <summary>
+## 	Read and write virtlogd pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+ifndef(`virtlogd_rw_pipes',`
+	interface(`virtlogd_rw_pipes',`
+	        gen_require(`
+	                type virtlogd_t;
+	        ')
+
+	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+	')
+')

nbdkit.spec

@@ -22,8 +22,20 @@
 %global have_ocaml 1
 %endif
 
+# libblkio was broken on i686: https://bugzilla.redhat.com/2229372
+# but somehow "fixed itself", keep an eye on it.
 %global have_blkio 1
 
+# Enable mingw subpackage on Fedora only.
+%if 0%{?fedora}
+%global have_mingw 1
+%endif
+
+# Enable nbdkit-selinux package.
+%global with_selinux 1
+%global modulename nbdkit
+%global selinuxtype targeted
+
 # Architectures where we run the complete test suite including
 # the libguestfs tests.
 #
@@ -36,25 +48,14 @@
 # it as a bug and add it to this list.
 %global broken_test_arches NONE
 
-%if 0%{?rhel} == 7
-# On RHEL 7, nothing in the virt stack is shipped on aarch64 and
-# libguestfs was not shipped on POWER (fixed in 7.5).  We could in
-# theory make all of this work by having lots more conditionals, but
-# for now limit this package to x86_64 on RHEL.
-ExclusiveArch:  x86_64
-%endif
-
 # If we should verify tarball signature with GPGv2.
 %global verify_tarball_signature 1
 
-# If there are patches which touch autotools files, set this to 1.
-%global patches_touch_autotools 1
-
 # The source directory.
-%global source_directory 1.36-stable
+%global source_directory 1.38-stable
 
 Name:           nbdkit
-Version:        1.36.2
+Version:        1.38.0
 Release:        1%{?dist}
 Summary:        NBD server
 
@@ -79,25 +80,23 @@ Source3:        copy-patches.sh
 # Patches come from the upstream repository:
 # https://gitlab.com/nbdkit/nbdkit/-/commits/rhel-9.4/
 
-# Patches.
-Patch0001:     0001-configure-Fix-initialization-from-incompatible-point.patch
-Patch0002:     0002-file-Rework-documentation-for-dir-parameter.patch
-Patch0003:     0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch
-Patch0004:     0004-file-Further-rework-documentation-of-dir-parameter.patch
-Patch0005:     0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch
-Patch0006:     0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch
-Patch0007:     0007-partition-Suggest-alternate-partition-sectorsize.patch
-
 # For automatic RPM Provides generation.
 # See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
 Source4:        nbdkit.attr
 Source5:        nbdkit-find-provides
 
-BuildRequires: make
+# For nbdkit-selinux package:
-%if 0%{patches_touch_autotools}
+Source6:        %{modulename}.te
-BuildRequires:  autoconf, automake, libtool
+Source7:        %{modulename}.if
-%endif
+Source8:        %{modulename}.fc
 
+# For applying the patches:
+BuildRequires:  git
+
+# For rebuilding autoconf cruft:
+BuildRequires:  autoconf, automake, libtool
+
+BuildRequires:  make
 BuildRequires:  gcc, gcc-c++
 BuildRequires:  %{_bindir}/pod2man
 BuildRequires:  gnutls-devel
@@ -173,12 +172,38 @@ BuildRequires:  %{_bindir}/stat
 # itself, but it's a simple noarch package so easy to install.
 BuildRequires:  nbdkit-srpm-macros >= 1.30.0
 
+%if 0%{?have_mingw}
+BuildRequires:  mingw32-filesystem
+BuildRequires:  mingw64-filesystem
+BuildRequires:  mingw32-gcc
+BuildRequires:  mingw64-gcc
+BuildRequires:  mingw32-gcc-c++
+BuildRequires:  mingw64-gcc-c++
+BuildRequires:  mingw32-dlfcn
+BuildRequires:  mingw64-dlfcn
+BuildRequires:  mingw32-gnutls
+BuildRequires:  mingw64-gnutls
+BuildRequires:  mingw32-winpthreads
+BuildRequires:  mingw64-winpthreads
+BuildRequires:  mingw32-xz
+BuildRequires:  mingw64-xz
+BuildRequires:  mingw32-zlib
+BuildRequires:  mingw64-zlib
+%endif
+
 # nbdkit is a metapackage pulling the server and a useful subset
 # of the plugins and filters.
 Requires:       nbdkit-server%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-plugins%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-filters%{?_isa} = %{version}-%{release}
 
+%if 0%{?with_selinux}
+# This ensures that the nbdkit-selinux package and all its
+# dependencies are not pulled into containers and other systems that
+# do not use SELinux.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 
 %description
 NBD is a protocol for accessing block devices (hard disks and
@@ -324,6 +349,22 @@ Requires:       %{name}-server%{?_isa} = %{version}-%{release}
 This package contains cURL (HTTP/FTP) support for %{name}.
 
 
+%if !0%{?rhel}
+# In theory this is noarch, but because plugins are placed in _libdir
+# which varies across architectures, RPM does not allow this.
+%package gcs-plugin
+Summary:        Gooogle Cloud Storage plugin %{name}
+Requires:       %{name}-python-plugin%{?_isa} = %{version}-%{release}
+Requires:       %{name}-server%{?_isa} = %{version}-%{release}
+# XXX Should not need to add this.
+Requires:       python3-google-cloud-storage
+
+%description gcs-plugin
+This package lets you open disk images stored in Google
+Cloud Storage using %{name}.
+%endif
+
+
 %if !0%{?rhel} && 0%{?have_libguestfs}
 %package guestfs-plugin
 Summary:        libguestfs plugin for %{name}
@@ -441,7 +482,8 @@ This package lets you write Ruby plugins for %{name}.
 # which varies across architectures, RPM does not allow this.
 %package S3-plugin
 Summary:        Amazon S3 and Ceph plugin for %{name}
-Requires:       %{name}-python-plugin >= 1.22
+Requires:       %{name}-python-plugin%{?_isa} = %{version}-%{release}
+Requires:       %{name}-server%{?_isa} = %{version}-%{release}
 # XXX Should not need to add this.
 Requires:       python3-boto3
 
@@ -582,6 +624,8 @@ nbdkit-rate-filter         Limit bandwidth by connection or server.
 
 nbdkit-readahead-filter    Prefetch data when reading sequentially.
 
+nbdkit-readonly-filter     Switch a plugin between read-only and writable.
+
 nbdkit-retry-filter        Reopen connection on error.
 
 nbdkit-retry-request-filter Retry single requests on error.
@@ -671,17 +715,70 @@ Install this package if you want intelligent bash tab-completion
 for %{name}.
 
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:       %{name} SELinux policy
+BuildArch:     noarch
+Requires:      selinux-policy-%{selinuxtype}
+Requires(post):selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+%{nbdkit} SELinux policy module.
+%endif
+
+
+%if 0%{?have_mingw}
+%package -n mingw32-%{name}
+Summary:       nbdkit binary, plugins, filters, development files for Windows
+BuildArch:     noarch
+Requires:      mingw32-filesystem
+Requires:      pkgconfig
+
+%description -n mingw32-%{name}
+NBD is a protocol for accessing block devices (hard disks and
+disk-like things) over the network.
+
+nbdkit is a toolkit for creating NBD servers.
+
+This package contains the nbdkit binary, plugins, filters and
+development kit for 32 bit versions of Windows.
+
+
+%package -n mingw64-%{name}
+Summary:       nbdkit binary, plugins, filters, development files for Windows
+BuildArch:     noarch
+Requires:      mingw64-filesystem
+Requires:      pkgconfig
+
+%description -n mingw64-%{name}
+NBD is a protocol for accessing block devices (hard disks and
+disk-like things) over the network.
+
+nbdkit is a toolkit for creating NBD servers.
+
+This package contains the nbdkit binary, plugins, filters and
+development kit for 64 bit versions of Windows.
+
+
+%{?mingw_debug_package}
+%endif
+
+
 %prep
 %if 0%{verify_tarball_signature}
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %endif
-%autosetup -p1
+%autosetup -p1 -S git
-%if 0%{patches_touch_autotools}
 autoreconf -i
-%endif
 
 
 %build
+mkdir build_native
+pushd build_native
+%global _configure ../configure
+
 # Golang bindings are not enabled in the build since they don't
 # need to be.  Most people would use them by copying the upstream
 # package into their vendor/ directory.
@@ -761,8 +858,64 @@ grep '^PYTHON_VERSION = 3' Makefile
 
 %make_build
 
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE6} selinux/
+cp -p %{SOURCE7} selinux/
+cp -p %{SOURCE8} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
+popd
+
+%if 0%{?have_mingw}
+# MC=no is a temporary hack until this bug is fixed in binutils:
+# https://sourceware.org/bugzilla/show_bug.cgi?id=31283
+%mingw_configure \
+    MC=no \
+    --disable-static \
+    --enable-shared \
+    --with-extra='%{name}-%{version}-%{release}' \
+    --with-tls-priority=@NBDKIT,SYSTEM \
+    --disable-golang \
+    --disable-libguestfs-tests \
+    --disable-linuxdisk \
+    --disable-lua \
+    --disable-ocaml \
+    --disable-perl \
+    --disable-python \
+    --disable-ruby \
+    --disable-rust \
+    --disable-tcl \
+    --disable-torrent \
+    --disable-valgrind \
+    --disable-vddk \
+    --without-bash-completions \
+    --without-curl \
+    --without-ext2 \
+    --with-gnutls \
+    --without-iso \
+    --without-libblkio \
+    --without-libguestfs \
+    --without-libnbd \
+    --without-libvirt \
+    --with-liblzma \
+    --without-manpages \
+    --without-selinux \
+    --without-ssh \
+    --with-zlib \
+    %{nil}
+
+%mingw_make %{?_smp_mflags}
+%endif
+
 
 %install
+pushd build_native
 %make_install
 
 # Delete libtool crap.
@@ -778,8 +931,10 @@ for f in cc cdi ; do
     rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin.so
     rm -f $RPM_BUILD_ROOT%{_mandir}/man?/nbdkit-$f-plugin.*
 done
-rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-S3-plugin
+for f in gcs S3 ; do
-rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-S3-plugin.1*
+    rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin
+    rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-$f-plugin.1*
+done
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/filters/nbdkit-qcow2dec-filter.so
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-qcow2dec-filter.1*
 %endif
@@ -789,9 +944,34 @@ mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
 install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
 install -m 0755 %{SOURCE5} $RPM_BUILD_ROOT%{_rpmconfigdir}/
 
+%if 0%{?with_selinux}
+install -D -m 0644 %{modulename}.pp.bz2 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+install -D -p -m 0644 selinux/%{modulename}.if $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%endif
+popd
+
+%if 0%{?have_mingw}
+%mingw_make_install
+
+# Remove .la files
+rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
+
+# The .def files aren't interesting for other binaries
+rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
+rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
+
+# Remove man pages which duplicate stuff in Fedora already.
+rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
+rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
+
+%mingw_debug_install_post
+%endif
+
 
 %check
 %ifnarch %{broken_test_arches}
+pushd build_native
 function skip_test ()
 {
     for f in "$@"; do
@@ -836,6 +1016,7 @@ export LIBGUESTFS_TRACE=1
     cat tests/test-suite.log
     exit 1
   }
+popd
 %endif
 
 
@@ -844,6 +1025,26 @@ export LIBGUESTFS_TRACE=1
 %endif
 
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+# if with_selinux
+%endif
+
+
 %files
 # metapackage so empty
 
@@ -949,6 +1150,15 @@ export LIBGUESTFS_TRACE=1
 %{_mandir}/man1/nbdkit-curl-plugin.1*
 
 
+%if !0%{?rhel}
+%files gcs-plugin
+%doc README.md
+%license LICENSE
+%{_libdir}/%{name}/plugins/nbdkit-gcs-plugin
+%{_mandir}/man1/nbdkit-gcs-plugin.1*
+%endif
+
+
 %if !0%{?rhel} && 0%{?have_libguestfs}
 %files guestfs-plugin
 %doc README.md
@@ -1125,6 +1335,7 @@ export LIBGUESTFS_TRACE=1
 %endif
 %{_libdir}/%{name}/filters/nbdkit-rate-filter.so
 %{_libdir}/%{name}/filters/nbdkit-readahead-filter.so
+%{_libdir}/%{name}/filters/nbdkit-readonly-filter.so
 %{_libdir}/%{name}/filters/nbdkit-retry-filter.so
 %{_libdir}/%{name}/filters/nbdkit-retry-request-filter.so
 %{_libdir}/%{name}/filters/nbdkit-scan-filter.so
@@ -1165,6 +1376,7 @@ export LIBGUESTFS_TRACE=1
 %endif
 %{_mandir}/man1/nbdkit-rate-filter.1*
 %{_mandir}/man1/nbdkit-readahead-filter.1*
+%{_mandir}/man1/nbdkit-readonly-filter.1*
 %{_mandir}/man1/nbdkit-retry-filter.1*
 %{_mandir}/man1/nbdkit-retry-request-filter.1*
 %{_mandir}/man1/nbdkit-scan-filter.1*
@@ -1216,7 +1428,7 @@ export LIBGUESTFS_TRACE=1
 # Include the source of the example plugins in the documentation.
 %doc plugins/example*/*.c
 %if !0%{?rhel}
-%doc plugins/example4/nbdkit-example4-plugin
+%doc build_native/plugins/example4/nbdkit-example4-plugin
 %doc plugins/lua/example.lua
 %endif
 %if !0%{?rhel} && 0%{?have_ocaml}
@@ -1256,8 +1468,41 @@ export LIBGUESTFS_TRACE=1
 %{_datadir}/bash-completion/completions/nbdkit
 
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
+
+%if 0%{?have_mingw}
+%files -n mingw32-%{name}
+%license LICENSE
+%{mingw32_sbindir}/nbdkit.exe
+%{mingw32_libdir}/%{name}/
+%{mingw32_libdir}/libnbdkit.a
+%{mingw32_libdir}/pkgconfig/%{name}.pc
+%{mingw32_includedir}/*.h
+
+
+%files -n mingw64-%{name}
+%license LICENSE
+%{mingw64_sbindir}/nbdkit.exe
+%{mingw64_libdir}/%{name}/
+%{mingw64_libdir}/libnbdkit.a
+%{mingw64_libdir}/pkgconfig/%{name}.pc
+%{mingw64_includedir}/*.h
+%endif
+
+
 %changelog
-* Tue Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
+* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1
+- Rebase to 1.38.0
+- Added selinux subpackage
+- resolves: RHEL-31884
+
+* Wed Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
 - Rebase to 1.36.2
   resolves: RHEL-14475
 - partition: Suggest alternate partition-sectorsize

nbdkit.te

@@ -0,0 +1,100 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+	auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(nbdkit_t)
+	miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(nbdkit_t)
+	sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+	userdom_read_user_home_content_files(nbdkit_t)
+	userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+	virt_create_svirt_image_sock_files(nbdkit_t)
+	virt_read_qemu_pid_files(nbdkit_t)
+	virtlogd_rw_pipes(nbdkit_t)
+	virt_rw_svirt_image(nbdkit_t)
+	virt_rw_svirt_image_dirs(nbdkit_t)
+	virt_search_lib(nbdkit_t)
+	virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
+# unconfined_t), but we don't want this transition to happen automatically 
+# when starting directly from the shell. I'm not sure how to achieve this...  
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)

sources

@@ -1,2 +1,2 @@
-SHA512 (nbdkit-1.36.2.tar.gz) = a776808c6e7ab488b109e993fed5a6174e6fc35f894dace74b18cef9f8e0f640fb90bd4fd74183fc025da1f607c8907ee438369146bfbb2a48f6753748b9cf04
+SHA512 (nbdkit-1.38.0.tar.gz) = 7817ab29f2c4821237ac9114e820186b6fcbe5658fb702ecd41941fc70ffd060294c3d71fbcb37176f4609d3e25996ea71e20ea58d0aee2c8bf6b4b30254d074
-SHA512 (nbdkit-1.36.2.tar.gz.sig) = 04ef71b3fae7bf126333a8f02f6498db0b615057c942071502606b45ae5da1eafb15378a444a5388e3a3da67768687d4c151c259f9bd23ba583554cd54c054db
+SHA512 (nbdkit-1.38.0.tar.gz.sig) = e81960962737f57c586bbf4dea9b2f7f208bb7258919ddd808006d4d14582ebd8e6b7d0e9f64ed48176c74c8c6ec00f042060be6a91ac0d8db20a1d936a53b42