* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1
- Rebase to 1.38.0 - Added selinux subpackage - resolves: RHEL-31884
This commit is contained in:
parent
8ae077769e
commit
c8a2ccfe39
@ -1,44 +0,0 @@
|
||||
From ac87babe2d1652e3f37715efe9f29ad6f16eb9df Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 4 Dec 2023 10:23:29 +0000
|
||||
Subject: [PATCH] configure: Fix initialization from incompatible pointer type
|
||||
|
||||
With GCC 14:
|
||||
|
||||
configure:20816: checking if environ is declared in header files
|
||||
configure:20833: gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grec
|
||||
ord-gcc-switches -pipe -Wall -Werror=format-security
|
||||
-Werror=implicit-function-declaration -Werror=implicit-int
|
||||
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS
|
||||
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
|
||||
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
|
||||
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
|
||||
-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer conftest.c >&5
|
||||
conftest.c: In function 'test':
|
||||
conftest.c:62:22: error: initialization of 'const char **' from incompatible p
|
||||
ointer type 'char **'
|
||||
62 | const char **env = environ;
|
||||
| ^~~~~~~
|
||||
|
||||
Thanks: Florian Weimer
|
||||
(cherry picked from commit 32a9ee6650654469cd591a3ae26842c54f898392)
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 3b12e357..beab4674 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -335,7 +335,7 @@ AC_LANG_SOURCE([[
|
||||
static int
|
||||
test (void)
|
||||
{
|
||||
- const char **env = environ;
|
||||
+ char **env = environ;
|
||||
return env ? 1 : 0; // this just forces env to be used
|
||||
}
|
||||
]])
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,58 +0,0 @@
|
||||
From 054798ca11b9f0b71fbad302edf66b52519f5aa2 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 14 Dec 2023 17:47:10 +0000
|
||||
Subject: [PATCH] file: Rework documentation for dir= parameter
|
||||
|
||||
The existing documentation tended towards jargon and lacked examples.
|
||||
|
||||
(cherry picked from commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e)
|
||||
---
|
||||
plugins/file/nbdkit-file-plugin.pod | 23 +++++++++++++++++------
|
||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
|
||||
index 857ad21e..e47eae97 100644
|
||||
--- a/plugins/file/nbdkit-file-plugin.pod
|
||||
+++ b/plugins/file/nbdkit-file-plugin.pod
|
||||
@@ -64,13 +64,23 @@ symbolic links. Other special files in the directory (such as
|
||||
subdirectories, pipes, or Unix sockets) are ignored.
|
||||
|
||||
When this mode is used, the file to be served is chosen by the export
|
||||
-name passed by the client, where the client can request a list of
|
||||
-available exports using NBD_OPT_LIST. A client that requests the
|
||||
-default export (C<"">) will be rejected. However, you can use
|
||||
-L<nbdkit-exportname-filter(1)> to adjust what export names the client
|
||||
-sees or uses as a default. For security, when using directory mode,
|
||||
+name passed by the client. For security, when using directory mode,
|
||||
this plugin will not accept export names containing slash (C</>).
|
||||
|
||||
+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
|
||||
+
|
||||
+ nbdinfo --list nbd://localhost
|
||||
+
|
||||
+An NBD client can request a list of available exports using
|
||||
+C<NBD_OPT_LIST>.
|
||||
+
|
||||
+A client that requests the default export (C<"">) will be rejected.
|
||||
+However, you can use L<nbdkit-exportname-filter(1)> to adjust what
|
||||
+export names the client sees, and which one the client uses as a
|
||||
+default. For example to make F</dir/file> be the default export:
|
||||
+
|
||||
+ nbdkit file dir=/dir --filter=exportname default-export=file
|
||||
+
|
||||
=item B<dirfd=>FILE_DESCRIPTOR
|
||||
|
||||
(nbdkit E<ge> 1.34, not Windows)
|
||||
@@ -262,7 +272,8 @@ L<nbdkit-tmpdisk-plugin(1)>,
|
||||
L<nbdkit-exportname-filter(1)>,
|
||||
L<nbdkit-fua-filter(1)>,
|
||||
L<nbdkit-luks-filter(1)>,
|
||||
-L<nbdkit-noextents-filter(1)>.
|
||||
+L<nbdkit-noextents-filter(1)>,
|
||||
+L<nbdinfo(1)>.
|
||||
|
||||
=head1 AUTHORS
|
||||
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 596f97316e65c151741e6ee42893023f6e945c01 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Sat, 16 Dec 2023 18:08:37 +0000
|
||||
Subject: [PATCH] file: Fix markup when referencing dir= option from dirfd=
|
||||
docs
|
||||
|
||||
Fixes: commit dd28b005430d020ccd1825437937c317332d3007
|
||||
(cherry picked from commit 5b8c9c49cc352e9b0fba4dde9e0f57c53c9c2457)
|
||||
---
|
||||
plugins/file/nbdkit-file-plugin.pod | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
|
||||
index e47eae97..5feb8ea9 100644
|
||||
--- a/plugins/file/nbdkit-file-plugin.pod
|
||||
+++ b/plugins/file/nbdkit-file-plugin.pod
|
||||
@@ -85,7 +85,7 @@ default. For example to make F</dir/file> be the default export:
|
||||
|
||||
(nbdkit E<ge> 1.34, not Windows)
|
||||
|
||||
-This is like the I<dir> option, but instead of specifying the
|
||||
+This is like the C<dir=> option, but instead of specifying the
|
||||
directory by name, the parent process should open the directory and
|
||||
pass this file descriptor by inheritance to nbdkit.
|
||||
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,108 +0,0 @@
|
||||
From 0d080223a8567a5ef673deb6ac49152fd67dd1b7 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Sat, 16 Dec 2023 18:03:13 +0000
|
||||
Subject: [PATCH] file: Further rework documentation of dir= parameter
|
||||
|
||||
Move the documentation to a new section, allowing us to expand on this
|
||||
topic. This also makes the HTML documentation linkable.
|
||||
|
||||
Updates: commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e
|
||||
(cherry picked from commit 74621ec608d0edd76c2d8de140e7d1d5626c8251)
|
||||
---
|
||||
plugins/file/nbdkit-file-plugin.pod | 66 +++++++++++++++++++++--------
|
||||
1 file changed, 49 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
|
||||
index 5feb8ea9..de8fbeba 100644
|
||||
--- a/plugins/file/nbdkit-file-plugin.pod
|
||||
+++ b/plugins/file/nbdkit-file-plugin.pod
|
||||
@@ -63,23 +63,7 @@ directory named C<DIRECTORY>, including those found by following
|
||||
symbolic links. Other special files in the directory (such as
|
||||
subdirectories, pipes, or Unix sockets) are ignored.
|
||||
|
||||
-When this mode is used, the file to be served is chosen by the export
|
||||
-name passed by the client. For security, when using directory mode,
|
||||
-this plugin will not accept export names containing slash (C</>).
|
||||
-
|
||||
-To list exports, use L<nbdinfo(1)> I<--list> option, for example:
|
||||
-
|
||||
- nbdinfo --list nbd://localhost
|
||||
-
|
||||
-An NBD client can request a list of available exports using
|
||||
-C<NBD_OPT_LIST>.
|
||||
-
|
||||
-A client that requests the default export (C<"">) will be rejected.
|
||||
-However, you can use L<nbdkit-exportname-filter(1)> to adjust what
|
||||
-export names the client sees, and which one the client uses as a
|
||||
-default. For example to make F</dir/file> be the default export:
|
||||
-
|
||||
- nbdkit file dir=/dir --filter=exportname default-export=file
|
||||
+See L</Serving multiple files and block devices> below.
|
||||
|
||||
=item B<dirfd=>FILE_DESCRIPTOR
|
||||
|
||||
@@ -89,6 +73,8 @@ This is like the C<dir=> option, but instead of specifying the
|
||||
directory by name, the parent process should open the directory and
|
||||
pass this file descriptor by inheritance to nbdkit.
|
||||
|
||||
+See L</Serving multiple files and block devices> below.
|
||||
+
|
||||
=item B<fadvise=normal>
|
||||
|
||||
=item B<fadvise=random>
|
||||
@@ -140,6 +126,52 @@ L<https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#win32-devi
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
+=head2 Serving multiple files and block devices
|
||||
+
|
||||
+Using C<dir=DIRECTORY> (or C<dirfd=DIRFD>) you can serve all regular
|
||||
+files and block devices located directly inside the directory named
|
||||
+C<DIRECTORY>, including those found by following symbolic links.
|
||||
+Other special files in the directory (such as subdirectories, pipes,
|
||||
+or Unix sockets) are ignored.
|
||||
+
|
||||
+When this mode is used, the file to be served is chosen by the export
|
||||
+name passed by the client. For security, when using directory mode,
|
||||
+this plugin will not accept export names containing slash (C</>).
|
||||
+
|
||||
+For example:
|
||||
+
|
||||
+ $ ls -l /var/tmp/exports
|
||||
+ total 0
|
||||
+ -rw-r--r--. 1 rjones rjones 1048576 Dec 14 15:34 disk1
|
||||
+ -rw-r--r--. 1 rjones rjones 2097152 Dec 14 15:34 disk2
|
||||
+ lrwxrwxrwx. 1 rjones rjones 9 Dec 14 15:35 sda1 -> /dev/sda1
|
||||
+ $ nbdkit file dir=/var/tmp/exports
|
||||
+
|
||||
+will serve three exports called C<"disk1">, C<"disk2"> and C<"sda1">.
|
||||
+The first two are regular files and the last is a block device. You
|
||||
+can add or remove files or symbolic links from the directory while
|
||||
+nbdkit is running.
|
||||
+
|
||||
+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
|
||||
+
|
||||
+ $ nbdinfo --list nbd://localhost
|
||||
+ protocol: newstyle-fixed without TLS, using structured packets
|
||||
+ export="disk1":
|
||||
+ export-size: 1048576 (1M)
|
||||
+ uri: nbd://localhost:10809/disk1
|
||||
+ [etc]
|
||||
+
|
||||
+An NBD client can request a list of available exports using
|
||||
+C<NBD_OPT_LIST>. For libnbd clients see nbd_opt_list(3).
|
||||
+
|
||||
+A client that requests the default export (C<"">) will be rejected.
|
||||
+However, you can use L<nbdkit-exportname-filter(1)> to adjust the
|
||||
+default export as well as other transformations of export names. For
|
||||
+example to make F</var/tmp/exports/disk1> be the default export:
|
||||
+
|
||||
+ nbdkit file dir=/var/tmp/exports \
|
||||
+ --filter=exportname default-export=disk1
|
||||
+
|
||||
=head2 Optimizing for random or sequential access
|
||||
|
||||
If you know in advance that the NBD client will access the file
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,29 +0,0 @@
|
||||
From c155987ee521c2d6a163d2814dc869ec1e89fd90 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Sat, 16 Dec 2023 18:32:50 +0000
|
||||
Subject: [PATCH] exportname: Fix markup for linking to other man pages
|
||||
|
||||
Fixes: commit 7623b2cc45078cca88fdd2d96c70c7f82a0db49d
|
||||
(cherry picked from commit 6104f55f3851f3b82dc69f7e78c32e9c7a93dbc9)
|
||||
---
|
||||
filters/exportname/nbdkit-exportname-filter.pod | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/filters/exportname/nbdkit-exportname-filter.pod b/filters/exportname/nbdkit-exportname-filter.pod
|
||||
index 1d69f7d4..f95a37be 100644
|
||||
--- a/filters/exportname/nbdkit-exportname-filter.pod
|
||||
+++ b/filters/exportname/nbdkit-exportname-filter.pod
|
||||
@@ -10,8 +10,8 @@ nbdkit-exportname-filter - adjust export names between client and plugin
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-Some plugins (such as C<nbdkit-file-plugin(1)> and filters (such as
|
||||
-C<nbdkit-ext2-filter(1)> are able to serve different content based on
|
||||
+Some plugins (such as L<nbdkit-file-plugin(1)> and filters (such as
|
||||
+L<nbdkit-ext2-filter(1)> are able to serve different content based on
|
||||
the export name requested by the client. The NBD protocol allows a
|
||||
server to advertise the set of export names it is serving. However,
|
||||
the list advertised (or absent) from the plugin may not always match
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From b8eb91e9102a2ae6cb96b0f2ffdb96b724cbb1b7 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Wed, 20 Dec 2023 10:38:27 +0000
|
||||
Subject: [PATCH] partition: Don't call nbdkit_error twice on error path
|
||||
|
||||
Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
|
||||
(cherry picked from commit 036b178a4affd00b8bbdb6cb140e81b62f57a374)
|
||||
---
|
||||
filters/partition/partition-gpt.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/filters/partition/partition-gpt.c b/filters/partition/partition-gpt.c
|
||||
index 80acddb4..930e2081 100644
|
||||
--- a/filters/partition/partition-gpt.c
|
||||
+++ b/filters/partition/partition-gpt.c
|
||||
@@ -92,10 +92,8 @@ find_gpt_partition (nbdkit_next *next,
|
||||
int err;
|
||||
|
||||
if (get_gpt_header (header_bytes,
|
||||
- &nr_partition_entries, &size_partition_entry) == -1) {
|
||||
- nbdkit_error ("cannot support non-standard GPT header");
|
||||
+ &nr_partition_entries, &size_partition_entry) == -1)
|
||||
return -1;
|
||||
- }
|
||||
|
||||
if (partnum > nr_partition_entries) {
|
||||
nbdkit_error ("GPT partition number out of range");
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 3b168aa842dc80a6d95b2c1ccb52a8ef664e7aba Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Wed, 20 Dec 2023 10:34:10 +0000
|
||||
Subject: [PATCH] partition: Suggest alternate partition-sectorsize
|
||||
|
||||
When we reach this error it means that we have failed to detect the
|
||||
"EFI PART" signature (indicating GPT) and we've fallen back to parsing
|
||||
MBR, but in doing so we have discovered a GPT protective MBR which
|
||||
should only happen for GPT. A possible cause for missing the
|
||||
signature was because we have the wrong sector size.
|
||||
|
||||
Therefore check for the current sector size (which should be either
|
||||
512 or 4096) and suggest that the user sets the other sector size.
|
||||
|
||||
Also avoids the case where the user already set partition-sectorsize=4k
|
||||
and we were suggesting that they set it again.
|
||||
|
||||
Reported-by: Ming Xie
|
||||
Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
|
||||
Fixes: https://issues.redhat.com/browse/RHEL-19815
|
||||
(cherry picked from commit cd761c9bf770b23f678fd82f0d1c8d4cce2ed1b5)
|
||||
---
|
||||
filters/partition/partition-mbr.c | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/filters/partition/partition-mbr.c b/filters/partition/partition-mbr.c
|
||||
index 3927c31f..6a81addb 100644
|
||||
--- a/filters/partition/partition-mbr.c
|
||||
+++ b/filters/partition/partition-mbr.c
|
||||
@@ -87,9 +87,16 @@ find_mbr_partition (nbdkit_next *next,
|
||||
!is_extended (partition.part_type_byte) &&
|
||||
partnum == i+1) {
|
||||
if (partition.part_type_byte == 0xEE) {
|
||||
- nbdkit_error ("rejecting GPT protective entry from MBR, "
|
||||
- "if the underlying storage uses 4K sectors "
|
||||
- "try using partition-sectorsize=4k");
|
||||
+ if (sector_size == 512)
|
||||
+ nbdkit_error ("rejecting GPT protective entry from MBR, "
|
||||
+ "if the underlying storage uses 4K sectors "
|
||||
+ "try using partition-sectorsize=4k");
|
||||
+ else if (sector_size == 4096)
|
||||
+ nbdkit_error ("rejecting GPT protective entry from MBR, "
|
||||
+ "if the underlying storage uses 512 byte sectors "
|
||||
+ "try using partition-sectorsize=512");
|
||||
+ else
|
||||
+ nbdkit_error ("rejecting GPT protective entry from MBR");
|
||||
return -1;
|
||||
}
|
||||
*offset_r = partition.start_sector * (int64_t) sector_size;
|
||||
--
|
||||
2.39.3
|
||||
|
3
nbdkit.fc
Normal file
3
nbdkit.fc
Normal file
@ -0,0 +1,3 @@
|
||||
/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)
|
207
nbdkit.if
Normal file
207
nbdkit.if
Normal file
@ -0,0 +1,207 @@
|
||||
## <summary>policy for nbdkit</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute nbdkit_exec_t in the nbdkit domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nbdkit_domtrans',`
|
||||
gen_require(`
|
||||
type nbdkit_t, nbdkit_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute nbdkit in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nbdkit_exec',`
|
||||
gen_require(`
|
||||
type nbdkit_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, nbdkit_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute nbdkit in the nbdkit domain, and
|
||||
## allow the specified role the nbdkit domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the nbdkit domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nbdkit_run',`
|
||||
gen_require(`
|
||||
type nbdkit_t;
|
||||
attribute_role nbdkit_roles;
|
||||
')
|
||||
|
||||
nbdkit_domtrans($1)
|
||||
roleattribute $2 nbdkit_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Role access for nbdkit
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nbdkit_role',`
|
||||
gen_require(`
|
||||
type nbdkit_t;
|
||||
attribute_role nbdkit_roles;
|
||||
')
|
||||
|
||||
roleattribute $1 nbdkit_roles;
|
||||
|
||||
nbdkit_domtrans($2)
|
||||
|
||||
ps_process_pattern($2, nbdkit_t)
|
||||
allow $2 nbdkit_t:process { signull signal sigkill };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to connect to nbdkit
|
||||
## with a unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nbdkit_stream_connect',`
|
||||
gen_require(`
|
||||
type nbdkit_t;
|
||||
')
|
||||
|
||||
allow $1 nbdkit_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow nbdkit_exec_t to be an entrypoint
|
||||
## of the specified domain
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`nbdkit_entrypoint',`
|
||||
gen_require(`
|
||||
type nbdkit_exec_t;
|
||||
')
|
||||
allow $1 nbdkit_exec_t:file entrypoint;
|
||||
')
|
||||
|
||||
# ----------------------------------------------------------------------
|
||||
# RWMJ: See:
|
||||
# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
|
||||
# Remove this when virt.if gets updated.
|
||||
|
||||
########################################
|
||||
#
|
||||
# Interface compatibility blocks
|
||||
#
|
||||
# The following definitions ensure compatibility with distribution policy
|
||||
# versions that do not contain given interfaces (epel, or older Fedora
|
||||
# releases).
|
||||
# Each block tests for existence of given interface and defines it if needed.
|
||||
#
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write to svirt_image dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
ifndef(`virt_rw_svirt_image_dirs',`
|
||||
interface(`virt_rw_svirt_image_dirs',`
|
||||
gen_require(`
|
||||
type svirt_image_t;
|
||||
')
|
||||
|
||||
allow $1 svirt_image_t:dir rw_dir_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create svirt_image sock_files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
ifndef(`virt_create_svirt_image_sock_files',`
|
||||
interface(`virt_create_svirt_image_sock_files',`
|
||||
gen_require(`
|
||||
type svirt_image_t;
|
||||
')
|
||||
|
||||
allow $1 svirt_image_t:sock_file create_sock_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write virtlogd pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
ifndef(`virtlogd_rw_pipes',`
|
||||
interface(`virtlogd_rw_pipes',`
|
||||
gen_require(`
|
||||
type virtlogd_t;
|
||||
')
|
||||
|
||||
allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
')
|
313
nbdkit.spec
313
nbdkit.spec
@ -22,8 +22,20 @@
|
||||
%global have_ocaml 1
|
||||
%endif
|
||||
|
||||
# libblkio was broken on i686: https://bugzilla.redhat.com/2229372
|
||||
# but somehow "fixed itself", keep an eye on it.
|
||||
%global have_blkio 1
|
||||
|
||||
# Enable mingw subpackage on Fedora only.
|
||||
%if 0%{?fedora}
|
||||
%global have_mingw 1
|
||||
%endif
|
||||
|
||||
# Enable nbdkit-selinux package.
|
||||
%global with_selinux 1
|
||||
%global modulename nbdkit
|
||||
%global selinuxtype targeted
|
||||
|
||||
# Architectures where we run the complete test suite including
|
||||
# the libguestfs tests.
|
||||
#
|
||||
@ -36,25 +48,14 @@
|
||||
# it as a bug and add it to this list.
|
||||
%global broken_test_arches NONE
|
||||
|
||||
%if 0%{?rhel} == 7
|
||||
# On RHEL 7, nothing in the virt stack is shipped on aarch64 and
|
||||
# libguestfs was not shipped on POWER (fixed in 7.5). We could in
|
||||
# theory make all of this work by having lots more conditionals, but
|
||||
# for now limit this package to x86_64 on RHEL.
|
||||
ExclusiveArch: x86_64
|
||||
%endif
|
||||
|
||||
# If we should verify tarball signature with GPGv2.
|
||||
%global verify_tarball_signature 1
|
||||
|
||||
# If there are patches which touch autotools files, set this to 1.
|
||||
%global patches_touch_autotools 1
|
||||
|
||||
# The source directory.
|
||||
%global source_directory 1.36-stable
|
||||
%global source_directory 1.38-stable
|
||||
|
||||
Name: nbdkit
|
||||
Version: 1.36.2
|
||||
Version: 1.38.0
|
||||
Release: 1%{?dist}
|
||||
Summary: NBD server
|
||||
|
||||
@ -79,25 +80,23 @@ Source3: copy-patches.sh
|
||||
# Patches come from the upstream repository:
|
||||
# https://gitlab.com/nbdkit/nbdkit/-/commits/rhel-9.4/
|
||||
|
||||
# Patches.
|
||||
Patch0001: 0001-configure-Fix-initialization-from-incompatible-point.patch
|
||||
Patch0002: 0002-file-Rework-documentation-for-dir-parameter.patch
|
||||
Patch0003: 0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch
|
||||
Patch0004: 0004-file-Further-rework-documentation-of-dir-parameter.patch
|
||||
Patch0005: 0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch
|
||||
Patch0006: 0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch
|
||||
Patch0007: 0007-partition-Suggest-alternate-partition-sectorsize.patch
|
||||
|
||||
# For automatic RPM Provides generation.
|
||||
# See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
|
||||
Source4: nbdkit.attr
|
||||
Source5: nbdkit-find-provides
|
||||
|
||||
BuildRequires: make
|
||||
%if 0%{patches_touch_autotools}
|
||||
BuildRequires: autoconf, automake, libtool
|
||||
%endif
|
||||
# For nbdkit-selinux package:
|
||||
Source6: %{modulename}.te
|
||||
Source7: %{modulename}.if
|
||||
Source8: %{modulename}.fc
|
||||
|
||||
# For applying the patches:
|
||||
BuildRequires: git
|
||||
|
||||
# For rebuilding autoconf cruft:
|
||||
BuildRequires: autoconf, automake, libtool
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: %{_bindir}/pod2man
|
||||
BuildRequires: gnutls-devel
|
||||
@ -173,12 +172,38 @@ BuildRequires: %{_bindir}/stat
|
||||
# itself, but it's a simple noarch package so easy to install.
|
||||
BuildRequires: nbdkit-srpm-macros >= 1.30.0
|
||||
|
||||
%if 0%{?have_mingw}
|
||||
BuildRequires: mingw32-filesystem
|
||||
BuildRequires: mingw64-filesystem
|
||||
BuildRequires: mingw32-gcc
|
||||
BuildRequires: mingw64-gcc
|
||||
BuildRequires: mingw32-gcc-c++
|
||||
BuildRequires: mingw64-gcc-c++
|
||||
BuildRequires: mingw32-dlfcn
|
||||
BuildRequires: mingw64-dlfcn
|
||||
BuildRequires: mingw32-gnutls
|
||||
BuildRequires: mingw64-gnutls
|
||||
BuildRequires: mingw32-winpthreads
|
||||
BuildRequires: mingw64-winpthreads
|
||||
BuildRequires: mingw32-xz
|
||||
BuildRequires: mingw64-xz
|
||||
BuildRequires: mingw32-zlib
|
||||
BuildRequires: mingw64-zlib
|
||||
%endif
|
||||
|
||||
# nbdkit is a metapackage pulling the server and a useful subset
|
||||
# of the plugins and filters.
|
||||
Requires: nbdkit-server%{?_isa} = %{version}-%{release}
|
||||
Requires: nbdkit-basic-plugins%{?_isa} = %{version}-%{release}
|
||||
Requires: nbdkit-basic-filters%{?_isa} = %{version}-%{release}
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
# This ensures that the nbdkit-selinux package and all its
|
||||
# dependencies are not pulled into containers and other systems that
|
||||
# do not use SELinux.
|
||||
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||
%endif
|
||||
|
||||
|
||||
%description
|
||||
NBD is a protocol for accessing block devices (hard disks and
|
||||
@ -324,6 +349,22 @@ Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
||||
This package contains cURL (HTTP/FTP) support for %{name}.
|
||||
|
||||
|
||||
%if !0%{?rhel}
|
||||
# In theory this is noarch, but because plugins are placed in _libdir
|
||||
# which varies across architectures, RPM does not allow this.
|
||||
%package gcs-plugin
|
||||
Summary: Gooogle Cloud Storage plugin %{name}
|
||||
Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
||||
# XXX Should not need to add this.
|
||||
Requires: python3-google-cloud-storage
|
||||
|
||||
%description gcs-plugin
|
||||
This package lets you open disk images stored in Google
|
||||
Cloud Storage using %{name}.
|
||||
%endif
|
||||
|
||||
|
||||
%if !0%{?rhel} && 0%{?have_libguestfs}
|
||||
%package guestfs-plugin
|
||||
Summary: libguestfs plugin for %{name}
|
||||
@ -441,7 +482,8 @@ This package lets you write Ruby plugins for %{name}.
|
||||
# which varies across architectures, RPM does not allow this.
|
||||
%package S3-plugin
|
||||
Summary: Amazon S3 and Ceph plugin for %{name}
|
||||
Requires: %{name}-python-plugin >= 1.22
|
||||
Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
||||
# XXX Should not need to add this.
|
||||
Requires: python3-boto3
|
||||
|
||||
@ -582,6 +624,8 @@ nbdkit-rate-filter Limit bandwidth by connection or server.
|
||||
|
||||
nbdkit-readahead-filter Prefetch data when reading sequentially.
|
||||
|
||||
nbdkit-readonly-filter Switch a plugin between read-only and writable.
|
||||
|
||||
nbdkit-retry-filter Reopen connection on error.
|
||||
|
||||
nbdkit-retry-request-filter Retry single requests on error.
|
||||
@ -671,17 +715,70 @@ Install this package if you want intelligent bash tab-completion
|
||||
for %{name}.
|
||||
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
%package selinux
|
||||
Summary: %{name} SELinux policy
|
||||
BuildArch: noarch
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post):selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
%{nbdkit} SELinux policy module.
|
||||
%endif
|
||||
|
||||
|
||||
%if 0%{?have_mingw}
|
||||
%package -n mingw32-%{name}
|
||||
Summary: nbdkit binary, plugins, filters, development files for Windows
|
||||
BuildArch: noarch
|
||||
Requires: mingw32-filesystem
|
||||
Requires: pkgconfig
|
||||
|
||||
%description -n mingw32-%{name}
|
||||
NBD is a protocol for accessing block devices (hard disks and
|
||||
disk-like things) over the network.
|
||||
|
||||
nbdkit is a toolkit for creating NBD servers.
|
||||
|
||||
This package contains the nbdkit binary, plugins, filters and
|
||||
development kit for 32 bit versions of Windows.
|
||||
|
||||
|
||||
%package -n mingw64-%{name}
|
||||
Summary: nbdkit binary, plugins, filters, development files for Windows
|
||||
BuildArch: noarch
|
||||
Requires: mingw64-filesystem
|
||||
Requires: pkgconfig
|
||||
|
||||
%description -n mingw64-%{name}
|
||||
NBD is a protocol for accessing block devices (hard disks and
|
||||
disk-like things) over the network.
|
||||
|
||||
nbdkit is a toolkit for creating NBD servers.
|
||||
|
||||
This package contains the nbdkit binary, plugins, filters and
|
||||
development kit for 64 bit versions of Windows.
|
||||
|
||||
|
||||
%{?mingw_debug_package}
|
||||
%endif
|
||||
|
||||
|
||||
%prep
|
||||
%if 0%{verify_tarball_signature}
|
||||
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||
%endif
|
||||
%autosetup -p1
|
||||
%if 0%{patches_touch_autotools}
|
||||
%autosetup -p1 -S git
|
||||
autoreconf -i
|
||||
%endif
|
||||
|
||||
|
||||
%build
|
||||
mkdir build_native
|
||||
pushd build_native
|
||||
%global _configure ../configure
|
||||
|
||||
# Golang bindings are not enabled in the build since they don't
|
||||
# need to be. Most people would use them by copying the upstream
|
||||
# package into their vendor/ directory.
|
||||
@ -761,8 +858,64 @@ grep '^PYTHON_VERSION = 3' Makefile
|
||||
|
||||
%make_build
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
# SELinux policy (originally from selinux-policy-contrib)
|
||||
# this policy module will override the production module
|
||||
mkdir selinux
|
||||
cp -p %{SOURCE6} selinux/
|
||||
cp -p %{SOURCE7} selinux/
|
||||
cp -p %{SOURCE8} selinux/
|
||||
|
||||
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
|
||||
bzip2 -9 %{modulename}.pp
|
||||
%endif
|
||||
|
||||
popd
|
||||
|
||||
%if 0%{?have_mingw}
|
||||
# MC=no is a temporary hack until this bug is fixed in binutils:
|
||||
# https://sourceware.org/bugzilla/show_bug.cgi?id=31283
|
||||
%mingw_configure \
|
||||
MC=no \
|
||||
--disable-static \
|
||||
--enable-shared \
|
||||
--with-extra='%{name}-%{version}-%{release}' \
|
||||
--with-tls-priority=@NBDKIT,SYSTEM \
|
||||
--disable-golang \
|
||||
--disable-libguestfs-tests \
|
||||
--disable-linuxdisk \
|
||||
--disable-lua \
|
||||
--disable-ocaml \
|
||||
--disable-perl \
|
||||
--disable-python \
|
||||
--disable-ruby \
|
||||
--disable-rust \
|
||||
--disable-tcl \
|
||||
--disable-torrent \
|
||||
--disable-valgrind \
|
||||
--disable-vddk \
|
||||
--without-bash-completions \
|
||||
--without-curl \
|
||||
--without-ext2 \
|
||||
--with-gnutls \
|
||||
--without-iso \
|
||||
--without-libblkio \
|
||||
--without-libguestfs \
|
||||
--without-libnbd \
|
||||
--without-libvirt \
|
||||
--with-liblzma \
|
||||
--without-manpages \
|
||||
--without-selinux \
|
||||
--without-ssh \
|
||||
--with-zlib \
|
||||
%{nil}
|
||||
|
||||
%mingw_make %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
|
||||
%install
|
||||
pushd build_native
|
||||
%make_install
|
||||
|
||||
# Delete libtool crap.
|
||||
@ -778,8 +931,10 @@ for f in cc cdi ; do
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin.so
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man?/nbdkit-$f-plugin.*
|
||||
done
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-S3-plugin
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-S3-plugin.1*
|
||||
for f in gcs S3 ; do
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-$f-plugin.1*
|
||||
done
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/filters/nbdkit-qcow2dec-filter.so
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-qcow2dec-filter.1*
|
||||
%endif
|
||||
@ -789,9 +944,34 @@ mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
|
||||
install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
|
||||
install -m 0755 %{SOURCE5} $RPM_BUILD_ROOT%{_rpmconfigdir}/
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
install -D -m 0644 %{modulename}.pp.bz2 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||
install -D -p -m 0644 selinux/%{modulename}.if $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
|
||||
%endif
|
||||
popd
|
||||
|
||||
%if 0%{?have_mingw}
|
||||
%mingw_make_install
|
||||
|
||||
# Remove .la files
|
||||
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
|
||||
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
|
||||
|
||||
# The .def files aren't interesting for other binaries
|
||||
rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
|
||||
rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
|
||||
|
||||
# Remove man pages which duplicate stuff in Fedora already.
|
||||
rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
|
||||
rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
|
||||
|
||||
%mingw_debug_install_post
|
||||
%endif
|
||||
|
||||
|
||||
%check
|
||||
%ifnarch %{broken_test_arches}
|
||||
pushd build_native
|
||||
function skip_test ()
|
||||
{
|
||||
for f in "$@"; do
|
||||
@ -836,6 +1016,7 @@ export LIBGUESTFS_TRACE=1
|
||||
cat tests/test-suite.log
|
||||
exit 1
|
||||
}
|
||||
popd
|
||||
%endif
|
||||
|
||||
|
||||
@ -844,6 +1025,26 @@ export LIBGUESTFS_TRACE=1
|
||||
%endif
|
||||
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
# SELinux contexts are saved so that only affected files can be
|
||||
# relabeled after the policy module installation
|
||||
%pre selinux
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%post selinux
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
|
||||
fi
|
||||
|
||||
%posttrans selinux
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
# if with_selinux
|
||||
%endif
|
||||
|
||||
|
||||
%files
|
||||
# metapackage so empty
|
||||
|
||||
@ -949,6 +1150,15 @@ export LIBGUESTFS_TRACE=1
|
||||
%{_mandir}/man1/nbdkit-curl-plugin.1*
|
||||
|
||||
|
||||
%if !0%{?rhel}
|
||||
%files gcs-plugin
|
||||
%doc README.md
|
||||
%license LICENSE
|
||||
%{_libdir}/%{name}/plugins/nbdkit-gcs-plugin
|
||||
%{_mandir}/man1/nbdkit-gcs-plugin.1*
|
||||
%endif
|
||||
|
||||
|
||||
%if !0%{?rhel} && 0%{?have_libguestfs}
|
||||
%files guestfs-plugin
|
||||
%doc README.md
|
||||
@ -1125,6 +1335,7 @@ export LIBGUESTFS_TRACE=1
|
||||
%endif
|
||||
%{_libdir}/%{name}/filters/nbdkit-rate-filter.so
|
||||
%{_libdir}/%{name}/filters/nbdkit-readahead-filter.so
|
||||
%{_libdir}/%{name}/filters/nbdkit-readonly-filter.so
|
||||
%{_libdir}/%{name}/filters/nbdkit-retry-filter.so
|
||||
%{_libdir}/%{name}/filters/nbdkit-retry-request-filter.so
|
||||
%{_libdir}/%{name}/filters/nbdkit-scan-filter.so
|
||||
@ -1165,6 +1376,7 @@ export LIBGUESTFS_TRACE=1
|
||||
%endif
|
||||
%{_mandir}/man1/nbdkit-rate-filter.1*
|
||||
%{_mandir}/man1/nbdkit-readahead-filter.1*
|
||||
%{_mandir}/man1/nbdkit-readonly-filter.1*
|
||||
%{_mandir}/man1/nbdkit-retry-filter.1*
|
||||
%{_mandir}/man1/nbdkit-retry-request-filter.1*
|
||||
%{_mandir}/man1/nbdkit-scan-filter.1*
|
||||
@ -1216,7 +1428,7 @@ export LIBGUESTFS_TRACE=1
|
||||
# Include the source of the example plugins in the documentation.
|
||||
%doc plugins/example*/*.c
|
||||
%if !0%{?rhel}
|
||||
%doc plugins/example4/nbdkit-example4-plugin
|
||||
%doc build_native/plugins/example4/nbdkit-example4-plugin
|
||||
%doc plugins/lua/example.lua
|
||||
%endif
|
||||
%if !0%{?rhel} && 0%{?have_ocaml}
|
||||
@ -1256,8 +1468,41 @@ export LIBGUESTFS_TRACE=1
|
||||
%{_datadir}/bash-completion/completions/nbdkit
|
||||
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
|
||||
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
%endif
|
||||
|
||||
|
||||
%if 0%{?have_mingw}
|
||||
%files -n mingw32-%{name}
|
||||
%license LICENSE
|
||||
%{mingw32_sbindir}/nbdkit.exe
|
||||
%{mingw32_libdir}/%{name}/
|
||||
%{mingw32_libdir}/libnbdkit.a
|
||||
%{mingw32_libdir}/pkgconfig/%{name}.pc
|
||||
%{mingw32_includedir}/*.h
|
||||
|
||||
|
||||
%files -n mingw64-%{name}
|
||||
%license LICENSE
|
||||
%{mingw64_sbindir}/nbdkit.exe
|
||||
%{mingw64_libdir}/%{name}/
|
||||
%{mingw64_libdir}/libnbdkit.a
|
||||
%{mingw64_libdir}/pkgconfig/%{name}.pc
|
||||
%{mingw64_includedir}/*.h
|
||||
%endif
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
|
||||
* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1
|
||||
- Rebase to 1.38.0
|
||||
- Added selinux subpackage
|
||||
- resolves: RHEL-31884
|
||||
|
||||
* Wed Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
|
||||
- Rebase to 1.36.2
|
||||
resolves: RHEL-14475
|
||||
- partition: Suggest alternate partition-sectorsize
|
||||
|
100
nbdkit.te
Normal file
100
nbdkit.te
Normal file
@ -0,0 +1,100 @@
|
||||
policy_module(nbdkit, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
type nbdkit_t;
|
||||
type nbdkit_exec_t;
|
||||
application_domain(nbdkit_t, nbdkit_exec_t)
|
||||
mcs_constrained(nbdkit_t)
|
||||
role system_r types nbdkit_t;
|
||||
|
||||
type nbdkit_home_t;
|
||||
userdom_user_home_content(nbdkit_home_t)
|
||||
|
||||
type nbdkit_tmp_t;
|
||||
files_tmp_file(nbdkit_tmp_t)
|
||||
|
||||
type nbdkit_unit_file_t;
|
||||
systemd_unit_file(nbdkit_unit_file_t)
|
||||
|
||||
permissive nbdkit_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# nbdkit local policy
|
||||
#
|
||||
allow nbdkit_t self:capability { setgid setuid };
|
||||
allow nbdkit_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow nbdkit_t self:process { fork setsockcreate signal_perms };
|
||||
allow nbdkit_t self:tcp_socket create_stream_socket_perms;
|
||||
allow nbdkit_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
|
||||
manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
|
||||
userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
|
||||
manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
|
||||
userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
|
||||
|
||||
corenet_tcp_connect_http_port(nbdkit_t)
|
||||
corenet_tcp_connect_ssh_port(nbdkit_t)
|
||||
corenet_tcp_connect_tftp_port(nbdkit_t)
|
||||
corenet_tcp_bind_generic_port(nbdkit_t)
|
||||
corenet_tcp_bind_generic_node(nbdkit_t)
|
||||
|
||||
domain_use_interactive_fds(nbdkit_t)
|
||||
|
||||
files_read_etc_files(nbdkit_t)
|
||||
|
||||
init_abstract_socket_activation(nbdkit_t)
|
||||
init_ioctl_stream_sockets(nbdkit_t)
|
||||
init_rw_stream_sockets(nbdkit_t)
|
||||
|
||||
optional_policy(`
|
||||
auth_use_nsswitch(nbdkit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(nbdkit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
miscfiles_read_localization(nbdkit_t)
|
||||
miscfiles_read_generic_certs(nbdkit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_dns_name_resolve(nbdkit_t)
|
||||
sysnet_read_config(nbdkit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userdom_read_user_home_content_files(nbdkit_t)
|
||||
userdom_use_inherited_user_ptys(nbdkit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_create_svirt_image_sock_files(nbdkit_t)
|
||||
virt_read_qemu_pid_files(nbdkit_t)
|
||||
virtlogd_rw_pipes(nbdkit_t)
|
||||
virt_rw_svirt_image(nbdkit_t)
|
||||
virt_rw_svirt_image_dirs(nbdkit_t)
|
||||
virt_search_lib(nbdkit_t)
|
||||
virt_stream_connect_svirt(nbdkit_t)
|
||||
')
|
||||
|
||||
|
||||
# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to
|
||||
# nbdkit_t when libvirtd was started manually from the commandline (i.e. in
|
||||
# unconfined_t), but we don't want this transition to happen automatically
|
||||
# when starting directly from the shell. I'm not sure how to achieve this...
|
||||
#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (nbdkit-1.36.2.tar.gz) = a776808c6e7ab488b109e993fed5a6174e6fc35f894dace74b18cef9f8e0f640fb90bd4fd74183fc025da1f607c8907ee438369146bfbb2a48f6753748b9cf04
|
||||
SHA512 (nbdkit-1.36.2.tar.gz.sig) = 04ef71b3fae7bf126333a8f02f6498db0b615057c942071502606b45ae5da1eafb15378a444a5388e3a3da67768687d4c151c259f9bd23ba583554cd54c054db
|
||||
SHA512 (nbdkit-1.38.0.tar.gz) = 7817ab29f2c4821237ac9114e820186b6fcbe5658fb702ecd41941fc70ffd060294c3d71fbcb37176f4609d3e25996ea71e20ea58d0aee2c8bf6b4b30254d074
|
||||
SHA512 (nbdkit-1.38.0.tar.gz.sig) = e81960962737f57c586bbf4dea9b2f7f208bb7258919ddd808006d4d14582ebd8e6b7d0e9f64ed48176c74c8c6ec00f042060be6a91ac0d8db20a1d936a53b42
|
||||
|
Loading…
Reference in New Issue
Block a user