* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1

resolves: RHEL-14475
partition: Suggest alternate partition-sectorsize
  resolves: RHEL-19815

.nbdkit.metadata

@@ -0,0 +1,2 @@
+e3deb0f0e6b4d6c69923c7cea7347016f1d680e0 nbdkit-1.38.0.tar.gz
+8b7e787bd65346c94a6e06f238ca9628f7306bb2 nbdkit-1.38.0.tar.gz.sig

nbdkit.fc

@@ -0,0 +1,3 @@
+/usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)

nbdkit.if

@@ -0,0 +1,207 @@
+## <summary>policy for nbdkit</summary>
+
+########################################
+## <summary>
+##    Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##    Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nbdkit_domtrans',`
+	gen_require(`
+		type nbdkit_t, nbdkit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+## <summary>
+##    Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_exec',`
+	gen_require(`
+		type nbdkit_exec_t;
+	')
+    
+	corecmd_search_bin($1)
+	can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+## <summary>
+##    Execute nbdkit in the nbdkit domain, and
+##    allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition
+##    </summary>
+## </param>
+## <param name="role">
+##    <summary>
+##    The role to be allowed the nbdkit domain.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_run',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	nbdkit_domtrans($1)
+	roleattribute $2 nbdkit_roles;
+')
+
+########################################
+## <summary>
+##    Role access for nbdkit
+## </summary>
+## <param name="role">
+##    <summary>
+##    Role allowed access
+##    </summary>
+## </param>
+## <param name="domain">
+##    <summary>
+##    User domain for the role
+##    </summary>
+## </param>
+#
+interface(`nbdkit_role',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	roleattribute $1 nbdkit_roles;
+
+	nbdkit_domtrans($2)
+
+	ps_process_pattern($2, nbdkit_t)
+	allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	Allow attempts to connect to nbdkit
+##	with a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nbdkit_stream_connect',`
+	gen_require(`
+		type nbdkit_t;
+	')
+
+	allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##      Allow nbdkit_exec_t to be an entrypoint
+##      of the specified domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nbdkit_entrypoint',`
+        gen_require(`
+                type nbdkit_exec_t;
+        ')
+        allow $1 nbdkit_exec_t:file entrypoint;
+')
+
+# ----------------------------------------------------------------------
+# RWMJ: See:
+# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
+# Remove this when virt.if gets updated.
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+########################################
+## <summary>
+##      Read and write to svirt_image dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_rw_svirt_image_dirs',`
+	interface(`virt_rw_svirt_image_dirs',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:dir rw_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##      Create svirt_image sock_files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_create_svirt_image_sock_files',`
+	interface(`virt_create_svirt_image_sock_files',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:sock_file create_sock_file_perms;
+	')
+')
+
+########################################
+## <summary>
+## 	Read and write virtlogd pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+ifndef(`virtlogd_rw_pipes',`
+	interface(`virtlogd_rw_pipes',`
+	        gen_require(`
+	                type virtlogd_t;
+	        ')
+
+	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+	')
+')

nbdkit.spec

@@ -22,8 +22,20 @@
 %global have_ocaml 1
 %endif
 
+# libblkio was broken on i686: https://bugzilla.redhat.com/2229372
+# but somehow "fixed itself", keep an eye on it.
 %global have_blkio 1
 
+# Enable mingw subpackage on Fedora only.
+%if 0%{?fedora}
+%global have_mingw 1
+%endif
+
+# Enable nbdkit-selinux package.
+%global with_selinux 1
+%global modulename nbdkit
+%global selinuxtype targeted
+
 # Architectures where we run the complete test suite including
 # the libguestfs tests.
 #
@@ -36,25 +48,14 @@
 # it as a bug and add it to this list.
 %global broken_test_arches NONE
 
-%if 0%{?rhel} == 7
-# On RHEL 7, nothing in the virt stack is shipped on aarch64 and
-# libguestfs was not shipped on POWER (fixed in 7.5).  We could in
-# theory make all of this work by having lots more conditionals, but
-# for now limit this package to x86_64 on RHEL.
-ExclusiveArch:  x86_64
-%endif
-
 # If we should verify tarball signature with GPGv2.
 %global verify_tarball_signature 1
 
-# If there are patches which touch autotools files, set this to 1.
-%global patches_touch_autotools %{nil}
-
 # The source directory.
-%global source_directory 1.36-stable
+%global source_directory 1.38-stable
 
 Name:           nbdkit
-Version:        1.36.1
+Version:        1.38.0
 Release:        1%{?dist}
 Summary:        NBD server
 
@@ -79,19 +80,23 @@ Source3:        copy-patches.sh
 # Patches come from the upstream repository:
 # https://gitlab.com/nbdkit/nbdkit/-/commits/rhel-9.4/
 
-# Patches.
-#(none)
-
 # For automatic RPM Provides generation.
 # See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
 Source4:        nbdkit.attr
 Source5:        nbdkit-find-provides
 
-BuildRequires: make
-%if 0%{patches_touch_autotools}
-BuildRequires:  autoconf, automake, libtool
-%endif
+# For nbdkit-selinux package:
+Source6:        %{modulename}.te
+Source7:        %{modulename}.if
+Source8:        %{modulename}.fc
 
+# For applying the patches:
+BuildRequires:  git
+
+# For rebuilding autoconf cruft:
+BuildRequires:  autoconf, automake, libtool
+
+BuildRequires:  make
 BuildRequires:  gcc, gcc-c++
 BuildRequires:  %{_bindir}/pod2man
 BuildRequires:  gnutls-devel
@@ -167,12 +172,38 @@ BuildRequires:  %{_bindir}/stat
 # itself, but it's a simple noarch package so easy to install.
 BuildRequires:  nbdkit-srpm-macros >= 1.30.0
 
+%if 0%{?have_mingw}
+BuildRequires:  mingw32-filesystem
+BuildRequires:  mingw64-filesystem
+BuildRequires:  mingw32-gcc
+BuildRequires:  mingw64-gcc
+BuildRequires:  mingw32-gcc-c++
+BuildRequires:  mingw64-gcc-c++
+BuildRequires:  mingw32-dlfcn
+BuildRequires:  mingw64-dlfcn
+BuildRequires:  mingw32-gnutls
+BuildRequires:  mingw64-gnutls
+BuildRequires:  mingw32-winpthreads
+BuildRequires:  mingw64-winpthreads
+BuildRequires:  mingw32-xz
+BuildRequires:  mingw64-xz
+BuildRequires:  mingw32-zlib
+BuildRequires:  mingw64-zlib
+%endif
+
 # nbdkit is a metapackage pulling the server and a useful subset
 # of the plugins and filters.
 Requires:       nbdkit-server%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-plugins%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-filters%{?_isa} = %{version}-%{release}
 
+%if 0%{?with_selinux}
+# This ensures that the nbdkit-selinux package and all its
+# dependencies are not pulled into containers and other systems that
+# do not use SELinux.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 
 %description
 NBD is a protocol for accessing block devices (hard disks and
@@ -318,6 +349,22 @@ Requires:       %{name}-server%{?_isa} = %{version}-%{release}
 This package contains cURL (HTTP/FTP) support for %{name}.
 
 
+%if !0%{?rhel}
+# In theory this is noarch, but because plugins are placed in _libdir
+# which varies across architectures, RPM does not allow this.
+%package gcs-plugin
+Summary:        Gooogle Cloud Storage plugin %{name}
+Requires:       %{name}-python-plugin%{?_isa} = %{version}-%{release}
+Requires:       %{name}-server%{?_isa} = %{version}-%{release}
+# XXX Should not need to add this.
+Requires:       python3-google-cloud-storage
+
+%description gcs-plugin
+This package lets you open disk images stored in Google
+Cloud Storage using %{name}.
+%endif
+
+
 %if !0%{?rhel} && 0%{?have_libguestfs}
 %package guestfs-plugin
 Summary:        libguestfs plugin for %{name}
@@ -435,7 +482,8 @@ This package lets you write Ruby plugins for %{name}.
 # which varies across architectures, RPM does not allow this.
 %package S3-plugin
 Summary:        Amazon S3 and Ceph plugin for %{name}
-Requires:       %{name}-python-plugin >= 1.22
+Requires:       %{name}-python-plugin%{?_isa} = %{version}-%{release}
+Requires:       %{name}-server%{?_isa} = %{version}-%{release}
 # XXX Should not need to add this.
 Requires:       python3-boto3
 
@@ -576,6 +624,8 @@ nbdkit-rate-filter         Limit bandwidth by connection or server.
 
 nbdkit-readahead-filter    Prefetch data when reading sequentially.
 
+nbdkit-readonly-filter     Switch a plugin between read-only and writable.
+
 nbdkit-retry-filter        Reopen connection on error.
 
 nbdkit-retry-request-filter Retry single requests on error.
@@ -665,17 +715,70 @@ Install this package if you want intelligent bash tab-completion
 for %{name}.
 
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:       %{name} SELinux policy
+BuildArch:     noarch
+Requires:      selinux-policy-%{selinuxtype}
+Requires(post):selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+%{nbdkit} SELinux policy module.
+%endif
+
+
+%if 0%{?have_mingw}
+%package -n mingw32-%{name}
+Summary:       nbdkit binary, plugins, filters, development files for Windows
+BuildArch:     noarch
+Requires:      mingw32-filesystem
+Requires:      pkgconfig
+
+%description -n mingw32-%{name}
+NBD is a protocol for accessing block devices (hard disks and
+disk-like things) over the network.
+
+nbdkit is a toolkit for creating NBD servers.
+
+This package contains the nbdkit binary, plugins, filters and
+development kit for 32 bit versions of Windows.
+
+
+%package -n mingw64-%{name}
+Summary:       nbdkit binary, plugins, filters, development files for Windows
+BuildArch:     noarch
+Requires:      mingw64-filesystem
+Requires:      pkgconfig
+
+%description -n mingw64-%{name}
+NBD is a protocol for accessing block devices (hard disks and
+disk-like things) over the network.
+
+nbdkit is a toolkit for creating NBD servers.
+
+This package contains the nbdkit binary, plugins, filters and
+development kit for 64 bit versions of Windows.
+
+
+%{?mingw_debug_package}
+%endif
+
+
 %prep
 %if 0%{verify_tarball_signature}
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %endif
-%autosetup -p1
-%if 0%{patches_touch_autotools}
+%autosetup -p1 -S git
 autoreconf -i
-%endif
 
 
 %build
+mkdir build_native
+pushd build_native
+%global _configure ../configure
+
 # Golang bindings are not enabled in the build since they don't
 # need to be.  Most people would use them by copying the upstream
 # package into their vendor/ directory.
@@ -755,8 +858,64 @@ grep '^PYTHON_VERSION = 3' Makefile
 
 %make_build
 
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE6} selinux/
+cp -p %{SOURCE7} selinux/
+cp -p %{SOURCE8} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
+popd
+
+%if 0%{?have_mingw}
+# MC=no is a temporary hack until this bug is fixed in binutils:
+# https://sourceware.org/bugzilla/show_bug.cgi?id=31283
+%mingw_configure \
+    MC=no \
+    --disable-static \
+    --enable-shared \
+    --with-extra='%{name}-%{version}-%{release}' \
+    --with-tls-priority=@NBDKIT,SYSTEM \
+    --disable-golang \
+    --disable-libguestfs-tests \
+    --disable-linuxdisk \
+    --disable-lua \
+    --disable-ocaml \
+    --disable-perl \
+    --disable-python \
+    --disable-ruby \
+    --disable-rust \
+    --disable-tcl \
+    --disable-torrent \
+    --disable-valgrind \
+    --disable-vddk \
+    --without-bash-completions \
+    --without-curl \
+    --without-ext2 \
+    --with-gnutls \
+    --without-iso \
+    --without-libblkio \
+    --without-libguestfs \
+    --without-libnbd \
+    --without-libvirt \
+    --with-liblzma \
+    --without-manpages \
+    --without-selinux \
+    --without-ssh \
+    --with-zlib \
+    %{nil}
+
+%mingw_make %{?_smp_mflags}
+%endif
+
 
 %install
+pushd build_native
 %make_install
 
 # Delete libtool crap.
@@ -772,8 +931,10 @@ for f in cc cdi ; do
     rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin.so
     rm -f $RPM_BUILD_ROOT%{_mandir}/man?/nbdkit-$f-plugin.*
 done
-rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-S3-plugin
-rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-S3-plugin.1*
+for f in gcs S3 ; do
+    rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin
+    rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-$f-plugin.1*
+done
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/filters/nbdkit-qcow2dec-filter.so
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-qcow2dec-filter.1*
 %endif
@@ -783,9 +944,34 @@ mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
 install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
 install -m 0755 %{SOURCE5} $RPM_BUILD_ROOT%{_rpmconfigdir}/
 
+%if 0%{?with_selinux}
+install -D -m 0644 %{modulename}.pp.bz2 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+install -D -p -m 0644 selinux/%{modulename}.if $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%endif
+popd
+
+%if 0%{?have_mingw}
+%mingw_make_install
+
+# Remove .la files
+rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
+
+# The .def files aren't interesting for other binaries
+rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
+rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
+
+# Remove man pages which duplicate stuff in Fedora already.
+rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
+rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
+
+%mingw_debug_install_post
+%endif
+
 
 %check
 %ifnarch %{broken_test_arches}
+pushd build_native
 function skip_test ()
 {
     for f in "$@"; do
@@ -830,6 +1016,7 @@ export LIBGUESTFS_TRACE=1
     cat tests/test-suite.log
     exit 1
   }
+popd
 %endif
 
 
@@ -838,6 +1025,26 @@ export LIBGUESTFS_TRACE=1
 %endif
 
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+# if with_selinux
+%endif
+
+
 %files
 # metapackage so empty
 
@@ -943,6 +1150,15 @@ export LIBGUESTFS_TRACE=1
 %{_mandir}/man1/nbdkit-curl-plugin.1*
 
 
+%if !0%{?rhel}
+%files gcs-plugin
+%doc README.md
+%license LICENSE
+%{_libdir}/%{name}/plugins/nbdkit-gcs-plugin
+%{_mandir}/man1/nbdkit-gcs-plugin.1*
+%endif
+
+
 %if !0%{?rhel} && 0%{?have_libguestfs}
 %files guestfs-plugin
 %doc README.md
@@ -1119,6 +1335,7 @@ export LIBGUESTFS_TRACE=1
 %endif
 %{_libdir}/%{name}/filters/nbdkit-rate-filter.so
 %{_libdir}/%{name}/filters/nbdkit-readahead-filter.so
+%{_libdir}/%{name}/filters/nbdkit-readonly-filter.so
 %{_libdir}/%{name}/filters/nbdkit-retry-filter.so
 %{_libdir}/%{name}/filters/nbdkit-retry-request-filter.so
 %{_libdir}/%{name}/filters/nbdkit-scan-filter.so
@@ -1159,6 +1376,7 @@ export LIBGUESTFS_TRACE=1
 %endif
 %{_mandir}/man1/nbdkit-rate-filter.1*
 %{_mandir}/man1/nbdkit-readahead-filter.1*
+%{_mandir}/man1/nbdkit-readonly-filter.1*
 %{_mandir}/man1/nbdkit-retry-filter.1*
 %{_mandir}/man1/nbdkit-retry-request-filter.1*
 %{_mandir}/man1/nbdkit-scan-filter.1*
@@ -1210,7 +1428,7 @@ export LIBGUESTFS_TRACE=1
 # Include the source of the example plugins in the documentation.
 %doc plugins/example*/*.c
 %if !0%{?rhel}
-%doc plugins/example4/nbdkit-example4-plugin
+%doc build_native/plugins/example4/nbdkit-example4-plugin
 %doc plugins/lua/example.lua
 %endif
 %if !0%{?rhel} && 0%{?have_ocaml}
@@ -1250,10 +1468,45 @@ export LIBGUESTFS_TRACE=1
 %{_datadir}/bash-completion/completions/nbdkit
 
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
+
+%if 0%{?have_mingw}
+%files -n mingw32-%{name}
+%license LICENSE
+%{mingw32_sbindir}/nbdkit.exe
+%{mingw32_libdir}/%{name}/
+%{mingw32_libdir}/libnbdkit.a
+%{mingw32_libdir}/pkgconfig/%{name}.pc
+%{mingw32_includedir}/*.h
+
+
+%files -n mingw64-%{name}
+%license LICENSE
+%{mingw64_sbindir}/nbdkit.exe
+%{mingw64_libdir}/%{name}/
+%{mingw64_libdir}/libnbdkit.a
+%{mingw64_libdir}/pkgconfig/%{name}.pc
+%{mingw64_includedir}/*.h
+%endif
+
+
 %changelog
-* Tue Oct 31 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.1-1
-- Rebase to 1.36.1
+* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1
+- Rebase to 1.38.0
+- Added selinux subpackage
+- resolves: RHEL-31884
+
+* Wed Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
+- Rebase to 1.36.2
   resolves: RHEL-14475
+- partition: Suggest alternate partition-sectorsize
+  resolves: RHEL-19815
 
 * Tue Aug 01 2023 Richard W.M. Jones <rjones@redhat.com> - 1.34.2-1
 - Rebase to 1.34.2

nbdkit.te

@@ -0,0 +1,100 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+	auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(nbdkit_t)
+	miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(nbdkit_t)
+	sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+	userdom_read_user_home_content_files(nbdkit_t)
+	userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+	virt_create_svirt_image_sock_files(nbdkit_t)
+	virt_read_qemu_pid_files(nbdkit_t)
+	virtlogd_rw_pipes(nbdkit_t)
+	virt_rw_svirt_image(nbdkit_t)
+	virt_rw_svirt_image_dirs(nbdkit_t)
+	virt_search_lib(nbdkit_t)
+	virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
+# unconfined_t), but we don't want this transition to happen automatically 
+# when starting directly from the shell. I'm not sure how to achieve this...  
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)

sources

@@ -1,2 +1,2 @@
-SHA512 (nbdkit-1.36.1.tar.gz) = ca0e6e6729fb6f43a9717a3815dfb8ff54a2f182ef079e72b0e5e1b018c55f2205be52a10abc0b0a2243d0737f27b1ccf67c0d9586135454a460d39dad79f042
-SHA512 (nbdkit-1.36.1.tar.gz.sig) = d0cf5e58f1d4e5fb601d33f6d1cba7fdc4f7085b3481775e061e89107e1d86cb524b1cae35e79a09873558945844993acd08294a74dbf0c289666caa39f0e243
+SHA512 (nbdkit-1.38.0.tar.gz) = 7817ab29f2c4821237ac9114e820186b6fcbe5658fb702ecd41941fc70ffd060294c3d71fbcb37176f4609d3e25996ea71e20ea58d0aee2c8bf6b4b30254d074
+SHA512 (nbdkit-1.38.0.tar.gz.sig) = e81960962737f57c586bbf4dea9b2f7f208bb7258919ddd808006d4d14582ebd8e6b7d0e9f64ed48176c74c8c6ec00f042060be6a91ac0d8db20a1d936a53b42