passt-0^20251210.gd04c480-3.el9

Resolves: RHEL-137588 RHEL-136313

0006-selinux-Enable-open-permissions-on-netns-directory-o.patch

@@ -0,0 +1,68 @@
+From 6babaa8a88eb337e4b81aeff673fcebb28015f36 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Fri, 16 Jan 2026 16:48:46 +0100
+Subject: [PATCH 6/7] selinux: Enable open permissions on netns directory,
+ operations on container_var_run_t
+
+Tuomo reports two further SELinux denials after upgrading to a
+passt-selinux version that includes the transition to pasta_t for
+containers, one I could reproduce:
+
+  denied  { open } for  pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
+
+which I didn't take care of in the previous commit, d2c5133990a7
+("selinux: Enable read and watch permissions on netns directory as
+well"), as it didn't appear in my quick test. But I can make pasta use
+"open" on the network namespace entry by simply using it to make
+connections.
+
+So, for that, add "open" to the existing rule for user_tmp_t:dir.
+
+Then, another one I couldn't reproduce instead:
+
+  denied  { write } for  pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0
+
+which, I think, comes from a specific combination of versions of
+container-selinux, Podman, and passt-selinux packages, which
+prevents the expected type transition on container_var_run_t unless
+restorecon is invoked manually, or until a reboot.
+
+Allowing the same permissions on container_var_run_t as we do on
+ifconfig_var_run_t is harmless, so do that to prevent this further
+denial.
+
+Reported-by: Tuomo Soini <tis@foobar.fi>
+Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well")
+Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+(cherry picked from commit a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e)
+---
+ contrib/selinux/pasta.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index 22daa77..abeafa4 100644
+--- a/contrib/selinux/pasta.te
++++ b/contrib/selinux/pasta.te
+@@ -148,7 +148,7 @@ allow pasta_t root_t:dir mounton;
+ manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
+ files_pid_filetrans(pasta_t, pasta_pid_t, file)
+ 
+-allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };
++allow pasta_t user_tmp_t:dir { add_name open read remove_name search watch write };
+ allow pasta_t user_tmp_t:fifo_file append;
+ allow pasta_t user_tmp_t:file { create open write };
+ allow pasta_t user_tmp_t:sock_file { create unlink };
+@@ -248,7 +248,9 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+ type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns";
+ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+ type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
++allow pasta_t container_var_run_t:dir { add_name open rmdir write };
+ allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
++allow pasta_t container_var_run_t:file { create open write };
+ allow pasta_t ifconfig_var_run_t:file { create open write };
+ allow systemd_logind_exec_t ifconfig_var_run_t:dir rmdir;
+ 
+-- 
+2.47.1
+

0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch

@@ -0,0 +1,74 @@
+From dbfbc33776290260b87bb29bb5572750f9709b35 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Fri, 9 Jan 2026 13:52:00 +0100
+Subject: [PATCH 7/7] tcp: Fix rounding issue in check for approximating window
+ to zero
+
+In general, we approximate the advertised window to zero if we would
+otherwise advertise less than a MSS worth, and the reasoning behind
+that is explained in cf1925fb7b77 ("tcp: Don't limit window to
+less-than-MSS values, use zero instead").
+
+Then, in commit b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no
+queued data, or no data sent recently"), I introduced some conditions
+under which we won't do that, including a check on whether any data
+was sent recently.
+
+As an arbitrary but probably reasonable threshold, we consider data to
+have recently been sent if that occurred less than ten times the
+round-trip time (RTT) ago.
+
+The time elapsed since the last data transmission is reported by the
+kernel in milliseconds, in the tcpi_last_data_sent field of struct
+tcp_info, and the RTT is reported in microseconds instead, in
+tcpi_rtt.
+
+To avoid the risk of overflow in a simple way, for the purpose of this
+comparison, I converted tcpi_rtt to milliseconds first, but this means
+that the check will always be false (and we'll never approximate the
+window to zero) if the RTT is below one millisecond.
+
+This, in turn, reintroduces nasty delay issues in transfers in
+non-local connections which have however almost-local (low) latency.
+
+Given that we want to use ten times the RTT as an arbitrary "long
+enough" upper bound, round the RTT up while converting it to
+milliseconds.
+
+As an alternative, we could perform the comparison in microseconds,
+but we would need a slightly more complicated implementation to
+exclude overflows, and it's definitely not worth it given the nature
+of this threshold.
+
+Fixes: b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no queued data, or no data sent recently")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 2be0e790804f99580b1c8a1781c49913440607f2)
+---
+ tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tcp.c b/tcp.c
+index 23fcbc3..8f4f087 100644
+--- a/tcp.c
++++ b/tcp.c
+@@ -1180,6 +1180,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn,
+ 	if ((conn->flags & LOCAL) || tcp_rtt_dst_low(conn)) {
+ 		new_wnd_to_tap = tinfo->tcpi_snd_wnd;
+ 	} else {
++		unsigned rtt_ms_ceiling = DIV_ROUND_UP(tinfo->tcpi_rtt, 1000);
+ 		uint32_t sendq;
+ 		int limit;
+ 
+@@ -1223,7 +1224,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn,
+ 		 *   with pending data in the outbound queue
+ 		 */
+ 		if (limit < MSS_GET(conn) && sendq &&
+-		    tinfo->tcpi_last_data_sent < tinfo->tcpi_rtt / 1000 * 10)
++		    tinfo->tcpi_last_data_sent < rtt_ms_ceiling * 10)
+ 			limit = 0;
+ 
+ 		new_wnd_to_tap = MIN((int)tinfo->tcpi_snd_wnd, limit);
+-- 
+2.47.1
+

passt.spec

@@ -13,7 +13,7 @@
 
 Name:		passt
 Version:	0^20251210.gd04c480
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
 License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
@@ -25,6 +25,8 @@ Patch2:		0002-selinux-Use-systemd_logind_exec_t-instead-of-systemd.patch
 Patch3:		0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch
 Patch4:		0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch
 Patch5:		0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch
+Patch6:		0006-selinux-Enable-open-permissions-on-netns-directory-o.patch
+Patch7:		0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch
 
 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
 Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -139,6 +141,9 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
+* Wed Feb 11 2026 Stefano Brivio <sbrivio@redhat.com> - 0^20251210.gd04c480-3
+- Resolves: RHEL-137588 RHEL-136313
+
 * Wed Dec 24 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20251210.gd04c480-2
 - Resolves: RHEL-136313 RHEL-136461 RHEL-137439 RHEL-137588