From 29cd080c4d080463306c64a261a2b0f026d2b0d4 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 13 May 2025 14:47:01 +0000
Subject: [PATCH] import UBI passt-0^20250217.ga1e48a0-1.el9

---
 .gitignore | 2 +-
 .passt.metadata | 2 +-
 ...op-user_namespace-create-allow-rules.patch | 17 ++--
 ...-if-guest-attempts-to-connect-to-por.patch | 64 -------------
 ...keep-alive-segments-ignore-them-for-.patch | 69 --------------
 ...-Set-again-TCP_NODELAY-on-both-sides.patch | 93 -------------------
 ...orrect-hash-probe-in-flowside_lookup.patch | 43 ---------
 ...-on-all-RST-segments-even-for-client.patch | 78 ----------------
 ...t-outbound-connection-on-SYN-retries.patch | 44 ---------
 SPECS/passt.spec | 39 ++++----
 10 files changed, 28 insertions(+), 423 deletions(-)
 delete mode 100644 SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
 delete mode 100644 SOURCES/0003-tcp-Acknowledge-keep-alive-segments-ignore-them-for-.patch
 delete mode 100644 SOURCES/0004-tcp_splice-Set-again-TCP_NODELAY-on-both-sides.patch
 delete mode 100644 SOURCES/0005-flow-Fix-incorrect-hash-probe-in-flowside_lookup.patch
 delete mode 100644 SOURCES/0006-tcp-Set-ACK-flag-on-all-RST-segments-even-for-client.patch
 delete mode 100644 SOURCES/0007-tcp-Don-t-reset-outbound-connection-on-SYN-retries.patch

diff --git a/.gitignore b/.gitignore
index 3ac5abe..5493e12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
+SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz
diff --git a/.passt.metadata b/.passt.metadata
index 6ae71fd..1ee7dbd 100644
--- a/.passt.metadata
+++ b/.passt.metadata
@@ -1 +1 @@
-421a821e193faa31035a158c913c70d7fc13bf68 SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
+6561fdc75b29dc6566bc1fb30b88d6846ef5e23b SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz
diff --git a/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch b/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch index 4cac1f7..4149192 100644 --- a/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch +++ b/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch @@ -24,29 +24,28 @@ Signed-off-by: Stefano Brivio 2 files changed, 2 deletions(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te -index facc2d1..de10f45 100644 +index c6cea34..131fadc 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te -@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace; +@@ -92,7 +92,6 @@ allow syslogd_t self:cap_userns sys_ptrace; allow passt_t self:process setcap; allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid}; allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; -allow passt_t self:user_namespace create; - allow passt_t passwd_file_t:file read_file_perms; - sssd_search_lib(passt_t) + auth_read_passwd(passt_t) + diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te -index ed70c5f..3226e37 100644 +index 69be081..892edae 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te -@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t) +@@ -110,7 +110,6 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; -allow pasta_t self:user_namespace create; - allow pasta_t passwd_file_t:file read_file_perms; - sssd_search_lib(pasta_t) + auth_read_passwd(pasta_t) + -- 2.39.2 - diff --git a/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch b/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch deleted file mode 100644 index 00692fa..0000000 
--- a/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001 -From: David Gibson -Date: Wed, 14 Aug 2024 20:03:33 +1000 -Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0 - -Using a zero port on TCP or UDP is dubious, and we can't really deal with -forwarding such a flow within the constraints of the socket API. Hence -we ASSERT()ed that we had non-zero ports in flow_hash(). - -The intention was to make sure that the protocol code sanitizes such ports -before completing a flow entry. Unfortunately, flow_hash() is also called -on new packets to see if they have an existing flow, so the unsanitized -guest packet can crash passt with the assert. - -Correct this by moving the assert from flow_hash() to flow_sidx_hash() -which is only used on entries already in the table, not on unsanitized -data. - -Reported-by: Matt Hamilton -Signed-off-by: David Gibson -Signed-off-by: Stefano Brivio ---- - flow.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/flow.c b/flow.c -index 687e9fd..93b687d 100644 ---- a/flow.c -+++ b/flow.c -@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif, - { - struct siphash_state state = SIPHASH_INIT(c->hash_secret); - -- /* For the hash table to work, we need complete endpoint information, -- * and at least a forwarding port. 
-- */ -- ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && -- side->eport != 0 && side->fport != 0); -- - inany_siphash_feed(&state, &side->faddr); - inany_siphash_feed(&state, &side->eaddr); - -@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif, - static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx) - { - const struct flow_common *f = &flow_at_sidx(sidx)->f; -- return flow_hash(c, FLOW_PROTO(f), -- f->pif[sidx.sidei], &f->side[sidx.sidei]); -+ const struct flowside *side = &f->side[sidx.sidei]; -+ uint8_t pif = f->pif[sidx.sidei]; -+ -+ /* For the hash table to work, entries must have complete endpoint -+ * information, and at least a forwarding port. -+ */ -+ ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && -+ side->eport != 0 && side->fport != 0); -+ -+ return flow_hash(c, FLOW_PROTO(f), pif, side); - } - - /** --- -2.43.0 - diff --git a/SOURCES/0003-tcp-Acknowledge-keep-alive-segments-ignore-them-for-.patch b/SOURCES/0003-tcp-Acknowledge-keep-alive-segments-ignore-them-for-.patch deleted file mode 100644 index 429bcbd..0000000 --- a/SOURCES/0003-tcp-Acknowledge-keep-alive-segments-ignore-them-for-.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 238c69f9af458e41dea5ad8c988dbf65b05b5172 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Tue, 19 Nov 2024 20:53:44 +0100 -Subject: [PATCH] tcp: Acknowledge keep-alive segments, ignore them for the - rest - -RFC 9293, 3.8.4 says: - - Implementers MAY include "keep-alives" in their TCP implementations - (MAY-5), although this practice is not universally accepted. Some - TCP implementations, however, have included a keep-alive mechanism. - To confirm that an idle connection is still active, these - implementations send a probe segment designed to elicit a response - from the TCP peer. Such a segment generally contains SEG.SEQ = - SND.NXT-1 and may or may not contain one garbage octet of data. If - keep-alives are included, the application MUST be able to turn them - on or off for each TCP connection (MUST-24), and they MUST default to - off (MUST-25). - -but currently, tcp_data_from_tap() is not aware of this and will -schedule a fast re-transmit on the second keep-alive (because it's -also a duplicate ACK), ignoring the fact that the sequence number was -rewinded to SND.NXT-1. - -ACK these keep-alive segments, reset the activity timeout, and ignore -them for the rest. - -At some point, we could think of implementing an approximation of -keep-alive segments on outbound sockets, for example by setting -TCP_KEEPIDLE to 1, and a large TCP_KEEPINTVL, so that we send a single -keep-alive segment at approximately the same time, and never reset the -connection. That's beyond the scope of this fix, though. 
- -Reported-by: Tim Besard -Link: https://github.com/containers/podman/discussions/24572 -Signed-off-by: Stefano Brivio -Reviewed-by: David Gibson ---- - tcp.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/tcp.c b/tcp.c -index f357920..1eb85bb 100644 ---- a/tcp.c -+++ b/tcp.c -@@ -1763,6 +1763,20 @@ static int tcp_data_from_tap(const struct ctx *c, struct tcp_tap_conn *conn, - continue; - - seq = ntohl(th->seq); -+ if (SEQ_LT(seq, conn->seq_from_tap) && len <= 1) { -+ flow_trace(conn, -+ "keep-alive sequence: %u, previous: %u", -+ seq, conn->seq_from_tap); -+ -+ tcp_send_flag(c, conn, ACK); -+ tcp_timer_ctl(c, conn); -+ -+ if (p->count == 1) -+ return 1; -+ -+ continue; -+ } -+ - ack_seq = ntohl(th->ack_seq); - - if (th->ack) { --- -2.43.5 - diff --git a/SOURCES/0004-tcp_splice-Set-again-TCP_NODELAY-on-both-sides.patch b/SOURCES/0004-tcp_splice-Set-again-TCP_NODELAY-on-both-sides.patch deleted file mode 100644 index 7eb354e..0000000 --- a/SOURCES/0004-tcp_splice-Set-again-TCP_NODELAY-on-both-sides.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 725acd111ba340122f2bb0601e373534eb4b5ed8 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Mon, 6 Jan 2025 10:10:29 +0100 -Subject: [PATCH] tcp_splice: Set (again) TCP_NODELAY on both sides - -In commit 7ecf69329787 ("pasta, tcp: Don't set TCP_CORK on spliced -sockets") I just assumed that we wouldn't benefit from disabling -Nagle's algorithm once we drop TCP_CORK (and its 200ms fixed delay). - -It turns out that with some patterns, such as a PostgreSQL server -in a container receiving parameterised, short queries, for which pasta -sees several short inbound messages (Parse, Bind, Describe, Execute -and Sync commands getting each one their own packet, 5 to 49 bytes TCP -payload each), we'll read them usually in two batches, and send them -in matching batches, for example: - - 9165.2467: pasta: epoll event on connected spliced TCP socket 117 (events: 0x00000001) - 9165.2468: Flow 0 (TCP connection (spliced)): 76 from read-side call - 9165.2468: Flow 0 (TCP connection (spliced)): 76 from write-side call (passed 524288) - 9165.2469: pasta: epoll event on connected spliced TCP socket 117 (events: 0x00000001) - 9165.2470: Flow 0 (TCP connection (spliced)): 15 from read-side call - 9165.2470: Flow 0 (TCP connection (spliced)): 15 from write-side call (passed 524288) - 9165.2944: pasta: epoll event on connected spliced TCP socket 118 (events: 0x00000001) - -and the kernel delivers the first one, waits for acknowledgement from -the receiver, then delivers the second one. This adds very substantial -and unnecessary delay. It's usually a fixed ~40ms between the two -batches, which is clearly unacceptable for loopback connections. - -In this example, the delay is shown by the timestamp of the response -from socket 118. The peer (server) doesn't actually take that long -(less than a millisecond), but it takes that long for the kernel to -deliver our request. 
- -To avoid batching and delays, disable Nagle's algorithm by setting -TCP_NODELAY on both internal and external sockets: this way, we get -one inbound packet for each original message, we transfer them right -away, and the kernel delivers them to the process in the container as -they are, without delay. - -We can do this safely as we don't care much about network utilisation -when there's in fact pretty much no network (loopback connections). - -This is unfortunately not visible in the TCP request-response tests -from the test suite because, with smaller messages (we use one byte), -Nagle's algorithm doesn't even kick in. It's probably not trivial to -implement a universal test covering this case. - -Fixes: 7ecf69329787 ("pasta, tcp: Don't set TCP_CORK on spliced sockets") -Signed-off-by: Stefano Brivio ---- - tcp_splice.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/tcp_splice.c b/tcp_splice.c -index 3a0f868..3a000ff 100644 ---- a/tcp_splice.c -+++ b/tcp_splice.c -@@ -348,6 +348,7 @@ static int tcp_splice_connect(const struct ctx *c, struct tcp_splice_conn *conn) - uint8_t tgtpif = conn->f.pif[TGTSIDE]; - union sockaddr_inany sa; - socklen_t sl; -+ int one = 1; - - if (tgtpif == PIF_HOST) - conn->s[1] = tcp_conn_sock(c, af); -@@ -359,12 +360,21 @@ static int tcp_splice_connect(const struct ctx *c, struct tcp_splice_conn *conn) - if (conn->s[1] < 0) - return -1; - -- if (setsockopt(conn->s[1], SOL_TCP, TCP_QUICKACK, -- &((int){ 1 }), sizeof(int))) { -+ if (setsockopt(conn->s[1], SOL_TCP, TCP_QUICKACK, &one, sizeof(one))) { - flow_trace(conn, "failed to set TCP_QUICKACK on socket %i", - conn->s[1]); - } - -+ if (setsockopt(conn->s[0], SOL_TCP, TCP_NODELAY, &one, sizeof(one))) { -+ flow_trace(conn, "failed to set TCP_NODELAY on socket %i", -+ conn->s[0]); -+ } -+ -+ if (setsockopt(conn->s[1], SOL_TCP, TCP_NODELAY, &one, sizeof(one))) { -+ flow_trace(conn, "failed to set TCP_NODELAY on socket %i", -+ conn->s[1]); -+ } -+ - 
pif_sockaddr(c, &sa, &sl, tgtpif, &tgt->eaddr, tgt->eport); - - if (connect(conn->s[1], &sa.sa, sl)) { --- -2.47.1 - diff --git a/SOURCES/0005-flow-Fix-incorrect-hash-probe-in-flowside_lookup.patch b/SOURCES/0005-flow-Fix-incorrect-hash-probe-in-flowside_lookup.patch deleted file mode 100644 index 2f97956..0000000 --- a/SOURCES/0005-flow-Fix-incorrect-hash-probe-in-flowside_lookup.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7ad9f9bd2bbda8d705e0c6faf5acf2792fce063c Mon Sep 17 00:00:00 2001 -From: David Gibson -Date: Fri, 6 Sep 2024 15:17:05 +1000 -Subject: [PATCH] flow: Fix incorrect hash probe in flowside_lookup() - -Our flow hash table uses linear probing in which we step backwards through -clusters of adjacent hash entries when we have near collisions. Usually -that's implemented by flow_hash_probe(). However, due to some details we -need a second implementation in flowside_lookup(). An embarrassing -oversight in rebasing from earlier versions has mean that version is -incorrect, trying to step forward through clusters rather than backward. - -In situations with the right sorts of has near-collisions this can lead to -us not associating an ACK from the tap device with the right flow, leaving -it in a not-quite-established state. If the remote peer does a shutdown() -at the right time, this can lead to a storm of EPOLLRDHUP events causing -high CPU load. - -Fixes: acca4235c46f ("flow, tcp: Generalise TCP hash table to general flow hash table") -Link: https://bugs.passt.top/show_bug.cgi?id=94 -Suggested-by: Stefano Brivio -Signed-off-by: David Gibson -Signed-off-by: Stefano Brivio ---- - flow.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/flow.c b/flow.c -index 02631eb..a00e01d 100644 ---- a/flow.c -+++ b/flow.c -@@ -697,7 +697,7 @@ static flow_sidx_t flowside_lookup(const struct ctx *c, uint8_t proto, - !(FLOW_PROTO(&flow->f) == proto && - flow->f.pif[sidx.sidei] == pif && - flowside_eq(&flow->f.side[sidx.sidei], side))) -- b = (b + 1) % FLOW_HASH_SIZE; -+ b = mod_sub(b, 1, FLOW_HASH_SIZE); - - return flow_hashtab[b]; - } --- -2.47.1 - diff --git a/SOURCES/0006-tcp-Set-ACK-flag-on-all-RST-segments-even-for-client.patch b/SOURCES/0006-tcp-Set-ACK-flag-on-all-RST-segments-even-for-client.patch deleted file mode 100644 index a446a34..0000000 --- a/SOURCES/0006-tcp-Set-ACK-flag-on-all-RST-segments-even-for-client.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From b10ddf22581ea470a57a0c2e4e8a5687bede0f53 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Mon, 20 Jan 2025 18:36:30 +0100 -Subject: [PATCH] tcp: Set ACK flag on *all* RST segments, even for client in - SYN-SENT state - -Somewhat curiously, RFC 9293, section 3.10.7.3, states: - - If the state is SYN-SENT, then - [...] - - Second, check the RST bit: - - If the RST bit is set, - [...] - - o If the ACK was acceptable, then signal to the user "error: - connection reset", drop the segment, enter CLOSED state, - delete TCB, and return. Otherwise (no ACK), drop the - segment and return. - -which matches verbatim RFC 793, pages 66-67, and is implemented as-is -by tcp_rcv_synsent_state_process() in the Linux kernel, that is: - - /* No ACK in the segment */ - - if (th->rst) { - /* rfc793: - * "If the RST bit is set - * - * Otherwise (no ACK) drop the segment and return." - */ - - goto discard_and_undo; - } - -meaning that if a client is in SYN-SENT state, and we send a RST -segment once we realise that we can't establish the outbound -connection, the client will ignore our segment and will need to -pointlessly wait until the connection times out instead of aborting -it right away. - -The ACK flag on a RST, in this case, doesn't really seem to have any -function, but we must set it nevertheless. The ACK sequence number is -already correct because we always set it before calling -tcp_prepare_flags(), whenever relevant. - -This leaves us with no cases where we should *not* set the ACK flag -on non-SYN segments, so always set the ACK flag for RST segments. - -Note that non-SYN, non-RST segments were already covered by commit -4988e2b40631 ("tcp: Unconditionally force ACK for all !SYN, !RST -packets"). 
- -Reported-by: Dirk Janssen -Reported-by: Roeland van de Pol -Reported-by: Robert Floor -Signed-off-by: Stefano Brivio -(cherry picked from commit db2c91ae86c7c0d1d068714db2342b9057506148) ---- - tcp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tcp.c b/tcp.c -index c0820ce..4e3148e 100644 ---- a/tcp.c -+++ b/tcp.c -@@ -1199,7 +1199,7 @@ int tcp_prepare_flags(struct ctx *c, struct tcp_tap_conn *conn, - *data++ = OPT_WS; - *data++ = OPT_WS_LEN; - *data++ = conn->ws_to_tap; -- } else if (!(flags & RST)) { -+ } else { - flags |= ACK; - } - --- -2.47.1 - diff --git a/SOURCES/0007-tcp-Don-t-reset-outbound-connection-on-SYN-retries.patch b/SOURCES/0007-tcp-Don-t-reset-outbound-connection-on-SYN-retries.patch deleted file mode 100644 index 4420126..0000000 --- a/SOURCES/0007-tcp-Don-t-reset-outbound-connection-on-SYN-retries.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 2d5181f7363a09b24b225b9d7c07f999a1f89e63 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Mon, 3 Feb 2025 08:19:16 +0100 -Subject: [PATCH] tcp: Don't reset outbound connection on SYN retries - -Reported by somebody on IRC: if the server has considerable latency, -it might happen that the client retries sending SYN segments for the -same flow while we're still in a TAP_SYN_RCVD, non-ESTABLISHED state. - -In that case, we should go with the blanket assumption that we need -to reset the connection on any unexpected segment: RFC 9293 explicitly -mentions this case in Figure 8: Recovery from Old Duplicate SYN, -section 3.5. It doesn't make sense for us to set a specific sequence -number, socket-side, but we should definitely wait and see. - -Ignoring the duplicate SYN segment should also be compatible with -section 3.10.7.3. SYN-SENT STATE, which mentions updating sequences -socket-side (which we can't do anyway), but certainly not reset the -connection. - -Signed-off-by: Stefano Brivio -Reviewed-by: David Gibson -(cherry picked from commit 722d347c1932f630a53ba05ea0270a651ed601b2) ---- - tcp.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tcp.c b/tcp.c -index bbc5687..babd02a 100644 ---- a/tcp.c -+++ b/tcp.c -@@ -1962,6 +1962,9 @@ int tcp_tap_handler(struct ctx *c, uint8_t pif, sa_family_t af, - - /* Establishing connection from tap */ - if (conn->events & TAP_SYN_RCVD) { -+ if (th->syn && !th->ack && !th->fin) -+ return 1; /* SYN retry: ignore and keep waiting */ -+ - if (!(conn->events & TAP_SYN_ACK_SENT)) - goto reset; - --- -2.47.1 - diff --git a/SPECS/passt.spec b/SPECS/passt.spec index 224e848..6fb2248 100644 --- a/SPECS/passt.spec +++ b/SPECS/passt.spec 
@@ -7,12 +7,12 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio
 
-%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd
+%global git_hash a1e48a02ff3550eb7875a7df6726086e9b3a1213
 %global selinuxtype targeted
 
 Name: passt
-Version: 0^20240806.gee36266
-Release: 7%{?dist}
+Version: 0^20250217.ga1e48a0
+Release: 1%{?dist}
 Summary: User-mode networking daemons for virtual machines and namespaces
 License: GPL-2.0-or-later AND BSD-3-Clause
 Group: System Environment/Daemons
@@ -20,12 +20,6 @@ URL: https://passt.top/
 
 Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 Patch1: 0001-selinux-Drop-user_namespace-create-allow-rules.patch
-Patch2: 0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
-Patch3: 0003-tcp-Acknowledge-keep-alive-segments-ignore-them-for-.patch
-Patch4: 0004-tcp_splice-Set-again-TCP_NODELAY-on-both-sides.patch
-Patch5: 0005-flow-Fix-incorrect-hash-probe-in-flowside_lookup.patch
-Patch6: 0006-tcp-Set-ACK-flag-on-all-RST-segments-even-for-client.patch
-Patch7: 0007-tcp-Don-t-reset-outbound-connection-on-SYN-retries.patch
 
 BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
 Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -52,7 +46,7 @@ Requires(preun): %{name}
 Requires(preun): policycoreutils
 
 %description selinux
-This package adds SELinux enforcement to passt(1) and pasta(1).
+This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
 
 %prep
 %autosetup -S git_am -n passt-%{git_hash}
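Review bot: Dropping Patch2 through Patch7 in the second hunk is only safe if every one of those backports is already contained in snapshot a1e48a02ff35…, and neither the commit message nor the new changelog entry states that. Several of them record the upstream commit they were taken from (0006 and 0007 carry "cherry picked from" lines), so a single changelog line such as `- Rebase to a1e48a0; drops backports 0002-0007, now upstream` would let a later reviewer confirm the rebase without diffing the two tarballs. The `%description selinux` text in the third hunk reads `passt(1), pasta(1), passt-repair(1)`; `passt(1), pasta(1) and passt-repair(1)` is the natural phrasing.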
@@ -90,6 +84,7 @@ make -f %{_datadir}/selinux/devel/Makefile
 install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if
 install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+install -p -m 644 -D passt-repair.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 popd
 
 %pre selinux
@@ -98,11 +93,13 @@ popd
 %post selinux
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
 %selinux_modules_uninstall -s %{selinuxtype} passt
 %selinux_modules_uninstall -s %{selinuxtype} pasta
+ %selinux_modules_uninstall -s %{selinuxtype} passt-repair
 fi
 
 %posttrans selinux
@@ -116,9 +113,11 @@ fi
 %{_bindir}/passt
 %{_bindir}/pasta
 %{_bindir}/qrap
+%{_bindir}/passt-repair
 %{_mandir}/man1/passt.1*
 %{_mandir}/man1/pasta.1*
 %{_mandir}/man1/qrap.1*
+%{_mandir}/man1/passt-repair.1*
 %ifarch x86_64
 %{_bindir}/passt.avx2
 %{_mandir}/man1/passt.avx2.1*
@@ -130,22 +129,20 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
-* Wed Mar 12 2025 Stefano Brivio - 0^20240806-gee36266-7
-- Resolves: RHEL-83155
+* Mon Feb 17 2025 Stefano Brivio - 0^20250217.ga1e48a0-1
+- Resolves: RHEL-79787
 
-* Tue Jan 21 2025 Stefano Brivio - 0^20240806-gee36266-6
-- Resolves: RHEL-75645
+* Wed Jan 22 2025 Stefano Brivio - 0^20250121.g4f2c8e7-3
+- Resolves: RHEL-75654
 
-* Thu Jan 16 2025 Stefano Brivio - 0^20240806-gee36266-5
-- Resolves: RHEL-74301
+* Tue Jan 21 2025 Stefano Brivio - 0^20250121.g4f2c8e7-1
+- Resolves: RHEL-75654
 
-* Fri Jan 10 2025 Stefano Brivio - 0^20240806-gee36266-4
-- Resolves: RHEL-73251
-
-* Tue Nov 26 2024 Stefano Brivio - 0^20240806-gee36266-3
-- Resolves: RHEL-68948
+* Thu Nov 21 2024 Stefano Brivio - 0^20241121.g238c69f-1
+- Resolves: RHEL-65502
 
 * Wed Aug 14 2024 Stefano Brivio - 0^20240806-gee36266-2
 - Resolves: RHEL-54268