From 520bfe09a94267bd94c55141445a4a87d4de6a91 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Mon, 21 Aug 2023 17:57:28 +0200
Subject: [PATCH] passt-0^20230818.g0af928e-2.el9

passt-selinux policies from passt-0^20230818.g0af928e-1.el9 fail to load on the current el9 kernel -- add a patch.

Resolves: RHELPLAN-155811
---
 ...op-user_namespace-create-allow-rules.patch | 52 +++++++++++++++++++
 passt.spec | 12 +++--
 2 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 0001-selinux-Drop-user_namespace-create-allow-rules.patch

diff --git a/0001-selinux-Drop-user_namespace-create-allow-rules.patch b/0001-selinux-Drop-user_namespace-create-allow-rules.patch
new file mode 100644
index 0000000..4cac1f7
--- /dev/null
+++ b/0001-selinux-Drop-user_namespace-create-allow-rules.patch
@@ -0,0 +1,52 @@
+From 6977619743bbc602a865f79562b59a80921d6063 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio
+Date: Mon, 21 Aug 2023 17:52:28 +0200
+Subject: [PATCH] selinux: Drop user_namespace create allow rules
+
+Those are incompatible with current el9 kernels. I introduced them
+upstream with commit 62059058cf24 ("selinux: Fix user namespace
+creation after breaking kernel change"), in turn as a result of
+kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook"),
+but on current el9 kernels (which lack the hook) they result in
+failures such as:
+
+  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
+  Failed to resolve AST
+  /usr/sbin/semodule: Failed!
+  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
+  Failed to resolve AST
+  /usr/sbin/semodule: Failed!
+
+Signed-off-by: Stefano Brivio
+---
+ contrib/selinux/passt.te | 1 -
+ contrib/selinux/pasta.te | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
+index facc2d1..de10f45 100644
+--- a/contrib/selinux/passt.te
++++ b/contrib/selinux/passt.te
+@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
+ allow passt_t self:process setcap;
+ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
+ allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+-allow passt_t self:user_namespace create;
+
+ allow passt_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(passt_t)
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index ed70c5f..3226e37 100644
+--- a/contrib/selinux/pasta.te
++++ b/contrib/selinux/pasta.te
+@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
+
+ allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
+ allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service 
}; 
+-allow pasta_t self:user_namespace create;
+
+ allow pasta_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(pasta_t)
+--
+2.39.2
+
diff --git a/passt.spec b/passt.spec
index 4298173..4f4dfca 100644
--- a/passt.spec
+++ b/passt.spec
@@ -12,14 +12,16 @@
 Name: passt
 Version: 0^20230818.g0af928e
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: User-mode networking daemons for virtual machines and namespaces
 License: GPLv2+ and BSD
 Group: System Environment/Daemons
 URL: https://passt.top/
 Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
-BuildRequires: gcc, make, checkpolicy, selinux-policy-devel
+Patch1: 0001-selinux-Drop-user_namespace-create-allow-rules.patch
+
+BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
 Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 
 %description
@@ -47,7 +49,7 @@ Requires(preun): policycoreutils
 This package adds SELinux enforcement to passt(1) and pasta(1).
 
 %prep
-%setup -q -n passt-%{git_hash}
+%autosetup -S git_am -n passt-%{git_hash}
 
 %build
 %set_build_flags
@@ -114,6 +116,10 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 
 %changelog
+* Mon Aug 21 2023 Stefano Brivio - 0^20230818.g0af928e-2
+- Drop user_namespace create allow rule, incompatible with current el9 kernel
+- Resolves: RHELPLAN-155811
+
 * Sat Aug 19 2023 Stefano Brivio - 0^20230818.g0af928e-1
 - Rebase from Fedora 39
 - Resolves: RHELPLAN-155811
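Review bot: Deleting `allow pasta_t self:user_namespace create;` (and the matching passt_t rule in the nested patch's first hunk) is unconditional, so if an el9 kernel and selinux-policy later gain the `userns_create` hook and the `user_namespace` class, this module will deny pasta's user-namespace creation rather than fail to load, and the regression will surface only as runtime AVC denials with `tclass=user_namespace`. The nested diff's context shows the rule sits among plain, non-optional allow lines; wrapping it in refpolicy's optional_policy() together with a gen_require() of `class user_namespace create;` should, if the el9 semodule disables an optional block on an unresolved class as CIL does, keep a single policy loadable on both kernels — worth verifying before relying on it. Whichever route is kept, record the drop condition where the patch is wired in, next to `Patch1:` in passt.spec: `# Temporary: el9 kernel lacks the userns_create LSM hook (kernel commit ed5d44d42c95); drop once kernel and selinux-policy provide the user_namespace class`.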