passt-0^20230818.g0af928e-3.el9

pasta and pasta.avx2 are now hard links, and their file context
didn't change from previous versions, but the SELinux plug-in of
rpm(8) might mix up their contexts depending on the order of entries
in the archive. This doesn't happen on Fedora by luck, but on RHEL:

D: create     100755  1 (   0,   0)184640 /usr/bin/passt.avx2;64e4a813
ufdio:       6 writes,   184640 total bytes in 0.000104 secs
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/bin/passt.avx2;64e4a813, system_u:object_r:passt_exec_t:s0)
D: create     100755  1 (   0,   0)184640 /usr/bin/pasta.avx2;64e4a813
ufdio:       6 writes,   184640 total bytes in 0.000065 secs
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/bin/pasta.avx2;64e4a813, system_u:object_r:pasta_exec_t:s0)

so far so good. Then:

D: create     100755  2 (   0,   0)     0 /usr/bin/passt;64e4a813
D: create     100755  2 (   0,   0)164128 /usr/bin/pasta;64e4a813
ufdio:       6 writes,   164128 total bytes in 0.000058 secs
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/bin/pasta;64e4a813, system_u:object_r:pasta_exec_t:s0)

which leads to:

[sbrivio@passt ~]$ ls -lZ /usr/bin/passt
-rwxr-xr-x. 2 root root system_u:object_r:pasta_exec_t:s0 164128 Aug 21 17:53 /usr/bin/passt
[sbrivio@passt ~]$ ls -lZ /usr/bin/passt.avx2
-rwxr-xr-x. 1 root root system_u:object_r:passt_exec_t:s0 184640 Aug 21 17:53 /usr/bin/passt.avx2
[sbrivio@passt ~]$ ls -lZ /usr/bin/pasta
-rwxr-xr-x. 2 root root system_u:object_r:pasta_exec_t:s0 164128 Aug 21 17:53 /usr/bin/pasta
[sbrivio@passt ~]$ ls -lZ /usr/bin/pasta.avx2
-rwxr-xr-x. 1 root root system_u:object_r:pasta_exec_t:s0 184640 Aug 21 17:53 /usr/bin/pasta.avx2

Add (back) an explicit restorecon call in the scriptlet.

Resolves: RHELPLAN-155811
Stefano Brivio 2023-08-22 15:44:29 +02:00
parent 520bfe09a9
commit 7375212a6a
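
A check for the condition the commit message describes, as an added example that is not part of the commit or of the passt project: it scans rpm(8) debug output for entries created with a link count above 1 that never get an lsetfilecon call. The line formats are assumed from the excerpt quoted in the message, and the function and variable names are hypothetical.

```python
import re

# Line formats assumed from the rpm debug excerpt quoted in the commit message.
CREATE = re.compile(
    r"^D: create\s+\d+\s+(\d+)\s+\(\s*\d+,\s*\d+\)\s*\d+\s+(\S+);[0-9a-f]+$")
SETCON = re.compile(r"^D: lsetfilecon: \((\S+);[0-9a-f]+, (\S+)\)$")

# Lines copied from the excerpt in the commit message (RHEL install).
RPM_LOG = """\
D: create     100755  1 (   0,   0)184640 /usr/bin/passt.avx2;64e4a813
D: lsetfilecon: (/usr/bin/passt.avx2;64e4a813, system_u:object_r:passt_exec_t:s0)
D: create     100755  1 (   0,   0)184640 /usr/bin/pasta.avx2;64e4a813
D: lsetfilecon: (/usr/bin/pasta.avx2;64e4a813, system_u:object_r:pasta_exec_t:s0)
D: create     100755  2 (   0,   0)     0 /usr/bin/passt;64e4a813
D: create     100755  2 (   0,   0)164128 /usr/bin/pasta;64e4a813
D: lsetfilecon: (/usr/bin/pasta;64e4a813, system_u:object_r:pasta_exec_t:s0)
"""


def parse(log_text):
    """Return ({path: link_count}, {path: context}) from rpm debug output."""
    created, labelled = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = CREATE.match(line)
        if m:
            created[m.group(2)] = int(m.group(1))
            continue
        m = SETCON.match(line)
        if m:
            labelled[m.group(1)] = m.group(2)
    return created, labelled


def unlabelled_hard_links(log_text):
    """Paths created with link count > 1 for which rpm logged no lsetfilecon."""
    created, labelled = parse(log_text)
    return sorted(p for p, n in created.items() if n > 1 and p not in labelled)


if __name__ == "__main__":
    for path in unlabelled_hard_links(RPM_LOG):
        print("no lsetfilecon for hard-linked entry:", path)
```

Any path it reports is worth comparing against policy with `ls -lZ`, as the commit message does.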

@ -12,7 +12,7 @@
Name: passt
Version: 0^20230818.g0af928e
Release: 2%{?dist}
Release: 3%{?dist}
Summary: User-mode networking daemons for virtual machines and namespaces
License: GPLv2+ and BSD
Group: System Environment/Daemons
@ -91,6 +91,16 @@ fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
# pasta is a hard link to passt, and, depending on the order of archiving,
# rpm(8) might or might not associate (lsetfilecon) the same context to both
# entries, see rpmPackageFilesInstall() in lib/fsm.c. If there's no difference
# in file contexts compared to a previous installed version,
# %selinux_relabel_post won't touch the labels, so we need to ensure that the
# right labels are applied to hard links, here.
restorecon %{_bindir}/passt %{_bindir}/pasta || :
%ifarch x86_64
restorecon %{_bindir}/passt.avx2 %{_bindir}/pasta.avx2 || :
%endif
%files
%license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
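Review bot: The restorecon line that names both %{_bindir}/passt and %{_bindir}/pasta operates on one inode, because the comment directly above it says pasta is a hard link to passt, and a hard-linked file carries a single SELinux label for all of its names. The two paths therefore cannot end up with passt_exec_t and pasta_exec_t at the same time, and the comment should state which context that inode is expected to carry after the scriptlet runs. Separately, `|| :` ignores a restorecon failure on both added calls, so the transaction reports success even if the labels are still wrong; please say in the comment why that is acceptable here.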
@ -116,6 +126,10 @@ fi
%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
%changelog
* Tue Aug 22 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-3
- Explicit restorecon in scriptlet as rpm(8) mix up contexts with hard links
- Resolves: RHELPLAN-155811
* Mon Aug 21 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-2
- Drop user_namespace create allow rule, incompatible with current el9 kernel
- Resolves: RHELPLAN-155811
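Review bot: The new changelog entry says "Explicit restorecon in scriptlet" without naming the scriptlet, while the call was added to %posttrans selinux; naming it makes the entry searchable for anyone debugging label problems later. Also, "rpm(8) mix up contexts" should read "rpm(8) mixes up contexts".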