From 7375212a6ae74f301b1de4bc1a79268187a62a4a Mon Sep 17 00:00:00 2001 
From: Stefano Brivio Date: Tue, 22 Aug 2023 15:44:29 +0200 Subject: [PATCH] passt-0^20230818.g0af928e-3.el9 pasta and pasta.avx2 are now hard links, and their file context didn't change from previous versions, but the SELinux plug-in of rpm(8) might mix up their contexts depending on the order of entries in the archive. This doesn't happen on Fedora by luck, but on RHEL: D: create 100755 1 ( 0, 0)184640 /usr/bin/passt.avx2;64e4a813 ufdio: 6 writes, 184640 total bytes in 0.000104 secs D: Plugin: calling hook fsm_file_prepare in selinux plugin D: lsetfilecon: (/usr/bin/passt.avx2;64e4a813, system_u:object_r:passt_exec_t:s0) D: create 100755 1 ( 0, 0)184640 /usr/bin/pasta.avx2;64e4a813 ufdio: 6 writes, 184640 total bytes in 0.000065 secs D: Plugin: calling hook fsm_file_prepare in selinux plugin D: lsetfilecon: (/usr/bin/pasta.avx2;64e4a813, system_u:object_r:pasta_exec_t:s0) so far so good. Then: D: create 100755 2 ( 0, 0) 0 /usr/bin/passt;64e4a813 D: create 100755 2 ( 0, 0)164128 /usr/bin/pasta;64e4a813 ufdio: 6 writes, 164128 total bytes in 0.000058 secs D: Plugin: calling hook fsm_file_prepare in selinux plugin D: lsetfilecon: (/usr/bin/pasta;64e4a813, system_u:object_r:pasta_exec_t:s0) which leads to: [sbrivio@passt ~]$ ls -lZ /usr/bin/passt -rwxr-xr-x. 2 root root system_u:object_r:pasta_exec_t:s0 164128 Aug 21 17:53 /usr/bin/passt [sbrivio@passt ~]$ ls -lZ /usr/bin/passt.avx2 -rwxr-xr-x. 1 root root system_u:object_r:passt_exec_t:s0 184640 Aug 21 17:53 /usr/bin/passt.avx2 [sbrivio@passt ~]$ ls -lZ /usr/bin/pasta -rwxr-xr-x. 2 root root system_u:object_r:pasta_exec_t:s0 164128 Aug 21 17:53 /usr/bin/pasta [sbrivio@passt ~]$ ls -lZ /usr/bin/pasta.avx2 -rwxr-xr-x. 1 root root system_u:object_r:pasta_exec_t:s0 184640 Aug 21 17:53 /usr/bin/pasta.avx2 Add (back) an explicit restorecon call in the scriptlet. Resolves: RHELPLAN-155811 --- passt.spec | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
diff --git a/passt.spec b/passt.spec
index 4f4dfca..d718461 100644
--- a/passt.spec
+++ b/passt.spec
@@ -12,7 +12,7 @@
 Name: passt
 Version: 0^20230818.g0af928e
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: User-mode networking daemons for virtual machines and namespaces
 License: GPLv2+ and BSD
 Group: System Environment/Daemons
@@ -91,6 +91,16 @@ fi
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
+# pasta is a hard link to passt, and, depending on the order of archiving,
+# rpm(8) might or might not associate (lsetfilecon) the same context to both
+# entries, see rpmPackageFilesInstall() in lib/fsm.c. If there's no difference
+# in file contexts compared to a previous installed version,
+# %selinux_relabel_post won't touch the labels, so we need to ensure that the
+# right labels are applied to hard links, here.
+restorecon %{_bindir}/passt %{_bindir}/pasta || :
+%ifarch x86_64
+restorecon %{_bindir}/passt.avx2 %{_bindir}/pasta.avx2 || :
+%endif
 %files
 %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
@@ -116,6 +126,10 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 %changelog
+* Tue Aug 22 2023 Stefano Brivio - 0^20230818.g0af928e-3
+- Explicit restorecon in scriptlet as rpm(8) mix up contexts with hard links
+- Resolves: RHELPLAN-155811
+
 * Mon Aug 21 2023 Stefano Brivio - 0^20230818.g0af928e-2
 - Drop user_namespace create allow rule, incompatible with current el9 kernel
 - Resolves: RHELPLAN-155811
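Review bot: The added restorecon calls in the second hunk sit in `%posttrans selinux`, so they only run when the selinux subpackage is part of the transaction. If the main package can ever be reinstalled or updated on its own (not visible from this hunk), the rpm plug-in may mislabel the hard links again and nothing would correct it. A `pasta_exec_t` label on `passt` presumably decides which SELinux domain the binary ends up in, so it is worth either stating that limitation in the comment or repeating the relabel from a scriptlet of the package that owns the binaries. The trailing `|| :` also discards any restorecon failure; a line such as `# best effort: on failure the hard links keep whatever context rpm applied` would make that trade-off explicit.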