diff --git a/.gitignore b/.gitignore
index 58e8109..751db76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/passt-4ddbcb9c0c555838b123c018a9ebc9b7e14a87e5.tar.xz
+SOURCES/passt-0af928eaa020c1062fdc91598dfdc533966e2afe.tar.xz
diff --git a/.passt.metadata b/.passt.metadata
index 2092824..64ef250 100644
--- a/.passt.metadata
+++ b/.passt.metadata
@@ -1 +1 @@
-f0d7edae2c421217fd15a72ce7b552656ce4ed16 SOURCES/passt-4ddbcb9c0c555838b123c018a9ebc9b7e14a87e5.tar.xz
+2aa08dbe282e48efa5e67e63ab0b02d43c7b9c74 SOURCES/passt-0af928eaa020c1062fdc91598dfdc533966e2afe.tar.xz
diff --git a/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch b/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch
new file mode 100644
index 0000000..4cac1f7
--- /dev/null
+++ b/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch
@@ -0,0 +1,52 @@
+From 6977619743bbc602a865f79562b59a80921d6063 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio
+Date: Mon, 21 Aug 2023 17:52:28 +0200
+Subject: [PATCH] selinux: Drop user_namespace create allow rules
+
+Those are incompatible with current el9 kernels. I introduced them
+upstream with commit 62059058cf24 ("selinux: Fix user namespace
+creation after breaking kernel change"), in turn as a result of
+kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook"),
+but on current el9 kernels (which lack the hook) they result in
+failures such as:
+
+ Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
+ Failed to resolve AST
+ /usr/sbin/semodule: Failed!
+ Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
+ Failed to resolve AST
+ /usr/sbin/semodule: Failed!
+
+Signed-off-by: Stefano Brivio
+---
+ contrib/selinux/passt.te | 1 -
+ contrib/selinux/pasta.te | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
+index facc2d1..de10f45 100644
+--- a/contrib/selinux/passt.te
++++ b/contrib/selinux/passt.te
+@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
+ allow passt_t self:process setcap;
+ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
+ allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+-allow passt_t self:user_namespace create;
+ 
+ allow passt_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(passt_t)
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index ed70c5f..3226e37 100644
+--- a/contrib/selinux/pasta.te
++++ b/contrib/selinux/pasta.te
+@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
+ 
+ allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
+ allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+-allow pasta_t self:user_namespace create;
+ 
+ allow pasta_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(pasta_t)
+--
+2.39.2
+
diff --git a/SPECS/passt.spec b/SPECS/passt.spec
index 8aa3326..46fdad5 100644
--- a/SPECS/passt.spec
+++ b/SPECS/passt.spec
@@ -7,18 +7,22 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio
 
-%global git_hash 4ddbcb9c0c555838b123c018a9ebc9b7e14a87e5
+%global git_hash 0af928eaa020c1062fdc91598dfdc533966e2afe
+%global selinuxtype targeted
 
 Name: passt
-Version: 0^20230222.g4ddbcb9
-Release: 1%{?dist}
+Version: 0^20230818.g0af928e
+Release: 4%{?dist}
 Summary: User-mode networking daemons for virtual machines and namespaces
-License: AGPLv3+ and BSD
+License: GPLv2+ and BSD
 Group: System Environment/Daemons
 URL: https://passt.top/
 Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 
-BuildRequires: gcc, make, checkpolicy, selinux-policy-devel
+Patch1: 0001-selinux-Drop-user_namespace-create-allow-rules.patch
+
+BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 
 %description
 passt implements a translation layer between a Layer-2 network interface and
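Review bot: The new `Patch1:` line records nothing about when the patch can be dropped, although the patch's own description ties the removal of the `user_namespace create` allow rules to current el9 kernels lacking the `userns_create` hook. Once an el9 kernel carries that hook, the rule will presumably be needed again, and passt/pasta running in enforcing mode would be denied user namespace creation with the rule still removed; a rebase from Fedora would otherwise re-apply the patch silently. A comment above the line, such as `# Drop once the el9 kernel carries the userns_create LSM hook; see the patch description`, would make the condition visible to whoever bumps the package next. The `Requires:` rich dependency on the -selinux subpackage looks right for keeping the policy and the binaries in step.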
@@ -45,35 +49,56 @@ Requires(preun): policycoreutils
 This package adds SELinux enforcement to passt(1) and pasta(1).
 
 %prep
-%setup -q -n passt-%{git_hash}
+%autosetup -S git_am -n passt-%{git_hash}
 
 %build
 %set_build_flags
 %make_build VERSION="%{version}-%{release}.%{_arch}"
 
 %install
+
 %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
+# The Makefile creates symbolic links for pasta, but we need hard links for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+#
+# RHEL 9 note: switch from hard links to copies -- given that the behaviour
+# differs depending on filesystems and how cpio builds archives. This leads to
+# "Duplicate build-ids" warnings for rpmbuild at the moment, we need to find a
+# better solution upstream.
+rm %{buildroot}%{_bindir}/pasta
+cp %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
 %ifarch x86_64
+rm %{buildroot}%{_bindir}/pasta.avx2
+cp %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
 %endif
 
 pushd contrib/selinux
 make -f %{_datadir}/selinux/devel/Makefile
-install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/passt.pp
-install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/pasta.pp
+install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
+install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if
+install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 popd
 
-%post selinux
-semodule -i %{_datadir}/selinux/packages/%{name}/passt.pp 2>/dev/null || :
-semodule -i %{_datadir}/selinux/packages/%{name}/pasta.pp 2>/dev/null || :
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
 
-%preun selinux
-semodule -r passt 2>/dev/null || :
-semodule -r pasta 2>/dev/null || :
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} passt
+ %selinux_modules_uninstall -s %{selinuxtype} pasta
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
 
 %files
-%license LICENSES/{AGPL-3.0-or-later.txt,BSD-3-Clause.txt}
+%license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
 %dir %{_docdir}/%{name}
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/demo.sh
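Review bot: The two `%selinux_modules_install` calls in the new `%post selinux` each run a separate semodule transaction, so the policy is rebuilt twice on every install and a failure of the second leaves only passt.pp loaded; if I read the macro right it forwards all of its arguments, so one call `%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp` loads both modules atomically, and `%selinux_modules_uninstall -s %{selinuxtype} passt pasta` does the same in `%postun`. The `$1 -eq 0` guard correctly limits the uninstall to package erase rather than upgrade. The blank line added between `%install` and `%make_install` appears to be accidental. The hunk's `%pre selinux` opens in the previous diff line and is complete there.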
@@ -91,11 +116,60 @@ semodule -r pasta 2>/dev/null || :
 %endif
 
 %files selinux
-%dir %{_datadir}/selinux/packages/%{name}
-%{_datadir}/selinux/packages/%{name}/passt.pp
-%{_datadir}/selinux/packages/%{name}/pasta.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
+%{_datadir}/selinux/devel/include/distributed/passt.if
+%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 
 %changelog
+* Tue Aug 22 2023 Stefano Brivio - 0^20230818.g0af928e-4
+- Switch to copies instead of links for pasta: previous workaround unreliable
+- Resolves: RHELPLAN-155811
+
+* Tue Aug 22 2023 Stefano Brivio - 0^20230818.g0af928e-3
+- Explicit restorecon in scriptlet as rpm(8) mix up contexts with hard links
+- Resolves: RHELPLAN-155811
+
+* Mon Aug 21 2023 Stefano Brivio - 0^20230818.g0af928e-2
+- Drop user_namespace create allow rule, incompatible with current el9 kernel
+- Resolves: RHELPLAN-155811
+
+* Sat Aug 19 2023 Stefano Brivio - 0^20230818.g0af928e-1
+- Rebase from Fedora 39
+- Resolves: RHELPLAN-155811
+
+* Sun Jun 11 2023 Stefano Brivio - 0^20230222.g4ddbcb9-4
+- Drop (pointless) patches 20, 21, 22, actually apply changes to the spec file!
+- Refresh SELinux labels in scriptlets, require -selinux package (rhbz#2183089)
+- Don't install useless SELinux interface file for pasta (rhbz#2183106)
+
+* Fri Apr 28 2023 Stefano Brivio - 0^20230222.g4ddbcb9-3
+- Refresh SELinux labels in scriptlets, require -selinux package (rhbz#2183089)
+- Don't install useless SELinux interface file for pasta (rhbz#2183106)
+
+* Thu Mar 16 2023 Stefano Brivio - 0^20230222.g4ddbcb9-2
+- udp: Actually use host resolver to forward DNS queries (rhbz#2177075)
+- conf: Split add_dns{4,6}() out of get_dns() (rhbz#2177075)
+- conf, udp: Allow any loopback address to be used as resolver (rhbz#2177075)
+- tcp, tcp_splice: Get rid of false positive CWE-394 Coverity warning from fls() (rhbz#2177084)
+- tcp: Avoid false (but convoluted) positive Coverity CWE-476 warning (rhbz#2177084)
+- tcp: Avoid (theoretical) resource leak (CWE-772) Coverity warning (rhbz#2177084)
+- Fix definitions of SOCKET_MAX, TCP_MAX_CONNS (rhbz#2177084)
+- doc/demo: Fix and suppress ShellCheck warnings (rhbz#2177084)
+- contrib/selinux: Drop duplicate init_daemon_domain() rule (rhbz#2176813)
+- contrib/selinux: Let passt write to stdout and stderr when it starts (rhbz#2176813)
+- contrib/selinux: Allow binding and connecting to all UDP and TCP ports (rhbz#2176813)
+- contrib/selinux: Let interface users set paths for log, PID, socket files (rhbz#2176813)
+- contrib/selinux: Drop "example" from headers: this is the actual policy (rhbz#2176813)
+- contrib/selinux: Drop unused passt_read_data() interface (rhbz#2176813)
+- contrib/selinux: Split interfaces into smaller bits (rhbz#2176813)
+- fedora: Install SELinux interface files to shared include directory (rhbz#2176813)
+- tcp, udp, util: Pass socket creation errors all the way up (rhbz#2177080)
+- tcp, udp: Fix partial success return codes in {tcp,udp}_sock_init() (rhbz#2177080)
+- conf: Terminate on EMFILE or ENFILE on sockets for port mapping (rhbz#2177080)
+- tcp: Clamp MSS value when queueing data to tap, also for pasta (rhbz#2177083)
+- Fix up SELinux labels on install/uninstall, require matching -selinux package (rhbz#2176813)
+- Resolves: rhbz#2177075 rhbz#2177084 rhbz#2177080 rhbz#2177083 rhbz#2176813
+
 * Wed Feb 22 2023 Camilla Conte - 0^20230222.g4ddbcb9-1
 - Import from fedora to CentOS/RHEL
 - Resolves: rhbz#2172244
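Review bot: The rewritten `%files selinux` list owns only the two .pp payloads and passt.if, but not the entries that `%selinux_modules_install` creates in the module store, so those files are left unowned and survive an erase if a scriptlet fails part-way. The Fedora independent-policy packaging convention, as far as I recall it, adds one ghost entry per module, `%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/passt` and the same line ending in `pasta`; priority 200 matches the `/var/lib/selinux/targeted/tmp/modules/200/` paths quoted in the patch's error output, but confirm against the installed macro before relying on it. The dropped `%dir %{_datadir}/selinux/packages/%{name}` line is correct now that the files live under the `%{selinuxtype}` directory owned by selinux-policy.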