From fcae47c9a649b913b6656a67b59a2ebfad7cf363 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Fri, 28 Apr 2023 14:29:26 +0200
Subject: [PATCH] passt-0^20230222.g4ddbcb9-3.el9

Resolves: rhbz#2183089 rhbz#2183106
---
 ...ELinux-labels-in-scriptlets-require-.patch | 84 +++++++++++++++++++
 ...tall-useless-SELinux-interface-file-.patch | 41 +++++++++
 passt.spec | 6 ++
 3 files changed, 131 insertions(+)
 create mode 100644 0021-fedora-Refresh-SELinux-labels-in-scriptlets-require-.patch
 create mode 100644 0022-fedora-Don-t-install-useless-SELinux-interface-file-.patch

diff --git a/0021-fedora-Refresh-SELinux-labels-in-scriptlets-require-.patch b/0021-fedora-Refresh-SELinux-labels-in-scriptlets-require-.patch
new file mode 100644
index 0000000..80648b7
--- /dev/null
+++ b/0021-fedora-Refresh-SELinux-labels-in-scriptlets-require-.patch
@@ -0,0 +1,84 @@
+From 41dd4e1b8d5fd8371b7e4e123340bc6a5a6ac226 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio
+Date: Thu, 16 Mar 2023 20:51:23 +0100
+Subject: [PATCH 1/2] fedora: Refresh SELinux labels in scriptlets, require
+ -selinux package
+
+Instead of:
+ https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
+
+follow this:
+ https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy
+
+which seems to make more sense and fixes the issue that, on a fresh
+install, without a reboot, the file contexts for the binaries are not
+actually updated.
+
+In detail:
+
+- labels are refreshed using the selinux_relabel_pre and
+ selinux_relabel_post on install, upgrade, and uninstall
+
+- use the selinux_modules_install and selinux_modules_uninstall
+ macros, instead of calling 'semodule' directly (no functional
+ changes in our case)
+
+- require the -selinux package on SELinux-enabled environments and if
+ the current system policy is "targeted"
+
+Signed-off-by: Stefano Brivio
+(cherry picked from commit dd2349661933c4e9756e524ae9465f38b53b7557)
+---
+ contrib/fedora/passt.spec | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
+index 51cad90..f6aa117 100644
+--- a/contrib/fedora/passt.spec
++++ b/contrib/fedora/passt.spec
+@@ -8,6 +8,7 @@
+ # Author: Stefano Brivio
+
+ %global git_hash {{{ git_head }}}
++%global selinuxtype targeted
+
+ Name: passt
+ Version: {{{ git_version }}}
+@@ -19,6 +20,7 @@ URL: https://passt.top/
+ Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
+
+ BuildRequires: gcc, make, checkpolicy, selinux-policy-devel
++Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+
+ %description
+ passt implements a translation layer between a Layer-2 network interface and
+@@ -66,13 +68,21 @@ install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/p
+ install -p -m 644 -D pasta.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/pasta.if
+ popd
+
++%pre selinux
++%selinux_relabel_pre -s %{selinuxtype}
++
+ %post selinux
+-semodule -i %{_datadir}/selinux/packages/%{name}/passt.pp 2>/dev/null || :
+-semodule -i %{_datadir}/selinux/packages/%{name}/pasta.pp 2>/dev/null || :
++%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/passt.pp
++%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/pasta.pp
++
++%postun selinux
++if [ $1 -eq 0 ]; then
++ %selinux_modules_uninstall -s %{selinuxtype} passt
++ %selinux_modules_uninstall -s %{selinuxtype} pasta
++fi
+
+-%preun selinux
+-semodule -r passt 2>/dev/null || :
+-semodule -r pasta 2>/dev/null || :
++%posttrans selinux
++%selinux_relabel_post -s %{selinuxtype}
+
+ %files
+ %license LICENSES/{AGPL-3.0-or-later.txt,BSD-3-Clause.txt}
+--
+2.39.2
+
diff --git a/0022-fedora-Don-t-install-useless-SELinux-interface-file-.patch b/0022-fedora-Don-t-install-useless-SELinux-interface-file-.patch
new file mode 100644
index 0000000..0e25d05
--- /dev/null
+++ b/0022-fedora-Don-t-install-useless-SELinux-interface-file-.patch
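Review bot: In 0021's embedded contrib/fedora/passt.spec change, the new `%pre`/`%post`/`%postun`/`%posttrans selinux` scriptlets need the SELinux userspace tools to be installed when they run, yet no visible hunk shows the `%package selinux` section declaring that. If it is missing there, add `%{?selinux_requires}` to the -selinux subpackage so that relabeling and module loading cannot be silently skipped on a fresh install. As a smaller point, `%selinux_modules_install` and `%selinux_modules_uninstall` accept several modules, so passing `passt.pp` and `pasta.pp` to one `%selinux_modules_install -s %{selinuxtype}` call (and `passt pasta` to one uninstall call) would use one policy transaction instead of two. The `%package selinux` section lies outside the hunks shown, so the first point has to be confirmed against the full spec.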
@@ -0,0 +1,41 @@
+From b065e1adbfb4ee5ed618b8269fd5135b4a201e2f Mon Sep 17 00:00:00 2001
+From: Stefano Brivio
+Date: Mon, 27 Mar 2023 19:50:01 +0200
+Subject: [PATCH 2/2] fedora: Don't install useless SELinux interface file for
+ pasta
+
+That was meant to be an example, and I just dropped it in the
+previous commit -- passt.if should be more than enough as a possible
+example.
+
+Reported-by: Carl G.
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2182145
+Signed-off-by: Stefano Brivio
+(cherry picked from commit 387f4aca7477ee630fe3c261a19f5f1a9055bfe5)
+---
+ contrib/fedora/passt.spec | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
+index f6aa117..da1accb 100644
+--- a/contrib/fedora/passt.spec
++++ b/contrib/fedora/passt.spec
+@@ -65,7 +65,6 @@ make -f %{_datadir}/selinux/devel/Makefile
+ install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/passt.pp
+ install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/passt.if
+ install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/pasta.pp
+-install -p -m 644 -D pasta.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/pasta.if
+ popd
+
+ %pre selinux
+@@ -107,7 +106,6 @@ fi
+ %{_datadir}/selinux/packages/%{name}/passt.pp
+ %{_datadir}/selinux/devel/include/contrib/passt.if
+ %{_datadir}/selinux/packages/%{name}/pasta.pp
+-%{_datadir}/selinux/devel/include/contrib/pasta.if
+
+ %changelog
+ {{{ passt_git_changelog }}}
+--
+2.39.2
+
diff --git a/passt.spec b/passt.spec
index 6a9b56d..c057749 100644
--- a/passt.spec
+++ b/passt.spec
@@ -39,6 +39,8 @@ Patch17: 0017-contrib-selinux-Drop-example-from-headers-this-is-th.patch
 Patch18: 0018-contrib-selinux-Drop-unused-passt_read_data-interfac.patch
 Patch19: 0019-contrib-selinux-Split-interfaces-into-smaller-bits.patch
 Patch20: 0020-fedora-Install-SELinux-interface-files-to-shared-inc.patch
+Patch21: 0021-fedora-Refresh-SELinux-labels-in-scriptlets-require-.patch
+Patch22: 0022-fedora-Don-t-install-useless-SELinux-interface-file-.patch
 
 BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
 Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -128,6 +130,10 @@ semodule -r pasta 2>/dev/null || :
 %{_datadir}/selinux/devel/include/contrib/pasta.if
 
 %changelog
+* Fri Apr 28 2023 Stefano Brivio - 0^20230222.g4ddbcb9-3
+- Refresh SELinux labels in scriptlets, require -selinux package (rhbz#2183089)
+- Don't install useless SELinux interface file for pasta (rhbz#2183106)
+
 * Thu Mar 16 2023 Stefano Brivio - 0^20230222.g4ddbcb9-2
 - udp: Actually use host resolver to forward DNS queries (rhbz#2177075)
 - conf: Split add_dns{4,6}() out of get_dns() (rhbz#2177075)
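Review bot: The scriptlets and file list that rpmbuild uses from this spec appear unchanged, because Patch21 and Patch22 only modify contrib/fedora/passt.spec inside the source tree while this file gains just the two `Patch` lines and a changelog entry (6 insertions, no deletions). The second hunk still carries `semodule -r pasta 2>/dev/null || :` as its enclosing-section line and `%{_datadir}/selinux/devel/include/contrib/pasta.if` as context in the file list. Unless this spec is updated in another commit, the label refresh announced for rhbz#2183089 does not reach installed systems, so the binaries can keep stale file contexts, and miss their intended SELinux confinement, until a relabel. Port the `%pre`/`%post`/`%postun`/`%posttrans selinux` scriptlets and the removal of the `pasta.if` lines into this spec as well; the scriptlet section itself is outside the hunk, so this is inferred from the context lines and the diffstat.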