From fecb34d4d094ca7a3f2af3a29417ab0af1342f47 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Wed, 17 Jun 2026 06:32:16 -0400 Subject: [PATCH] passt-0^20260611.ga9c61ff-1.el10 Resolves: RHEL-185656 --- .gitignore | 1 + ...n-MSS-window-on-no-queued-data-or-no.patch | 110 ------------------ ...le-matching-IP-version-if-not-suppor.patch | 90 -------------- ...ead-and-watch-permissions-on-netns-d.patch | 58 --------- ...pen-permissions-on-netns-directory-o.patch | 68 ----------- ...-issue-in-check-for-approximating-wi.patch | 74 ------------ passt.spec | 27 +++-- sources | 2 +- 8 files changed, 18 insertions(+), 412 deletions(-) delete mode 100644 0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch delete mode 100644 0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch delete mode 100644 0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch delete mode 100644 0006-selinux-Enable-open-permissions-on-netns-directory-o.patch delete mode 100644 0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch diff --git a/.gitignore b/.gitignore index 721113a..e118287 100644 --- a/.gitignore +++ b/.gitignore @@ -44,3 +44,4 @@ /passt-8ec134109eb136432a29bdf5a14f8b1fd4e46208.tar.xz /passt-c3f1ba70237a9e66822aff3aa5765d0adf6f6307.tar.xz /passt-d04c48032bcf724550d0b8f652fd00efcd2dfad0.tar.xz +/passt-a9c61ffaf15347b8dfcc2347c5440e4b0e82333b.tar.xz diff --git a/0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch b/0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch deleted file mode 100644 index 50f80a3..0000000 --- a/0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch +++ /dev/null @@ -1,110 +0,0 @@ -From b40f5cd8c8e16c6eceb1f26eb895527fda84068b Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Sat, 13 Dec 2025 14:19:13 +0100 -Subject: [PATCH] tcp: Use less-than-MSS window on no queued data, or no data - sent recently - -We limit the advertised window to guests and containers to the -available length of the sending buffer, and if it's less than the MSS, -since commit cf1925fb7b77 ("tcp: Don't limit window to less-than-MSS -values, use zero instead"), we approximate that limit to zero. - -This way, we'll trigger a window update as soon as we realise that we -can advertise a larger value, just like we do in all other cases where -we advertise a zero-sized window. - -By doing that, we don't wait for the peer to send us data before we -update the window. This matters because the guest or container might -be trying to aggregate more data and won't send us anything at all if -the advertised window is too small. - -However, this might be problematic in two situations: - -1. one, reported by Tyler, where the remote (receiving) peer - advertises a window that's smaller than what we usually get and - very close to the MSS, causing the kernel to give us a starting - size of the buffer that's less than the MSS we advertise to the - guest or container. - - If this happens, we'll never advertise a non-zero window after - the handshake, and the container or guest will never send us any - data at all. - - With a simple 'curl https://cloudflare.com/', we get, with default - TCP memory parameters, a 65535-byte window from the peer, and 46080 - bytes of initial sending buffer from the kernel. But we advertised - a 65480-byte MSS, and we'll never actually receive the client - request. - - This seems to be specific to Cloudflare for some reason, probably - deriving from a particular tuning of TCP parameters on their - servers. - -2. another one, hypothesised by David, where the peer might only be - willing to process (and acknowledge) data in batches. - - We might have queued outbound data which is, at the same time, not - enough to fill one of these batches and be acknowledged and removed - from the sending queue, but enough to make our available buffer - smaller than the MSS, and the connection will hang. - -Take care of both cases by: - -a. not approximating the sending buffer to zero if we have no outboud - queued data at all, because in that case we don't expect the - available buffer to increase if we don't send any data, so there's - no point in waiting for it to grow larger than the MSS. - - This fixes problem 1. above. - -b. also using the full sending buffer size if we haven't send data to - the socket for a while (reported by tcpi_last_data_sent). This part - was already suggested by David in: - - https://archives.passt.top/passt-dev/aTZzgtcKWLb28zrf@zatzit/ - - and I'm now picking ten times the RTT as a somewhat arbitrary - threshold. - - This is meant to take care of potential problem 2. above, but it - also happens to fix 1. - -Reported-by: Tyler Cloud -Link: https://bugs.passt.top/show_bug.cgi?id=183 -Suggested-by: David Gibson -Signed-off-by: Stefano Brivio -Reviewed-by: David Gibson ---- - tcp.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/tcp.c b/tcp.c -index 81bc114..b179e39 100644 ---- a/tcp.c -+++ b/tcp.c -@@ -1211,8 +1211,21 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn, - * the MSS to zero, as we already have mechanisms in place to - * force updates after the window becomes zero. This matches the - * suggestion from RFC 813, Section 4. -+ * -+ * But don't do this if, either: -+ * -+ * - there's nothing in the outbound queue: the size of the -+ * sending buffer is limiting us, and it won't increase if we -+ * don't send data, so there's no point in waiting, or -+ * -+ * - we haven't sent data in a while (somewhat arbitrarily, ten -+ * times the RTT), as that might indicate that the receiver -+ * will only process data in batches that are large enough, -+ * but we won't send enough to fill one because we're stuck -+ * with pending data in the outbound queue - */ -- if (limit < MSS_GET(conn)) -+ if (limit < MSS_GET(conn) && sendq && -+ tinfo->tcpi_last_data_sent < tinfo->tcpi_rtt / 1000 * 10) - limit = 0; - - new_wnd_to_tap = MIN((int)tinfo->tcpi_snd_wnd, limit); --- -2.47.1 - diff --git a/0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch b/0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch deleted file mode 100644 index d85c03d..0000000 --- a/0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 75dcbc300bf09c3649823b12d30c4f24de7271d4 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Tue, 23 Dec 2025 13:39:17 +0100 -Subject: [PATCH] pasta: Warn, disable matching IP version if not supported, in - local mode - -...instead of exiting, but only if local mode is enabled, that is, if -we couldn't find a template interface or if the user didn't specify -one. - -With IPv4, we always try to set or copy an address, so check if that -fails. - -With IPv6, in local mode, we rely on the link-local address that's -automatically generated inside the target namespace, and only fail -later, as we try to set up routes. Check if that fails, instead. - -Otherwise, we'll fail to start if IPv6 support is not built in or -disabled by the kernel ("ipv6.disable=1" on the command line), -because, in that case, we'll try to enable local mode by default, and -then fail to set any address or route. - -It would probably be more elegant to check for IP version support in -conf_ip4_local() and conf_ip6_local(), and not even try to enable -connectivity for unsupported versions, but it looks less robust than -trying and failing, as there might be other ways to disable a given -IP version. - -Note that there's currently no way to disable IPv4 support on the -kernel command line, that is, there's no such thing as an -ipv4.disable boot parameter. But I guess that's due to be eventually -implemented, one day, so let's cover that case as well, also for -consistency. - -Reported-by: Iyan -Link: https://bugzilla.redhat.com/show_bug.cgi?id=2424192 -Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version") -Signed-off-by: Stefano Brivio ---- - pasta.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/pasta.c b/pasta.c -index c307b8a..0ddd6b0 100644 ---- a/pasta.c -+++ b/pasta.c -@@ -348,6 +348,12 @@ void pasta_ns_conf(struct ctx *c) - AF_INET); - } - -+ if (c->ifi4 == -1 && rc == -ENOTSUP) { -+ warn("IPv4 not supported, disabling"); -+ c->ifi4 = 0; -+ goto ipv4_done; -+ } -+ - if (rc < 0) { - die("Couldn't set IPv4 address(es) in namespace: %s", - strerror_(-rc)); -@@ -367,6 +373,7 @@ void pasta_ns_conf(struct ctx *c) - strerror_(-rc)); - } - } -+ipv4_done: - - if (c->ifi6) { - rc = nl_addr_get_ll(nl_sock_ns, c->pasta_ifi, -@@ -413,12 +420,19 @@ void pasta_ns_conf(struct ctx *c) - AF_INET6); - } - -+ if (c->ifi6 == -1 && rc == -ENOTSUP) { -+ warn("IPv6 not supported, disabling"); -+ c->ifi6 = 0; -+ goto ipv6_done; -+ } -+ - if (rc < 0) { - die("Couldn't set IPv6 route(s) in guest: %s", - strerror_(-rc)); - } - } - } -+ipv6_done: - - proto_update_l2_buf(c->guest_mac); - } --- -2.47.1 - diff --git a/0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch b/0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch deleted file mode 100644 index f3d94ad..0000000 --- a/0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch +++ /dev/null @@ -1,58 +0,0 @@ -From d2c5133990a7758bfa567fc73216393498949e9b Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Tue, 23 Dec 2025 01:59:34 +0100 -Subject: [PATCH] selinux: Enable read and watch permissions on netns directory - as well - -With commit 7aeda16a7818 ("selinux: Transition to pasta_t in -containers"), we need to make sure that pasta can access the target -namespace directory passed by Podman, and, in a general case, we have -all the permissions we need. - -But if we now start a container without the Podman changes referenced -by commit fd1bcc30af07 ("selinux: add container_var_run_t type -transition"), or with them, but with the container being created -before those and without a reboot in between, we'll additionally need -'read' and 'watch' permissions on user_tmp_t directory as well, as -user_tmp_t is still the (inconsistent) context of the namespace entry. - -Otherwise, on a container start/restart, we'll get SELinux denials: - - type=AVC msg=audit(1766451401.296:184): avc: denied { read } for pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje -ct_r:user_tmp_t:s0 tclass=dir permissive=1 - type=AVC msg=audit(1766451401.298:185): avc: denied { watch } for pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 - -This can be reproduced quite simply: - - $ podman create -q --name hello hello - 6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770 - - [upgrade passt's SELinux policy to a version including 7aeda16a7818] - - $ podman start hello - Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1: - netns dir open: Permission denied, exiting - -Reported-by: Tuomo Soini -Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") -Signed-off-by: Stefano Brivio ---- - contrib/selinux/pasta.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te -index 95fe42a..3eb58f6 100644 ---- a/contrib/selinux/pasta.te -+++ b/contrib/selinux/pasta.te -@@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton; - manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) - files_pid_filetrans(pasta_t, pasta_pid_t, file) - --allow pasta_t user_tmp_t:dir { add_name remove_name search write }; -+allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write }; - allow pasta_t user_tmp_t:fifo_file append; - allow pasta_t user_tmp_t:file { create open write }; - allow pasta_t user_tmp_t:sock_file { create unlink }; --- -2.47.1 - diff --git a/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch b/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch deleted file mode 100644 index fa997ea..0000000 --- a/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 5f9c51e34e5ff9c78f4b295666fa438402103e84 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Fri, 16 Jan 2026 16:48:46 +0100 -Subject: [PATCH 6/7] selinux: Enable open permissions on netns directory, - operations on container_var_run_t - -Tuomo reports two further SELinux denials after upgrading to a -passt-selinux version that includes the transition to pasta_t for -containers, one I could reproduce: - - denied { open } for pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 - -which I didn't take care of in the previous commit, d2c5133990a7 -("selinux: Enable read and watch permissions on netns directory as -well"), as it didn't appear in my quick test. But I can make pasta use -"open" on the network namespace entry by simply using it to make -connections. - -So, for that, add "open" to the existing rule for user_tmp_t:dir. - -Then, another one I couldn't reproduce instead: - - denied { write } for pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0 - -which, I think, comes from a specific combination of versions of -container-selinux, Podman, and passt-selinux packages, which -prevents the expected type transition on container_var_run_t unless -restorecon is invoked manually, or until a reboot. - -Allowing the same permissions on container_var_run_t as we do on -ifconfig_var_run_t is harmless, so do that to prevent this further -denial. - -Reported-by: Tuomo Soini -Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well") -Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") -Signed-off-by: Stefano Brivio -(cherry picked from commit a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e) ---- - contrib/selinux/pasta.te | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te -index 3eb58f6..fb51416 100644 ---- a/contrib/selinux/pasta.te -+++ b/contrib/selinux/pasta.te -@@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton; - manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) - files_pid_filetrans(pasta_t, pasta_pid_t, file) - --allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write }; -+allow pasta_t user_tmp_t:dir { add_name open read remove_name search watch write }; - allow pasta_t user_tmp_t:fifo_file append; - allow pasta_t user_tmp_t:file { create open write }; - allow pasta_t user_tmp_t:sock_file { create unlink }; -@@ -249,7 +249,9 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; - type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; - type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; - type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; -+allow pasta_t container_var_run_t:dir { add_name open rmdir write }; - allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; -+allow pasta_t container_var_run_t:file { create open write }; - allow pasta_t ifconfig_var_run_t:file { create open write }; - allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir; - --- -2.47.1 - diff --git a/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch b/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch deleted file mode 100644 index 6f9f1e7..0000000 --- a/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch +++ /dev/null @@ -1,74 +0,0 @@ -From b9fbbca97e4ebf2358da3c0d971e1cc214cab632 Mon Sep 17 00:00:00 2001 -From: Stefano Brivio -Date: Fri, 9 Jan 2026 13:52:00 +0100 -Subject: [PATCH 7/7] tcp: Fix rounding issue in check for approximating window - to zero - -In general, we approximate the advertised window to zero if we would -otherwise advertise less than a MSS worth, and the reasoning behind -that is explained in cf1925fb7b77 ("tcp: Don't limit window to -less-than-MSS values, use zero instead"). - -Then, in commit b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no -queued data, or no data sent recently"), I introduced some conditions -under which we won't do that, including a check on whether any data -was sent recently. - -As an arbitrary but probably reasonable threshold, we consider data to -have recently been sent if that occurred less than ten times the -round-trip time (RTT) ago. - -The time elapsed since the last data transmission is reported by the -kernel in milliseconds, in the tcpi_last_data_sent field of struct -tcp_info, and the RTT is reported in microseconds instead, in -tcpi_rtt. - -To avoid the risk of overflow in a simple way, for the purpose of this -comparison, I converted tcpi_rtt to milliseconds first, but this means -that the check will always be false (and we'll never approximate the -window to zero) if the RTT is below one millisecond. - -This, in turn, reintroduces nasty delay issues in transfers in -non-local connections which have however almost-local (low) latency. - -Given that we want to use ten times the RTT as an arbitrary "long -enough" upper bound, round the RTT up while converting it to -milliseconds. - -As an alternative, we could perform the comparison in microseconds, -but we would need a slightly more complicated implementation to -exclude overflows, and it's definitely not worth it given the nature -of this threshold. - -Fixes: b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no queued data, or no data sent recently") -Signed-off-by: Stefano Brivio -Reviewed-by: David Gibson -(cherry picked from commit 2be0e790804f99580b1c8a1781c49913440607f2) ---- - tcp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tcp.c b/tcp.c -index 23fcbc3..8f4f087 100644 ---- a/tcp.c -+++ b/tcp.c -@@ -1180,6 +1180,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn, - if ((conn->flags & LOCAL) || tcp_rtt_dst_low(conn)) { - new_wnd_to_tap = tinfo->tcpi_snd_wnd; - } else { -+ unsigned rtt_ms_ceiling = DIV_ROUND_UP(tinfo->tcpi_rtt, 1000); - uint32_t sendq; - int limit; - -@@ -1223,7 +1224,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn, - * with pending data in the outbound queue - */ - if (limit < MSS_GET(conn) && sendq && -- tinfo->tcpi_last_data_sent < tinfo->tcpi_rtt / 1000 * 10) -+ tinfo->tcpi_last_data_sent < rtt_ms_ceiling * 10) - limit = 0; - - new_wnd_to_tap = MIN((int)tinfo->tcpi_snd_wnd, limit); --- -2.47.1 - diff --git a/passt.spec b/passt.spec index 6588e3d..5533f17 100644 --- a/passt.spec +++ b/passt.spec @@ -4,28 +4,25 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # +# PESTO - Programmable Extensible Socket Translation Orchestrator +# front-end for passt(1) and pasta(1) forwarding configuration +# # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -%global git_hash d04c48032bcf724550d0b8f652fd00efcd2dfad0 +%global git_hash a9c61ffaf15347b8dfcc2347c5440e4b0e82333b %global selinuxtype targeted %global selinux_policy_version 41.41 Name: passt -Version: 0^20251210.gd04c480 -Release: 3%{?dist} +Version: 0^20260611.ga9c61ff +Release: 1%{?dist} Summary: User-mode networking daemons for virtual machines and namespaces License: GPL-2.0-or-later AND BSD-3-Clause Group: System Environment/Daemons URL: https://passt.top/ Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz -Patch3: 0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch -Patch4: 0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch -Patch5: 0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch -Patch6: 0006-selinux-Enable-open-permissions-on-netns-directory-o.patch -Patch7: 0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch - BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) @@ -57,7 +54,8 @@ Requires(post): container-selinux Requires(post): selinux-policy-%{selinuxtype} %description selinux -This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1). +This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1), +pesto(1). %prep %autosetup -S git_am -n passt-%{git_hash} @@ -96,13 +94,14 @@ install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinux install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp install -p -m 644 -D passt-repair.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp +install -p -m 644 -D pesto.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pesto.pp popd %pre selinux %selinux_relabel_pre -s %{selinuxtype} %post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp %{_datadir}/selinux/packages/%{selinuxtype}/pesto.pp %postun selinux if [ $1 -eq 0 ]; then @@ -121,10 +120,12 @@ fi %{_bindir}/pasta %{_bindir}/qrap %{_bindir}/passt-repair +%{_bindir}/pesto %{_mandir}/man1/passt.1* %{_mandir}/man1/pasta.1* %{_mandir}/man1/qrap.1* %{_mandir}/man1/passt-repair.1* +%{_mandir}/man1/pesto.1* %ifarch x86_64 %{_bindir}/passt.avx2 %{_mandir}/man1/passt.avx2.1* @@ -137,8 +138,12 @@ fi %{_datadir}/selinux/devel/include/distributed/passt.if %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp +%{_datadir}/selinux/packages/%{selinuxtype}/pesto.pp %changelog +* Wed Jun 17 2026 Stefano Brivio - 0^20260611.ga9c61ff-1 +- Resolves: RHEL-185656 + * Wed Feb 11 2026 Stefano Brivio - 0^20251210.gd04c480-3 - Resolves: RHEL-136495 RHEL-136314 diff --git a/sources b/sources index ba91c70..c6b989e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (passt-d04c48032bcf724550d0b8f652fd00efcd2dfad0.tar.xz) = ad9606133292dcc5955aa58d6481aaf98f327ded5c70dcefb35158ef8fd1a35ea0c6bfb5ef9e3ba39f9a161366dc3733aca475d34249aff8977174fdae7d39cc +SHA512 (passt-a9c61ffaf15347b8dfcc2347c5440e4b0e82333b.tar.xz) = fb1b34b92c0059c4e1d7ac01e36c90c51cbf42c8bcdcbbf42f22299facc6791cab640502772588a1bc7fe0ddff771f4058bd4da36de8188a13b08bad8766445c