fedora: Install pasta as hard link to ensure SELinux file context match
The Makefile installs symbolic links by default, which actually worked at some point (not by design) with SELinux, but at least on recent kernel versions it doesn't anymore: override pasta (and pasta.avx2) with hard links.

Otherwise, even if the links are labeled as pasta_exec_t, SELinux will "resolve" them to passt_exec_t, and we'll have pasta running as passt_t instead of pasta_t.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>
parent 5f1fcfffe4
commit 479a9e1b4d
1 changed files with 7 additions and 0 deletions
|
@ -54,10 +54,17 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
|
||||||
%make_build VERSION="%{version}-%{release}.%{_arch}"
|
%make_build VERSION="%{version}-%{release}.%{_arch}"
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
|
||||||
%make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
|
%make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
|
||||||
|
# The Makefile creates symbolic links for pasta, but we need hard links for
|
||||||
|
# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
|
||||||
|
ln -f %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
|
||||||
%ifarch x86_64
|
%ifarch x86_64
|
||||||
|
ln -f %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
|
||||||
|
|
||||||
ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
|
ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
|
||||||
ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
|
ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
|
||||||
|
install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
pushd contrib/selinux
|
pushd contrib/selinux
|
||||||
|
|
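Review bot: inside the `%ifarch x86_64` block, `pasta.avx2` is written twice: first as a hard link by the added `ln -f ... passt.avx2 ... pasta.avx2`, then again by the added `install -p -m 755 ... passt.avx2 ... pasta.avx2` after the man page links. `install` copies its source rather than linking it, so the second line is at best redundant and at worst works against the hard link that the new comment says is required for the SELinux file context to match. Suggest keeping only the `ln -f` line, or documenting in the comment why both are needed. Minor: the comment says "if present" for pasta.avx2, but the link is gated on architecture, not on the file existing; wording it as "on x86_64" would match what the spec does.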