Hi,

On 11/13/25 12:10 PM, Stefano Brivio wrote:
Adding Vit as author of some parts now changed by this patch. Full discussion thread at:
https://archives.passt.top/passt-dev/20251113072256.4034068-1-contact@danish...
On Thu, 13 Nov 2025 02:47:42 -0700 Max Chernoff wrote:
Hi Danish,
On Thu, 2025-11-13 at 12:52 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires.
Signed-off-by: Danish Prakash
--- contrib/fedora/passt.spec | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d1bcf4a74338..cab2bb4c409b 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -34,19 +34,15 @@ for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%selinux_requires I think that we want "%selinux_requires_min" instead, since "%selinux_requires" also pulls in "policycoreutils-python-utils" (and hence all of Python). Yes, we only recently added this option and selinux_requires_min is what you need as long as you're not using semanage (e.g. to customize booleans).
(I'm not very familiar with spec files, but since the RPM macro "%selinux_requires" is provided by the "selinux-policy" package, do we also need to add a Requires/BuildRequires for that?)
Yes, BuildRequires: selinux-policy-devel is indeed needed (it will bring selinux-policy with it) for RPM to have access to the macro. Please test all the "Requires" you removed, because unfortunately %selinux_requires gets expanded too late for some of the contents to matter (which is why I recommended using this set of "Requires"): https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble (It has been a few years since I tested it last though)
+Requires: container-selinux +Requires: selinux-policy-%{selinuxtype} I think that "selinux-policy-%{selinuxtype}" is included via "%selinux_requires" above.
It is not. %selinux_requires does not specify which one of selinux-policy-{mls|minimum|targeted|automotive} to install.
Requires(post): container-selinux -Requires(post): policycoreutils -Requires(post): libselinux-utils -Requires(preun): policycoreutils -BuildRequires: selinux-policy-devel -BuildRequires: pkgconfig(systemd) -Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version} +Requires(post): selinux-policy-%{selinuxtype} +Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
You can drop the Recommends, since that is part of the macro. We recently replaced the original hard "Requires" with "Recommends" (along with a Requires for the "stable version"). So the original reason for removing the macro from your package is mostly gone.
Vit
%description selinux This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1). Everything else looks good to me.
Thanks,
-- Max
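
Review bot: In the selinux subpackage preamble, the hunk removes "BuildRequires: selinux-policy-devel" in the same change that introduces "%selinux_requires", so the package that provides the macro is no longer guaranteed to be present when the spec is parsed; keep that BuildRequires. The same hunk also drops "Requires(post): policycoreutils", "Requires(post): libselinux-utils" and "BuildRequires: pkgconfig(systemd)", while the visible part of the commit message only mentions the unused preun policycoreutils requirement. Either explain each of these removals in the commit message or restore them, and confirm that no scriptlet of the selinux subpackage still calls tools from the packages being dropped.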