Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro

On 10/29/25 4:47 AM, Stefano Brivio wrote:

On Tue, 28 Oct 2025 11:58:18 +0530 Danish Prakash wrote:

...

On 10/27/25 2:37 PM, Stefano Brivio wrote:

...

Hi Danish,

On Mon, 27 Oct 2025 14:19:14 +0530 Danish Prakash wrote:

...

On 10/16/25 4:26 PM, Max Chernoff wrote:

...

Hi Stefano,

On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:

...

On Thu, 16 Oct 2025 13:10:41 +0530 Danish Prakash wrote: > It might be possible to avoid using non-standard bash macro (%USERID),

It's not a Bash macro, it's a SELinux template. This doesn't seem to be documented anywhere (which isn't terribly surprising with SELinux), but it's defined in this file:

https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genh...

Thanks Max, I wasn't aware of it being an SELinux template.

...

...

I wonder if Max remembers any reason why we couldn't do this in the first place.

The Fedora SELinux policy always uses %{USERID}, and so I copied it from there:

$ grep -RnF '%{USERID}' policy/ policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>> policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0) policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>>

$ grep -RnF '[0-9]+' policy/ | grep -v /dev/ policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices

...

> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec > index 663289f53d97..d1bcf4a74338 100644 > --- a/contrib/fedora/passt.spec > +++ b/contrib/fedora/passt.spec > [...]

At a glance, this looks like a better solution regardless of the reported issue. It sounds too good to be true, though

I agree that it looks like a good solution, which makes me wonder why the base SELinux policies don't do it that way. The containers SELinux policy appears to do things this way

$ grep -RnF '[0-9]+' container_selinux.8:166: /run/user/[0-9]+/gvfs $ grep -RnF '%{USERID}'; echo $? 1

so it's probably (?) okay though.

That's helpful, I guess we can go ahead with this. Stefano, Paul?

Sure. But back to my question about the original problem... what was the original problem? :) Could it be something similar to:

https://bugzilla.redhat.com/show_bug.cgi?id=2401764

?

Ah, sorry about that. No, it's not a functionality issue or a bug. It was merely a few suggestions to improve the passt SUSE package from the SELinux team at SUSE. Here are the suggestions:

Thanks for sharing those.

...

1. building twice is quite a hack, setting a hardlink as in apparmor would probably work as well and is less confusing

Details as to why it doesn't work:

https://passt.top/passt/commit/?id=a405d0c026582375448fe87c6e440eb0fd428dd7

...

2. running restorecon would be unnecessary if the passt upstream selinux module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway)

Would you be so kind as to re-post this patch (Cc'ing Max and Paul) with a commit message reflecting this, and without private links?

Sent updated patch, I wonder why it didn't show up in this thread, I did include the message-id of the original message.

...

3. there is a %selinux_requires macro in selinux-policy-devel that likely could be used instead of listing the Requires:, but okay we dont enforce that atm

For #1 I can see that building twice is required in this case, and unlike apparmor which can work with hardlinks, doing the same for SELinux isn't possible with inodes in the picture.

Right, yeah, it's because labels are stored in extended attributes, and those belong to inodes, not paths.

...

#2 is what this patch is about, and #3 is SUSE-exclusive which I'm fixing in parallel.

If I recall correctly, that part of openSUSE spec file is roughly taken from:

https://passt.top/passt/tree/contrib/fedora/passt.spec

and I build openSUSE packages in my Copr repository too (https://copr.fedorainfracloud.org/coprs/sbrivio/passt/), based on the Fedora spec file.

I'm not sure if it's useful for many people (one can try out an upstream release right away like that) but it's almost zero effort on my side. In any case, if the change also applies to Fedora or openSUSE packages from Copr I guess it would be nice to have a patch for that as well.

Yes, the spec is taken from fedora. And now that you mention it, I can see there's a similar %selinux_requires macro in fedora as well--taken by openSUSE presumably. So I guess, I can send that change across as well.

...

...

In general, there are a bunch of current SELinux issues reported on Fedora/RHEL (and I assume they would be exactly the same on openSUSE/SLES):

https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=short_desc%2Cchangeddate%2Cbug_severity&component=passt&product=Fedora

and I'm trying to find out if this change might fix some of them. Most of those are stuff I didn't investigate yet.

Unfortunately no, I was notified of a few spec related errors from colleagues, but I'm sure the errors would overlap, as you said. If there's something I can help, please let me know, I'll be happy to contribute.

Thanks. I still need to find a moment to go through all of them with a bit more time and I'll let you know, in case.

Well, of course, if you want to have a look meanwhile, that might help. You would need an account at bugzilla.redhat.com to comment but, well, I have an account on bugzilla.suse.com, so... :)

Happy to help, I'll create that coveted account :) -- danishpraka.sh