[PATCH] spec: use %selinux_requires macro, drop overlapping dependencies
Also, drop unused preun policycoreutils requires.
Signed-off-by: Danish Prakash
Hi Danish,
On Thu, 2025-11-13 at 12:52 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires.
Signed-off-by: Danish Prakash
--- contrib/fedora/passt.spec | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d1bcf4a74338..cab2bb4c409b 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -34,19 +34,15 @@ for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%selinux_requires
I think that we want "%selinux_requires_min" instead, since "%selinux_requires" also pulls in "policycoreutils-python-utils" (and hence all of Python). (I'm not very familiar with spec files, but since the RPM macro "%selinux_requires" is provided by the "selinux-policy" package, do we also need to add a Requires/BuildRequires for that?)
+Requires: container-selinux +Requires: selinux-policy-%{selinuxtype}
I think that "selinux-policy-%{selinuxtype}" is included via "%selinux_requires" above.
Requires(post): container-selinux -Requires(post): policycoreutils -Requires(post): libselinux-utils -Requires(preun): policycoreutils -BuildRequires: selinux-policy-devel -BuildRequires: pkgconfig(systemd) -Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version} +Requires(post): selinux-policy-%{selinuxtype} +Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
%description selinux This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
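Review bot: the last run of removals drops `BuildRequires: selinux-policy-devel` in the same hunk that introduces `%selinux_requires`, so nothing visible here guarantees that the package defining the macro is present in the buildroot. rpm leaves an undefined macro unexpanded, so the preamble would carry the literal line instead of the dependencies it is meant to generate. Keep the BuildRequires, or point to where else the spec declares it. The same run also removes `Requires(post): policycoreutils` and `Requires(post): libselinux-utils`; the %post scriptlet is outside this hunk, so confirm that the macro's expansion still covers the tools that scriptlet calls.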
Everything else looks good to me.
Thanks, -- Max
Adding Vit as author of some parts now changed by this patch. Full
discussion thread at:
https://archives.passt.top/passt-dev/20251113072256.4034068-1-contact@danish...
On Thu, 13 Nov 2025 02:47:42 -0700
Max Chernoff
Hi Danish,
On Thu, 2025-11-13 at 12:52 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires.
Signed-off-by: Danish Prakash
--- contrib/fedora/passt.spec | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d1bcf4a74338..cab2bb4c409b 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -34,19 +34,15 @@ for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%selinux_requires
I think that we want "%selinux_requires_min" instead, since "%selinux_requires" also pulls in "policycoreutils-python-utils" (and hence all of Python).
(I'm not very familiar with spec files, but since the RPM macro "%selinux_requires" is provided by the "selinux-policy" package, do we also need to add a Requires/BuildRequires for that?)
+Requires: container-selinux +Requires: selinux-policy-%{selinuxtype}
I think that "selinux-policy-%{selinuxtype}" is included via "%selinux_requires" above.
Requires(post): container-selinux -Requires(post): policycoreutils -Requires(post): libselinux-utils -Requires(preun): policycoreutils -BuildRequires: selinux-policy-devel -BuildRequires: pkgconfig(systemd) -Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version} +Requires(post): selinux-policy-%{selinuxtype} +Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
%description selinux This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
Everything else looks good to me.
Thanks, -- Max
-- Stefano
Hi,
On 11/13/25 12:10 PM, Stefano Brivio wrote:
Adding Vit as author of some parts now changed by this patch. Full discussion thread at:
https://archives.passt.top/passt-dev/20251113072256.4034068-1-contact@danish...
On Thu, 13 Nov 2025 02:47:42 -0700 Max Chernoff
wrote: Hi Danish,
On Thu, 2025-11-13 at 12:52 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires.
Signed-off-by: Danish Prakash
--- contrib/fedora/passt.spec | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d1bcf4a74338..cab2bb4c409b 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -34,19 +34,15 @@ for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%selinux_requires I think that we want "%selinux_requires_min" instead, since "%selinux_requires" also pulls in "policycoreutils-python-utils" (and hence all of Python). Yes, we only recently added this option and selinux_requires_min is what you need as long as you're not using semanage (e.g. to customize booleans).
(I'm not very familiar with spec files, but since the RPM macro "%selinux_requires" is provided by the "selinux-policy" package, do we also need to add a Requires/BuildRequires for that?)
Yes, BuildRequires: selinux-policy-devel is indeed needed (it will bring selinux-policy with it) for RPM to have access to the macro.
Please test all the "Requires" you removed, because unfortunately %selinux_requires gets expanded too late for some of the contents to matter (which is why I recommended using this set of "Requires"):
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
(It has been a few years since I tested it last though)
+Requires: container-selinux +Requires: selinux-policy-%{selinuxtype} I think that "selinux-policy-%{selinuxtype}" is included via "%selinux_requires" above.
It is not. %selinux_requires does not specify which one of selinux-policy-{mls|minimum|targeted|atomotive} to install.
Requires(post): container-selinux -Requires(post): policycoreutils -Requires(post): libselinux-utils -Requires(preun): policycoreutils -BuildRequires: selinux-policy-devel -BuildRequires: pkgconfig(systemd) -Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version} +Requires(post): selinux-policy-%{selinuxtype} +Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
You can drop the Recommends, since that is part of the macro. We recently replaced the original hard "Requires" with "Recommends" (along with a Requires for the "stable version"). So the original reason for removing the macro from your package is mostly gone.
Vit
%description selinux This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1). Everything else looks good to me.
Thanks, -- Max
On 11/13/25 5:34 PM, Vit Mojzis wrote:
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%selinux_requires I think that we want "%selinux_requires_min" instead, since "%selinux_requires" also pulls in "policycoreutils-python-utils" (and hence all of Python). Yes, we only recently added this option and selinux_requires_min is what you need as long as you're not using semanage (e.g. to customize booleans).
I checked and it seems that %selinux_requires_min is available on >=F43;
I've added a conditional macro use in the patch (v2) and relying on
explicit Requires (same as before) for

(I'm not very familiar with spec files, but since the RPM macro
"%selinux_requires" is provided by the "selinux-policy" package, do we
also need to add a Requires/BuildRequires for that?)

Yes, BuildRequires: selinux-policy-devel is indeed needed (it will bring
selinux-policy with it) for RPM to have access to the macro.
Please test all the "Requires" you removed, because unfortunately
%selinux_requires gets expanded too late for some of the contents to
matter (which is why I recommended using this set of "Requires"):
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
(It has been a few years since I tested it last though)

I've tested local builds on F42 and F43, looks good to me, though if
there's a better way to test this, I'd love to do that as well.
regards!
--
danishpraka.sh
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.
Signed-off-by: Danish Prakash
Hi Danish,
On Fri, 2025-11-21 at 18:17 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires, and Recommends on selinux-policy-%{targeted}, it has since been added to %selinux_requires_min.
Signed-off-by: Danish Prakash
Reviewed-by: Max Chernoff
--- contrib/fedora/passt.spec | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d1bcf4a74338..bcbe1f77bb6c 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -34,19 +34,21 @@ for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
-%package selinux -BuildArch: noarch -Summary: SELinux support for passt and pasta -Requires: selinux-policy-%{selinuxtype} -Requires: container-selinux -Requires(post): selinux-policy-%{selinuxtype} +%package selinux +BuildArch: noarch +Summary: SELinux support for passt and pasta +%if 0%{?fedora} >= 43 +BuildRequires: selinux-policy-devel +%selinux_requires_min +%else +BuildRequires: pkgconfig(systemd) +Requires(post): libselinux-utils +Requires(post): policycoreutils +%endif +Requires: container-selinux +Requires: selinux-policy-%{selinuxtype} Requires(post): container-selinux -Requires(post): policycoreutils -Requires(post): libselinux-utils -Requires(preun): policycoreutils -BuildRequires: selinux-policy-devel -BuildRequires: pkgconfig(systemd) -Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version} +Requires(post): selinux-policy-%{selinuxtype}
%description selinux This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
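Review bot: the two BuildRequires that were unconditional before are now split across the `%if 0%{?fedora} >= 43` branches: `selinux-policy-devel` is declared only for Fedora 43 and later, and `pkgconfig(systemd)` only in the `%else` branch. Unless both are declared elsewhere in the spec, each build target loses one of them. If the split is intended, a comment in the spec saying why would help; otherwise keep both outside the conditional. Also, `Recommends: selinux-policy-%{selinuxtype} >= %{selinux_policy_version}` is removed for every target, while the commit message justifies the removal by `%selinux_requires_min`, which the `%else` branch does not use, so older targets lose the version hint with no replacement.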
Thanks, -- Max
On Sun, 23 Nov 2025 00:37:24 -0700
Max Chernoff
Hi Danish,
On Fri, 2025-11-21 at 18:17 +0530, Danish Prakash wrote:
Also, drop unused preun policycoreutils requires, and Recommends on selinux-policy-%{targeted}, it has since been added to %selinux_requires_min.
Signed-off-by: Danish Prakash
Reviewed-by: Max Chernoff
Tested-by: Max Chernoff (I've only tested this on F43, but the non-F43 changes also look good to me)
Applied, thanks everybody! -- Stefano
participants (4)
- Danish Prakash
- Max Chernoff
- Stefano Brivio
- Vit Mojzis