Merge branch 'rawhide' into epel8

Add patch excluding fs_watch_cgroup_dirs
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-11-17 23:16:54 +01:00 · 2025-09-04 08:34:46 +02:00 · 2025-09-03 15:14:55 +02:00 · 2025-07-14 15:00:14 +02:00 · 2025-05-19 13:21:20 +02:00 · 2025-03-25 15:06:11 +01:00
3 changed files with 57 additions and 0 deletions
--- a/0001-Revert-data-selinux-remove-timedatex-14670.patch
+++ b/0001-Revert-data-selinux-remove-timedatex-14670.patch
@ -0,0 +1,32 @@
+From 18faae8698370c3f192319c88214fe01dd06b83f Mon Sep 17 00:00:00 2001
+Message-ID: <18faae8698370c3f192319c88214fe01dd06b83f.1747651437.git.maciej.borzecki@canonical.com>
+From: Maciej Borzecki <maciej.borzecki@canonical.com>
+Date: Mon, 19 May 2025 12:02:54 +0200
+Subject: [PATCH] Revert "data/selinux: remove timedatex (#14670)"
+
+This reverts commit cc90a8be2eaa9718dba018ff42cce2c6cd0ad963.
+
+Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
+---
+ data/selinux/snappy.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index f66e7d5b37dd721c7cac0e17fc58a29b4029a656..802bddd520a5d3341acf8299fcfda8a29cc3a9eb 100644
+--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
+@@ -345,6 +345,11 @@ optional_policy(`
+ 	allow snappy_t systemd_timedated_t:dbus send_msg;
+ 	allow systemd_timedated_t snappy_t:dbus send_msg;
+ ')
+# or on some systems same dbus API may be provided by timedatex
+# RHEL7: there is no timedatex.if
+ifndef(`distro_rhel7',`
+  timedatex_dbus_chat(snappy_t)
+')
+ 
+ # kernel-module-load interface may inspect or write files under /etc/modprobe.d
+ optional_policy(`
+-- 
+2.49.0
+
--- a/fs_watch_group_dirs.patch
+++ b/fs_watch_group_dirs.patch
@ -0,0 +1,15 @@
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index 61284f4bf7..d91f5d69ed 100644
+--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
+@@ -464,7 +464,9 @@ gen_require(`
+ allow snappy_t devicekit_power_exec_t:file { getattr };
+ 
+ # Snapd monitors cgroup hierarchy for refresh app awareness.
+-fs_watch_cgroup_dirs(snappy_t)
+ifndef(`distro_rhel8',`
+  fs_watch_cgroup_dirs(snappy_t)
+')
+ 
+ # connect to unix socket of snap session agent usually executing as unconfined_t.
+ # TODO: define separate policy for user session agent
--- a/snapd.spec
+++ b/snapd.spec
@ -95,6 +95,9 @@ License:        GPL-3.0-only
 URL:            https://%{provider_prefix}
 Source0:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.no-vendor.tar.xz
 Source1:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz
+# EPEL8: fix for https://bugs.launchpad.net/snapd/+bug/2097170
+Patch0:         0001-Revert-data-selinux-remove-timedatex-14670.patch
+Patch1:         fs_watch_group_dirs.patch

 ExclusiveArch:  %{?golang_arches}%{!?golang_arches:%{ix86} x86_64 %{arm} aarch64 ppc64le s390x}

@ -603,6 +606,9 @@ EOF
 %if 0%{?rhel} == 7
    M4PARAM='-D distro_rhel7'
 %endif
+%if 0%{?rhel} == 8
+    M4PARAM='-D distro_rhel8'
+%endif
 %if 0%{?rhel} == 7 || 0%{?rhel} == 8 || 0%{?rhel} == 9
    # RHEL7, RHEL8 and RHEL9 are missing the BPF interfaces from their reference policy
    M4PARAM="$M4PARAM -D no_bpf"
@ -1313,6 +1319,10 @@ fi
 - Interfaces: add symlinks backend
 - Interfaces: system key mismatch handling

+* Mon May 19 2025 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.68.3-1
+- Revert upstream patch dropping timedatex from SELinux policy of snapd
+ - Fixes: https://bugs.launchpad.net/snapd/+bug/2097170
+
 * Tue Apr 08 2025 Ernest Lotter <ernest.lotter@canonical.com>
 - New upstream release 2.69
 - FDE: re-factor listing of the disks based on run mode model and
Author	SHA1	Message	Date
Zygmunt Krynicki	c324a3b8d9	Merge branch 'rawhide' into epel8	2025-11-17 23:16:54 +01:00
Zygmunt Krynicki	d29928ac89	Add patch excluding fs_watch_cgroup_dirs Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>	2025-09-04 08:34:46 +02:00
Zygmunt Krynicki	308771aee5	Merge branch 'rawhide' into epel8	2025-09-03 15:14:55 +02:00
Zygmunt Krynicki	aa6e3b7d5e	New upstream release 2.70 Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>	2025-07-14 15:00:14 +02:00
Maciek Borzecki	6277e01d50	snapd: revert upstream patch dropping timedatex Fixes bug reported in snapd LP: https://bugs.launchpad.net/snapd/+bug/2097170 Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>	2025-05-19 13:21:20 +02:00
Zygmunt Krynicki	62f4d631ae	Merge branch 'rawhide' into epel8	2025-03-25 15:06:11 +01:00
Zygmunt Krynicki	80d2c95ee6	Merge branch 'rawhide' into epel8	2025-01-22 13:10:38 +01:00
Zygmunt Krynicki	53daf65e7b	Merge branch 'rawhide' into epel8	2024-11-20 15:18:20 +01:00
Zygmunt Krynicki	c4340f57ea	Merge branch 'epel9' into epel8	2024-09-05 13:15:37 +02:00
Zygmunt Krynicki	14128e4ad8	Merge branch 'main' into epel9	2024-09-05 12:53:39 +02:00
Zygmunt Krynicki	3b170ec424	Update to 2.63 Small build change related to snap-seccomp, so that the progarm continues to build on rawhide (-D_GNU_SOURCE) and another change related to a stale removal of -Bstatic. Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>	2024-05-27 09:38:28 +02:00
Zygmunt Krynicki	2b199658c5	Update to 2.63 Small build change related to snap-seccomp, so that the progarm continues to build on rawhide (-D_GNU_SOURCE) and another change related to a stale removal of -Bstatic. Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>	2024-05-27 09:06:57 +02:00