Sync from SUSE:SLFO:Main passt revision a6d7406fcf24b3fa1b7257c2f2f9fae3

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="versionformat">%cs.%h</param>
-    <param name="revision">2024_09_06.6b38f07</param>
+    <param name="revision">2025_04_15.2340bbf</param>
   </service>
   <service mode="manual" name="recompress">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://passt.top/passt</param>
-              <param name="changesrevision">6b38f0723949f8b4b2787ee55d4330249a1a4a3e</param></service></servicedata>
+              <param name="changesrevision">2340bbf867e6c3c3b5ac67345b0e841ab49bbaa5</param></service></servicedata>

passt.changes

@@ -1,3 +1,382 @@
+-------------------------------------------------------------------
+Wed Apr 16 06:17:16 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250415.2340bbf:
+  * udp: Propagate errors on listening and brand new sockets
+  * udp: Minor re-organisation of udp_sock_recverr()
+  * udp: Add udp_pktinfo() helper
+  * udp: Deal with errors as we go in udp_sock_fwd()
+  * udp: Pass socket & flow information direction to error handling functions
+  * udp: Be quieter about errors on UDP receive
+  * udp: Fix breakage of UDP error handling by PKTINFO support
+  * conf: Honour --dns-forward for local resolver even with --no-map-gw
+  * conf: Split add_dns_resolv() into separate IPv4 and IPv6 versions
+  * udp, udp_flow: Track our specific address on socket interfaces
+  * inany: Improve ASSERT message for bad socket family
+  * udp: Use PKTINFO cmsgs to get destination address for received datagrams
+  * tcp_splice: Don't clobber errno before checking for EAGAIN
+  * tcp_splice: Don't double count bytes read on EINTR
+  * conf: Add missing return in conf_nat(), fix --map-guest-addr none
+  * udp_flow: Save 8 bytes in struct udp_flow on 64-bit architectures
+  * udp_flow: Don't discard packets that arrive between bind() and connect()
+  * udp: Fold udp_splice_prepare and udp_splice_send into udp_sock_to_sock
+  * udp: Rework udp_listen_sock_data() into udp_sock_fwd()
+  * udp_flow: Take pif and port as explicit parameters to udp_flow_from_sock()
+  * udp: Move UDP_MAX_FRAMES to udp.c
+  * udp: Merge vhost-user and "buf" listening socket paths
+  * udp: Split spliced forwarding path from udp_buf_reply_sock_data()
+  * udp: Parameterize number of datagrams handled by udp_*_reply_sock_data()
+  * udp: Don't bother to batch datagrams from "listening" socket
+  * udp: Polish udp_vu_sock_info() and remove from vu specific code
+  * udp: Make udp_sock_recv() take max number of frames as a parameter
+  * udp: Use connect()ed sockets for initiating side
+  * udp: support traceroute in direction tap-socket
+  * passt-repair: Ensure that read buffer is NULL-terminated
+  * udp: Correct some seccomp filter annotations
+  * udp: Simplify updates to UDP flow timestamp
+  * udp: Remove redundant udp_at_sidx() call in udp_tap_handler()
+  * passt-repair: Correct off-by-one error verifying name
+  * migrate, tcp: bind() migrated sockets in repair mode
+  * platform requirements: Add test for address conflicts with TCP_REPAIR
+  * platform requirements: Add attributes to die() function
+  * platform requirements: Fix clang-tidy warning
+  * udp: Improve name of UDP related ICMP sending functions
+  * udp: Don't attempt to forward ICMP socket errors to other sockets
+  * pasta, passt-repair: Support multiple events per read() in inotify handlers
+  * udp: correct source address for ICMP messages
+  * build: normalize arm targets
+  * udp: Add helper function for creating connected UDP socket
+  * udp: Always hash socket facing flowsides
+  * udp: Better handling of failure to forward from reply socket
+  * udp: Share more logic between vu and non-vu reply socket paths
+  * udp_vu: Factor things out of udp_vu_reply_sock_data() loop
+  * udp: Simplify checking of epoll event bits
+  * udp: Common invocation of udp_sock_errs() for vhost-user and "buf" paths
+  * packet: Upgrade severity of most packet errors
+  * packet: ASSERT on signs of pool corruption
+  * util: Add abort_with_msg() and ASSERT_WITH_MSG() helpers
+  * packet: Rework packet_get() versus packet_get_try()
+  * packet: Move checks against PACKET_MAX_LEN to packet_check_range()
+  * packet: Avoid integer overflows in packet_get_do()
+  * packet: Correct type of PACKET_MAX_LEN
+  * tap: Clarify calculation of TAP_MSGS
+  * tap: Make size of pool_tap[46] purely a tuning parameter
+  * packet: More cautious checks to avoid pointer arithmetic UB
+  * vu_common: Tighten vu_packet_check_range()
+
+-------------------------------------------------------------------
+Thu Mar 20 14:38:07 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250320.32f6212:
+  * Makefile: Enable -Wformat-security
+  * conf: Include libgen.h for basename(), fix build against musl
+  * tcp: Flush socket before checking for more data in active close state
+  * migrate: Bump migration version number
+  * migrate, tcp: Migrate RFC 7323 timestamp
+  * migrate, tcp: More careful marshalling of mss parameter during migration
+  * passt-repair: Fix build with -Werror=format-security
+  * tcp, flow: Better use flow specific logging heleprs
+  * conf: Unify several paths in conf_ports()
+  * test/perf: Simplify iperf3 server lifetime management
+  * conf: Limit maximum MTU based on backend frame size
+  * pcap: Correctly set snaplen based on tap backend type
+  * Simplify sizing of pkt_buf
+  * tap: Use explicit defines for maximum length of L2 frame
+  * packet: Remove redundant TAP_BUF_BYTES define
+  * packet: Give explicit name to maximum packet size
+  * conf: Detect vhost-user mode earlier
+  * conf: Move mode detection into helper function
+  * conf: Use the same optstring for passt and pasta modes
+  * flow, repair: Wait for a short while for passt-repair to connect
+  * passt-repair: Add directory watch
+  * cppcheck: Add suppressions for "logically" exported functions
+  * vhost_user: Don't export several functions
+  * tcp: Don't export tcp_update_csum()
+  * checksum: Don't export various functions
+  * log: Don't export passt_vsyslog()
+  * treewide: Mark assorted functions static
+  * udp: create and send ICMPv6 to local peer when applicable
+  * tap: break out building of udp header from tap_udp6_send function
+  * udp: create and send ICMPv4 to local peer when applicable
+  * tap: break out building of udp header from tap_udp4_send function
+  * conf: Be more precise about minimum MTUs
+  * tcp: Send RST in response to guest packets that match no connection
+  * tap: Consider IPv6 flow label when building packet sequences
+  * ip: Helpers to access IPv6 flow label
+  * migrate, tcp: Don't flow_alloc_cancel() during incoming migration
+  * tcp: Unconditionally move to CLOSED state on tcp_rst()
+  * tcp: Correct error code handling from tcp_flow_repair_socket()
+  * migrate, flow: Don't attempt to migrate TCP flows without passt-repair
+  * migrate, flow: Trivially succeed if migrating with no flows
+  * selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage
+  * seccomp.sh: Silence stty errors
+  * tap: always set the no_frag flag in IPv4 headers
+  * contrib/fedora: Actually install passt-repair SELinux policy file
+  * dhcp: Add option code byte in calculation for OPT_MAX boundary check
+  * Makefile: Use mmap2() as alternative for mmap() in valgrind extra syscalls
+  * conf: Use 0 instead of -1 as "unassigned" mtu value
+  * conf: More thorough error checking when parsing --mtu option
+  * flow: Clean up and generalise flow traversal macros
+  * flow: Remove unneeded bound parameter from flow traversal macros
+  * flow: Remove unneeded index from foreach_* macros
+  * flow: Add flow_perror() helper
+  * tcp: Don't pass both flow pointer and flow index
+  * tcp: Remove spurious prototype for tcp_flow_migrate_shrink_window
+  * tcp: More type safety for tcp_flow_migrate_target_ext()
+  * tcp_vu: head_cnt need not be global
+  * tap: Remove unused ETH_HDR_INIT() macro
+  * packet: Don't pass start and offset separately to packet_check_range()
+  * packet: Use flexible array member in struct pool
+  * dhcp: Remove option 255 length byte
+
+-------------------------------------------------------------------
+Thu Mar  6 10:50:13 UTC 2025 - Dan Čermák <dcermak@suse.com>
+
+- Introduce apparmor subpackage, fixes bsc#1238597
+
+-------------------------------------------------------------------
+Mon Feb 17 13:53:53 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250217.a1e48a0:
+  * test: Add migration tests
+  * migrate: Migrate TCP flows
+  * repair, passt-repair: Build and warning fixes for musl
+  * tcp_splice: A typo three years ago and SO_RCVLOWAT is gone
+  * tcp_splice: Don't wake up on input data if we can't write it anywhere
+  * vhost_user: Clear ring address on GET_VRING_BASE
+  * tcp, tcp_splice: Don't set SO_SNDBUF and SO_RCVBUF to maximum values
+  * tcp: Keep updating window and checking for socket data after FIN from guest
+  * contrib/selinux: Enable mapping guest memory for libvirt guests
+  * selinux: Add rules needed to run tests
+  * rampstream: Add utility to test for corruption of data streams
+  * tcp: Get bound address for connected inbound sockets too
+  * vhost_user: Make source quit after reporting migration state
+  * Add interfaces and configuration bits for passt-repair
+  * migrate: Migrate guest observed addresses
+  * migrate: Skeleton of live migration logic
+  * passt-repair: Fix off-by-one in check for number of file descriptors
+  * tcp_vu: Fix off-by one in header count array adjustment
+  * tcp: Implement conservative zero-window probe on ACK timeout
+  * tcp: Don't discard window information on keep-alive segments
+  * dhcp, dhcpv6: Add hostname and client fqdn ops
+  * conf: Don't map DNS traffic to host, if host gateway is a resolver
+  * passt-repair: Send one confirmation *per command*, not *per socket*
+  * dhcp: Don't re-use request message for reply
+  * passt-repair: Dodge "structurally unreachable code" warning from Coverity
+  * passt-repair: Fix calculation of payload length from cmsg_len
+  * passt-repair: Don't use perror(), accept ECONNRESET as termination
+  * conf, passt.1: Un-deprecate --host-lo-to-ns-lo
+  * debug: Add tcpdump to mbuto.img
+  * apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user
+  * passt-repair.1: Fix indication of TCP_REPAIR constants
+  * passt-repair: Build fixes for musl
+  * passt-repair: use _exit() over return
+  * treewide: use _exit() over exit()
+  * tcp: Simplify handling of getsockname()
+  * migrate: Fix several errors with passt-repair
+  * doc: Add mock of migration source and target
+  * tcp: Get socket port and address using getsockname() when connecting from guest
+  * Introduce passt-repair
+  * vhost_user: Turn some vhost-user message reports to trace()
+  * util: Add read_remainder() and read_all_buf()
+  * tcp_splice, udp_flow: fcntl64() support on PPC64 depends on glibc version
+  * vhost_user: On 32-bit ARM, mmap() is not available, mmap2() is used instead
+  * tcp: Don't reset outbound connection on SYN retries
+  * pasta.te: fix demo.sh and remove one duplicate rule
+  * tcp: Add HOSTSIDE(x), HOSTFLOW(x) macros
+  * util: Rename and make global vu_remove_watch()
+  * tcp: Always pass NULL event with EPOLL_CTL_DEL
+  * vhost-user: Implement an empty VHOST_USER_SEND_RARP command
+  * netlink: Skip loopback interface while looking for a template
+
+-------------------------------------------------------------------
+Wed Jan 22 08:34:13 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250121.4f2c8e7:
+  * vhost_user: Drop packet with unsupported iovec array
+  * tcp: Set PSH flag for last incoming packets in a batch
+  * tcp: Set ACK flag on *all* RST segments, even for client in SYN-SENT state
+  * tcp: Disable Nagle's algorithm (set TCP_NODELAY) on all sockets
+  * tcp: Buffer sizes are *not* inherited on accept()/accept4()
+  * vhost_user: remove ASSERT() on iovec number
+  * vhost-user: Report to front-end we support VHOST_USER_PROTOCOL_F_DEVICE_STATE
+  * vhost-user: add VHOST_USER_SET_DEVICE_STATE_FD command
+  * vhost-user: add VHOST_USER_CHECK_DEVICE_STATE command
+  * vhost-user: Report to front-end we support VHOST_USER_PROTOCOL_F_LOG_SHMFD
+  * vhost-user: add VHOST_USER_SET_LOG_BASE command
+  * vhost-user: Pass vu_dev to more virtio functions
+  * vhost-user: add VHOST_USER_SET_LOG_FD command
+  * vhost-user: update protocol features and commands list
+  * tcp: Mask EPOLLIN altogether if we're blocked waiting on an ACK from the guest
+  * tcp: Set EPOLLET when when reading from a socket fails with EAGAIN
+  * tcp: Don't subscribe to EPOLLOUT events on STALLED
+  * tcp: Fix ACK sequence getting out of sync on EPOLLOUT wake-up
+  * vhost_user: fix multibuffer from linux
+  * test/pasta_podman: Run Podman tests on a single CPU thread
+  * checksum: fix checksum with odd base address
+  * tcp_splice: Set (again) TCP_NODELAY on both sides
+  * seccomp: Unconditionally allow accept(2) even if accept4(2) is present
+  * virtio: Use const pointer for vu_dev
+  * udp_flow: Don't block multicast and broadcast messages
+  * Makefile: Report error and stop if we can't set TARGET
+  * README: Mark vhost-user as supported
+
+-------------------------------------------------------------------
+Thu Dec 12 13:41:51 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241211.09478d5:
+  * treewide: Dodge dynamic memory allocation in strerror() from glibc > 2.40
+  * pasta: make it possible to disable socket splicing
+  * tap: Call vu_init() with --fd
+  * tap: Use a common function to start a new connection
+  * udp_vu: update segment size
+  * flow: Remove over-zealous sanity checks in flow_sidx_hash()
+  * udp: Improve detail of UDP endpoint sanity checking
+  * perf/passt_vu_tcp: Make it shine
+  * tcp_vu: Compute IPv4 header checksum if dlen changes
+  * Makefile: Use make internal string functions
+  * tcp_vu: Remove unnecessary tcp_vu_update_check() function
+  * tcp: Merge tcp_fill_headers[46]() with each other
+  * tcp: Merge tcp_update_check_tcp[46]()
+  * tcp: Pass TCP header and payload separately to tcp_fill_headers[46]()
+  * tcp: Pass TCP header and payload separately to tcp_update_check_tcp[46]()
+  * iov, checksum: Replace csum_iov() with csum_iov_tail()
+  * iov: iov tail helpers
+  * tcp_vu: Change 'dlen' to ssize_t in tcp_vu_data_from_sock()
+  * Fix build on 32bit target
+  * virtio: check if avail ring is configured
+  * tcp: Move tcp_l2_buf_fill_headers() to tcp_buf.c
+  * test: Add tests for passt in vhost-user mode
+  * vhost-user: add vhost-user
+  * passt: rename tap_sock_init() to tap_backend_init()
+  * tcp: Export headers functions
+  * udp: Prepare udp.c to be shared with vhost-user
+  * vhost-user: introduce vhost-user API
+  * vhost-user: introduce virtio API
+  * packet: replace struct desc by struct iovec
+
+-------------------------------------------------------------------
+Wed Nov 27 14:19:40 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241127.c0fbc7e:
+  * dhcp: Honour broadcast flag (RFC 2131, 4.1)
+  * dhcp: Introduce support for Rapid Commit (option 80, RFC 4039)
+  * dhcp: Use -1 as "missing option" length instead of 0
+  * treewide: Introduce 'local mode' for disconnected setups
+  * test: Improve logic for waiting for SLAAC & DAD to complete in NDP tests
+  * ndp: Don't send first periodic router advertisement right after guest connects
+  * test/perf: Select a single IPv6 namespace address in pasta tests
+  * conf, passt.1: Update --mac-addr default in usage() and man page
+  * passt.1: Fix "default" note about --map-guest-addr
+
+-------------------------------------------------------------------
+Mon Nov 25 07:27:04 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241121.238c69f:
+  * tcp: Acknowledge keep-alive segments, ignore them for the rest
+  * tcp: Reset ACK_TO_TAP_DUE flag whenever an ACK isn't needed anymore
+  * ndp: Don't send unsolicited RAs if NDP is disabled
+  * ndp: Don't send unsolicited router advertisement if we can't, yet
+  * selinux: Use auth_read_passwd() interface for all our getpwnam() needs
+  * ndp: Send unsolicited Router Advertisements
+  * passt: Seed libc's pseudo random number generator
+  * util: Add general low-level random bytes helper
+  * ndp: Make route lifetime a #define
+  * ndp: Use struct assignment in preference to memcpy() for IPv6 addresses
+  * ndp: Split out helpers for sending specific NDP message types
+  * ndp: Add ndp_send() helper
+  * ndp: Remove redundant update to addr_seen
+  * cppcheck: Don't check the system headers
+  * linux_dep: Fix CLOSE_RANGE_UNSHARE availability handling
+  * linux_dep: Move close_range() conditional handling to linux_dep.h
+  * log: Only check for FALLOC_FL_COLLAPSE_RANGE availability at runtime
+  * tap, tcp, util: Add some missing SOCK_CLOEXEC flags
+  * passt: Use NOLINT clang-tidy block instead of NOLINTNEXTLINE
+  * util: Define small and big thresholds for socket buffers as unsigned long long
+  * tap: Cast TAP_BUF_BYTES - ETH_MAX_MTU to ssize_t, not TAP_BUF_BYTES
+  * dhcpv6: Turn some option headers pointers to const
+  * dhcpv6: Use for loop instead of goto to avoid false positive cppcheck warning
+  * tcp: unify payload and flags l2 frames array
+  * test: Improve test for NDP assigned prefix
+  * test: Don't require 64-bit prefixes in perf tests
+  * test: Make nstool hold robust against interruptions to control clients
+  * test: Rename propagating signal handler
+  * util: Work around cppcheck bug 6936
+  * udp: Don't dereference uflow before NULL check in udp_reply_sock_handler()
+  * ndp: Use const pointer for ndp_ns packet
+  * linux_dep: Generalise tcp_info.h to handling Linux extension compatibility
+  * fwd: Squash different-signedness comparison warning
+  * util: Remove unused ffsl() function
+  * clang: Add rudimentary clangd configuration
+  * Makefile: Don't attempt to auto-detect stack size
+  * Makefile: Use -DARCH for qrap only
+  * seccomp: Simplify handling of AUDIT_ARCH
+  * Makefile: Move NETNS_RUN_DIR definition to C code
+  * netlink: RTA_PAYLOAD() returns int, not size_t
+  * flow: Correct type of flowside_at_sidx()
+  * arch: Avoid explicit access to 'environ'
+  * clang: Move clang-tidy configuration from Makefile to .clang-tidy
+  * Makefile: Simplify exclusion of qrap from static checks
+  * clang: Add .clang-format file
+  * test: Adjust misplaced sleeps in two_guests code
+  * tap: Explicitly cast TUNSETIFF to fix build warning with musl on ppc64le
+  * tcp: Fix build against musl, __sum16 comes from linux/types.h
+
+-------------------------------------------------------------------
+Mon Nov 04 10:10:37 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241030.ee7d0b6:
+  * util: Don't use errno after a successful call in __daemon()
+  * udp: Take care of cert-int09-c clang-tidy warning for enum udp_iov_idx
+  * treewide: Address cert-err33-c clang-tidy warnings for clock and timer functions
+  * treewide: Suppress clang-tidy warning if we already use O_CLOEXEC
+  * Makefile: Disable readability-math-missing-parentheses clang-tidy check
+  * treewide: Silence cert-err33-c clang-tidy warnings for fprintf()
+  * treewide: Comply with CERT C rule ERR33-C for snprintf()
+  * Makefile: Exclude qrap.c from clang-tidy checks
+  * tcp: unify l2 TCPv4 and TCPv6 queues and structures
+  * tcp: set ip and eth headers in l2 tap queues on the fly
+  * test: remove obsolete images
+  * tcp: cleanup tcp_buf_data_from_sock()
+  * tcp: Use runtime tests for TCP_INFO fields
+  * tcp: Generalise probing for tcpi_snd_wnd field
+  * tcp: Remove compile-time dependency on struct tcp_info version
+  * tcp_splice: fcntl(2) returns the size of the pipe, if F_SETPIPE_SZ succeeds
+  * tcp_splice: splice() all we have to the writing side, not what we just read
+  * tcp: Use structures to construct initial TCP options
+  * fwd: Direct inbound spliced forwards to the guest's external address
+  * test: Clarify test for spliced inbound transfers
+  * passt.1: Clarify and update "Handling of local addresses" section
+  * passt.1: Mark --stderr as deprecated more prominently
+  * test: Wait for DAD on DHCPv6 addresses
+  * test: Explicitly wait for DAD to complete on SLAAC addresses
+  * arp: Fix a handful of small warts
+  * tcp: Send "empty" handshake ACK before first data segment
+  * test: Pass TRACE from run_term() into ./run from_term
+  * test/lib/term: Always use printf for messages with escape sequences
+  * conf: Add --dns-host option to configure host side nameserver
+  * conf: Add command line switch to enable IP_FREEBIND socket option
+  * udp: Update UDP checksum using an iovec array
+  * tcp: Update TCP checksum using an iovec array
+  * checksum: Add an offset argument in csum_iov()
+  * pcap: Add an offset argument in pcap_iov()
+  * tcp: Use tcp_payload_t rather than tcphdr
+  * test: Kernel binary can now be passed via the KERNEL environmental variable
+  * inany: Add inany_pton() helper
+  * tcp, udp: Make {tcp,udp}_sock_init() take an inany address
+  * util, pif: Replace sock_l4() with pif_sock_l4()
+  * udp: Don't attempt to get dual-stack sockets in nonsensical cases
+  * tcp: Allow checksum to be disabled
+  * udp: Allow checksum to be disabled
+  * util: Remove possible quadratic behaviour from write_remainder()
+  * util: Add helper to write() all of a buffer
+  * tcp: Make tcp_update_seqack_wnd()s force_seq parameter explicitly boolean
+  * tcp: Simplify ifdef logic in tcp_update_seqack_wnd()
+  * tcp: Clean up tcpi_snd_wnd probing
+  * tcp: Make some extra functions private
+  * tcp: Avoid overlapping memcpy() in DUP_ACK handling
+  * tcp: Remove redundant initialisation of iov[TCP_IOV_ETH].iov_base
+
 -------------------------------------------------------------------
 Thu Sep 12 11:08:38 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 

passt.spec

@@ -45,7 +45,7 @@
 
 %global selinuxtype targeted
 Name:           passt
-Version:        20240906.6b38f07
+Version:        20250415.2340bbf
 Release:        0
 Summary:        User-mode networking daemons for virtual machines and namespaces
 License:        GPL-2.0-or-later AND BSD-3-Clause
@@ -63,6 +63,7 @@ BuildRequires:  selinux-policy-targeted
 %endif
 %if %{with apparmor}
 BuildRequires:  apparmor-abstractions, apparmor-rpm-macros, libapparmor-devel
+Requires:       (%{name}-apparmor if apparmor-abstractions)
 %endif
 
 %description
@@ -76,6 +77,18 @@ for network namespaces: traffic is forwarded using a tap interface inside the
 namespace, without the need to create further interfaces on the host, hence not
 requiring any capabilities or privileges.
 
+%if %{with apparmor}
+%package        apparmor
+BuildArch:      noarch
+Summary:        Apparmor profiles for passt and pasta
+Requires:       %{name} = %{version}-%{release}
+Requires:       apparmor-abstractions
+Requires(post): apparmor-parser
+
+%description apparmor
+This package contains Apparmor profiles for passt and pasta.
+%endif
+
 %if %{with selinux}
 %package    selinux
 BuildArch:  noarch
@@ -130,7 +143,7 @@ popd
 %endif
 
 %if %{with apparmor}
-%post
+%post apparmor
 %apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.passt
 %apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.pasta
 %endif
@@ -145,8 +158,8 @@ popd
 
 %postun selinux
 if [ $1 -eq 0 ]; then
-	%selinux_modules_uninstall -s %{selinuxtype} passt
+        %selinux_modules_uninstall -s %{selinuxtype} passt
-	%selinux_modules_uninstall -s %{selinuxtype} pasta
+        %selinux_modules_uninstall -s %{selinuxtype} pasta
 fi
 
 %posttrans selinux
@@ -161,16 +174,11 @@ fi
 %{_bindir}/passt
 %{_bindir}/pasta
 %{_bindir}/qrap
-%if %{with apparmor}
+%{_bindir}/passt-repair
-%dir %{_sysconfdir}/apparmor.d
-%dir %{_sysconfdir}/apparmor.d/abstractions/
-%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.passt
-%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.pasta
-%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/pas*
-%endif
 %{_mandir}/man1/passt.1*
 %{_mandir}/man1/pasta.1*
 %{_mandir}/man1/qrap.1*
+%{_mandir}/man1/passt-repair.1*
 %ifarch x86_64
 %{_bindir}/passt.avx2
 %{_mandir}/man1/passt.avx2.1*
@@ -187,4 +195,13 @@ fi
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %endif
 
+%if %{with apparmor}
+%files apparmor
+%dir %{_sysconfdir}/apparmor.d
+%dir %{_sysconfdir}/apparmor.d/abstractions/
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.passt
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.pasta
+%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/pas*
+%endif
+
 %changelog