Use _fortify_level to disable fortification.

Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>

0025-selinux-prepare-for-anon-inode-controls-enablement.patch

@@ -0,0 +1,42 @@
+From 73218e291ca68a927965bdffa7d43d0fc62c2718 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 27 Jul 2022 17:14:25 +0200
+Subject: [PATCH] selinux: prepare for anon inode controls enablement
+
+We plan to start labeling anon inodes (userfaultfd and io_uring file
+descriptors) properly in selinux-policy, which means that domains using
+these will need new rules.
+
+See: https://github.com/fedora-selinux/selinux-policy/pull/1351
+
+Since ceph may optionally use io_uring, this patch adds the necessary
+interface call to its policy to avoid a regression. As the new interface
+call is put under a conditional, the policy package will be buildable
+against selinux-policy with or without the above PR merged, but it will
+need to be rebuilt against the updated selinux-policy to actually pick
+up the new rules.
+
+I tested this on a minimal ceph cluster with 'bdev_ioring = true' added
+to ceph.conf. I got io_uring denials without this patch + with
+selinux-policy with PR#1351 and no denials with ceph rebuilt with this
+patch.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ selinux/ceph.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/selinux/ceph.te b/selinux/ceph.te
+index 77d35d9714b60..729bce1fc8589 100644
+--- a/selinux/ceph.te
++++ b/selinux/ceph.te
+@@ -75,6 +75,9 @@ manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+ 
+ kernel_read_system_state(ceph_t)
+ kernel_read_network_state(ceph_t)
++ifdef(`kernel_io_uring_use',`
++	kernel_io_uring_use(ceph_t)
++')
+ allow ceph_t kernel_t:system module_request;
+ 
+ corenet_all_recvfrom_unlabeled(ceph_t)

ceph.spec

@@ -162,7 +162,7 @@
 #################################################################################
 Name:		ceph
 Version:	17.2.5
-Release:	5%{?dist}
+Release:	6%{?dist}
 %if 0%{?fedora} || 0%{?rhel}
 Epoch:		2
 %endif
@@ -193,6 +193,7 @@ Patch0019:	0019-cmake-modules-CheckCxxAtomic.cmake.patch
 Patch0020:	0020-src-arrow-cpp-cmake_modules-ThirdpartyToolchain.cmake.patch
 Patch0023:	0023-src-s3select-include-s3select_parquet_intrf.h.patch
 Patch0024:	0024-gcc-13.patch
+Patch0025:	0025-selinux-prepare-for-anon-inode-controls-enablement.patch
 # ceph 14.0.1 does not support 32-bit architectures, bugs #1727788, #1727787
 ExcludeArch:	i686 armv7hl
 %if 0%{?suse_version}
@@ -1347,10 +1348,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS -DFMT_DEPRECATED_OSTREAM"
 
 %if 0%{with seastar}
 # seastar uses longjmp() to implement coroutine. and this annoys longjmp_chk()
-export CXXFLAGS=$(echo $RPM_OPT_FLAGS | sed -e 's/-Wp,-D_FORTIFY_SOURCE=2//g')
-# remove from CFLAGS too because it causes the arrow submodule to fail with:
-#   warning _FORTIFY_SOURCE requires compiling with optimization (-O)
-export CFLAGS=$(echo $RPM_OPT_FLAGS | sed -e 's/-Wp,-D_FORTIFY_SOURCE=2//g')
+%undefine _fortify_level
 %endif
 
 env | sort
@@ -2625,6 +2623,12 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Fri Jan 20 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2:17.2.5-6
+- Use _fortify_level to disable fortification.
+
+* Thu Jan 19 2023 Ondrej Mosnacek <omosnace@redhat.com>
+- Prepare for anon inode SELinux controls enablement
+
 * Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:17.2.5-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild