Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2021-01-15 19:44:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"

Fri Jan 15 19:44:14 2021 rev:5 rq:862254 version:2.154.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes	2020-11-06 23:42:47.115530479 +0100
+++ /work/SRC/openSUSE:Factory/.container-selinux.new.28504/container-selinux.changes	2021-01-15 19:44:32.625870191 +0100
@@ -1,0 +2,10 @@
+Mon Jan 11 10:40:32 UTC 2021 - Thorsten Kukuk <[email protected]>
+
+- Update to version 2.154.0
+  - Allow confined user domains to run confined container domains.
+  - Allow all containers to use nfs shares, iff virt_use_nfs boolean
+    is enabled.
+  - Allow containers to read nsfs file systems.
+  - KVM Container need to use tunnel sockets created by runtime.
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.150.0.tar.gz

New:
----
  container-selinux-2.154.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.HxrhAr/_old	2021-01-15 19:44:33.189871115 +0100
+++ /var/tmp/diff_new_pack.HxrhAr/_new	2021-01-15 19:44:33.193871121 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package container-selinux
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name: container-selinux
-Version: 2.150.0
+Version: 2.154.0
 Release: 0
 Summary: SELinux policies for container runtimes
 License: GPL-2.0-only

++++++ container-selinux-2.150.0.tar.gz -> container-selinux-2.154.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.150.0/container.if new/container-selinux-2.154.0/container.if
--- old/container-selinux-2.150.0/container.if	2020-10-22 21:07:11.000000000 +0200
+++ new/container-selinux-2.154.0/container.if	2020-12-30 18:20:50.000000000 +0100
@@ -796,10 +796,12 @@
 		type container_runtime_t;
 		type container_var_lib_t;
 		type container_ro_file_t;
+		role system_r, sysadm_r;
 	')

 	type $1_t, container_runtime_domain;
 	role system_r types $1_t;
+	role sysadm_r types $1_t;
 	domain_type($1_t)
 	domain_subj_id_change_exemption($1_t)
 	domain_role_change_exemption($1_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.150.0/container.te new/container-selinux-2.154.0/container.te
--- old/container-selinux-2.150.0/container.te	2020-10-22 21:07:11.000000000 +0200
+++ new/container-selinux-2.154.0/container.te	2020-12-30 18:20:50.000000000 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.150.0)
+policy_module(container, 2.154.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -37,6 +37,7 @@
 type container_runtime_exec_t alias docker_exec_t;
 can_exec(container_runtime_t,container_runtime_exec_t)
 attribute container_domain;
+attribute container_user_domain;
 attribute container_net_domain;
 allow container_runtime_domain container_domain:process { dyntransition transition };
 allow container_domain container_runtime_domain:process sigchld;
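Review bot: `role sysadm_r types $1_t;` is granted unconditionally by container_runtime_domain_template(), so every runtime domain any caller builds with this template becomes reachable from sysadm_r, and the new `role system_r, sysadm_r;` require makes the template fail to expand on a policy that has no sysadm_r role. If both are intended, the interface documentation block above this hunk (outside the visible lines) should list sysadm_r next to system_r so callers know the role reach; a short note such as `# sysadm_r can run every runtime domain built from this template` on the role line would also help. The template's definition continues past the end of the hunk.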
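Review bot: `attribute container_user_domain;` is declared without a comment saying what membership means, yet later hunks in this diff use it as the set of container domains that staff_r and user_r may transition into (`role staff_r types container_user_domain;`), so every type added to it becomes reachable from unprivileged user roles. A one-line comment above the declaration makes that a conscious decision rather than bookkeeping, e.g. `# container domains that confined user roles (staff_r/user_r) may run; adding a type here widens what unprivileged users can reach`.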
@@ -485,6 +486,16 @@
 	type cephfs_t;
 ')

+tunable_policy(`virt_use_nfs',`
+	fs_manage_nfs_dirs(container_domain)
+	fs_manage_nfs_files(container_domain)
+	fs_manage_nfs_named_sockets(container_domain)
+	fs_manage_nfs_symlinks(container_domain)
+	fs_mount_nfs(container_domain)
+	fs_unmount_nfs(container_domain)
+	fs_exec_nfs_files(container_domain)
+')
+
 tunable_policy(`container_use_cephfs',`
 	manage_files_pattern(container_domain, cephfs_t, cephfs_t)
 	manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
@@ -561,13 +572,6 @@
 ')

 optional_policy(`
-	gen_require(`
-		role staff_r;
-	')
-	role_transition staff_r container_runtime_exec_t system_r;
-')
-
-optional_policy(`
 	unconfined_stub_role()
 	unconfined_domain(container_runtime_t)
 	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
@@ -723,7 +727,7 @@
 gen_require(`
 	type container_t;
 ')
-typeattribute container_t container_domain, container_net_domain;
+typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
@@ -830,6 +834,7 @@
 fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
+fs_read_nsfs_files(container_domain)

 term_use_all_inherited_terms(container_domain)

@@ -1033,7 +1038,7 @@
 #

 container_domain_template(container_userns)
-typeattribute container_userns_t sandbox_net_domain;
+typeattribute container_userns_t sandbox_net_domain, container_user_domain;

 dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)
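Review bot: The new `tunable_policy(`virt_use_nfs',` block keys a grant to every container_domain off a boolean owned by the virt module, so an administrator who flips it for libvirt guests also gives all containers manage, exec, mount and unmount on every NFS-labelled file; the neighbouring `container_use_cephfs` tunable is container-specific, and a `container_use_nfs` boolean (or at least a `## <desc>` block above this hunk stating that the switch is shared with virt) would keep the two blast radii separate. `fs_mount_nfs(container_domain)` and `fs_unmount_nfs(container_domain)` also go beyond what a bind-mounted share needs; unless a runtime is known to mount NFS from inside the container domain, dropping those two lines narrows the grant without affecting the volume use case. If `virt_use_nfs` is not declared or `gen_require`d in this module (not visible here), the module presumably also fails to load on systems without the virt policy, which is worth a comment either way.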
@@ -1101,10 +1106,10 @@
 	role sysadm_r types spc_t;

 	container_runtime_run(staff_t, staff_r)
-	role staff_r types container_domain;
+	role staff_r types container_user_domain;

 	container_runtime_run(user_t, user_r)
-	role user_r types container_domain;
+	role user_r types container_user_domain;
 ')

 gen_require(`
@@ -1128,7 +1133,7 @@
 # Container kvm - Policy for running kata containers

 container_domain_template(container_kvm)
-typeattribute container_kvm_t container_net_domain;
+typeattribute container_kvm_t container_net_domain, container_user_domain;

 type container_kvm_var_run_t;
 files_pid_file(container_kvm_var_run_t)
@@ -1148,6 +1153,8 @@
 container_stream_connect(container_kvm_t)


+allow container_kvm_t container_runtime_t:tun_socket attach_queue;
+
 dev_rw_inherited_vhost(container_kvm_t)
 dev_rw_vfio_dev(container_kvm_t)

@@ -1179,7 +1186,7 @@
 # Container init - Policy for running systemd based containers

 container_domain_template(container_init)
-typeattribute container_init_t container_net_domain;
+typeattribute container_init_t container_net_domain, container_user_domain;

 corenet_unconfined(container_init_t)

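Review bot: `typeattribute container_kvm_t container_net_domain, container_user_domain;` makes the kata/KVM domain runnable from staff_r and user_r (through the `role staff_r types container_user_domain;` change in the first hunk on this line), and the context lines a few lines below show that this domain carries `dev_rw_vfio_dev` and `dev_rw_inherited_vhost`, i.e. direct access to VFIO and vhost device nodes. If handing that to unprivileged user roles is intended, say so on the line, e.g. `# runnable from confined user roles; note container_kvm_t keeps vfio/vhost device access`; if it is not, leave container_kvm_t out of container_user_domain and keep it reachable only from system_r/sysadm_r (whether a user actually reaches it in practice also depends on the runtime's own checks, which this policy cannot see). The new `allow container_kvm_t container_runtime_t:tun_socket attach_queue;` would also benefit from a why-comment such as `# qemu attaches to tap queues the runtime already opened; attach_queue only, no create/relabel`, so the deliberately minimal permission set stays minimal.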
