Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2023-05-24 20:21:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Wed May 24 20:21:48 2023 rev:18 rq:1088560 version:2.215.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2023-04-25 16:53:22.246121928 +0200
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.1533/container-selinux.changes
2023-05-24 20:21:58.124038697 +0200
@@ -1,0 +2,12 @@
+Tue May 23 07:32:16 UTC 2023 - Johannes Segitz <[email protected]>
+
+- Update to version 2.215.0:
+ * Add some MLS rules to policy
+ * Allow container runtime to dyntransition to spc_t
+ * Tighten controls on confined users
+ * Add labels for /var/lib/shared
+ * Cleanup entrypoint definitions
+ * Allow container_device_plugin_t access to debugfs
+ * Allow containers which use devices to map them
+
+-------------------------------------------------------------------
Old:
----
v2.211.0.tar.gz
New:
----
v2.215.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.tPhzMp/_old 2023-05-24 20:21:58.700042131 +0200
+++ /var/tmp/diff_new_pack.tPhzMp/_new 2023-05-24 20:21:58.704042155 +0200
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.211.0
+Version: 2.215.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ v2.211.0.tar.gz -> v2.215.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/.packit.sh
new/container-selinux-2.215.0/.packit.sh
--- old/container-selinux-2.211.0/.packit.sh 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/.packit.sh 2023-05-22 16:52:49.000000000
+0200
@@ -6,22 +6,22 @@
set -eo pipefail
+# Set path to rpm spec file
+SPEC_FILE=rpm/container-selinux.spec
+
# Get Version from HEAD
HEAD_VERSION=$(grep '^policy_module' container.te | sed 's/[^0-9.]//g')
# Generate source tarball
-git archive --prefix=container-selinux-$HEAD_VERSION/ -o
container-selinux-$HEAD_VERSION.tar.gz HEAD
+git archive --prefix=container-selinux-$HEAD_VERSION/ -o
rpm/container-selinux-$HEAD_VERSION.tar.gz HEAD
# RPM Spec modifications
# Update Version in spec with Version from container.te
-sed -i "s/^Version:.*/Version: $HEAD_VERSION/" container-selinux.spec
+sed -i "s/^Version:.*/Version: $HEAD_VERSION/" $SPEC_FILE
# Update Release in spec with Packit's release envvar
-sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/"
container-selinux.spec
+sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" $SPEC_FILE
# Update Source tarball name in spec
-sed -i "s/^Source:.*.tar.gz/Source: %{name}-$HEAD_VERSION.tar.gz/"
container-selinux.spec
-
-# Update setup macro to use the correct build dir
-sed -i "s/^%setup.*/%autosetup -Sgit -n %{name}-$HEAD_VERSION/"
container-selinux.spec
+sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-$HEAD_VERSION.tar.gz/" $SPEC_FILE
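Review bot: `$PACKIT_RPMSPEC_RELEASE` is interpolated into the new Release `sed` line without any check that it is set, and the script's `set -eo pipefail` (first context line of the hunk) lacks `-u`, so an unset variable silently writes `Release: %{?dist}` into the spec. Add `: "${PACKIT_RPMSPEC_RELEASE:?must be set by Packit}"` right after the new `SPEC_FILE=` assignment, or change the option line to `set -euo pipefail`. The new `$SPEC_FILE` references are unquoted; `"$SPEC_FILE"` matches the quoting already used for the sed expressions. In `s/^Source0:.*.tar.gz/` the dot before `tar` is an unescaped metacharacter; `\.tar\.gz` states the intent, even though it is harmless here.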
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/.packit.yaml
new/container-selinux-2.215.0/.packit.yaml
--- old/container-selinux-2.211.0/.packit.yaml 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/.packit.yaml 2023-05-22 16:52:49.000000000
+0200
@@ -5,7 +5,8 @@
# Build targets can be found at:
# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
-specfile_path: container-selinux.spec
+specfile_path: rpm/container-selinux.spec
+upstream_tag_template: v{version}
jobs:
- &copr
@@ -27,8 +28,6 @@
- make
- rpkg
actions:
- post-upstream-clone:
- - rpkg spec --outdir ./
fix-spec-file:
- bash .packit.sh
@@ -69,3 +68,19 @@
targets: *pr_copr_targets
identifier: podman_system_test
tmt_plan: "/plans/podman_system_test"
+
+ - job: propose_downstream
+ trigger: release
+ update_release: false
+ dist_git_branches:
+ - fedora-all
+
+ - job: koji_build
+ trigger: commit
+ dist_git_branches:
+ - fedora-all
+
+ - job: bodhi_update
+ trigger: commit
+ dist_git_branches:
+ - fedora-branched # rawhide updates are created automatically
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/Makefile
new/container-selinux-2.215.0/Makefile
--- old/container-selinux-2.211.0/Makefile 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/Makefile 2023-05-22 16:52:49.000000000
+0200
@@ -4,6 +4,7 @@
# Point SHAREDIR to DATADIR by default to not break existing users
DATADIR ?= /usr/share
SHAREDIR ?= ${DATADIR}
+SYSCONFDIR ?= /etc
all: ${TARGETS:=.pp.bz2}
@@ -30,6 +31,9 @@
install -D -pm 644 container_selinux.8
${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
install -D -pm 644 container_contexts
${DESTDIR}${SHAREDIR}/containers/selinux/contexts
+install.selinux-user:
+ install -D -pm 644 container_u
${DESTDIR}${SYSCONFDIR}/selinux/targeted/contexts/users/container_u
+
install.udica-templates:
install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
install -pm 644 udica-templates/*.cil
$(DESTDIR)$(SHAREDIR)/udica/templates
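Review bot: The new `install.selinux-user` target hard-codes the `targeted` policy store in its destination path, while the spec that invokes it keeps that name in `%{selinuxtype}`; a `SELINUXTYPE ?= targeted` knob next to the new `SYSCONFDIR ?= /etc` line and `${DESTDIR}${SYSCONFDIR}/selinux/${SELINUXTYPE}/contexts/users/container_u` as the destination would keep the two from drifting. The target creates no file named `install.selinux-user`, so it belongs in the Makefile's `.PHONY` list if one exists (that list is outside this hunk). A one-line comment above the target, `# default contexts for the container_u SELinux user (kept out of 'install' so distros can opt in)`, would record why it is not part of the main `install` target, assuming that is the reason.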
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.211.0/container-selinux.spec.rpkg
new/container-selinux-2.215.0/container-selinux.spec.rpkg
--- old/container-selinux-2.211.0/container-selinux.spec.rpkg 2023-04-22
13:28:56.000000000 +0200
+++ new/container-selinux-2.215.0/container-selinux.spec.rpkg 1970-01-01
01:00:00.000000000 +0100
@@ -1,122 +0,0 @@
-# For automatic rebuilds in COPR
-
-# The following tag is to get correct syntax highlighting for this file in vim
text editor
-# vim: syntax=spec
-
-%global debug_package %{nil}
-
-# container-selinux stuff (prefix with ds_ for version/release etc.)
-# Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
-%global moduletype services
-%global modulenames container
-
-# Usage: _format var format
-# Expand 'modulenames' into various formats as needed
-# Format must contain '$x' somewhere to do anything useful
-%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" ";
done;
-
-Name: {{{ git_dir_name }}}
-Epoch: 101
-Version: {{{ git_dir_version }}}
-Release: 1%{?dist}
-License: GPLv2
-URL: https://github.com/containers/container-selinux
-Summary: SELinux policies for container runtimes
-VCS: {{{ git_dir_vcs }}}
-Source: {{{ git_dir_pack }}}
-BuildArch: noarch
-BuildRequires: make
-BuildRequires: git-core
-BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %_selinux_policy_version
-BuildRequires: selinux-policy-devel >= %_selinux_policy_version
-# RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %_selinux_policy_version
-Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
-Requires(post): policycoreutils
-Requires(post): libselinux-utils
-Requires(post): sed
-Obsoletes: %{name} <= 2:1.12.5-13
-Obsoletes: docker-selinux <= 2:1.12.4-28
-Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
-Conflicts: udica < 0.2.6-1
-Conflicts: k3s-selinux <= 0.4-1
-
-%description
-SELinux policy modules for use with container runtimes.
-
-%prep
-{{{ git_dir_setup_macro }}}
-
-# Remove some lines for RHEL 8 build
-%if ! 0%{?fedora} && 0%{?rhel} <= 8
-sed -i 's/watch watch_reads//' container.if
-sed -i '/sysfs_t:dir watch/d' container.te
-sed -i '/systemd_chat_resolved/d' container.te
-%endif
-
-sed -i 's/man: install-policy/man:/' Makefile
-sed -i 's/install: man/install:/' Makefile
-
-# https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
-sed -i '/user_namespace/d' container.te
-%endif
-
-%build
-make
-
-%install
-# install policy modules
-%_format MODULES $x.pp.bz2
-%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates
-
-%check
-
-%pre
-%selinux_relabel_pre -s %{selinuxtype}
-
-%post
-# Install all modules in a single transaction
-if [ $1 -eq 1 ]; then
- %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
-fi
-%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
-. %{_sysconfdir}/selinux/config
-sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e
"container_file_t" -e "}" -i
/etc/selinux/${SELINUXTYPE}/contexts/customizable_types
-matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R
%{_sharedstatedir}/containers &> /dev/null || :
-
-%postun
-if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
-fi
-
-%posttrans
-%selinux_relabel_post -s %{selinuxtype}
-
-#define license tag if not already defined
-%{!?_licensedir:%global license %doc}
-
-%files
-%doc README.md
-%{_datadir}/selinux/*
-%{_mandir}/man8/*
-%dir %{_datadir}/containers/selinux
-%{_datadir}/containers/selinux/contexts
-%dir %{_datadir}/udica/templates/
-%{_datadir}/udica/templates/*
-
-%triggerpostun -- container-selinux < 2:2.162.1-3
-if %{_sbindir}/selinuxenabled ; then
- echo "Fixing Rootless SELinux labels in homedir"
- %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*
2> /dev/null
-fi
-
-%changelog
-{{{ git_dir_changelog }}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/container.fc
new/container-selinux-2.215.0/container.fc
--- old/container-selinux-2.211.0/container.fc 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/container.fc 2023-05-22 16:52:49.000000000
+0200
@@ -59,6 +59,7 @@
/etc/crio(/.*)?
gen_context(system_u:object_r:container_config_t,s0)
/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/registry(/.*)?
gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -116,7 +117,8 @@
/var/run/kata-containers(/.*)?
gen_context(system_u:object_r:container_kvm_var_run_t,s0)
-/(var|opt)/local-path-provisioner(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
+/var/local-path-provisioner(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
+/opt/local-path-provisioner(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubernetes/pods(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/container.if
new/container-selinux-2.215.0/container.if
--- old/container-selinux-2.211.0/container.if 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/container.if 2023-05-22 16:52:49.000000000
+0200
@@ -522,6 +522,7 @@
files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
+ files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")
filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file,
"config.env")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/container.te
new/container-selinux-2.215.0/container.te
--- old/container-selinux-2.211.0/container.te 2023-04-22 13:28:56.000000000
+0200
+++ new/container-selinux-2.215.0/container.te 2023-05-22 16:52:49.000000000
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.211.0)
+policy_module(container, 2.215.0)
gen_require(`
class passwd rootok;
@@ -81,7 +81,7 @@
range_transition container_runtime_t conmon_exec_t:process s0;
')
-type spc_t, container_domain;
+type spc_t;
domain_type(spc_t)
role system_r types spc_t;
@@ -205,6 +205,7 @@
manage_lnk_files_pattern(container_runtime_domain, container_home_t,
container_home_t)
userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t,
dir, ".container")
userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)
manage_dirs_pattern(container_runtime_domain, container_config_t,
container_config_t)
manage_files_pattern(container_runtime_domain, container_config_t,
container_config_t)
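Review bot: `userdom_map_user_home_files(container_runtime_t)` added here is added a second time in the later hunk `@@ -458,33 +475,38 @@` (just before `files_getattr_isid_type_dirs`); keep one copy, and give it a comment naming the runtime operation that maps files under the user's home directory. The call also targets `container_runtime_t` alone while every neighbouring rule uses the `container_runtime_domain` attribute, which is presumably deliberate but reads as a slip without a line such as `# only the main runtime type, not every runtime domain, maps home files`.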
@@ -217,7 +218,10 @@
manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
manage_files_pattern(container_runtime_domain, container_log_t,
container_log_t)
manage_lnk_files_pattern(container_runtime_domain, container_log_t,
container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
logging_log_filetrans(container_runtime_domain, container_log_t, { dir file
lnk_file })
+
allow container_runtime_domain container_log_t:dir_file_class_set {
relabelfrom relabelto };
filetrans_pattern(container_runtime_domain, container_var_lib_t,
container_log_t, file, "container-json.log")
allow container_runtime_domain { container_var_lib_t container_ro_file_t
}:file entrypoint;
@@ -276,6 +280,16 @@
term_use_all_ttys(container_runtime_domain)
term_use_all_inherited_terms(container_runtime_domain)
+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
kernel_read_network_state(container_runtime_domain)
kernel_read_all_sysctls(container_runtime_domain)
kernel_rw_net_sysctls(container_runtime_domain)
@@ -390,7 +404,10 @@
')
optional_policy(`
- iptables_domtrans(container_runtime_domain)
+ gen_require(`
+ role unconfined_r;
+ ')
+ iptables_run(container_runtime_domain, unconfined_r)
container_read_pid_files(iptables_t)
container_read_state(iptables_t)
@@ -458,33 +475,38 @@
dev_rw_lvm_control(container_runtime_domain)
dev_read_mtrr(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)
+
files_getattr_isid_type_dirs(container_runtime_domain)
files_manage_isid_type_dirs(container_runtime_domain)
files_manage_isid_type_files(container_runtime_domain)
files_manage_isid_type_symlinks(container_runtime_domain)
files_manage_isid_type_chr_files(container_runtime_domain)
files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
files_exec_isid_files(container_runtime_domain)
files_mounton_isid(container_runtime_domain)
files_mounton_non_security(container_runtime_domain)
files_mounton_isid_type_chr_file(container_runtime_domain)
-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
fs_manage_cgroup_dirs(container_runtime_domain)
fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
-fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
term_use_generic_ptys(container_runtime_domain)
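Review bot: `files_manage_etc_dirs(container_runtime_domain)` and `files_manage_etc_files(container_runtime_domain)` give every container runtime domain create/write/delete access to generic `etc_t` content, far broader than the `container_config_t` rules the file already has for the runtime's own configuration, and nothing in the hunk says why; the grant should carry a comment naming the operation that needs it (`# <runtime operation> writes generic files under /etc; see <issue>` with the reference filled in) or be narrowed behind a tunable. The alphabetical reorder of the `fs_*` calls leaves the pre-existing duplicates `fs_read_tmpfs_symlinks(container_runtime_domain)` (listed twice) and `files_mounton_isid(container_runtime_domain)` (listed twice) in place; dropping the second copies would finish the cleanup this hunk starts.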
@@ -648,12 +670,12 @@
role unconfined_r;
')
role unconfined_r types container_user_domain;
+ role unconfined_r types spc_t;
unconfined_domain(container_runtime_t)
unconfined_run_to(container_runtime_t, container_runtime_exec_t)
- role_transition unconfined_r container_runtime_exec_t system_r;
allow container_domain unconfined_domain_type:fifo_file {
rw_fifo_file_perms map };
allow container_runtime_domain unconfined_t:fifo_file setattr;
- allow unconfined_domain_type container_domain:process {transition
dyntransition };
+ allow unconfined_domain_type container_domain:process {transition
dyntransition};
allow unconfined_t unlabeled_t:key manage_key_perms;
allow container_runtime_t unconfined_t:process transition;
allow unconfined_domain_type { container_var_lib_t container_ro_file_t
}:file entrypoint;
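Review bot: Removing `role_transition unconfined_r container_runtime_exec_t system_r;` while adding `role unconfined_r types spc_t;` changes which role a runtime started from an unconfined shell keeps running under, and the hunk carries no comment explaining the pairing; a line such as `# runtimes launched from unconfined_r keep that role, so spc_t must be authorised for it too` would make the intent explicit. If the runtime is meant to stay in `unconfined_r`, the role authorisation for `container_runtime_t` presumably comes from `unconfined_run_to` on the following line, which is worth stating in the same comment. The enclosing `optional_policy` block begins outside the hunk.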
@@ -692,7 +714,7 @@
#
# spc local policy
#
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file
entrypoint;
role system_r types spc_t;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -706,11 +728,13 @@
allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
allow spc_t { container_ro_file_t container_file_t }:system module_load;
-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched
signal_perms };
ps_process_pattern(container_runtime_domain, spc_t)
allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom
};
allow spc_t unlabeled_t:key manage_key_perms;
allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+fs_fusefs_entrypoint(spc_t)
+corecmd_entrypoint_all_executables(spc_t)
init_dbus_chat(spc_t)
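Review bot: `fs_fusefs_entrypoint(spc_t)` is added here and again in the hunk `@@ -858,7 +885,7 @@` (directly after `fs_fusefs_entrypoint(container_domain)`); keep one. The new `dyntransition` in `allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };` lets a runtime switch into spc_t without an exec, which carries more weight now that `type spc_t;` at the top of the file no longer has the `container_domain` attribute, so the line deserves a comment naming the code path that performs the `setcon` (`# runtime re-labels itself to spc_t via setcon for <use case>` with the use case filled in). `corecmd_entrypoint_all_executables(spc_t)` widens spc_t entry to every `exec_type` and presumably replaces what `container_domain` membership used to provide; say so in a comment so the two changes are read together.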
@@ -745,7 +769,10 @@
gen_require(`
attribute virt_domain;
type virtd_t;
+ role unconfined_r;
')
+ role unconfined_r types virt_domain;
+ role unconfined_r types virtd_t;
container_spc_read_state(virt_domain)
container_spc_rw_pipes(virt_domain)
allow container_runtime_t virtd_t:process transition;
@@ -858,7 +885,7 @@
allow container_domain self:unix_stream_socket { sendto
create_stream_socket_perms };
fs_rw_onload_sockets(container_domain)
fs_fusefs_entrypoint(container_domain)
-
+fs_fusefs_entrypoint(spc_t)
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
@@ -1188,6 +1215,8 @@
attribute userdomain;
')
+ allow userdomain container_domain:process transition;
+
can_exec(userdomain, container_runtime_exec_t)
container_manage_files(userdomain)
container_manage_share_dirs(userdomain)
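Review bot: `allow userdomain container_domain:process transition;` permits every user domain to transition into every container domain, and it lands in a `gen_require` block whose enclosing `optional_policy` begins outside the hunk, with no comment on what needs it. If the intent is that confined users run containers through the runtime, the `container_runtime_run` path used later in this diff already covers the runtime side, so a comment such as `# direct userdomain -> container_domain transition needed for <path>` should record the remaining case. Without a matching `type_transition` this is a permission only, which is also worth stating on the line.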
@@ -1280,6 +1309,7 @@
optional_policy(`
qemu_entry_type(container_kvm_t)
qemu_exec(container_kvm_t)
+ allow container_kvm_t qemu_exec_t:file { entrypoint execute
execute_no_trans getattr ioctl lock map open read };
')
manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
@@ -1316,8 +1346,8 @@
')
tunable_policy(`container_use_devices',`
- allow container_domain device_node:chr_file rw_chr_file_perms;
- allow container_domain device_node:blk_file rw_blk_file_perms;
+ allow container_domain device_node:chr_file {rw_chr_file_perms map};
+ allow container_domain device_node:blk_file {rw_blk_file_perms map};
')
tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -1384,7 +1414,6 @@
gen_require(`
type sysadm_t;
role sysadm_r;
- attribute userdomain;
role unconfined_r;
')
@@ -1403,6 +1432,7 @@
container_domain_template(container_device_plugin, container)
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
+kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
# Standard container which needs to be allowed to use any device and
@@ -1441,3 +1471,32 @@
container_runtime_domtrans(sshd_t)
dontaudit systemd_logind_t iptables_var_run_t:dir read;
')
+
+role container_user_r;
+userdom_restricted_user_template(container_user)
+userdom_manage_home_role(container_user_r, container_user_t)
+
+allow container_user_t container_domain:process { getattr getcap getsched
sigchld sigkill signal signull sigstop };
+
+role container_user_r types container_domain;
+role container_user_r types container_user_domain;
+role container_user_r types container_net_domain;
+role container_user_r types container_file_type;
+container_runtime_run(container_user_t, container_user_r)
+
+fs_manage_cgroup_dirs(container_user_t)
+fs_manage_cgroup_files(container_user_t)
+
+selinux_compute_access_vector(container_user_t)
+systemd_dbus_chat_hostnamed(container_user_t)
+systemd_start_systemd_services(container_user_t)
+
+
+allow container_domain container_file_t:file entrypoint;
+allow container_domain container_ro_file_t:file { entrypoint execmod execute
execute_no_trans getattr ioctl lock map open read };
+allow container_domain container_var_lib_t:file entrypoint;
+allow container_domain fusefs_t:file { append create entrypoint execmod
execute execute_no_trans getattr ioctl link lock map mounton open read rename
setattr unlink watch watch_reads write };
+
+corecmd_entrypoint_all_executables(container_kvm_t)
+allow svirt_sandbox_domain exec_type:file { entrypoint execute
execute_no_trans getattr ioctl lock map open read };
+allow svirt_sandbox_domain mountpoint:file entrypoint;
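Review bot: The new top-level rules after the last `optional_policy` reference `fusefs_t`, `exec_type`, `mountpoint` and `svirt_sandbox_domain` directly; unless the file-level `gen_require` at the top of container.te (outside these hunks) already declares them the module will not compile, and using the refpolicy interfaces sidesteps the question: `fs_manage_fusefs_files(container_domain)` covers the manage half of the `fusefs_t` rule, leaving only `{ entrypoint execmod mounton }` to be written out with a comment. That `fusefs_t` rule grants every container domain `execmod` and `mounton` on top of full write access on FUSE mounts and overlaps `fs_fusefs_entrypoint(container_domain)` two hunks earlier, so the execmod/mounton bits need a one-line justification. `role container_user_r types container_file_type;` associates a role with a file-type attribute, which is meaningless for file objects and looks unintended. `systemd_start_systemd_services(container_user_t)` lets the new restricted user start services, which the changelog's "Tighten controls on confined users" entry does not explain; either drop it or comment why a restricted container user needs it.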
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/container_u
new/container-selinux-2.215.0/container_u
--- old/container-selinux-2.211.0/container_u 1970-01-01 01:00:00.000000000
+0100
+++ new/container-selinux-2.215.0/container_u 2023-05-22 16:52:49.000000000
+0200
@@ -0,0 +1,8 @@
+system_r:init_t:s0 container_user_r:container_user_t:s0
+system_r:local_login_t:s0 container_user_r:container_user_t:s0
+system_r:remote_login_t:s0 container_user_r:container_user_t:s0
+system_r:sshd_t:s0 container_user_r:container_user_t:s0
+system_r:cockpit_session_t:s0 container_user_r:container_user_t:s0
+system_r:crond_t:s0 container_user_r:container_user_t:s0
container_user_r:cronjob_t:s0
+system_r:xdm_t:s0 container_user_r:container_user_t:s0
+
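Review bot: This contexts file only takes effect for a SELinux user literally named `container_u`, and none of the container.te hunks in this diff declares one (no `gen_user(container_u, ...)`), so the user must be created elsewhere (for example with `semanage user -a`) or the file has no effect; whichever it is should be recorded in the Makefile comment for `install.selinux-user` or in README.md, since this file format is not documented to accept comments. The `crond_t` line lists `container_user_r:cronjob_t:s0` as the first candidate, but the role statements added at the end of container.te do not authorise `cronjob_t` for `container_user_r`; if that is not done elsewhere the entry is presumably never selected. The trailing empty `+` line can be dropped.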
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/rpm/container-selinux.spec
new/container-selinux-2.215.0/rpm/container-selinux.spec
--- old/container-selinux-2.211.0/rpm/container-selinux.spec 1970-01-01
01:00:00.000000000 +0100
+++ new/container-selinux-2.215.0/rpm/container-selinux.spec 2023-05-22
16:52:49.000000000 +0200
@@ -0,0 +1,157 @@
+%global debug_package %{nil}
+
+# container-selinux upstream
+%global git0 https://github.com/containers/container-selinux
+
+# container-selinux stuff (prefix with ds_ for version/release etc.)
+# Some bits borrowed from the openstack-selinux package
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames container
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" ";
done;
+
+# copr_username is only set on copr environments, not on others like koji
+%if "%{?copr_username}" != "rhcontainerbot"
+%bcond_with copr
+%else
+%bcond_without copr
+%endif
+
+# RHEL 8 doesn't allow watch and systemd_chat_resolved
+%if 0%{?rhel} == 8
+%bcond_without no_watch
+%bcond_without no_systemd_chat_resolved
+%else
+%bcond_with no_watch
+%bcond_with no_systemd_chat_resolved
+%endif
+
+# https://github.com/containers/container-selinux/issues/203
+%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
+%bcond_without no_user_namespace
+%else
+%bcond_with no_user_namespace
+%endif
+
+Name: container-selinux
+# Set different Epochs for copr and koji
+%if %{with copr}
+Epoch: 101
+%else
+Epoch: 2
+%endif
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 0
+Release: %autorelease
+License: GPL-2.0-only
+URL: %{git0}
+Summary: SELinux policies for container runtimes
+Source0: %{git0}/archive/v%{version}.tar.gz
+BuildArch: noarch
+BuildRequires: make
+BuildRequires: git-core
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+# RE: rhbz#1195804 - ensure min NVR for selinux-policy
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): policycoreutils
+Requires(post): libselinux-utils
+Requires(post): sed
+Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: docker-selinux <= 2:1.12.4-28
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
+Conflicts: udica < 0.2.6-1
+Conflicts: k3s-selinux <= 0.4-1
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+%autosetup -Sgit %{name}-%{version}
+
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{with no_watch}
+sed -i 's/watch watch_reads//' container.if
+sed -i 's/watch watch_reads//' container.te
+sed -i '/sysfs_t:dir watch/d' container.te
+%endif
+
+%if %{with no_systemd_chat_resolved}
+sed -i '/^systemd_chat_resolved/d' container.te
+%endif
+
+%if %{with no_user_namespace}
+sed -i '/user_namespace/d' container.te
+%endif
+
+%build
+make
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+%{__make} DATADIR=%{buildroot}%{_datadir}
SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates
install.selinux-user
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
+%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e
"container_file_t" -e "}" -i
/etc/selinux/${SELINUXTYPE}/contexts/customizable_types
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R
%{_sharedstatedir}/containers &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%doc README.md
+%{_datadir}/selinux/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica/templates/
+%{_datadir}/udica/templates/*
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
+%ghost
%{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+ echo "Fixing Rootless SELinux labels in homedir"
+ %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*
2> /dev/null
+fi
+
+%changelog
+%if 0%{?rhel} <= 8 && ! 0%{?fedora}
+* Mon May 01 2023 RH Container Bot <[email protected]>
+- Dummy changelog for CentOS Stream 8
+%else
+%autochangelog
+%endif
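Review bot: `%files` owns `%{_sysconfdir}/selinux/targeted/contexts/users/*` with the store name spelled out, although the file defines `%global selinuxtype targeted` and uses `%{selinuxtype}` everywhere else; `%{_sysconfdir}/selinux/%{selinuxtype}/contexts/users/container_u` keeps the two in step and owns exactly the file the new Makefile target installs rather than anything else that lands in that directory. The `%post` scriptlet sources `%{_sysconfdir}/selinux/config` and then edits `/etc/selinux/${SELINUXTYPE}/contexts/customizable_types` with a literal `/etc` (carried over from the deleted `.rpkg` file), which is the same macro-versus-literal mismatch in the other direction. The `%install` line passes `SYSCONFDIR=%{buildroot}%{_sysconfdir}` into a Makefile path that also hard-codes `targeted`, so if the store name is ever parameterised it must change in both places.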
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.211.0/rpm/update-spec-version.sh
new/container-selinux-2.215.0/rpm/update-spec-version.sh
--- old/container-selinux-2.211.0/rpm/update-spec-version.sh 1970-01-01
01:00:00.000000000 +0100
+++ new/container-selinux-2.215.0/rpm/update-spec-version.sh 2023-05-22
16:52:49.000000000 +0200
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# This script will update the Version field in the spec which is set to 0 by
+# default. Useful for local manual rpm builds where the Version needs to be set
+# correctly.
+
+SPEC_FILE=$(pwd)/container-selinux.spec
+LATEST_TAG=$(git tag --sort=creatordate | tail -1)
+LATEST_VERSION=$(echo $LATEST_TAG | sed -e 's/^v//')
+
+sed -i "s/^Version:.*/Version: $LATEST_VERSION/" $SPEC_FILE
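Review bot: `LATEST_TAG=$(git tag --sort=creatordate | tail -1)` yields an empty string in a checkout with no tags, and with no `set -e`/`-u` and an unquoted `$LATEST_VERSION` the final `sed` then silently writes `Version: ` into the spec; the script should fail loudly instead. `SPEC_FILE=$(pwd)/container-selinux.spec` assumes the script is run from inside `rpm/`, whereas the sibling `.packit.sh` in this diff addresses the spec as `rpm/container-selinux.spec` from the repository root; anchoring on the script's own directory removes that assumption. `$SPEC_FILE` and `$LATEST_TAG` are unquoted throughout, and the `echo | sed` pipeline is a plain parameter expansion.
```shell
set -euo pipefail

# … unchanged: header comment …

SPEC_FILE="$(dirname "$0")/container-selinux.spec"
LATEST_TAG=$(git tag --sort=creatordate | tail -1)
LATEST_VERSION=${LATEST_TAG#v}
[ -n "$LATEST_VERSION" ] || { echo "no git tag found; cannot set Version" >&2; exit 1; }

sed -i "s/^Version:.*/Version: $LATEST_VERSION/" "$SPEC_FILE"
```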