Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2023-10-02 20:04:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux" Mon Oct 2 20:04:17 2023 rev:19 rq:1112592 version:2.222.0 Changes: -------- --- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2023-05-24 20:21:58.124038697 +0200 +++ /work/SRC/openSUSE:Factory/.container-selinux.new.28202/container-selinux.changes 2023-10-02 20:05:05.723846109 +0200 @@ -1,0 +2,18 @@ +Wed Sep 20 14:21:29 UTC 2023 - Johannes Segitz <[email protected]> + +- Update to version 2.222: + * Allow containers to read/write inherited dri devices + +------------------------------------------------------------------- +Tue Aug 15 05:48:12 UTC 2023 - Johannes Segitz <[email protected]> + +- Update to version 2.221: + * Allow containers to shutdown sockets inherited from container + runtimes + * Allow spc_t to use execmod libraries on container file systems + * Add boolean to allow containers to read all cert files + * More MLS Policy allow rules + * Allow container runtimes using pasta bind icmp_socket to port_t + * Fix spc_t transitions from container_runtime_domain + +------------------------------------------------------------------- Old: ---- v2.215.0.tar.gz New: ---- v2.222.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++ --- /var/tmp/diff_new_pack.GMvzay/_old 2023-10-02 20:05:06.739882649 +0200 +++ /var/tmp/diff_new_pack.GMvzay/_new 2023-10-02 20:05:06.743882793 +0200 
@@ -26,7 +26,7 @@ # Version of SELinux we were using %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}') Name: container-selinux -Version: 2.215.0 +Version: 2.222.0 Release: 0 Summary: SELinux policies for container runtimes License: GPL-2.0-only ++++++ v2.215.0.tar.gz -> v2.222.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/.packit.sh new/container-selinux-2.222.0/.packit.sh --- old/container-selinux-2.215.0/.packit.sh 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/.packit.sh 1970-01-01 01:00:00.000000000 +0100 @@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -# Packit's default fix-spec-file often doesn't fetch version string correctly. -# This script handles any custom processing of the dist-git spec file and gets used by the -# fix-spec-file action in .packit.yaml - -set -eo pipefail - -# Set path to rpm spec file -SPEC_FILE=rpm/container-selinux.spec - -# Get Version from HEAD -HEAD_VERSION=$(grep '^policy_module' container.te | sed 's/[^0-9.]//g') - -# Generate source tarball -git archive --prefix=container-selinux-$HEAD_VERSION/ -o rpm/container-selinux-$HEAD_VERSION.tar.gz HEAD - -# RPM Spec modifications - -# Update Version in spec with Version from container.te -sed -i "s/^Version:.*/Version: $HEAD_VERSION/" $SPEC_FILE - -# Update Release in spec with Packit's release envvar -sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" $SPEC_FILE - -# Update Source tarball name in spec -sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-$HEAD_VERSION.tar.gz/" $SPEC_FILE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/.packit.yaml new/container-selinux-2.222.0/.packit.yaml --- old/container-selinux-2.215.0/.packit.yaml 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/.packit.yaml 2023-09-17 15:46:26.000000000 +0200 
@@ -2,57 +2,29 @@ # See the documentation for more information: # https://packit.dev/docs/configuration/ -# Build targets can be found at: -# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/ - specfile_path: rpm/container-selinux.spec upstream_tag_template: v{version} +srpm_build_deps: + - make + jobs: - - &copr - job: copr_build - # Run on every PR + - job: copr_build trigger: pull_request - owner: rhcontainerbot - project: packit-builds enable_net: true - # x86_64 is assumed by default # container-selinux is noarch so we only need to test on one arch targets: &pr_copr_targets - - fedora-rawhide - - fedora-38 - - fedora-37 + - fedora-all - centos-stream-9 - centos-stream-8 - srpm_build_deps: - - make - - rpkg - actions: - fix-spec-file: - - bash .packit.sh - - <<: *copr - # Run on commit to main branch + # Run on commit to main branch + - job: copr_build trigger: commit branch: main + owner: rhcontainerbot project: podman-next - targets: - - fedora-rawhide-aarch64 - - fedora-rawhide-ppc64le - - fedora-rawhide-s390x - - fedora-rawhide-x86_64 - - fedora-38-aarch64 - - fedora-38-ppc64le - - fedora-38-s390x - - fedora-38-x86_64 - - fedora-37-aarch64 - - fedora-37-ppc64le - - fedora-37-s390x - - fedora-37-x86_64 - - centos-stream+epel-next-9-aarch64 - - centos-stream+epel-next-9-ppc64le - - centos-stream+epel-next-9-s390x - - centos-stream+epel-next-9-x86_64 + enable_net: true # All tests specified in the `/plans/` subdir # FIXME: uncomment e2e tests after disk space issues resolved on testing farm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/README.md new/container-selinux-2.222.0/README.md --- old/container-selinux-2.215.0/README.md 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/README.md 2023-09-17 15:46:26.000000000 +0200 
@@ -8,7 +8,7 @@ **[`container_t` versus `svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)** Clarifys `container_t` versus `svirt_lxc_net_t` aliases -**[SELinux, Podman, and Libvert](https://danwalsh.livejournal.com/81143.html)** +**[SELinux, Podman, and Libvirt](https://danwalsh.livejournal.com/81143.html)** Information regarding SELinux blocking Podman container from talking to Libvirt **[Caution Relabeling Volumes with Container Runtimes](https://danwalsh.livejournal.com/76016.html)** diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/container.fc new/container-selinux-2.222.0/container.fc --- old/container-selinux-2.215.0/container.fc 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/container.fc 2023-09-17 15:46:26.000000000 +0200 @@ -112,6 +112,8 @@ /var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) + +/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) 
@@ -135,7 +137,6 @@ /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/container.te new/container-selinux-2.222.0/container.te --- old/container-selinux-2.215.0/container.te 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/container.te 2023-09-17 15:46:26.000000000 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.215.0) +policy_module(container, 2.222.0) gen_require(` class passwd rootok; @@ -19,6 +19,13 @@ ## <desc> ## <p> +## Allow all container domains to read cert files and directories +## </p> +## </desc> +gen_tunable(container_read_certs, false) + +## <desc> +## <p> ## Determine whether sshd can launch container engines ## </p> ## </desc> @@ -129,6 +136,7 @@ term_pty(container_devpts_t) typealias container_ro_file_t alias { container_share_t docker_share_t }; +typeattribute container_ro_file_t container_file_type, user_home_type; files_mountpoint(container_ro_file_t) userdom_user_home_content(container_ro_file_t) @@ -169,6 +177,7 @@ allow container_runtime_domain self:udp_socket create_socket_perms; allow container_runtime_domain self:capability2 block_suspend; allow container_runtime_domain container_port_t:tcp_socket name_bind; +allow container_runtime_domain port_t:icmp_socket name_bind; allow container_runtime_domain self:filesystem associate; allow container_runtime_domain self:packet_socket create_socket_perms; allow container_runtime_domain self:socket create_socket_perms; 
@@ -209,11 +218,12 @@ manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t) manage_files_pattern(container_runtime_domain, container_config_t, container_config_t) -files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container") +files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers") manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t) manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t) files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc") +files_manage_generic_locks(container_runtime_domain) manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t) manage_files_pattern(container_runtime_domain, container_log_t, container_log_t) 
@@ -247,8 +257,23 @@ manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto }; can_exec(container_runtime_domain, container_ro_file_t) + +manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) + +manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) + filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init") filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay") filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2") 
@@ -266,6 +291,7 @@ manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto }; files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file }) +files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers") manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) @@ -274,6 +300,7 @@ manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom; allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(container_runtime_domain, container_devpts_t) @@ -295,6 +322,8 @@ kernel_rw_net_sysctls(container_runtime_domain) kernel_setsched(container_runtime_domain) kernel_rw_all_sysctls(container_runtime_domain) +kernel_mounton_all_proc(container_runtime_domain) +fs_getattr_all_fs(container_runtime_domain) domain_obj_id_change_exemption(container_runtime_t) domain_subj_id_change_exemption(container_runtime_t) @@ -585,6 +614,10 @@ allow container_domain cephfs_t:file execmod; ') +tunable_policy(`container_read_certs',` + miscfiles_read_all_certs(container_domain) +') + gen_require(` type ecryptfs_t; ') 
@@ -606,17 +639,14 @@ fs_exec_fusefs_files(container_runtime_domain) storage_rw_fuse(container_runtime_domain) -optional_policy(` - files_search_all(container_domain) - container_read_share_files(container_domain) - container_exec_share_files(container_domain) - allow container_domain container_ro_file_t:file execmod; - container_lib_filetrans(container_domain,container_file_t, sock_file) - container_use_ptys(container_domain) - container_spc_stream_connect(container_domain) - fs_dontaudit_remount_tmpfs(container_domain) - dev_dontaudit_mounton_sysfs(container_domain) -') +files_search_all(container_domain) +container_read_share_files(container_domain) +container_exec_share_files(container_domain) +allow container_domain container_ro_file_t:file execmod; +container_lib_filetrans(container_domain,container_file_t, sock_file) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) optional_policy(` apache_exec_modules(container_runtime_domain) @@ -722,7 +752,9 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t) fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file }) -allow container_runtime_domain spc_t:process2 nnp_transition; +allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition }; +allow spc_t container_file_type:file execmod; + admin_pattern(spc_t, kubernetes_file_t) allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms; 
@@ -892,19 +924,29 @@ container_use_ptys(container_domain) container_spc_stream_connect(container_domain) fs_dontaudit_remount_tmpfs(container_domain) + +dev_dontaudit_mounton_sysfs(container_domain) dev_dontaudit_mounton_sysfs(container_domain) dev_dontaudit_mounton_sysfs(container_domain) -fs_mount_tmpfs(container_domain) - -dontaudit container_domain container_runtime_tmpfs_t:dir read; -allow container_domain container_runtime_tmpfs_t:dir mounton; - dev_getattr_mtrr_dev(container_domain) dev_list_sysfs(container_domain) -allow container_domain sysfs_t:dir watch; - +dev_mounton_sysfs(container_t) +dev_read_mtrr(container_domain) +dev_read_rand(container_domain) +dev_read_sysfs(container_domain) +dev_read_urand(container_domain) +dev_rw_inherited_dri(container_domain) dev_rw_kvm(container_domain) dev_rwx_zero(container_domain) +dev_write_rand(container_domain) +dev_write_urand(container_domain) +allow container_domain sysfs_t:dir watch; + + +fs_mount_tmpfs(container_domain) + +dontaudit container_domain container_runtime_tmpfs_t:dir read; +allow container_domain container_runtime_tmpfs_t:dir mounton; allow container_domain self:key manage_key_perms; dontaudit container_domain container_domain:key search; @@ -920,7 +962,7 @@ allow container_domain self:passwd rootok; allow container_domain self:filesystem associate; allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; +allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; kernel_getattr_proc(container_domain) kernel_list_all_proc(container_domain) 
@@ -970,18 +1012,9 @@ type cgroup_t; ') -dev_read_sysfs(container_domain) -dev_read_mtrr(container_domain) -dev_mounton_sysfs(container_t) - fs_mounton_cgroup(container_t) fs_unmount_cgroup(container_t) -dev_read_rand(container_domain) -dev_write_rand(container_domain) -dev_read_urand(container_domain) -dev_write_urand(container_domain) - files_read_kernel_modules(container_domain) allow container_file_t cgroup_t:filesystem associate; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/container_selinux.8 new/container-selinux-2.222.0/container_selinux.8 --- old/container-selinux-2.215.0/container_selinux.8 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/container_selinux.8 2023-09-17 15:46:26.000000000 +0200 @@ -332,7 +332,7 @@ .B STANDARD FILE CONTEXT SELinux defines the file context types for the container, if you wanted to -store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. +store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. .B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?' .br diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.215.0/rpm/container-selinux.spec new/container-selinux-2.222.0/rpm/container-selinux.spec --- old/container-selinux-2.215.0/rpm/container-selinux.spec 2023-05-22 16:52:49.000000000 +0200 +++ new/container-selinux-2.222.0/rpm/container-selinux.spec 2023-09-17 15:46:26.000000000 +0200 
@@ -1,8 +1,5 @@ %global debug_package %{nil} -# container-selinux upstream -%global git0 https://github.com/containers/container-selinux - # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package %global selinuxtype targeted @@ -14,33 +11,22 @@ # Format must contain '$x' somewhere to do anything useful %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; -# copr_username is only set on copr environments, not on others like koji -%if "%{?copr_username}" != "rhcontainerbot" -%bcond_with copr -%else -%bcond_without copr -%endif - # RHEL 8 doesn't allow watch and systemd_chat_resolved -%if 0%{?rhel} == 8 -%bcond_without no_watch -%bcond_without no_systemd_chat_resolved -%else -%bcond_with no_watch -%bcond_with no_systemd_chat_resolved +%if %{defined rhel} && 0%{?rhel} == 8 +%define no_watch 1 +%define no_systemd_chat_resolved 1 +%global _selinux_policy_version 3.14.3-80.el8 %endif # https://github.com/containers/container-selinux/issues/203 -%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9 -%bcond_without no_user_namespace -%else -%bcond_with no_user_namespace +%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9 +%define no_user_namespace 1 %endif Name: container-selinux # Set different Epochs for copr and koji -%if %{with copr} -Epoch: 101 +%if %{defined copr_username} +Epoch: 102 %else Epoch: 2 %endif @@ -50,9 +36,9 @@ Version: 0 Release: %autorelease License: GPL-2.0-only -URL: %{git0} +URL: https://github.com/containers/%{name} Summary: SELinux policies for container runtimes -Source0: %{git0}/archive/v%{version}.tar.gz +Source0: %{url}/archive/v%{version}.tar.gz BuildArch: noarch BuildRequires: make BuildRequires: git-core 
@@ -81,17 +67,17 @@ sed -i 's/^man: install-policy/man:/' Makefile sed -i 's/^install: man/install:/' Makefile -%if %{with no_watch} +%if %{defined no_watch} sed -i 's/watch watch_reads//' container.if sed -i 's/watch watch_reads//' container.te sed -i '/sysfs_t:dir watch/d' container.te %endif -%if %{with no_systemd_chat_resolved} +%if %{defined no_systemd_chat_resolved} sed -i '/^systemd_chat_resolved/d' container.te %endif -%if %{with no_user_namespace} +%if %{defined no_user_namespace} sed -i '/user_namespace/d' container.te %endif @@ -103,6 +89,9 @@ %_format MODULES $x.pp.bz2 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 +rm %{buildroot}%{_mandir}/man8/container_selinux.8 + %pre %selinux_relabel_pre -s %{selinuxtype} @@ -138,7 +127,8 @@ %{_datadir}/containers/selinux/contexts %dir %{_datadir}/udica/templates/ %{_datadir}/udica/templates/* -%{_mandir}/man8/container_selinux.8.gz +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 +#%%{_mandir}/man8/container_selinux.8.gz %{_sysconfdir}/selinux/targeted/contexts/users/* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames} @@ -149,9 +139,12 @@ fi %changelog -%if 0%{?rhel} <= 8 && ! 0%{?fedora} -* Mon May 01 2023 RH Container Bot <[email protected]> -- Dummy changelog for CentOS Stream 8 -%else +%if %{defined autochangelog} %autochangelog +%else +# NOTE: This changelog will be visible on CentOS 8 Stream builds +# Other envs are capable of handling autochangelog +* Tue Jun 13 2023 RH Container Bot <[email protected]> +- Placeholder changelog for envs that are not autochangelog-ready. +- Contact upstream if you need to report an issue with the build. %endif
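Review bot: the removal of `/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)` in the container.fc hunk at @@ -135,7 +137,6 @@ is not mentioned in either .changes entry (2.221 or 2.222). Dropping a file context means the next relabel moves existing pod volumes under /var/lib/kubelet/pods to whatever the parent rule gives them, and anything that relied on container_file_t there can start failing; either cite the upstream reason in the changelog or confirm that the kubelet is expected to label these directories itself. The new `/var/cache/containers(/.*)?` entry at @@ -112,6 +112,8 @@ is correctly paired with `files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")` in container.te, so the on-disk label and the runtime-created label agree.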
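Review bot: `typeattribute container_ro_file_t container_file_type, user_home_type;` in the container.te hunk at @@ -129,6 +136,7 @@ should carry a comment, because its real effect is not local: every rule written against container_file_type now covers the read-only image store, including the later `allow spc_t container_file_type:file execmod;` at @@ -722,7 +752,9 @@. The user_home_type half looks redundant, since the unchanged `userdom_user_home_content(container_ro_file_t)` two lines below already assigns that attribute in refpolicy; if that is the case, keep only container_file_type so the intent is readable.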
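Review bot: `files_manage_generic_locks(container_runtime_domain)` in the hunk at @@ -209,11 +218,12 @@ grants the runtime create/write/delete on generic lock files, while the line above it already handles the container-specific ones via `files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")`. If the rule is only needed because some runtime creates a lock file with a name the filetrans does not cover, adding that name to the filetrans keeps the access scoped to container_lock_t; otherwise a comment naming the lock file that needs the generic label would justify the wider grant. The `"container"` to `"containers"` fix on the files_etc_filetrans line in the same hunk is correct and matches the /etc/containers directory that runtimes actually create.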
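Review bot: the hunk at @@ -247,8 +257,23 @@ re-adds rules that are already present in its own context: `manage_files_pattern`, `manage_lnk_files_pattern` and `manage_blk_files_pattern` for container_ro_file_t appear as unchanged lines at the top of the hunk, and `manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)` is visible again as context at @@ -266,6 +291,7 @@. Duplicate allow rules do not change the compiled policy, but they make it harder to audit what a domain is actually granted; keep only the genuinely new lines (the sock_file and chr_file patterns) next to the existing ones.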
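Review bot: `allow spc_t container_file_type:file execmod;` at @@ -722,7 +752,9 @@ disables the text-relocation check for every file type under container_file_type, which after the typeattribute change at @@ -129,6 +136,7 @@ includes container_ro_file_t. That matches the 2.221 changelog line "Allow spc_t to use execmod libraries on container file systems", but the rule itself says nothing about why, and execmod is exactly the kind of grant a later reviewer will question; put a one-line comment above it with the use case. The `nosuid_transition` added on the same lines alongside `nnp_transition` is the usual pairing for a domain transition from a nosuid mount and looks fine.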
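Review bot: after the hunk at @@ -892,19 +924,29 @@ `dev_dontaudit_mounton_sysfs(container_domain)` appears three times in a row (the added line plus the two unchanged context lines), and the hunk at @@ -606,17 +639,14 @@ removes a fourth copy from the former optional_policy block; one call is enough. The rest of this hunk is a reorder that pulls the dev_read_rand/dev_write_rand/dev_read_urand/dev_write_urand, dev_read_sysfs, dev_read_mtrr and dev_mounton_sysfs calls up from the section deleted at @@ -970,18 +1012,9 @@, with `dev_rw_inherited_dri(container_domain)` as the only new permission; note that `dev_mounton_sysfs(container_t)` is scoped to container_t while its neighbours use container_domain, which is worth confirming is deliberate rather than a leftover.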
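Review bot: the socket_class_set rule at @@ -920,7 +962,7 @@ grows from `{ accept ioctl read getattr lock write append getopt setopt }` to also include `map recv_msg recvfrom send_msg sendto shutdown`, but the 2.221 changelog only says "Allow containers to shutdown sockets inherited from container runtimes". shutdown alone is the stated fix; map, sendto/recvfrom and send_msg/recv_msg let a container use an inherited runtime socket for traffic, not just close it, so either trim the set to what the bug needed or extend the changelog to say inherited sockets are meant to be fully usable.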
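Review bot: the new `container_read_certs` boolean at @@ -19,6 +19,13 @@ defaults to false, which is the right choice for a rule that exposes every certificate file covered by `miscfiles_read_all_certs` to every container domain; the tunable_policy block at @@ -585,6 +614,10 @@ is consistent with that. Since the rpm now deletes the man page (`rm %{buildroot}%{_mandir}/man8/container_selinux.8` at @@ -103,6 +89,9 @@), the <desc> text is the only place an administrator will see this boolean explained, so it would help to state there that it applies to all container domains, not just container_t.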
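Review bot: the container_selinux.8 hunk at @@ -332,7 +332,7 @@ fixes "diffent" but leaves "in a different paths", which is still ungrammatical; the line should read "store files with these types in different paths".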
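Review bot: in the rpm/container-selinux.spec hunk at @@ -14,33 +11,22 @@ the condition `%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9` mixes && and || without parentheses; it relies on && binding tighter than ||, so grouping each clause in parentheses would make the intent explicit and survive future edits. The same hunk bumps the copr Epoch from 101 to 102 while the koji Epoch stays 2; an epoch bump is permanent, so a comment stating why it was needed would save the next packager from guessing.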
