Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2024-11-30 13:27:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.28523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux" Sat Nov 30 13:27:11 2024 rev:22 rq:1227115 version:2.233.0 Changes: -------- --- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2024-07-14 08:49:35.486446625 +0200 +++ /work/SRC/openSUSE:Factory/.container-selinux.new.28523/container-selinux.changes 2024-11-30 13:27:17.328313342 +0100 @@ -1,0 +2,16 @@ +Thu Nov 07 12:04:40 UTC 2024 - [email protected] + +- Update to version 2.233.0: + * container_engine_t: small change to allow non root exec in a container + * RPM: explicitly list ghosted paths and skip mode verification + * container-selinux install on non selinux-policy-targeted systems (#332) + * set container_log_t type for /var/log/kube-apiserver + * Allow kubelet_t to create a sock file kubelet_var_lib_t + * dontaudit spc_t to mmap_zero + * Packit: update targets (#330) + * container_engine_t: another round of small improvements (#327) + * Allow container_device_plugin_t to use the network (#325) + * RPM: cleanup changelog (#324) + * TMT: Simplify tests + +------------------------------------------------------------------- Old: ---- container-selinux-2.232.1.tar.xz New: ---- container-selinux-2.233.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++ --- /var/tmp/diff_new_pack.YARZEz/_old 2024-11-30 13:27:18.056343666 +0100 +++ /var/tmp/diff_new_pack.YARZEz/_new 2024-11-30 13:27:18.060343832 +0100 @@ -26,7 +26,7 @@ # Version of SELinux we were using %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}') Name: container-selinux -Version: 2.232.1 +Version: 2.233.0 Release: 0 Summary: SELinux policies for container runtimes License: GPL-2.0-only ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.YARZEz/_old 2024-11-30 13:27:18.104345665 +0100 +++ /var/tmp/diff_new_pack.YARZEz/_new 2024-11-30 13:27:18.108345831 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> - <param name="changesrevision">a68865582e123856c191fe0ecbbba9301758e591</param></service></servicedata> + <param name="changesrevision">3f06c141bebc00a07eec4c0ded038aac4f2ae3f0</param></service></servicedata> (No newline at EOF) ++++++ container-selinux-2.232.1.tar.xz -> container-selinux-2.233.0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/.packit.yaml new/container-selinux-2.233.0/.packit.yaml --- old/container-selinux-2.232.1/.packit.yaml 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/.packit.yaml 2024-11-04 16:37:32.000000000 +0100 @@ -9,6 +9,7 @@ files_to_sync: - src: rpm/gating.yaml dest: gating.yaml + delete: true - src: plans/ dest: plans/ delete: true @@ -29,6 +30,8 @@ specfile_path: rpm/container-selinux.spec container-selinux-rhel: specfile_path: rpm/container-selinux.spec + container-selinux-eln: + specfile_path: rpm/container-selinux.spec srpm_build_deps: - make @@ -42,8 +45,18 @@ message: "Ephemeral COPR build failed. @containers/packit-build please check." enable_net: true # container-selinux is noarch so we only need to test on one arch + targets: &fedora_copr_targets + - fedora-development + - fedora-latest + - fedora-ltest-stable + - fedora-40 + + - job: copr_build + trigger: pull_request + packages: [container-selinux-eln] + notifications: *copr_build_failure_notification + enable_net: true targets: - - fedora-all - fedora-eln - job: copr_build @@ -51,7 +64,7 @@ packages: [container-selinux-centos] notifications: *copr_build_failure_notification enable_net: true - targets: + targets: ¢os_copr_targets - centos-stream-9 - centos-stream-10 
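Review bot: `fedora-ltest-stable` in the new `&fedora_copr_targets` list is not a Packit target alias; the alias is `fedora-latest-stable`, so that entry will be rejected or skipped, and because the anchor is reused via `*fedora_copr_targets` by the tests job further down the typo also removes that distro from the test matrix. The line should read `- fedora-latest-stable`. In the following hunk, `targets: ¢os_copr_targets` appears to be a mis-encoded `&centos_copr_targets` (the later `*centos_copr_targets` reference only resolves with that spelling) rather than a defect in the file itself.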
@@ -84,37 +97,47 @@ notifications: &test_failure_notification failure_comment: message: "Tests failed. @containers/packit-build please check." - targets: - - fedora-all + targets: *fedora_copr_targets + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo # Tests for CentOS Stream - job: tests trigger: pull_request packages: [container-selinux-centos] notifications: *test_failure_notification - targets: - - centos-stream-9 - - centos-stream-10 + targets: *centos_copr_targets + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo + # FIXME: Re-enable once podman packit copr builds are re-enabled for el9 # Tests for RHEL - - job: tests - trigger: pull_request - packages: [container-selinux-rhel] - use_internal_tf: true - notifications: *test_failure_notification - targets: - epel-9-x86_64: - distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly] - # Use centos-stream-10 until we have epel-10 - # TODO: Enable after RHEL-10 gets selinux-policy >= 40.13.1 which is - # already on CentOS Stream 10. 
- #centos-stream-10-x86_64: - # distros: [RHEL-10-Beta-Nightly] + #- job: tests + # trigger: pull_request + # packages: [container-selinux-rhel] + # use_internal_tf: true + # notifications: *test_failure_notification + # targets: + # epel-9-x86_64: + # distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly] + # tf_extra_params: + # environments: + # - artifacts: + # - type: repository-file + # id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo + # - type: repository-file + # id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo - job: propose_downstream trigger: release packages: [container-selinux-fedora] - dist_git_branches: + dist_git_branches: &fedora_targets - fedora-all - job: propose_downstream @@ -126,8 +149,7 @@ - job: koji_build trigger: commit packages: [container-selinux-fedora] - dist_git_branches: - - fedora-all + dist_git_branches: *fedora_targets - job: bodhi_update trigger: commit diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/container.fc new/container-selinux-2.233.0/container.fc --- old/container-selinux-2.232.1/container.fc 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/container.fc 2024-11-04 16:37:32.000000000 +0100 @@ -131,7 +131,7 @@ /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) -/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0) +/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0) /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) 
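Review bot: Relabeling the whole `/var/lib/kubelet/pod-resources(/.*)?` tree as `kubelet_var_lib_t`, where before only `kubelet.sock` carried the generic `container_file_t` label, narrows who can reach that socket: any container domain that relied on `container_file_t` socket access now needs an explicit `stream_connect_pattern` on `kubelet_var_lib_t`, and the accompanying .te change adds one only for `container_device_plugin_t`. That tightening is arguably the point of the change, but it is not stated anywhere; a comment on the new .fc line such as `# pod-resources is kubelet-private; containers need an explicit stream_connect on kubelet_var_lib_t` would record it. Hosts that already have the socket labeled `container_file_t` keep that label until a relabel runs; the spec's `%selinux_relabel_post` appears to cover package upgrades, while a module reload outside the package path would need a manual `restorecon` of that directory.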
@@ -162,6 +162,7 @@ /run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) +/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) /etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/container.if new/container-selinux-2.233.0/container.if --- old/container-selinux-2.232.1/container.if 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/container.if 2024-11-04 16:37:32.000000000 +0100 @@ -512,6 +512,7 @@ files_pid_filetrans($1, container_var_run_t, dir, "containers") files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers") + logging_log_filetrans($1, container_log_t, dir, "kube-apiserver") logging_log_filetrans($1, container_log_t, dir, "lxc") files_var_lib_filetrans($1, container_var_lib_t, dir, "containers") files_var_lib_filetrans($1, container_file_t, dir, "origin") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/container.te new/container-selinux-2.233.0/container.te --- old/container-selinux-2.232.1/container.te 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/container.te 2024-11-04 16:37:32.000000000 +0100 @@ -1,4 +1,4 @@ -policy_module(container, 2.232.1) +policy_module(container, 2.234.0) gen_require(` class passwd rootok; @@ -757,6 +757,7 @@ # allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; role system_r types spc_t; +dontaudit spc_t self:memprotect mmap_zero; domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t) 
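Review bot: `policy_module(container, 2.234.0)` does not agree with the rest of this update, where the tarball and the spec `Version:` move to 2.233.0, so the loaded module will report a version one step ahead of the installed RPM. Unless upstream deliberately lets the module version lead the release, the line should be `policy_module(container, 2.233.0)`; if it is deliberate, a one-line comment above it saying so would stop the next packager from "correcting" it.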
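Review bot: `dontaudit spc_t self:memprotect mmap_zero;` only suppresses the AVC record; mapping the zero page stays denied for spc_t, which is the protection that matters, and the rule gives no hint of that to a reader. A comment would help, e.g. `# mmap_zero remains denied for spc_t; this only silences the AVC noise (semodule -DB re-enables it for debugging)`. The trade-off is that anyone diagnosing a runtime that genuinely trips this denial will no longer see it in the audit log without that step, which is worth saying in the same comment.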
@@ -1450,11 +1451,14 @@ allow container_engine_t fusefs_t:dir { relabelfrom relabelto }; allow container_engine_t fusefs_t:file relabelto; allow container_engine_t kernel_t:system module_request; -allow container_engine_t null_device_t:chr_file mounton; +allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms }; allow container_engine_t random_device_t:chr_file mounton; allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read; allow container_engine_t urandom_device_t:chr_file mounton; allow container_engine_t zero_device_t:chr_file mounton; +allow container_engine_t container_file_t:sock_file mounton; +allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms }; +allow container_engine_t devpts_t:chr_file setattr; manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t) @@ -1483,6 +1487,17 @@ can_exec(container_runtime_t, kubelet_exec_t) allow kubelet_t kubelet_exec_t:file entrypoint; +type kubelet_var_lib_t; +files_type(kubelet_var_lib_t) + +manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t) +manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t) +manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t) +manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t) + +files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources") +filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources") + ifdef(`enable_mcs',` init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh) ') 
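Review bot: `allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };` repeats a permission: in refpolicy `list_dir_perms` already expands to a set that includes `ioctl`, so the rule can simply be `allow container_engine_t container_runtime_tmpfs_t:dir list_dir_perms;`. The two new chr_file setattr rules are also written in different styles, `null_device_t` through the `setattr_chr_file_perms` macro and `devpts_t` as a bare `setattr`; pick one form for both. The enclosing block of container_engine_t rules continues outside the hunk.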
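Review bot: The new `kubelet_var_lib_t` type is declared without any interface in container.if, so the only way for another domain to reach the pod-resources socket is a hard-coded `stream_connect_pattern` in container.te (the `@@ -1516` hunk adds exactly one, for `container_device_plugin_t`), which is the opposite of how `container_kubelet_stream_connect` is consumed today. Consider a small interface in container.if wrapping `stream_connect_pattern($1, container_var_lib_t, kubelet_var_lib_t, kubelet_t)` so future consumers do not have to patch the .te. The type declaration would also benefit from a comment naming its purpose, e.g. `# /var/lib/kubelet/pod-resources: kubelet-private state including the pod-resources socket`.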
@@ -1516,10 +1531,12 @@ # Standard container which needs to be allowed to use any device and # communicate with kubelet container_domain_template(container_device_plugin, container) +typeattribute container_device_plugin_t container_net_domain; allow container_device_plugin_t device_node:chr_file rw_chr_file_perms; dev_rw_sysfs(container_device_plugin_t) kernel_read_debugfs(container_device_plugin_t) container_kubelet_stream_connect(container_device_plugin_t) +stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t) # Standard container which needs to be allowed to use any device and # modify kubelet configuration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/plans/all.fmf new/container-selinux-2.233.0/plans/all.fmf --- old/container-selinux-2.232.1/plans/all.fmf 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/plans/all.fmf 2024-11-04 16:37:32.000000000 +0100 @@ -12,7 +12,7 @@ when: initiator is not defined or initiator != packit /downstream: - summary: Run SELinux specific Podman e2e tests on bodhi / errata and dist-git PRs + summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs discover+: filter: tag:downstream adjust+: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/rpm/container-selinux.spec new/container-selinux-2.233.0/rpm/container-selinux.spec --- old/container-selinux-2.232.1/rpm/container-selinux.spec 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/rpm/container-selinux.spec 2024-11-04 16:37:32.000000000 +0100 @@ -2,7 +2,6 @@ # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package -%global selinuxtype targeted %global moduletype services %global modulenames container 
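Review bot: `typeattribute container_device_plugin_t container_net_domain;` gives a device-plugin container the full network permission set carried by `container_net_domain`, and nothing in the hunk records why a device plugin needs that beyond the PR number in the changelog. A comment above the rule such as `# device plugins may need network access to their vendor/cluster endpoints (#325)` keeps the rationale with the policy, where the next person auditing container network reach will look for it. The comment block above ("Standard container which needs to be allowed to use any device and communicate with kubelet") should be extended in the same way, since it no longer describes the whole grant.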
@@ -51,7 +50,8 @@ # RE: rhbz#1195804 - ensure min NVR for selinux-policy Requires: selinux-policy >= %_selinux_policy_version Requires(post): selinux-policy-base >= %_selinux_policy_version -Requires(post): selinux-policy-targeted >= %_selinux_policy_version +Requires(post): selinux-policy-any >= %_selinux_policy_version +Recommends: selinux-policy-targeted >= %_selinux_policy_version Requires(post): policycoreutils Requires(post): libselinux-utils Requires(post): sed @@ -90,7 +90,7 @@ rm %{buildroot}%{_mandir}/man8/container_selinux.8 %pre -%selinux_relabel_pre -s %{selinuxtype} +%selinux_relabel_pre %post # Install all modules in a single transaction @@ -98,21 +98,21 @@ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 -%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null -%selinux_modules_install -s %{selinuxtype} $MODULES . %{_sysconfdir}/selinux/config +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null +%selinux_modules_install -s ${SELINUXTYPE} $MODULES sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : %postun if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker + %selinux_modules_uninstall %{modulenames} docker fi %posttrans -%selinux_relabel_post -s %{selinuxtype} +%selinux_relabel_post #define license tag if not already defined %{!?_licensedir:%global license %doc} 
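Review bot: The rewritten `%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null` lines depend on `SELINUXTYPE` being set by the `. %{_sysconfdir}/selinux/config` line that now precedes them; if that file is absent or the variable is empty — which the relaxed `Requires(post): selinux-policy-any` makes at least possible — `-s` swallows the next option and the `2> /dev/null` hides the failure. A default keeps the scriptlet robust, e.g. `SELINUXTYPE=${SELINUXTYPE:-targeted}` right after the config is sourced, or `-s ${SELINUXTYPE:-targeted}` on each of the four lines. The `%selinux_modules_uninstall`, `%selinux_relabel_pre` and `%selinux_relabel_post` calls in the same hunk drop `-s` entirely and rely on the macro's own default, so the `%selinux_modules_install -s ${SELINUXTYPE}` call should probably be made consistent with them rather than pass the raw shell variable.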
@@ -127,8 +127,9 @@ %{_datadir}/udica/templates/* # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 #%%{_mandir}/man8/container_selinux.8.gz -%{_sysconfdir}/selinux/targeted/contexts/users/* -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames} +%{_sysconfdir}/selinux/targeted/contexts/users/container_u +%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames} +%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames} %triggerpostun -- container-selinux < 2:2.162.1-3 if %{_sbindir}/selinuxenabled ; then @@ -137,12 +138,4 @@ fi %changelog -%if %{defined autochangelog} %autochangelog -%else -# NOTE: This changelog will be visible on CentOS 8 Stream builds -# Other envs are capable of handling autochangelog -* Tue Jun 13 2023 RH Container Bot <[email protected]> -- Placeholder changelog for envs that are not autochangelog-ready. -- Contact upstream if you need to report an issue with the build. -%endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/test/Makefile new/container-selinux-2.233.0/test/Makefile --- old/container-selinux-2.232.1/test/Makefile 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/test/Makefile 2024-11-04 16:37:32.000000000 +0100 
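Review bot: The two `%ghost %verify(not mode)` entries enumerate only the `targeted` and `mls` stores, while `%post` now installs the module into whatever store `${SELINUXTYPE}` names; on a host using another policy type (for example `minimum`) the installed module file is not tracked by the package, and `rpm -V` cannot report on it. If those two stores are the only ones the package intends to support, a comment above the ghost lines saying so would make that explicit, e.g. `# only the targeted and mls stores are tracked; other SELINUXTYPE values are unsupported`. The `users/container_u` path is likewise hard-coded to `targeted`, which is consistent with the ghost list but worth mentioning in the same comment.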
@@ -2,22 +2,15 @@ basic_check: semodule --list=full | grep container semodule -B + rpm -Vqf /var/lib/selinux/*/active/modules/200/container -.PHONY: podman_e2e_test_upstream -podman_e2e_test_upstream: - bash ./podman-tests.sh e2e upstream +.PHONY: podman_e2e_test +podman_e2e_test: + bash ./podman-tests.sh e2e -.PHONY: podman_e2e_test_downstream -podman_e2e_test_downstream: - bash ./podman-tests.sh e2e downstream - -.PHONY: podman_system_test_upstream -podman_system_test_upstream: - bash ./podman-tests.sh system upstream - -.PHONY: podman_system_test_downstream -podman_system_test_downstream: - bash ./podman-tests.sh system downstream +.PHONY: podman_system_test +podman_system_test: + bash ./podman-tests.sh system clean: rm -rf podman-*dev* podman.spec diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/test/main.fmf new/container-selinux-2.233.0/test/main.fmf --- old/container-selinux-2.232.1/test/main.fmf 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/test/main.fmf 2024-11-04 16:37:32.000000000 +0100 
@@ -6,24 +6,16 @@ - policycoreutils /basic_check: - summary: Run basic checks tag: [ upstream, downstream ] + summary: Run basic checks test: make basic_check -/upstream: - tag: upstream -/upstream/podman_e2e_test: - summary: Run SELinux specific Podman e2e tests on upstream PRs - test: make podman_e2e_test_upstream -/upstream/podman_system_test: - summary: Run SELinux specific Podman system tests on upstream PRs - test: make podman_system_test_upstream +/podman_e2e_test: + tag: [ upstream, downstream ] + summary: Run SELinux specific Podman e2e tests + test: make podman_e2e_test -/downstream: - tag: downstream -/downstream/podman_e2e_test: - summary: Run SELinux specific Podman e2e tests on downstream bodhi / errata and dist-git PRs - test: make podman_e2e_test_downstream -/downstream/podman_system_test: - summary: Run SELinux specific Podman system tests on downstream bodhi / errata and dist-git PRs - test: make podman_system_test_downstream +/podman_system_test: + tag: [ upstream, downstream ] + summary: Run SELinux specific Podman system tests + test: make podman_system_test diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.232.1/test/podman-tests.sh new/container-selinux-2.233.0/test/podman-tests.sh --- old/container-selinux-2.232.1/test/podman-tests.sh 2024-06-10 19:25:30.000000000 +0200 +++ new/container-selinux-2.233.0/test/podman-tests.sh 2024-11-04 16:37:32.000000000 +0100 
@@ -2,37 +2,19 @@ set -exo pipefail +cat /etc/redhat-release + if [[ "$(id -u)" -ne 0 ]];then echo "Please run as superuser" exit 1 fi if [[ -z "$1" ]]; then - echo -e "Usage: podman-tests.sh TEST_TYPE STREAM\nTEST_TYPE can be 'e2e' or 'system'\nSTREAM can be 'upstream' or 'downstream'" + echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n" exit 1 fi TEST_TYPE=$1 -STREAM=$2 - -# `rhel` macro exists on RHEL, CentOS Stream, and Fedora ELN -# `centos` macro exists only on CentOS Stream -CENTOS_VERSION=$(rpm --eval '%{?centos}') -RHEL_VERSION=$(rpm --eval '%{?rhel}') - -# For upstream tests, we need to test with podman and other packages from the -# podman-next copr. For downstream tests (bodhi, errata), we don't need any -# additional setup -if [[ "$STREAM" == "upstream" ]]; then - # Use CentOS Stream 10 copr target for RHEL-10 until EPEL 10 becomes - # available - if [[ -n $CENTOS_VERSION || $RHEL_VERSION -ge 10 ]]; then - dnf -y copr enable rhcontainerbot/podman-next centos-stream-$CENTOS_VERSION - else - dnf -y copr enable rhcontainerbot/podman-next - fi - echo "priority=5" >> /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next.repo -fi # Remove testing-farm repos if they exist as these interfere with the packages # we want to install, especially when podman-next copr is involved 
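Review bot: The new `cat /etc/redhat-release` sits above the root and usage checks, so under `set -e` the script dies with a bare file-not-found error on any host lacking that file before it can print its usage or the "Please run as superuser" message; moving the line to just before `rpm -q bats …` (where the old version printed it) or writing `cat /etc/redhat-release || :` keeps the diagnostics ordering sane. The usage text also interpolates `${BASH_SOURCE[0]}` unquoted: `"Usage: $(basename "${BASH_SOURCE[0]}") TEST_TYPE …"` is the safe form. Since the STREAM argument is gone, the only remaining input is `TEST_TYPE`, and it is still checked only for emptiness rather than against the two documented values; a `case "$TEST_TYPE" in e2e|system) ;; *) echo "unknown TEST_TYPE"; exit 1;; esac` after the assignment would catch typos early.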
@@ -69,18 +51,11 @@ popd -# Enable EPEL on RHEL/CentOS Stream envs to fetch bats -if [[ -n $(rpm --eval '%{?rhel}') ]]; then - # Until EPEL 10 is available use epel-9 for all RHEL and CentOS Stream - dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm - sed -i 's/$releasever/9/g' /etc/yum.repos.d/epel.repo -fi - # Install dependencies for running tests +# NOTE: bats will be fetched from Fedora repos on public testing-farm envs if EPEL repo is absent or disabled. dnf -y install bats golang # Print versions of distro and installed packages -cat /etc/redhat-release rpm -q bats container-selinux golang podman podman-tests selinux-policy if [[ "$TEST_TYPE" == "e2e" ]]; then
