Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rke2-selinux for openSUSE:Factory checked in at 2026-06-05 14:57:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rke2-selinux (Old) and /work/SRC/openSUSE:Factory/.rke2-selinux.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rke2-selinux" Fri Jun 5 14:57:32 2026 rev:9 rq:1357078 version:0.23.stable.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rke2-selinux/rke2-selinux.changes 2026-01-13 21:32:43.967444391 +0100 +++ /work/SRC/openSUSE:Factory/.rke2-selinux.new.2375/rke2-selinux.changes 2026-06-05 14:58:01.522661806 +0200 @@ -1,0 +2,20 @@ +Thu Jun 04 05:30:47 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.23.stable.1: + * Define versions to build selinux in centos10 to have support + for fresh rhel, almalinux and rocky installs + * Define specific policys for /run and /var/run in rhel9-10 + * Use transactional-update env in microos and slemicro + * Clean dapper if that is not necessary anymore + * Harden via checksum validation + * Pin GH Actions to commit sha + * Fix(policy): drop restorecon -F to preserve MCS labels + * Remove dapper and also remove version duplicate script + * Add FOSSA scanning workflow + * Fix missing context in /run/k3s/containerd + * fix snashots context + * fix: use restorecon only in rke2 directory and not in rancher + directory + * adding slash scape to containerd log policy + +------------------------------------------------------------------- Old: ---- rke2-selinux-0.22.stable.1.obscpio New: ---- rke2-selinux-0.23.stable.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rke2-selinux.spec ++++++ --- /var/tmp/diff_new_pack.DXjQEl/_old 2026-06-05 14:58:02.466700848 +0200 +++ /var/tmp/diff_new_pack.DXjQEl/_new 2026-06-05 14:58:02.466700848 +0200 @@ -46,7 +46,7 @@ %define container_policyver 2.164.2-1.1 Name: rke2-selinux -Version: 0.22.stable.1 +Version: 0.23.stable.1 Release: 0 Summary: SELinux policy module for rke2 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.DXjQEl/_old 2026-06-05 14:58:02.546704156 +0200 +++ /var/tmp/diff_new_pack.DXjQEl/_new 2026-06-05 14:58:02.562704818 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/rancher/rke2-selinux</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.22.stable.1</param> + <param name="revision">v0.23.stable.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.DXjQEl/_old 2026-06-05 14:58:02.606706638 +0200 +++ /var/tmp/diff_new_pack.DXjQEl/_new 2026-06-05 14:58:02.610706803 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/rancher/rke2-selinux</param> - <param name="changesrevision">09645c96d91bf0f239e9f54603b959afdaca68a1</param></service></servicedata> + <param name="changesrevision">95659f017f74a6833be3d2576ce47e0755611c53</param></service></servicedata> (No newline at EOF) ++++++ rke2-selinux-0.22.stable.1.obscpio -> rke2-selinux-0.23.stable.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos10 new/rke2-selinux-0.23.stable.1/Dockerfile.centos10 --- old/rke2-selinux-0.22.stable.1/Dockerfile.centos10 1970-01-01 01:00:00.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos10 2026-06-01 15:43:58.000000000 +0200 
@@ -0,0 +1,28 @@
+FROM almalinux:10.0 AS build
+
+RUN yum -y --releasever=10.0 install \
+ container-selinux-4:2.235.0-2.el10_0 \
+ libsepol-devel-3.8-1.el10 \
+ policycoreutils-3.8-1.el10 \
+ policycoreutils-devel-3.8-1.el10 \
+ selinux-policy-devel-40.13.26-1.el10 \
+ git \
+ rpm-build \
+ yum-utils \
+ ca-certificates
+
+ENV SOURCE=/source
+
+WORKDIR ${SOURCE}
+
+COPY . .
+
+ARG TAG
+ARG SCRIPT=build
+
+RUN ${SOURCE}/policy/centos10/scripts/entry "${SCRIPT}"
+
+FROM scratch AS result
+ENV SOURCE=/source
+
+COPY --from=build ${SOURCE}/dist /dist
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos10.dapper new/rke2-selinux-0.23.stable.1/Dockerfile.centos10.dapper
--- old/rke2-selinux-0.22.stable.1/Dockerfile.centos10.dapper 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos10.dapper 1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-FROM almalinux:10
-
-RUN yum install -y epel-release \
- && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python-pip ca-certificates
-
-ENV DAPPER_SOURCE /source
-ENV DAPPER_OUTPUT ./dist
-ENV DAPPER_ENV COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
-ENV HOME ${DAPPER_SOURCE}
-WORKDIR ${DAPPER_SOURCE}
-
-ENTRYPOINT ["./policy/centos10/scripts/entry"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos8 new/rke2-selinux-0.23.stable.1/Dockerfile.centos8
--- old/rke2-selinux-0.22.stable.1/Dockerfile.centos8 1970-01-01 01:00:00.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos8 2026-06-01 15:43:58.000000000 +0200
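Review bot: `FROM almalinux:10.0 AS build` in Dockerfile.centos10 pins every RPM by version but still takes the base image by a mutable tag, so the repository configuration and RPM signing keys those pinned packages are checked against can change from one build to the next. Pinning the image by digest, `FROM almalinux:10.0@sha256:<digest-placeholder> AS build`, would give the build stage the same guarantee the changelog's "Pin GH Actions to commit sha" gives the workflows. The same applies, more strongly, to Dockerfile.centos8 (`rockylinux:8`), Dockerfile.centos9 (`quay.io/centos/centos:stream9`), Dockerfile.microos (`opensuse/tumbleweed`) and Dockerfile.slemicro (`registry.suse.com/suse/sle-micro/5.5:latest`), which also install unversioned packages, so the policy is compiled against whatever `selinux-policy-devel` and `container-selinux` happen to be current.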
@@ -0,0 +1,21 @@
+FROM rockylinux:8 AS build
+
+RUN yum install -y epel-release \
+ && yum install -y container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python2-pip ca-certificates
+
+ENV SOURCE=/source
+
+WORKDIR ${SOURCE}
+
+COPY . .
+
+ARG TAG
+ARG SCRIPT=build
+
+RUN ${SOURCE}/policy/centos8/scripts/entry "${SCRIPT}"
+
+FROM scratch AS result
+ENV SOURCE=/source
+
+COPY --from=build ${SOURCE}/dist /dist
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos8.dapper new/rke2-selinux-0.23.stable.1/Dockerfile.centos8.dapper
--- old/rke2-selinux-0.22.stable.1/Dockerfile.centos8.dapper 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos8.dapper 1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-FROM rockylinux:8
-
-RUN yum install -y epel-release \
- && yum install -y container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python2-pip ca-certificates
-
-ENV DAPPER_SOURCE /source
-ENV DAPPER_OUTPUT ./dist
-ENV DAPPER_ENV COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
-ENV HOME ${DAPPER_SOURCE}
-WORKDIR ${DAPPER_SOURCE}
-
-ENTRYPOINT ["./policy/centos8/scripts/entry"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos9 new/rke2-selinux-0.23.stable.1/Dockerfile.centos9
--- old/rke2-selinux-0.22.stable.1/Dockerfile.centos9 1970-01-01 01:00:00.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos9 2026-06-01 15:43:58.000000000 +0200
@@ -0,0 +1,20 @@
+FROM quay.io/centos/centos:stream9 AS build
+
+RUN yum install -y epel-release \
+ && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python-pip ca-certificates
+
+ENV SOURCE=/source
+
+WORKDIR ${SOURCE}
+
+COPY . .
+
+ARG TAG
+ARG SCRIPT=build
+
+RUN ${SOURCE}/policy/centos9/scripts/entry "${SCRIPT}"
+
+FROM scratch AS result
+ENV SOURCE=/source
+
+COPY --from=build ${SOURCE}/dist /dist
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.centos9.dapper new/rke2-selinux-0.23.stable.1/Dockerfile.centos9.dapper
--- old/rke2-selinux-0.22.stable.1/Dockerfile.centos9.dapper 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.centos9.dapper 1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-FROM quay.io/centos/centos:stream9
-
-RUN yum install -y epel-release \
- && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python-pip ca-certificates
-
-ENV DAPPER_SOURCE /source
-ENV DAPPER_OUTPUT ./dist
-ENV DAPPER_ENV COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
-ENV HOME ${DAPPER_SOURCE}
-WORKDIR ${DAPPER_SOURCE}
-
-ENTRYPOINT ["./policy/centos9/scripts/entry"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.microos new/rke2-selinux-0.23.stable.1/Dockerfile.microos
--- old/rke2-selinux-0.22.stable.1/Dockerfile.microos 1970-01-01 01:00:00.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.microos 2026-06-01 15:43:58.000000000 +0200
@@ -0,0 +1,22 @@
+ARG TUMBLEWEED=opensuse/tumbleweed
+FROM ${TUMBLEWEED} AS build
+ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
+RUN chmod +x /bin/clone3-workaround
+SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
+RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
+
+ENV SOURCE=/source
+
+WORKDIR ${SOURCE}
+
+COPY . .
+
+ARG TAG
+ARG SCRIPT=build
+
+RUN ${SOURCE}/policy/microos/scripts/entry "${SCRIPT}"
+
+FROM scratch AS result
+ENV SOURCE=/source
+
+COPY --from=build ${SOURCE}/dist /dist
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.microos.dapper new/rke2-selinux-0.23.stable.1/Dockerfile.microos.dapper
--- old/rke2-selinux-0.22.stable.1/Dockerfile.microos.dapper 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.microos.dapper 1970-01-01 01:00:00.000000000 +0100
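Review bot: The `ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround` line in Dockerfile.microos fetches an executable with no integrity check, and the next lines make it the `SHELL` wrapper for every later `RUN`, including the one that builds the policy RPM. A release asset can be replaced under the same tag, so the file should be bound to a known hash: `ADD --checksum=sha256:<expected-sha256-placeholder> https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround`. That would bring this file in line with the "Harden via checksum validation" entry in the changelog. The asset name is also hard-coded to x86_64, so the stage presumably cannot run on another build architecture.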
@@ -1,15 +0,0 @@
-ARG TUMBLEWEED=opensuse/tumbleweed
-FROM ${TUMBLEWEED}
-ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
-RUN chmod +x /bin/clone3-workaround
-SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
-RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
-
-
-ENV DAPPER_SOURCE /source
-ENV DAPPER_OUTPUT ./dist
-ENV DAPPER_ENV COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
-ENV HOME ${DAPPER_SOURCE}
-WORKDIR ${DAPPER_SOURCE}
-
-ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.slemicro new/rke2-selinux-0.23.stable.1/Dockerfile.slemicro
--- old/rke2-selinux-0.22.stable.1/Dockerfile.slemicro 1970-01-01 01:00:00.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.slemicro 2026-06-01 15:43:58.000000000 +0200
@@ -0,0 +1,37 @@
+FROM registry.suse.com/suse/sle-micro/5.5:latest AS build
+
+RUN cat <<EOF >/etc/zypp/repos.d/repo-oss.repo
+[repo-oss]
+name=Main Repository
+enabled=1
+autorefresh=1
+baseurl=http://download.opensuse.org/distribution/leap/15.6/repo/oss/
+EOF
+
+RUN cat <<EOF >/etc/zypp/repos.d/leap-micro.repo
+[leap-micro]
+name=Leap Updates
+enabled=1
+autorefresh=1
+baseurl=https://download.opensuse.org/update/leap-micro/5.5/sle/
+EOF
+
+RUN zypper --gpg-auto-import-keys refresh
+RUN zypper in -y -n --force-resolution container-selinux git rpm-build selinux-policy-devel
+
+ENV SOURCE=/source
+
+WORKDIR ${SOURCE}
+
+COPY . .
+
+ARG TAG
+ARG SCRIPT=build
+
+RUN ${SOURCE}/policy/slemicro/scripts/entry "${SCRIPT}"
+
+FROM scratch AS result
+ENV SOURCE=/source
+
+COPY --from=build ${SOURCE}/dist /dist
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Dockerfile.slemicro.dapper new/rke2-selinux-0.23.stable.1/Dockerfile.slemicro.dapper
--- old/rke2-selinux-0.22.stable.1/Dockerfile.slemicro.dapper 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Dockerfile.slemicro.dapper 1970-01-01 01:00:00.000000000 +0100
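Review bot: The `repo-oss` stanza in Dockerfile.slemicro uses `baseurl=http://download.opensuse.org/distribution/leap/15.6/repo/oss/` and is then refreshed with `zypper --gpg-auto-import-keys refresh`, so the signing key that is supposed to authenticate the packages is itself accepted from metadata fetched over cleartext. With both together, the signature check gives no protection against a tampered mirror or an on-path proxy at build time, and `--force-resolution` then installs whatever resolves. The `leap-micro` stanza already uses https, so at minimum the first should match: `baseurl=https://download.opensuse.org/distribution/leap/15.6/repo/oss/`. Importing the expected repository key explicitly (for example with `rpm --import` on a key file kept in the repository) rather than auto-importing would close the remaining trust-on-first-use gap. This stanza was carried over unchanged from the deleted Dockerfile.slemicro.dapper.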
@@ -1,28 +0,0 @@
-FROM registry.suse.com/suse/sle-micro/5.5:latest
-
-RUN cat <<EOF >/etc/zypp/repos.d/repo-oss.repo
-[repo-oss]
-name=Main Repository
-enabled=1
-autorefresh=1
-baseurl=http://download.opensuse.org/distribution/leap/15.6/repo/oss/
-EOF
-
-RUN cat <<EOF >/etc/zypp/repos.d/leap-micro.repo
-[leap-micro]
-name=Leap Updates
-enabled=1
-autorefresh=1
-baseurl=https://download.opensuse.org/update/leap-micro/5.5/sle/
-EOF
-
-RUN zypper --gpg-auto-import-keys refresh
-RUN zypper in -y -n --force-resolution container-selinux git rpm-build selinux-policy-devel
-
-ENV DAPPER_SOURCE /source
-ENV DAPPER_OUTPUT ./dist
-ENV DAPPER_ENV COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
-ENV HOME ${DAPPER_SOURCE}
-WORKDIR ${DAPPER_SOURCE}
-
-ENTRYPOINT ["./policy/slemicro/scripts/entry"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/Makefile new/rke2-selinux-0.23.stable.1/Makefile
--- old/rke2-selinux-0.22.stable.1/Makefile 2026-01-02 14:38:42.000000000 +0100
+++ new/rke2-selinux-0.23.stable.1/Makefile 2026-06-01 15:43:58.000000000 +0200
@@ -1,16 +1,13 @@ BUILD_TARGETS := $(addprefix build-,$(shell ls policy/)) -.dapper: - @echo Downloading dapper - @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp - @@chmod +x .dapper.tmp - @./.dapper.tmp -v - @mv .dapper.tmp .dapper - -$(BUILD_TARGETS): .dapper - ./.dapper -f Dockerfile.$(@:build-%=%).dapper ./policy/$(@:build-%=%)/scripts/build +$(BUILD_TARGETS): + docker buildx build \ + --target result --output=. \ + --build-arg TAG="${TAG}" \ + --build-arg SCRIPT=build \ + -f Dockerfile.$(@:build-%=%) . clean: - rm -rf dist/ Dockerfile.*.dapper[0-9]* + rm -rf dist/ .PHONY: $(BUILD_TARGETS) clean diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos10/rke2-selinux.spec new/rke2-selinux-0.23.stable.1/policy/centos10/rke2-selinux.spec --- old/rke2-selinux-0.22.stable.1/policy/centos10/rke2-selinux.spec 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos10/rke2-selinux.spec 2026-06-01 15:43:58.000000000 +0200 
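Review bot: The new `$(BUILD_TARGETS)` recipe in the Makefile passes `.` as the build context and every new Dockerfile does `COPY . .`, so the whole working tree is copied into the build stage, including a `dist/` left by an earlier target and any untracked local files. `--output=.` then writes the result stage's `/dist` back into the tree, so artifacts from one target can flow into the next target's output. No `.dockerignore` is visible in this diff. If none exists, adding one that excludes `dist/` and anything the build scripts do not need would keep each target's output limited to what it built. `scripts/version` may still need `.git`, so that should stay in the context.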
@@ -15,17 +15,17 @@ mkdir -p /var/run/k3s; \ umask 0077; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ -mkdir -p /var/lib/rancher/rke2/server; \ -restorecon -FRT 0 -i /etc/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/local/lib/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/lib/systemd/system/rke2*; \ -restorecon -FRT 0 /var/lib/cni; \ -restorecon -FRT 0 /opt/cni; \ -restorecon -FRT 0 /etc/cni; \ -restorecon -FRT 0 /var/lib/kubelet; \ -restorecon -FRT 0 /var/lib/rancher; \ -restorecon -FRT 0 /var/run/k3s; \ -restorecon -FRT 0 /var/run/flannel +mkdir -p /var/lib/rancher/rke2/server/db/snapshots; \ +restorecon -RT 0 -i /etc/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/local/lib/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/lib/systemd/system/rke2*; \ +restorecon -RT 0 /var/lib/cni; \ +restorecon -RT 0 /opt/cni; \ +restorecon -RT 0 /etc/cni; \ +restorecon -RT 0 /var/lib/kubelet; \ +restorecon -RT 0 /var/lib/rancher/rke2; \ +restorecon -RT 0 /var/run/k3s; \ +restorecon -RT 0 /var/run/flannel %define selinux_policyver 40.13.26-1 %define container_policyver 2.235.0-2 @@ -93,4 +93,4 @@ %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog -%include %{changelog_path} \ No newline at end of file +%include %{changelog_path} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos10/rke2.fc new/rke2-selinux-0.23.stable.1/policy/centos10/rke2.fc --- old/rke2-selinux-0.22.stable.1/policy/centos10/rke2.fc 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos10/rke2.fc 2026-06-01 15:43:58.000000000 +0200 
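Review bot: Nothing near the relabel commands in policy/centos10/rke2-selinux.spec records why `-F` was dropped from every `restorecon` call, so a later cleanup could easily put it back. Without `-F`, restorecon resets only the type field and skips files whose current type is customizable. That preserves the MCS categories on container files, but a stale label of that kind under `/var/lib/rancher/rke2` or `/var/lib/kubelet` also survives an upgrade. I would add a comment above the macro, which starts outside this hunk, for example `# restorecon runs without -F on purpose: forcing a reset would overwrite the MCS range on container files`. The relabel is also narrowed from `/var/lib/rancher` to `/var/lib/rancher/rke2`, so the parent directory is no longer touched; it is worth confirming that no rule in rke2.fc targets it. The centos8 and centos9 spec hunks make the same change.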
@@ -22,11 +22,13 @@ /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/rancher/rke2/agent/containerd/containerd\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/agent/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) -#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) -#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) -#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/log/pods(/.*)? 
gen_context(system_u:object_r:container_log_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/build new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/build --- old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/build 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/build 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -e -x cd $(dirname $0)/.. -. ./scripts/version +. ../../scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp @@ -13,15 +13,15 @@ . ../../scripts/gen-changelog $CHANGELOG_PATH rpmbuild \ - --define "rke2_selinux_version ${RPM_VERSION}" \ - --define "rke2_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - --define "changelog_path $CHANGELOG_PATH" \ - -ba rke2-selinux.spec + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + --define "changelog_path $CHANGELOG_PATH" \ + -ba rke2-selinux.spec cp -r dist/* /source/dist/centos10 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/entry new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/entry --- old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/entry 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/entry 2026-06-01 15:43:58.000000000 +0200 
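Review bot: The `#/var/run/flannel(/.*)?` entry in policy/centos10/rke2.fc stays commented out while the k3s entries next to it are enabled under both `/run` and `/var/run`, and the spec's relabel macro still runs `restorecon -RT 0 /var/run/flannel`. If flannel's runtime directory is meant to get `container_var_run_t` from this module, it needs the same pair of entries. If that label is deliberately left to container-selinux, a short comment saying so would keep the next reader from treating it as an oversight. A comment explaining why both spellings are listed would also help, since one pair is presumably redundant wherever the base policy already treats `/var/run` and `/run` as equivalent. The centos9 rke2.fc hunk is identical.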
@@ -2,11 +2,7 @@ set -ex if [ -e ./policy/centos10/scripts/"$1" ]; then - ./policy/centos10/scripts/"$@" + ./policy/centos10/scripts/"$@" else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . + exec "$@" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/version new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/version --- old/rke2-selinux-0.22.stable.1/policy/centos10/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos10/scripts/version 1970-01-01 01:00:00.000000000 +0100 
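Review bot: The `[ -e ./policy/centos10/scripts/"$1" ]` test in policy/centos10/scripts/entry is also true when `$1` is empty or names a directory, so a build with `--build-arg SCRIPT=` ends up trying to execute the scripts directory itself. The script now appears to be reached only through the Dockerfile's `RUN ... entry "${SCRIPT}"`, so the `exec "$@"` fallback turns a mistyped script name into an attempt to run it as an arbitrary command rather than a clear error. I would tighten the test to `if [ -n "$1" ] && [ -f ./policy/centos10/scripts/"$1" ]; then` and have the else branch print a message to stderr and `exit 1`. The script's first lines are outside the hunk, and the centos8 and centos9 entry scripts appear to share the same structure.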
@@ -1,62 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -VERSION=$TAG - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; -esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos8/rke2-selinux.spec new/rke2-selinux-0.23.stable.1/policy/centos8/rke2-selinux.spec --- old/rke2-selinux-0.22.stable.1/policy/centos8/rke2-selinux.spec 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos8/rke2-selinux.spec 2026-06-01 15:43:58.000000000 +0200 
@@ -15,16 +15,16 @@ mkdir -p /var/run/k3s; \ umask 0077; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ -mkdir -p /var/lib/rancher/rke2/server; \ -restorecon -FR -i /etc/systemd/system/rke2*; \ -restorecon -FR -i /usr/lib/systemd/system/rke2*; \ -restorecon -FR /var/lib/cni; \ -restorecon -FR /opt/cni; \ -restorecon -FR /etc/cni; \ -restorecon -FR /var/lib/kubelet; \ -restorecon -FR /var/lib/rancher; \ -restorecon -FR /var/run/k3s; \ -restorecon -FR /var/run/flannel +mkdir -p /var/lib/rancher/rke2/server/db/snapshots; \ +restorecon -R -i /etc/systemd/system/rke2*; \ +restorecon -R -i /usr/lib/systemd/system/rke2*; \ +restorecon -R /var/lib/cni; \ +restorecon -R /opt/cni; \ +restorecon -R /etc/cni; \ +restorecon -R /var/lib/kubelet; \ +restorecon -R /var/lib/rancher/rke2; \ +restorecon -R /var/run/k3s; \ +restorecon -R /var/run/flannel %define selinux_policyver 3.13.1-252 %define container_policyver 2.167.0-1 @@ -92,4 +92,4 @@ %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog -%include %{changelog_path} \ No newline at end of file +%include %{changelog_path} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos8/rke2.fc new/rke2-selinux-0.23.stable.1/policy/centos8/rke2.fc --- old/rke2-selinux-0.22.stable.1/policy/centos8/rke2.fc 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos8/rke2.fc 2026-06-01 15:43:58.000000000 +0200 
@@ -22,7 +22,7 @@ /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/rancher/rke2/agent/containerd/containerd\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/agent/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/build new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/build --- old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/build 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/build 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -e -x cd $(dirname $0)/.. -. ./scripts/version +. ../../scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp 
@@ -13,15 +13,15 @@ . ../../scripts/gen-changelog $CHANGELOG_PATH rpmbuild \ - --define "rke2_selinux_version ${RPM_VERSION}" \ - --define "rke2_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - --define "changelog_path $CHANGELOG_PATH" \ - -ba rke2-selinux.spec + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + --define "changelog_path $CHANGELOG_PATH" \ + -ba rke2-selinux.spec cp -r dist/* /source/dist/centos8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/entry new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/entry --- old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/entry 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/entry 2026-06-01 15:43:58.000000000 +0200 @@ -6,7 +6,3 @@ else exec "$@" fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/version new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/version --- old/rke2-selinux-0.22.stable.1/policy/centos8/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos8/scripts/version 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; -esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos9/rke2-selinux.spec new/rke2-selinux-0.23.stable.1/policy/centos9/rke2-selinux.spec --- old/rke2-selinux-0.22.stable.1/policy/centos9/rke2-selinux.spec 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos9/rke2-selinux.spec 2026-06-01 15:43:58.000000000 +0200 
@@ -15,17 +15,17 @@ mkdir -p /var/run/k3s; \ umask 0077; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ -mkdir -p /var/lib/rancher/rke2/server; \ -restorecon -FRT 0 -i /etc/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/local/lib/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/lib/systemd/system/rke2*; \ -restorecon -FRT 0 /var/lib/cni; \ -restorecon -FRT 0 /opt/cni; \ -restorecon -FRT 0 /etc/cni; \ -restorecon -FRT 0 /var/lib/kubelet; \ -restorecon -FRT 0 /var/lib/rancher; \ -restorecon -FRT 0 /var/run/k3s; \ -restorecon -FRT 0 /var/run/flannel +mkdir -p /var/lib/rancher/rke2/server/db/snapshots; \ +restorecon -RT 0 -i /etc/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/local/lib/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/lib/systemd/system/rke2*; \ +restorecon -RT 0 /var/lib/cni; \ +restorecon -RT 0 /opt/cni; \ +restorecon -RT 0 /etc/cni; \ +restorecon -RT 0 /var/lib/kubelet; \ +restorecon -RT 0 /var/lib/rancher/rke2; \ +restorecon -RT 0 /var/run/k3s; \ +restorecon -RT 0 /var/run/flannel %define selinux_policyver 3.13.1-252 %define container_policyver 2.191.0-1 @@ -93,4 +93,4 @@ %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog -%include %{changelog_path} \ No newline at end of file +%include %{changelog_path} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos9/rke2.fc new/rke2-selinux-0.23.stable.1/policy/centos9/rke2.fc --- old/rke2-selinux-0.22.stable.1/policy/centos9/rke2.fc 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos9/rke2.fc 2026-06-01 15:43:58.000000000 +0200 
@@ -22,11 +22,13 @@ /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/rancher/rke2/agent/containerd/containerd\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/agent/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) -#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) -#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) -#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/log/pods(/.*)? 
gen_context(system_u:object_r:container_log_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/build new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/build --- old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/build 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/build 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -e -x cd $(dirname $0)/.. -. ./scripts/version +. ../../scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp @@ -14,15 +14,15 @@ . ../../scripts/gen-changelog $CHANGELOG_PATH rpmbuild \ - --define "rke2_selinux_version ${RPM_VERSION}" \ - --define "rke2_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - --define "changelog_path $CHANGELOG_PATH" \ - -ba rke2-selinux.spec + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + --define "changelog_path $CHANGELOG_PATH" \ + -ba rke2-selinux.spec cp -r dist/* /source/dist/centos9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/entry new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/entry --- old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/entry 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/entry 2026-06-01 15:43:58.000000000 +0200 
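Review bot: The new `/run/k3s` and `/var/run/k3s` entries in `rke2.fc` are listed twice with identical contexts and nothing says why both spellings are needed, while `#/var/run/flannel(/.*)?` stays commented out even though the spec's relabel macro still runs `restorecon -RT 0 /var/run/flannel`. A short comment above the pair, such as `# /var/run is a symlink to /run on rhel9/10; both paths are listed so either spelling resolves to container_var_run_t`, would record the reason, assuming that is the reason. Please also state whether flannel's runtime directory is meant to keep the base policy's label, or drop the commented line. The file continues outside the hunk on both sides.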
@@ -6,7 +6,3 @@ else exec "$@" fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/version new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/version --- old/rke2-selinux-0.22.stable.1/policy/centos9/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/centos9/scripts/version 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; -esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/microos/rke2-selinux.spec new/rke2-selinux-0.23.stable.1/policy/microos/rke2-selinux.spec --- old/rke2-selinux-0.22.stable.1/policy/microos/rke2-selinux.spec 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/microos/rke2-selinux.spec 2026-06-01 15:43:58.000000000 +0200 @@ -2,8 +2,6 @@ %define rke2_relabel_files() \ umask 0022; \ -mkdir -p /etc/cni; \ -mkdir -p /opt/cni; \ mkdir -p /var/lib/cni; \ mkdir -p /var/lib/kubelet; \ mkdir -p /var/lib/rancher/rke2/data; \ 
@@ -15,16 +13,21 @@ mkdir -p /var/run/k3s; \ umask 0077; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ -mkdir -p /var/lib/rancher/rke2/server; \ -restorecon -FRT 0 -i /etc/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/lib/systemd/system/rke2*; \ -restorecon -FRT 0 /var/lib/cni; \ -restorecon -FRT 0 /opt/cni; \ -restorecon -FRT 0 /etc/cni; \ -restorecon -FRT 0 /var/lib/kubelet; \ -restorecon -FRT 0 /var/lib/rancher; \ -restorecon -FRT 0 /var/run/k3s; \ -restorecon -FRT 0 /var/run/flannel +mkdir -p /var/lib/rancher/rke2/server/db/snapshots; \ +restorecon -RT 0 /var/lib/cni; \ +restorecon -RT 0 /var/lib/kubelet; \ +restorecon -RT 0 /var/lib/rancher/rke2; \ +restorecon -RT 0 /var/run/k3s; \ +restorecon -RT 0 /var/run/flannel; \ +if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \ +umask 0022; \ +mkdir -p /etc/cni; \ +mkdir -p /opt/cni; \ +restorecon -RT 0 -i /etc/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/lib/systemd/system/rke2*; \ +restorecon -RT 0 /opt/cni; \ +restorecon -RT 0 /etc/cni; \ +fi %define selinux_policyver 20210716-3.1 %define container_policyver 2.164.2-1.1 @@ -74,7 +77,9 @@ %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy + if [ -z "${TRANSACTIONAL_UPDATE}" ]; then + /usr/sbin/load_policy + fi %rke2_relabel_files fi; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/microos/rke2.fc new/rke2-selinux-0.23.stable.1/policy/microos/rke2.fc --- old/rke2-selinux-0.22.stable.1/policy/microos/rke2.fc 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/microos/rke2.fc 2026-06-01 15:43:58.000000000 +0200 
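Review bot: When `TRANSACTIONAL_UPDATE` is set, `%post` now skips `load_policy` but `%rke2_relabel_files` still runs `restorecon` on `/var/lib/cni`, `/var/lib/kubelet`, `/var/lib/rancher/rke2`, `/var/run/k3s` and `/var/run/flannel`. On a first install the running kernel policy presumably does not yet know the module's own types (for example `rke2_tls_t` from `rke2.fc`), and the exit status of `restorecon` is not checked. Those paths may therefore stay unlabelled until something relabels them after the reboot into the new snapshot. Please document what performs that relabel, for example with `# transactional-update: policy loads on next boot; /var paths are relabelled by <mechanism, TODO confirm>` above the `if` in `%post`, or defer the `/var` relabel to first boot. The same pattern is in the slemicro spec hunks, and the macro starts above the hunk.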
@@ -22,7 +22,7 @@ /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/rancher/rke2/agent/containerd/containerd\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/agent/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/microos/scripts/build new/rke2-selinux-0.23.stable.1/policy/microos/scripts/build --- old/rke2-selinux-0.22.stable.1/policy/microos/scripts/build 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/microos/scripts/build 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -e -x cd $(dirname $0)/.. -. ./scripts/version +. ../../scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp 
@@ -13,15 +13,15 @@ . ../../scripts/gen-changelog $CHANGELOG_PATH rpmbuild \ - --define "rke2_selinux_version ${RPM_VERSION}" \ - --define "rke2_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - --define "changelog_path $CHANGELOG_PATH" \ - -ba rke2-selinux.spec + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + --define "changelog_path $CHANGELOG_PATH" \ + -ba rke2-selinux.spec cp -r dist/* /source/dist/microos diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/microos/scripts/entry new/rke2-selinux-0.23.stable.1/policy/microos/scripts/entry --- old/rke2-selinux-0.22.stable.1/policy/microos/scripts/entry 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/microos/scripts/entry 2026-06-01 15:43:58.000000000 +0200 @@ -6,7 +6,3 @@ else exec "$@" fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/microos/scripts/version new/rke2-selinux-0.23.stable.1/policy/microos/scripts/version --- old/rke2-selinux-0.22.stable.1/policy/microos/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/microos/scripts/version 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; -esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/slemicro/rke2-selinux.spec new/rke2-selinux-0.23.stable.1/policy/slemicro/rke2-selinux.spec --- old/rke2-selinux-0.22.stable.1/policy/slemicro/rke2-selinux.spec 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/slemicro/rke2-selinux.spec 2026-06-01 15:43:58.000000000 +0200 @@ -2,8 +2,6 @@ %define rke2_relabel_files() \ umask 0022; \ -mkdir -p /etc/cni; \ -mkdir -p /opt/cni; \ mkdir -p /var/lib/cni; \ mkdir -p /var/lib/kubelet; \ mkdir -p /var/lib/rancher/rke2/data; \ 
@@ -15,16 +13,21 @@ mkdir -p /var/run/k3s; \ umask 0077; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ -mkdir -p /var/lib/rancher/rke2/server; \ -restorecon -FRT 0 -i /etc/systemd/system/rke2*; \ -restorecon -FRT 0 -i /usr/lib/systemd/system/rke2*; \ -restorecon -FRT 0 /var/lib/cni; \ -restorecon -FRT 0 /opt/cni; \ -restorecon -FRT 0 /etc/cni; \ -restorecon -FRT 0 /var/lib/kubelet; \ -restorecon -FRT 0 /var/lib/rancher; \ -restorecon -FRT 0 /var/run/k3s; \ -restorecon -FRT 0 /var/run/flannel +mkdir -p /var/lib/rancher/rke2/server/db/snapshots; \ +restorecon -RT 0 /var/lib/cni; \ +restorecon -RT 0 /var/lib/kubelet; \ +restorecon -RT 0 /var/lib/rancher/rke2; \ +restorecon -RT 0 /var/run/k3s; \ +restorecon -RT 0 /var/run/flannel; \ +if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \ +umask 0022; \ +mkdir -p /etc/cni; \ +mkdir -p /opt/cni; \ +restorecon -RT 0 -i /etc/systemd/system/rke2*; \ +restorecon -RT 0 -i /usr/lib/systemd/system/rke2*; \ +restorecon -RT 0 /opt/cni; \ +restorecon -RT 0 /etc/cni; \ +fi %define selinux_policyver 20210716-3.1 %define selinux_policyver_build 3.13.1-252 @@ -75,7 +78,9 @@ %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy + if [ -z "${TRANSACTIONAL_UPDATE}" ]; then + /usr/sbin/load_policy + fi %rke2_relabel_files fi; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/slemicro/rke2.fc new/rke2-selinux-0.23.stable.1/policy/slemicro/rke2.fc --- old/rke2-selinux-0.22.stable.1/policy/slemicro/rke2.fc 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/slemicro/rke2.fc 2026-06-01 15:43:58.000000000 +0200 
@@ -23,7 +23,7 @@ /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/rancher/rke2/agent/containerd/containerd\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/agent/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/build new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/build --- old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/build 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/build 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -e -x cd $(dirname $0)/.. -. ./scripts/version +. ../../scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp 
@@ -13,16 +13,16 @@ . ../../scripts/gen-changelog $CHANGELOG_PATH rpmbuild \ - --define "rke2_selinux_version ${RPM_VERSION}" \ - --define "rke2_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - --define "changelog_path $CHANGELOG_PATH" \ - -ba rke2-selinux.spec + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + --define "changelog_path $CHANGELOG_PATH" \ + -ba rke2-selinux.spec mkdir -p /source/dist/slemicro cp -r dist/* /source/dist/slemicro diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/entry new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/entry --- old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/entry 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/entry 2026-06-01 15:43:58.000000000 +0200 @@ -6,7 +6,3 @@ else exec "$@" fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/version new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/version --- old/rke2-selinux-0.22.stable.1/policy/slemicro/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/policy/slemicro/scripts/version 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; -esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/scripts/gen-changelog new/rke2-selinux-0.23.stable.1/scripts/gen-changelog --- old/rke2-selinux-0.22.stable.1/scripts/gen-changelog 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/scripts/gen-changelog 2026-06-01 15:43:58.000000000 +0200 @@ -2,7 +2,7 @@ set -euo pipefail OUT="${1:?usage: gen-spec-changelog <output-path>}" -REPO="${DAPPER_SOURCE:-/source}" +REPO="${SOURCE:-/source}" RPM_VERSION="${RPM_VERSION:?RPM_VERSION missing}" RPM_RELEASE="${RPM_RELEASE:?RPM_RELEASE missing}" @@ -15,7 +15,7 @@ RANGE_ARGS=() if [[ -n "$COMMIT" ]]; then - if [[ "$TAG" =~ ^(v[0-9]+\.[0-9]+)\.([^.]+)\.([0-9]+)$ ]]; then + if [[ "$TAG" =~ ^(v[0-9]+\.[0-9]+)\.([^.]+)\.([0-9]+)$ ]]; then base="${BASH_REMATCH[1]}" channel="${BASH_REMATCH[2]}" release="${BASH_REMATCH[3]}" 
@@ -26,37 +26,40 @@ mapfile -t tag_list < <(git -C "$REPO" tag --list "${base}.${channel}.*" 2>/dev/null | sort -V) fi - prev_tag="" - for i in "${!tag_list[@]}"; do - if [[ "${tag_list[i]}" == "$TAG" ]]; then - break - fi - prev_tag="${tag_list[i]}" - done - - echo "Found previous tag: ${prev_tag:-<none>}" - - if [[ -n "$prev_tag" ]]; then - RANGE_ARGS=("${prev_tag}..${TAG}") - else - RANGE_ARGS=("${TAG}^..${TAG}") - fi - else - LATEST_TAG="$(git -C "$REPO" tag --list --sort=-v:refname | head -n1)" - echo $LATEST_TAG - RANGE_ARGS=("${LATEST_TAG}...${COMMIT}") - echo $RANGE_ARGS + prev_tag="" + for i in "${!tag_list[@]}"; do + if [[ "${tag_list[i]}" == "$TAG" ]]; then + break + fi + prev_tag="${tag_list[i]}" + done + + echo "Found previous tag: ${prev_tag:-<none>}" + + if [[ -n "$prev_tag" ]]; then + RANGE_ARGS=("${prev_tag}..${TAG}") + else + RANGE_ARGS=("${TAG}^..${TAG}") fi + else + LATEST_TAG="$(git -C "$REPO" tag --list --sort=-v:refname | head -n1)" + echo $LATEST_TAG + RANGE_ARGS=("${LATEST_TAG}...${COMMIT}") + echo $RANGE_ARGS + fi else - echo "COMMIT is missing: $COMMIT" - exit 1 + echo "COMMIT is missing: $COMMIT" + exit 1 fi - { echo "* ${DATE} ${PACKAGER} - ${RPM_VERSION}.${RPM_CHANNEL}.${RPM_RELEASE}" git_output="$(git -C "$REPO" log "${RANGE_ARGS[@]}" --no-merges --pretty='format:- %s' 2>/dev/null || true)" - printf '%s\n' "$git_output" -} > "$OUT" + if [[ -z "$git_output" ]]; then + printf '%s\n' "- No changelogs for this version" + else + printf '%s\n' "$git_output" + fi +} >"$OUT" sed -i 's/[\x00-\x1F\x7F]//g' "$OUT" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/scripts/sign-and-upload new/rke2-selinux-0.23.stable.1/scripts/sign-and-upload --- old/rke2-selinux-0.22.stable.1/scripts/sign-and-upload 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/scripts/sign-and-upload 2026-06-01 15:43:58.000000000 +0200 
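Review bot: The new "- No changelogs for this version" fallback cannot tell an empty history from a failed `git log`, because the command above it still ends in `2>/dev/null || true`. A bad range would then produce a changelog that looks valid; one visible case is an empty `LATEST_TAG`, which turns `RANGE_ARGS` into `...${COMMIT}`, and a repository git refuses to read would do the same. Let the failure surface instead: `if ! git_output="$(git -C "$REPO" log "${RANGE_ARGS[@]}" --no-merges --pretty='format:- %s')"; then echo "git log failed for ${RANGE_ARGS[*]}" >&2; exit 1; fi`. The two debug lines `echo $LATEST_TAG` and `echo $RANGE_ARGS` are unquoted, and the second prints only the first array element; `echo "${RANGE_ARGS[@]}"` is what was meant. The script begins above this hunk.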
@@ -89,7 +89,9 @@ ;; esac -wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling +RPM_TOOLING_SHA256="fa468d7a4459eff0ae9924286f2a4faf50d101f110798ca675033f0156118c85" +wget -q https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling -O rpm_tooling +echo "${RPM_TOOLING_SHA256} rpm_tooling" | sha256sum -c - chmod +x rpm_tooling mv ./rpm_tooling /usr/bin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rke2-selinux-0.22.stable.1/scripts/version new/rke2-selinux-0.23.stable.1/scripts/version --- old/rke2-selinux-0.22.stable.1/scripts/version 2026-01-02 14:38:42.000000000 +0100 +++ new/rke2-selinux-0.23.stable.1/scripts/version 2026-06-01 15:43:58.000000000 +0200 
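Review bot: The checksum check only protects the install if a mismatch stops the script, and the download URL still tracks the moving `master` ref. Whether `set -e` is active is not visible in this hunk; if it is not, `chmod +x rpm_tooling` and `mv ./rpm_tooling /usr/bin` still run after a failed `sha256sum -c -`, so append `|| { echo "rpm_tooling checksum mismatch" >&2; exit 1; }` to that line. Pinning the URL to the commit the hash was taken from, `.../ecm-distro-tools/<pinned-commit-sha>/bin/rpm_tooling`, keeps the build from breaking on every upstream edit and makes the hash reviewable against a fixed revision. `wget -q` also hides the reason for a failed download, so a short message on failure would help whoever debugs the pipeline. The script starts and ends outside the hunk.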
@@ -1,40 +1,39 @@ #!/bin/bash TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} +COMMIT=${COMMIT:-${GITHUB_SHA:-unknown}} +TAG=${TAG:-${GITHUB_TAG}} +SOURCE=${SOURCE:-/source} + +git config --global --add safe.directory $SOURCE + +if [ -n "$(git status --porcelain --untracked-files=no)" ]; then + DIRTY="dirty" + TREE_STATE=dirty +fi + +if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then + TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit +fi -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd +COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) +if [ -z "$COMMIT" ]; then + COMMIT=$(git rev-parse HEAD || true) fi if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi + if [[ "$TREE_STATE" = "clean" ]]; then + VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. + fi else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" + VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." 
- exit 1 + echo "Version $VERSION does not match our expected format. Exiting." + exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' @@ -45,16 +44,16 @@ RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" + echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" + RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in - "testing"|"latest"|"stable") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" - exit 1 - ;; +"testing" | "latest" | "stable") + echo "RPM_CHANNEL matched our expected variants" + ;; +*) + echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" + exit 1 + ;; esac ++++++ rke2-selinux.obsinfo ++++++ --- /var/tmp/diff_new_pack.DXjQEl/_old 2026-06-05 14:58:02.818715406 +0200 +++ /var/tmp/diff_new_pack.DXjQEl/_new 2026-06-05 14:58:02.826715737 +0200 @@ -1,5 +1,5 @@ name: rke2-selinux -version: 0.22.stable.1 -mtime: 1767361122 -commit: 09645c96d91bf0f239e9f54603b959afdaca68a1 +version: 0.23.stable.1 +mtime: 1780321438 +commit: 95659f017f74a6833be3d2576ce47e0755611c53
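Review bot: `git config --global --add safe.directory $SOURCE` in the first hunk expands `$SOURCE` unquoted and appends to the invoking user's global git config on every run. Outside a throwaway build container that permanently switches off git's ownership check for that path and accumulates duplicate entries. Quote it, `git config --global --add safe.directory "$SOURCE"`, and consider scoping it to the build by setting `GIT_CONFIG_GLOBAL` to a temporary file. With the `pushd` removed, the `git status`, `git tag` and `git log` calls now run in whatever directory the sourcing script is in; the build scripts `cd $(dirname $0)/..` first. Using `git -C "$SOURCE" ...` as `gen-changelog` does with `$REPO` would keep the inspected repository and the trusted directory the same. The removed `-d .git` guard also means a missing repository now falls through to the `v0.0~unknown...` version rather than being detected.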
