Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2021-08-12 09:01:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"

Thu Aug 12 09:01:02 2021 rev:8 rq:910793 version:2.164.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2021-04-26 16:39:07.730028314 +0200
+++ /work/SRC/openSUSE:Factory/.container-selinux.new.1899/container-selinux.changes 2021-08-12 09:01:48.066138103 +0200
@@ -1,0 +2,9 @@
+Mon Aug 9 07:44:17 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Update to version 2.164.2
+ * Don't setup users for writing to pid_sockets
+ * Allow container engines to be started from the staff user.
+ * Allow spc_t domains to set bpf rules on any domain
+ * Add support for k3s
+
+-------------------------------------------------------------------

Old:
----
 container-selinux-2.160.1.tar.gz

New:
----
 container-selinux-2.164.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.k5KNlK/_old 2021-08-12 09:01:48.466137465 +0200
+++ /var/tmp/diff_new_pack.k5KNlK/_new 2021-08-12 09:01:48.470137459 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name: container-selinux
-Version: 2.160.1
+Version: 2.164.2
 Release: 0
 Summary: SELinux policies for container runtimes
 License: GPL-2.0-only

++++++ container-selinux-2.160.1.tar.gz -> container-selinux-2.164.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.160.1/container.fc new/container-selinux-2.164.2/container.fc
--- old/container-selinux-2.160.1/container.fc 2021-04-22 16:52:57.000000000 +0200
+++ new/container-selinux-2.164.2/container.fc 2021-08-02 19:18:31.000000000 +0200
@@ -5,6 +5,8 @@
 /usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -33,10 +35,13 @@
 /usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
 /usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
 /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
 /etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
@@ -60,6 +65,14 @@
 /var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+
 /var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -85,6 +98,7 @@
 /var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kublet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
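Review bot: The new file context `/var/lib/kublet(/.*)?` looks like a misspelling of `/var/lib/kubelet`: the next hunk labels `/var/lib/kubelet/pods(/.*)?`, and no other `kublet` path appears anywhere on this page. As written the entry never matches the kubelet state directory, so everything under `/var/lib/kubelet` other than `pods` keeps whatever label the base policy gives it and the `container_var_lib_t` label this entry was meant to apply is silently missing. Suggested change: `/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)`. If the spelling is intentional, a comment naming the component that actually uses `/var/lib/kublet` would stop the next reader from "fixing" it.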
@@ -94,6 +108,21 @@
 /var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
+/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
+/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
 /var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.160.1/container.if new/container-selinux-2.164.2/container.if
--- old/container-selinux-2.160.1/container.if 2021-04-22 16:52:57.000000000 +0200
+++ new/container-selinux-2.164.2/container.if 2021-08-02 19:18:31.000000000 +0200
@@ -256,10 +256,13 @@
 interface(`container_manage_config_files',`
 gen_require(`
 type container_config_t;
+ type kubernetes_file_t;
 ')
 files_search_var_lib($1)
 manage_files_pattern($1, container_config_t, container_config_t)
+ manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t)
+ manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t)
 ')
 ########################################
@@ -494,6 +497,7 @@
 type kubernetes_file_t;
 type container_runtime_tmpfs_t;
 type container_kvm_var_run_t;
+ type data_home_t;
 ')
 files_pid_filetrans($1, container_var_run_t, file, "container.pid")
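Review bot: `/var/lib/rancher/k3s/data(/.*)?` labels an entire directory tree `container_runtime_exec_t`, so every file k3s writes under `data/`, not only the binaries it unpacks there, becomes an entrypoint type for the container runtime domain; the other exec entries on this page (`/usr/s?bin/kubelet.*`, `/usr/bin/k3s`, the `[^/]*plugin` patterns) all name individual files. Since the parent `/var/lib/rancher/k3s(/.*)?` is `container_var_lib_t`, the practical effect is presumably that the runtime can populate a tree that is then relabeled to its own exec type by `restorecon`; whether the runtime domain can write `container_var_lib_t` is not visible on this page, so confirm that against container.te before accepting that reading. The trade-off deserves a comment above the line, e.g. `# k3s unpacks its bundled runtime binaries under data/; the whole tree is labeled exec so they can be started. Narrow this if k3s ever ships a fixed bin/ layout.`, and if k3s does have a fixed layout a `data/[^/]*/bin(/.*)?` pattern would be the narrower entry.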
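Review bot: `container_manage_config_files` now also grants `manage_dirs_pattern`/`manage_files_pattern` on `kubernetes_file_t`, so every existing caller that only wanted container config access picks up create/delete rights on the kubernetes pid directory (the `files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")` line in a later hunk shows where that type lives). The interface's description block, which starts above this hunk, should say so; suggest adding `## Also grants management of kubernetes_file_t directories and files (e.g. the "kubernetes" pid directory).` to it. If the widening is only needed by the k3s/kubelet runtime, a separate interface, or adding the two patterns to the runtime domain directly in container.te, would keep this interface as narrow as its name promises.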
@@ -529,9 +533,18 @@
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers")
+
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
+
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
 userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
 filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
 files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
@@ -573,7 +586,6 @@
 ')
 files_search_pids($1)
- files_write_all_pid_sockets($1)
 allow $1 spc_t:unix_stream_socket connectto;
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.160.1/container.te new/container-selinux-2.164.2/container.te
--- old/container-selinux-2.160.1/container.te 2021-04-22 16:52:57.000000000 +0200
+++ new/container-selinux-2.164.2/container.te 2021-08-02 19:18:31.000000000 +0200
@@ -1,4 +1,5 @@
-policy_module(container, 2.160.0)
+policy_module(container, 2.164.2)
+
 gen_require(`
 class passwd rootok;
 ')
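Review bot: The added `filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")` has no matching `HOME_DIR/\.local/share/containers/storage/kata-containers` entry in the container.fc hunks on this page, which only add the `overlay*` and `volumes` paths under the rootless storage directory. A directory the runtime creates would get `container_ro_file_t` at creation time and then be relabeled back to `data_home_t` by the next `restorecon`, unless such an entry exists outside the shown hunks; either add `HOME_DIR/\.local/share/containers/storage/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)` to container.fc or drop the transition. The enclosing interface starts outside the hunk.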
@@ -114,6 +115,7 @@
 #
 allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
 allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+allow container_runtime_domain self:lockdown { confidentiality integrity };
 allow container_runtime_domain self:process ~setcurrent;
 allow container_runtime_domain self:passwd rootok;
 allow container_runtime_domain self:fd use;
@@ -434,7 +436,6 @@
 fs_relabelfrom_tmpfs(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_getattr_all_fs(container_runtime_domain)
-fs_list_inotifyfs(container_runtime_domain)
 fs_rw_inherited_tmpfs_files(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_search_tmpfs(container_runtime_domain)
@@ -453,7 +454,7 @@
 systemd_status_all_unit_files(container_runtime_domain)
 systemd_start_systemd_services(container_runtime_domain)
 systemd_dbus_chat_logind(container_runtime_domain)
-systemd_dbus_chat_resolved(container_runtime_domain)
+systemd_chat_resolved(container_runtime_domain)
 userdom_stream_connect(container_runtime_domain)
 userdom_search_user_home_content(container_runtime_domain)
@@ -666,6 +667,9 @@
 optional_policy(`
 unconfined_domain_noaudit(spc_t)
 domain_ptrace_all_domains(spc_t)
+ # This should eventually be in upstream policy.
+ # https://github.com/fedora-selinux/selinux-policy/pull/806
+ allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
 ')
 optional_policy(`
@@ -845,7 +849,6 @@
 kernel_get_sysvipc_info(container_domain)
 fs_getattr_all_fs(container_domain)
-fs_list_inotifyfs(container_domain)
 fs_rw_inherited_tmpfs_files(container_domain)
 fs_read_tmpfs_symlinks(container_domain)
 fs_search_tmpfs(container_domain)
@@ -1134,6 +1137,8 @@
 container_runtime_run(user_t, user_r)
 role user_r types container_user_domain;
+
+ staff_role_change_to(system_r)
 ')
 gen_require(`
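Review bot: `allow container_runtime_domain self:lockdown { confidentiality integrity };` is added without a comment, unlike the bpf rule in the `@@ -666` hunk, which cites its upstream reference. As I understand the lockdown LSM, `integrity` gates operations that can alter the running kernel and `confidentiality` gates reading kernel state, and here both are granted to every domain in the `container_runtime_domain` attribute rather than only to `spc_t`, so the reason should be recorded next to the rule. Suggested comment: `# lockdown LSM: needed when the kernel runs with lockdown=integrity|confidentiality; <operation that was denied> triggers it — see <upstream ref>`, with the placeholders filled in by whoever saw the denial, since the triggering operation is not visible on this page. If only one of the two permissions is actually required, drop the other.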
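Review bot: `staff_role_change_to(system_r)` is the security-relevant line of the last hunk and carries no comment; the changelog on this page says it exists so container engines can be started from the staff user, but as far as I can tell from the interface name its effect is that any `staff_r` session may change to `system_r`, which is far broader than the container runtime. If running the runtime is the only goal, the two lines just above show the narrower pattern: `container_runtime_run(staff_t, staff_r)` plus `role staff_r types container_user_domain;` confines the grant to the runtime domains, assuming `staff_t`/`staff_r` are in scope for this block. If the role change really is required, the comment should say which engine needs it and why the run-interface pattern is insufficient. The enclosing `optional_policy` block starts outside the hunk, and the hunk's trailing context appears to end exactly at the end of this page, so check the full context before applying this.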