Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2024-01-12 23:44:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.21961 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux" Fri Jan 12 23:44:15 2024 rev:20 rq:1138077 version:2.228.0 Changes: --------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2023-10-02 20:05:05.723846109 +0200
+++ /work/SRC/openSUSE:Factory/.container-selinux.new.21961/container-selinux.changes 2024-01-12 23:44:32.380649782 +0100
@@ -1,0 +2,18 @@
+Thu Jan 11 08:37:53 UTC 2024 - Johannes Segitz <jseg...@suse.com>
+
+- Update to version 2.228:
+ * Allow container domains to watch fifo_files
+ * container_engine_t: improve for podman in kubernetes case
+ * Allow spc_t to transition to install_t domain
+ * Default to allowing containers to use dri devices
+ * Allow access to BPF Filesystems
+ * Fix kubernetes transition rule
+ * Label kubensenter as well as kubenswrapper
+ * Allow container domains to execute container_runtime_tmpfs_t files
+ * Allow container domains to ptrace themselves
+ * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
+ * Add boolean to allow containers to use dri devices
+ * Give containers access to pod resources endpoint
+ * Label kubenswrapper kubelet_exec_t
+
+-------------------------------------------------------------------
Old: ---- v2.222.0.tar.gz New: ---- v2.228.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.1F2de1/_old 2024-01-12 23:44:33.804701903 +0100
+++ /var/tmp/diff_new_pack.1F2de1/_new 2024-01-12 23:44:33.808702050 +0100
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.222.0
+Version: 2.228.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ v2.222.0.tar.gz -> v2.228.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/.packit.yaml new/container-selinux-2.228.0/.packit.yaml
--- old/container-selinux-2.222.0/.packit.yaml 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/.packit.yaml 2024-01-11 04:11:38.000000000 +0100
@@ -11,36 +11,79 @@ jobs: - job: copr_build trigger: pull_request + notifications: + failure_comment: + message: "Ephemeral COPR build failed. @containers/packit-build please check." enable_net: true # container-selinux is noarch so we only need to test on one arch - targets: &pr_copr_targets + targets: - fedora-all - - centos-stream-9 - - centos-stream-8 + - fedora-eln + - epel-9 + - epel-8 # Run on commit to main branch + # Build targets managed in copr settings - job: copr_build trigger: commit + notifications: + failure_comment: + message: "podman-next COPR build failed. @containers/packit-build please check." branch: main owner: rhcontainerbot project: podman-next enable_net: true # All tests specified in the `/plans/` subdir - # FIXME: uncomment e2e tests after disk space issues resolved on testing farm - #- job: tests - # trigger: pull_request - # targets: *test_targets - # identifier: podman_e2e_test - # tmt_plan: "/plans/podman_e2e_test" + # Podman e2e tests for Fedora and CentOS Stream + - job: tests + trigger: pull_request + notifications: + failure_comment: + message: "podman e2e tests failed. @containers/packit-build please check." + targets: &pr_test_targets + - fedora-all + - epel-9 + - epel-8 + identifier: podman_e2e_test + tmt_plan: "/plans/podman_e2e_test" + # Podman system tests for Fedora and CentOS Stream - job: tests trigger: pull_request - # arch assumed to be x86_64 by default. - targets: *pr_copr_targets + notifications: + failure_comment: + message: "podman system tests failed. @containers/packit-build please check." + targets: *pr_test_targets identifier: podman_system_test tmt_plan: "/plans/podman_system_test" + # Podman e2e tests for RHEL + - job: tests + trigger: pull_request + use_internal_tf: true + notifications: + failure_comment: + message: "podman e2e tests failed on RHEL. @containers/packit-build please check." 
+ targets: &pr_test_targets_rhel
+ epel-9-x86_64:
+ distros: [RHEL-9.3.0-Nightly,RHEL-9.4.0-Nightly]
+ epel-8-x86_64:
+ distros: [RHEL-8.9.0-Nightly,RHEL-8.10.0-Nightly]
+ identifier: podman_e2e_test_internal
+ tmt_plan: "/plans/podman_e2e_test"
+
+ # Podman system tests for RHEL
+ - job: tests
+ trigger: pull_request
+ use_internal_tf: true
+ notifications:
+ failure_comment:
+ message: "podman system tests failed on RHEL. @containers/packit-build please check."
+ targets: *pr_test_targets_rhel
+ identifier: podman_system_test_internal
+ tmt_plan: "/plans/podman_system_test"
+
 - job: propose_downstream trigger: release update_release: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/container.fc new/container-selinux-2.228.0/container.fc
--- old/container-selinux-2.222.0/container.fc 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/container.fc 2024-01-11 04:11:38.000000000 +0100
@@ -9,6 +9,10 @@
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
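Review bot: The two new `tests` jobs that set `use_internal_tf: true` (podman_e2e_test_internal and podman_system_test_internal) are bound to `trigger: pull_request`, so test plans from any opened pull request are executed on internal Testing Farm infrastructure with no gate visible in this file on who may trigger them. If packit is not already configured elsewhere to limit PR-triggered jobs to project members (packit's `allowed_pr_authors` job option, if it applies to tests jobs), consider adding that restriction or moving the internal-TF jobs to the `commit` trigger, and record the decision in the comment that introduces them, e.g. `# Podman e2e tests for RHEL (internal Testing Farm; PR-triggered, restricted to <who>)`. The `jobs:` list this hunk edits begins on the previous physical line.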
@@ -126,6 +130,7 @@
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/container.if new/container-selinux-2.228.0/container.if
--- old/container-selinux-2.222.0/container.if 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/container.if 2024-01-11 04:11:38.000000000 +0100
@@ -573,7 +573,7 @@
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
- files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+ files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
')
########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/container.te new/container-selinux-2.228.0/container.te
--- old/container-selinux-2.222.0/container.te 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/container.te 2024-01-11 04:11:38.000000000 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.222.0)
+policy_module(container, 2.228.0)
gen_require(`
class passwd rootok;
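Review bot: The new `/var/lib/kubelet/pod-resources/kubelet.sock` entry carries no object-class specifier, so it applies to any object that appears at that path (a regular file or directory as well as the socket) and labels it container_file_t, the same label this file gives pod content such as `/var/lib/kubernetes/pods`. The neighbouring entries use `--` for regular files; the socket-only form is `/var/lib/kubelet/pod-resources/kubelet.sock -s gen_context(system_u:object_r:container_file_t,s0)`, which keeps the more specific match from overriding the parent `/var/lib/kubelet(/.*)?` rule for anything but the socket. Since kubelet creates the socket at runtime, this context only takes effect through restorecon or a matching transition rule; presumably that is handled on the kubelet side — worth confirming.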
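Review bot: `files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")` replaces the `files_pid_filetrans` call rather than adding to it, so a "kubernetes" directory created under the pid (/run) location by this caller no longer transitions to kubernetes_file_t; if both locations are created in practice, both calls are needed. The changelog calls this "Fix kubernetes transition rule" but the hunk gives no hint which location was wrong, so a one-line comment above the call, e.g. `# kubernetes config dir is created under /etc, not /run`, would stop the next reader from reverting it. The enclosing interface begins before this hunk.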
@@ -39,6 +39,13 @@
gen_tunable(container_use_devices, false)
## <desc>
+## <p>
+## Allow containers to use any dri device volume mounted into container
+## </p>
+## </desc>
+gen_tunable(container_use_dri_devices, true)
+
+## <desc>
## <p>
## Allow sandbox containers to manage cgroup (systemd)
## </p>
@@ -569,7 +576,6 @@
fs_manage_nfs_symlinks(container_runtime_domain)
fs_remount_nfs(container_runtime_domain)
fs_mount_nfs(container_runtime_domain)
- fs_unmount_nfs(container_runtime_domain)
fs_exec_nfs_files(container_runtime_domain)
kernel_rw_fs_sysctls(container_runtime_domain)
allow container_runtime_domain nfs_t:file execmod;
@@ -635,7 +641,6 @@
fs_manage_fusefs_files(container_runtime_domain)
fs_manage_fusefs_symlinks(container_runtime_domain)
fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
fs_exec_fusefs_files(container_runtime_domain)
storage_rw_fuse(container_runtime_domain)
@@ -646,7 +651,6 @@
container_lib_filetrans(container_domain,container_file_t, sock_file)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
optional_policy(`
apache_exec_modules(container_runtime_domain)
@@ -744,7 +748,7 @@
#
# spc local policy
#
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -775,6 +779,10 @@
systemd_dbus_chat_logind(spc_t)
')
+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
optional_policy(`
dbus_chat_system_bus(spc_t)
dbus_chat_session_bus(spc_t)
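Review bot: `gen_tunable(container_use_dri_devices, true)` ships enabled, unlike the neighbouring `container_use_devices` which defaults to false, so every container domain gets `dev_rw_dri` (the `tunable_policy` block added later in this file) unless an administrator turns the boolean off, and the `<desc>` text says nothing about that default. State the choice in the description so the boolean listing tells admins what they are opting out of, e.g. `## Allow containers to use any dri device volume mounted into container (enabled by default)`.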
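Review bot: `domain_transition_all(spc_t)` grants spc_t a process transition to every domain in the policy, far more than the changelog's stated goal of reaching install_t, and nothing in the hunk says whether that breadth is intended. The following `anaconda_domtrans_install(spc_t)` is also placed outside an `optional_policy` block, unlike the dbus and systemd calls around it, so the module may fail to build or load on a policy where the anaconda module is absent; wrap it the same way as its neighbours and add a comment above `domain_transition_all` giving the reason (or replace it with the specific transition that is actually needed).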
@@ -877,7 +885,7 @@
typeattribute container_file_t container_file_type, user_home_type;
typeattribute container_t container_domain, container_net_domain, container_user_domain;
allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -896,6 +904,7 @@
allow container_domain self:file rw_file_perms;
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -915,15 +924,12 @@
allow container_domain self:unix_stream_socket create_stream_socket_perms;
dontaudit container_domain self:capability2 block_suspend ;
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
fs_fusefs_entrypoint(spc_t)
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
dev_dontaudit_mounton_sysfs(container_domain)
dev_dontaudit_mounton_sysfs(container_domain)
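Review bot: Adding `container_runtime_tmpfs_t` to the entrypoint set here (and for spc_t in the `@@ -744` hunk), together with `can_exec(container_domain, container_runtime_tmpfs_t)` in the `@@ -942` hunk, lets container domains execute and be entered through files on a runtime-managed tmpfs — a type that container.if also uses for the "shm" directory under container_var_run_t, so presumably runtime-writable — and the hunk carries no comment on why. Add one line above the rule naming the use case, e.g. `# podman may place the container entrypoint on its runtime tmpfs (see 2.228 changelog)`, so the widening is traceable later. The new element is also written `container_runtime_tmpfs_t}` without the space the other sets in this file put before `}`; `container_runtime_tmpfs_t }` keeps the formatting consistent.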
@@ -942,11 +948,9 @@
dev_write_urand(container_domain)
allow container_domain sysfs_t:dir watch;
-
-fs_mount_tmpfs(container_domain)
-
dontaudit container_domain container_runtime_tmpfs_t:dir read;
allow container_domain container_runtime_tmpfs_t:dir mounton;
+can_exec(container_domain, container_runtime_tmpfs_t)
allow container_domain self:key manage_key_perms;
dontaudit container_domain container_domain:key search;
@@ -979,16 +983,39 @@
kernel_read_irq_sysctls(container_domain)
kernel_get_sysvipc_info(container_domain)
+fs_dontaudit_getattr_all_dirs(container_domain)
+fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
+fs_list_cgroup_dirs(container_domain)
fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
-fs_dontaudit_getattr_all_dirs(container_domain)
-fs_dontaudit_getattr_all_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)
term_use_all_inherited_terms(container_domain)
@@ -1012,9 +1039,6 @@
type cgroup_t;
')
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
files_read_kernel_modules(container_domain)
allow container_file_t cgroup_t:filesystem associate;
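Review bot: `fs_dontaudit_remount_tmpfs(container_domain)` is added twice in a row in this hunk; one copy should go. The same hunk also widens rules while relocating them: `fs_mounton_cgroup` and `fs_unmount_cgroup` are removed for `container_t` in the `@@ -1012` hunk and re-added here for the whole `container_domain` attribute, and `fs_manage_bpf_files(container_domain)` is new and unconditional, so every container domain may now create and modify files on any bpf filesystem visible to it. If the BPF access is meant for particular workloads, gating it behind a tunable in the style of the `container_use_dri_devices` block would keep it opt-in; at minimum a comment above the block, e.g. `# bpf: containers pinning maps/programs on a bpffs mounted into them`, should record what it is for.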
@@ -1069,9 +1093,6 @@
')
dontaudit container_domain usermodehelper_t:file write;
-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
sysnet_read_config(container_domain)
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1099,20 +1120,6 @@
fs_manage_cgroup_files(container_domain)
')
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
storage_rw_fuse(container_domain)
allow container_domain fusefs_t:file { mounton execmod };
allow container_domain fusefs_t:filesystem remount;
@@ -1383,6 +1390,10 @@
allow container_domain device_node:blk_file {rw_blk_file_perms map};
')
+tunable_policy(`container_use_dri_devices',`
+ dev_rw_dri(container_domain)
+')
+
tunable_policy(`virt_sandbox_use_sys_admin',`
allow container_init_t self:capability sys_admin;
allow container_init_t self:cap_userns sys_admin;
@@ -1399,19 +1410,23 @@
fs_unmount_cgroup(container_engine_t)
fs_manage_cgroup_dirs(container_engine_t)
fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+
type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)
@@ -1533,3 +1548,8 @@
corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+ allow container_domain self:process ptrace;
+ allow spc_t self:process ptrace;
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/plans/common_setup.sh new/container-selinux-2.228.0/plans/common_setup.sh
--- old/container-selinux-2.222.0/plans/common_setup.sh 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/plans/common_setup.sh 1970-01-01 01:00:00.000000000 +0100
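Review bot: `fs_mount_all_fs`, `fs_remount_all_fs`, `fs_unmount_all_fs` and `allow container_engine_t filesystem_type:{dir file} mounton;` replace three narrowly scoped rules (`proc_t:file mounton`, `sysctl_t:file mounton`, `sysfs_t:filesystem remount`) with grants that cover every filesystem type, and `proc_kcore_t:file mounton` is added alongside, yet nothing in the hunk records which denials drove the widening. A comment above the block, e.g. `# podman-in-kubernetes needs to mount over arbitrary filesystem paths; see <upstream issue placeholder>`, would document the intent and let a later maintainer narrow the rules again once the actual set of paths is known. The changelog line "container_engine_t: improve for podman in kubernetes case" is the only context given.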
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-# Clean all prior dnf metadata
-dnf clean all
-
-# Disable rhcontainerbot/packit-builds to avoid testing with
-# packages built from unmerged content of other repos.
-dnf -y copr disable rhcontainerbot/packit-builds
-
-# Fetch podman and other dependencies from rhcontainerbot/podman-next.
-. /etc/os-release
-if [ $(NAME) == "CentOS Stream" ]; then
- dnf -y copr enable rhcontainerbot/podman-next centos-stream+epel-next-$(VERSION)
-else
- dnf -y copr enable rhcontainerbot/podman-next
-fi
-dnf -y --disablerepo=testing-farm-* install bats golang podman podman-tests
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/plans/main.fmf new/container-selinux-2.228.0/plans/main.fmf
--- old/container-selinux-2.222.0/plans/main.fmf 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/plans/main.fmf 2024-01-11 04:11:38.000000000 +0100
@@ -1,11 +1,64 @@
+# tmt does provide the `adjust` attribute to manage distro conditionals, but
+# the bash way has been rather convenient to read, manage and copy-paste
+# Ref: https://tmt.readthedocs.io/en/stable/spec/core.html#adjust
+prepare:
+ - how: shell
+ script: |
+ RHEL_RELEASE=$(rpm --eval %{?rhel})
+ ARCH=$(uname -m)
+ if [ $RHEL_RELEASE -eq 8 ]; then
+ echo "Disabling container-tools module..."
+ dnf -y module disable container-tools
+ fi
+ if [ -f /etc/centos-release ]; then
+ echo "Installing epel-release..."
+ dnf -y install epel-release
+ elif [ $RHEL_RELEASE -ge 8 ]; then
+ echo "Installing epel-release..."
+ dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$RHEL_RELEASE.noarch.rpm
+ echo "Enabling epel repo..."
+ dnf config-manager --set-enabled epel
+ cat /etc/yum.repos.d/epel.repo
+ fi
+ dnf -y copr enable rhcontainerbot/podman-next
+ dnf config-manager --save --setopt="*:rhcontainerbot:podman-next.priority=5"
+ - how: install
+ package:
+ - bats
+ - golang
+ - podman
+ - podman-tests
+
/podman_e2e_test:
summary: Run SELinux specific Podman e2e tests
execute:
how: tmt
- script: bash plans/podman_e2e_test.sh
+ script: |
+ echo "Checking /etc/redhat-release..."
+ cat /etc/redhat-release
+ echo "Checking installed versions of required packages..."
+ rpm -q container-selinux golang podman
+ if [ -f /etc/fedora-release ]; then
+ echo "Resizing tmpfs..."
+ mount -o remount,size=10G /tmp
+ fi
+ echo "Fetching podman srpm from copr..."
+ dnf --disablerepo=* --enablerepo=copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next download --source podman
+ echo "Extracting podman source from srpm..."
+ rpm2cpio podman*.src.rpm | cpio -di
+ tar zxf podman-*-dev.tar.gz
+ echo "Running podman e2e tests..."
+ cd podman-*-dev/test/e2e
+ PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
/podman_system_test:
summary: Run SELinux specific Podman system tests
execute:
how: tmt
- script: bash plans/podman_system_test.sh
+ script: |
+ echo "Checking /etc/redhat-release..."
+ cat /etc/redhat-release
+ echo "Checking installed versions of required packages..."
+ rpm -q container-selinux podman podman-tests
+ echo "Running podman system tests..."
+ bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/plans/podman_e2e_test.sh new/container-selinux-2.228.0/plans/podman_e2e_test.sh
--- old/container-selinux-2.222.0/plans/podman_e2e_test.sh 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/plans/podman_e2e_test.sh 1970-01-01 01:00:00.000000000 +0100
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-# Copr repo setup handled in common_setup.sh
-. ./plans/common_setup.sh
-
-# Fetch and prep Podman source from latest SRPM on
-# rhcontainerbot/podman-next copr
-dnf --disablerepo=* --enablerepo=copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next download --source podman
-rpm2cpio podman*.src.rpm | cpio -di
-tar zxf podman*.tar.gz
-cd podman/test/e2e
-
-# Run SELinux specific Podman e2e tests
-PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/plans/podman_system_test.sh new/container-selinux-2.228.0/plans/podman_system_test.sh
--- old/container-selinux-2.222.0/plans/podman_system_test.sh 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/plans/podman_system_test.sh 1970-01-01 01:00:00.000000000 +0100
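Review bot: In the `prepare` shell script, `RHEL_RELEASE=$(rpm --eval %{?rhel})` expands to an empty string on Fedora (one of the configured targets), so `if [ $RHEL_RELEASE -eq 8 ]` and the later `elif [ $RHEL_RELEASE -ge 8 ]` collapse to `[ -eq 8 ]`, which `test` rejects with a unary-operator error and evaluates as false; quote and default the variable, `if [ "${RHEL_RELEASE:-0}" -eq 8 ]; then` and `elif [ "${RHEL_RELEASE:-0}" -ge 8 ]; then`. `ARCH=$(uname -m)` is assigned but never read anywhere in the script and can be dropped. The hunk begins on the previous physical line.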
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-# Copr repo setup handled in common_setup.sh
-. ./plans/common_setup.sh
-
-# Run Podman's SELinux system tests
-bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.222.0/rpm/container-selinux.spec new/container-selinux-2.228.0/rpm/container-selinux.spec
--- old/container-selinux-2.222.0/rpm/container-selinux.spec 2023-09-17 15:46:26.000000000 +0200
+++ new/container-selinux-2.228.0/rpm/container-selinux.spec 2024-01-11 04:11:38.000000000 +0100
@@ -71,6 +71,7 @@
sed -i 's/watch watch_reads//' container.if
sed -i 's/watch watch_reads//' container.te
sed -i '/sysfs_t:dir watch/d' container.te
+sed -i '/fifo_file watch/d' container.te
%endif
%if %{defined no_systemd_chat_resolved}