Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2020-10-20 16:00:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Tue Oct 20 16:00:25 2020 rev:2 rq:842071 version:2.145.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2020-10-10 19:03:54.320469836 +0200
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.3486/container-selinux.changes
    2020-10-20 16:03:29.521813228 +0200
@@ -1,0 +2,7 @@
+Wed Oct 14 12:57:07 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Update to version 2.145.0
+  - Add support for kubernetes_file_t
+  - Allow container_t to open existing tun/tap
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.143.0.tar.gz

New:
----
  container-selinux-2.145.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.knyGMB/_old  2020-10-20 16:03:31.745814281 +0200
+++ /var/tmp/diff_new_pack.knyGMB/_new  2020-10-20 16:03:31.745814281 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.143.0
+Version:        2.145.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ container-selinux-2.143.0.tar.gz -> container-selinux-2.145.0.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.143.0/container.fc 
new/container-selinux-2.145.0/container.fc
--- old/container-selinux-2.143.0/container.fc  2020-08-06 00:05:41.000000000 
+0200
+++ new/container-selinux-2.145.0/container.fc  2020-09-10 17:29:43.000000000 
+0200
@@ -1,8 +1,11 @@
 /root/\.docker gen_context(system_u:object_r:container_home_t,s0)
 
 /usr/libexec/docker/.* --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/docker/docker.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.*     --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/docker.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/bin/containerd.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/lxc-.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -34,6 +37,7 @@
 /usr/sbin/ocid.*               --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/lib/docker/docker-novolume-plugin --      
gen_context(system_u:object_r:container_auth_exec_t,s0)
 /usr/lib/docker/[^/]*plugin    --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
 /usr/lib/systemd/system/docker.*               --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/lxd.*          --      
gen_context(system_u:object_r:container_unit_file_t,s0)
@@ -112,3 +116,4 @@
 
 /var/log/lxc(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)?          
gen_context(system_u:object_r:kubernetes_file_t,s0)
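Review bot: Relabeling `/etc/kubernetes(/.*)?` away from the generic etc_t removes it from every rule that grants access through files_read_etc_files()/etc_t, and in this release only spc_t is given access to the new type (the admin_pattern in container.te), so any confined domain that currently reads kubeconfigs or static-pod manifests under /etc/kubernetes via those generic rules will start getting AVC denials after restorecon. That may be intended (keeping cluster credentials away from generic readers), but it is a behaviour change the changelog line "Add support for kubernetes_file_t" does not convey, and whichever domains are expected to read the directory need an explicit interface before the relabel lands. A comment such as `# /etc/kubernetes holds cluster credentials; only domains explicitly granted kubernetes_file_t may read it` would record the decision.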
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.143.0/container.if 
new/container-selinux-2.145.0/container.if
--- old/container-selinux-2.143.0/container.if  2020-08-06 00:05:41.000000000 
+0200
+++ new/container-selinux-2.145.0/container.if  2020-09-10 17:29:43.000000000 
+0200
@@ -490,6 +490,7 @@
        type container_log_t;
        type container_var_run_t;
        type container_home_t;
+       type kubernetes_file_t;
        type container_runtime_tmpfs_t;
     ')
 
@@ -530,7 +531,7 @@
     userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"kata-containers")
     filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, 
"shm")
-
+    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
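Review bot: `files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")` makes the caller create /run/kubernetes with kubernetes_file_t, but this release's container.fc adds only `/etc/kubernetes(/.*)?` for that type, so a later `restorecon -R /run` or a full relabel would silently flip the directory back to var_run_t and the two label sources disagree. Add `/var/run/kubernetes(/.*)?   gen_context(system_u:object_r:kubernetes_file_t,s0)` to container.fc (or `/run/kubernetes(/.*)?`, depending on how this policy aliases /run) so the named transition and the file context agree. Note also that kubernetes_file_t is declared with files_type() rather than files_pid_file(), so generic /run handling interfaces presumably do not cover it; if the same type is meant to serve both /etc and /run, that should be stated in a comment next to the declaration. The interface this filetrans belongs to starts above the hunk.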
 
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.143.0/container.te 
new/container-selinux-2.145.0/container.te
--- old/container-selinux-2.143.0/container.te  2020-08-06 00:05:41.000000000 
+0200
+++ new/container-selinux-2.145.0/container.te  2020-09-10 17:29:43.000000000 
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.143.0)
+policy_module(container, 2.145.0)
 gen_require(`
        class passwd rootok;
 ')
@@ -54,6 +54,9 @@
 type spc_var_run_t;
 files_pid_file(spc_var_run_t)
 
+type kubernetes_file_t;
+files_type(kubernetes_file_t)
+
 type container_var_lib_t alias docker_var_lib_t;
 files_type(container_var_lib_t)
 
@@ -585,6 +588,8 @@
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 allow container_runtime_domain spc_t:process2 nnp_transition;
+admin_pattern(spc_t, kubernetes_file_t)
+
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
 
@@ -720,7 +725,7 @@
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;
 allow container_domain self:tcp_socket create_socket_perms;
-allow container_domain self:tun_socket create_socket_perms;
+allow container_domain self:tun_socket { create_socket_perms relabelfrom 
relabelto };
 allow container_domain self:udp_socket create_socket_perms;
 allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
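Review bot: The changelog says the change lets container_t open an existing tun/tap, but the rule is on the `container_domain` attribute, so every type carrying that attribute gains tun_socket relabelfrom/relabelto, not only container_t. Because the target is `self`, a process of type T may attach to a persistent TUN/TAP whose socket label is T; with a single shared container_t that means one container can attach to a tun device created by a different container_t container unless an MCS constraint on tun_socket separates them, and whether such a constraint exists is not visible here — worth checking, since attaching to another workload's tun is a traffic-interception primitive. If only container_t needs it, narrow the grant to `allow container_t self:tun_socket { relabelfrom relabelto };` and leave create_socket_perms on the attribute, with a comment naming the open-existing-tun use case.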

