Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2020-10-20 16:00:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.3486 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Tue Oct 20 16:00:25 2020 rev:2 rq:842071 version:2.145.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2020-10-10 19:03:54.320469836 +0200
+++ /work/SRC/openSUSE:Factory/.container-selinux.new.3486/container-selinux.changes 2020-10-20 16:03:29.521813228 +0200
@@ -1,0 +2,7 @@
+Wed Oct 14 12:57:07 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Update to version 2.145.0
+ - Add support for kubernetes_file_t
+ - Allow container_t to open existing tun/tap
+
+-------------------------------------------------------------------
Old:
----
container-selinux-2.143.0.tar.gz
New:
----
container-selinux-2.145.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.knyGMB/_old 2020-10-20 16:03:31.745814281 +0200
+++ /var/tmp/diff_new_pack.knyGMB/_new 2020-10-20 16:03:31.745814281 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name: container-selinux
-Version: 2.143.0
+Version: 2.145.0
 Release: 0
 Summary: SELinux policies for container runtimes
 License: GPL-2.0-only
++++++ container-selinux-2.143.0.tar.gz -> container-selinux-2.145.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.143.0/container.fc new/container-selinux-2.145.0/container.fc
--- old/container-selinux-2.143.0/container.fc 2020-08-06 00:05:41.000000000 +0200
+++ new/container-selinux-2.145.0/container.fc 2020-09-10 17:29:43.000000000 +0200
@@ -1,8 +1,11 @@
 /root/\.docker gen_context(system_u:object_r:container_home_t,s0)
 /usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -34,6 +37,7 @@
 /usr/sbin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
 /usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
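Review bot: The added `/usr/local/libexec/docker/docker.*` entry is already matched by `/usr/local/libexec/docker/.*` added one line above it, and both map to container_runtime_exec_t, so the second entry can never change a label; it mirrors the pre-existing `/usr/libexec/docker/.*` / `/usr/libexec/docker/docker.*` pair, so this is a point of style rather than a defect. If the duplication is kept deliberately for symmetry with the /usr/libexec block, a short comment on the block saying so would stop a later reader from "cleaning it up" in one place and not the other; otherwise the `docker.*` line can be dropped. The new `/usr/local/bin/docker.*` and `/usr/local/lib/docker/[^/]*plugin` entries follow the existing `/usr/local/bin/containerd.*` convention and look fine.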
@@ -112,3 +116,4 @@
 /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.143.0/container.if new/container-selinux-2.145.0/container.if
--- old/container-selinux-2.143.0/container.if 2020-08-06 00:05:41.000000000 +0200
+++ new/container-selinux-2.145.0/container.if 2020-09-10 17:29:43.000000000 +0200
@@ -490,6 +490,7 @@
 type container_log_t;
 type container_var_run_t;
 type container_home_t;
+ type kubernetes_file_t;
 type container_runtime_tmpfs_t;
 ')
@@ -530,7 +531,7 @@
 userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
 filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
-
+ files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.143.0/container.te new/container-selinux-2.145.0/container.te
--- old/container-selinux-2.143.0/container.te 2020-08-06 00:05:41.000000000 +0200
+++ new/container-selinux-2.145.0/container.te 2020-09-10 17:29:43.000000000 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.143.0)
+policy_module(container, 2.145.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -54,6 +54,9 @@
 type spc_var_run_t;
 files_pid_file(spc_var_run_t)
+type kubernetes_file_t;
+files_type(kubernetes_file_t)
+
 type container_var_lib_t alias docker_var_lib_t;
 files_type(container_var_lib_t)
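Review bot: The new `files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")` makes the caller create a "kubernetes" directory under the pid directory as kubernetes_file_t, but the container.fc hunk in this commit only labels `/etc/kubernetes(/.*)?`; with no file-context entry for the pid-directory path, a relabel (restorecon or a full relabel) would reset that directory to whatever its parent's context specifies, and the transition rule and the file contexts would then disagree. A matching entry along the lines of `/var/run/kubernetes(/.*)?	gen_context(system_u:object_r:kubernetes_file_t,s0)` (constructed example, exact path to be confirmed against where the directory is created) in container.fc keeps the two in step. The `-`/`+` pair also drops the blank line that separated the filetrans rules from the closing `')`, which is purely cosmetic. The enclosing interface (the admin interface, judging by the `userdom_admin_home_dir_filetrans($1, …)` context) starts and ends outside this hunk.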
@@ -585,6 +588,8 @@
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 allow container_runtime_domain spc_t:process2 nnp_transition;
+admin_pattern(spc_t, kubernetes_file_t)
+
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
@@ -720,7 +725,7 @@
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;
 allow container_domain self:tcp_socket create_socket_perms;
-allow container_domain self:tun_socket create_socket_perms;
+allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow container_domain self:udp_socket create_socket_perms;
 allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
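Review bot: `admin_pattern(spc_t, kubernetes_file_t)` grants spc_t the full manage set plus relabelfrom/relabelto on the new type, which after the container.fc hunk in this commit means everything under `/etc/kubernetes`; in the hunks shown no other container domain receives any access to kubernetes_file_t, so regular container workloads cannot read those files, which looks intended. A one-line comment above the rule, e.g. `# only the super-privileged container domain may manage and relabel kubernetes config (/etc/kubernetes)`, would record that this restriction is deliberate rather than an omission.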
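Review bot: The new `relabelfrom relabelto` on `self:tun_socket` is granted to the whole `container_domain` attribute, whereas the changelog entry for this version describes the change as allowing `container_t` to open an existing tun/tap; every domain carrying the attribute gains it, which is worth stating on the line so the scope is neither misread nor narrowed by accident later. Because the target is `self`, the domain can only re-open a persistent tun/tap device that already carries its own label (in practice one created under the same domain), which keeps the widening small, and a comment such as `# re-open a persistent tun/tap that this domain created (the open path checks relabelfrom/relabelto, not just create)` would explain why create_socket_perms alone was not sufficient. The surrounding `container_domain self:*` rules are context only and continue past this hunk.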