diff --git a/.gitignore b/.gitignore
index 1cb4754..3651e6b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -136,3 +136,32 @@
 /container-selinux-2750e78.tar.gz
 /container-selinux-fe6a25c.tar.gz
 /container-selinux-e2d5a9e.tar.gz
+/container-selinux-746ea7a.tar.gz
+/container-selinux-5d929d4.tar.gz
+/container-selinux-464e922.tar.gz
+/container-selinux-2908536.tar.gz
+/container-selinux-9fb1698.tar.gz
+/container-selinux-3c361a2.tar.gz
+/container-selinux-9b3b66f.tar.gz
+/container-selinux-0ef4703.tar.gz
+/container-selinux-5d3c461.tar.gz
+/container-selinux-1677bc4.tar.gz
+/container-selinux-8573f8d.tar.gz
+/container-selinux-54e2ac5.tar.gz
+/container-selinux-667f0f3.tar.gz
+/container-selinux-75f193a.tar.gz
+/container-selinux-f330e81.tar.gz
+/container-selinux-6d13bf9.tar.gz
+/container-selinux-eb6dad0.tar.gz
+/container-selinux-aeb85c4.tar.gz
+/container-selinux-e78ac4f.tar.gz
+/container-selinux-d89a599.tar.gz
+/container-selinux-c9f0cb6.tar.gz
+/v2.155.0.tar.gz
+/container-selinux-5a60716.tar.gz
+/container-selinux-e1092cd.tar.gz
+/container-selinux-da28288.tar.gz
+/container-selinux-233e620.tar.gz
+/container-selinux-61b862a.tar.gz
+/container-selinux-99b40c5.tar.gz
+/container-selinux-563ba3f.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index be5eb52..3d4ff98 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,9 +2,13 @@
 # container-selinux
 %global git0 https://github.com/containers/container-selinux
-%global commit0 e2d5a9eadb72a9aa90c4f5ba793011865620f367
+%global commit0 563ba3f2693f98de5e79a7fbf5889222ab9a454a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+# Used for comparing with latest upstream tag
+# to decide whether to autobuild (non-rawhide only)
+%define built_tag v2.164.1
+
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
 %global selinuxtype targeted
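Review bot: `%define built_tag v2.164.1` is the only `%define` in a file whose other top-level macros in this hunk (`git0`, `commit0`, `shortcommit0`, `selinuxtype`) all use `%global`; `%define` is lazily scoped and Fedora packaging guidance recommends `%global` for file-level definitions, so `%global built_tag v2.164.1` keeps the style uniform. The comment above it says the tag is compared with upstream to decide whether to autobuild, but nothing ties `built_tag` to the full `commit0` SHA that `Source0` actually fetches, so if the two drift apart the autobuild decision and the shipped tarball disagree silently; a one-line comment such as `# keep in sync with the upstream tag that %{commit0} corresponds to` next to it would make that invariant explicit.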
@@ -16,29 +20,26 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
-# Version of SELinux we were using
-%global selinux_policyver 3.14.4-43
-
 # Hooked up to autobuilder, please check with @lsm5 before updating
 Name: container-selinux
-%if 0%{?fedora}
 Epoch: 2
-%endif
-Version: 2.143.0
-Release: 2.dev.git%{shortcommit0}%{?dist}
+Version: 2.164.1
+Release: 2%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Patch: f33.patch
 BuildArch: noarch
-BuildRequires: git
+BuildRequires: make
+BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %{selinux_policyver}
-BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %{selinux_policyver}
-Requires(post): selinux-policy-base >= %{selinux_policyver}
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
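Review bot: the six new dependency lines reference the macro unbraced as `%_selinux_policy_version` while every other macro in the hunk is written `%{...}` (`%{git0}`, `%{commit0}`, `%{shortcommit0}`, `%{?dist}`); `%{_selinux_policy_version}` is the form the rest of the spec uses and reads unambiguously. The macro is supplied by the selinux-policy packages rather than defined in this spec, and as far as I can tell an undefined macro is passed through literally into the dependency string rather than failing the build, so a guard near the top of the file, `%{!?_selinux_policy_version:%{error:_selinux_policy_version is not defined}}`, would turn a missing-macro build into an explicit error. `Patch: f33.patch` is applied unconditionally although its name suggests a single Fedora release; that is fine if this spec lives on the f33 branch only, but worth a comment on the `Patch:` line if the file is ever shared across branches.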
@@ -64,12 +65,6 @@ install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/ser
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
 install -d %{buildroot}/%{_datadir}/containers/selinux
 install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-# Currently shipped as part of selinux-policy package
-#install -d %{buildroot}/%{_datadir}/man/man8
-#install -m 644 container_selinux.8 %{buildroot}/%{_datadir}/man/man8
-
-# remove spec file
-rm -rf container-selinux.spec
 %check
@@ -109,31 +104,168 @@ fi
 # Currently shipped in selinux-policy-doc
 #%%{_datadir}/man/man8/container_selinux.8.gz
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+ echo "Fixing Rootless SELinux labels in homedir"
+ %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null || true
+fi
+
+
 # Hooked up to autobuilder, please check with @lsm5 before updating
 %changelog
-* Wed Aug 05 22:10:34 GMT 2020 RH Container Bot - 2:2.143.0-2.dev.gite2d5a9e
+* Mon Sep 27 2021 Lokesh Mandvekar - 2:2.164.1-2
+- Resolves: 1970644
+
+* Mon Jul 19 2021 Dan Walsh - 2:2.164.1-1
+- Allow spc_t domains to set bpf rules on any domain
+
+* Sat Jun 12 2021 RH Container Bot - 2:2.163.0-2.dev.git99b40c5
+- bump to 2.163.0
+- autobuilt 99b40c5
+
+* Tue May 25 2021 RH Container Bot - 2:2.162.2-2.dev.git61b862a
+- bump to 2.162.2
+- autobuilt 61b862a
+
+* Mon May 17 2021 Dan Walsh - 2:2.162.1-3.dev.git233e620
+- Fix labels in users homedirs, before overlayfs is supported by default for non root users
+
+* Sun May 16 2021 RH Container Bot - 2:2.162.1-2.dev.git233e620
+- bump to 2.162.1
+- autobuilt 233e620
+
+* Wed May 12 2021 RH Container Bot - 2:2.162.0-2.dev.gitda28288
+- bump to 2.162.0
+- autobuilt da28288
+
+* Fri May 07 2021 RH Container Bot - 2:2.161.1-2.dev.gite1092cd
+- bump to 2.161.1
+- autobuilt e1092cd
+
+* Tue Apr 20 2021 RH Container Bot - 2:2.160.0-3.dev.git5a60716
+- autobuilt 5a60716
+
+* Wed Mar 31 2021 Lokesh Mandvekar - 2:2.160.0-2.dev.gitc9f0cb6
+- bump to v2.160.0
+
+* Mon Mar 29 2021 RH Container Bot - 2:2.159.0-2.dev.gitd89a599
+- bump to 2.159.0
+- autobuilt d89a599
+
+* Wed Feb 17 2021 Dan Walsh - 2:2.158.0-5.dev.gite78ac4f
+- Rebuilt to use latest selinux-policy interfaces
+
+* Tue Feb 16 2021 RH Container Bot - 2:2.158.0-4.dev.gite78ac4f
+- autobuilt e78ac4f
+
+* Fri Feb 12 2021 RH Container Bot - 2:2.158.0-3.dev.gitaeb85c4
+- autobuilt aeb85c4
+
+* Thu Feb 11 2021 RH Container Bot - 2:2.158.0-2.dev.giteb6dad0
+- bump to 2.158.0
+- autobuilt eb6dad0
+
+* Mon Feb 08 2021 RH Container Bot - 2:2.157.0-3.dev.git6d13bf9
+- autobuilt 6d13bf9
+
+* Tue Feb 02 2021 RH Container Bot - 2:2.157.0-2.dev.gitf330e81
+- bump to 2.157.0
+- autobuilt f330e81
+
+* Tue Jan 26 2021 Fedora Release Engineering - 2:2.156.0-3.dev.git75f193a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 15 2021 RH Container Bot - 2:2.156.0-2.dev.git75f193a
+- bump to 2.156.0
+- autobuilt 75f193a
+
+* Tue Jan 5 2021 RH Container Bot - 2:2.155.0-2.dev.git667f0f3
+- bump to 2.155.0
+- autobuilt 667f0f3
+
+* Wed Dec 30 2020 RH Container Bot - 2:2.154.0-2.dev.git54e2ac5
+- bump to 2.154.0
+- autobuilt 54e2ac5
+
+* Sat Dec 26 2020 RH Container Bot - 2:2.153.0-2.dev.git8573f8d
+- bump to 2.153.0
+- autobuilt 8573f8d
+
+* Tue Dec 22 2020 RH Container Bot - 2:2.152.0-2.dev.git1677bc4
+- bump to 2.152.0
+- autobuilt 1677bc4
+
+* Wed Dec 02 2020 Jindrich Novy - 2:2.151.0-4.dev.git5d3c461
+- remove bogus changelog dates emitted by build bot leading to build failure
+- Related: #1715412
+
+* Wed Dec 02 2020 Jindrich Novy - 2:2.151.0-3.dev.git5d3c461
+- remove %%fedora Epoch conditional
+- Related: #1899626
+
+* Thu Nov 5 2020 RH Container Bot - 2:2.151.0-2.dev.git5d3c461
+- bump to 2.151.0
+- autobuilt 5d3c461
+
+* Fri Oct 23 2020 RH Container Bot - 2:2.150.0-2.dev.git0ef4703
+- bump to 2.150.0
+- autobuilt 0ef4703
+
+* Thu Oct 15 2020 RH Container Bot - 2:2.148.0-3.dev.git9b3b66f
+- autobuilt 9b3b66f
+
+* Wed Oct 14 2020 RH Container Bot - 2:2.148.0-2.dev.git3c361a2
+- bump to 2.148.0
+- autobuilt 3c361a2
+
+* Mon Oct 12 2020 RH Container Bot - 2:2.147.0-2.dev.git9fb1698
+- bump to 2.147.0
+- autobuilt 9fb1698
+
+* Thu Oct 8 2020 RH Container Bot - 2:2.146.0-2.dev.git2908536
+- bump to 2.146.0
+- autobuilt 2908536
+
+* Thu Sep 10 2020 RH Container Bot - 2:2.145.0-2.dev.git464e922
+- bump to 2.145.0
+- autobuilt 464e922
+
+* Mon Aug 31 2020 Lokesh Mandvekar - 2:2.144.0-5.dev.git5d929d4
+- Resolves: #1797554 - use _selinux_policy_version macro
+
+* Fri Aug 28 2020 Lokesh Mandvekar - 2:2.144.0-4.dev.git5d929d4
+- Resolves: #1780129 - bump min selinux-policy
+
+* Thu Aug 13 2020 RH Container Bot - 2:2.144.0-3.dev.git5d929d4
+- autobuilt 5d929d4
+
+* Wed Aug 12 2020 RH Container Bot - 2:2.144.0-2.dev.git746ea7a
+- bump to 2.144.0
+- autobuilt 746ea7a
+
+* Wed Aug 05 2020 RH Container Bot - 2:2.143.0-2.dev.gite2d5a9e
 - bump to 2.143.0
 - autobuilt e2d5a9e
 * Mon Jul 27 2020 Fedora Release Engineering - 2:2.142.0-3.dev.gitfe6a25c
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-* Fri Jul 24 11:09:45 GMT 2020 RH Container Bot - 2:2.142.0-2.dev.gitfe6a25c
+* Fri Jul 24 2020 RH Container Bot - 2:2.142.0-2.dev.gitfe6a25c
 - bump to 2.142.0
 - autobuilt fe6a25c
-* Fri Jul 24 10:09:44 GMT 2020 RH Container Bot - 2:2.141.0-2.dev.git2750e78
+* Fri Jul 24 2020 RH Container Bot - 2:2.141.0-2.dev.git2750e78
 - bump to 2.141.0
 - autobuilt 2750e78
 * Thu Jul 23 2020 Merlin Mathesius - 2:2.140.0-2.dev.git965c7fb
 - Cleanup usage of %%{epoch} macro to allow building for ELN
-* Thu Jul 23 19:10:26 GMT 2020 RH Container Bot - 2:2.140.0-2.dev.git965c7fb
+* Thu Jul 23 2020 RH Container Bot - 2:2.140.0-2.dev.git965c7fb
 - bump to 2.140.0
 - autobuilt 965c7fb
-* Sat Jul 18 11:10:04 GMT 2020 RH Container Bot - 2:2.139.0-2.dev.git8c26927
+* Sat Jul 18 2020 RH Container Bot - 2:2.139.0-2.dev.git8c26927
 - bump to 2.139.0
 - autobuilt 8c26927
diff --git a/f33.patch b/f33.patch
new file mode 100644
index 0000000..e47437a
--- /dev/null
+++ b/f33.patch
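Review bot: the new `%triggerpostun` recipe discards every outcome of the relabel with `2> /dev/null || true`, so a restorecon failure (missing binary, a glob that matched nothing and was passed through literally, a permission or I/O error) leaves no trace in the transaction output even though the trigger exists precisely to repair labels that would otherwise produce denials; keeping `|| true` (a scriptlet must not abort the transaction) but dropping the stderr redirect, `%{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* || true`, lets the failure be seen. The `/home/*` glob only reaches home directories under `/home`, so users whose homes live elsewhere are silently skipped, which is worth stating in a comment above the trigger. The bound `< 2:2.162.1-3` agrees with the changelog entry in this hunk that introduced the homedir fix, so that part looks consistent.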
@@ -0,0 +1,22 @@
+diff --git a/container.te b/container.te
+index ead5b16..b07a100 100644
+--- a/container.te
++++ b/container.te
+@@ -115,7 +115,7 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
++# allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;
+@@ -454,7 +454,7 @@ modutils_domtrans_kmod(container_runtime_domain)
+ systemd_status_all_unit_files(container_runtime_domain)
+ systemd_start_systemd_services(container_runtime_domain)
+ systemd_dbus_chat_logind(container_runtime_domain)
+-systemd_chat_resolved(container_runtime_domain)
++#systemd_chat_resolved(container_runtime_domain)
+ 
+ userdom_stream_connect(container_runtime_domain)
+ userdom_search_user_home_content(container_runtime_domain)
diff --git a/gating.yaml b/gating.yaml
deleted file mode 100644
index c2182c7..0000000
--- a/gating.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
- - fedora-*
-decision_context: bodhi_update_push_stable
-rules:
- - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
diff --git a/lockdown.patch b/lockdown.patch
new file mode 100644
index 0000000..872fcc0
--- /dev/null
+++ b/lockdown.patch
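Review bot: f33.patch carries no header text, so a reader of the dist-git tree cannot tell why `allow container_runtime_domain self:lockdown { confidentiality integrity };` and `systemd_chat_resolved(container_runtime_domain)` are commented out — presumably because the base policy on the release this branch builds for does not provide the `lockdown` class or the `systemd_chat_resolved` interface, but that is an inference from the file name. A short description above the first `diff --git` line, along the lines of `Disable rules the selinux-policy shipped on this release does not provide (lockdown class, systemd_chat_resolved interface); drop once the base policy gains them`, would record the intent and tell the maintainer when the patch can be retired. Both edits remove permissions from container_runtime_domain rather than granting any, so the patch cannot widen the policy, but on a kernel and base policy that do define the lockdown class the runtime may now be denied those accesses in enforcing mode, which belongs in the same header.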
@@ -0,0 +1,12 @@
+diff --git a/container.te b/container.te
+index 5cd29af..a9392cd 100644
+--- a/container.te
++++ b/container.te
+@@ -115,7 +115,6 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;
diff --git a/sources b/sources
index 4a623bf..f738a28 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-e2d5a9e.tar.gz) = 397524b618159d498b5a64946a8f1acc0bf54a611723336aae61165322c6ee2963aec18f9c84de039755ea1ef1e0a51fbec9b49e5969043536fa382a7c9ea233
+SHA512 (container-selinux-563ba3f.tar.gz) = fdafd3ca1094fb009893e664a2c59b81b7b95ba796ea7e960c0c2def45a0ed229f4dece63cd87faf14e6c1094848614633b322526bb2625c5df6df6abb568a50
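Review bot: lockdown.patch is added as a new file but, as far as this diff shows, no `Patch:` tag references it (the spec gains only `Patch: f33.patch`), so it is never applied and becomes dead content in the dist-git tree. Its single hunk also duplicates the first hunk of f33.patch — both remove the `self:lockdown` allow rule — but against a different upstream base (`index 5cd29af..a9392cd` here versus `index ead5b16..b07a100` in f33.patch), so the two could not both apply to the same tarball anyway. Either drop lockdown.patch or wire it up and remove the overlapping hunk from f33.patch, and give whichever patch survives a one-line header naming the upstream commit it was generated from. The `sources` update pins the new tarball by SHA512, which keeps the `Source0` fetch verifiable against the `%commit0` bump.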