diff --git a/.gitignore b/.gitignore
index d582e45..9f4fa74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,103 +1,25 @@
-/container-selinux-513572d.tar.gz
-/container-selinux-bcdcb9a.tar.gz
-/container-selinux-3bbbad5.tar.gz
-/container-selinux-b9809fa.tar.gz
-/container-selinux-ba28054.tar.gz
-/container-selinux-9e004af.tar.gz
-/container-selinux-ce95ddb.tar.gz
-/container-selinux-f7333f9.tar.gz
-/container-selinux-08bb6e0.tar.gz
-/container-selinux-8f8caa6.tar.gz
-/container-selinux-14f7c51.tar.gz
-/container-selinux-c81ea26.tar.gz
-/container-selinux-9027f8e.tar.gz
-/container-selinux-ed3082b.tar.gz
-/container-selinux-5212fea.tar.gz
-/container-selinux-a80afba.tar.gz
-/container-selinux-c5fd77f.tar.gz
-/container-selinux-c89e9b5.tar.gz
-/container-selinux-58324f3.tar.gz
-/container-selinux-81ff96c.tar.gz
-/container-selinux-a9260d4.tar.gz
-/container-selinux-e37e93d.tar.gz
-/container-selinux-de38c07.tar.gz
-/container-selinux-0620186.tar.gz
-/container-selinux-47e0448.tar.gz
-/container-selinux-b430a71.tar.gz
-/container-selinux-0b666c4.tar.gz
-/container-selinux-7fe0136.tar.gz
-/container-selinux-dca3b87.tar.gz
-/container-selinux-f9a30e8.tar.gz
-/container-selinux-d985665.tar.gz
-/container-selinux-8ba32a4.tar.gz
-/container-selinux-26c642a.tar.gz
-/container-selinux-96e58bf.tar.gz
-/container-selinux-599072a.tar.gz
-/container-selinux-231b213.tar.gz
-/container-selinux-d148550.tar.gz
-/container-selinux-dfcc97d.tar.gz
-/container-selinux-38a982b.tar.gz
-/container-selinux-2377c73.tar.gz
-/container-selinux-aece4ff.tar.gz
-/container-selinux-663e003.tar.gz
-/container-selinux-fd7d508.tar.gz
-/container-selinux-fd50128.tar.gz
-/container-selinux-bdc0137.tar.gz
-/container-selinux-55c7d4d.tar.gz
-/container-selinux-d248f91.tar.gz
-/container-selinux-d213769.tar.gz
-/container-selinux-701557f.tar.gz
-/container-selinux-97f8dfc.tar.gz
-/container-selinux-9b55129.tar.gz
-/container-selinux-1ecf953.tar.gz
-/container-selinux-284f9e7.tar.gz
-/container-selinux-d346375.tar.gz
-/container-selinux-bf5b26b.tar.gz
-/container-selinux-dfaf8fd.tar.gz
-/container-selinux-8ecc282.tar.gz
-/container-selinux-0407867.tar.gz
-/container-selinux-042f7cf.tar.gz
-/container-selinux-25277c8.tar.gz
-/container-selinux-c139a3d.tar.gz
-/container-selinux-452b90d.tar.gz
-/container-selinux-4e73492.tar.gz
-/container-selinux-5721d74.tar.gz
-/container-selinux-d7a3f33.tar.gz
-/container-selinux-a62c2db.tar.gz
-/container-selinux-99e2cfd.tar.gz
-/container-selinux-87fae85.tar.gz
-/container-selinux-5133af6.tar.gz
-/container-selinux-2c57a17.tar.gz
-/container-selinux-1362777.tar.gz
-/container-selinux-6f01752.tar.gz
-/container-selinux-1b655d9.tar.gz
-/container-selinux-484806a.tar.gz
-/container-selinux-21c2be6.tar.gz
-/container-selinux-5e1f62f.tar.gz
-/container-selinux-ec6fcad.tar.gz
-/container-selinux-eb60838.tar.gz
-/container-selinux-92af7fd.tar.gz
-/container-selinux-c178849.tar.gz
-/container-selinux-891a85f.tar.gz
-/container-selinux-2c1a2ab.tar.gz
-/container-selinux-5c98b56.tar.gz
-/container-selinux-2521d0d.tar.gz
-/container-selinux-619db17.tar.gz
-/container-selinux-acc6941.tar.gz
-/container-selinux-1e99f1d.tar.gz
-/container-selinux-e3ebc68.tar.gz
-/container-selinux-a6c9822.tar.gz
-/container-selinux-aa7b807.tar.gz
-/container-selinux-9a53d6c.tar.gz
-/container-selinux-3b78187.tar.gz
-/container-selinux-b0061dc.tar.gz
-/container-selinux-1c24dcb.tar.gz
-/container-selinux-b275a1f.tar.gz
-/container-selinux-7baad79.tar.gz
-/container-selinux-fc7111d.tar.gz
-/container-selinux-453b816.tar.gz
-/container-selinux-db771da.tar.gz
-/container-selinux-544d71f.tar.gz
-/container-selinux-9a75deb.tar.gz
-/container-selinux-b68cf19.tar.gz
-/container-selinux-4f7d6bb.tar.gz
+/container-selinux-f958d0c.tar.gz
+/v2.124.0.tar.gz
+/v1.124.0.tar.gz
+/v2.125.0.tar.gz
+/v2.125.1.tar.gz
+/v2.125.2.tar.gz
+/v2.126.0.tar.gz
+/v2.127.0.tar.gz
+/v2.128.0.tar.gz
+/v2.129.0.tar.gz
+/v2.130.0.tar.gz
+/v2.131.0.tar.gz
+/v2.132.0.tar.gz
+/v2.135.0.tar.gz
+/v2.137.0.tar.gz
+/v2.138.0.tar.gz
+/v2.139.0.tar.gz
+/v2.140.0.tar.gz
+/v2.141.0.tar.gz
+/v2.142.0.tar.gz
+/v2.143.0.tar.gz
+/v2.144.0.tar.gz
+/v2.145.0.tar.gz
+/v2.150.0.tar.gz
+/v2.151.0.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 778934e..bc4b776 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/containers/container-selinux
-%global commit0 4f7d6bb78724eb2fccd40bbaf96a668a94acc5ce
+%global commit0 6b721daa0b9ff46a444e174995e5ac6600604db5
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -16,23 +16,28 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
-# Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
-
 # Version of SELinux we were using
-%global selinux_policyver 3.13.1-220
+%if 0%{?fedora}
+%define selinux_policyver 3.14.4-43
+%else
+%define selinux_policyver 3.14.3-20
+%endif
+
+# Used for comparing with latest upstream tag
+# to decide whether to autobuild (non-rawhide only)
+%define built_tag v2.151.0
+%define built_tag_strip %(b=%{built_tag}; echo ${b:1})
+%define download_url https://github.com/containers/%{name}/archive/%{built_tag}.tar.gz
 # Hooked up to autobuilder, please check with @lsm5 before updating
 Name: container-selinux
-%if 0%{?fedora}
 Epoch: 2
-%endif
-Version: 2.113.0
-Release: 1.dev.git%{shortcommit0}%{?dist}
+Version: 2.151.0
+Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Source0: %{download_url}
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -53,7 +58,7 @@
 Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{name}-%{built_tag_strip}
 %build
 make
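Review bot: The new `selinux_policyver`, `built_tag`, `built_tag_strip` and `download_url` macros are introduced with `%define`, while every other top-level macro in this hunk (`git0`, `commit0`, `shortcommit0`, `_format`) uses `%global`; at spec top level both behave the same, but the file's own style and Fedora packaging convention favour `%global`, e.g. `%global built_tag v2.151.0`. On the new side `%{shortcommit0}` no longer appears in `Release:` or `Source0:`, so `commit0`/`shortcommit0` (still bumped in the preceding hunk) look unused unless a part of the spec outside this diff references them; if they are kept for the autobuilder, a one-line comment saying so would stop the next reader from deleting them. `Source0` now fetches a tag archive instead of the previous commit-addressed one; a tag can be moved where a commit hash cannot, so the SHA512 in `sources` becomes the only thing pinning the build input, which is worth stating in the comment above `built_tag`.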
@@ -65,12 +70,17 @@
 install -d %{buildroot}%{_datadir}/selinux/packages
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
 install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}/%{_datadir}/containers/selinux
+install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
 # remove spec file
 rm -rf container-selinux.spec
 %check
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
 %post
 # Install all modules in a single transaction
 if [ $1 -eq 1 ]; then
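Review bot: The two added `install` lines write to `%{buildroot}/%{_datadir}/containers/selinux` with an extra `/` and use mode `644`, while the adjacent lines use `%{buildroot}%{_datadir}` and `0644`; the double slash is harmless but the inconsistency is visible, so `install -d %{buildroot}%{_datadir}/containers/selinux` and `install -m 0644 container_contexts %{buildroot}%{_datadir}/containers/selinux/contexts` would match the surrounding style. The new `%pre` is inserted directly after the still-empty `%check`, which makes the scriptlet ordering harder to scan; either drop the empty `%check` or give it a comment on why it is empty. `%selinux_relabel_pre` is provided by the SELinux policy macro package, and I cannot see from this hunk whether a `Requires(pre)` covers it at install time — worth confirming.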
@@ -80,37 +90,175 @@
 fi
 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
-if %{_sbindir}/selinuxenabled ; then
- %{_sbindir}/load_policy
- %relabel_files
- if [ $1 -eq 1 ]; then
- restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
- restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
- fi
-fi
+%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 %postun
 if [ $1 -eq 0 ]; then
-%{_sbindir}/semodule -n -r %{modulenames} &> /dev/null || :
-if %{_sbindir}/selinuxenabled ; then
-%{_sbindir}/load_policy
-%relabel_files
-fi
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
 fi
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
 %files
 %doc README.md
 %{_datadir}/selinux/*
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
-# Hooked up to autobuilder, please check with @lsm5 before updating
+# Hooked up to autobuilder (usually), please check with @lsm5 before updating
 %changelog
+* Thu Nov 5 2020 RH Container Bot - 2:2.151.0-1
+- autobuilt v2.151.0
+
+* Fri Oct 23 2020 RH Container Bot - 2:2.150.0-1
+- autobuilt v2.150.0
+
+* Thu Sep 10 2020 RH Container Bot - 2:2.145.0-1
+- autobuilt v2.145.0
+
+* Wed Aug 12 15:10:49 GMT 2020 RH Container Bot - 2:2.144.0-1
+- autobuilt v2.144.0
+
+* Wed Aug 05 22:10:36 GMT 2020 RH Container Bot - 2:2.143.0-1
+- autobuilt v2.143.0
+
+* Fri Jul 24 11:10:04 GMT 2020 RH Container Bot - 2:2.142.0-1
+- autobuilt v2.142.0
+
+* Fri Jul 24 10:10:15 GMT 2020 RH Container Bot - 2:2.141.0-1
+- autobuilt v2.141.0
+
+* Thu Jul 23 19:09:43 GMT 2020 RH Container Bot - 2:2.140.0-1
+- autobuilt v2.140.0
+
+* Thu Jul 23 17:49:05 GMT 2020 RH Container Bot - 2:2.139.0-1
+- autobuilt v2.139.0
+
+* Mon Jul 13 2020 RH Container Bot - 2:2.138.0-1
+- autobuilt v2.138.0
+
+* Mon Jun 29 2020 Dan Walsh - 2:2.137.0-3
+- Fix commmit version
+
+* Thu Jun 11 2020 RH Container Bot - 2:2.137.0-1
+- autobuilt v2.137.0
+
+* Tue Jun 02 2020 RH Container Bot - 2:2.135.0-1
+- autobuilt v2.135.0
+
+* Wed Apr 15 2020 RH Container Bot - 2:2.132.0-1
+- autobuilt v2.132.0
+
+* Thu Apr 09 2020 RH Container Bot - 2:2.131.0-1
+- autobuilt v2.131.0
+
+* Mon Apr 06 2020 RH Container Bot - 2:2.130.0-1
+- autobuilt v2.130.0
+
+* Mon Mar 30 2020 Dan Walsh - 2:2.126.0-2
+- Fix commmit version
+
+* Sun Mar 29 2020 RH Container Bot - 2:2.129.0-1
+- autobuilt v2.129.0
+
+* Sun Mar 29 2020 RH Container Bot - 2:2.128.0-1
+- autobuilt v2.128.0
+
+* Fri Mar 27 2020 RH Container Bot - 2:2.127.0-1
+- autobuilt v2.127.0
+
+* Thu Mar 26 2020 Dan Walsh - 2:2.126.0-2
+- Add container_kvm_t for kata containers
+- Add contaienr_init_t for systemd based containers
+- Install container_contexts file
+
+* Thu Mar 26 2020 RH Container Bot - 2:2.126.0-1
+- autobuilt v2.126.0
+
+* Mon Mar 23 2020 RH Container Bot - 2:2.125.2-1
+- autobuilt v2.125.2
+
+* Mon Mar 23 2020 RH Container Bot - 2:2.125.1-1
+- autobuilt v2.125.1
+
+* Fri Mar 20 2020 RH Container Bot - 2:2.125.0-1
+- autobuilt v2.125.0
+
+* Fri Mar 20 2020 Lokesh Mandvekar - 2:2.124.0-4
+- upstream tags are messed up, says latest tag is v1.124.0
+- autobuild disabled for now, version fixed manually
+
+* Sat Feb 15 2020 RH Container Bot - 2:1.124.0-1
+- autobuilt v1.124.0
+
+* Thu Feb 06 2020 Lokesh Mandvekar - 2:2.124.0-3
+- correct version
+
+* Tue Feb 04 2020 RH Container Bot - 2:2.124.0-2
+- bump to v1.124.0
+- autobuilt f958d0c
+
+* Fri Jan 03 2020 Jindrich Novy - 2:2.124.0-3
+- bump release to conserve upgrade path
+- be sure to use newer selinux policy version
+
+* Mon Dec 23 2019 Jindrich Novy - 2:2.124.0-2
+- implement spec file refactoring by Zdenek Pytela, namely:
+ Change the uninstall command in the %%postun section of the specfile
+ to use the %%selinux_modules_uninstall macro which uses priority 200.
+ Change the install command in the %%post section if the specfile
+ to use the %%selinux_modules_install macro.
+ Replace relabel commands with using the %%selinux_relabel_pre and
+ %%selinux_relabel_post macros.
+ Change formatting so that the lines are vertically aligned
+ in the %%postun section.
+ (https://github.com/containers/container-selinux/pull/85)
+
+* Wed Dec 11 2019 Dan Walsh - 2:2.124.0-1
+- Allow systemd_logind_t to transition to container_runtime_exec_t
+
+* Fri Dec 06 2019 Adam Williamson - 2:2.123.0-2
+- Bump SELinux policy version requirement per zpytela
+
+* Wed Nov 27 2019 Dan Walsh - 2:2.123.0-1
+- Bump to v2.123.0
+
+* Sun Oct 27 2019 RH Container Bot - 2:2.119.1-2
+- bump to v2.119.1
+- autobuilt 2ecb2a8 for fedora
+- autobuilt c57a6f9 for centos
+
+* Thu Oct 24 2019 RH Container Bot - 2:2.119.0-2
+- bump to v2.119.0
+- autobuilt b383f07 for fedora
+- autobuilt 42087be for centos
+
+* Fri Oct 11 2019 RH Container Bot - 2:2.118.0-2
+- bump to v2.118.0
+- autobuilt 79bdcb5 for fedora
+- autobuilt 42087be for centos
+
+* Fri Sep 20 2019 Dan Walsh - 2.117-1
+- Add label for /usr/bin/crun
+
+* Thu Sep 5 2019 Dan Walsh - 2.116-1
+- Don't let container_runtime_t transition to svirt domains.
+
+* Wed Aug 21 2019 Dan Walsh - 2.115-1
+- Allow containers to execmod files on fusefs_t
+
+* Mon Aug 19 2019 Dan Walsh - 2.114-1
+- Allow containers to settatr on /proc/self/ lnk_files
+- Allow containers to remount /proc
+
 * Fri Aug 9 2019 Dan Walsh - 2.113-1
 - Allow containers to name_bind to rawip_sockets.
diff --git a/sources b/sources
index 36cc5ee..82f9e27 100644
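Review bot: `%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker` in `%postun` now removes a `docker` module on erase, whereas the `%post` lines above only disable it (`-d docker`) and the old `%postun` removed `%{modulenames}` alone; if the macro operates at its own priority and a legacy `docker` module was loaded at the default priority, the removal may be a no-op, so confirm the intent and record it, e.g. `# also drop the legacy docker module so a downgrade cannot re-enable it`. The `fi` at the top of the hunk closes an `if [ $1 -eq 1 ]` block that begins outside it. `%post` still sources `%{_sysconfdir}/selinux/config` and then runs `sed -i` on `/etc/selinux/${SELINUXTYPE}/contexts/customizable_types` with no check that the config exists or that `SELINUXTYPE` is set; that predates this commit, but since the section was being reworked a guard such as `[ -n "${SELINUXTYPE:-}" ] && sed ...` in front of the edit would avoid a failed scriptlet on hosts without a loaded policy. In the added `%changelog`, the `2:2.126.0-2` header appears twice (Mar 30 and Mar 26) and `commmit` / `contaienr_init_t` are typos; rpmlint is likely to flag the duplicate version, and the typos are plain text and trivial to fix.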
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-4f7d6bb.tar.gz) = 74c509d0bec92d693f6673610f09346cb8b82520f178a8713064d020f1428e28e23a36200e40fe8db2fff2d1d6117f6ea33cb823a5114ad3041b222066779061
+SHA512 (v2.151.0.tar.gz) = 1d343cb90c7e8f9eb9df08e46c966532bae07ffde3c57d2616d669c493634cd6c54380da2b1b4b010bd4d8e8e506ce4400362dafc49826f82072876aa7e936c8