From 906fd74775d1b837723dd91c7b29bf85c18227a8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 19 Jan 2017 12:07:10 -0500 Subject: [PATCH 01/19] Add typebounds statement for container_t from container_runtime_t We should only label runc not runc* --- container-selinux.spec | 8 ++++++-- sources | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 1a6c66f..f2765fa 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 3bbbad57f5827b02f91f847eb559a59cca7967af +%global commit0 b9809fa7156c043e4306c0a14e0b20f72d0a31fa %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.3 +Version: 2.4 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,10 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jan 19 2017 Dan Walsh - 2:4.1-1 +- Add typebounds statement for container_t from container_runtime_t +- We should only label runc not runc* + * Tue Jan 17 2017 Dan Walsh - 2:3.1-1 - Fix labeling on /usr/bin/runc.* - Add sandbox_net_domain access to container.te diff --git a/sources b/sources index 93826a8..b95330e 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ SHA512 (container-selinux-bcdcb9a.tar.gz) = 382ed177ac878e56a7a4819b30362f0f797657ae4b87847e624124d06e4f56463a44c8a4d0ba60ebe02bf53128b43ec5d0ce5a6f9e0d6450594a9cef60531806 SHA512 (container-selinux-3bbbad5.tar.gz) = d255c5993bff90fb90030d6d0ced11eeed9a620878e24b99fdba7e8c66e130fcc88ac6f839fd84a96863f3d0fb57a41d4d4a59e30eb383ad999a75d22d8533a2 +SHA512 (container-selinux-b9809fa.tar.gz) = 796403b5951daaaf1de932d02d42be9a62ba877fcf67f5cbd9e489427e886cb9dcb990810d46a0359dabfe5ce132139c869c278d4a17b3690530e7cfd0f0575b 
From cf93502ad8b8e433571c6937a3c9393830990de9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 26 Jan 2017 07:31:56 +0100 Subject: [PATCH 02/19] Add typebounds statement for container_t from container_runtime_t We should only label runc not runc* --- container-selinux.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-selinux.spec b/container-selinux.spec index f2765fa..35076a4 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -58,7 +58,7 @@ Requires(post): policycoreutils-python %endif Requires(post): libselinux-utils Obsoletes: %{name} <= 2:1.12.5-13 -Obsoletes: docker-selinux <= 2:1.12.4-28 +Obsoletes: docker-selinux Provides: docker-selinux = %{epoch}:%{version}-%{release} %description From 52bb8b3c703b4b5039ba55d84e22c4e8c6135668 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 27 Jan 2017 13:16:44 +0100 Subject: [PATCH 03/19] Fix typebounds problems --- .gitignore | 2 ++ container-selinux.spec | 9 ++++++--- sources | 1 + 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 76331ee..7c86ea7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ /container-selinux-513572d.tar.gz /container-selinux-bcdcb9a.tar.gz /container-selinux-3bbbad5.tar.gz +/container-selinux-b9809fa.tar.gz +/container-selinux-ba28054.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 35076a4..617b44d 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 b9809fa7156c043e4306c0a14e0b20f72d0a31fa +%global commit0 ba280540e817275a9707798221baab18954a3ce8 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.4 +Version: 2.5 Release: 1%{?dist} License: GPLv2 URL: %{git0} 
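Review bot: Dropping the version bound in the `@@ -58,7 +58,7 @@` hunk of PATCH 02/19 leaves `Obsoletes: docker-selinux` matching every docker-selinux build, including any later one with a higher EVR. The next line, `Provides: docker-selinux = %{epoch}:%{version}-%{release}`, still advertises a versioned replacement. The commit subject is copied from PATCH 01/19 and says nothing about this dependency change, so the reason for it is not recorded. If the unversioned form is intended, put a comment above it such as `# unversioned on purpose: container-selinux fully replaces docker-selinux`; otherwise keep `Obsoletes: docker-selinux <= 2:1.12.4-28`.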
@@ -58,7 +58,7 @@ Requires(post): policycoreutils-python %endif Requires(post): libselinux-utils Obsoletes: %{name} <= 2:1.12.5-13 -Obsoletes: docker-selinux +Obsoletes: docker-selinux <= 2:1.12.4-28 Provides: docker-selinux = %{epoch}:%{version}-%{release} %description @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Jan 27 2017 Dan Walsh - 2:5.1-1 +- Fix typebounds problems + * Thu Jan 19 2017 Dan Walsh - 2:4.1-1 - Add typebounds statement for container_t from container_runtime_t - We should only label runc not runc* diff --git a/sources b/sources index b95330e..88c3416 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ SHA512 (container-selinux-bcdcb9a.tar.gz) = 382ed177ac878e56a7a4819b30362f0f797657ae4b87847e624124d06e4f56463a44c8a4d0ba60ebe02bf53128b43ec5d0ce5a6f9e0d6450594a9cef60531806 SHA512 (container-selinux-3bbbad5.tar.gz) = d255c5993bff90fb90030d6d0ced11eeed9a620878e24b99fdba7e8c66e130fcc88ac6f839fd84a96863f3d0fb57a41d4d4a59e30eb383ad999a75d22d8533a2 SHA512 (container-selinux-b9809fa.tar.gz) = 796403b5951daaaf1de932d02d42be9a62ba877fcf67f5cbd9e489427e886cb9dcb990810d46a0359dabfe5ce132139c869c278d4a17b3690530e7cfd0f0575b +SHA512 (container-selinux-ba28054.tar.gz) = 3d71410947122b69e1b291dbf64071a8cbde386e8b9d1ea534cb5b822e293b0123b869fc212b8ab2ef7a976fdc93ab468c489b6aabb40f477530fd9ec830d6b4 From b336ef886d434b65fc5452a593c98e60d20456d2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 6 Feb 2017 10:29:22 -0500 Subject: [PATCH 04/19] Fix typebounds entrypoint problems --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 7c86ea7..5eae1c2 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /container-selinux-3bbbad5.tar.gz /container-selinux-b9809fa.tar.gz /container-selinux-ba28054.tar.gz +/container-selinux-9e004af.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 617b44d..731507d 100644 
--- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 ba280540e817275a9707798221baab18954a3ce8 +%global commit0 9e004afd7efa3e7357cc15783062452f63557df7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.5 +Version: 2.6 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Feb 6 2017 Dan Walsh - 2:6.1-1 +- Fix typebounds entrypoint problems + * Fri Jan 27 2017 Dan Walsh - 2:5.1-1 - Fix typebounds problems diff --git a/sources b/sources index 88c3416..720c023 100644 --- a/sources +++ b/sources @@ -2,3 +2,4 @@ SHA512 (container-selinux-bcdcb9a.tar.gz) = 382ed177ac878e56a7a4819b30362f0f7976 SHA512 (container-selinux-3bbbad5.tar.gz) = d255c5993bff90fb90030d6d0ced11eeed9a620878e24b99fdba7e8c66e130fcc88ac6f839fd84a96863f3d0fb57a41d4d4a59e30eb383ad999a75d22d8533a2 SHA512 (container-selinux-b9809fa.tar.gz) = 796403b5951daaaf1de932d02d42be9a62ba877fcf67f5cbd9e489427e886cb9dcb990810d46a0359dabfe5ce132139c869c278d4a17b3690530e7cfd0f0575b SHA512 (container-selinux-ba28054.tar.gz) = 3d71410947122b69e1b291dbf64071a8cbde386e8b9d1ea534cb5b822e293b0123b869fc212b8ab2ef7a976fdc93ab468c489b6aabb40f477530fd9ec830d6b4 +SHA512 (container-selinux-9e004af.tar.gz) = 04827c282a378ac1c3460f02dd3b757b3936422b659d4c0f6391864fda88a6bae1e773fd194b6f6b78918d4f6336a2623682f71a3899014cd97903018ed7d715 From c16486d0c37ffbc92308e65fa69c8de295ce10f5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 27 Feb 2017 12:12:13 -0500 Subject: [PATCH 05/19] Add rules to allow container_runtimes to run with unconfined disabled --- .gitignore | 3 +++ container-selinux.spec | 13 +++++++++++-- sources | 6 +----- 3 files changed, 15 insertions(+), 7 deletions(-) 
diff --git a/.gitignore b/.gitignore index 5eae1c2..70eac6f 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,6 @@ /container-selinux-b9809fa.tar.gz /container-selinux-ba28054.tar.gz /container-selinux-9e004af.tar.gz +/container-selinux-ce95ddb.tar.gz +/container-selinux-f7333f9.tar.gz +/container-selinux-08bb6e0.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 731507d..01bb974 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 9e004afd7efa3e7357cc15783062452f63557df7 +%global commit0 08bb6e0a1a63b1312c88c2e201b58aeb0ffd5467 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.6 +Version: 2.9 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,15 @@ fi %{_datadir}/selinux/* %changelog +* Mon Feb 13 2017 Dan Walsh - 2:9.1-1 +- Add rules to allow container_runtimes to run with unconfined disabled + +* Thu Feb 9 2017 Dan Walsh - 2:8.1-1 +- Allow container_file_t to be stored on cgroup_t file systems + +* Tue Feb 7 2017 Dan Walsh - 2:7.1-1 +- Fix type in container interface file + * Mon Feb 6 2017 Dan Walsh - 2:6.1-1 - Fix typebounds entrypoint problems diff --git a/sources b/sources index 720c023..983bbdb 100644 --- a/sources +++ b/sources 
@@ -1,5 +1 @@ -SHA512 (container-selinux-bcdcb9a.tar.gz) = 382ed177ac878e56a7a4819b30362f0f797657ae4b87847e624124d06e4f56463a44c8a4d0ba60ebe02bf53128b43ec5d0ce5a6f9e0d6450594a9cef60531806 -SHA512 (container-selinux-3bbbad5.tar.gz) = d255c5993bff90fb90030d6d0ced11eeed9a620878e24b99fdba7e8c66e130fcc88ac6f839fd84a96863f3d0fb57a41d4d4a59e30eb383ad999a75d22d8533a2 -SHA512 (container-selinux-b9809fa.tar.gz) = 796403b5951daaaf1de932d02d42be9a62ba877fcf67f5cbd9e489427e886cb9dcb990810d46a0359dabfe5ce132139c869c278d4a17b3690530e7cfd0f0575b -SHA512 (container-selinux-ba28054.tar.gz) = 3d71410947122b69e1b291dbf64071a8cbde386e8b9d1ea534cb5b822e293b0123b869fc212b8ab2ef7a976fdc93ab468c489b6aabb40f477530fd9ec830d6b4 -SHA512 (container-selinux-9e004af.tar.gz) = 04827c282a378ac1c3460f02dd3b757b3936422b659d4c0f6391864fda88a6bae1e773fd194b6f6b78918d4f6336a2623682f71a3899014cd97903018ed7d715 +SHA512 (container-selinux-08bb6e0.tar.gz) = bba16bd77c6d34982637e4fc874ef1a741df7ca73a85ad1edfece5ae2838409efbe00ea44653acb63c22c6939c7afc72f7882715c9c4657d4427eff6f77d2a35 From 4a01ea2e1e790b72d5c93f57fa404fef2135dcca Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 2 Mar 2017 17:46:41 -0500 Subject: [PATCH 06/19] Add rules to allow container runtimes to run with unconfined disabled Add rules to support cgroup file systems mounted into container. --- .gitignore | 1 + container-selinux.spec | 10 +++++++--- sources | 1 + 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 70eac6f..323f47a 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /container-selinux-ce95ddb.tar.gz /container-selinux-f7333f9.tar.gz /container-selinux-08bb6e0.tar.gz +/container-selinux-8f8caa6.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 01bb974..8095683 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 08bb6e0a1a63b1312c88c2e201b58aeb0ffd5467 +%global commit0 8f8caa66c11f8657ebf8ae50d7221ee3a97ac7d3 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.9 +Version: 2.10 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,7 +118,11 @@ fi %{_datadir}/selinux/* %changelog -* Mon Feb 13 2017 Dan Walsh - 2:9.1-1 +* Tue Feb 28 2017 Dan Walsh - 2.10-1 +- Add rules to allow container runtimes to run with unconfined disabled +- Add rules to support cgroup file systems mounted into container. + +* Mon Feb 13 2017 Dan Walsh - 2.9-1 - Add rules to allow container_runtimes to run with unconfined disabled * Thu Feb 9 2017 Dan Walsh - 2:8.1-1 diff --git a/sources b/sources index 983bbdb..9f28c00 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (container-selinux-08bb6e0.tar.gz) = bba16bd77c6d34982637e4fc874ef1a741df7ca73a85ad1edfece5ae2838409efbe00ea44653acb63c22c6939c7afc72f7882715c9c4657d4427eff6f77d2a35 +SHA512 (container-selinux-8f8caa6.tar.gz) = b273cb85c6afece175d917b043f92d4c126d03eaa4b2ad5c36c0a6430465a127ad25961d26b66730190723a6aefba4a8ffb694ea942c6b4eb5d6ee950b780856 From 241731ea64497f39089b6e9e2252123da8a34635 Mon Sep 17 00:00:00 2001 
From: Dan Walsh Date: Fri, 19 May 2017 07:22:22 -0400 Subject: [PATCH 07/19] Add labels for crio rename Break container_t rules out to use a separate container_domain Allow containers to be able to set namespaced SYCTLS Allow sandbox containers manage fuse files. Fixes to make container_runtimes work on MLS machines Bump version to allow handling of container_file_t filesystems Allow containers to mount, remount and umount container_file_t file systems Fixes to handle cap_userns Give container_t access to XFRM sockets Allow spc_t to dbus chat with init system Allow spc_t to dbus chat with init system Add rules to allow container runtimes to run with unconfined disabled Add rules to support cgroup file systems mounted into container. Fix typebounds entrypoint problems Fix typebounds problems Add typebounds statement for container_t from container_runtime_t We should only label runc not runc* --- .gitignore | 1 + container-selinux.spec | 23 +++++++++++++++++++++-- sources | 3 +-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 323f47a..0caac17 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /container-selinux-f7333f9.tar.gz /container-selinux-08bb6e0.tar.gz /container-selinux-8f8caa6.tar.gz +/container-selinux-14f7c51.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 8095683..c3382fe 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 8f8caa66c11f8657ebf8ae50d7221ee3a97ac7d3 +%global commit0 14f7c51001a452a1cf3e162845c2915aeb167fac %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.10 +Version: 2.14 Release: 1%{?dist} License: GPLv2 URL: %{git0} 
@@ -118,6 +118,25 @@ fi %{_datadir}/selinux/* %changelog +* Fri May 19 2017 Dan Walsh - 2.14-1 +- Add labels for crio rename +- Break container_t rules out to use a separate container_domain +- Allow containers to be able to set namespaced SYCTLS +- Allow sandbox containers manage fuse files. +- Fixes to make container_runtimes work on MLS machines +- Bump version to allow handling of container_file_t filesystems +- Allow containers to mount, remount and umount container_file_t file systems +- Fixes to handle cap_userns +- Give container_t access to XFRM sockets +- Allow spc_t to dbus chat with init system +- Allow spc_t to dbus chat with init system +- Add rules to allow container runtimes to run with unconfined disabled +- Add rules to support cgroup file systems mounted into container. +- Fix typebounds entrypoint problems +- Fix typebounds problems +- Add typebounds statement for container_t from container_runtime_t +- We should only label runc not runc* + * Tue Feb 28 2017 Dan Walsh - 2.10-1 - Add rules to allow container runtimes to run with unconfined disabled - Add rules to support cgroup file systems mounted into container. diff --git a/sources b/sources index 9f28c00..b3c2342 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (container-selinux-08bb6e0.tar.gz) = bba16bd77c6d34982637e4fc874ef1a741df7ca73a85ad1edfece5ae2838409efbe00ea44653acb63c22c6939c7afc72f7882715c9c4657d4427eff6f77d2a35 -SHA512 (container-selinux-8f8caa6.tar.gz) = b273cb85c6afece175d917b043f92d4c126d03eaa4b2ad5c36c0a6430465a127ad25961d26b66730190723a6aefba4a8ffb694ea942c6b4eb5d6ee950b780856 +SHA512 (container-selinux-14f7c51.tar.gz) = 5a1c5f9574005aa714b08f5db429fa3afaa02f64d0694d4ad63dd2976c4a0f7bf1ff2697a0978bbbcd8c566d6453024390dbfc6579d188827dc2593a048695f2 From dceef8f75b210fbdf4170cf7aa7286ed3433ec6e Mon Sep 17 00:00:00 2001 
From: Daniel J Walsh Date: Wed, 31 May 2017 12:35:43 +0000 Subject: [PATCH 08/19] Allow container types to read/write container_runtime fifo files Allow a container runtime to mount on top of its own /proc --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0caac17..d3274e4 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /container-selinux-08bb6e0.tar.gz /container-selinux-8f8caa6.tar.gz /container-selinux-14f7c51.tar.gz +/container-selinux-c81ea26.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index c3382fe..8bc7400 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 14f7c51001a452a1cf3e162845c2915aeb167fac +%global commit0 c81ea2691ffdb436229d20b6b7a92e2fd71d0553 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.14 +Version: 2.15 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,10 @@ fi %{_datadir}/selinux/* %changelog +* Wed May 31 2017 Dan Walsh - 2.15-1 +- Allow container types to read/write container_runtime fifo files +- Allow a container runtime to mount on top of its own /proc + * Fri May 19 2017 Dan Walsh - 2.14-1 - Add labels for crio rename - Break container_t rules out to use a separate container_domain diff --git a/sources b/sources index b3c2342..10ffcf8 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-14f7c51.tar.gz) = 5a1c5f9574005aa714b08f5db429fa3afaa02f64d0694d4ad63dd2976c4a0f7bf1ff2697a0978bbbcd8c566d6453024390dbfc6579d188827dc2593a048695f2 +SHA512 (container-selinux-c81ea26.tar.gz) = 984aeede05f41b693908271436a86947cb13366114dfa58de57e24bb985aff657090a1d060f8d066cf7bb918a4269a7172e225f013b0e039adfff680943de519 From 131573e601df1bc93a9648baeab82e764715a14c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 1 Jun 2017 22:17:09 +0000 Subject: [PATCH 09/19] Add default labeling for cri-o in /etc/crio directories --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index d3274e4..40bffaa 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /container-selinux-8f8caa6.tar.gz /container-selinux-14f7c51.tar.gz /container-selinux-c81ea26.tar.gz +/container-selinux-9027f8e.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 8bc7400..0f62457 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 c81ea2691ffdb436229d20b6b7a92e2fd71d0553 +%global commit0 9027f8e958bbf8c98f1d6856ccd4c8b7b5da8d1c %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.15 +Version: 2.16 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jun 1 2017 Dan Walsh - 2.16-1 +- Add default labeling for cri-o in /etc/crio directories + * Wed May 31 2017 Dan Walsh - 2.15-1 - Allow container types to read/write container_runtime fifo files - Allow a container runtime to mount on top of its own /proc diff --git a/sources b/sources index 10ffcf8..d2d1e67 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-c81ea26.tar.gz) = 984aeede05f41b693908271436a86947cb13366114dfa58de57e24bb985aff657090a1d060f8d066cf7bb918a4269a7172e225f013b0e039adfff680943de519 +SHA512 (container-selinux-9027f8e.tar.gz) = 19e561a9c71e0b3759a0fa79580cb816274fd90762c164f85e3de514102d7da702faaba9c4b2bf2dd54a39462ed52faea23e4fec2dc34c229267829635390ec6 From f20ad648b4c8d9046e08aefa3e5075dbf2464cd7 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 5 Jun 2017 21:00:44 +0000 Subject: [PATCH 10/19] Revert change to run the container_runtime as ranged --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 40bffaa..67e2407 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ /container-selinux-14f7c51.tar.gz /container-selinux-c81ea26.tar.gz /container-selinux-9027f8e.tar.gz +/container-selinux-ed3082b.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 0f62457..41e4386 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 9027f8e958bbf8c98f1d6856ccd4c8b7b5da8d1c +%global commit0 ed3082b4d72740d197f4680749347ca507fc1203 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.16 +Version: 2.17 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jun 5 2017 Dan Walsh - 2.17-1 +- Revert change to run the container_runtime as ranged + * Thu Jun 1 2017 Dan Walsh - 2.16-1 - Add default labeling for cri-o in /etc/crio directories diff --git a/sources b/sources index d2d1e67..795ef44 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-9027f8e.tar.gz) = 19e561a9c71e0b3759a0fa79580cb816274fd90762c164f85e3de514102d7da702faaba9c4b2bf2dd54a39462ed52faea23e4fec2dc34c229267829635390ec6 +SHA512 (container-selinux-ed3082b.tar.gz) = a09ecf7002812d6f7deb878bd43a4c057cda41ad87b999ae43bc485f1f5a7229e7065131c9ec8da657005768fd814a612ab2cb84c66f7de74dab30197726568f From 8096ea4b976504b7bebe1fb27b1bc5600c8613c9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 6 Jun 2017 20:46:10 +0000 Subject: [PATCH 11/19] Fix labeling for CRI-O files in overlay subdirs --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 67e2407..f607f56 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ /container-selinux-c81ea26.tar.gz /container-selinux-9027f8e.tar.gz /container-selinux-ed3082b.tar.gz +/container-selinux-5212fea.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 41e4386..565136d 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 ed3082b4d72740d197f4680749347ca507fc1203 +%global commit0 5212fea857a5296e1d22b3ac6b875eb59a86ebe7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.17 +Version: 2.18 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Tue Jun 6 2017 Dan Walsh - 2.18-1 +- Fix labeling for CRI-O files in overlay subdirs + * Mon Jun 5 2017 Dan Walsh - 2.17-1 - Revert change to run the container_runtime as ranged diff --git a/sources b/sources index 795ef44..0f81251 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-ed3082b.tar.gz) = a09ecf7002812d6f7deb878bd43a4c057cda41ad87b999ae43bc485f1f5a7229e7065131c9ec8da657005768fd814a612ab2cb84c66f7de74dab30197726568f +SHA512 (container-selinux-5212fea.tar.gz) = 3a796527dfbc1b0ad0b05f7db1a4342ffa8802cbb7778310e6b49f433e8bc5bd0b8fbe7240bff204cfde2169143bd1ad46002368e8a1c9b711f0e8b1ecacecd6 From 537beaa56461b7e619e52c162db258ccd5d19543 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 12 Jun 2017 19:42:49 +0000 Subject: [PATCH 12/19] Allow containers to create tun sockets --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index f607f56..c64135c 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /container-selinux-9027f8e.tar.gz /container-selinux-ed3082b.tar.gz /container-selinux-5212fea.tar.gz +/container-selinux-a80afba.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 565136d..996ee3a 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 5212fea857a5296e1d22b3ac6b875eb59a86ebe7 +%global commit0 a80afba083834209e5683c8e0320734a4d9d0b64 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.18 +Version: 2.19 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jun 12 2017 Dan Walsh - 2.19-1 +- Allow containers to create tun sockets + * Tue Jun 6 2017 Dan Walsh - 2.18-1 - Fix labeling for CRI-O files in overlay subdirs diff --git a/sources b/sources index 0f81251..a3045ce 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-5212fea.tar.gz) = 3a796527dfbc1b0ad0b05f7db1a4342ffa8802cbb7778310e6b49f433e8bc5bd0b8fbe7240bff204cfde2169143bd1ad46002368e8a1c9b711f0e8b1ecacecd6 +SHA512 (container-selinux-a80afba.tar.gz) = 41e7c18cd221113799495d9ca93bbc2844795be5a39e62c16fc07956f6b36cc52ed6d49f2837aae268ad4356f96458835a57d57e72d5dcdb9e978095a0c96d38 From 97db3b1d48440e4a520c2a42350e0eac42f01976 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 30 Jun 2017 15:54:30 +0000 Subject: [PATCH 13/19] Allow container processes to getsession --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c64135c..5ecda31 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /container-selinux-ed3082b.tar.gz /container-selinux-5212fea.tar.gz /container-selinux-a80afba.tar.gz +/container-selinux-c5fd77f.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 996ee3a..9abe5d1 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 a80afba083834209e5683c8e0320734a4d9d0b64 +%global commit0 c5fd77fc2496e04c2722d23860842b58a72d0178 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.19 +Version: 2.20 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Jun 30 2017 Dan Walsh - 2.20-1 +- Allow container processes to getsession + * Mon Jun 12 2017 Dan Walsh - 2.19-1 - Allow containers to create tun sockets diff --git a/sources b/sources index a3045ce..4ce51af 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-a80afba.tar.gz) = 41e7c18cd221113799495d9ca93bbc2844795be5a39e62c16fc07956f6b36cc52ed6d49f2837aae268ad4356f96458835a57d57e72d5dcdb9e978095a0c96d38 +SHA512 (container-selinux-c5fd77f.tar.gz) = 226880f6c73115034bd16b0c5acf6a79f35391fe51eec2ab499cf475d848e561f174dfaf14f7778c53363c4eee006b6b77cf558bd6e36b4474bfd44d9da8f8fa From c8a851dcbe1c18a930b8dcd525eaba60b9bb33e2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 6 Jul 2017 10:49:00 +0000 Subject: [PATCH 14/19] Relabel runc and crio executables --- container-selinux.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 9abe5d1..7fad32e 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -22,7 +22,7 @@ %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; # Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using %if 0%{?fedora} >= 22 
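Review bot: In the `@@ -22,7 +22,7 @@` hunk of PATCH 14/19, the new `%{_bindir}/*runc*` glob in `relabel_files` is wider than the match the 2:4.1-1 changelog entry settled on ("We should only label runc not runc*"). The command also still ends in `&> /dev/null || :`, so a restorecon failure on the runtime binaries is discarded without a trace. A runc or crio executable left with a stale label would presumably not get the context the policy expects, and the scriptlet would not report it. Consider narrowing the glob to the paths the policy's file contexts actually label, and documenting the suppression above the macro, e.g. `# restorecon errors are ignored on purpose: not every path exists on every host`. `%{_sysconfdir}/docker` now appears twice on this line; the second occurrence can be dropped.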
@@ -36,7 +36,7 @@ Name: container-selinux Epoch: 2 %endif Version: 2.20 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jul 6 2017 Dan Walsh - 2.20-2 +- Relabel runc and crio executables + * Fri Jun 30 2017 Dan Walsh - 2.20-1 - Allow container processes to getsession From 653c8c118c6b0fa0815c178fd59dc9e2eea5d59b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 11 Jul 2017 17:37:24 +0000 Subject: [PATCH 15/19] Allow containers to execmod on container_share_t files. --- .gitignore | 1 + container-selinux.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 5ecda31..339f37c 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /container-selinux-5212fea.tar.gz /container-selinux-a80afba.tar.gz /container-selinux-c5fd77f.tar.gz +/container-selinux-c89e9b5.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 7fad32e..1e50d15 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 c5fd77fc2496e04c2722d23860842b58a72d0178 +%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,8 +35,8 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.20 -Release: 2%{?dist} +Version: 2.21 +Release: 1%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jul 6 2017 Dan Walsh - 2.21-1 +- Allow containers to execmod on container_share_t files. + * Thu Jul 6 2017 Dan Walsh - 2.20-2 - Relabel runc and crio executables 
diff --git a/sources b/sources index 4ce51af..28ef135 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-c5fd77f.tar.gz) = 226880f6c73115034bd16b0c5acf6a79f35391fe51eec2ab499cf475d848e561f174dfaf14f7778c53363c4eee006b6b77cf558bd6e36b4474bfd44d9da8f8fa +SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050 From a8cfdedf9afe957bfb06c70c40519cfdca5730f2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 5 Sep 2017 20:41:43 +0000 Subject: [PATCH 16/19] Add additonal support for crio labeling. --- .gitignore | 1 + container-selinux.spec | 21 +++++++++++++++------ sources | 2 +- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 339f37c..0ac645f 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ /container-selinux-a80afba.tar.gz /container-selinux-c5fd77f.tar.gz /container-selinux-c89e9b5.tar.gz +/container-selinux-58324f3.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 1e50d15..60adde7 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,8 +2,8 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%if 0%{?fedora} -%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7 +%if 0%{?fedora} || 0%{?rhel} > 7 +%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 
@@ -25,17 +25,17 @@ %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using -%if 0%{?fedora} >= 22 +%if 0%{?fedora} >= 22 || 0%{?rhel} > 7 %global selinux_policyver 3.13.1-220 %else %global selinux_policyver 3.13.1-39 %endif Name: container-selinux -%if 0%{?fedora} || 0%{?centos} +%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.21 +Version: 2.22 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -51,7 +51,7 @@ Requires: selinux-policy >= %{selinux_policyver} Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): selinux-policy-targeted >= %{selinux_policyver} Requires(post): policycoreutils -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} > 7 Requires(post): policycoreutils-python-utils %else Requires(post): policycoreutils-python @@ -118,6 +118,15 @@ fi %{_datadir}/selinux/* %changelog +* Tue Sep 5 2017 Dan Walsh - 2.22-1 +- Add additonal support for crio labeling. + +* Mon Aug 14 2017 Troy Dawson - 2.21-3 +- Fixup spec file conditionals + +* Wed Jul 26 2017 Fedora Release Engineering - 2:2.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Thu Jul 6 2017 Dan Walsh - 2.21-1 - Allow containers to execmod on container_share_t files. diff --git a/sources b/sources index 28ef135..46ccc4f 100644 --- a/sources +++ b/sources 
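Review bot: The `relabel_files` macro shown as context at the top of the `@@ -25,17 +25,17 @@` hunk is left unchanged by a commit titled as adding crio labeling support; it still covers only `%{_bindir}/*crio` and `%{_sysconfdir}/crio`. If the new policy snapshot defines file contexts for further crio paths, files already on disk there keep their old label after an upgrade. Because the macro ends in `&> /dev/null || :`, nothing reports that. I would add the newly labelled paths to the `restorecon -R` list and drop the duplicated `%{_sysconfdir}/docker` entry while there. The policy itself is not part of this patch, so which paths are affected needs checking against the upstream commit.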
@@ -1 +1 @@ -SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050 +SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08 From 7b9787a7637a424c7832414386b4eab306e672dd Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 7 Sep 2017 08:45:22 +0000 Subject: [PATCH 17/19] Allow container runtimes to create sockets in tmp dirs --- container-selinux.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 60adde7..c096def 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a +%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.22 +Version: 2.23 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Sep 7 2017 Dan Walsh - 2.23-1 +- Allow container runtimes to create sockets in tmp dirs + * Tue Sep 5 2017 Dan Walsh - 2.22-1 - Add additonal support for crio labeling. From d84f4c0df3e6e9af920cbf051ecc4f44cbf737c6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 7 Sep 2017 09:01:41 +0000 Subject: [PATCH 18/19] Allow container runtimes to create sockets in tmp dirs --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 0ac645f..16244c3 100644 --- a/.gitignore +++ b/.gitignore 
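Review bot: `commit0` moves to `81ff96c3…` in the `@@ -3,7 +3,7 @@` hunk of PATCH 17/19, but that commit touches only `container-selinux.spec`. The `sources` line and `.gitignore` entry for `container-selinux-81ff96c.tar.gz` arrive separately in PATCH 18/19. Checked out on its own, PATCH 17 names a tarball while `sources` still carries only the 58324f3 checksum, so the source cannot be verified at that point in history. Squashing 17 and 18 keeps the pin and its SHA512 in one change and keeps every commit buildable for bisecting.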
@@ -17,3 +17,4 @@ /container-selinux-c5fd77f.tar.gz /container-selinux-c89e9b5.tar.gz /container-selinux-58324f3.tar.gz +/container-selinux-81ff96c.tar.gz diff --git a/sources b/sources index 46ccc4f..9f28103 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08 +SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98 From 36cbe12aca038e21e8ecfea4131b0085b462dc25 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 22 Sep 2017 11:11:40 +0000 Subject: [PATCH 19/19] Make sure container_runtime_t has all access of container_t --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 16244c3..109031b 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ /container-selinux-c89e9b5.tar.gz /container-selinux-58324f3.tar.gz /container-selinux-81ff96c.tar.gz +/container-selinux-a9260d4.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index c096def..182d6d7 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96 +%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.23 +Version: 2.24 Release: 1%{?dist} License: GPLv2 URL: %{git0} 
@@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Sep 22 2017 Dan Walsh - 2.24-1 +- Make sure container_runtime_t has all access of container_t + * Thu Sep 7 2017 Dan Walsh - 2.23-1 - Allow container runtimes to create sockets in tmp dirs diff --git a/sources b/sources index 9f28103..b692fbb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98 +SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981