diff --git a/.gitignore b/.gitignore
index 339f37c..a80c699 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,48 @@
 /container-selinux-a80afba.tar.gz
 /container-selinux-c5fd77f.tar.gz
 /container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
+/container-selinux-81ff96c.tar.gz
+/container-selinux-a9260d4.tar.gz
+/container-selinux-e37e93d.tar.gz
+/container-selinux-de38c07.tar.gz
+/container-selinux-0620186.tar.gz
+/container-selinux-47e0448.tar.gz
+/container-selinux-b430a71.tar.gz
+/container-selinux-0b666c4.tar.gz
+/container-selinux-7fe0136.tar.gz
+/container-selinux-dca3b87.tar.gz
+/container-selinux-f9a30e8.tar.gz
+/container-selinux-d985665.tar.gz
+/container-selinux-8ba32a4.tar.gz
+/container-selinux-26c642a.tar.gz
+/container-selinux-96e58bf.tar.gz
+/container-selinux-599072a.tar.gz
+/container-selinux-231b213.tar.gz
+/container-selinux-d148550.tar.gz
+/container-selinux-dfcc97d.tar.gz
+/container-selinux-38a982b.tar.gz
+/container-selinux-2377c73.tar.gz
+/container-selinux-aece4ff.tar.gz
+/container-selinux-663e003.tar.gz
+/container-selinux-fd7d508.tar.gz
+/container-selinux-fd50128.tar.gz
+/container-selinux-bdc0137.tar.gz
+/container-selinux-55c7d4d.tar.gz
+/container-selinux-d248f91.tar.gz
+/container-selinux-d213769.tar.gz
+/container-selinux-701557f.tar.gz
+/container-selinux-97f8dfc.tar.gz
+/container-selinux-9b55129.tar.gz
+/container-selinux-1ecf953.tar.gz
+/container-selinux-284f9e7.tar.gz
+/container-selinux-d346375.tar.gz
+/container-selinux-bf5b26b.tar.gz
+/container-selinux-dfaf8fd.tar.gz
+/container-selinux-8ecc282.tar.gz
+/container-selinux-0407867.tar.gz
+<<<<<<< Updated upstream
+/container-selinux-042f7cf.tar.gz
+=======
+/container-selinux-25277c8.tar.gz
+>>>>>>> Stashed changes
diff --git a/container-selinux.spec b/container-selinux.spec
index bc0ea61..29e9372 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
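Review bot: The last five added lines commit an unresolved stash conflict (`<<<<<<< Updated upstream`, `=======`, `>>>>>>> Stashed changes`) into .gitignore; git will read the three marker lines as literal ignore patterns, and their presence shows the working tree was committed before the conflict was resolved. Keep both entries, `/container-selinux-042f7cf.tar.gz` and `/container-selinux-25277c8.tar.gz`, and drop the three marker lines. Note also that neither entry is the tarball this change actually fetches: the `sources` hunk at the end of the diff lists `container-selinux-452b90d.tar.gz`, so `/container-selinux-452b90d.tar.gz` presumably needs an entry as well.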
@@ -3,12 +3,13 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7
+%global commit0 452b90de0cbc75f0a55defa1d45b7bc337d4f076
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
-%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7})
 %endif
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
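Review bot: Renaming the CentOS 7 commit to `el_commit0` while Fedora keeps `commit0` means every later use of the commit now needs its own conditional (the `Source0` and `%autosetup` hunks further down each grow an `%if`/`%else`), and `shortcommit0` is defined twice with the same expression. The removed lines already had the simpler shape: keep `%global commit0 <sha>` in both branches and restore the single `%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})` after `%endif`, so `Source0` and `%autosetup` stay unconditional and the two branches cannot drift apart. If the distinct name was meant as documentation, a comment on the `%else` branch naming the upstream RHEL-1.12 branch already carries that intent.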
@@ -22,7 +23,7 @@ %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; # Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using %if 0%{?fedora} >= 22 || 0%{?rhel} > 7 @@ -35,12 +36,16 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.21 -Release: 3%{?dist} +Version: 2.69 +Release: 2.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes +%if 0%{?fedora} || 0%{?rhel} >7 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +%else +Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz +%endif BuildArch: noarch BuildRequires: git BuildRequires: pkgconfig(systemd) 
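Review bot: The new `%else` branch of `Source0` names `%{name}-56c32da.tar.gz` for CentOS 7, but the `sources` hunk at the end of this diff replaces the only checksum line with one for `container-selinux-452b90d.tar.gz`, so the EL7 tarball has no SHA512 pinned anywhere visible here; on a lookaside-driven build that source is presumably either unfetchable or, if pulled straight from the GitHub archive URL, never verified against a known digest. Add a `SHA512 (container-selinux-56c32da.tar.gz) = …` line to `sources`, or drop the EL7 branch if it is no longer built. Separately, `Release: 2.git%{shortcommit0}%{?dist}` does not match the `2.69-2` recorded by the new %changelog entry, which rpmlint flags as an incoherent changelog version; one of the two should be adjusted.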
@@ -57,6 +62,8 @@ Requires(post): policycoreutils-python-utils Requires(post): policycoreutils-python %endif Requires(post): libselinux-utils +Requires(post): libsemanage >= 2.8-2 +Requires(post): sed Obsoletes: %{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 Provides: docker-selinux = %{epoch}:%{version}-%{release} @@ -65,7 +72,11 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release} SELinux policy modules for use with container runtimes. %prep +%if 0%{?fedora} || 0%{?rhel} > 7 %autosetup -Sgit -n %{name}-%{commit0} +%else +%autosetup -Sgit -n %{name}-%{el_commit0} +%endif %build make @@ -98,8 +109,12 @@ if %{_sbindir}/selinuxenabled ; then %relabel_files if [ $1 -eq 1 ]; then restorecon -R %{_sharedstatedir}/docker &> /dev/null || : + restorecon -R %{_sharedstatedir}/containers &> /dev/null || : fi fi +. %{_sysconfdir}/selinux/config +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types + %postun if [ $1 -eq 0 ]; then 
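Review bot: The two lines added after the closing `fi` run unconditionally, outside the `selinuxenabled` guard: `. %{_sysconfdir}/selinux/config` executes the config file as shell inside a root scriptlet, and when the file is absent or sets no `SELINUXTYPE` (SELinux disabled, minimal images) the target path collapses to `/etc/selinux//contexts/customizable_types`, `sed -i` fails on the nonexistent file, and the scriptlet exits non-zero without the `|| :` that every other command in this section carries. The hold/exchange/`a\` sed program is also hard to verify for what is an idempotent "append once", and it hard-codes `/etc/selinux` on the line after a `%{_sysconfdir}` use. Read SELINUXTYPE with sed instead of sourcing the file, skip quietly when the policy store is absent, and append with a grep/echo pair (adding `Requires(post): grep` beside the new `Requires(post): sed` in the first hunk on this line); the `%postun` that begins at the end of the hunk continues outside it.
```shell
# … unchanged: selinuxenabled block with the relabel macro and restorecon calls …
# Register container_file_t as a customizable type exactly once. Read
# SELINUXTYPE instead of sourcing the config as shell, and do nothing when
# SELinux is not configured so the scriptlet never fails on that account.
SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' %{_sysconfdir}/selinux/config 2>/dev/null)
ctypes="%{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types"
if [ -n "${SELINUXTYPE}" ] && [ -f "${ctypes}" ]; then
    grep -qx container_file_t "${ctypes}" || echo container_file_t >> "${ctypes}"
fi
```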
@@ -117,7 +132,209 @@ fi %doc README.md %{_datadir}/selinux/* +%triggerin -- container-selinux < 2.69-2 +restorecon -R %{_sharedstatedir}/containers &> /dev/null || : +exit 0 + %changelog +* Fri Aug 10 2018 Dan Walsh - 2.69-2 +- Add trigger to relabel content on /var/lib/containers on older versions of +package + +* Wed Jul 25 2018 Dan Walsh - 2.69-1 +- dontaudit attempts to write to sysctl_kernel_t + +* Wed Jul 18 2018 Lokesh Mandvekar (Bot) - 2:2.68-2.gitc139a3d +- autobuilt c139a3d + +* Mon Jul 16 2018 Dan Walsh - 2.67-1 +- Add label for /var/lib/origin +- Add customizable_file_t to customizable_types + +* Thu Jul 12 2018 Fedora Release Engineering - 2:2.67-3.dev.git042f7cf +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Lokesh Mandvekar (Bot) - 2:2.67-2.git042f7cf +- autobuilt 042f7cf + +* Sat Jul 07 2018 Lokesh Mandvekar (Bot) - 2:2.67-1.git0407867 +- bump to 2.67 +- autobuilt 0407867 + +* Sat Jun 30 2018 Dan Walsh - 2.66-1 +- Allow container runtimes to dbus chat with systemd-resolved + +* Tue Jun 12 2018 Lokesh Mandvekar (Bot) - 2:2.64-1.gitdfaf8fd +- bump to 2.64 +- autobuilt dfaf8fd + +* Mon Jun 11 2018 Dan Walsh - 2.65-1 +- Add new type to handle containers running with a non priv user in a userns +- allow containers to map all sockets + +* Sun Jun 3 2018 Dan Walsh - 2.64-1.gitdfaf8fd +- Allow containers to create all socket classes + +* Wed May 30 2018 Dan Walsh - 2.63-1 +- Allow containers to create icmp packets + +* Fri May 25 2018 Lokesh Mandvekar (Bot) - 2:2.62-1.git1ecf953 +- bump to 2.62 +- autobuilt 1ecf953 + +* Mon May 21 2018 Dan Walsh - 2.61-1 +- Allow spc_t to load kernel modules from inside of container + +* Mon May 21 2018 Dan Walsh - 2.60-1 +- Allow containers to list cgroup directories + +* Mon May 21 2018 Dan Walsh - 2.59-1 +- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. 
+ +* Mon May 21 2018 Dan Walsh - 2.58-2 +- Run restorecon /usr/bin/podman in postinstall + +* Fri May 18 2018 Dan Walsh - 2.58-1 +- Add labels to allow podman to be run from a systemd unit file + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91 +- autobuilt commit d248f91 + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-11.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-10.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-9.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-8 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-7 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-6 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-5 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-4 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-3 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-2 +- autobuilt commit d248f91 + +* Thu Mar 15 2018 Dan Walsh - 2.55-1 +- Dontaudit attempts by containers to write to /proc/self + +* Wed Mar 14 2018 Dan Walsh - 2.54-1 +- Add rules for container domains to make writing custom policy easier +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Thu Mar 8 2018 Dan Walsh - 2.52-1 +- Add rules for container domains to make writing custom policy easier + +* Thu Mar 8 2018 Dan Walsh - 2.51-1 +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Wed Mar 7 2018 Dan Walsh - 2.50-1 +- Allow bin_t as a container_runtime_t entrypoint +- Add rules for running container runtimes on mls + +* Thu Feb 15 2018 Dan Walsh - 2.48-1 +- Allow container domains to map container_file_t directories + +* Sat Feb 10 2018 Dan Walsh - 2.47-1 +- Change default label of /exports to container_var_lib_t + +* Fri Feb 09 2018 Igor Gnatenko - 
2:2.46-3 +- Escape macros in %%CHANGELOG + +* Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Dan Walsh - 2.46-1 +- Add support for nosuid_transition flags for container_runtime and unconfined domains +* Fri Feb 02 2018 Dan Walsh - 2.45-1 +- Allow containers to sendto their own stream sockets + +* Mon Jan 29 2018 Dan Walsh - 2.44-1 +- Allow container domains to read kernel ipc info + +* Mon Jan 22 2018 Dan Walsh - 2.43-1 +- Allow containers to memory map the fifo_files leaked into container from +container runtimes. + +* Tue Jan 16 2018 Dan Walsh - 2.42-1 +- Allow unconfined domains to transition to container types, when no-new-privs is set. + +* Tue Jan 9 2018 Dan Walsh - 2.41-1 +- Add support to nnp_transition for container domains +- Eliminates need for typebounds. + +* Tue Jan 9 2018 Dan Walsh - 2.40-1 +- Allow container_runtime_t to use user ttys +- Fixes bounds check for container_t + +* Mon Jan 8 2018 Dan Walsh - 2.39-1 +- Allow container runtimes to use interited terminals. This helps +satisfy the bounds check of container_t versus container_runtime_t. + +* Sat Jan 6 2018 Dan Walsh - 2.38-1 +- Allow container runtimes to mmap container_file_t devices +- Add labeling for rhel push plugin + +* Tue Dec 12 2017 Dan Walsh - 2.37-1 +- Allow containers to use inherited ttys +- Allow ostree to handle labels under /var/lib/containers/ostree + +* Mon Nov 27 2017 Dan Walsh - 2.36-1 +- Allow containers to relabelto/from all file types to container_file_t + +* Mon Nov 27 2017 Dan Walsh - 2.35-1 +- Allow container to map chr_files labeled container_file_t + +* Wed Nov 22 2017 Dan Walsh - 2.34-1 +- Dontaudit container processes getattr on kernel file systems + +* Sun Nov 19 2017 Dan Walsh - 2.33-1 +- Allow containers to read /etc/resolv.conf and /etc/hosts if volume +- mounted into container. 
+ +* Wed Nov 8 2017 Dan Walsh - 2.32-1 +- Make sure users creating content in /var/lib with right labels + +* Thu Oct 26 2017 Dan Walsh - 2.31-1 +- Allow the container runtime to dbus chat with dnsmasq +- add dontaudit rules for container trying to write to /proc + +* Tue Oct 10 2017 Dan Walsh - 2.29-1 +- Add support for lxcd +- Add support for labeling of tmpfs storage created within a container. + +* Mon Oct 9 2017 Dan Walsh - 2.28-1 +- Allow a container to umount a container_file_t filesystem + +* Fri Sep 22 2017 Dan Walsh - 2.27-1 +- Allow container runtimes to work with the netfilter sockets +- Allow container_file_t to be an entrypoint for VM's +- Allow spc_t domains to transition to svirt_t + +* Fri Sep 22 2017 Dan Walsh - 2.24-1 +- Make sure container_runtime_t has all access of container_t + +* Thu Sep 7 2017 Dan Walsh - 2.23-1 +- Allow container runtimes to create sockets in tmp dirs + +* Tue Sep 5 2017 Dan Walsh - 2.22-1 +- Add additonal support for crio labeling. + * Mon Aug 14 2017 Troy Dawson - 2.21-3 - Fixup spec file conditionals @@ -200,7 +417,7 @@ fi - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7 * Tue Jan 10 2017 Jonathan Lebon - 2:2.2-3 -- properly disable docker module in %post +- properly disable docker module in %%post * Sat Jan 07 2017 Lokesh Mandvekar - 2:2.2-2 - depend on selinux-policy-targeted diff --git a/getrlimit.patch b/getrlimit.patch new file mode 100644 index 0000000..e9edcbf --- /dev/null +++ b/getrlimit.patch 
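Review bot: `%triggerin -- container-selinux < 2.69-2` omits the Epoch, while this spec sets `Epoch: 2` on Fedora and RHEL > 7; Fedora's packaging guidelines require the epoch in every versioned comparison against an epoch-bearing package, and without it the self-trigger is not guaranteed to match the `2:2.55-*` through `2:2.68-*` installs it is meant to relabel `/var/lib/containers` for. Write it as `%triggerin -- container-selinux < %{?epoch:%{epoch}:}2.69-2` so both the epoch-2 builds and the CentOS 7 build (no epoch) compare correctly. The `restorecon` in the trigger body is already `|| :`-guarded and needs no further change; the rest of this hunk is changelog.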
@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index e768807..a469eda 100644
+--- a/container.te
++++ b/container.te
+@@ -685,7 +685,7 @@ dev_list_sysfs(container_domain)
+ allow svirt_sandbox_domain self:key manage_key_perms;
+ dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+ 
+-allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow container_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+ allow container_domain self:fifo_file manage_file_perms;
+ allow container_domain self:msg all_msg_perms;
+ allow container_domain self:sem create_sem_perms;
diff --git a/sources b/sources
index 28ef135..dab2d47 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050
+SHA512 (container-selinux-452b90d.tar.gz) = f9bc9c9fafd98aca03b755dc44807baec3aec2b0a97bd539be6b49bc2f1f571973bef8e8a716ef990255f4b26ef9650e2c03ce9bf3ee0961f99205e309475944
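Review bot: The new `getrlimit.patch` is never wired in: no hunk in this diff adds a `Patch0: getrlimit.patch` line to the spec, and `%autosetup -Sgit` applies only declared patches, so the built policy still grants `container_domain self:process getrlimit` and the tightening this file carries is silently absent from the package. Add `Patch0: getrlimit.patch` below the `Source0` conditional and record the change in %changelog, whose 2.69-2 entry mentions only the relabel trigger. Once applied, the patch's `@@ -685,7 +685,7 @@` context is tied to one upstream revision; if commit 452b90d has already dropped `getrlimit` or moved those lines the build will fail at patch time, which is preferable to a stale patch, but a one-line comment above `Patch0` naming the upstream change it tracks would make that failure easy to diagnose.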