From 09deae175c2b7dbd59fc3ac6c1750d54493a4287 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 5 Sep 2017 20:41:21 +0000
Subject: [PATCH 01/44] Add additonal support for crio labeling.
---
 .gitignore | 1 +
 container-selinux.spec | 9 ++++++---
 sources | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 339f37c..0ac645f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@
 /container-selinux-a80afba.tar.gz
 /container-selinux-c5fd77f.tar.gz
 /container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index bc0ea61..60adde7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7
+%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,8 +35,8 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.21
-Release: 3%{?dist}
+Version: 2.22
+Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Sep 5 2017 Dan Walsh - 2.22-1
+- Add additonal support for crio labeling.
+
 * Mon Aug 14 2017 Troy Dawson - 2.21-3
 - Fixup spec file conditionals
diff --git a/sources b/sources
index 28ef135..46ccc4f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050
+SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08
From 05c43a0b6a51120dacb0756346c053f50f635ff9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 7 Sep 2017 08:44:50 +0000
Subject: [PATCH 02/44] Allow container runtimes to create sockets in tmp dirs
---
 container-selinux.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index 60adde7..c096def 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a
+%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.22
+Version: 2.23
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Sep 7 2017 Dan Walsh - 2.23-1
+- Allow container runtimes to create sockets in tmp dirs
+
 * Tue Sep 5 2017 Dan Walsh - 2.22-1
 - Add additonal support for crio labeling.
From c2fb36e2841da5461373836e019293e1a56fd053 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 7 Sep 2017 09:01:26 +0000
Subject: [PATCH 03/44] Allow container runtimes to create sockets in tmp dirs
---
 .gitignore | 1 +
 sources | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 0ac645f..16244c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@
 /container-selinux-c5fd77f.tar.gz
 /container-selinux-c89e9b5.tar.gz
 /container-selinux-58324f3.tar.gz
+/container-selinux-81ff96c.tar.gz
diff --git a/sources b/sources
index 46ccc4f..9f28103 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08
+SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98
From 7c18fad72f49a8ac682987da595b3704de0ef34a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 22 Sep 2017 11:11:03 +0000
Subject: [PATCH 04/44] Make sure container_runtime_t has all access of container_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 16244c3..109031b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /container-selinux-c89e9b5.tar.gz
 /container-selinux-58324f3.tar.gz
 /container-selinux-81ff96c.tar.gz
+/container-selinux-a9260d4.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index c096def..182d6d7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96
+%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.23
+Version: 2.24
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Sep 22 2017 Dan Walsh - 2.24-1
+- Make sure container_runtime_t has all access of container_t
+
 * Thu Sep 7 2017 Dan Walsh - 2.23-1
 - Allow container runtimes to create sockets in tmp dirs
diff --git a/sources b/sources
index 9f28103..b692fbb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98
+SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981
From e77111363f39d3a9a5dc02817f4325cb8a0cd99d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 4 Oct 2017 09:11:32 +0000
Subject: [PATCH 05/44] Allow container runtimes to work with the netfilter sockets Allow container_file_t to be an entrypoint for VM's Allow spc_t domains to transition to svirt_t
---
 .gitignore | 1 +
 container-selinux.spec | 9 +++++++--
 sources | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 109031b..df07220 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@
 /container-selinux-58324f3.tar.gz
 /container-selinux-81ff96c.tar.gz
 /container-selinux-a9260d4.tar.gz
+/container-selinux-e37e93d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 182d6d7..46524c7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf
+%global commit0 e37e93dbe6cb058fc89c9c5de5ecd4c3be4354fb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.24
+Version: 2.27
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,11 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Sep 22 2017 Dan Walsh - 2.27-1
+- Allow container runtimes to work with the netfilter sockets
+- Allow container_file_t to be an entrypoint for VM's
+- Allow spc_t domains to transition to svirt_t
+
 * Fri Sep 22 2017 Dan Walsh - 2.24-1
 - Make sure container_runtime_t has all access of container_t
diff --git a/sources b/sources
index b692fbb..9baaa72 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981
+SHA512 (container-selinux-e37e93d.tar.gz) = faf644a4a13c0ffa1198d798390147f815d90aa27ca9af49df71575da1be8678bcbe12f0281f83b345945a29330c10df7c86f79f6862829902f71dc7e7431058
From 0ac36d82e6e9f7647de5df8e1aebdf5ebd7c63de Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 9 Oct 2017 13:30:25 +0000
Subject: [PATCH 06/44] Allow a container to umount a container_file_t filesystem
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index df07220..3661347 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 /container-selinux-81ff96c.tar.gz
 /container-selinux-a9260d4.tar.gz
 /container-selinux-e37e93d.tar.gz
+/container-selinux-de38c07.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 46524c7..3a4c3df 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 e37e93dbe6cb058fc89c9c5de5ecd4c3be4354fb
+%global commit0 de38c07f355f6d885192ed974236a735be9e455c
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.27
+Version: 2.28
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Oct 9 2017 Dan Walsh - 2.28-1
+- Allow a container to umount a container_file_t filesystem
+
 * Fri Sep 22 2017 Dan Walsh - 2.27-1
 - Allow container runtimes to work with the netfilter sockets
 - Allow container_file_t to be an entrypoint for VM's
diff --git a/sources b/sources
index 9baaa72..5829058 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-e37e93d.tar.gz) = faf644a4a13c0ffa1198d798390147f815d90aa27ca9af49df71575da1be8678bcbe12f0281f83b345945a29330c10df7c86f79f6862829902f71dc7e7431058
+SHA512 (container-selinux-de38c07.tar.gz) = bada050900ceb4972ee75330a5ca6de49561c208f15b669261f8f028b0783bc1cf5cc64e9c6e6fa79c7988ccec001e8084b10e04683ccd3c414c4b0ad53c651b
From cccf2f75f9171c67808cb8bc1e01fdf409310c25 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 10 Oct 2017 16:18:04 +0000
Subject: [PATCH 07/44] Add support for lxcd Add support for labeling of tmpfs storage created within a container.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3661347..eedfcc2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@
 /container-selinux-a9260d4.tar.gz
 /container-selinux-e37e93d.tar.gz
 /container-selinux-de38c07.tar.gz
+/container-selinux-0620186.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 3a4c3df..1a9f183 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 de38c07f355f6d885192ed974236a735be9e455c
+%global commit0 0620186b7396af617fa0f570e82e875e5b3ac8d7
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.28
+Version: 2.29
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Oct 10 2017 Dan Walsh - 2.29-1
+- Add support for lxcd
+- Add support for labeling of tmpfs storage created within a container.
+
 * Mon Oct 9 2017 Dan Walsh - 2.28-1
 - Allow a container to umount a container_file_t filesystem
diff --git a/sources b/sources
index 5829058..f7a2a23 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-de38c07.tar.gz) = bada050900ceb4972ee75330a5ca6de49561c208f15b669261f8f028b0783bc1cf5cc64e9c6e6fa79c7988ccec001e8084b10e04683ccd3c414c4b0ad53c651b
+SHA512 (container-selinux-0620186.tar.gz) = e28dfec9ae2444714314eb77fd74b5ddb41cb044b1806d8096a796f3a9b765d78cbf2d2b156ef7e16f87e7ee0fcbf511074042b6fe6cde09cc989c6b23ea1bea
From 46c33f1396e62b05b50abd52dcf0ae30ba86dfa6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 26 Oct 2017 11:38:29 +0000
Subject: [PATCH 08/44] Allow the container runtime to dbus chat with dnsmasq add dontaudit rules for container trying to write to /proc
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index eedfcc2..dfbcd0a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
 /container-selinux-e37e93d.tar.gz
 /container-selinux-de38c07.tar.gz
 /container-selinux-0620186.tar.gz
+/container-selinux-47e0448.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1a9f183..1990cdf 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 0620186b7396af617fa0f570e82e875e5b3ac8d7
+%global commit0 47e0448a47a97cddbb66fd35d8ae536f980307f1
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.29
+Version: 2.31
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Oct 26 2017 Dan Walsh - 2.31-1
+- Allow the container runtime to dbus chat with dnsmasq
+- add dontaudit rules for container trying to write to /proc
+
 * Tue Oct 10 2017 Dan Walsh - 2.29-1
 - Add support for lxcd
 - Add support for labeling of tmpfs storage created within a container.
diff --git a/sources b/sources
index f7a2a23..18fd0d9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-0620186.tar.gz) = e28dfec9ae2444714314eb77fd74b5ddb41cb044b1806d8096a796f3a9b765d78cbf2d2b156ef7e16f87e7ee0fcbf511074042b6fe6cde09cc989c6b23ea1bea
+SHA512 (container-selinux-47e0448.tar.gz) = 675b11109c33a2e7ecfbf67828f80c4f7a7245605024f76394d4b55351de2d8f3009058f7842d6f20eb9845b5a0d56cb395c48f9e5387935b8ad973e342397fe
From 2fa6d23dab62a3bdffff3c88d7e7824f6743e06b Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 8 Nov 2017 21:10:53 +0000
Subject: [PATCH 09/44] Make sure users creating content in /var/lib with right labels
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index dfbcd0a..a4d000c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@
 /container-selinux-de38c07.tar.gz
 /container-selinux-0620186.tar.gz
 /container-selinux-47e0448.tar.gz
+/container-selinux-b430a71.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1990cdf..026fb14 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 47e0448a47a97cddbb66fd35d8ae536f980307f1
+%global commit0 b430a71a44ce80364ff3ef95fa8134afb35d667e
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.31
+Version: 2.32
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Nov 8 2017 Dan Walsh - 2.32-1
+- Make sure users creating content in /var/lib with right labels
+
 * Thu Oct 26 2017 Dan Walsh - 2.31-1
 - Allow the container runtime to dbus chat with dnsmasq
 - add dontaudit rules for container trying to write to /proc
diff --git a/sources b/sources
index 18fd0d9..4e83c9e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-47e0448.tar.gz) = 675b11109c33a2e7ecfbf67828f80c4f7a7245605024f76394d4b55351de2d8f3009058f7842d6f20eb9845b5a0d56cb395c48f9e5387935b8ad973e342397fe
+SHA512 (container-selinux-b430a71.tar.gz) = 7b89826e64c26bc57b86345dc482bca56d12ab730e9965b53802e97ed572b169aea3daf89d4f50b88ffa3878da157e6165dd2294d537e59fe97fafed9db141dc
From d074c937301afa421219fe10347cc4cf2234a1aa Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sun, 19 Nov 2017 11:41:48 +0000
Subject: [PATCH 10/44] Allow containers to read /etc/resolv.conf and /etc/hosts if volume mounted into container.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index a4d000c..8d57c63 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@
 /container-selinux-0620186.tar.gz
 /container-selinux-47e0448.tar.gz
 /container-selinux-b430a71.tar.gz
+/container-selinux-0b666c4.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 026fb14..4ecf83a 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 b430a71a44ce80364ff3ef95fa8134afb35d667e
+%global commit0 0b666c4f1422d60dde6ffac69a919872385e289d
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.32
+Version: 2.33
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sun Nov 19 2017 Dan Walsh - 2.33-1
+- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
+- mounted into container.
+
 * Wed Nov 8 2017 Dan Walsh - 2.32-1
 - Make sure users creating content in /var/lib with right labels
diff --git a/sources b/sources
index 4e83c9e..d591a60 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-b430a71.tar.gz) = 7b89826e64c26bc57b86345dc482bca56d12ab730e9965b53802e97ed572b169aea3daf89d4f50b88ffa3878da157e6165dd2294d537e59fe97fafed9db141dc
+SHA512 (container-selinux-0b666c4.tar.gz) = 46833377d09ecd57d743f2277b225b6b381c55ac0b6f2331bc455f9e51cdd55774703d854735d98f9f4db54e0db7e14e29e4fb0229afd554cbe9efbd026bf20d
From 101563938a4bf40cc9dd8b10bab939d0c27a3ddb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Nov 2017 15:35:36 +0000
Subject: [PATCH 11/44] Dontaudit container processes getattr on kernel file systems
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8d57c63..30cc055 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
 /container-selinux-47e0448.tar.gz
 /container-selinux-b430a71.tar.gz
 /container-selinux-0b666c4.tar.gz
+/container-selinux-7fe0136.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 4ecf83a..930259e 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 0b666c4f1422d60dde6ffac69a919872385e289d
+%global commit0 7fe0136a943ef5428869ad930e5384b185ade39a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.33
+Version: 2.34
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Nov 22 2017 Dan Walsh - 2.34-1
+- Dontaudit container processes getattr on kernel file systems
+
 * Sun Nov 19 2017 Dan Walsh - 2.33-1
 - Allow containers to read /etc/resolv.conf and /etc/hosts if volume
 - mounted into container.
diff --git a/sources b/sources
index d591a60..67ca532 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-0b666c4.tar.gz) = 46833377d09ecd57d743f2277b225b6b381c55ac0b6f2331bc455f9e51cdd55774703d854735d98f9f4db54e0db7e14e29e4fb0229afd554cbe9efbd026bf20d
+SHA512 (container-selinux-7fe0136.tar.gz) = 93c80da31f8a6f4e333baed39d75f329467d3b4b9b499b486a2d635be62df072fedc28cd50c5cb005d4dbc2ae352d073b611b7d33b183c183f7ca551f307c39b
From 5fada860fe47e1430c7ccc1abf9ae137fe3d4e2c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 13:22:27 +0000
Subject: [PATCH 12/44] Allow container to map chr_files labeled container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 30cc055..a62e07f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
 /container-selinux-b430a71.tar.gz
 /container-selinux-0b666c4.tar.gz
 /container-selinux-7fe0136.tar.gz
+/container-selinux-dca3b87.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 930259e..ad1a2a4 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 7fe0136a943ef5428869ad930e5384b185ade39a
+%global commit0 dca3b870c4ee54ffd5703f32cd3a13365053ae2f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.34
+Version: 2.35
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Nov 27 2017 Dan Walsh - 2.35-1
+- Allow container to map chr_files labeled container_file_t
+
 * Wed Nov 22 2017 Dan Walsh - 2.34-1
 - Dontaudit container processes getattr on kernel file systems
diff --git a/sources b/sources
index 67ca532..8fdbf39 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-7fe0136.tar.gz) = 93c80da31f8a6f4e333baed39d75f329467d3b4b9b499b486a2d635be62df072fedc28cd50c5cb005d4dbc2ae352d073b611b7d33b183c183f7ca551f307c39b
+SHA512 (container-selinux-dca3b87.tar.gz) = 8be0d2a16f834156591a4ce27daaf1ceda98ca769c8e6b3be20c9d591afc3349e153424fb503e496b404407f96fd422cb482adab54e920e1487c98dc4d1c4e0d
From 7b4c966172b89bdedbfb83093b01ce04249617ae Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 14:44:05 +0000
Subject: [PATCH 13/44] Allow container to map chr_files labeled container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index a62e07f..bb11c38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /container-selinux-0b666c4.tar.gz
 /container-selinux-7fe0136.tar.gz
 /container-selinux-dca3b87.tar.gz
+/container-selinux-f9a30e8.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index ad1a2a4..bc16ae6 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 dca3b870c4ee54ffd5703f32cd3a13365053ae2f
+%global commit0 f9a30e8011afcfd159aa383d746e2c99f67c9b3a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
diff --git a/sources b/sources
index 8fdbf39..203307c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-dca3b87.tar.gz) = 8be0d2a16f834156591a4ce27daaf1ceda98ca769c8e6b3be20c9d591afc3349e153424fb503e496b404407f96fd422cb482adab54e920e1487c98dc4d1c4e0d
+SHA512 (container-selinux-f9a30e8.tar.gz) = 754a3851aa27dd977861cca8977354fc5899887c5c9e4e2b79c989ebb3c91c25d04e5c31ee6452732a1857ceed5fa7dce172b27c11691d52b552446928e36758
From ec964c3b6c08a92b7564c3c2e1ebfed6705ecec2 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 14:57:59 +0000
Subject: [PATCH 14/44] Allow containers to relabelto/from all file types to container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index bb11c38..4c9bf29 100644
--- a/.gitignore
+++ b/.gitignore
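Review bot: In [PATCH 13/44] the container-selinux.spec hunk re-pins `%global commit0` from dca3b87 to f9a30e8 (and `sources` to the new tarball hash) without touching Version or Release, so the same NVR 2.35-1 that the preceding patch introduced now describes two different source tarballs. That makes the built package non-reproducible from its NVR alone and leaves nothing in %changelog recording the rebuild. The Version/Release lines are outside this hunk; bumping `Release: 2%{?dist}` and adding a matching `* Mon Nov 27 2017 Dan Walsh - 2.35-2` changelog entry would keep the pin and the package identity in step.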
@@ -28,3 +28,4 @@
 /container-selinux-7fe0136.tar.gz
 /container-selinux-dca3b87.tar.gz
 /container-selinux-f9a30e8.tar.gz
+/container-selinux-d985665.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index bc16ae6..da103c2 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 f9a30e8011afcfd159aa383d746e2c99f67c9b3a
+%global commit0 d985665b8129d2f8553621539c5a3355e36887a5
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.35
+Version: 2.36
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Nov 27 2017 Dan Walsh - 2.36-1
+- Allow containers to relabelto/from all file types to container_file_t
+
 * Mon Nov 27 2017 Dan Walsh - 2.35-1
 - Allow container to map chr_files labeled container_file_t
diff --git a/sources b/sources
index 203307c..4444f6e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-f9a30e8.tar.gz) = 754a3851aa27dd977861cca8977354fc5899887c5c9e4e2b79c989ebb3c91c25d04e5c31ee6452732a1857ceed5fa7dce172b27c11691d52b552446928e36758
+SHA512 (container-selinux-d985665.tar.gz) = 173c7f733d6588ec85436b28b1acff734777d1b506c6ba2f20019dedcda39969d8f6c159daa8c0e37940ef5ae2af1ac47b241a9f60e086a559e1e98b8353d24b
From 1e73942a81108bb9174c564e31f31549be3b53cf Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Sun, 3 Dec 2017 21:38:21 -0500
Subject: [PATCH 15/44] remove git from builddep can't find git in the module ecosystem and git isn't critical for package build.
Signed-off-by: Lokesh Mandvekar
---
 container-selinux.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index da103c2..dd44702 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -42,7 +42,6 @@ URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 BuildArch: noarch
-BuildRequires: git
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %{selinux_policyver}
 BuildRequires: selinux-policy-devel >= %{selinux_policyver}
@@ -65,7 +64,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%setup -q -n %{name}-%{commit0}
 %build
 make
From 37a81188e5e07a72adf74604bc12473af655a9e3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 12 Dec 2017 13:12:31 +0000
Subject: [PATCH 16/44] Allow containers to use inherited ttys Allow ostree to handle labels under /var/lib/containers/ostree
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4c9bf29..6fb3e4a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@
 /container-selinux-dca3b87.tar.gz
 /container-selinux-f9a30e8.tar.gz
 /container-selinux-d985665.tar.gz
+/container-selinux-8ba32a4.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index dd44702..5c691c3 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d985665b8129d2f8553621539c5a3355e36887a5
+%global commit0 8ba32a4fd3a235373e9871b90e60a61a1a382471
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
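Review bot: In the [PATCH 15/44] %prep hunk, replacing `%autosetup -Sgit -n %{name}-%{commit0}` with `%setup -q -n %{name}-%{commit0}` drops more than the git dependency: %autosetup applies every PatchN listed in the spec, while %setup only unpacks the tarball. No Patch lines are visible in this hunk, so the change is presumably harmless today, but any downstream patch added later would be silently left unapplied and the build would still succeed against unpatched upstream source. The git build dependency can be removed while keeping automatic patch application by using the default patch backend instead, `%autosetup -n %{name}-%{commit0}`. The surrounding %prep/%build sections continue outside this hunk.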
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.36
+Version: 2.37
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Dec 12 2017 Dan Walsh - 2.37-1
+- Allow containers to use inherited ttys
+- Allow ostree to handle labels under /var/lib/containers/ostree
+
 * Mon Nov 27 2017 Dan Walsh - 2.36-1
 - Allow containers to relabelto/from all file types to container_file_t
diff --git a/sources b/sources
index 4444f6e..87e6ab9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d985665.tar.gz) = 173c7f733d6588ec85436b28b1acff734777d1b506c6ba2f20019dedcda39969d8f6c159daa8c0e37940ef5ae2af1ac47b241a9f60e086a559e1e98b8353d24b
+SHA512 (container-selinux-8ba32a4.tar.gz) = f23324003695989d93a4fd149fcd7fc739c84aadedb0ac5919e00cdcef06c0fb89967e191391d1650d79f972d88ce6d966566b2a8762b4961343c748de63be9e
From 25fdae5186df7c99257f6f19672606af62874897 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 6 Jan 2018 07:35:13 -0500
Subject: [PATCH 17/44] Allow container runtimes to mmap container_file_t devices Add labeling for rhel push plugin
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6fb3e4a..20ff007 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@
 /container-selinux-f9a30e8.tar.gz
 /container-selinux-d985665.tar.gz
 /container-selinux-8ba32a4.tar.gz
+/container-selinux-26c642a.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 5c691c3..03bea77 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 8ba32a4fd3a235373e9871b90e60a61a1a382471
+%global commit0 26c642ae12820ff55697d6101f33d8b5b4274296
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.37
+Version: 2.38
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Jan 6 2018 Dan Walsh - 2.38-1
+- Allow container runtimes to mmap container_file_t devices
+- Add labeling for rhel push plugin
+
 * Tue Dec 12 2017 Dan Walsh - 2.37-1
 - Allow containers to use inherited ttys
 - Allow ostree to handle labels under /var/lib/containers/ostree
diff --git a/sources b/sources
index 87e6ab9..9afc32c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-8ba32a4.tar.gz) = f23324003695989d93a4fd149fcd7fc739c84aadedb0ac5919e00cdcef06c0fb89967e191391d1650d79f972d88ce6d966566b2a8762b4961343c748de63be9e
+SHA512 (container-selinux-26c642a.tar.gz) = ae172f6650b542a51963df4089687107363ec47727d8e5bacd8478df1aa2cb19c569801e7692b0e6a5b36d46efeffb0c3e3c9df76e678381265346ad79a0819e
From d1d656e094f29679cbc121c1b22b5d5af10a7f9c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 8 Jan 2018 08:41:34 -0500
Subject: [PATCH 18/44] Allow container runtimes to use interited terminals.

This helps satisfy the bounds check of container_t versus container_runtime_t.
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 20ff007..cc777fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@
 /container-selinux-d985665.tar.gz
 /container-selinux-8ba32a4.tar.gz
 /container-selinux-26c642a.tar.gz
+/container-selinux-96e58bf.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 03bea77..bf0ac61 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 26c642ae12820ff55697d6101f33d8b5b4274296
+%global commit0 96e58bf7fd152f24f6b95efc156d8cbb4446c354
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.38
+Version: 2.39
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Jan 8 2018 Dan Walsh - 2.39-1
+- Allow container runtimes to use interited terminals. This helps
+satisfy the bounds check of container_t versus container_runtime_t.
+
 * Sat Jan 6 2018 Dan Walsh - 2.38-1
 - Allow container runtimes to mmap container_file_t devices
 - Add labeling for rhel push plugin
diff --git a/sources b/sources
index 9afc32c..c291f4b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-26c642a.tar.gz) = ae172f6650b542a51963df4089687107363ec47727d8e5bacd8478df1aa2cb19c569801e7692b0e6a5b36d46efeffb0c3e3c9df76e678381265346ad79a0819e
+SHA512 (container-selinux-96e58bf.tar.gz) = d496b4ba8aa1c47b47dbed644b9d8a9e97e154814b878280929108609820aa30b00aa6dba37edc83568fcd8c82343b82fae642db6c18e2deddfaf499cc8276c5
From 02d7c1189ea46711ca8b783666d5d958407d88e2 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 9 Jan 2018 09:30:30 -0500
Subject: [PATCH 19/44] Allow container_runtime_t to use user ttys

Fixes bounds check for container_t
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index cc777fe..9489df1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@
 /container-selinux-8ba32a4.tar.gz
 /container-selinux-26c642a.tar.gz
 /container-selinux-96e58bf.tar.gz
+/container-selinux-599072a.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index bf0ac61..a0a357a 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 96e58bf7fd152f24f6b95efc156d8cbb4446c354
+%global commit0 599072a930b995ba13ca7a4a6add7e808aa9b01f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.39
+Version: 2.40
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 9 2018 Dan Walsh - 2.40-1
+- Allow container_runtime_t to use user ttys
+- Fixes bounds check for container_t
+
 * Mon Jan 8 2018 Dan Walsh - 2.39-1
 - Allow container runtimes to use interited terminals. This helps
 satisfy the bounds check of container_t versus container_runtime_t.
diff --git a/sources b/sources
index c291f4b..4135ee4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-96e58bf.tar.gz) = d496b4ba8aa1c47b47dbed644b9d8a9e97e154814b878280929108609820aa30b00aa6dba37edc83568fcd8c82343b82fae642db6c18e2deddfaf499cc8276c5
+SHA512 (container-selinux-599072a.tar.gz) = d3b21648444c83623b952ce08e4317f1400c6e2ed54923512e6e8fafdf2abd539d85d4e1e5c9f19144666bb2792ca991a3f77f6f7e9b927a5869c4be16324684
From 755d669f2aaac83047aee74483c58cee867b5e3b Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 9 Jan 2018 11:48:00 -0500
Subject: [PATCH 20/44] Add support to nnp_transition for container domains

Eliminates need for typebounds.
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9489df1..2339939 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@
 /container-selinux-26c642a.tar.gz
 /container-selinux-96e58bf.tar.gz
 /container-selinux-599072a.tar.gz
+/container-selinux-231b213.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index a0a357a..f4b7e87 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 599072a930b995ba13ca7a4a6add7e808aa9b01f
+%global commit0 231b213555c3a3d38dcfa69c854ab95d1c8bf6eb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.40
+Version: 2.41
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 9 2018 Dan Walsh - 2.41-1
+- Add support to nnp_transition for container domains
+- Eliminates need for typebounds.
+
 * Tue Jan 9 2018 Dan Walsh - 2.40-1
 - Allow container_runtime_t to use user ttys
 - Fixes bounds check for container_t
diff --git a/sources b/sources
index 4135ee4..64b389b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-599072a.tar.gz) = d3b21648444c83623b952ce08e4317f1400c6e2ed54923512e6e8fafdf2abd539d85d4e1e5c9f19144666bb2792ca991a3f77f6f7e9b927a5869c4be16324684
+SHA512 (container-selinux-231b213.tar.gz) = be907960062135a71d82921b51b53e9fdbdd7db85200e511487469215cec014aa253b49525098282d817808d4862b2de46f0df0314811de70b6bb82a711cc9eb
From 25560aa853f3cc6a19392cb6a9a29cb5a0071a47 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 16 Jan 2018 13:56:54 -0500
Subject: [PATCH 21/44] Allow unconfined domains to transition to container types, when no-new-privs is set.
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2339939..9361781 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@
 /container-selinux-96e58bf.tar.gz
 /container-selinux-599072a.tar.gz
 /container-selinux-231b213.tar.gz
+/container-selinux-d148550.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index f4b7e87..91ac826 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 231b213555c3a3d38dcfa69c854ab95d1c8bf6eb
+%global commit0 d148550d8c829bd2ee557fe503d2b8f9df53db8f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.41
+Version: 2.42
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 16 2018 Dan Walsh - 2.42-1
+- Allow unconfined domains to transition to container types, when no-new-privs is set.
+
 * Tue Jan 9 2018 Dan Walsh - 2.41-1
 - Add support to nnp_transition for container domains
 - Eliminates need for typebounds.
diff --git a/sources b/sources
index 64b389b..3e23a9d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-231b213.tar.gz) = be907960062135a71d82921b51b53e9fdbdd7db85200e511487469215cec014aa253b49525098282d817808d4862b2de46f0df0314811de70b6bb82a711cc9eb
+SHA512 (container-selinux-d148550.tar.gz) = 43b8f93c552a0879aa8743703dd0ccc75e7b207c6a4c4c14ec9b85f125307c8aab8914d48be983fc94b9ca1413c112a340ddf9bf0da0751986701c809ece5e27
From 914f38c2e11c49ed71a7c7cb0182aee18fa524e8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 22 Jan 2018 09:41:25 -0500
Subject: [PATCH 22/44] Allow containers to memory map the fifo_files leaked into container from container runtimes.
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9361781..7bf8bd6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@
 /container-selinux-599072a.tar.gz
 /container-selinux-231b213.tar.gz
 /container-selinux-d148550.tar.gz
+/container-selinux-dfcc97d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 91ac826..a10c6c7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d148550d8c829bd2ee557fe503d2b8f9df53db8f
+%global commit0 dfcc97d9c6a5b22d41c2b9d5693d86a65bd9db04
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.42
+Version: 2.43
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Jan 22 2018 Dan Walsh - 2.43-1
+- Allow containers to memory map the fifo_files leaked into container from
+container runtimes.
+
 * Tue Jan 16 2018 Dan Walsh - 2.42-1
 - Allow unconfined domains to transition to container types, when no-new-privs is set.
diff --git a/sources b/sources
index 3e23a9d..6a16252 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d148550.tar.gz) = 43b8f93c552a0879aa8743703dd0ccc75e7b207c6a4c4c14ec9b85f125307c8aab8914d48be983fc94b9ca1413c112a340ddf9bf0da0751986701c809ece5e27
+SHA512 (container-selinux-dfcc97d.tar.gz) = ed9cad7e2cd1de72bb1f505ee45789ede27ad4e8fc064c45b2435cb2b772b1c1aaff462907b77cd301d986fcd45e06aba9e191099fc7b573894a3f8b21306858
From cb5820985437c51e9ea005a674fd64bad9cafe8e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 29 Jan 2018 07:08:07 +0100
Subject: [PATCH 23/44] Allow container domains to read kernel ipc info
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7bf8bd6..2ccd52a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,4 @@
 /container-selinux-231b213.tar.gz
 /container-selinux-d148550.tar.gz
 /container-selinux-dfcc97d.tar.gz
+/container-selinux-38a982b.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index a10c6c7..d40abc1 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 dfcc97d9c6a5b22d41c2b9d5693d86a65bd9db04
+%global commit0 38a982b915dcd9f4a0a49217066fcc93c8ff4184
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.43
+Version: 2.44
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Jan 29 2018 Dan Walsh - 2.44-1
+- Allow container domains to read kernel ipc info
+
 * Mon Jan 22 2018 Dan Walsh - 2.43-1
 - Allow containers to memory map the fifo_files leaked into container from
 container runtimes.
diff --git a/sources b/sources
index 6a16252..7f46c5c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-dfcc97d.tar.gz) = ed9cad7e2cd1de72bb1f505ee45789ede27ad4e8fc064c45b2435cb2b772b1c1aaff462907b77cd301d986fcd45e06aba9e191099fc7b573894a3f8b21306858
+SHA512 (container-selinux-38a982b.tar.gz) = 6b32edc3843d7dbe4329779181c7caf1a96d66faada19becfb7fe5d297a0757bcafcc944fa862114b6d0fafe68e145ce214523a3a68b28627b76fa51546e10a7
From 865272a8252e5697cf812af3e65627443e00c32e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 2 Feb 2018 13:41:02 -0500
Subject: [PATCH 24/44] Allow containers to sendto their own stream sockets
---
container-selinux.spec | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index d40abc1..5ec50b0 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 38a982b915dcd9f4a0a49217066fcc93c8ff4184
+%global commit0 95b7c01e1c986e6069a2736dec393c657c11fe6e
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.44
+Version: 2.45
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Feb 02 2018 Dan Walsh - 2.45-1
+- Allow containers to sendto their own stream sockets
+
 * Mon Jan 29 2018 Dan Walsh - 2.44-1
 - Allow container domains to read kernel ipc info
From 11bcaf7dda96343a963d2a415e29bb68fed86cd4 Mon Sep 17 00:00:00 2001
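Review bot: `commit0` moves to 95b7c01e1c986e6069a2736dec393c657c11fe6e in the first spec hunk of PATCH 24, but the patch touches only container-selinux.spec (its header reports 1 file changed), so `sources` still pins the checksum of container-selinux-38a982b.tar.gz and `.gitignore` gains no entry for the new tarball. Since Source0 is derived from `%{commit0}`, the 2.45-1 build has no registered lookaside entry for container-selinux-95b7c01.tar.gz and cannot fetch or verify it; the following patch (2.46-1) replaces the 38a982b checksum directly with 2377c73, which confirms the 95b7c01 tarball was never uploaded. A commit0 bump should land together with the `sources` SHA512 update and the `.gitignore` line, as every surrounding patch in this series does.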
From: Daniel J Walsh
Date: Sat, 3 Feb 2018 06:17:36 -0500
Subject: [PATCH 25/44] Add support for nosuid_transition flags for container_runtime and unconfined domains
---
.gitignore | 1 +
container-selinux.spec | 6 ++++--
sources | 2 +-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2ccd52a..0d74309 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@
 /container-selinux-d148550.tar.gz
 /container-selinux-dfcc97d.tar.gz
 /container-selinux-38a982b.tar.gz
+/container-selinux-2377c73.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 5ec50b0..c23ed40 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 95b7c01e1c986e6069a2736dec393c657c11fe6e
+%global commit0 2377c73a19fa960792b4392ddf7d0c7a85585d9a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.45
+Version: 2.46
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,8 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Feb 03 2018 Dan Walsh - 2.46-1
+- Add support for nosuid_transition flags for container_runtime and unconfined domains
 * Fri Feb 02 2018 Dan Walsh - 2.45-1
 - Allow containers to sendto their own stream sockets
diff --git a/sources b/sources
index 7f46c5c..4621a7d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-38a982b.tar.gz) = 6b32edc3843d7dbe4329779181c7caf1a96d66faada19becfb7fe5d297a0757bcafcc944fa862114b6d0fafe68e145ce214523a3a68b28627b76fa51546e10a7
+SHA512 (container-selinux-2377c73.tar.gz) = 705aae6cdc578a5dec3632d848db931217243dbd6b1dd87a63dc0f07cba16e0ead8f4ebebbe979453d5161c9ff7fe1dcc7c62766a38b0a2f84966ea9e669c020
From 7990181f15f09118c5375f27fe4c51bff3558343 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 10 Feb 2018 07:19:10 -0500
Subject: [PATCH 26/44] Change default label of /exports to container_var_lib_t
---
.gitignore | 1 +
container-selinux.spec | 15 ++++++++++++---
sources | 2 +-
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 0d74309..a1882f4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@
 /container-selinux-dfcc97d.tar.gz
 /container-selinux-38a982b.tar.gz
 /container-selinux-2377c73.tar.gz
+/container-selinux-aece4ff.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index c23ed40..12de1ea 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 2377c73a19fa960792b4392ddf7d0c7a85585d9a
+%global commit0 aece4ff33825561eb153f6e697afbde309c46efb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.46
+Version: 2.47
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,15 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Feb 10 2018 Dan Walsh - 2.47-1
+- Change default label of /exports to container_var_lib_t
+
+* Fri Feb 09 2018 Igor Gnatenko - 2:2.46-3
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Sat Feb 03 2018 Dan Walsh - 2.46-1
 - Add support for nosuid_transition flags for container_runtime and unconfined domains
 * Fri Feb 02 2018 Dan Walsh - 2.45-1
@@ -275,7 +284,7 @@ satisfy the bounds check of container_t versus container_runtime_t.
 - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
 * Tue Jan 10 2017 Jonathan Lebon - 2:2.2-3
-- properly disable docker module in %post
+- properly disable docker module in %%post
 * Sat Jan 07 2017 Lokesh Mandvekar - 2:2.2-2
 - depend on selinux-policy-targeted
diff --git a/sources b/sources
index 4621a7d..81ef3da 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-2377c73.tar.gz) = 705aae6cdc578a5dec3632d848db931217243dbd6b1dd87a63dc0f07cba16e0ead8f4ebebbe979453d5161c9ff7fe1dcc7c62766a38b0a2f84966ea9e669c020
+SHA512 (container-selinux-aece4ff.tar.gz) = 23d14ce8b1e4176fb52591edf61ce3efb21a461ddb6df75ca2b50ea2f8746a0f74e3319163b56f936d0dda8736f1d38d2900d1f486743aa8b62a022dfadb7c7d
From b65f998bdc9ab653b5b12efc877204809287aae9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 15 Feb 2018 12:56:06 -0500
Subject: [PATCH 27/44] Allow container domains to map container_file_t directories
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index a1882f4..51e935c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@
 /container-selinux-38a982b.tar.gz
 /container-selinux-2377c73.tar.gz
 /container-selinux-aece4ff.tar.gz
+/container-selinux-663e003.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 12de1ea..8de89a0 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 aece4ff33825561eb153f6e697afbde309c46efb
+%global commit0 663e003b8797564398648b20ad41cf094f87a86e
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.47
+Version: 2.48
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Feb 15 2018 Dan Walsh - 2.48-1
+- Allow container domains to map container_file_t directories
+
 * Sat Feb 10 2018 Dan Walsh - 2.47-1
 - Change default label of /exports to container_var_lib_t
diff --git a/sources b/sources
index 81ef3da..7d4636f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-aece4ff.tar.gz) = 23d14ce8b1e4176fb52591edf61ce3efb21a461ddb6df75ca2b50ea2f8746a0f74e3319163b56f936d0dda8736f1d38d2900d1f486743aa8b62a022dfadb7c7d
+SHA512 (container-selinux-663e003.tar.gz) = e81b7b8e61e09ddb0ffdfe95b7135b3cf9d10719e325b9349364aad7c805e0944ee5baddb8763bf19202537ed8439c255259ec87cc32457da867a10d97cd8d4a
From 42c98d07ea00f1084576ca67a2347b659d4e9e5c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 7 Mar 2018 06:01:03 +0000
Subject: [PATCH 28/44] Allow bin_t as a container_runtime_t entrypoint

Add rules for running container runtimes on mls
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 51e935c..f40f3c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,4 @@
 /container-selinux-2377c73.tar.gz
 /container-selinux-aece4ff.tar.gz
 /container-selinux-663e003.tar.gz
+/container-selinux-fd7d508.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 8de89a0..0879ce3 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 663e003b8797564398648b20ad41cf094f87a86e
+%global commit0 fd7d5085365c3a04e601debbdb0c7f1ceb32afb7
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.48
+Version: 2.50
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Mar 7 2018 Dan Walsh - 2.50-1
+- Allow bin_t as a container_runtime_t entrypoint
+- Add rules for running container runtimes on mls
+
 * Thu Feb 15 2018 Dan Walsh - 2.48-1
 - Allow container domains to map container_file_t directories
diff --git a/sources b/sources
index 7d4636f..2439e3e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-663e003.tar.gz) = e81b7b8e61e09ddb0ffdfe95b7135b3cf9d10719e325b9349364aad7c805e0944ee5baddb8763bf19202537ed8439c255259ec87cc32457da867a10d97cd8d4a
+SHA512 (container-selinux-fd7d508.tar.gz) = 3c627b973db2e86bdd389463fc5f2298740472117e02b76c18a35ec266b273b5e2d2b35212f3d307d80f586f24f767a78850772250d5b773969ef48568043343
From 54c8bd7e7593816462cfc3ccd66e06deadea28eb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 8 Mar 2018 07:54:52 +0000
Subject: [PATCH 29/44] Allow shell_exec_t as a container_runtime_t entrypoint
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index f40f3c1..790d38d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,4 @@
 /container-selinux-aece4ff.tar.gz
 /container-selinux-663e003.tar.gz
 /container-selinux-fd7d508.tar.gz
+/container-selinux-fd50128.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 0879ce3..031ee58 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 fd7d5085365c3a04e601debbdb0c7f1ceb32afb7
+%global commit0 fd5012800ea530d629af7e0290066002e17ac054
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.50
+Version: 2.51
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Mar 8 2018 Dan Walsh - 2.51-1
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
 * Wed Mar 7 2018 Dan Walsh - 2.50-1
 - Allow bin_t as a container_runtime_t entrypoint
 - Add rules for running container runtimes on mls
diff --git a/sources b/sources
index 2439e3e..5557ec4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-fd7d508.tar.gz) = 3c627b973db2e86bdd389463fc5f2298740472117e02b76c18a35ec266b273b5e2d2b35212f3d307d80f586f24f767a78850772250d5b773969ef48568043343
+SHA512 (container-selinux-fd50128.tar.gz) = 9f2b4a3e16bf31931488813ffb7167621836ab555657a21f29af07f9ebefa04e0cc50eaa2a25a3fd817799656023bdcf3b137f81aff98b2a1c0ba1e887529766
From 83446be47835da4a2bac3736c70dfd7eb0d3d969 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 8 Mar 2018 14:33:44 +0000
Subject: [PATCH 30/44] Add rules for container domains to make writing custom policy easier
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 790d38d..78abd50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@
 /container-selinux-663e003.tar.gz
 /container-selinux-fd7d508.tar.gz
 /container-selinux-fd50128.tar.gz
+/container-selinux-bdc0137.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 031ee58..e6a21af 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 fd5012800ea530d629af7e0290066002e17ac054
+%global commit0 bdc0137288e5fe3616c32cd0a02de9aee1503897
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.51
+Version: 2.52
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Mar 8 2018 Dan Walsh - 2.52-1
+- Add rules for container domains to make writing custom policy easier
+
 * Thu Mar 8 2018 Dan Walsh - 2.51-1
 - Allow shell_exec_t as a container_runtime_t entrypoint
diff --git a/sources b/sources
index 5557ec4..49bd965 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-fd50128.tar.gz) = 9f2b4a3e16bf31931488813ffb7167621836ab555657a21f29af07f9ebefa04e0cc50eaa2a25a3fd817799656023bdcf3b137f81aff98b2a1c0ba1e887529766
+SHA512 (container-selinux-bdc0137.tar.gz) = 011891936937ad62122f4026e4247d8dbb3ae7c9317d37e419438924e8c4f37d9092f5f3739cd9ca9de526445c4a7a147a956646c852ef1abd9e4f456e77594b
From adedc557be46812a9de49d32c69e2a6d7bfe82e0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 14 Mar 2018 10:52:34 -0400
Subject: [PATCH 31/44] Add rules for container domains to make writing custom policy easier

Allow shell_exec_t as a container_runtime_t entrypoint
---
.gitignore | 1 +
container-selinux.spec | 8 ++++++--
sources | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 78abd50..51e8133 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,4 @@
 /container-selinux-fd7d508.tar.gz
 /container-selinux-fd50128.tar.gz
 /container-selinux-bdc0137.tar.gz
+/container-selinux-55c7d4d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index e6a21af..53ae942 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 bdc0137288e5fe3616c32cd0a02de9aee1503897
+%global commit0 55c7d4dfeb063bd6177ebe2e4c5b8c466facdb16
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.52
+Version: 2.54
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Mar 14 2018 Dan Walsh - 2.54-1
+- Add rules for container domains to make writing custom policy easier
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
 * Thu Mar 8 2018 Dan Walsh - 2.52-1
 - Add rules for container domains to make writing custom policy easier
diff --git a/sources b/sources
index 49bd965..134881e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-bdc0137.tar.gz) = 011891936937ad62122f4026e4247d8dbb3ae7c9317d37e419438924e8c4f37d9092f5f3739cd9ca9de526445c4a7a147a956646c852ef1abd9e4f456e77594b
+SHA512 (container-selinux-55c7d4d.tar.gz) = d148367e0e1112cb7430e891e5e6d29ca2edfe4af8ad7ca495938b2e1aed4354f41e5e0426c3ff96bf8f8c06a86ae6ef7f88207970009fe0cb1a6b67a5e75e3a
From 5ec2d4ec4ab92eee7ac46bfaa8b57a34df94144d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 15 Mar 2018 07:15:03 -0400
Subject: [PATCH 32/44] Dontaudit attempts by containers to write to /proc/self
---
.gitignore | 1 +
container-selinux.spec | 7 +++++--
sources | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 51e8133..644c033 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ /container-selinux-fd50128.tar.gz /container-selinux-bdc0137.tar.gz /container-selinux-55c7d4d.tar.gz +/container-selinux-d248f91.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 53ae942..15610c7 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 55c7d4dfeb063bd6177ebe2e4c5b8c466facdb16 +%global commit0 d248f9197acde3e7c489f2ee09c10f8b29ef1a68 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.54 +Version: 2.55 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -117,6 +117,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Mar 15 2018 Dan Walsh - 2.55-1 +- Dontaudit attempts by containers to write to /proc/self + * Wed Mar 14 2018 Dan Walsh - 2.54-1 - Add rules for container domains to make writing custom policy easier - Allow shell_exec_t as a container_runtime_t entrypoint diff --git a/sources b/sources index 134881e..eb6df7c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-55c7d4d.tar.gz) = d148367e0e1112cb7430e891e5e6d29ca2edfe4af8ad7ca495938b2e1aed4354f41e5e0426c3ff96bf8f8c06a86ae6ef7f88207970009fe0cb1a6b67a5e75e3a +SHA512 (container-selinux-d248f91.tar.gz) = 28f7a36228581fce097f3c0a3798a727300f609dc927d976c4cf0d8c10834a3695503b1f340bc73ba86fdca4906cd12cf0c73804a40dfd1e99aecaa9e2bc3917 From 6bc71a9dd6870d456a49a996eef747d8be0e572a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 18 May 2018 11:54:28 -0400 Subject: [PATCH 33/44] Add labels to allow podman to be run from a systemd unit file --- .gitignore | 1 + container-selinux.spec | 60 +++++++++++++++++++++++++++++++++++++----- sources | 2 +- 3 files changed, 55 insertions(+), 8 deletions(-) 
diff --git a/.gitignore b/.gitignore index 644c033..041a4e4 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,4 @@ /container-selinux-bdc0137.tar.gz /container-selinux-55c7d4d.tar.gz /container-selinux-d248f91.tar.gz +/container-selinux-d213769.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 15610c7..dabdc01 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,12 +3,13 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 d248f9197acde3e7c489f2ee09c10f8b29ef1a68 +%global commit0 d2137698cba817ee241a02210b7d63473bd38233 +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 -%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 +%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 +%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7}) %endif -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package @@ -35,13 +36,18 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.55 -Release: 1%{?dist} +Version: 2.58 +Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes +%if 0%{?fedora} || 0%{?rhel} >7 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +%else +Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz +%endif BuildArch: noarch +BuildRequires: git BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} 
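Review bot: Splitting the hash into `commit0` and `el_commit0` forces the same `%if 0%{?fedora} || 0%{?rhel} > 7` test to be repeated for `shortcommit0`, for `Source0`, and (in the following hunk) for `%prep`, and the copies already drift (`>7` without the space on the Source0 test). Defining a single `commit0` in both branches, as the removed lines did, lets `%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})`, `Source0:` and `%autosetup` each be written once; e.g. keep `%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1` under `%else` and move `shortcommit0` back below `%endif`. The Release string now embeds the snapshot hash (`1.git%{shortcommit0}`), so the `2.57-1` changelog entry this commit adds in the next hunk does not match the `2.58-1.git…` it actually builds; the follow-up commit fixes the version but not the suffix.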
@@ -64,7 +70,11 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release} SELinux policy modules for use with container runtimes. %prep -%setup -q -n %{name}-%{commit0} +%if 0%{?fedora} || 0%{?rhel} > 7 +%autosetup -Sgit -n %{name}-%{commit0} +%else +%autosetup -Sgit -n %{name}-%{el_commit0} +%endif %build make @@ -117,6 +127,42 @@ fi %{_datadir}/selinux/* %changelog +* Fri May 18 2018 Dan Walsh - 2.57-1 +- Add labels to allow podman to be run from a systemd unit file + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91 +- autobuilt commit d248f91 + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-11.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-10.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-9.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-8 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-7 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-6 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-5 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-4 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-3 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-2 +- autobuilt commit d248f91 + * Thu Mar 15 2018 Dan Walsh - 2.55-1 - Dontaudit attempts by containers to write to /proc/self @@ -141,7 +187,7 @@ fi - Change default label of /exports to container_var_lib_t * Fri Feb 09 2018 Igor Gnatenko - 2:2.46-3 -- Escape macros in %%changelog +- Escape macros in %%CHANGELOG * Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index eb6df7c..480858b 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-d248f91.tar.gz) = 28f7a36228581fce097f3c0a3798a727300f609dc927d976c4cf0d8c10834a3695503b1f340bc73ba86fdca4906cd12cf0c73804a40dfd1e99aecaa9e2bc3917 +SHA512 (container-selinux-d213769.tar.gz) = 94c3b6b097b9ad6b943bfec4b0d28d38a6fd10057b75c4236f03e52383361d1209d4c96acd02c2295707db037b26e5269eec5ead077bd90017518ea58fd5cc7a From 6fd768c196da6eed1534fb3919e3ccfb15d27873 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 21 May 2018 11:04:20 -0400 Subject: [PATCH 34/44] Run restorecon /usr/bin/podman in postinstall --- container-selinux.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index dabdc01..7e67c30 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -23,7 +23,7 @@ %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; # Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using %if 0%{?fedora} >= 22 || 0%{?rhel} > 7 @@ -37,7 +37,7 @@ Name: container-selinux Epoch: 2 %endif Version: 2.58 -Release: 1.git%{shortcommit0}%{?dist} +Release: 2.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -127,7 +127,10 @@ fi %{_datadir}/selinux/* %changelog -* Fri May 18 2018 Dan Walsh - 2.57-1 +* Mon May 21 2018 Dan Walsh - 2.58-2 +- Run restorecon /usr/bin/podman in postinstall + +* Fri May 18 2018 Dan Walsh - 2.58-1 - Add labels to allow podman to be run from a systemd unit file * Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91 From 88b4cd2b81e72b752f8b13e42ae9c4e33bc685b9 Mon Sep 17 00:00:00 2001 
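Review bot: The rewritten `relabel_files` macro still lists `%{_sysconfdir}/docker` twice (once after `docker.pid`, again just before `%{_libexecdir}/docker*`); since the whole line is replaced here, drop the duplicate while touching it. `%{_bindir}/*podman*` is an unanchored shell glob, so anything in `%{_bindir}` whose name merely contains `podman` is relabelled recursively — probably intended to mirror `*runc*`, but `%{_bindir}/podman*` would be the tighter spelling if only the binary and its helpers are meant. With `&> /dev/null || :` at the end, a typo in any new entry is silent, so a one-line comment above the macro naming what the list is (`# paths whose labels change with this policy; best-effort, errors ignored`) would help reviewers of future additions.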
From: Daniel J Walsh Date: Mon, 21 May 2018 12:50:00 -0400 Subject: [PATCH 35/44] Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. --- .gitignore | 1 + container-selinux.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 041a4e4..511bfce 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,4 @@ /container-selinux-55c7d4d.tar.gz /container-selinux-d248f91.tar.gz /container-selinux-d213769.tar.gz +/container-selinux-701557f.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 7e67c30..dcd40e5 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 d2137698cba817ee241a02210b7d63473bd38233 +%global commit0 701557f1cd94a488a191215db04123ae533c5142 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,8 +36,8 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.58 -Release: 2.git%{shortcommit0}%{?dist} +Version: 2.59 +Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -127,6 +127,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon May 21 2018 Dan Walsh - 2.59-1 +- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. + * Mon May 21 2018 Dan Walsh - 2.58-2 - Run restorecon /usr/bin/podman in postinstall diff --git a/sources b/sources index 480858b..9bfdad7 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-d213769.tar.gz) = 94c3b6b097b9ad6b943bfec4b0d28d38a6fd10057b75c4236f03e52383361d1209d4c96acd02c2295707db037b26e5269eec5ead077bd90017518ea58fd5cc7a +SHA512 (container-selinux-701557f.tar.gz) = 407baf6258b40241905ca682e1f0f7ad7109bd05bb92efad8c88defdf257b374353b6dacfac343d0a6e2347236d80e408edf320e95e5bf31e97b26e7829e876e From e3d9388ccce3c6817d7bd0f6f2b4b80dabe743b9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 21 May 2018 13:20:10 -0400 Subject: [PATCH 36/44] Allow containers to list cgroup directories --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 511bfce..513b13f 100644 --- a/.gitignore +++ b/.gitignore @@ -47,3 +47,4 @@ /container-selinux-d248f91.tar.gz /container-selinux-d213769.tar.gz /container-selinux-701557f.tar.gz +/container-selinux-97f8dfc.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index dcd40e5..ae7d2ab 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 701557f1cd94a488a191215db04123ae533c5142 +%global commit0 97f8dfc2baf1c27f7e1de9ca3e11299f7e6c32d8 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,7 +36,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.59 +Version: 2.60 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -127,6 +127,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon May 21 2018 Dan Walsh - 2.60-1 +- Allow containers to list cgroup directories + * Mon May 21 2018 Dan Walsh - 2.59-1 - Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. diff --git a/sources b/sources index 9bfdad7..da629a0 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-701557f.tar.gz) = 407baf6258b40241905ca682e1f0f7ad7109bd05bb92efad8c88defdf257b374353b6dacfac343d0a6e2347236d80e408edf320e95e5bf31e97b26e7829e876e +SHA512 (container-selinux-97f8dfc.tar.gz) = 3938f6b31a720571a948a5233c1a2b40417c87685fb22f78fb7b3d54fadde2cfe1cd53ad92fe150155ebd0a1ed4986598dbda866ca05e4948d5d919c99293ca9 From dfdaf6e51ece26e53ffa2e434a70e80cb383d1f0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 21 May 2018 17:14:39 -0400 Subject: [PATCH 37/44] Allow spc_t to load kernel modules from inside of container --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 513b13f..0d68d82 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,4 @@ /container-selinux-d213769.tar.gz /container-selinux-701557f.tar.gz /container-selinux-97f8dfc.tar.gz +/container-selinux-9b55129.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index ae7d2ab..1f9138f 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 97f8dfc2baf1c27f7e1de9ca3e11299f7e6c32d8 +%global commit0 9b55129d5f2f7178a5423c7232cf99d74c1f94b3 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,7 +36,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.60 +Version: 2.61 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -127,6 +127,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon May 21 2018 Dan Walsh - 2.61-1 +- Allow spc_t to load kernel modules from inside of container + * Mon May 21 2018 Dan Walsh - 2.60-1 - Allow containers to list cgroup directories diff --git a/sources b/sources index da629a0..40a3367 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-97f8dfc.tar.gz) = 3938f6b31a720571a948a5233c1a2b40417c87685fb22f78fb7b3d54fadde2cfe1cd53ad92fe150155ebd0a1ed4986598dbda866ca05e4948d5d919c99293ca9 +SHA512 (container-selinux-9b55129.tar.gz) = ddafb1237c393ffc4a328e7fa824c5c1f8c0b910be5d8a732a58965f76a6ec561846c968cd7baad0f108f653d027b7b4513b7a9c23823757edd5ae436ffa61b6 From 22848b915a3b70dd7ec45bfe36b3c828550d6545 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 30 May 2018 11:10:46 -0400 Subject: [PATCH 38/44] Allow containers to create icmp packets --- .gitignore | 2 ++ container-selinux.spec | 11 +++++++++-- sources | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0d68d82..ba75bf5 100644 --- a/.gitignore +++ b/.gitignore @@ -49,3 +49,5 @@ /container-selinux-701557f.tar.gz /container-selinux-97f8dfc.tar.gz /container-selinux-9b55129.tar.gz +/container-selinux-1ecf953.tar.gz +/container-selinux-284f9e7.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 1f9138f..0a7cf66 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 9b55129d5f2f7178a5423c7232cf99d74c1f94b3 +%global commit0 284f9e75b1356de59299f5aa6e7045243749f420 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,7 +36,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.61 +Version: 2.63 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} 
@@ -127,6 +127,13 @@ fi %{_datadir}/selinux/* %changelog +* Wed May 30 2018 Dan Walsh - 2.63-1 +- Allow containers to create icmp packets + +* Fri May 25 2018 Lokesh Mandvekar (Bot) - 2:2.62-1.git1ecf953 +- bump to 2.62 +- autobuilt 1ecf953 + * Mon May 21 2018 Dan Walsh - 2.61-1 - Allow spc_t to load kernel modules from inside of container diff --git a/sources b/sources index 40a3367..3b91760 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-9b55129.tar.gz) = ddafb1237c393ffc4a328e7fa824c5c1f8c0b910be5d8a732a58965f76a6ec561846c968cd7baad0f108f653d027b7b4513b7a9c23823757edd5ae436ffa61b6 +SHA512 (container-selinux-284f9e7.tar.gz) = b14bc6666da449525e53990ea2598e004f4383c851b7647f34d2ac7ee779130a95808d2dfbdd8381e2c90461205fa8d9a93ace5027af1fff2e724ab5b9945ea1 From 35c49761f47c47e1a5763d48c73e0b88585e064f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sun, 3 Jun 2018 06:09:56 -0400 Subject: [PATCH 39/44] Allow containers to create all socket classes --- container-selinux.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 0a7cf66..916dbed 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 284f9e75b1356de59299f5aa6e7045243749f420 +%global commit0 d34637560ae7e992abdb70b2edafe9588e80c3aa %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,7 +36,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.63 +Version: 2.64 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} 
@@ -127,6 +127,9 @@ fi %{_datadir}/selinux/* %changelog +* Sun Jun 3 2018 Dan Walsh - 2.64-1 +- Allow containers to create all socket classes + * Wed May 30 2018 Dan Walsh - 2.63-1 - Allow containers to create icmp packets From 68aea6cfc5f3bac6231b111fc490677228d2fe7d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sun, 3 Jun 2018 06:15:26 -0400 Subject: [PATCH 40/44] Allow containers to create all socket classes --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index ba75bf5..a473e8e 100644 --- a/.gitignore +++ b/.gitignore @@ -51,3 +51,4 @@ /container-selinux-9b55129.tar.gz /container-selinux-1ecf953.tar.gz /container-selinux-284f9e7.tar.gz +/container-selinux-d346375.tar.gz diff --git a/sources b/sources index 3b91760..2bdfc14 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-284f9e7.tar.gz) = b14bc6666da449525e53990ea2598e004f4383c851b7647f34d2ac7ee779130a95808d2dfbdd8381e2c90461205fa8d9a93ace5027af1fff2e724ab5b9945ea1 +SHA512 (container-selinux-d346375.tar.gz) = 773ddd8f3c0280a1c88b75a619b961dfdc7aa95c807bebb161d80f04040dff3f039ca2eb0560f6ccf8a8d5367a96639c0fc634ac02b5ecd29b54dea028dcc9fc From 8ee655ff754fc39c1a9a58b0207bdccabb82484c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 11 Jun 2018 08:56:29 -0400 Subject: [PATCH 41/44] Add new type to handle containers running with a non priv user in a userns allow containers to map all sockets --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index a473e8e..3605338 100644 --- a/.gitignore +++ b/.gitignore @@ -52,3 +52,4 @@ /container-selinux-1ecf953.tar.gz /container-selinux-284f9e7.tar.gz /container-selinux-d346375.tar.gz +/container-selinux-bf5b26b.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 916dbed..ee16a60 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 d34637560ae7e992abdb70b2edafe9588e80c3aa +%global commit0 bf5b26b07c9fa182142566bdcd27e91f9355529c %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,7 +36,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.64 +Version: 2.65 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -127,6 +127,10 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jun 11 2018 Dan Walsh - 2.65-1 +- Add new type to handle containers running with a non priv user in a userns +- allow containers to map all sockets + * Sun Jun 3 2018 Dan Walsh - 2.64-1 - Allow containers to create all socket classes diff --git a/sources b/sources index 2bdfc14..0f22f53 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-d346375.tar.gz) = 773ddd8f3c0280a1c88b75a619b961dfdc7aa95c807bebb161d80f04040dff3f039ca2eb0560f6ccf8a8d5367a96639c0fc634ac02b5ecd29b54dea028dcc9fc +SHA512 (container-selinux-bf5b26b.tar.gz) = 2227ef893bce792841ccca589c844ad8e9f5a067cb78f8f2c9f8d1224ac49ae9ec0d6894d2f165e90ecd253baf0e8e6ff94e55da4f535aa49d8cef6577ab211d From 74aab1944814a9b03cf7a1cf7094e875b373e35e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sat, 16 Jun 2018 13:22:09 -0400 Subject: [PATCH 42/44] Add new type to handle containers running with a non priv user in a userns allow containers to map all sockets --- container-selinux.spec | 3 +++ getrlimit.patch | 13 +++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 getrlimit.patch diff --git a/container-selinux.spec b/container-selinux.spec index ee16a60..554baee 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -46,6 +46,8 @@ Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 %else
 Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
 %endif
+patch: getrlimit.patch
+
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -75,6 +77,7 @@ SELinux policy modules for use with container runtimes.
 %else
 %autosetup -Sgit -n %{name}-%{el_commit0}
 %endif
+#%patch -p1 -b .getrlimit
 
 %build
 make
diff --git a/getrlimit.patch b/getrlimit.patch
new file mode 100644
index 0000000..e9edcbf
--- /dev/null
+++ b/getrlimit.patch
@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index e768807..a469eda 100644
+--- a/container.te
++++ b/container.te
+@@ -685,7 +685,7 @@ dev_list_sysfs(container_domain)
+ allow svirt_sandbox_domain self:key manage_key_perms;
+ dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+ 
+-allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow container_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+ allow container_domain self:fifo_file manage_file_perms;
+ allow container_domain self:msg all_msg_perms;
+ allow container_domain self:sem create_sem_perms;
From 59afaa9ca76048c6c2bc97fc7390cbf58c001a71 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 16 Jul 2018 12:22:39 -0400
Subject: [PATCH 43/44] Add label for /var/lib/origin Add customizable_file_t to customizable_types
---
.gitignore | 8 ++++++++
container-selinux.spec | 34 ++++++++++++++++++++++++++++------
sources | 2 +-
3 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3605338..a80c699 100644
--- a/.gitignore
+++ b/.gitignore
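Review bot: The intent of this hunk is ambiguous: `patch: getrlimit.patch` is declared, the `%patch` line is commented out, yet `%prep` uses `%autosetup` without `-N`, which (as far as I recall rpm's macros) runs `%autopatch` and applies every declared Patch tag anyway — so the removal of `getrlimit` from `container_domain self:process` carried by the new file is probably applied silently while the commented line suggests it is disabled. Make the choice explicit: either drop the tag and the file, or keep the tag and delete the comment (or use `%autosetup -N -Sgit` plus `%patch0 -p1 -b .getrlimit` if manual control is wanted), and record in the changelog why `getrlimit` is being taken away from container domains, since neither the subject nor the changelog mentions it. If a commented `%patch` is kept at all, spell it `#%%patch -p1 -b .getrlimit`: rpm expands macros in comment lines too, and this spec's own changelog records having to escape macros for that reason. The `%prep` section begins outside the hunk.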
@@ -53,3 +53,11 @@
 /container-selinux-284f9e7.tar.gz
 /container-selinux-d346375.tar.gz
 /container-selinux-bf5b26b.tar.gz
+/container-selinux-dfaf8fd.tar.gz
+/container-selinux-8ecc282.tar.gz
+/container-selinux-0407867.tar.gz
+<<<<<<< Updated upstream
+/container-selinux-042f7cf.tar.gz
+=======
+/container-selinux-25277c8.tar.gz
+>>>>>>> Stashed changes
diff --git a/container-selinux.spec b/container-selinux.spec
index 554baee..14d6d71 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 bf5b26b07c9fa182142566bdcd27e91f9355529c
+%global commit0 25277c867c16433c505a22840bbe90e4902a1f69
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.65
+Version: 2.68
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -46,8 +46,6 @@ Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 %else
 Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
 %endif
-patch: getrlimit.patch
-
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -64,6 +62,7 @@ Requires(post): policycoreutils-python-utils
 Requires(post): policycoreutils-python
 %endif
 Requires(post): libselinux-utils
+Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
 Provides: docker-selinux = %{epoch}:%{version}-%{release}
@@ -77,7 +76,6 @@ SELinux policy modules for use with container runtimes.
 %else
 %autosetup -Sgit -n %{name}-%{el_commit0}
 %endif
-#%patch -p1 -b .getrlimit
 
 %build
 make
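Review bot: The `.gitignore` hunk commits unresolved stash-conflict markers (`<<<<<<< Updated upstream`, `=======`, `>>>>>>> Stashed changes`), which git will read literally as ignore patterns; resolve it by keeping both tarball entries and deleting the three marker lines, i.e. `/container-selinux-042f7cf.tar.gz` followed by `/container-selinux-25277c8.tar.gz`. The spec hunks in the same commit bump `Version:` to 2.68 while the changelog entry it adds says `2.67-1`, so that pair needs reconciling as well.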
@@ -112,6 +110,9 @@ if %{_sbindir}/selinuxenabled ; then restorecon -R %{_sharedstatedir}/docker &> /dev/null || : fi fi +. %{_sysconfdir}/selinux/config +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types + %postun if [ $1 -eq 0 ]; then @@ -130,11 +131,32 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jul 16 2018 Dan Walsh - 2.67-1 +- Add label for /var/lib/origin +- Add customizable_file_t to customizable_types + +* Thu Jul 12 2018 Fedora Release Engineering - 2:2.67-3.dev.git042f7cf +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Lokesh Mandvekar (Bot) - 2:2.67-2.git042f7cf +- autobuilt 042f7cf + +* Sat Jul 07 2018 Lokesh Mandvekar (Bot) - 2:2.67-1.git0407867 +- bump to 2.67 +- autobuilt 0407867 + +* Sat Jun 30 2018 Dan Walsh - 2.66-1 +- Allow container runtimes to dbus chat with systemd-resolved + +* Tue Jun 12 2018 Lokesh Mandvekar (Bot) - 2:2.64-1.gitdfaf8fd +- bump to 2.64 +- autobuilt dfaf8fd + * Mon Jun 11 2018 Dan Walsh - 2.65-1 - Add new type to handle containers running with a non priv user in a userns - allow containers to map all sockets -* Sun Jun 3 2018 Dan Walsh - 2.64-1 +* Sun Jun 3 2018 Dan Walsh - 2.64-1.gitdfaf8fd - Allow containers to create all socket classes * Wed May 30 2018 Dan Walsh - 2.63-1 diff --git a/sources b/sources index 0f22f53..5acc311 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-bf5b26b.tar.gz) = 2227ef893bce792841ccca589c844ad8e9f5a067cb78f8f2c9f8d1224ac49ae9ec0d6894d2f165e90ecd253baf0e8e6ff94e55da4f535aa49d8cef6577ab211d +SHA512 (container-selinux-25277c8.tar.gz) = b75d2f255cde830eeea4b081528289fd005b51622c6a6d6336dca4cd97a86bd0ae2b34880110ca3e2b06a405e496f3b302130e98cb89d379bae9cc0a79c38366 From 514fcb5dc65a14cd2222b133aaedaed24a3ec786 Mon Sep 17 00:00:00 2001 
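Review bot: The two lines added to `%post` after the closing `fi` run unconditionally and without `|| :`, unlike the `selinuxenabled`-guarded block directly above them: if `%{_sysconfdir}/selinux/config` is absent the `.` fails, and if `SELINUXTYPE` is unset `sed -i` targets `/etc/selinux//contexts/customizable_types`, exits non-zero and rpm/dnf report a failed `%post`. Guard both steps on the file's presence and a non-empty `SELINUXTYPE`, use `%{_sysconfdir}` consistently instead of a literal `/etc/selinux`, and keep the edit best-effort as shown below. The `h;x;…;a\` sed program is hard to audit, so a one-line comment above it saying it appends `container_file_t` to `customizable_types` when absent would help the next reader, as would a note that nothing in the visible `%postun` context removes the entry on uninstall. The changelog in the following hunk says `customizable_file_t` while the code adds `container_file_t`; one of the two is wrong. The `%post` scriptlet begins outside the hunk.
```rpmspec
# … unchanged: if %{_sbindir}/selinuxenabled … %relabel_files … fi block …
if [ -f %{_sysconfdir}/selinux/config ]; then
    . %{_sysconfdir}/selinux/config
fi
# Append container_file_t to customizable_types if it is not already listed.
ctypes=%{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types
if [ -n "${SELINUXTYPE}" ] && [ -f "${ctypes}" ]; then
    sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i "${ctypes}" || :
fi
```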
From: Daniel J Walsh Date: Fri, 10 Aug 2018 07:16:25 -0600 Subject: [PATCH 44/44] Add trigger to relabel content on /var/lib/containers on older versions of package --- container-selinux.spec | 22 +++++++++++++++++++--- sources | 2 +- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 14d6d71..29e9372 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 25277c867c16433c505a22840bbe90e4902a1f69 +%global commit0 452b90de0cbc75f0a55defa1d45b7bc337d4f076 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %else # use upstream's RHEL-1.12 branch for CentOS 7 @@ -36,8 +36,8 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.68 -Release: 1.git%{shortcommit0}%{?dist} +Version: 2.69 +Release: 2.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -62,6 +62,7 @@ Requires(post): policycoreutils-python-utils Requires(post): policycoreutils-python %endif Requires(post): libselinux-utils +Requires(post): libsemanage >= 2.8-2 Requires(post): sed Obsoletes: %{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 @@ -108,6 +109,7 @@ if %{_sbindir}/selinuxenabled ; then %relabel_files if [ $1 -eq 1 ]; then restorecon -R %{_sharedstatedir}/docker &> /dev/null || : + restorecon -R %{_sharedstatedir}/containers &> /dev/null || : fi fi . %{_sysconfdir}/selinux/config 
@@ -130,7 +132,21 @@ fi %doc README.md %{_datadir}/selinux/* +%triggerin -- container-selinux < 2.69-2 +restorecon -R %{_sharedstatedir}/containers &> /dev/null || : +exit 0 + %changelog +* Fri Aug 10 2018 Dan Walsh - 2.69-2 +- Add trigger to relabel content on /var/lib/containers on older versions of +package + +* Wed Jul 25 2018 Dan Walsh - 2.69-1 +- dontaudit attempts to write to sysctl_kernel_t + +* Wed Jul 18 2018 Lokesh Mandvekar (Bot) - 2:2.68-2.gitc139a3d +- autobuilt c139a3d + * Mon Jul 16 2018 Dan Walsh - 2.67-1 - Add label for /var/lib/origin - Add customizable_file_t to customizable_types diff --git a/sources b/sources index 5acc311..dab2d47 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-25277c8.tar.gz) = b75d2f255cde830eeea4b081528289fd005b51622c6a6d6336dca4cd97a86bd0ae2b34880110ca3e2b06a405e496f3b302130e98cb89d379bae9cc0a79c38366 +SHA512 (container-selinux-452b90d.tar.gz) = f9bc9c9fafd98aca03b755dc44807baec3aec2b0a97bd539be6b49bc2f1f571973bef8e8a716ef990255f4b26ef9650e2c03ce9bf3ee0961f99205e309475944
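Review bot: `%triggerin -- container-selinux < 2.69-2` gives the version without an epoch, but this spec sets `Epoch: 2` on Fedora and RHEL > 7 (the changelog lines in this same hunk carry `2:`); as far as I recall rpm's default epoch handling, an epoch-less requirement compared against an installed `2:2.68-…` is treated as epoch 0, the `<` test is false, and the trigger never fires on exactly the upgrades it is meant to relabel — worth confirming with a test upgrade before shipping. `%triggerin -- container-selinux < %{?epoch:%{epoch}:}2.69-2` keeps the condition correct under both the epoch and non-epoch branches. The trigger body also skips the `selinuxenabled` check the `%post` block uses; harmless given `|| :` and `exit 0`, but a comment such as `# relabel /var/lib/containers created under an older policy when upgrading from < 2.69-2` would explain why a self-trigger exists next to the `$1 -eq 1` restorecon in %post.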