diff --git a/.gitignore b/.gitignore index 51e935c..4d3f6eb 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,42 @@ /container-selinux-2377c73.tar.gz /container-selinux-aece4ff.tar.gz /container-selinux-663e003.tar.gz +/container-selinux-fd7d508.tar.gz +/container-selinux-fd50128.tar.gz +/container-selinux-bdc0137.tar.gz +/container-selinux-55c7d4d.tar.gz +/container-selinux-d248f91.tar.gz +/container-selinux-d213769.tar.gz +/container-selinux-701557f.tar.gz +/container-selinux-97f8dfc.tar.gz +/container-selinux-9b55129.tar.gz +/container-selinux-1ecf953.tar.gz +/container-selinux-284f9e7.tar.gz +/container-selinux-d346375.tar.gz +/container-selinux-bf5b26b.tar.gz +/container-selinux-dfaf8fd.tar.gz +/container-selinux-8ecc282.tar.gz +/container-selinux-0407867.tar.gz +/container-selinux-042f7cf.tar.gz +/container-selinux-25277c8.tar.gz +/container-selinux-c139a3d.tar.gz +/container-selinux-452b90d.tar.gz +/container-selinux-4e73492.tar.gz +/container-selinux-5721d74.tar.gz +/container-selinux-d7a3f33.tar.gz +/container-selinux-a62c2db.tar.gz +/container-selinux-99e2cfd.tar.gz +/container-selinux-87fae85.tar.gz +/container-selinux-5133af6.tar.gz +/container-selinux-2c57a17.tar.gz +/container-selinux-1362777.tar.gz +/container-selinux-6f01752.tar.gz +/container-selinux-1b655d9.tar.gz +/container-selinux-484806a.tar.gz +/container-selinux-21c2be6.tar.gz +/container-selinux-5e1f62f.tar.gz +/container-selinux-ec6fcad.tar.gz +/container-selinux-eb60838.tar.gz +/container-selinux-92af7fd.tar.gz +/container-selinux-c178849.tar.gz +/container-selinux-2521d0d.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 8de89a0..850dc4c 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,12 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 663e003b8797564398648b20ad41cf094f87a86e -%else -# use upstream's RHEL-1.12 branch for CentOS 7 -%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 -%endif +%global commit0 2521d0d6082ea9057d827d257d27291bf6219aba %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -22,26 +17,23 @@ %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; # Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using -%if 0%{?fedora} >= 22 || 0%{?rhel} > 7 %global selinux_policyver 3.13.1-220 -%else -%global selinux_policyver 3.13.1-39 -%endif Name: container-selinux -%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 +%if 0%{?fedora} Epoch: 2 %endif -Version: 2.48 -Release: 1%{?dist} +Version: 2.89 +Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz BuildArch: noarch +BuildRequires: git BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} @@ -50,12 +42,8 @@ Requires: selinux-policy >= %{selinux_policyver} Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): selinux-policy-targeted >= %{selinux_policyver} Requires(post): policycoreutils -%if 0%{?fedora} || 0%{?rhel} > 7 -Requires(post): policycoreutils-python-utils -%else -Requires(post): policycoreutils-python -%endif Requires(post): libselinux-utils +Requires(post): sed Obsoletes: %{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 Provides: docker-selinux = %{epoch}:%{version}-%{release} @@ -64,7 +52,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release} SELinux policy modules for use with container runtimes. %prep -%setup -q -n %{name}-%{commit0} +%autosetup -Sgit -n %{name}-%{commit0} %build make @@ -85,7 +73,7 @@ rm -rf container-selinux.spec %post # Install all modules in a single transaction if [ $1 -eq 1 ]; then - %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 + %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null @@ -97,8 +85,12 @@ if %{_sbindir}/selinuxenabled ; then %relabel_files if [ $1 -eq 1 ]; then restorecon -R %{_sharedstatedir}/docker &> /dev/null || : + restorecon -R %{_sharedstatedir}/containers &> /dev/null || : fi fi +. %{_sysconfdir}/selinux/config +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types +matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : %postun if [ $1 -eq 0 ]; then @@ -117,6 +109,192 @@ fi %{_datadir}/selinux/* %changelog +* Sat Mar 9 2019 Dan Walsh - 2.89-1 +- Allow all container domains to have container file types entrypoint +- Add new release to fix issues with udica +- Allow container_runtime_t to dyntransition to container domains + +* Fri Mar 1 2019 Dan Walsh - 2.86-1 +- Allow unconfined user and services to dyntrans to container domains, needed for CRIU +- Allow containers exectue hugetlb files. + +* Thu Feb 28 2019 Dan Walsh - 2.85-1 +- More allow rules to allow containers to run within containers + +* Thu Feb 28 2019 Dan Walsh - 2.84-1 +- More allow rules to allow containers to run within containers + +* Tue Feb 26 2019 Lokesh Mandvekar (Bot) - 2:2.82-2.git5e1f62f +- bump to 2.82 +- autobuilt 5e1f62f + +* Mon Feb 25 2019 Dan Walsh - 2.83-1 +- Allow containers to mounton cgroup and container_file_t + +* Sun Feb 10 2019 Dan Walsh - 2.82-1.nightly.git5e1f62f +- Allow confined users to use containers + +* Fri Feb 08 2019 Lokesh Mandvekar (Bot) - 2:2.80-3.git21c2be6 +- bump to 2.80 +- autobuilt 21c2be6 + +* Thu Feb 7 2019 Dan Walsh - 2.81-1 +- Add new labels for paths for containerd + +* Thu Jan 31 2019 Fedora Release Engineering - 2:2.80-2.git1b655d9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jan 22 2019 Dan Walsh - 2.80-1.nightly.git21c2be6 +- Don't allow containers to talk to contianer runtime sockets + +* Fri Jan 11 2019 Dan Walsh - 2.79-1 +- Fix labeling on /var/lib/registries + +* Thu Jan 10 2019 Dan Walsh - 2.78-1 +- Fix labeling for images in docker daemon user namespace + +* Mon Dec 17 2018 Dan Walsh - 2.77-1 +- Allow container-runtime to setattr on fifo_file handed into container runtime. + +* Tue Nov 13 2018 Lokesh Mandvekar (Bot) - 2:2.752.75-1.dev.git99e2cfd1 +- bump to 2.75 +- autobuilt 99e2cfd + +* Mon Nov 12 2018 Dan Walsh - 2.76-1 +- Allow containers to sendto dgram socket of container runtimes +- Needed to run container runtimes in notify socket unit files. + +* Tue Oct 30 2018 Dan Walsh - 2.75-1.dev.git99e2cfd +- Allow containers to use fuse file systems by default + +* Fri Oct 19 2018 Dan Walsh - 2.74-1 +- Allow containers to setexec themselves + +* Sat Sep 22 2018 Dan Walsh - 2.73-2 +- Remove requires for policycoreutils-python-utils we don't need it. + +* Wed Sep 12 2018 Dan Walsh - 2.73-1 +- Define spc_t as a container_domain, so that container_runtime will transition +to spc_t even when setup with nosuid. + +* Wed Sep 12 2018 Dan Walsh - 2.72-1 +- Allow container_runtimes to setattr on callers fifo_files +github.com/opencontainers/selinux +* Mon Aug 27 2018 Dan Walsh - 2.71-2 +- Fix restorecon to not error on missing directory + +* Wed Aug 22 2018 Dan Walsh - 2.71-1 +- Allow unconfined_r to transition to system_r over container_runtime_exec_t + +* Wed Aug 22 2018 Dan Walsh - 2.70-1 +- Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t + +* Wed Jul 25 2018 Dan Walsh - 2.69-1 +- dontaudit attempts to write to sysctl_kernel_t + +* Wed Jul 18 2018 Lokesh Mandvekar (Bot) - 2:2.68-2.gitc139a3d +- autobuilt c139a3d + +* Mon Jul 16 2018 Dan Walsh - 2.67-1 +- Add label for /var/lib/origin +- Add customizable_file_t to customizable_types + +* Thu Jul 12 2018 Fedora Release Engineering - 2:2.67-3.dev.git042f7cf +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Lokesh Mandvekar (Bot) - 2:2.67-2.git042f7cf +- autobuilt 042f7cf + +* Sat Jul 07 2018 Lokesh Mandvekar (Bot) - 2:2.67-1.git0407867 +- bump to 2.67 +- autobuilt 0407867 + +* Sat Jun 30 2018 Dan Walsh - 2.66-1 +- Allow container runtimes to dbus chat with systemd-resolved + +* Tue Jun 12 2018 Lokesh Mandvekar (Bot) - 2:2.64-1.gitdfaf8fd +- bump to 2.64 +- autobuilt dfaf8fd + +* Mon Jun 11 2018 Dan Walsh - 2.65-1 +- Add new type to handle containers running with a non priv user in a userns +- allow containers to map all sockets + +* Sun Jun 3 2018 Dan Walsh - 2.64-1.gitdfaf8fd +- Allow containers to create all socket classes + +* Wed May 30 2018 Dan Walsh - 2.63-1 +- Allow containers to create icmp packets + +* Fri May 25 2018 Lokesh Mandvekar (Bot) - 2:2.62-1.git1ecf953 +- bump to 2.62 +- autobuilt 1ecf953 + +* Mon May 21 2018 Dan Walsh - 2.61-1 +- Allow spc_t to load kernel modules from inside of container + +* Mon May 21 2018 Dan Walsh - 2.60-1 +- Allow containers to list cgroup directories + +* Mon May 21 2018 Dan Walsh - 2.59-1 +- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. + +* Mon May 21 2018 Dan Walsh - 2.58-2 +- Run restorecon /usr/bin/podman in postinstall + +* Fri May 18 2018 Dan Walsh - 2.58-1 +- Add labels to allow podman to be run from a systemd unit file + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91 +- autobuilt commit d248f91 + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-11.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-10.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-9.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-8 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-7 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-6 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-5 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-4 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-3 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-2 +- autobuilt commit d248f91 + +* Thu Mar 15 2018 Dan Walsh - 2.55-1 +- Dontaudit attempts by containers to write to /proc/self + +* Wed Mar 14 2018 Dan Walsh - 2.54-1 +- Add rules for container domains to make writing custom policy easier +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Thu Mar 8 2018 Dan Walsh - 2.52-1 +- Add rules for container domains to make writing custom policy easier + +* Thu Mar 8 2018 Dan Walsh - 2.51-1 +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Wed Mar 7 2018 Dan Walsh - 2.50-1 +- Allow bin_t as a container_runtime_t entrypoint +- Add rules for running container runtimes on mls + * Thu Feb 15 2018 Dan Walsh - 2.48-1 - Allow container domains to map container_file_t directories @@ -124,7 +302,7 @@ fi - Change default label of /exports to container_var_lib_t * Fri Feb 09 2018 Igor Gnatenko - 2:2.46-3 -- Escape macros in %%changelog +- Escape macros in %%CHANGELOG * Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index 7d4636f..c9c3a02 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-663e003.tar.gz) = e81b7b8e61e09ddb0ffdfe95b7135b3cf9d10719e325b9349364aad7c805e0944ee5baddb8763bf19202537ed8439c255259ec87cc32457da867a10d97cd8d4a +SHA512 (container-selinux-2521d0d.tar.gz) = 316c85c5b7d061d7691047f09c721dd85fd65ed306991b8c49b2ba4aa88d25ed8ef68a8a8d8a38d331066beab79918253df93e7daf246d5de7bb76741e082115