From c7cb5127d914404def02a258e2904957f444beb4 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 7 Mar 2018 06:00:55 +0000
Subject: [PATCH 01/44] Allow bin_t as a container_runtime_t entrypoint Add rules for running container runtimes on mls

---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 51e935c..f40f3c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,4 @@
 /container-selinux-2377c73.tar.gz
 /container-selinux-aece4ff.tar.gz
 /container-selinux-663e003.tar.gz
+/container-selinux-fd7d508.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 8de89a0..0879ce3 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 663e003b8797564398648b20ad41cf094f87a86e
+%global commit0 fd7d5085365c3a04e601debbdb0c7f1ceb32afb7
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.48
+Version: 2.50
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Wed Mar 7 2018 Dan Walsh - 2.50-1
+- Allow bin_t as a container_runtime_t entrypoint
+- Add rules for running container runtimes on mls
+
 * Thu Feb 15 2018 Dan Walsh - 2.48-1
 - Allow container domains to map container_file_t directories
 
diff --git a/sources b/sources
index 7d4636f..2439e3e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-663e003.tar.gz) = e81b7b8e61e09ddb0ffdfe95b7135b3cf9d10719e325b9349364aad7c805e0944ee5baddb8763bf19202537ed8439c255259ec87cc32457da867a10d97cd8d4a
+SHA512 (container-selinux-fd7d508.tar.gz) = 3c627b973db2e86bdd389463fc5f2298740472117e02b76c18a35ec266b273b5e2d2b35212f3d307d80f586f24f767a78850772250d5b773969ef48568043343

From 86dcbf0729360dc998ccbc41c975314c8d616239 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 8 Mar 2018 07:54:44 +0000
Subject: [PATCH 02/44] Allow shell_exec_t as a container_runtime_t entrypoint

---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index f40f3c1..790d38d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,4 @@
 /container-selinux-aece4ff.tar.gz
 /container-selinux-663e003.tar.gz
 /container-selinux-fd7d508.tar.gz
+/container-selinux-fd50128.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 0879ce3..031ee58 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 fd7d5085365c3a04e601debbdb0c7f1ceb32afb7
+%global commit0 fd5012800ea530d629af7e0290066002e17ac054
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.50
+Version: 2.51
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Thu Mar 8 2018 Dan Walsh - 2.51-1
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
 * Wed Mar 7 2018 Dan Walsh - 2.50-1
 - Allow bin_t as a container_runtime_t entrypoint
 - Add rules for running container runtimes on mls
diff --git a/sources b/sources
index 2439e3e..5557ec4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-fd7d508.tar.gz) = 3c627b973db2e86bdd389463fc5f2298740472117e02b76c18a35ec266b273b5e2d2b35212f3d307d80f586f24f767a78850772250d5b773969ef48568043343
+SHA512 (container-selinux-fd50128.tar.gz) = 9f2b4a3e16bf31931488813ffb7167621836ab555657a21f29af07f9ebefa04e0cc50eaa2a25a3fd817799656023bdcf3b137f81aff98b2a1c0ba1e887529766

From 674c31073ec60bc4a91a5fd9c20c75a8da99758c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 8 Mar 2018 14:33:37 +0000
Subject: [PATCH 03/44] Add rules for container domains to make writing custom policy easier

---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 790d38d..78abd50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@
 /container-selinux-663e003.tar.gz
 /container-selinux-fd7d508.tar.gz
 /container-selinux-fd50128.tar.gz
+/container-selinux-bdc0137.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 031ee58..e6a21af 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 fd5012800ea530d629af7e0290066002e17ac054
+%global commit0 bdc0137288e5fe3616c32cd0a02de9aee1503897
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.51
+Version: 2.52
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Thu Mar 8 2018 Dan Walsh - 2.52-1
+- Add rules for container domains to make writing custom policy easier
+
 * Thu Mar 8 2018 Dan Walsh - 2.51-1
 - Allow shell_exec_t as a container_runtime_t entrypoint
 
diff --git a/sources b/sources
index 5557ec4..49bd965 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-fd50128.tar.gz) = 9f2b4a3e16bf31931488813ffb7167621836ab555657a21f29af07f9ebefa04e0cc50eaa2a25a3fd817799656023bdcf3b137f81aff98b2a1c0ba1e887529766
+SHA512 (container-selinux-bdc0137.tar.gz) = 011891936937ad62122f4026e4247d8dbb3ae7c9317d37e419438924e8c4f37d9092f5f3739cd9ca9de526445c4a7a147a956646c852ef1abd9e4f456e77594b

From bf9a01ccbb5fdd5609a54b141dac21ccaff2dfb1 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 14 Mar 2018 10:52:26 -0400
Subject: [PATCH 04/44] Add rules for container domains to make writing custom policy easier Allow shell_exec_t as a container_runtime_t entrypoint

---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 78abd50..51e8133 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,4 @@
 /container-selinux-fd7d508.tar.gz
 /container-selinux-fd50128.tar.gz
 /container-selinux-bdc0137.tar.gz
+/container-selinux-55c7d4d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index e6a21af..53ae942 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 bdc0137288e5fe3616c32cd0a02de9aee1503897
+%global commit0 55c7d4dfeb063bd6177ebe2e4c5b8c466facdb16
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.52
+Version: 2.54
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Wed Mar 14 2018 Dan Walsh - 2.54-1
+- Add rules for container domains to make writing custom policy easier
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
 * Thu Mar 8 2018 Dan Walsh - 2.52-1
 - Add rules for container domains to make writing custom policy easier
 
diff --git a/sources b/sources
index 49bd965..134881e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-bdc0137.tar.gz) = 011891936937ad62122f4026e4247d8dbb3ae7c9317d37e419438924e8c4f37d9092f5f3739cd9ca9de526445c4a7a147a956646c852ef1abd9e4f456e77594b
+SHA512 (container-selinux-55c7d4d.tar.gz) = d148367e0e1112cb7430e891e5e6d29ca2edfe4af8ad7ca495938b2e1aed4354f41e5e0426c3ff96bf8f8c06a86ae6ef7f88207970009fe0cb1a6b67a5e75e3a

From 33199652ef445b68b92996d778f86240ac340cc9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 15 Mar 2018 07:14:57 -0400
Subject: [PATCH 05/44] Dontaudit attempts by containers to write to /proc/self

---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 51e8133..644c033 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@
 /container-selinux-fd50128.tar.gz
 /container-selinux-bdc0137.tar.gz
 /container-selinux-55c7d4d.tar.gz
+/container-selinux-d248f91.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 53ae942..15610c7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 55c7d4dfeb063bd6177ebe2e4c5b8c466facdb16
+%global commit0 d248f9197acde3e7c489f2ee09c10f8b29ef1a68
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.54
+Version: 2.55
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Thu Mar 15 2018 Dan Walsh - 2.55-1
+- Dontaudit attempts by containers to write to /proc/self
+
 * Wed Mar 14 2018 Dan Walsh - 2.54-1
 - Add rules for container domains to make writing custom policy easier
 - Allow shell_exec_t as a container_runtime_t entrypoint
diff --git a/sources b/sources
index 134881e..eb6df7c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-55c7d4d.tar.gz) = d148367e0e1112cb7430e891e5e6d29ca2edfe4af8ad7ca495938b2e1aed4354f41e5e0426c3ff96bf8f8c06a86ae6ef7f88207970009fe0cb1a6b67a5e75e3a
+SHA512 (container-selinux-d248f91.tar.gz) = 28f7a36228581fce097f3c0a3798a727300f609dc927d976c4cf0d8c10834a3695503b1f340bc73ba86fdca4906cd12cf0c73804a40dfd1e99aecaa9e2bc3917

From 756fee04092c6ae45953f044e27a0587ab33217c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 18 May 2018 11:54:18 -0400
Subject: [PATCH 06/44] Add labels to allow podman to be run from a systemd unit file

---
 .gitignore | 1 +
 container-selinux.spec | 60 +++++++++++++++++++++++++++++++++++++-----
 sources | 2 +-
 3 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index 644c033..041a4e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,4 @@
 /container-selinux-bdc0137.tar.gz
 /container-selinux-55c7d4d.tar.gz
 /container-selinux-d248f91.tar.gz
+/container-selinux-d213769.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 15610c7..dabdc01 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,12 +3,13 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d248f9197acde3e7c489f2ee09c10f8b29ef1a68
+%global commit0 d2137698cba817ee241a02210b7d63473bd38233
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
-%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7})
 %endif
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
@@ -35,13 +36,18 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.55
-Release: 1%{?dist}
+Version: 2.58
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
+%if 0%{?fedora} || 0%{?rhel} >7
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+%else
+Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
+%endif
 BuildArch: noarch
+BuildRequires: git
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %{selinux_policyver}
 BuildRequires: selinux-policy-devel >= %{selinux_policyver}
@@ -64,7 +70,11 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 
 %prep
-%setup -q -n %{name}-%{commit0}
+%if 0%{?fedora} || 0%{?rhel} > 7
+%autosetup -Sgit -n %{name}-%{commit0}
+%else
+%autosetup -Sgit -n %{name}-%{el_commit0}
+%endif
 
 %build
 make
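Review bot: The `%if 0%{?fedora} || 0%{?rhel} >7` guard added around Source0 spells the distro test differently from the two other copies in this hunk (`> 7`), so a grep for the condition no longer finds all three places that have to stay in sync. The repetition itself comes only from renaming the CentOS commit to `el_commit0`: unless there is a reason not visible here, keeping one `commit0` assigned per branch, as the spec did before, lets `shortcommit0`, Source0 and the `%autosetup` line each be written once, removing two of the new `%if` blocks. At minimum write the new guard as `%if 0%{?fedora} || 0%{?rhel} > 7` so it matches the others.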
@@ -117,6 +127,42 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Fri May 18 2018 Dan Walsh - 2.57-1
+- Add labels to allow podman to be run from a systemd unit file
+
+* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91
+- autobuilt commit d248f91
+
+* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-11.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-10.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-9.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-8
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-7
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-6
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-5
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-4
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-3
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-2
+- autobuilt commit d248f91
+
 * Thu Mar 15 2018 Dan Walsh - 2.55-1
 - Dontaudit attempts by containers to write to /proc/self
 
@@ -141,7 +187,7 @@ fi
 - Change default label of /exports to container_var_lib_t
 
 * Fri Feb 09 2018 Igor Gnatenko - 2:2.46-3
-- Escape macros in %%changelog
+- Escape macros in %%CHANGELOG
 
 * Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
diff --git a/sources b/sources
index eb6df7c..480858b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d248f91.tar.gz) = 28f7a36228581fce097f3c0a3798a727300f609dc927d976c4cf0d8c10834a3695503b1f340bc73ba86fdca4906cd12cf0c73804a40dfd1e99aecaa9e2bc3917
+SHA512 (container-selinux-d213769.tar.gz) = 94c3b6b097b9ad6b943bfec4b0d28d38a6fd10057b75c4236f03e52383361d1209d4c96acd02c2295707db037b26e5269eec5ead077bd90017518ea58fd5cc7a
From 7c45987c4d36991409f352dcd930de76e4759017 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 21 May 2018 11:04:14 -0400
Subject: [PATCH 07/44] Run restorecon /usr/bin/podman in postinstall

---
 container-selinux.spec | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/container-selinux.spec b/container-selinux.spec
index dabdc01..7e67c30 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -23,7 +23,7 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
 %if 0%{?fedora} >= 22 || 0%{?rhel} > 7
@@ -37,7 +37,7 @@ Name: container-selinux
 Epoch: 2
 %endif
 Version: 2.58
-Release: 1.git%{shortcommit0}%{?dist}
+Release: 2.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
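Review bot: The rewritten `relabel_files` line still lists `%{_sysconfdir}/docker` twice, once after docker.pid and again just before `%{_libexecdir}/docker*`; since the line is being replaced anyway, the second copy should go. More important for the new `%{_bindir}/*podman*` entry, the whole restorecon runs under `&> /dev/null || :`, so if the relabel fails (for instance when nothing matches the glob and the literal pattern is handed to restorecon) the podman binary silently keeps whatever label it had and nothing reaches the scriptlet output. Keeping stderr while still ignoring the exit status, `> /dev/null || :` instead of `&> /dev/null || :`, makes a failed relabel visible at install time without changing what the macro does on success.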
@@ -127,7 +127,10 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
-* Fri May 18 2018 Dan Walsh - 2.57-1
+* Mon May 21 2018 Dan Walsh - 2.58-2
+- Run restorecon /usr/bin/podman in postinstall
+
+* Fri May 18 2018 Dan Walsh - 2.58-1
 - Add labels to allow podman to be run from a systemd unit file
 
 * Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91

From d59090688e606bde0527cd5f6d7f5a140cecc287 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 21 May 2018 12:49:55 -0400
Subject: [PATCH 08/44] Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.

---
 .gitignore | 1 +
 container-selinux.spec | 9 ++++++---
 sources | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 041a4e4..511bfce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,4 @@
 /container-selinux-55c7d4d.tar.gz
 /container-selinux-d248f91.tar.gz
 /container-selinux-d213769.tar.gz
+/container-selinux-701557f.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 7e67c30..dcd40e5 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d2137698cba817ee241a02210b7d63473bd38233
+%global commit0 701557f1cd94a488a191215db04123ae533c5142
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,8 +36,8 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.58
-Release: 2.git%{shortcommit0}%{?dist}
+Version: 2.59
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -127,6 +127,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Mon May 21 2018 Dan Walsh - 2.59-1
+- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.
+
 * Mon May 21 2018 Dan Walsh - 2.58-2
 - Run restorecon /usr/bin/podman in postinstall
 
diff --git a/sources b/sources
index 480858b..9bfdad7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d213769.tar.gz) = 94c3b6b097b9ad6b943bfec4b0d28d38a6fd10057b75c4236f03e52383361d1209d4c96acd02c2295707db037b26e5269eec5ead077bd90017518ea58fd5cc7a
+SHA512 (container-selinux-701557f.tar.gz) = 407baf6258b40241905ca682e1f0f7ad7109bd05bb92efad8c88defdf257b374353b6dacfac343d0a6e2347236d80e408edf320e95e5bf31e97b26e7829e876e

From 9e4b466b99323cb66f1711bf949003c3959a6bad Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 21 May 2018 13:20:06 -0400
Subject: [PATCH 09/44] Allow containers to list cgroup directories

---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 511bfce..513b13f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,4 @@
 /container-selinux-d248f91.tar.gz
 /container-selinux-d213769.tar.gz
 /container-selinux-701557f.tar.gz
+/container-selinux-97f8dfc.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index dcd40e5..ae7d2ab 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 701557f1cd94a488a191215db04123ae533c5142
+%global commit0 97f8dfc2baf1c27f7e1de9ca3e11299f7e6c32d8
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.59
+Version: 2.60
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Mon May 21 2018 Dan Walsh - 2.60-1
+- Allow containers to list cgroup directories
+
 * Mon May 21 2018 Dan Walsh - 2.59-1
 - Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.
 
diff --git a/sources b/sources
index 9bfdad7..da629a0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-701557f.tar.gz) = 407baf6258b40241905ca682e1f0f7ad7109bd05bb92efad8c88defdf257b374353b6dacfac343d0a6e2347236d80e408edf320e95e5bf31e97b26e7829e876e
+SHA512 (container-selinux-97f8dfc.tar.gz) = 3938f6b31a720571a948a5233c1a2b40417c87685fb22f78fb7b3d54fadde2cfe1cd53ad92fe150155ebd0a1ed4986598dbda866ca05e4948d5d919c99293ca9

From cdb16521764e4ecb9e8c94e7c97e44105d8cac72 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 21 May 2018 17:14:35 -0400
Subject: [PATCH 10/44] Allow spc_t to load kernel modules from inside of container

---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 513b13f..0d68d82 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,4 @@
 /container-selinux-d213769.tar.gz
 /container-selinux-701557f.tar.gz
 /container-selinux-97f8dfc.tar.gz
+/container-selinux-9b55129.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index ae7d2ab..1f9138f 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 97f8dfc2baf1c27f7e1de9ca3e11299f7e6c32d8
+%global commit0 9b55129d5f2f7178a5423c7232cf99d74c1f94b3
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.60
+Version: 2.61
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Mon May 21 2018 Dan Walsh - 2.61-1
+- Allow spc_t to load kernel modules from inside of container
+
 * Mon May 21 2018 Dan Walsh - 2.60-1
 - Allow containers to list cgroup directories
 
diff --git a/sources b/sources
index da629a0..40a3367 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-97f8dfc.tar.gz) = 3938f6b31a720571a948a5233c1a2b40417c87685fb22f78fb7b3d54fadde2cfe1cd53ad92fe150155ebd0a1ed4986598dbda866ca05e4948d5d919c99293ca9
+SHA512 (container-selinux-9b55129.tar.gz) = ddafb1237c393ffc4a328e7fa824c5c1f8c0b910be5d8a732a58965f76a6ec561846c968cd7baad0f108f653d027b7b4513b7a9c23823757edd5ae436ffa61b6

From 1e4522a1fe01b29eee127df99822d7d64d4a77f5 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 30 May 2018 11:10:40 -0400
Subject: [PATCH 11/44] Allow containers to create icmp packets

---
 .gitignore | 2 ++
 container-selinux.spec | 11 +++++++++--
 sources | 2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 0d68d82..ba75bf5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,5 @@
 /container-selinux-701557f.tar.gz
 /container-selinux-97f8dfc.tar.gz
 /container-selinux-9b55129.tar.gz
+/container-selinux-1ecf953.tar.gz
+/container-selinux-284f9e7.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1f9138f..0a7cf66 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 9b55129d5f2f7178a5423c7232cf99d74c1f94b3
+%global commit0 284f9e75b1356de59299f5aa6e7045243749f420
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.61
+Version: 2.63
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,13 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Wed May 30 2018 Dan Walsh - 2.63-1
+- Allow containers to create icmp packets
+
+* Fri May 25 2018 Lokesh Mandvekar (Bot) - 2:2.62-1.git1ecf953
+- bump to 2.62
+- autobuilt 1ecf953
+
 * Mon May 21 2018 Dan Walsh - 2.61-1
 - Allow spc_t to load kernel modules from inside of container
 
diff --git a/sources b/sources
index 40a3367..3b91760 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-9b55129.tar.gz) = ddafb1237c393ffc4a328e7fa824c5c1f8c0b910be5d8a732a58965f76a6ec561846c968cd7baad0f108f653d027b7b4513b7a9c23823757edd5ae436ffa61b6
+SHA512 (container-selinux-284f9e7.tar.gz) = b14bc6666da449525e53990ea2598e004f4383c851b7647f34d2ac7ee779130a95808d2dfbdd8381e2c90461205fa8d9a93ace5027af1fff2e724ab5b9945ea1

From 9fd108e2ff8721475235c1f564aab586e87ca0d6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sun, 3 Jun 2018 06:09:50 -0400
Subject: [PATCH 12/44] Allow containers to create all socket classes

---
 container-selinux.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/container-selinux.spec b/container-selinux.spec
index 0a7cf66..916dbed 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 284f9e75b1356de59299f5aa6e7045243749f420
+%global commit0 d34637560ae7e992abdb70b2edafe9588e80c3aa
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.63
+Version: 2.64
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,9 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Sun Jun 3 2018 Dan Walsh - 2.64-1
+- Allow containers to create all socket classes
+
 * Wed May 30 2018 Dan Walsh - 2.63-1
 - Allow containers to create icmp packets
 

From 8e946df4fbf839529738f2c45a0b77d407deec5c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sun, 3 Jun 2018 06:15:09 -0400
Subject: [PATCH 13/44] Allow containers to create all socket classes

---
 .gitignore | 1 +
 sources | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index ba75bf5..a473e8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,4 @@
 /container-selinux-9b55129.tar.gz
 /container-selinux-1ecf953.tar.gz
 /container-selinux-284f9e7.tar.gz
+/container-selinux-d346375.tar.gz
diff --git a/sources b/sources
index 3b91760..2bdfc14 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-284f9e7.tar.gz) = b14bc6666da449525e53990ea2598e004f4383c851b7647f34d2ac7ee779130a95808d2dfbdd8381e2c90461205fa8d9a93ace5027af1fff2e724ab5b9945ea1
+SHA512 (container-selinux-d346375.tar.gz) = 773ddd8f3c0280a1c88b75a619b961dfdc7aa95c807bebb161d80f04040dff3f039ca2eb0560f6ccf8a8d5367a96639c0fc634ac02b5ecd29b54dea028dcc9fc

From bc0cb4f1fa4f90f8edb835994d39c6dec0a59450 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 11 Jun 2018 08:56:05 -0400
Subject: [PATCH 14/44] Add new type to handle containers running with a non priv user in a userns allow containers to map all sockets

---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index a473e8e..3605338 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,3 +52,4 @@
 /container-selinux-1ecf953.tar.gz
 /container-selinux-284f9e7.tar.gz
 /container-selinux-d346375.tar.gz
+/container-selinux-bf5b26b.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 916dbed..ee16a60 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d34637560ae7e992abdb70b2edafe9588e80c3aa
+%global commit0 bf5b26b07c9fa182142566bdcd27e91f9355529c
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.64
+Version: 2.65
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,10 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Mon Jun 11 2018 Dan Walsh - 2.65-1
+- Add new type to handle containers running with a non priv user in a userns
+- allow containers to map all sockets
+
 * Sun Jun 3 2018 Dan Walsh - 2.64-1
 - Allow containers to create all socket classes
 
diff --git a/sources b/sources
index 2bdfc14..0f22f53 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d346375.tar.gz) = 773ddd8f3c0280a1c88b75a619b961dfdc7aa95c807bebb161d80f04040dff3f039ca2eb0560f6ccf8a8d5367a96639c0fc634ac02b5ecd29b54dea028dcc9fc
+SHA512 (container-selinux-bf5b26b.tar.gz) = 2227ef893bce792841ccca589c844ad8e9f5a067cb78f8f2c9f8d1224ac49ae9ec0d6894d2f165e90ecd253baf0e8e6ff94e55da4f535aa49d8cef6577ab211d

From 6c6c3368e52237956525d5b1248f8b15ad78df0e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 30 Jun 2018 07:26:26 -0400
Subject: [PATCH 15/44] Allow container runtimes to dbus chat with systemd-resolved

---
 container-selinux.spec | 13 ++++++++++---
 sources | 2 +-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/container-selinux.spec b/container-selinux.spec
index ee16a60..85a962f 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 bf5b26b07c9fa182142566bdcd27e91f9355529c
+%global commit0 8ecc282b93f70c91e6cfc23e5ddbe55a2628eaf8
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.65
+Version: 2.66
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,11 +127,18 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Sat Jun 30 2018 Dan Walsh - 2.66-1
+- Allow container runtimes to dbus chat with systemd-resolved
+
+* Tue Jun 12 2018 Lokesh Mandvekar (Bot) - 2:2.64-1.gitdfaf8fd
+- bump to 2.64
+- autobuilt dfaf8fd
+
 * Mon Jun 11 2018 Dan Walsh - 2.65-1
 - Add new type to handle containers running with a non priv user in a userns
 - allow containers to map all sockets
 
-* Sun Jun 3 2018 Dan Walsh - 2.64-1
+* Sun Jun 3 2018 Dan Walsh - 2.64-1.gitdfaf8fd
 - Allow containers to create all socket classes
 
 * Wed May 30 2018 Dan Walsh - 2.63-1
diff --git a/sources b/sources
index 0f22f53..135dda2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-bf5b26b.tar.gz) = 2227ef893bce792841ccca589c844ad8e9f5a067cb78f8f2c9f8d1224ac49ae9ec0d6894d2f165e90ecd253baf0e8e6ff94e55da4f535aa49d8cef6577ab211d
+SHA512 (container-selinux-8ecc282.tar.gz) = db120dceb1db050aa906f1fbc74a0c541345880e8c1eccf65355f1ce640c59e0493a025a3ab6c6b7c7ac385160694a0b23612572791412eb9d11eebe4da5460a

From 2cb353eb8d9bb38c376d68b1aa2395d1cdb5ada7 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 6 Jul 2018 07:39:50 -0400
Subject: [PATCH 16/44] Add policy for container_logreader_t

---
 .gitignore | 3 +++
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3605338..75b3c4a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,6 @@
 /container-selinux-284f9e7.tar.gz
 /container-selinux-d346375.tar.gz
 /container-selinux-bf5b26b.tar.gz
+/container-selinux-dfaf8fd.tar.gz
+/container-selinux-8ecc282.tar.gz
+/container-selinux-0407867.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 85a962f..fd24d7a 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 8ecc282b93f70c91e6cfc23e5ddbe55a2628eaf8
+%global commit0 04078674cd4f0125a2a650ca750ca9c3ca3529b9
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.66
+Version: 2.67
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -127,6 +127,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Jul 6 2018 Dan Walsh - 2.67-1
+- Add policy for container_logreader_t
+
 * Sat Jun 30 2018 Dan Walsh - 2.66-1
 - Allow container runtimes to dbus chat with systemd-resolved
diff --git a/sources b/sources
index 135dda2..b6f276e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-8ecc282.tar.gz) = db120dceb1db050aa906f1fbc74a0c541345880e8c1eccf65355f1ce640c59e0493a025a3ab6c6b7c7ac385160694a0b23612572791412eb9d11eebe4da5460a
+SHA512 (container-selinux-0407867.tar.gz) = e72b17bd3e43538c4ea28361572a5a81316566183b1511d5ad5c03d3afc9b75840f3aecad74b13643d338b89e1c9605ae2b7ca61fae5a95626dac6e1bc0455d6
From 8aa7633b9c9dbb92face26b2f6a0486736b8f7a8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 16 Jul 2018 12:22:24 -0400
Subject: [PATCH 17/44] Add label for /var/lib/origin
Add customizable_file_t to customizable_types
---
 .gitignore | 5 +++++
 container-selinux.spec | 23 +++++++++++++++++++----
 sources | 2 +-
 3 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 75b3c4a..a80c699 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,8 @@
 /container-selinux-dfaf8fd.tar.gz
 /container-selinux-8ecc282.tar.gz
 /container-selinux-0407867.tar.gz
+<<<<<<< Updated upstream
+/container-selinux-042f7cf.tar.gz
+=======
+/container-selinux-25277c8.tar.gz
+>>>>>>> Stashed changes
diff --git a/container-selinux.spec b/container-selinux.spec
index fd24d7a..14d6d71 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 04078674cd4f0125a2a650ca750ca9c3ca3529b9
+%global commit0 25277c867c16433c505a22840bbe90e4902a1f69
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
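Review bot: The .gitignore hunk commits unresolved merge-conflict markers — `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` are added as literal lines around the two tarball entries. Both `/container-selinux-042f7cf.tar.gz` and `/container-selinux-25277c8.tar.gz` should be kept and the three marker lines dropped before committing. As it stands the markers are carried through the following patches in this series until PATCH 35 removes them.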
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.67
+Version: 2.68
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -62,6 +62,7 @@ Requires(post): policycoreutils-python-utils
 Requires(post): policycoreutils-python
 %endif
 Requires(post): libselinux-utils
+Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
 Provides: docker-selinux = %{epoch}:%{version}-%{release}
@@ -109,6 +110,9 @@ if %{_sbindir}/selinuxenabled ; then
 restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
 fi
 fi
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
+
 %postun
 if [ $1 -eq 0 ]; then
@@ -127,8 +131,19 @@ fi
 %{_datadir}/selinux/*
 %changelog
-* Fri Jul 6 2018 Dan Walsh - 2.67-1
-- Add policy for container_logreader_t
+* Mon Jul 16 2018 Dan Walsh - 2.67-1
+- Add label for /var/lib/origin
+- Add customizable_file_t to customizable_types
+
+* Thu Jul 12 2018 Fedora Release Engineering - 2:2.67-3.dev.git042f7cf
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 09 2018 Lokesh Mandvekar (Bot) - 2:2.67-2.git042f7cf
+- autobuilt 042f7cf
+
+* Sat Jul 07 2018 Lokesh Mandvekar (Bot) - 2:2.67-1.git0407867
+- bump to 2.67
+- autobuilt 0407867
 * Sat Jun 30 2018 Dan Walsh - 2.66-1
 - Allow container runtimes to dbus chat with systemd-resolved
diff --git a/sources b/sources
index b6f276e..5acc311 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-0407867.tar.gz) = e72b17bd3e43538c4ea28361572a5a81316566183b1511d5ad5c03d3afc9b75840f3aecad74b13643d338b89e1c9605ae2b7ca61fae5a95626dac6e1bc0455d6
+SHA512 (container-selinux-25277c8.tar.gz) = b75d2f255cde830eeea4b081528289fd005b51622c6a6d6336dca4cd97a86bd0ae2b34880110ca3e2b06a405e496f3b302130e98cb89d379bae9cc0a79c38366
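Review bot: The `sed -i` added to %post can fail the whole scriptlet: it runs after the `fi` that closes the `selinuxenabled` check, it hardcodes `/etc/selinux` while the line above uses `%{_sysconfdir}`, and if the sourced config does not set `SELINUXTYPE` the target becomes `/etc/selinux//contexts/customizable_types`, so `sed -i` exits non-zero on the missing file with no `|| :` to absorb it, unlike every other command in this scriptlet. Sourcing the config with `.` also executes that file as shell rather than parsing the one key it needs. At minimum guard the edit: `ctx=%{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types` / `[ -n "$SELINUXTYPE" ] && [ -f "$ctx" ] && sed -e '...' -i "$ctx" || :` with the sed expression unchanged. The changelog hunk below keeps the new header at `2.67-1` although `Version` is bumped to 2.68 and deletes the original 2.67-1 entry; the %post body starts outside the hunk.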
From a39f328a870e22c1b7628756e9eff0c3e255a31e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 25 Jul 2018 17:36:04 -0400
Subject: [PATCH 18/44] dontaudit attempts to write to sysctl_kernel_t
---
 .gitignore | 2 ++
 container-selinux.spec | 10 ++++++++--
 sources | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index a80c699..60cb8d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,3 +61,5 @@
 =======
 /container-selinux-25277c8.tar.gz
 >>>>>>> Stashed changes
+/container-selinux-c139a3d.tar.gz
+/container-selinux-452b90d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 14d6d71..62e489e 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 25277c867c16433c505a22840bbe90e4902a1f69
+%global commit0 452b90de0cbc75f0a55defa1d45b7bc337d4f076
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.68
+Version: 2.69
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -131,6 +131,12 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Jul 25 2018 Dan Walsh - 2.69-1
+- dontaudit attempts to write to sysctl_kernel_t
+
+* Wed Jul 18 2018 Lokesh Mandvekar (Bot) - 2:2.68-2.gitc139a3d
+- autobuilt c139a3d
+
 * Mon Jul 16 2018 Dan Walsh - 2.67-1
 - Add label for /var/lib/origin
 - Add customizable_file_t to customizable_types
diff --git a/sources b/sources
index 5acc311..dab2d47 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-25277c8.tar.gz) = b75d2f255cde830eeea4b081528289fd005b51622c6a6d6336dca4cd97a86bd0ae2b34880110ca3e2b06a405e496f3b302130e98cb89d379bae9cc0a79c38366
+SHA512 (container-selinux-452b90d.tar.gz) = f9bc9c9fafd98aca03b755dc44807baec3aec2b0a97bd539be6b49bc2f1f571973bef8e8a716ef990255f4b26ef9650e2c03ce9bf3ee0961f99205e309475944
From 00ca04d5cacb49b413b4984c0d42c40c6a997510 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 10 Aug 2018 07:12:10 -0600
Subject: [PATCH 19/44] Add trigger to relabel content on /var/lib/containers on older versions of package
---
 container-selinux.spec | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index 62e489e..aa7cafe 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -37,7 +37,7 @@ Name: container-selinux
 Epoch: 2
 %endif
 Version: 2.69
-Release: 1.git%{shortcommit0}%{?dist}
+Release: 2.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -108,6 +108,7 @@ if %{_sbindir}/selinuxenabled ; then
 %relabel_files
 if [ $1 -eq 1 ]; then
 restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
+ restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 fi
 fi
 . %{_sysconfdir}/selinux/config
@@ -130,7 +131,15 @@ fi
 %doc README.md
 %{_datadir}/selinux/*
+%triggerin -- container-selinux < 2.69-2
+restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+exit 0
+
 %changelog
+* Fri Aug 10 2018 Dan Walsh - 2.69-2
+- Add trigger to relabel content on /var/lib/containers on older versions of
+package
+
 * Wed Jul 25 2018 Dan Walsh - 2.69-1
 - dontaudit attempts to write to sysctl_kernel_t
From bf41ee3359f905f4cb543baef9b7ea8f061c1c56 Mon Sep 17 00:00:00 2001
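Review bot: The `%triggerin -- container-selinux < 2.69-2` bound omits the epoch although the spec sets `Epoch: 2` on Fedora and spells its own `Obsoletes: %{name} <= 2:1.12.5-13` with `2:`; depending on rpm's epoch-promotion setting an un-epoched `< 2.69-2` may never match an installed `2:2.69-1`, so it should presumably read `%triggerin -- container-selinux < 2:2.69-2` (confirm against the target rpm). The trigger body also runs restorecon without the `selinuxenabled` check that the %post copy sits under, and the trailing `exit 0` is redundant after `|| :` while masking any other failure in the body. The %post restorecon added in the earlier hunk is inside `if [ $1 -eq 1 ]`, i.e. fresh install only; if the goal is relabeling on upgrade from older releases, an `if [ $1 -ge 2 ]` branch there would cover it without a self-trigger. The enclosing %post body starts outside the hunk.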
From: Daniel J Walsh
Date: Fri, 10 Aug 2018 07:14:01 -0600
Subject: [PATCH 20/44] Add trigger to relabel content on /var/lib/containers on older versions of package
---
 container-selinux.spec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/container-selinux.spec b/container-selinux.spec
index aa7cafe..29e9372 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -62,6 +62,7 @@ Requires(post): policycoreutils-python-utils
 Requires(post): policycoreutils-python
 %endif
 Requires(post): libselinux-utils
+Requires(post): libsemanage >= 2.8-2
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
From 02a599cecb197d9c2261d1af30e4895e806f7bca Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 10 Aug 2018 08:14:38 -0600
Subject: [PATCH 21/44] Relabel /var/lib/containers if directory is mislabeled
---
 container-selinux.spec | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index 29e9372..f410cd3 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -37,7 +37,7 @@ Name: container-selinux
 Epoch: 2
 %endif
 Version: 2.69
-Release: 2.git%{shortcommit0}%{?dist}
+Release: 3.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -114,7 +114,7 @@ if %{_sbindir}/selinuxenabled ; then
 fi
 . %{_sysconfdir}/selinux/config
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
-
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R -v %{_sharedstatedir}/containers &> /dev/null
 %postun
 if [ $1 -eq 0 ]; then
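Review bot: The new `matchpathcon -qV ... || restorecon -R -v ... &> /dev/null` line has no trailing `|| :`, so when `%{_sharedstatedir}/containers` does not exist or restorecon fails, %post exits non-zero and the package transaction fails; every other restorecon in this scriptlet ends with `|| :` (PATCH 25 later in this series adds it here too). `-v` is pointless with both streams sent to /dev/null. The line also sits after the `fi` of the `selinuxenabled` block, so on a host with SELinux disabled `matchpathcon -V` fails and restorecon is attempted anyway; moving it inside that block would be cleaner than relying on the redirection. The enclosing %post body starts outside the hunk.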
@@ -132,14 +132,9 @@ fi
 %doc README.md
 %{_datadir}/selinux/*
-%triggerin -- container-selinux < 2.69-2
-restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
-exit 0
-
 %changelog
-* Fri Aug 10 2018 Dan Walsh - 2.69-2
-- Add trigger to relabel content on /var/lib/containers on older versions of
-package
+* Fri Aug 10 2018 Dan Walsh - 2.69-3
+- Relabel /var/lib/containers if directory is mislabeled
 * Wed Jul 25 2018 Dan Walsh - 2.69-1
 - dontaudit attempts to write to sysctl_kernel_t
From d782494c7574efff7c8b0d47b3f2cf934deaa48f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 21 Aug 2018 11:47:03 -0700
Subject: [PATCH 22/44] Relabel /var/lib/containers if directory is mislabeled gi
---
 container-selinux.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index f410cd3..1bd1668 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -135,7 +135,7 @@ fi
 %changelog
 * Fri Aug 10 2018 Dan Walsh - 2.69-3
 - Relabel /var/lib/containers if directory is mislabeled
-
+gi
 * Wed Jul 25 2018 Dan Walsh - 2.69-1
 - dontaudit attempts to write to sysctl_kernel_t
From 042fa3fb2ab0d6d8d9144872f6c0d18b2e84e9a0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Aug 2018 07:32:35 -0700
Subject: [PATCH 23/44] Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
---
 .gitignore | 1 +
 container-selinux.spec | 9 ++++++---
 sources | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 60cb8d6..211b827 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,3 +63,4 @@
 >>>>>>> Stashed changes
 /container-selinux-c139a3d.tar.gz
 /container-selinux-452b90d.tar.gz
+/container-selinux-4e73492.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1bd1668..40c07a0 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 452b90de0cbc75f0a55defa1d45b7bc337d4f076
+%global commit0 4e73492e3e0f48ccfa84c946706359648cc6986e
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,8 +36,8 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.69
-Release: 3.git%{shortcommit0}%{?dist}
+Version: 2.70
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -133,6 +133,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Aug 22 2018 Dan Walsh - 2.70-1
+- Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
+
 * Fri Aug 10 2018 Dan Walsh - 2.69-3
 - Relabel /var/lib/containers if directory is mislabeled
 gi
diff --git a/sources b/sources
index dab2d47..683a5b7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-452b90d.tar.gz) = f9bc9c9fafd98aca03b755dc44807baec3aec2b0a97bd539be6b49bc2f1f571973bef8e8a716ef990255f4b26ef9650e2c03ce9bf3ee0961f99205e309475944
+SHA512 (container-selinux-4e73492.tar.gz) = 53bbccd00a37095165b27f03411304753bb41351bc29c756f026b3ae17bc1012dac3d1953c323a3dd75df578955f781710fd524e09f90f70a9e816165120594b
From 1146613931f42f617bb6c376b5862386468f647d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Aug 2018 18:19:53 -0700
Subject: [PATCH 24/44] Allow unconfined_r to transition to system_r over container_runtime_exec_t
Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 ++++---
 sources | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 211b827..addd98e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,4 @@
 /container-selinux-c139a3d.tar.gz
 /container-selinux-452b90d.tar.gz
 /container-selinux-4e73492.tar.gz
+/container-selinux-5721d74.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 40c07a0..5b9a90f 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 4e73492e3e0f48ccfa84c946706359648cc6986e
+%global commit0 5721d746acccaa840a9af5be6ee30ca3b0c2a2bb
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
@@ -36,7 +36,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.70
+Version: 2.71
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -133,7 +133,8 @@ fi
 %{_datadir}/selinux/*
 %changelog
-* Wed Aug 22 2018 Dan Walsh - 2.70-1
+* Wed Aug 22 2018 Dan Walsh - 2.71-1
+- Allow unconfined_r to transition to system_r over container_runtime_exec_t
 - Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
 * Fri Aug 10 2018 Dan Walsh - 2.69-3
diff --git a/sources b/sources
index 683a5b7..c7f4eec 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-4e73492.tar.gz) = 53bbccd00a37095165b27f03411304753bb41351bc29c756f026b3ae17bc1012dac3d1953c323a3dd75df578955f781710fd524e09f90f70a9e816165120594b
+SHA512 (container-selinux-5721d74.tar.gz) = 6c965d64022967cffad10fc7f69ef7111998c91dc6a5be4c227f00d82d6af6c4c6b9c86d1f6809204a7ee8bf950483b32efb5ee8ce05a0ad71a5e57c7f3230b3
From cfa5d8310e274a5384dce8fb98024d9fefd4b255 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Aug 2018 09:14:56 -0400
Subject: [PATCH 25/44] Fix restorecon to not error on missing directory
---
 container-selinux.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index 5b9a90f..be54c4e 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -37,7 +37,7 @@ Name: container-selinux
 Epoch: 2
 %endif
 Version: 2.71
-Release: 1.git%{shortcommit0}%{?dist}
+Release: 2.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -114,7 +114,7 @@ if %{_sbindir}/selinuxenabled ; then
 fi
 . %{_sysconfdir}/selinux/config
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
-matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R -v %{_sharedstatedir}/containers &> /dev/null
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 %postun
 if [ $1 -eq 0 ]; then
@@ -133,6 +133,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Aug 27 2018 Dan Walsh - 2.71-2
+- Fix restorecon to not error on missing directory
+
 * Wed Aug 22 2018 Dan Walsh - 2.71-1
 - Allow unconfined_r to transition to system_r over container_runtime_exec_t
 - Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
From 913c2876a8b21e8978d5cbf4e4158dd7046e632f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 12 Sep 2018 07:46:20 -0400
Subject: [PATCH 26/44] Allow container_runtimes to setattr on callers fifo_files
---
 container-selinux.spec | 40 ++++++++++------------------------------
 1 file changed, 10 insertions(+), 30 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index be54c4e..2b5276c 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,14 +2,8 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 5721d746acccaa840a9af5be6ee30ca3b0c2a2bb
+%global commit0 f6c7f410ca8bfe20bd0a217dd75b22735a32f212
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
-%else
-# use upstream's RHEL-1.12 branch for CentOS 7
-%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
-%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7})
-%endif
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
@@ -26,26 +20,18 @@
 %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 # Version of SELinux we were using
-%if 0%{?fedora} >= 22 || 0%{?rhel} > 7
 %global selinux_policyver 3.13.1-220
-%else
-%global selinux_policyver 3.13.1-39
-%endif
 Name: container-selinux
-%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
+%if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.71
-Release: 2.git%{shortcommit0}%{?dist}
+Version: 2.72
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
-%if 0%{?fedora} || 0%{?rhel} >7
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-%else
-Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
-%endif
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
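Review bot: `%if 0%{?fedora}` around `Epoch: 2` narrows the previous `%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7`, so on CentOS/RHEL 8 builds the package loses its epoch: rpm orders `2:2.71-2` above `2.72-1`, so this release will not upgrade an installed 2.71 there, and `Provides: docker-selinux = %{epoch}:%{version}-%{release}` (outside this hunk) presumably no longer expands to a usable version once Epoch is unset — verify with rpmbuild. If dropping the non-Fedora conditionals is intended, keep the epoch unconditional (`Epoch: 2`) and say so in the commit message and changelog, which currently only mention a setattr rule. The `@@ -56` hunk on the next line likewise silently drops the `Requires(post): libsemanage >= 2.8-2` that PATCH 20 had just added.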
@@ -56,13 +42,8 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-%if 0%{?fedora} || 0%{?rhel} > 7
 Requires(post): policycoreutils-python-utils
-%else
-Requires(post): policycoreutils-python
-%endif
 Requires(post): libselinux-utils
-Requires(post): libsemanage >= 2.8-2
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
@@ -72,11 +53,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%if 0%{?fedora} || 0%{?rhel} > 7
 %autosetup -Sgit -n %{name}-%{commit0}
-%else
-%autosetup -Sgit -n %{name}-%{el_commit0}
-%endif
 %build
 make
@@ -116,6 +93,7 @@ fi
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
 %postun
 if [ $1 -eq 0 ]; then
 %{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
@@ -133,16 +111,18 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Sep 12 2018 Dan Walsh - 2.72-1
+- Allow container_runtimes to setattr on callers fifo_files
+
 * Mon Aug 27 2018 Dan Walsh - 2.71-2
 - Fix restorecon to not error on missing directory
 * Wed Aug 22 2018 Dan Walsh - 2.71-1
 - Allow unconfined_r to transition to system_r over container_runtime_exec_t
+
+* Wed Aug 22 2018 Dan Walsh - 2.70-1
 - Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
-* Fri Aug 10 2018 Dan Walsh - 2.69-3
-- Relabel /var/lib/containers if directory is mislabeled
-gi
 * Wed Jul 25 2018 Dan Walsh - 2.69-1
 - dontaudit attempts to write to sysctl_kernel_t
From 9aaa11d503572b3a0f171447d6080fee068bbb56 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 13 Sep 2018 09:34:22 -0400
Subject: [PATCH 27/44] Define spc_t as a container_domain, so that container_runtime will transition to spc_t even when setup with nosuid.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index addd98e..5d8f5df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,4 @@
 /container-selinux-452b90d.tar.gz
 /container-selinux-4e73492.tar.gz
 /container-selinux-5721d74.tar.gz
+/container-selinux-d7a3f33.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 2b5276c..5445396 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%global commit0 f6c7f410ca8bfe20bd0a217dd75b22735a32f212
+%global commit0 d7a3f33548ae5c5912006dc2b14270d650f5e52f
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -26,7 +26,7 @@ Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.72
+Version: 2.73
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -111,6 +111,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Sep 12 2018 Dan Walsh - 2.73-1
+- Define spc_t as a container_domain, so that container_runtime will transition
+to spc_t even when setup with nosuid.
+
 * Wed Sep 12 2018 Dan Walsh - 2.72-1
 - Allow container_runtimes to setattr on callers fifo_files
diff --git a/sources b/sources
index c7f4eec..22fed4c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-5721d74.tar.gz) = 6c965d64022967cffad10fc7f69ef7111998c91dc6a5be4c227f00d82d6af6c4c6b9c86d1f6809204a7ee8bf950483b32efb5ee8ce05a0ad71a5e57c7f3230b3
+SHA512 (container-selinux-d7a3f33.tar.gz) = c2db2bc9e1bc8de49631d8d40210bcb065af21892c4ee4f94f13dcbb1bbd61c18b95b086aa0f83205c060b497581e1ed7bb9dda5c927b32cebc48c456bdfd553
From cbb35d458f97fe47aaa8c68ab8ef7e703fe1e266 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 22 Sep 2018 06:40:52 -0400
Subject: [PATCH 28/44] Remove requires for policycoreutils-python-utils we don't need it.
---
 container-selinux.spec | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index 5445396..84d6f98 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -27,7 +27,7 @@ Name: container-selinux
 Epoch: 2
 %endif
 Version: 2.73
-Release: 1.git%{shortcommit0}%{?dist}
+Release: 2.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -42,7 +42,6 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-Requires(post): policycoreutils-python-utils
 Requires(post): libselinux-utils
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
@@ -93,7 +92,6 @@ fi
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
-
 %postun
 if [ $1 -eq 0 ]; then
 %{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
@@ -111,6 +109,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Sep 22 2018 Dan Walsh - 2.73-2
+- Remove requires for policycoreutils-python-utils we don't need it.
+
 * Wed Sep 12 2018 Dan Walsh - 2.73-1
 - Define spc_t as a container_domain, so that container_runtime will transition
 to spc_t even when setup with nosuid.
From c59cf7259999a04b6762afdab458860dc6db53ec Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 19 Oct 2018 17:46:14 -0400
Subject: [PATCH 29/44] Allow containers to setexec themselves
---
 .gitignore | 1 +
 container-selinux.spec | 9 ++++++---
 sources | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5d8f5df..2e1d733 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,3 +66,4 @@
 /container-selinux-4e73492.tar.gz
 /container-selinux-5721d74.tar.gz
 /container-selinux-d7a3f33.tar.gz
+/container-selinux-a62c2db.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 84d6f98..b8ebc9c 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%global commit0 d7a3f33548ae5c5912006dc2b14270d650f5e52f
+%global commit0 a62c2dbcdbe98d3f975d617f55faabafe7835357
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -26,8 +26,8 @@ Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.73
-Release: 2.git%{shortcommit0}%{?dist}
+Version: 2.74
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -109,6 +109,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Oct 19 2018 Dan Walsh - 2.74-1
+- Allow containers to setexec themselves
+
 * Sat Sep 22 2018 Dan Walsh - 2.73-2
 - Remove requires for policycoreutils-python-utils we don't need it.
diff --git a/sources b/sources
index 22fed4c..f8be47a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d7a3f33.tar.gz) = c2db2bc9e1bc8de49631d8d40210bcb065af21892c4ee4f94f13dcbb1bbd61c18b95b086aa0f83205c060b497581e1ed7bb9dda5c927b32cebc48c456bdfd553
+SHA512 (container-selinux-a62c2db.tar.gz) = d74911fcb3c4102515c56af2893bbdc03b2e45214a93fd5f1cabc1b55bfa526e3f79da35be3250ab5fb5045a1d4b34809f0965644885844182e166d2f0c1af78
From a94f741648a6441ea34b76d69d1c642c3ef68ba7 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 30 Oct 2018 08:34:33 -0400
Subject: [PATCH 30/44] Allow containers to use fuse file systems by default
---
 .gitignore | 1 +
 container-selinux.spec | 9 ++++++---
 sources | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2e1d733..2884676 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,3 +67,4 @@
 /container-selinux-5721d74.tar.gz
 /container-selinux-d7a3f33.tar.gz
 /container-selinux-a62c2db.tar.gz
+/container-selinux-99e2cfd.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index b8ebc9c..f833f39 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%global commit0 a62c2dbcdbe98d3f975d617f55faabafe7835357
+%global commit0 99e2cfd56536d1c2463ad7a68c29bb478eb67e8a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -26,7 +26,7 @@ Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.74
+Version: 2.75
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -109,6 +109,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Oct 30 2018 Dan Walsh - 2.75-1
+- Allow containers to use fuse file systems by default
+
 * Fri Oct 19 2018 Dan Walsh - 2.74-1
 - Allow containers to setexec themselves
@@ -121,7 +124,7 @@ to spc_t even when setup with nosuid.
 * Wed Sep 12 2018 Dan Walsh - 2.72-1
 - Allow container_runtimes to setattr on callers fifo_files
-
+github.com/opencontainers/selinux
 * Mon Aug 27 2018 Dan Walsh - 2.71-2
 - Fix restorecon to not error on missing directory
diff --git a/sources b/sources
index f8be47a..16a8920 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-a62c2db.tar.gz) = d74911fcb3c4102515c56af2893bbdc03b2e45214a93fd5f1cabc1b55bfa526e3f79da35be3250ab5fb5045a1d4b34809f0965644885844182e166d2f0c1af78
+SHA512 (container-selinux-99e2cfd.tar.gz) = 489f420cb14bf6049eab9f2939bb61a98cdae43bc2d78d3607760922158e519d3bf6781b8f652ce6ed74ce03d8f453ee621860471324c932fe723c645b9ef8cd
From 20a70176d88e29e3729c2d4228e3ef857b0a7c87 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 12 Nov 2018 15:49:25 -0500
Subject: [PATCH 31/44] Allow containers to sendto dgram socket of container runtimes
Needed to run container runtimes in notify socket unit files.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2884676..f991c91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,4 @@
 /container-selinux-d7a3f33.tar.gz
 /container-selinux-a62c2db.tar.gz
 /container-selinux-99e2cfd.tar.gz
+/container-selinux-87fae85.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index f833f39..cb00b61 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%global commit0 99e2cfd56536d1c2463ad7a68c29bb478eb67e8a
+%global commit0 87fae856c438047d472db4e1b083e8a8f8ed3103
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -26,7 +26,7 @@ Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.75
+Version: 2.76
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -109,6 +109,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Nov 12 2018 Dan Walsh - 2.76-1
+- Allow containers to sendto dgram socket of container runtimes
+- Needed to run container runtimes in notify socket unit files.
+
 * Tue Oct 30 2018 Dan Walsh - 2.75-1
 - Allow containers to use fuse file systems by default
diff --git a/sources b/sources
index 16a8920..29f4f57 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-99e2cfd.tar.gz) = 489f420cb14bf6049eab9f2939bb61a98cdae43bc2d78d3607760922158e519d3bf6781b8f652ce6ed74ce03d8f453ee621860471324c932fe723c645b9ef8cd
+SHA512 (container-selinux-87fae85.tar.gz) = 4ec03e76830fa2dc15602831cda3e9ca846b62d3f806049785bb94004f079314e6a2039987f02251ff54aa4a9ed890d558506861fe0986264cc610920a7f85df
From 3b465957a6bc2285cb8b65a16970c652188e7efb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 17 Dec 2018 14:24:55 -0500
Subject: [PATCH 32/44] Allow container-runtime to setattr on fifo_file handed into container runtime.
---
 .gitignore | 1 +
 container-selinux.spec | 13 ++++++++++---
 sources | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index f991c91..13b5e67 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,4 @@
 /container-selinux-a62c2db.tar.gz
 /container-selinux-99e2cfd.tar.gz
 /container-selinux-87fae85.tar.gz
+/container-selinux-5133af6.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index cb00b61..feb3430 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%global commit0 87fae856c438047d472db4e1b083e8a8f8ed3103
+%global commit0 5133af638a0b746e1ff3bd6d452038fdad7e7e98
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -26,7 +26,7 @@ Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.76
+Version: 2.77
 Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -109,11 +109,18 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Dec 17 2018 Dan Walsh - 2.77-1
+- Allow container-runtime to setattr on fifo_file handed into container runtime.
+
+* Tue Nov 13 2018 Lokesh Mandvekar (Bot) - 2:2.752.75-1.dev.git99e2cfd1
+- bump to 2.75
+- autobuilt 99e2cfd
+
 * Mon Nov 12 2018 Dan Walsh - 2.76-1
 - Allow containers to sendto dgram socket of container runtimes
 - Needed to run container runtimes in notify socket unit files.
-* Tue Oct 30 2018 Dan Walsh - 2.75-1
+* Tue Oct 30 2018 Dan Walsh - 2.75-1.dev.git99e2cfd
 - Allow containers to use fuse file systems by default
 * Fri Oct 19 2018 Dan Walsh - 2.74-1
diff --git a/sources b/sources
index 29f4f57..b350407 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-87fae85.tar.gz) = 4ec03e76830fa2dc15602831cda3e9ca846b62d3f806049785bb94004f079314e6a2039987f02251ff54aa4a9ed890d558506861fe0986264cc610920a7f85df
+SHA512 (container-selinux-5133af6.tar.gz) = e4e3c98ad0c8d9b3ed53c5753092505f8a65dfda13138cb238cc288b2d311fb755e900af93e7b7fa84b5824b2cd352eaf11ab1b90353f698b52235fc1af7d063
From ef386e48596783513688ca7171bbbbe3ff8571a2 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 17 Dec 2018 15:48:05 -0500
Subject: [PATCH 33/44] Allow container-runtime to setattr on fifo_file handed into container runtime.
---
 .gitignore | 1 +
 container-selinux.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 13b5e67..633f42d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -70,3 +70,4 @@
 /container-selinux-99e2cfd.tar.gz
 /container-selinux-87fae85.tar.gz
 /container-selinux-5133af6.tar.gz
+/container-selinux-2c57a17.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index feb3430..6424576 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 5133af638a0b746e1ff3bd6d452038fdad7e7e98 +%global commit0 2c57a17ab66c245a86dd00e03ec2b8e70ff76203 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) diff --git a/sources b/sources index b350407..4ba60f5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-5133af6.tar.gz) = e4e3c98ad0c8d9b3ed53c5753092505f8a65dfda13138cb238cc288b2d311fb755e900af93e7b7fa84b5824b2cd352eaf11ab1b90353f698b52235fc1af7d063 +SHA512 (container-selinux-2c57a17.tar.gz) = a136937d766f2727d4ca51dd2ca73b16c484bf7a6ccd09634ce2b29d46620a8152b7535e5b4663fe10d9ac502493c680e0d35b2b0eea7bbec8d54fb7de12eef2 From 40f5d3a9976b8806a28ae0361ea04df1e25fc7b6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 10 Jan 2019 15:18:28 -0500 Subject: [PATCH 34/44] Fix labeling for images in docker daemon user namespace --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 633f42d..9e4f3dc 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,4 @@ /container-selinux-87fae85.tar.gz /container-selinux-5133af6.tar.gz /container-selinux-2c57a17.tar.gz +/container-selinux-1362777.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 6424576..0998d68 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 2c57a17ab66c245a86dd00e03ec2b8e70ff76203 +%global commit0 13627777f8398d68d7de180ee4c07d454dc2d69b %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) 
@@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.77 +Version: 2.78 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jan 10 2019 Dan Walsh - 2.78-1 +- Fix labeling for images in docker daemon user namespace + * Mon Dec 17 2018 Dan Walsh - 2.77-1 - Allow container-runtime to setattr on fifo_file handed into container runtime. diff --git a/sources b/sources index 4ba60f5..c5af941 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-2c57a17.tar.gz) = a136937d766f2727d4ca51dd2ca73b16c484bf7a6ccd09634ce2b29d46620a8152b7535e5b4663fe10d9ac502493c680e0d35b2b0eea7bbec8d54fb7de12eef2 +SHA512 (container-selinux-1362777.tar.gz) = 2bbf208a2c0995ce5133e6846ad6f080efd6ca809bf21c3839214d6758f3c19bec0ee9d4f4cd03a4cf036300abd78502f7aeacdfc2dfcf09aa97893d6a86fbb1 From 8e95799c9fbc3b59cb30d9e11c48826782acf7b3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 11 Jan 2019 11:08:21 -0500 Subject: [PATCH 35/44] Fix labeling on /var/lib/registries --- .gitignore | 4 +--- container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 9e4f3dc..a593471 100644 --- a/.gitignore +++ b/.gitignore @@ -56,11 +56,8 @@ /container-selinux-dfaf8fd.tar.gz /container-selinux-8ecc282.tar.gz /container-selinux-0407867.tar.gz -<<<<<<< Updated upstream /container-selinux-042f7cf.tar.gz -======= /container-selinux-25277c8.tar.gz ->>>>>>> Stashed changes /container-selinux-c139a3d.tar.gz /container-selinux-452b90d.tar.gz /container-selinux-4e73492.tar.gz @@ -72,3 +69,4 @@ /container-selinux-5133af6.tar.gz /container-selinux-2c57a17.tar.gz /container-selinux-1362777.tar.gz +/container-selinux-6f01752.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 0998d68..11005b1 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 13627777f8398d68d7de180ee4c07d454dc2d69b +%global commit0 6f01752858c0ee79dddf0e4c1bf845fb35d9eaf6 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.78 +Version: 2.79 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Jan 11 2019 Dan Walsh - 2.79-1 +- Fix labeling on /var/lib/registries + * Thu Jan 10 2019 Dan Walsh - 2.78-1 - Fix labeling for images in docker daemon user namespace diff --git a/sources b/sources index c5af941..f70aa72 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-1362777.tar.gz) = 2bbf208a2c0995ce5133e6846ad6f080efd6ca809bf21c3839214d6758f3c19bec0ee9d4f4cd03a4cf036300abd78502f7aeacdfc2dfcf09aa97893d6a86fbb1 +SHA512 (container-selinux-6f01752.tar.gz) = eedd30e77a39667b0352279975858febe7f1eb9910a663de2ad7c12076ab5f345d2350c51c870778009047141dfbcfdd17fa11c105f6ea23f2dde0b6885d31c2 From 257ab1218204210953ce0b109ff4596ca18560d0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 22 Jan 2019 14:56:44 +0100 Subject: [PATCH 36/44] Don't allow containers to talk to contianer runtime sockets --- container-selinux.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 11005b1..03831dc 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 6f01752858c0ee79dddf0e4c1bf845fb35d9eaf6 +%global commit0 1b655d9aae4ec9859101b87d693566531b3dc4ff %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) 
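Review bot: The commit0 bump to 1b655d9aae4ec9859101b87d693566531b3dc4ff in PATCH 36/44 is not accompanied by matching `sources` and `.gitignore` updates — its diffstat lists only container-selinux.spec, and the `SHA512 (container-selinux-1b655d9.tar.gz)` line only lands in the following commit, PATCH 37/44. At this revision the spec therefore references a tarball whose integrity hash is absent from `sources`, so a checkout at this point presumably cannot fetch a verified archive and the series is not bisectable here. Consider squashing the two commits, or at least landing the `sources` line together with the commit0 change, so that every revision pins the exact tarball it builds from.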
@@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.79 +Version: 2.80 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -73,7 +73,7 @@ rm -rf container-selinux.spec %post # Install all modules in a single transaction if [ $1 -eq 1 ]; then - %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 + %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null @@ -109,6 +109,9 @@ fi %{_datadir}/selinux/* %changelog +* Tue Jan 22 2019 Dan Walsh - 2.80-1 +- Don't allow containers to talk to contianer runtime sockets + * Fri Jan 11 2019 Dan Walsh - 2.79-1 - Fix labeling on /var/lib/registries From 86cfbf7fec5ed9e59fcd22cdb48bbdfa56d8ea8b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 22 Jan 2019 15:07:13 +0100 Subject: [PATCH 37/44] Don't allow containers to talk to contianer runtime sockets --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index a593471..01cef0a 100644 --- a/.gitignore +++ b/.gitignore @@ -70,3 +70,4 @@ /container-selinux-2c57a17.tar.gz /container-selinux-1362777.tar.gz /container-selinux-6f01752.tar.gz +/container-selinux-1b655d9.tar.gz diff --git a/sources b/sources index f70aa72..ed72e9c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-6f01752.tar.gz) = eedd30e77a39667b0352279975858febe7f1eb9910a663de2ad7c12076ab5f345d2350c51c870778009047141dfbcfdd17fa11c105f6ea23f2dde0b6885d31c2 +SHA512 (container-selinux-1b655d9.tar.gz) = a6b7747d7fa769e4e90898c8b6b465785d21cd22e9b30bfa874aff15091ea0c577e1f245242b3d25814190e6b00e0e54da5bb59ae26239e8aacb3da1f375e16e From ff12c78349be6b1709f5136d4a82ec66324771a8 Mon Sep 17 00:00:00 2001 
From: Daniel J Walsh Date: Thu, 7 Feb 2019 10:02:43 -0700 Subject: [PATCH 38/44] Add new labels for paths for containerd --- .gitignore | 1 + container-selinux.spec | 12 +++++++++--- sources | 1 + 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 01cef0a..3280214 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,4 @@ /container-selinux-1362777.tar.gz /container-selinux-6f01752.tar.gz /container-selinux-1b655d9.tar.gz +/container-selinux-484806a.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 03831dc..72c6fa8 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 1b655d9aae4ec9859101b87d693566531b3dc4ff +%global commit0 484806a3fb3235827dcad0ac65a2b87a1a964a48 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,8 +26,8 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.80 -Release: 1.git%{shortcommit0}%{?dist} +Version: 2.81 +Release: 2.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -109,6 +109,12 @@ fi %{_datadir}/selinux/* %changelog +* Thu Feb 7 2019 Dan Walsh - 2.81-1 +- Add new labels for paths for containerd + +* Thu Jan 31 2019 Fedora Release Engineering - 2:2.80-2.git1b655d9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Tue Jan 22 2019 Dan Walsh - 2.80-1 - Don't allow containers to talk to contianer runtime sockets diff --git a/sources b/sources index ed72e9c..636ff3b 100644 --- a/sources +++ b/sources 
@@ -1 +1,2 @@ SHA512 (container-selinux-1b655d9.tar.gz) = a6b7747d7fa769e4e90898c8b6b465785d21cd22e9b30bfa874aff15091ea0c577e1f245242b3d25814190e6b00e0e54da5bb59ae26239e8aacb3da1f375e16e +SHA512 (container-selinux-484806a.tar.gz) = abda91a9690694fc4a862fd11a386887740c5ffba60bd69b436fd02cd9fc85392e959b88bcff4d7e15b3e5cd0e32f1489d6294180628a953e2738ae86fb127ea From 983f0edb9a9ff41dc232136e832668a57676ef5d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sun, 10 Feb 2019 07:37:27 -0700 Subject: [PATCH 39/44] Allow confined users to use containers --- .gitignore | 2 ++ container-selinux.spec | 15 +++++++++++---- sources | 3 +-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 3280214..b8974bb 100644 --- a/.gitignore +++ b/.gitignore @@ -72,3 +72,5 @@ /container-selinux-6f01752.tar.gz /container-selinux-1b655d9.tar.gz /container-selinux-484806a.tar.gz +/container-selinux-21c2be6.tar.gz +/container-selinux-5e1f62f.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 72c6fa8..5e01e51 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 484806a3fb3235827dcad0ac65a2b87a1a964a48 +%global commit0 5e1f62fe319ebbef46bcabc8cc5e22d209411dda %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,8 +26,8 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.81 -Release: 2.git%{shortcommit0}%{?dist} +Version: 2.82 +Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes 
@@ -109,13 +109,20 @@ fi %{_datadir}/selinux/* %changelog +* Sun Feb 10 2019 Dan Walsh - 2.82-1 +- Allow confined users to use containers + +* Fri Feb 08 2019 Lokesh Mandvekar (Bot) - 2:2.80-3.git21c2be6 +- bump to 2.80 +- autobuilt 21c2be6 + * Thu Feb 7 2019 Dan Walsh - 2.81-1 - Add new labels for paths for containerd * Thu Jan 31 2019 Fedora Release Engineering - 2:2.80-2.git1b655d9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Tue Jan 22 2019 Dan Walsh - 2.80-1 +* Tue Jan 22 2019 Dan Walsh - 2.80-1.nightly.git21c2be6 - Don't allow containers to talk to contianer runtime sockets * Fri Jan 11 2019 Dan Walsh - 2.79-1 diff --git a/sources b/sources index 636ff3b..e46329b 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (container-selinux-1b655d9.tar.gz) = a6b7747d7fa769e4e90898c8b6b465785d21cd22e9b30bfa874aff15091ea0c577e1f245242b3d25814190e6b00e0e54da5bb59ae26239e8aacb3da1f375e16e -SHA512 (container-selinux-484806a.tar.gz) = abda91a9690694fc4a862fd11a386887740c5ffba60bd69b436fd02cd9fc85392e959b88bcff4d7e15b3e5cd0e32f1489d6294180628a953e2738ae86fb127ea +SHA512 (container-selinux-5e1f62f.tar.gz) = 8184e4191cbce80e8ecf65f82e64f6b85eeda0b7b958be099b97100aaa78c71e3d0adec642eafb7e58037ba0a5b0452da7674d7e6c02a8f3c125f67629425ea7 From fd4d04b49577bda7c0d4fa46dc0e997ffdb476e5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 25 Feb 2019 10:09:06 -0500 Subject: [PATCH 40/44] Allow containers to mounton cgroup and container_file_t --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index b8974bb..794e800 100644 --- a/.gitignore +++ b/.gitignore @@ -74,3 +74,4 @@ /container-selinux-484806a.tar.gz /container-selinux-21c2be6.tar.gz /container-selinux-5e1f62f.tar.gz +/container-selinux-ec6fcad.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 5e01e51..da57321 100644 --- a/container-selinux.spec 
+++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 5e1f62fe319ebbef46bcabc8cc5e22d209411dda +%global commit0 ec6fcadf8820fefd8d231375a5648856323a3fba %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.82 +Version: 2.83 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Feb 25 2019 Dan Walsh - 2.83-1 +- Allow containers to mounton cgroup and container_file_t + * Sun Feb 10 2019 Dan Walsh - 2.82-1 - Allow confined users to use containers diff --git a/sources b/sources index e46329b..06e646f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-5e1f62f.tar.gz) = 8184e4191cbce80e8ecf65f82e64f6b85eeda0b7b958be099b97100aaa78c71e3d0adec642eafb7e58037ba0a5b0452da7674d7e6c02a8f3c125f67629425ea7 +SHA512 (container-selinux-ec6fcad.tar.gz) = cd7308534a58d5bdf75431c64b8d5b0ea75fac4d032a171c156c5350805299d97afee7971fee9e51653081025027e6d4db31c78023a1f2420a34db151b536e42 From 6760b13f3ba59cc5dee3373880a44a76785e710e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 28 Feb 2019 08:16:33 -0500 Subject: [PATCH 41/44] More allow rules to allow containers to run within containers --- .gitignore | 1 + container-selinux.spec | 13 ++++++++++--- sources | 2 +- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 794e800..5a95dfc 100644 --- a/.gitignore +++ b/.gitignore @@ -75,3 +75,4 @@ /container-selinux-21c2be6.tar.gz /container-selinux-5e1f62f.tar.gz /container-selinux-ec6fcad.tar.gz +/container-selinux-eb60838.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index da57321..24f448c 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 ec6fcadf8820fefd8d231375a5648856323a3fba +%global commit0 eb60838b8e9b88aeb1c3a7f68c93ccfd8a67fbdd %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.83 +Version: 2.84 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,10 +109,17 @@ fi %{_datadir}/selinux/* %changelog +* Thu Feb 28 2019 Dan Walsh - 2.84-1 +- More allow rules to allow containers to run within containers + +* Tue Feb 26 2019 Lokesh Mandvekar (Bot) - 2:2.82-2.git5e1f62f +- bump to 2.82 +- autobuilt 5e1f62f + * Mon Feb 25 2019 Dan Walsh - 2.83-1 - Allow containers to mounton cgroup and container_file_t -* Sun Feb 10 2019 Dan Walsh - 2.82-1 +* Sun Feb 10 2019 Dan Walsh - 2.82-1.nightly.git5e1f62f - Allow confined users to use containers * Fri Feb 08 2019 Lokesh Mandvekar (Bot) - 2:2.80-3.git21c2be6 diff --git a/sources b/sources index 06e646f..c285974 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-ec6fcad.tar.gz) = cd7308534a58d5bdf75431c64b8d5b0ea75fac4d032a171c156c5350805299d97afee7971fee9e51653081025027e6d4db31c78023a1f2420a34db151b536e42 +SHA512 (container-selinux-eb60838.tar.gz) = b4a4ae04d48de49dac9d588be5efc7abfaee7a8a82dd6186f51485e1e63a857fa84145a75aef265bbf66a089d818619b912f6a27bba064c45758dd15ae3fde44 From d9e4e8f3cf296791d2b466f650d156a7262ce22c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 28 Feb 2019 14:52:35 -0500 Subject: [PATCH 42/44] More allow rules to allow containers to run within containers --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 5a95dfc..d72e619 100644 --- a/.gitignore +++ b/.gitignore 
@@ -76,3 +76,4 @@ /container-selinux-5e1f62f.tar.gz /container-selinux-ec6fcad.tar.gz /container-selinux-eb60838.tar.gz +/container-selinux-92af7fd.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 24f448c..def291f 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 eb60838b8e9b88aeb1c3a7f68c93ccfd8a67fbdd +%global commit0 92af7fdb6d11c4c28c1b9bc2711766ef0acd031b %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.84 +Version: 2.85 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Feb 28 2019 Dan Walsh - 2.85-1 +- More allow rules to allow containers to run within containers + * Thu Feb 28 2019 Dan Walsh - 2.84-1 - More allow rules to allow containers to run within containers diff --git a/sources b/sources index c285974..aa7b869 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-eb60838.tar.gz) = b4a4ae04d48de49dac9d588be5efc7abfaee7a8a82dd6186f51485e1e63a857fa84145a75aef265bbf66a089d818619b912f6a27bba064c45758dd15ae3fde44 +SHA512 (container-selinux-92af7fd.tar.gz) = 2ac368ec88cb5ddd4d16db2d5d5f8bc45674aa797a30e5c92993ebc898a273592c2ef58662b45d44f2e42e9794151df6c62c01cc41f658bdeedbbdcb66f2bcc6 From 90ca0bef7ffe904fb85a1538721b2e5ec2beeb4d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 1 Mar 2019 09:02:10 -0500 Subject: [PATCH 43/44] Allow unconfined user and services to dyntrans to container domains, needed for CRIU Allow containers exectue hugetlb files. --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index d72e619..52b3488 100644 
--- a/.gitignore +++ b/.gitignore @@ -77,3 +77,4 @@ /container-selinux-ec6fcad.tar.gz /container-selinux-eb60838.tar.gz /container-selinux-92af7fd.tar.gz +/container-selinux-c178849.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index def291f..4b74727 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 92af7fdb6d11c4c28c1b9bc2711766ef0acd031b +%global commit0 c1788491847627d39266b5b22e85c8b094f76d77 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.85 +Version: 2.86 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,10 @@ fi %{_datadir}/selinux/* %changelog +* Fri Mar 1 2019 Dan Walsh - 2.86-1 +- Allow unconfined user and services to dyntrans to container domains, needed for CRIU +- Allow containers exectue hugetlb files. + * Thu Feb 28 2019 Dan Walsh - 2.85-1 - More allow rules to allow containers to run within containers diff --git a/sources b/sources index aa7b869..81063d9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-92af7fd.tar.gz) = 2ac368ec88cb5ddd4d16db2d5d5f8bc45674aa797a30e5c92993ebc898a273592c2ef58662b45d44f2e42e9794151df6c62c01cc41f658bdeedbbdcb66f2bcc6 +SHA512 (container-selinux-c178849.tar.gz) = cb5234b21c61236d81ea8532629633f5a635496c70c20d6969f303ab476adaec3e64d67f8eb56c3ae1672698486281679fe8b4c6dda3c3f80556df317c23ff48 From cb7d9309bc271974ec16c2ad89a64901dc35f635 Mon Sep 17 00:00:00 2001 
From: Daniel J Walsh Date: Sat, 9 Mar 2019 08:47:23 -0500 Subject: [PATCH 44/44] Allow all container domains to have container file types entrypoint Add new release to fix issues with udica Allow container_runtime_t to dyntransition to container domains --- .gitignore | 1 + container-selinux.spec | 9 +++++++-- sources | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 52b3488..4d3f6eb 100644 --- a/.gitignore +++ b/.gitignore @@ -78,3 +78,4 @@ /container-selinux-eb60838.tar.gz /container-selinux-92af7fd.tar.gz /container-selinux-c178849.tar.gz +/container-selinux-2521d0d.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 4b74727..850dc4c 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -2,7 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux -%global commit0 c1788491847627d39266b5b22e85c8b094f76d77 +%global commit0 2521d0d6082ea9057d827d257d27291bf6219aba %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) @@ -26,7 +26,7 @@ Name: container-selinux %if 0%{?fedora} Epoch: 2 %endif -Version: 2.86 +Version: 2.89 Release: 1.git%{shortcommit0}%{?dist} License: GPLv2 URL: %{git0} @@ -109,6 +109,11 @@ fi %{_datadir}/selinux/* %changelog +* Sat Mar 9 2019 Dan Walsh - 2.89-1 +- Allow all container domains to have container file types entrypoint +- Add new release to fix issues with udica +- Allow container_runtime_t to dyntransition to container domains + * Fri Mar 1 2019 Dan Walsh - 2.86-1 - Allow unconfined user and services to dyntrans to container domains, needed for CRIU - Allow containers exectue hugetlb files. diff --git a/sources b/sources index 81063d9..c9c3a02 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-c178849.tar.gz) = cb5234b21c61236d81ea8532629633f5a635496c70c20d6969f303ab476adaec3e64d67f8eb56c3ae1672698486281679fe8b4c6dda3c3f80556df317c23ff48 +SHA512 (container-selinux-2521d0d.tar.gz) = 316c85c5b7d061d7691047f09c721dd85fd65ed306991b8c49b2ba4aa88d25ed8ef68a8a8d8a38d331066beab79918253df93e7daf246d5de7bb76741e082115