diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index ceb3a01..d119390 100644
--- a/.gitignore
+++ b/.gitignore
@@ -224,3 +224,12 @@
 /v2.228.0.tar.gz
 /v2.228.1.tar.gz
 /v2.229.0.tar.gz
+/v2.229.1.tar.gz
+/v2.230.0.tar.gz
+/v2.231.0.tar.gz
+/v2.232.1.tar.gz
+/v2.233.0.tar.gz
+/v2.234.1.tar.gz
+/v2.234.2.tar.gz
+/v2.235.0.tar.gz
+/v2.236.0.tar.gz
diff --git a/.packit.yaml b/.packit.yaml
index 0f6b9fd..cc1d83b 100644
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -2,30 +2,78 @@ # See the documentation for more information: # https://packit.dev/docs/configuration/ -specfile_path: rpm/container-selinux.spec +downstream_package_name: container-selinux upstream_tag_template: v{version} +# Ref: https://packit.dev/docs/configuration#files_to_sync +files_to_sync: + - src: rpm/gating.yaml + dest: gating.yaml + delete: true + - src: plans/ + dest: plans/ + delete: true + mkpath: true + - src: test/ + dest: test/ + delete: true + mkpath: true + - src: .fmf/ + dest: .fmf/ + delete: true + - .packit.yaml + +packages: + container-selinux-fedora: + pkg_tool: fedpkg + specfile_path: rpm/container-selinux.spec + container-selinux-centos: + pkg_tool: centpkg + specfile_path: rpm/container-selinux.spec + container-selinux-eln: + specfile_path: rpm/container-selinux.spec + srpm_build_deps: - make jobs: - job: copr_build trigger: pull_request - notifications: + packages: [container-selinux-fedora] + notifications: &copr_build_failure_notification failure_comment: message: "Ephemeral COPR build failed. @containers/packit-build please check." 
enable_net: true # container-selinux is noarch so we only need to test on one arch + targets: &fedora_copr_targets + - fedora-all-x86_64 + - fedora-all-aarch64 + + - job: copr_build + trigger: pull_request + packages: [container-selinux-eln] + notifications: *copr_build_failure_notification + enable_net: true targets: - - fedora-all - - fedora-eln - - epel-9 - - epel-8 + - fedora-eln-x86_64 + - fedora-eln-aarch64 + + - job: copr_build + trigger: pull_request + packages: [container-selinux-centos] + notifications: *copr_build_failure_notification + enable_net: true + targets: ¢os_copr_targets + - centos-stream-9-x86_64 + - centos-stream-9-aarch64 + - centos-stream-10-x86_64 + - centos-stream-10-aarch64 # Run on commit to main branch # Build targets managed in copr settings - job: copr_build trigger: commit + packages: [container-selinux-fedora] notifications: failure_comment: message: "podman-next COPR build failed. @containers/packit-build please check." 
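Review bot: The retained comment `# container-selinux is noarch so we only need to test on one arch` now sits directly above `targets: &fedora_copr_targets`, which lists both `fedora-all-x86_64` and `fedora-all-aarch64`, and the same two-arch pattern is repeated for the new ELN and CentOS Stream target lists, so the comment contradicts the configuration it annotates. Either drop the second arch from each list or reword the comment, e.g. `# container-selinux is noarch; build on x86_64 and aarch64 anyway so the policy compiles against both arches' selinux-policy`. Because `*fedora_copr_targets` and `*centos_copr_targets` are reused by the `tests` jobs later in the file, a short note on the anchor saying that it also decides where tests run would help the next editor.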
@@ -35,67 +83,51 @@ jobs: enable_net: true # All tests specified in the `/plans/` subdir - # Podman e2e tests for Fedora and CentOS Stream + # Tests for Fedora - job: tests trigger: pull_request - notifications: + packages: [container-selinux-fedora] + notifications: &test_failure_notification failure_comment: - message: "podman e2e tests failed. @containers/packit-build please check." - targets: &pr_test_targets - - fedora-all - - epel-9 - - epel-8 - identifier: podman_e2e_test - tmt_plan: "/plans/podman_e2e_test" + message: "Tests failed. @containers/packit-build please check." + targets: *fedora_copr_targets + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo - # Podman system tests for Fedora and CentOS Stream + # Tests for CentOS Stream - job: tests trigger: pull_request - notifications: - failure_comment: - message: "podman system tests failed. @containers/packit-build please check." - targets: *pr_test_targets - identifier: podman_system_test - tmt_plan: "/plans/podman_system_test" - - # Podman e2e tests for RHEL - - job: tests - trigger: pull_request - use_internal_tf: true - notifications: - failure_comment: - message: "podman e2e tests failed on RHEL. @containers/packit-build please check." - targets: &pr_test_targets_rhel - epel-9-x86_64: - distros: [RHEL-9.3.0-Nightly,RHEL-9.4.0-Nightly] - epel-8-x86_64: - distros: [RHEL-8.9.0-Nightly,RHEL-8.10.0-Nightly] - identifier: podman_e2e_test_internal - tmt_plan: "/plans/podman_e2e_test" - - # Podman system tests for RHEL - - job: tests - trigger: pull_request - use_internal_tf: true - notifications: - failure_comment: - message: "podman system tests failed on RHEL. @containers/packit-build please check." 
- targets: *pr_test_targets_rhel - identifier: podman_system_test_internal - tmt_plan: "/plans/podman_system_test" + packages: [container-selinux-centos] + notifications: *test_failure_notification + targets: *centos_copr_targets + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo - job: propose_downstream trigger: release - update_release: false - dist_git_branches: + packages: [container-selinux-fedora] + dist_git_branches: &fedora_targets - fedora-all + - job: propose_downstream + trigger: release + packages: [container-selinux-centos] + dist_git_branches: + - c10s + - job: koji_build trigger: commit - dist_git_branches: - - fedora-all + packages: [container-selinux-fedora] + dist_git_branches: *fedora_targets - job: bodhi_update trigger: commit + packages: [container-selinux-fedora] dist_git_branches: - fedora-branched # rawhide updates are created automatically
diff --git a/README.packit b/README.packit
index 115b422..f5cc99f 100644
--- a/README.packit
+++ b/README.packit
@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 0.88.0.post1.dev4+gc070191b.
+The file was generated using packit 1.2.0.post1.dev13+g55ed4527.
diff --git a/container-selinux.spec b/container-selinux.spec
index 70a34f3..cf61d09 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,7 +2,6 @@
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
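Review bot: After this hunk no Packit job builds or tests on EPEL/RHEL below 10 — the `epel-8`/`epel-9` targets and both `use_internal_tf` RHEL test jobs are removed, and the new `tests` jobs reuse only the Fedora and CentOS Stream 9/10 anchors — while the spec later in this same diff still carries `0%{?rhel} <= 9` and `0%{?rhel} < 10` branches (`no_user_namespace`, `legacy_var_run`). If those branches are still exercised through another flow, say so next to the first `tests` job, e.g. `# RHEL/EPEL < 10 is not built or tested by Packit; the rhel<10 spec branches are verified downstream`; otherwise they are now untested code worth pruning. Both `tests` jobs also embed the `rhcontainerbot/podman-next` repository-file URL with only the distro path differing, so a one-line comment that the policy is deliberately tested against a nightly podman would keep a future reader from "fixing" it to the stable repo.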
@@ -11,29 +10,32 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
-# RHEL 8 doesn't allow watch and systemd_chat_resolved
-%if %{defined rhel} && 0%{?rhel} == 8
-%define no_watch 1
-%define no_systemd_chat_resolved 1
-%global _selinux_policy_version 3.14.3-80.el8
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
 %endif
 # https://github.com/containers/container-selinux/issues/203
-%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
 %define no_user_namespace 1
 %endif
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
 Name: container-selinux
 # Set different Epochs for copr and koji
-%if %{defined copr_username}
+%if %{defined copr_build}
 Epoch: 102
 %else
-Epoch: 2
+Epoch: 4
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.229.0
+Version: 2.236.0
 Release: %autorelease
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
@@ -48,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
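Review bot: With the RHEL 8 `no_watch`/`no_systemd_chat_resolved` stripping removed, the new `0%{?rhel} < 10` guard and the retained `0%{?rhel} <= 9` guard still match RHEL 8, yet nothing left in the spec makes the policy build there; if EPEL 8 is intentionally dropped (the `.packit.yaml` in this diff no longer targets it), say so beside the guard, e.g. `# RHEL 8 is no longer supported; "rhel < 10" here effectively means RHEL 9`. The removed branch was also the only definition of `_selinux_policy_version` visible in this view, and the `BuildRequires`/`Requires` lines in the next hunk still expand it; I cannot see another definition from here, so confirm it is still set for every remaining target, otherwise the dependency is expressed against the literal macro name. The `copr_build` alias is fine, but its comment should say that `copr_username` is what COPR injects, since that is the only reason the indirection exists.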
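Review bot: Satisfying `Requires(post)` with `selinux-policy-any` and demoting `selinux-policy-targeted` to `Recommends:` means an install with weak deps disabled (`install_weak_deps=False`, common in minimal and container images) can leave `mls` or `minimum` as the only policy store, while `%files` in the last spec hunk still ships `%{_sysconfdir}/selinux/targeted/contexts/users/container_u` unconditionally and `%ghost`s only the targeted and mls stores. That may be acceptable, but record the assumption here, e.g. `# Any policy store is accepted (targeted/mls/minimum); scriptlets follow SELINUXTYPE from /etc/selinux/config`, and verify the `%files` list against a host that has only the non-targeted store installed.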
@@ -67,21 +70,14 @@ SELinux policy modules for use with container runtimes.
 sed -i 's/^man: install-policy/man:/' Makefile
 sed -i 's/^install: man/install:/' Makefile
-%if %{defined no_watch}
-sed -i 's/watch watch_reads//' container.if
-sed -i 's/watch watch_reads//' container.te
-sed -i '/sysfs_t:dir watch/d' container.te
-sed -i '/fifo_file watch/d' container.te
-%endif
-
-%if %{defined no_systemd_chat_resolved}
-sed -i '/^systemd_chat_resolved/d' container.te
-%endif
-
 %if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make
@@ -90,11 +86,8 @@ make
 %_format MODULES $x.pp.bz2
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
-# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-rm %{buildroot}%{_mandir}/man8/container_selinux.8
-
 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre
 %post
 # Install all modules in a single transaction
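Review bot: The new `sed -i 's|^/run/|/var/run/|' container.fc` silently does nothing if upstream ever stops writing `/run/` at the start of a line (the retained `user_namespace` deletion has the same property), and nothing in the build verifies that the rewrite actually happened, so a stale file-context table would ship without any error. Add a guard after the substitution, `grep -q '^/var/run/' container.fc`, so the build fails loudly instead; under rpmbuild's `set -e` that one line is enough. This belongs to the `%prep` section, which presumably starts before the hunk header shown here.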
@@ -102,21 +95,21 @@ if [ $1 -eq 1 ]; then
 %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 %postun
 if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+ %selinux_modules_uninstall %{modulenames} docker
 fi
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
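Review bot: `%post` now installs into whatever store `/etc/selinux/config` names (`%selinux_modules_install -s ${SELINUXTYPE}` after `. %{_sysconfdir}/selinux/config`), but `%postun`'s `%selinux_modules_uninstall %{modulenames} docker` and the `%pre`/`%posttrans` relabel macros no longer pass `-s` at all; as far as I recall the selinux-policy macros default `-s` to `targeted`, which would leave the modules added by `%post` behind on an mls host — confirm against the installed macros.selinux-policy. If the intent is to follow the configured store everywhere, source the config in `%postun` as well and pass it through: `. %{_sysconfdir}/selinux/config` then `%selinux_modules_uninstall -s ${SELINUXTYPE} %{modulenames} docker`. The raw `%{_sbindir}/semodule -n -s ${SELINUXTYPE} ...` calls also now fail (hidden by `2> /dev/null`) when the config exists but `SELINUXTYPE` is unset, where the old fixed `targeted` worked; a `SELINUXTYPE=${SELINUXTYPE:-targeted}` right after sourcing keeps the previous behaviour.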
@@ -126,12 +119,14 @@ fi
 %{_datadir}/selinux/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-#%%{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
diff --git a/gating.yaml b/gating.yaml
index c2182c7..c692db7 100644
--- a/gating.yaml
+++ b/gating.yaml
@@ -1,6 +1,14 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_context: bodhi_update_push_stable
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []
diff --git a/plans/main.fmf b/plans/main.fmf
new file mode 100644
index 0000000..baa8b2f
--- /dev/null
+++ b/plans/main.fmf
@@ -0,0 +1,20 @@
+discover:
+  how: fmf
+execute:
+  how: tmt
+prepare:
+  - when: distro == centos-stream or distro == rhel
+    how: shell
+    script: |
+      dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
+      dnf -y config-manager --set-enabled epel
+    order: 10
+  - when: initiator == packit
+    how: shell
+    script: |
+      COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+      if compgen -G $COPR_REPO_FILE > /dev/null; then
+        sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+      fi
+      dnf -y upgrade --allowerasing
+    order: 20
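Review bot: The `%ghost` entries cover only the `targeted` and `mls` stores, but `%post` earlier in this diff installs into `${SELINUXTYPE}` from `/etc/selinux/config` and the dependency is now `selinux-policy-any`, so on a `minimum` policy host the module under `%{_selinux_store_path}/minimum/active/modules/200/%{modulenames}` would be unowned — and the new `rpm -Vqf /var/lib/selinux/*/active/modules/200/container` check in `test/main.fmf` would report exactly that. Either add `%ghost %verify(not mode) %{_selinux_store_path}/minimum/active/modules/200/%{modulenames}` or state the supported stores in a comment. Separately, the `# Ref: ...2209120` comment now sits above a man page that is shipped again; reword it to what is still true, e.g. `# man page restored; rhbz#2209120 explains why it was once dropped`, or remove it.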
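Review bot: The new `rhel-*` policy with `rules: []` gates nothing; that is presumably a placeholder so the RHEL `osci_compose_gate` context accepts the file, but a reader can mistake it for configured gating. Add `# No RHEL gating tests yet; empty rule list so osci_compose_gate passes` above it so the intent is explicit and the gap is visible. The Fedora policy now also applies to `bodhi_update_push_testing`, which means a failed tier0 run blocks the push to testing as well as to stable; a one-line comment would confirm that is deliberate.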
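Review bot: The first prepare step installs `epel-release` straight from a URL with `dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm`; dnf does not GPG-verify packages given by path or URL unless `localpkg_gpgcheck=1` is set, so the EPEL key and repo definitions that every later package pull depends on are trusted on the strength of the TLS connection alone. On CentOS Stream the `extras-common` repo already carries a signed `epel-release`, so `dnf -y install epel-release` works and is verified there; keep the URL form only under a `distro == rhel` condition, or `rpm --import` the matching `RPM-GPG-KEY-EPEL-$(rpm --eval '%{?rhel}')` first and install with `--setopt=localpkg_gpgcheck=1`. The second step pins the podman-next COPR to `priority=1` and runs `dnf -y upgrade --allowerasing`, so every package that repo carries replaces the distro build; that is what these tests want, but a comment saying so would stop the snippet being copied into a plan where it is not.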
diff --git a/sources b/sources
index 05ff519..f7b9b50 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v2.229.0.tar.gz) = 1341e0a6996d1ff2b06a0095f6720595f0775dff27f1f45702b3e03ea78f3b45708f55400b4dc8bfc4586efec4f72528512e8fbe461629a55a18936f8e6df30d
+SHA512 (v2.236.0.tar.gz) = 02f4cf1549bbe8c647fc2d2af9f239a23b47e67964d2ee66a45578b6494a9257185f210a61a3e666470489698760b6dd336db3e6a867002fdac68f64689d3841
diff --git a/test/main.fmf b/test/main.fmf
new file mode 100644
index 0000000..4b186d5
--- /dev/null
+++ b/test/main.fmf
@@ -0,0 +1,17 @@
+require:
+  - attr
+  - bats
+  - container-selinux
+  - podman-tests
+  - policycoreutils
+
+/basic_check:
+  summary: Run basic checks
+  test: |
+    semodule --list=full | grep container
+    semodule -B
+    rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_system_test:
+  summary: Run SELinux specific Podman system tests
+  test: bash ./podman-tests.sh
diff --git a/test/podman-tests.sh b/test/podman-tests.sh
new file mode 100644
index 0000000..faa504b
--- /dev/null
+++ b/test/podman-tests.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+  echo "Please run as superuser"
+  exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats
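Review bot: `/basic_check` runs three commands in one `test: |` block without `set -e`, so if tmt executes the block as a plain shell script (confirm for the tmt version in use) only the last command's status decides pass/fail — a failing `semodule --list=full | grep container` or `semodule -B` is masked by a passing `rpm -Vqf`. Start the block with `set -euo pipefail` (or chain the three commands with `&&`) so each step has to succeed. Note that the `rpm -Vqf /var/lib/selinux/*/active/modules/200/container` glob matches every store present on the host, which is what makes the check meaningful for mls but also means it will flag an unowned module in any store the spec does not `%ghost`.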
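Review bot: `set -exo pipefail` leaves out `-u`, and the root check runs only after `cat /etc/redhat-release` has already executed; move the `id -u` test to the top and use `set -euxo pipefail` so an unset variable or a failed early command aborts the run instead of continuing into `bats`. `cat /etc/redhat-release` will itself fail (and, with `-e`, end the test) on a non-RH host, which is acceptable given the plan only targets Fedora/CentOS/RHEL, but a comment such as `# RH-family hosts only: /etc/redhat-release must exist` makes that explicit. The bats file `/usr/share/podman/test/system/410-selinux.bats` is presumably shipped by `podman-tests`, which `test/main.fmf` lists under `require`, so that dependency appears to be covered.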