From 695905d02e3a17966eeb3cf87dd9d1d3e06f1375 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 19 May 2017 07:21:42 -0400 Subject: [PATCH 01/33] Add labels for crio rename Break container_t rules out to use a separate container_domain Allow containers to be able to set namespaced SYCTLS Allow sandbox containers manage fuse files. Fixes to make container_runtimes work on MLS machines Bump version to allow handling of container_file_t filesystems Allow containers to mount, remount and umount container_file_t file systems Fixes to handle cap_userns Give container_t access to XFRM sockets Allow spc_t to dbus chat with init system Allow spc_t to dbus chat with init system Add rules to allow container runtimes to run with unconfined disabled Add rules to support cgroup file systems mounted into container. Fix typebounds entrypoint problems Fix typebounds problems Add typebounds statement for container_t from container_runtime_t We should only label runc not runc* --- .gitignore | 1 + container-selinux.spec | 23 +++++++++++++++++++++-- sources | 3 +-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 323f47a..0caac17 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /container-selinux-f7333f9.tar.gz /container-selinux-08bb6e0.tar.gz /container-selinux-8f8caa6.tar.gz +/container-selinux-14f7c51.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 8095683..c3382fe 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 8f8caa66c11f8657ebf8ae50d7221ee3a97ac7d3 +%global commit0 14f7c51001a452a1cf3e162845c2915aeb167fac %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 
@@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.10 +Version: 2.14 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,25 @@ fi %{_datadir}/selinux/* %changelog +* Fri May 19 2017 Dan Walsh - 2.14-1 +- Add labels for crio rename +- Break container_t rules out to use a separate container_domain +- Allow containers to be able to set namespaced SYCTLS +- Allow sandbox containers manage fuse files. +- Fixes to make container_runtimes work on MLS machines +- Bump version to allow handling of container_file_t filesystems +- Allow containers to mount, remount and umount container_file_t file systems +- Fixes to handle cap_userns +- Give container_t access to XFRM sockets +- Allow spc_t to dbus chat with init system +- Allow spc_t to dbus chat with init system +- Add rules to allow container runtimes to run with unconfined disabled +- Add rules to support cgroup file systems mounted into container. +- Fix typebounds entrypoint problems +- Fix typebounds problems +- Add typebounds statement for container_t from container_runtime_t +- We should only label runc not runc* + * Tue Feb 28 2017 Dan Walsh - 2.10-1 - Add rules to allow container runtimes to run with unconfined disabled - Add rules to support cgroup file systems mounted into container. diff --git a/sources b/sources index 9f28c00..b3c2342 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (container-selinux-08bb6e0.tar.gz) = bba16bd77c6d34982637e4fc874ef1a741df7ca73a85ad1edfece5ae2838409efbe00ea44653acb63c22c6939c7afc72f7882715c9c4657d4427eff6f77d2a35 -SHA512 (container-selinux-8f8caa6.tar.gz) = b273cb85c6afece175d917b043f92d4c126d03eaa4b2ad5c36c0a6430465a127ad25961d26b66730190723a6aefba4a8ffb694ea942c6b4eb5d6ee950b780856 +SHA512 (container-selinux-14f7c51.tar.gz) = 5a1c5f9574005aa714b08f5db429fa3afaa02f64d0694d4ad63dd2976c4a0f7bf1ff2697a0978bbbcd8c566d6453024390dbfc6579d188827dc2593a048695f2 
From 23a6ec68676649db42aabb9c654431a37529b9c9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 31 May 2017 12:29:46 +0000 Subject: [PATCH 02/33] Allow container types to read/write container_runtime fifo files Allow a container runtime to mount on top of its own /proc --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0caac17..d3274e4 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /container-selinux-08bb6e0.tar.gz /container-selinux-8f8caa6.tar.gz /container-selinux-14f7c51.tar.gz +/container-selinux-c81ea26.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index c3382fe..8bc7400 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 14f7c51001a452a1cf3e162845c2915aeb167fac +%global commit0 c81ea2691ffdb436229d20b6b7a92e2fd71d0553 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.14 +Version: 2.15 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,10 @@ fi %{_datadir}/selinux/* %changelog +* Wed May 31 2017 Dan Walsh - 2.15-1 +- Allow container types to read/write container_runtime fifo files +- Allow a container runtime to mount on top of its own /proc + * Fri May 19 2017 Dan Walsh - 2.14-1 - Add labels for crio rename - Break container_t rules out to use a separate container_domain diff --git a/sources b/sources index b3c2342..10ffcf8 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-14f7c51.tar.gz) = 5a1c5f9574005aa714b08f5db429fa3afaa02f64d0694d4ad63dd2976c4a0f7bf1ff2697a0978bbbcd8c566d6453024390dbfc6579d188827dc2593a048695f2 +SHA512 (container-selinux-c81ea26.tar.gz) = 984aeede05f41b693908271436a86947cb13366114dfa58de57e24bb985aff657090a1d060f8d066cf7bb918a4269a7172e225f013b0e039adfff680943de519 From cd373dfe6ed1ec4f782d15b4ebaa4d9ceae63224 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 1 Jun 2017 22:03:44 +0000 Subject: [PATCH 03/33] Add default labeling for cri-o in /etc/crio directories --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index d3274e4..40bffaa 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /container-selinux-8f8caa6.tar.gz /container-selinux-14f7c51.tar.gz /container-selinux-c81ea26.tar.gz +/container-selinux-9027f8e.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 8bc7400..0f62457 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 c81ea2691ffdb436229d20b6b7a92e2fd71d0553 +%global commit0 9027f8e958bbf8c98f1d6856ccd4c8b7b5da8d1c %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.15 +Version: 2.16 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jun 1 2017 Dan Walsh - 2.16-1 +- Add default labeling for cri-o in /etc/crio directories + * Wed May 31 2017 Dan Walsh - 2.15-1 - Allow container types to read/write container_runtime fifo files - Allow a container runtime to mount on top of its own /proc diff --git a/sources b/sources index 10ffcf8..d2d1e67 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-c81ea26.tar.gz) = 984aeede05f41b693908271436a86947cb13366114dfa58de57e24bb985aff657090a1d060f8d066cf7bb918a4269a7172e225f013b0e039adfff680943de519 +SHA512 (container-selinux-9027f8e.tar.gz) = 19e561a9c71e0b3759a0fa79580cb816274fd90762c164f85e3de514102d7da702faaba9c4b2bf2dd54a39462ed52faea23e4fec2dc34c229267829635390ec6 From 7bb0b37bf3c638db1054ca25716ceef06bf56ebf Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 5 Jun 2017 20:21:30 +0000 Subject: [PATCH 04/33] Revert change to run the container_runtime as ranged --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 40bffaa..67e2407 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ /container-selinux-14f7c51.tar.gz /container-selinux-c81ea26.tar.gz /container-selinux-9027f8e.tar.gz +/container-selinux-ed3082b.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 0f62457..41e4386 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 9027f8e958bbf8c98f1d6856ccd4c8b7b5da8d1c +%global commit0 ed3082b4d72740d197f4680749347ca507fc1203 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.16 +Version: 2.17 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jun 5 2017 Dan Walsh - 2.17-1 +- Revert change to run the container_runtime as ranged + * Thu Jun 1 2017 Dan Walsh - 2.16-1 - Add default labeling for cri-o in /etc/crio directories diff --git a/sources b/sources index d2d1e67..795ef44 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-9027f8e.tar.gz) = 19e561a9c71e0b3759a0fa79580cb816274fd90762c164f85e3de514102d7da702faaba9c4b2bf2dd54a39462ed52faea23e4fec2dc34c229267829635390ec6 +SHA512 (container-selinux-ed3082b.tar.gz) = a09ecf7002812d6f7deb878bd43a4c057cda41ad87b999ae43bc485f1f5a7229e7065131c9ec8da657005768fd814a612ab2cb84c66f7de74dab30197726568f From df84d0dd5d1d3dda4f2ae8ce26117391a6631f44 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 6 Jun 2017 20:24:29 +0000 Subject: [PATCH 05/33] Fix labeling for CRI-O files in overlay subdirs --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 67e2407..f607f56 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ /container-selinux-c81ea26.tar.gz /container-selinux-9027f8e.tar.gz /container-selinux-ed3082b.tar.gz +/container-selinux-5212fea.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 41e4386..565136d 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 ed3082b4d72740d197f4680749347ca507fc1203 +%global commit0 5212fea857a5296e1d22b3ac6b875eb59a86ebe7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.17 +Version: 2.18 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Tue Jun 6 2017 Dan Walsh - 2.18-1 +- Fix labeling for CRI-O files in overlay subdirs + * Mon Jun 5 2017 Dan Walsh - 2.17-1 - Revert change to run the container_runtime as ranged diff --git a/sources b/sources index 795ef44..0f81251 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-ed3082b.tar.gz) = a09ecf7002812d6f7deb878bd43a4c057cda41ad87b999ae43bc485f1f5a7229e7065131c9ec8da657005768fd814a612ab2cb84c66f7de74dab30197726568f +SHA512 (container-selinux-5212fea.tar.gz) = 3a796527dfbc1b0ad0b05f7db1a4342ffa8802cbb7778310e6b49f433e8bc5bd0b8fbe7240bff204cfde2169143bd1ad46002368e8a1c9b711f0e8b1ecacecd6 From 128d9afe4d06eee25bd4874e488590129b4d127b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 12 Jun 2017 18:23:25 +0000 Subject: [PATCH 06/33] Allow containers to create tun sockets --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index f607f56..c64135c 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /container-selinux-9027f8e.tar.gz /container-selinux-ed3082b.tar.gz /container-selinux-5212fea.tar.gz +/container-selinux-a80afba.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 565136d..996ee3a 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 5212fea857a5296e1d22b3ac6b875eb59a86ebe7 +%global commit0 a80afba083834209e5683c8e0320734a4d9d0b64 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.18 +Version: 2.19 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Jun 12 2017 Dan Walsh - 2.19-1 +- Allow containers to create tun sockets + * Tue Jun 6 2017 Dan Walsh - 2.18-1 - Fix labeling for CRI-O files in overlay subdirs diff --git a/sources b/sources index 0f81251..a3045ce 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (container-selinux-5212fea.tar.gz) = 3a796527dfbc1b0ad0b05f7db1a4342ffa8802cbb7778310e6b49f433e8bc5bd0b8fbe7240bff204cfde2169143bd1ad46002368e8a1c9b711f0e8b1ecacecd6 +SHA512 (container-selinux-a80afba.tar.gz) = 41e7c18cd221113799495d9ca93bbc2844795be5a39e62c16fc07956f6b36cc52ed6d49f2837aae268ad4356f96458835a57d57e72d5dcdb9e978095a0c96d38 From 0a04ede43e82e802ec65bf49a68a1f976a7453c7 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 30 Jun 2017 15:54:16 +0000 Subject: [PATCH 07/33] Allow container processes to getsession --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c64135c..5ecda31 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /container-selinux-ed3082b.tar.gz /container-selinux-5212fea.tar.gz /container-selinux-a80afba.tar.gz +/container-selinux-c5fd77f.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 996ee3a..9abe5d1 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 a80afba083834209e5683c8e0320734a4d9d0b64 +%global commit0 c5fd77fc2496e04c2722d23860842b58a72d0178 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.19 +Version: 2.20 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Jun 30 2017 Dan Walsh - 2.20-1 +- Allow container processes to getsession + * Mon Jun 12 2017 Dan Walsh - 2.19-1 - Allow containers to create tun sockets diff --git a/sources b/sources index a3045ce..4ce51af 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (container-selinux-a80afba.tar.gz) = 41e7c18cd221113799495d9ca93bbc2844795be5a39e62c16fc07956f6b36cc52ed6d49f2837aae268ad4356f96458835a57d57e72d5dcdb9e978095a0c96d38
+SHA512 (container-selinux-c5fd77f.tar.gz) = 226880f6c73115034bd16b0c5acf6a79f35391fe51eec2ab499cf475d848e561f174dfaf14f7778c53363c4eee006b6b77cf558bd6e36b4474bfd44d9da8f8fa

From 7ff0bdeaffa2a6be499768d62cc27a4a3a0fb4fb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 6 Jul 2017 10:48:37 +0000
Subject: [PATCH 08/33] Relabel runc and crio executables

---
 container-selinux.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/container-selinux.spec b/container-selinux.spec
index 9abe5d1..7fad32e 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -22,7 +22,7 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
 %if 0%{?fedora} >= 22
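Review bot: The added `%{_bindir}/*runc*` and `%{_bindir}/*crio` arguments are shell globs expanded when the scriptlet runs, so on a host that has not yet installed either runtime they reach restorecon as literal paths, and the macro's trailing `&> /dev/null || :` hides the resulting lstat error together with any genuine relabel failure on the paths that do exist; since a runtime binary left with the wrong type presumably never transitions into its confined domain, which appears to be the situation this relabel is meant to repair, consider at least reporting restorecon's exit status instead of discarding it. The leading `*` on both new globs is wider than the plain `runc` and `crio` names the first patch of this series says the policy labels; if only those two files carry file contexts, `%{_bindir}/runc %{_bindir}/crio` is the precise form, and if the wildcard is intentional a comment above the macro should say which other binaries it is meant to catch. While here, `%{_sysconfdir}/docker` appears twice in both the old and the new line and one occurrence can be dropped.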
@@ -36,7 +36,7 @@ Name: container-selinux Epoch: 2 %endif Version: 2.20 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jul 6 2017 Dan Walsh - 2.20-2 +- Relabel runc and crio executables + * Fri Jun 30 2017 Dan Walsh - 2.20-1 - Allow container processes to getsession From 9832a5f1a397ff17bc0c6f7f51701c0e2fadd75c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 11 Jul 2017 17:37:12 +0000 Subject: [PATCH 09/33] Allow containers to execmod on container_share_t files. --- .gitignore | 1 + container-selinux.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 5ecda31..339f37c 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /container-selinux-5212fea.tar.gz /container-selinux-a80afba.tar.gz /container-selinux-c5fd77f.tar.gz +/container-selinux-c89e9b5.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 7fad32e..1e50d15 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} -%global commit0 c5fd77fc2496e04c2722d23860842b58a72d0178 +%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,8 +35,8 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} Epoch: 2 %endif -Version: 2.20 -Release: 2%{?dist} +Version: 2.21 +Release: 1%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Jul 6 2017 Dan Walsh - 2.21-1 +- Allow containers to execmod on container_share_t files. + * Thu Jul 6 2017 Dan Walsh - 2.20-2 - Relabel runc and crio executables 
diff --git a/sources b/sources
index 4ce51af..28ef135 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-c5fd77f.tar.gz) = 226880f6c73115034bd16b0c5acf6a79f35391fe51eec2ab499cf475d848e561f174dfaf14f7778c53363c4eee006b6b77cf558bd6e36b4474bfd44d9da8f8fa
+SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050

From caaff805ad734e4534e50c13a61c141384557b9a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 5 Sep 2017 20:40:42 +0000
Subject: [PATCH 10/33] Add additonal support for crio labeling.

---
 .gitignore | 1 +
 container-selinux.spec | 21 +++++++++++++++------
 sources | 2 +-
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 339f37c..0ac645f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@
 /container-selinux-a80afba.tar.gz
 /container-selinux-c5fd77f.tar.gz
 /container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1e50d15..60adde7 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,8 +2,8 @@
 
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%if 0%{?fedora}
-%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7
+%if 0%{?fedora} || 0%{?rhel} > 7
+%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
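Review bot: The `|| 0%{?rhel} > 7` clause added to this hunk's `%if` is written out again in the `@@ -51,7 +51,7 @@` hunk of the same file (byte-identical guard for `Requires(post)`) and, appended to two different base conditions, twice in the `@@ -25,17 +25,17 @@` hunk, so the four platform guards can drift apart the next time one of them is edited. Decide the platform once near the top of the spec, e.g. `%if 0%{?fedora} || 0%{?rhel} > 7` / `%global new_platform 1` / `%endif`, and test `%if 0%{?new_platform}` in this hunk and the `Requires(post)` guard; the two guards at `@@ -25,17 +25,17 @@` keep their extra `>= 22` and `0%{?centos}` terms. This hunk's commit0 guard deliberately omits `0%{?centos}` while the Epoch guard includes it, which matches the "RHEL-1.12 branch for CentOS 7" comment below, but a one-line comment on this `%if` saying so would keep a later cleanup from "fixing" the asymmetry.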
@@ -25,17 +25,17 @@
 %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} >= 22 || 0%{?rhel} > 7
 %global selinux_policyver 3.13.1-220
 %else
 %global selinux_policyver 3.13.1-39
 %endif
 
 Name: container-selinux
-%if 0%{?fedora} || 0%{?centos}
+%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.21
+Version: 2.22
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -51,7 +51,7 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 7
 Requires(post): policycoreutils-python-utils
 %else
 Requires(post): policycoreutils-python
@@ -118,6 +118,15 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Tue Sep 5 2017 Dan Walsh - 2.22-1
+- Add additonal support for crio labeling.
+
+* Mon Aug 14 2017 Troy Dawson - 2.21-3
+- Fixup spec file conditionals
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2:2.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
 * Thu Jul 6 2017 Dan Walsh - 2.21-1
 - Allow containers to execmod on container_share_t files.
 
diff --git a/sources b/sources
index 28ef135..46ccc4f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@ -SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050 +SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08 From a285f680504913f3897edccf644967fbf38176f0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 7 Sep 2017 08:45:09 +0000 Subject: [PATCH 11/33] Allow container runtimes to create sockets in tmp dirs --- container-selinux.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/container-selinux.spec b/container-selinux.spec index 60adde7..c096def 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 58324f302613d8a9cf14896b9ca7e1348f9d6f0a +%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.22 +Version: 2.23 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Thu Sep 7 2017 Dan Walsh - 2.23-1 +- Allow container runtimes to create sockets in tmp dirs + * Tue Sep 5 2017 Dan Walsh - 2.22-1 - Add additonal support for crio labeling. From 485df1a6a4703cf208027afa9fe53b42b592cea0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 7 Sep 2017 09:01:33 +0000 Subject: [PATCH 12/33] Allow container runtimes to create sockets in tmp dirs --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 0ac645f..16244c3 100644 --- a/.gitignore +++ b/.gitignore 
@@ -17,3 +17,4 @@ /container-selinux-c5fd77f.tar.gz /container-selinux-c89e9b5.tar.gz /container-selinux-58324f3.tar.gz +/container-selinux-81ff96c.tar.gz diff --git a/sources b/sources index 46ccc4f..9f28103 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-58324f3.tar.gz) = cf794466e1b819a24b56f993f5f2e036a594c59fdb6a656400b9a27e4337287917a798e43b50d61fb1de64c869b2fcf4a6156b63a7b5775a22a16709fcbe8e08 +SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98 From 89a5c31e92464b9e010396f383092ed63ca59222 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 22 Sep 2017 11:11:20 +0000 Subject: [PATCH 13/33] Make sure container_runtime_t has all access of container_t --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 16244c3..109031b 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ /container-selinux-c89e9b5.tar.gz /container-selinux-58324f3.tar.gz /container-selinux-81ff96c.tar.gz +/container-selinux-a9260d4.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index c096def..182d6d7 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 81ff96c3e100ec23f7934000e96adab56762fd96 +%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.23 +Version: 2.24 Release: 1%{?dist} License: GPLv2 URL: %{git0} 
@@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Fri Sep 22 2017 Dan Walsh - 2.24-1 +- Make sure container_runtime_t has all access of container_t + * Thu Sep 7 2017 Dan Walsh - 2.23-1 - Allow container runtimes to create sockets in tmp dirs diff --git a/sources b/sources index 9f28103..b692fbb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-81ff96c.tar.gz) = 4d1fac6319e0f45ed6daf0413bdb4f9bbc6389d8aef3039a5d089084937df9baa67106f33dfd50911d81f47a8f7867cdd1c74a441e8a86fe5d57c87299a46c98 +SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981 From 4d68bd6e3503d22caa907f1fc43df215d625a630 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 4 Oct 2017 09:11:49 +0000 Subject: [PATCH 14/33] Allow container runtimes to work with the netfilter sockets Allow container_file_t to be an entrypoint for VM's Allow spc_t domains to transition to svirt_t --- .gitignore | 1 + container-selinux.spec | 9 +++++++-- sources | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 109031b..df07220 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ /container-selinux-58324f3.tar.gz /container-selinux-81ff96c.tar.gz /container-selinux-a9260d4.tar.gz +/container-selinux-e37e93d.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 182d6d7..46524c7 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf +%global commit0 e37e93dbe6cb058fc89c9c5de5ecd4c3be4354fb %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 
@@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.24 +Version: 2.27 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,11 @@ fi %{_datadir}/selinux/* %changelog +* Fri Sep 22 2017 Dan Walsh - 2.27-1 +- Allow container runtimes to work with the netfilter sockets +- Allow container_file_t to be an entrypoint for VM's +- Allow spc_t domains to transition to svirt_t + * Fri Sep 22 2017 Dan Walsh - 2.24-1 - Make sure container_runtime_t has all access of container_t diff --git a/sources b/sources index b692fbb..9baaa72 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981 +SHA512 (container-selinux-e37e93d.tar.gz) = faf644a4a13c0ffa1198d798390147f815d90aa27ca9af49df71575da1be8678bcbe12f0281f83b345945a29330c10df7c86f79f6862829902f71dc7e7431058 From 7e365500a8870850d27c13f68e77d6753be1927d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 9 Oct 2017 13:30:47 +0000 Subject: [PATCH 15/33] Allow a container to umount a container_file_t filesystem --- .gitignore | 1 + container-selinux.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index df07220..3661347 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /container-selinux-81ff96c.tar.gz /container-selinux-a9260d4.tar.gz /container-selinux-e37e93d.tar.gz +/container-selinux-de38c07.tar.gz diff --git a/container-selinux.spec b/container-selinux.spec index 46524c7..3a4c3df 100644 --- a/container-selinux.spec +++ b/container-selinux.spec 
@@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 e37e93dbe6cb058fc89c9c5de5ecd4c3be4354fb +%global commit0 de38c07f355f6d885192ed974236a735be9e455c %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.27 +Version: 2.28 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,9 @@ fi %{_datadir}/selinux/* %changelog +* Mon Oct 9 2017 Dan Walsh - 2.28-1 +- Allow a container to umount a container_file_t filesystem + * Fri Sep 22 2017 Dan Walsh - 2.27-1 - Allow container runtimes to work with the netfilter sockets - Allow container_file_t to be an entrypoint for VM's diff --git a/sources b/sources index 9baaa72..5829058 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-e37e93d.tar.gz) = faf644a4a13c0ffa1198d798390147f815d90aa27ca9af49df71575da1be8678bcbe12f0281f83b345945a29330c10df7c86f79f6862829902f71dc7e7431058 +SHA512 (container-selinux-de38c07.tar.gz) = bada050900ceb4972ee75330a5ca6de49561c208f15b669261f8f028b0783bc1cf5cc64e9c6e6fa79c7988ccec001e8084b10e04683ccd3c414c4b0ad53c651b From db10f72ff2b541668f3f40e6271d2abfad865d12 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 10 Oct 2017 16:18:26 +0000 Subject: [PATCH 16/33] Add support for lxcd Add support for labeling of tmpfs storage created within a container. --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 3661347..eedfcc2 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /container-selinux-a9260d4.tar.gz /container-selinux-e37e93d.tar.gz /container-selinux-de38c07.tar.gz +/container-selinux-0620186.tar.gz 
diff --git a/container-selinux.spec b/container-selinux.spec index 3a4c3df..1a9f183 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -3,7 +3,7 @@ # container-selinux %global git0 https://github.com/projectatomic/container-selinux %if 0%{?fedora} || 0%{?rhel} > 7 -%global commit0 de38c07f355f6d885192ed974236a735be9e455c +%global commit0 0620186b7396af617fa0f570e82e875e5b3ac8d7 %else # use upstream's RHEL-1.12 branch for CentOS 7 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1 @@ -35,7 +35,7 @@ Name: container-selinux %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7 Epoch: 2 %endif -Version: 2.28 +Version: 2.29 Release: 1%{?dist} License: GPLv2 URL: %{git0} @@ -118,6 +118,10 @@ fi %{_datadir}/selinux/* %changelog +* Tue Oct 10 2017 Dan Walsh - 2.29-1 +- Add support for lxcd +- Add support for labeling of tmpfs storage created within a container. + * Mon Oct 9 2017 Dan Walsh - 2.28-1 - Allow a container to umount a container_file_t filesystem diff --git a/sources b/sources index 5829058..f7a2a23 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (container-selinux-de38c07.tar.gz) = bada050900ceb4972ee75330a5ca6de49561c208f15b669261f8f028b0783bc1cf5cc64e9c6e6fa79c7988ccec001e8084b10e04683ccd3c414c4b0ad53c651b +SHA512 (container-selinux-0620186.tar.gz) = e28dfec9ae2444714314eb77fd74b5ddb41cb044b1806d8096a796f3a9b765d78cbf2d2b156ef7e16f87e7ee0fcbf511074042b6fe6cde09cc989c6b23ea1bea From 22a11a24ba523bcd7ca0a1749f3edba4365f1b9d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 26 Oct 2017 11:38:44 +0000 Subject: [PATCH 17/33] Allow the container runtime to dbus chat with dnsmasq add dontaudit rules for container trying to write to /proc --- .gitignore | 1 + container-selinux.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index eedfcc2..dfbcd0a 100644 --- a/.gitignore +++ b/.gitignore 
@@ -22,3 +22,4 @@
 /container-selinux-e37e93d.tar.gz
 /container-selinux-de38c07.tar.gz
 /container-selinux-0620186.tar.gz
+/container-selinux-47e0448.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1a9f183..1990cdf 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 0620186b7396af617fa0f570e82e875e5b3ac8d7
+%global commit0 47e0448a47a97cddbb66fd35d8ae536f980307f1
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.29
+Version: 2.31
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Thu Oct 26 2017 Dan Walsh - 2.31-1
+- Allow the container runtime to dbus chat with dnsmasq
+- add dontaudit rules for container trying to write to /proc
+
 * Tue Oct 10 2017 Dan Walsh - 2.29-1
 - Add support for lxcd
 - Add support for labeling of tmpfs storage created within a container.
diff --git a/sources b/sources
index f7a2a23..18fd0d9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-0620186.tar.gz) = e28dfec9ae2444714314eb77fd74b5ddb41cb044b1806d8096a796f3a9b765d78cbf2d2b156ef7e16f87e7ee0fcbf511074042b6fe6cde09cc989c6b23ea1bea
+SHA512 (container-selinux-47e0448.tar.gz) = 675b11109c33a2e7ecfbf67828f80c4f7a7245605024f76394d4b55351de2d8f3009058f7842d6f20eb9845b5a0d56cb395c48f9e5387935b8ad973e342397fe
From c642d7e1534c1b7532ad239e066e7785ddc0edb6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 8 Nov 2017 21:15:16 +0000
Subject: [PATCH 18/33] Make sure users creating content in /var/lib with right labels
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index dfbcd0a..a4d000c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@
 /container-selinux-de38c07.tar.gz
 /container-selinux-0620186.tar.gz
 /container-selinux-47e0448.tar.gz
+/container-selinux-b430a71.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 1990cdf..026fb14 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 47e0448a47a97cddbb66fd35d8ae536f980307f1
+%global commit0 b430a71a44ce80364ff3ef95fa8134afb35d667e
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.31
+Version: 2.32
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Nov 8 2017 Dan Walsh - 2.32-1
+- Make sure users creating content in /var/lib with right labels
+
 * Thu Oct 26 2017 Dan Walsh - 2.31-1
 - Allow the container runtime to dbus chat with dnsmasq
 - add dontaudit rules for container trying to write to /proc
diff --git a/sources b/sources
index 18fd0d9..4e83c9e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-47e0448.tar.gz) = 675b11109c33a2e7ecfbf67828f80c4f7a7245605024f76394d4b55351de2d8f3009058f7842d6f20eb9845b5a0d56cb395c48f9e5387935b8ad973e342397fe
+SHA512 (container-selinux-b430a71.tar.gz) = 7b89826e64c26bc57b86345dc482bca56d12ab730e9965b53802e97ed572b169aea3daf89d4f50b88ffa3878da157e6165dd2294d537e59fe97fafed9db141dc
From 947138ab8121dbd2c7b87f94735c4493329275f5 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sun, 19 Nov 2017 11:42:04 +0000
Subject: [PATCH 19/33] Allow containers to read /etc/resolv.conf and /etc/hosts if volume mounted into container.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index a4d000c..8d57c63 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@
 /container-selinux-0620186.tar.gz
 /container-selinux-47e0448.tar.gz
 /container-selinux-b430a71.tar.gz
+/container-selinux-0b666c4.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 026fb14..4ecf83a 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 b430a71a44ce80364ff3ef95fa8134afb35d667e
+%global commit0 0b666c4f1422d60dde6ffac69a919872385e289d
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.32
+Version: 2.33
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sun Nov 19 2017 Dan Walsh - 2.33-1
+- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
+- mounted into container.
+
 * Wed Nov 8 2017 Dan Walsh - 2.32-1
 - Make sure users creating content in /var/lib with right labels
diff --git a/sources b/sources
index 4e83c9e..d591a60 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-b430a71.tar.gz) = 7b89826e64c26bc57b86345dc482bca56d12ab730e9965b53802e97ed572b169aea3daf89d4f50b88ffa3878da157e6165dd2294d537e59fe97fafed9db141dc
+SHA512 (container-selinux-0b666c4.tar.gz) = 46833377d09ecd57d743f2277b225b6b381c55ac0b6f2331bc455f9e51cdd55774703d854735d98f9f4db54e0db7e14e29e4fb0229afd554cbe9efbd026bf20d
From 426e651721fe83bca9399d4ade447c36ce95f39f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Nov 2017 15:35:58 +0000
Subject: [PATCH 20/33] Dontaudit container processes getattr on kernel file systems
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8d57c63..30cc055 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
 /container-selinux-47e0448.tar.gz
 /container-selinux-b430a71.tar.gz
 /container-selinux-0b666c4.tar.gz
+/container-selinux-7fe0136.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 4ecf83a..930259e 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 0b666c4f1422d60dde6ffac69a919872385e289d
+%global commit0 7fe0136a943ef5428869ad930e5384b185ade39a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.33
+Version: 2.34
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Nov 22 2017 Dan Walsh - 2.34-1
+- Dontaudit container processes getattr on kernel file systems
+
 * Sun Nov 19 2017 Dan Walsh - 2.33-1
 - Allow containers to read /etc/resolv.conf and /etc/hosts if volume
 - mounted into container.
diff --git a/sources b/sources
index d591a60..67ca532 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-0b666c4.tar.gz) = 46833377d09ecd57d743f2277b225b6b381c55ac0b6f2331bc455f9e51cdd55774703d854735d98f9f4db54e0db7e14e29e4fb0229afd554cbe9efbd026bf20d
+SHA512 (container-selinux-7fe0136.tar.gz) = 93c80da31f8a6f4e333baed39d75f329467d3b4b9b499b486a2d635be62df072fedc28cd50c5cb005d4dbc2ae352d073b611b7d33b183c183f7ca551f307c39b
From 31e82a57c94b0ba096673ab6f092d25ab1aa67d9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 13:22:45 +0000
Subject: [PATCH 21/33] Allow container to map chr_files labeled container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 30cc055..a62e07f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
 /container-selinux-b430a71.tar.gz
 /container-selinux-0b666c4.tar.gz
 /container-selinux-7fe0136.tar.gz
+/container-selinux-dca3b87.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 930259e..ad1a2a4 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 7fe0136a943ef5428869ad930e5384b185ade39a
+%global commit0 dca3b870c4ee54ffd5703f32cd3a13365053ae2f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.34
+Version: 2.35
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Nov 27 2017 Dan Walsh - 2.35-1
+- Allow container to map chr_files labeled container_file_t
+
 * Wed Nov 22 2017 Dan Walsh - 2.34-1
 - Dontaudit container processes getattr on kernel file systems
diff --git a/sources b/sources
index 67ca532..8fdbf39 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-7fe0136.tar.gz) = 93c80da31f8a6f4e333baed39d75f329467d3b4b9b499b486a2d635be62df072fedc28cd50c5cb005d4dbc2ae352d073b611b7d33b183c183f7ca551f307c39b
+SHA512 (container-selinux-dca3b87.tar.gz) = 8be0d2a16f834156591a4ce27daaf1ceda98ca769c8e6b3be20c9d591afc3349e153424fb503e496b404407f96fd422cb482adab54e920e1487c98dc4d1c4e0d
From fd0719481c56e0cbffe52eca387725e69426934e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 14:44:12 +0000
Subject: [PATCH 22/33] Allow container to map chr_files labeled container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index a62e07f..bb11c38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /container-selinux-0b666c4.tar.gz
 /container-selinux-7fe0136.tar.gz
 /container-selinux-dca3b87.tar.gz
+/container-selinux-f9a30e8.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index ad1a2a4..bc16ae6 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 dca3b870c4ee54ffd5703f32cd3a13365053ae2f
+%global commit0 f9a30e8011afcfd159aa383d746e2c99f67c9b3a
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
diff --git a/sources b/sources
index 8fdbf39..203307c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-dca3b87.tar.gz) = 8be0d2a16f834156591a4ce27daaf1ceda98ca769c8e6b3be20c9d591afc3349e153424fb503e496b404407f96fd422cb482adab54e920e1487c98dc4d1c4e0d
+SHA512 (container-selinux-f9a30e8.tar.gz) = 754a3851aa27dd977861cca8977354fc5899887c5c9e4e2b79c989ebb3c91c25d04e5c31ee6452732a1857ceed5fa7dce172b27c11691d52b552446928e36758
From 21cd0d4949adffbec1c4040655b03573732e1792 Mon Sep 17 00:00:00 2001
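Review bot: The `@@ -3,7 +3,7 @@` hunk of PATCH 22/33 moves commit0 from dca3b870c4ee54ffd5703f32cd3a13365053ae2f to f9a30e8011afcfd159aa383d746e2c99f67c9b3a without touching `Version`, `Release` or `%changelog`, so this build keeps the 2.35-1 NVR that the preceding patch assigned to a different upstream tarball. Two distinct source archives published under one NVR cannot be told apart afterwards, which weakens reproducibility and any audit of which policy actually shipped. A `Release: 2%{?dist}` bump together with a changelog line naming the new commit would keep the NVR bound to exactly one source; the spec hunk is complete within this span.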
From: Daniel J Walsh
Date: Mon, 27 Nov 2017 14:58:16 +0000
Subject: [PATCH 23/33] Allow containers to relabelto/from all file types to container_file_t
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index bb11c38..4c9bf29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@
 /container-selinux-7fe0136.tar.gz
 /container-selinux-dca3b87.tar.gz
 /container-selinux-f9a30e8.tar.gz
+/container-selinux-d985665.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index bc16ae6..da103c2 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 f9a30e8011afcfd159aa383d746e2c99f67c9b3a
+%global commit0 d985665b8129d2f8553621539c5a3355e36887a5
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.35
+Version: 2.36
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -118,6 +118,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Nov 27 2017 Dan Walsh - 2.36-1
+- Allow containers to relabelto/from all file types to container_file_t
+
 * Mon Nov 27 2017 Dan Walsh - 2.35-1
 - Allow container to map chr_files labeled container_file_t
diff --git a/sources b/sources
index 203307c..4444f6e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-f9a30e8.tar.gz) = 754a3851aa27dd977861cca8977354fc5899887c5c9e4e2b79c989ebb3c91c25d04e5c31ee6452732a1857ceed5fa7dce172b27c11691d52b552446928e36758
+SHA512 (container-selinux-d985665.tar.gz) = 173c7f733d6588ec85436b28b1acff734777d1b506c6ba2f20019dedcda39969d8f6c159daa8c0e37940ef5ae2af1ac47b241a9f60e086a559e1e98b8353d24b
From 06bc2d9bc10209894591e949fb03f9c31e96c755 Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Sun, 3 Dec 2017 21:38:21 -0500
Subject: [PATCH 24/33] remove git from builddep can't find git in the module ecosystem and git isn't critical for package build.
Signed-off-by: Lokesh Mandvekar
---
 container-selinux.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index da103c2..dd44702 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -42,7 +42,6 @@ URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 BuildArch: noarch
-BuildRequires: git
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %{selinux_policyver}
 BuildRequires: selinux-policy-devel >= %{selinux_policyver}
@@ -65,7 +64,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%setup -q -n %{name}-%{commit0}
 %build
 make
From 25cb53d06ed9a3be6b05797eba486d0a06a84f42 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 12 Dec 2017 13:12:53 +0000
Subject: [PATCH 25/33] Allow containers to use inherited ttys Allow ostree to handle labels under /var/lib/containers/ostree
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4c9bf29..6fb3e4a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@
 /container-selinux-dca3b87.tar.gz
 /container-selinux-f9a30e8.tar.gz
 /container-selinux-d985665.tar.gz
+/container-selinux-8ba32a4.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index dd44702..5c691c3 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
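Review bot: Replacing `%autosetup -Sgit` with `%setup -q` in the `%prep` hunk of PATCH 24/33 drops more than the git backend: `%setup` does not apply `PatchN:` entries at all, so any patch the spec carries or later gains would be silently skipped instead of failing the build. No Patch entries are visible in this span, so today this is probably harmless, but it is a quiet behaviour change that the commit message ("git isn't critical for package build") does not mention. `%autosetup -p1 -n %{name}-%{commit0}` keeps automatic patch application with the default `patch` backend and still lets the `BuildRequires: git` removal in the first hunk stand. Both hunks of this file section are complete within the span.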
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d985665b8129d2f8553621539c5a3355e36887a5
+%global commit0 8ba32a4fd3a235373e9871b90e60a61a1a382471
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.36
+Version: 2.37
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Dec 12 2017 Dan Walsh - 2.37-1
+- Allow containers to use inherited ttys
+- Allow ostree to handle labels under /var/lib/containers/ostree
+
 * Mon Nov 27 2017 Dan Walsh - 2.36-1
 - Allow containers to relabelto/from all file types to container_file_t
diff --git a/sources b/sources
index 4444f6e..87e6ab9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d985665.tar.gz) = 173c7f733d6588ec85436b28b1acff734777d1b506c6ba2f20019dedcda39969d8f6c159daa8c0e37940ef5ae2af1ac47b241a9f60e086a559e1e98b8353d24b
+SHA512 (container-selinux-8ba32a4.tar.gz) = f23324003695989d93a4fd149fcd7fc739c84aadedb0ac5919e00cdcef06c0fb89967e191391d1650d79f972d88ce6d966566b2a8762b4961343c748de63be9e
From 373b35483798c0b0d387a8a2eb307d4dd5015cd5 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 6 Jan 2018 07:35:29 -0500
Subject: [PATCH 26/33] Allow container runtimes to mmap container_file_t devices Add labeling for rhel push plugin
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6fb3e4a..20ff007 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@
 /container-selinux-f9a30e8.tar.gz
 /container-selinux-d985665.tar.gz
 /container-selinux-8ba32a4.tar.gz
+/container-selinux-26c642a.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 5c691c3..03bea77 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 8ba32a4fd3a235373e9871b90e60a61a1a382471
+%global commit0 26c642ae12820ff55697d6101f33d8b5b4274296
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.37
+Version: 2.38
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Jan 6 2018 Dan Walsh - 2.38-1
+- Allow container runtimes to mmap container_file_t devices
+- Add labeling for rhel push plugin
+
 * Tue Dec 12 2017 Dan Walsh - 2.37-1
 - Allow containers to use inherited ttys
 - Allow ostree to handle labels under /var/lib/containers/ostree
diff --git a/sources b/sources
index 87e6ab9..9afc32c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-8ba32a4.tar.gz) = f23324003695989d93a4fd149fcd7fc739c84aadedb0ac5919e00cdcef06c0fb89967e191391d1650d79f972d88ce6d966566b2a8762b4961343c748de63be9e
+SHA512 (container-selinux-26c642a.tar.gz) = ae172f6650b542a51963df4089687107363ec47727d8e5bacd8478df1aa2cb19c569801e7692b0e6a5b36d46efeffb0c3e3c9df76e678381265346ad79a0819e
From 0da116e4a745e15bf4b5c43f0651a28f05c7dc39 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 8 Jan 2018 08:41:55 -0500
Subject: [PATCH 27/33] Allow container runtimes to use interited terminals. This helps satisfy the bounds check of container_t versus container_runtime_t.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 20ff007..cc777fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@
 /container-selinux-d985665.tar.gz
 /container-selinux-8ba32a4.tar.gz
 /container-selinux-26c642a.tar.gz
+/container-selinux-96e58bf.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 03bea77..bf0ac61 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 26c642ae12820ff55697d6101f33d8b5b4274296
+%global commit0 96e58bf7fd152f24f6b95efc156d8cbb4446c354
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.38
+Version: 2.39
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Jan 8 2018 Dan Walsh - 2.39-1
+- Allow container runtimes to use interited terminals. This helps
+satisfy the bounds check of container_t versus container_runtime_t.
+
 * Sat Jan 6 2018 Dan Walsh - 2.38-1
 - Allow container runtimes to mmap container_file_t devices
 - Add labeling for rhel push plugin
diff --git a/sources b/sources
index 9afc32c..c291f4b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-26c642a.tar.gz) = ae172f6650b542a51963df4089687107363ec47727d8e5bacd8478df1aa2cb19c569801e7692b0e6a5b36d46efeffb0c3e3c9df76e678381265346ad79a0819e
+SHA512 (container-selinux-96e58bf.tar.gz) = d496b4ba8aa1c47b47dbed644b9d8a9e97e154814b878280929108609820aa30b00aa6dba37edc83568fcd8c82343b82fae642db6c18e2deddfaf499cc8276c5
From cb65ff1f2bbb639f235e43cb888f0eb38f1fb1df Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 9 Jan 2018 09:30:45 -0500
Subject: [PATCH 28/33] Allow container_runtime_t to use user ttys Fixes bounds check for container_t
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index cc777fe..9489df1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@
 /container-selinux-8ba32a4.tar.gz
 /container-selinux-26c642a.tar.gz
 /container-selinux-96e58bf.tar.gz
+/container-selinux-599072a.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index bf0ac61..a0a357a 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 96e58bf7fd152f24f6b95efc156d8cbb4446c354
+%global commit0 599072a930b995ba13ca7a4a6add7e808aa9b01f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.39
+Version: 2.40
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 9 2018 Dan Walsh - 2.40-1
+- Allow container_runtime_t to use user ttys
+- Fixes bounds check for container_t
+
 * Mon Jan 8 2018 Dan Walsh - 2.39-1
 - Allow container runtimes to use interited terminals. This helps
 satisfy the bounds check of container_t versus container_runtime_t.
diff --git a/sources b/sources
index c291f4b..4135ee4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-96e58bf.tar.gz) = d496b4ba8aa1c47b47dbed644b9d8a9e97e154814b878280929108609820aa30b00aa6dba37edc83568fcd8c82343b82fae642db6c18e2deddfaf499cc8276c5
+SHA512 (container-selinux-599072a.tar.gz) = d3b21648444c83623b952ce08e4317f1400c6e2ed54923512e6e8fafdf2abd539d85d4e1e5c9f19144666bb2792ca991a3f77f6f7e9b927a5869c4be16324684
From 4aa4cce607d7afbe51e4a498b21312b40c4835d9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 9 Jan 2018 11:48:13 -0500
Subject: [PATCH 29/33] Add support to nnp_transition for container domains Eliminates need for typebounds.
---
 .gitignore | 1 +
 container-selinux.spec | 8 ++++++--
 sources | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9489df1..2339939 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@
 /container-selinux-26c642a.tar.gz
 /container-selinux-96e58bf.tar.gz
 /container-selinux-599072a.tar.gz
+/container-selinux-231b213.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index a0a357a..f4b7e87 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 599072a930b995ba13ca7a4a6add7e808aa9b01f
+%global commit0 231b213555c3a3d38dcfa69c854ab95d1c8bf6eb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.40
+Version: 2.41
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,10 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 9 2018 Dan Walsh - 2.41-1
+- Add support to nnp_transition for container domains
+- Eliminates need for typebounds.
+
 * Tue Jan 9 2018 Dan Walsh - 2.40-1
 - Allow container_runtime_t to use user ttys
 - Fixes bounds check for container_t
diff --git a/sources b/sources
index 4135ee4..64b389b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-599072a.tar.gz) = d3b21648444c83623b952ce08e4317f1400c6e2ed54923512e6e8fafdf2abd539d85d4e1e5c9f19144666bb2792ca991a3f77f6f7e9b927a5869c4be16324684
+SHA512 (container-selinux-231b213.tar.gz) = be907960062135a71d82921b51b53e9fdbdd7db85200e511487469215cec014aa253b49525098282d817808d4862b2de46f0df0314811de70b6bb82a711cc9eb
From f846c338af6211138fa47db472108bb79d940d7a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 16 Jan 2018 13:57:08 -0500
Subject: [PATCH 30/33] Allow unconfined domains to transition to container types, when no-new-privs is set.
---
 .gitignore | 1 +
 container-selinux.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2339939..9361781 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@
 /container-selinux-96e58bf.tar.gz
 /container-selinux-599072a.tar.gz
 /container-selinux-231b213.tar.gz
+/container-selinux-d148550.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index f4b7e87..91ac826 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 231b213555c3a3d38dcfa69c854ab95d1c8bf6eb
+%global commit0 d148550d8c829bd2ee557fe503d2b8f9df53db8f
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.41
+Version: 2.42
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Tue Jan 16 2018 Dan Walsh - 2.42-1
+- Allow unconfined domains to transition to container types, when no-new-privs is set.
+
 * Tue Jan 9 2018 Dan Walsh - 2.41-1
 - Add support to nnp_transition for container domains
 - Eliminates need for typebounds.
diff --git a/sources b/sources
index 64b389b..3e23a9d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-231b213.tar.gz) = be907960062135a71d82921b51b53e9fdbdd7db85200e511487469215cec014aa253b49525098282d817808d4862b2de46f0df0314811de70b6bb82a711cc9eb
+SHA512 (container-selinux-d148550.tar.gz) = 43b8f93c552a0879aa8743703dd0ccc75e7b207c6a4c4c14ec9b85f125307c8aab8914d48be983fc94b9ca1413c112a340ddf9bf0da0751986701c809ece5e27
From de8c560d08840ccc7de43082ef1604bf724b4d58 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 29 Jan 2018 07:11:48 +0100
Subject: [PATCH 31/33] Allow container domains to read kernel ipc info
---
 .gitignore | 2 ++
 container-selinux.spec | 11 +++++++++--
 sources | 2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9361781..2ccd52a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,5 @@
 /container-selinux-599072a.tar.gz
 /container-selinux-231b213.tar.gz
 /container-selinux-d148550.tar.gz
+/container-selinux-dfcc97d.tar.gz
+/container-selinux-38a982b.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 91ac826..d40abc1 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 d148550d8c829bd2ee557fe503d2b8f9df53db8f
+%global commit0 38a982b915dcd9f4a0a49217066fcc93c8ff4184
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.42
+Version: 2.44
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,13 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Mon Jan 29 2018 Dan Walsh - 2.44-1
+- Allow container domains to read kernel ipc info
+
+* Mon Jan 22 2018 Dan Walsh - 2.43-1
+- Allow containers to memory map the fifo_files leaked into container from
+container runtimes.
+
 * Tue Jan 16 2018 Dan Walsh - 2.42-1
 - Allow unconfined domains to transition to container types, when no-new-privs is set.
diff --git a/sources b/sources
index 3e23a9d..7f46c5c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-d148550.tar.gz) = 43b8f93c552a0879aa8743703dd0ccc75e7b207c6a4c4c14ec9b85f125307c8aab8914d48be983fc94b9ca1413c112a340ddf9bf0da0751986701c809ece5e27
+SHA512 (container-selinux-38a982b.tar.gz) = 6b32edc3843d7dbe4329779181c7caf1a96d66faada19becfb7fe5d297a0757bcafcc944fa862114b6d0fafe68e145ce214523a3a68b28627b76fa51546e10a7
From f4c446bc2c20d805a6cc0e2be3c93835e76146b5 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 2 Feb 2018 13:41:12 -0500
Subject: [PATCH 32/33] Allow containers to sendto their own stream sockets
---
 container-selinux.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/container-selinux.spec b/container-selinux.spec
index d40abc1..5ec50b0 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 38a982b915dcd9f4a0a49217066fcc93c8ff4184
+%global commit0 95b7c01e1c986e6069a2736dec393c657c11fe6e
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
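Review bot: In the `@@ -3,7 +3,7 @@` hunk of PATCH 32/33 commit0 moves to 95b7c01e1c986e6069a2736dec393c657c11fe6e, but the diffstat lists only container-selinux.spec, so `sources` still carries the SHA512 of container-selinux-38a982b.tar.gz while Source0 now expands to container-selinux-95b7c01.tar.gz and .gitignore is not updated either. With no recorded digest for the new tarball the build has nothing to verify the fetched archive against, so it either fails to fetch or proceeds from an unpinned source; the following patch, which replaces the 38a982b line directly, suggests the entry was never added for this commit. The bump should be accompanied by a `sources` line of the form `SHA512 (container-selinux-95b7c01.tar.gz) = <digest-of-new-tarball>` (placeholder) and the matching .gitignore entry.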
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.44
+Version: 2.45
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,9 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Fri Feb 02 2018 Dan Walsh - 2.45-1
+- Allow containers to sendto their own stream sockets
+
 * Mon Jan 29 2018 Dan Walsh - 2.44-1
 - Allow container domains to read kernel ipc info
From e2a7448aaee32265ba23b6526e995e0592195832 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 10 Feb 2018 07:20:10 -0500
Subject: [PATCH 33/33] Change default label of /exports to container_var_lib_t
---
 .gitignore | 2 ++
 container-selinux.spec | 17 ++++++++++++++---
 sources | 2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2ccd52a..a1882f4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,5 @@
 /container-selinux-d148550.tar.gz
 /container-selinux-dfcc97d.tar.gz
 /container-selinux-38a982b.tar.gz
+/container-selinux-2377c73.tar.gz
+/container-selinux-aece4ff.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
index 5ec50b0..12de1ea 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -3,7 +3,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 95b7c01e1c986e6069a2736dec393c657c11fe6e
+%global commit0 aece4ff33825561eb153f6e697afbde309c46efb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -35,7 +35,7 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.45
+Version: 2.47
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -117,6 +117,17 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Sat Feb 10 2018 Dan Walsh - 2.47-1
+- Change default label of /exports to container_var_lib_t
+
+* Fri Feb 09 2018 Igor Gnatenko - 2:2.46-3
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Dan Walsh - 2.46-1
+- Add support for nosuid_transition flags for container_runtime and unconfined domains
 * Fri Feb 02 2018 Dan Walsh - 2.45-1
 - Allow containers to sendto their own stream sockets
@@ -273,7 +284,7 @@ satisfy the bounds check of container_t versus container_runtime_t.
 - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
 * Tue Jan 10 2017 Jonathan Lebon - 2:2.2-3
-- properly disable doc<br>ker module in %post
+- properly disable docker module in %%post
 * Sat Jan 07 2017 Lokesh Mandvekar - 2:2.2-2
 - depend on selinux-policy-targeted
diff --git a/sources b/sources
index 7f46c5c..81ef3da 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (container-selinux-38a982b.tar.gz) = 6b32edc3843d7dbe4329779181c7caf1a96d66faada19becfb7fe5d297a0757bcafcc944fa862114b6d0fafe68e145ce214523a3a68b28627b76fa51546e10a7
+SHA512 (container-selinux-aece4ff.tar.gz) = 23d14ce8b1e4176fb52591edf61ce3efb21a461ddb6df75ca2b50ea2f8746a0f74e3319163b56f936d0dda8736f1d38d2900d1f486743aa8b62a022dfadb7c7d