Update to 2.245.0 upstream release

Upstream tag: v2.245.0 Upstream commit: 3f7c37e9 Commit authored by Packit automation (https://packit.dev/)
Update to 2.244.0 upstream release
2025-12-15 15:49:15 +00:00 · 2025-12-01 15:51:17 +00:00 · 2025-11-07 19:05:10 +00:00 · 2025-09-05 14:44:40 +00:00 · 2025-08-19 16:05:32 +00:00 · 2025-08-07 12:54:13 +00:00
12 changed files with 520 additions and 409 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -74,3 +74,172 @@
 /container-selinux-484806a.tar.gz
 /container-selinux-21c2be6.tar.gz
 /container-selinux-5e1f62f.tar.gz
+/container-selinux-ec6fcad.tar.gz
+/container-selinux-eb60838.tar.gz
+/container-selinux-92af7fd.tar.gz
+/container-selinux-c178849.tar.gz
+/container-selinux-891a85f.tar.gz
+/container-selinux-2c1a2ab.tar.gz
+/container-selinux-5c98b56.tar.gz
+/container-selinux-2521d0d.tar.gz
+/container-selinux-619db17.tar.gz
+/container-selinux-acc6941.tar.gz
+/container-selinux-1e99f1d.tar.gz
+/container-selinux-e3ebc68.tar.gz
+/container-selinux-a6c9822.tar.gz
+/container-selinux-aa7b807.tar.gz
+/container-selinux-9a53d6c.tar.gz
+/container-selinux-3b78187.tar.gz
+/container-selinux-b0061dc.tar.gz
+/container-selinux-1c24dcb.tar.gz
+/container-selinux-b275a1f.tar.gz
+/container-selinux-7baad79.tar.gz
+/container-selinux-fc7111d.tar.gz
+/container-selinux-453b816.tar.gz
+/container-selinux-db771da.tar.gz
+/container-selinux-544d71f.tar.gz
+/container-selinux-9a75deb.tar.gz
+/container-selinux-b68cf19.tar.gz
+/container-selinux-4f7d6bb.tar.gz
+/container-selinux-028ab00.tar.gz
+/container-selinux-fddfbbb.tar.gz
+/container-selinux-c5ef5ac.tar.gz
+/container-selinux-bfde70a.tar.gz
+/container-selinux-79bdcb5.tar.gz
+/container-selinux-b383f07.tar.gz
+/container-selinux-2ecb2a8.tar.gz
+/container-selinux-6fb6dcf.tar.gz
+/container-selinux-a233788.tar.gz
+/container-selinux-4560dd4.tar.gz
+/container-selinux-661a904.tar.gz
+/container-selinux-0b25a4a.tar.gz
+/container-selinux-f958d0c.tar.gz
+/container-selinux-5624558.tar.gz
+/container-selinux-b321ea4.tar.gz
+/container-selinux-fde876b.tar.gz
+/container-selinux-ae0720d.tar.gz
+/container-selinux-867a377.tar.gz
+/container-selinux-6caf15d.tar.gz
+/container-selinux-363646f.tar.gz
+/container-selinux-f00d1f4.tar.gz
+/container-selinux-fd55ae0.tar.gz
+/container-selinux-9ce0dac.tar.gz
+/container-selinux-448dfbf.tar.gz
+/container-selinux-0a878bd.tar.gz
+/container-selinux-ff26015.tar.gz
+/container-selinux-0d99e89.tar.gz
+/container-selinux-441172a.tar.gz
+/container-selinux-6b721da.tar.gz
+/container-selinux-9884317.tar.gz
+/container-selinux-8c26927.tar.gz
+/container-selinux-965c7fb.tar.gz
+/container-selinux-2750e78.tar.gz
+/container-selinux-fe6a25c.tar.gz
+/container-selinux-e2d5a9e.tar.gz
+/container-selinux-746ea7a.tar.gz
+/container-selinux-5d929d4.tar.gz
+/container-selinux-464e922.tar.gz
+/container-selinux-2908536.tar.gz
+/container-selinux-9fb1698.tar.gz
+/container-selinux-3c361a2.tar.gz
+/container-selinux-9b3b66f.tar.gz
+/container-selinux-0ef4703.tar.gz
+/container-selinux-5d3c461.tar.gz
+/container-selinux-1677bc4.tar.gz
+/container-selinux-8573f8d.tar.gz
+/container-selinux-54e2ac5.tar.gz
+/container-selinux-667f0f3.tar.gz
+/container-selinux-75f193a.tar.gz
+/container-selinux-f330e81.tar.gz
+/container-selinux-6d13bf9.tar.gz
+/container-selinux-eb6dad0.tar.gz
+/container-selinux-aeb85c4.tar.gz
+/container-selinux-e78ac4f.tar.gz
+/container-selinux-d89a599.tar.gz
+/container-selinux-c9f0cb6.tar.gz
+/v2.155.0.tar.gz
+/container-selinux-5a60716.tar.gz
+/container-selinux-e1092cd.tar.gz
+/container-selinux-da28288.tar.gz
+/container-selinux-233e620.tar.gz
+/container-selinux-61b862a.tar.gz
+/container-selinux-99b40c5.tar.gz
+/container-selinux-563ba3f.tar.gz
+/v2.167.0.tar.gz
+/v2.168.0.tar.gz
+/v2.169.0.tar.gz
+/v2.170.0.tar.gz
+/v2.171.0.tar.gz
+/v2.172.0.tar.gz
+/v2.172.1.tar.gz
+/v2.173.0.tar.gz
+/v2.173.1.tar.gz
+/v2.173.2.tar.gz
+/v2.174.0.tar.gz
+/v2.176.0.tar.gz
+/v2.177.0.tar.gz
+/v2.178.0.tar.gz
+/v2.179.1.tar.gz
+/v2.180.0.tar.gz
+/v2.181.0.tar.gz
+/v2.183.0.tar.gz
+/v2.186.0.tar.gz
+/v2.187.0.tar.gz
+/v2.188.0.tar.gz
+/v2.189.0.tar.gz
+/v2.190.0.tar.gz
+/v2.190.1.tar.gz
+/v2.191.0.tar.gz
+/v2.193.0.tar.gz
+/v2.195.0.tar.gz
+/v2.195.1.tar.gz
+/v2.197.0.tar.gz
+/v2.198.0.tar.gz
+/v2.199.0.tar.gz
+/v2.200.0.tar.gz
+/v2.201.0.tar.gz
+/v2.202.0.tar.gz
+/v2.203.0.tar.gz
+/v2.204.0.tar.gz
+/v2.205.0.tar.gz
+/v2.206.0.tar.gz
+/v2.208.0.tar.gz
+/v2.209.0.tar.gz
+/v2.210.0.tar.gz
+/v2.211.0.tar.gz
+/v2.211.1.tar.gz
+/v2.213.0.tar.gz
+/v2.215.0.tar.gz
+/v2.216.0.tar.gz
+/v2.217.0.tar.gz
+/v2.218.0.tar.gz
+/v2.219.0.tar.gz
+/v2.221.tar.gz
+/v2.221.0.tar.gz
+/v2.221.1.tar.gz
+/v2.222.0.tar.gz
+/v2.224.0.tar.gz
+/v2.226.0.tar.gz
+/v2.227.0.tar.gz
+/v2.228.0.tar.gz
+/v2.228.1.tar.gz
+/v2.229.0.tar.gz
+/v2.229.1.tar.gz
+/v2.230.0.tar.gz
+/v2.231.0.tar.gz
+/packit-tmt-bodhi-reuse.zip
+/v2.232.1.tar.gz
+/v2.233.0.tar.gz
+/v2.234.1.tar.gz
+/v2.234.2.tar.gz
+/v2.235.0.tar.gz
+/v2.236.0.tar.gz
+/v2.237.0.tar.gz
+/v2.238.0.tar.gz
+/v2.239.0.tar.gz
+/v2.240.0.tar.gz
+/v2.241.0.tar.gz
+/v2.242.0.tar.gz
+/v2.243.0.tar.gz
+/v2.244.0.tar.gz
+/v2.245.0.tar.gz
--- a/.packit.yaml
+++ b/.packit.yaml
@ -0,0 +1,145 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: container-selinux
+upstream_tag_template: v{version}
+
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+    mkpath: true
+  - src: test/
+    dest: test/
+    delete: true
+    mkpath: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &eln_copr_targets
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # All tests specified in the `/plans/` subdir
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *test_failure_notification
+    targets: *eln_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-eln/rhcontainerbot-podman-next-fedora-eln.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-fedora]
+    dist_git_branches: &fedora_targets
+      - fedora-all
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches: *fedora_targets
+
+  - job: bodhi_update
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically
--- a/README.packit
+++ b/README.packit
@ -0,0 +1,3 @@
+This repository is maintained by packit.
+https://packit.dev/
+The file was generated using packit 1.13.0.
--- a/container-selinux.spec
+++ b/container-selinux.spec
@ -1,13 +1,7 @@
-%global debug_package   %{nil}
-
-# container-selinux
-%global git0 https://github.com/projectatomic/container-selinux
-%global commit0 5e1f62fe319ebbef46bcabc8cc5e22d209411dda
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+%global debug_package %{nil}

 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container

@ -16,43 +10,73 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

-# Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif

-# Version of SELinux we were using
-%global selinux_policyver 3.13.1-220
+# https://github.com/containers/container-selinux/issues/203
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
+# set copr_build is more intuitive than copr_username
+%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
+%define next_build 1
+%endif

 Name: container-selinux
-%if 0%{?fedora}
-Epoch: 2
+# Set different Epoch for rhcontainerbot/podman-next copr build
+%if %{defined next_build}
+Epoch: 102
+%else
+Epoch: 4
 %endif
-Version: 2.82
-Release: 1.git%{shortcommit0}%{?dist}
-License: GPLv2
-URL: %{git0}
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 2.245.0
+Release: %autorelease
+License: GPL-2.0-only
+URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Source0: %{url}/archive/v%{version}.tar.gz
 BuildArch: noarch
-BuildRequires: git
+BuildRequires: make
+BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %{selinux_policyver}
-BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %{selinux_policyver}
-Requires(post): selinux-policy-base >= %{selinux_policyver}
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
-Provides: docker-selinux = %{epoch}:%{version}-%{release}
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
+Conflicts: udica < 0.2.6-1
+Conflicts: k3s-selinux <= 0.4-1

 %description
 SELinux policy modules for use with container runtimes.

 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit %{name}-%{version}
+
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{defined no_user_namespace}
+sed -i '/user_namespace/d' container.te
+%endif
+
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif

 %build
 make
@ -60,407 +84,58 @@ make
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-install -d %{buildroot}%{_datadir}/selinux/packages
-install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
-install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
-install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user

-# remove spec file
-rm -rf container-selinux.spec
-
-%check
+%pre
+%selinux_relabel_pre

 %post
 # Install all modules in a single transaction
 if [ $1 -eq 1 ]; then
-	%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
-if %{_sbindir}/selinuxenabled ; then
-    %{_sbindir}/load_policy
-    %relabel_files
-    if [ $1 -eq 1 ]; then
-	restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
-	restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
-    fi
-fi
 . %{_sysconfdir}/selinux/config
-sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :

 %postun
 if [ $1 -eq 0 ]; then
-%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
-if %{_sbindir}/selinuxenabled ; then
-%{_sbindir}/load_policy
-%relabel_files
-fi
+   %selinux_modules_uninstall %{modulenames} docker
 fi

+%posttrans
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check
+
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}

 %files
 %doc README.md
 %{_datadir}/selinux/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
+%dir %{_datadir}/udica/templates/
+%{_datadir}/udica/templates/*
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+    echo "Fixing Rootless SELinux labels in homedir"
+    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null
+fi

 %changelog
-* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1
- Allow confined users to use containers
-
-* Fri Feb 08 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.80-3.git21c2be6
- bump to 2.80
- autobuilt 21c2be6
-
-* Thu Feb 7 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.81-1
- Add new labels for paths for containerd
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.80-2.git1b655d9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Jan 22 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.80-1.nightly.git21c2be6
- Don't allow containers to talk to contianer runtime sockets
-
-* Fri Jan 11 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.79-1
- Fix labeling on /var/lib/registries
-
-* Thu Jan 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.78-1
- Fix labeling for images in docker daemon user namespace
-
-* Mon Dec 17 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.77-1
- Allow container-runtime to setattr on fifo_file handed into container runtime.
-
-* Tue Nov 13 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.752.75-1.dev.git99e2cfd1
- bump to 2.75
- autobuilt 99e2cfd
-
-* Mon Nov 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.76-1
- Allow containers to sendto dgram socket of container runtimes
- Needed to run container runtimes in notify socket unit files.
-
-* Tue Oct 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.75-1.dev.git99e2cfd
- Allow containers to use fuse file systems by default
-
-* Fri Oct 19 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.74-1
- Allow containers to setexec themselves
-
-* Sat Sep 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.73-2
- Remove requires for policycoreutils-python-utils we don't need it.
-
-* Wed Sep 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.73-1
- Define spc_t as a container_domain, so that container_runtime will transition
-to spc_t even when setup with nosuid.
-
-* Wed Sep 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.72-1
- Allow container_runtimes to setattr on callers fifo_files
-github.com/opencontainers/selinux
-* Mon Aug 27 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.71-2
- Fix restorecon to not error on missing directory
-
-* Wed Aug 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.71-1
- Allow unconfined_r to transition to system_r over container_runtime_exec_t
-
-* Wed Aug 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.70-1
- Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
-
-* Wed Jul 25 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-1
- dontaudit attempts to write to sysctl_kernel_t
-
-* Wed Jul 18 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.68-2.gitc139a3d
- autobuilt c139a3d
-
-* Mon Jul 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.67-1
- Add label for /var/lib/origin
- Add customizable_file_t to customizable_types
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.67-3.dev.git042f7cf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Jul 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-2.git042f7cf
- autobuilt 042f7cf
-
-* Sat Jul 07 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-1.git0407867
- bump to 2.67
- autobuilt 0407867
-
-* Sat Jun 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.66-1
- Allow container runtimes to dbus chat with systemd-resolved
-
-* Tue Jun 12 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.64-1.gitdfaf8fd
- bump to 2.64
- autobuilt dfaf8fd
-
-* Mon Jun 11 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.65-1
- Add new type to handle containers running with a non priv user in a userns
- allow containers to map all sockets
-
-* Sun Jun 3 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.64-1.gitdfaf8fd
- Allow containers to create all socket classes
-
-* Wed May 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.63-1
- Allow containers to create icmp packets
-
-* Fri May 25 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.62-1.git1ecf953
- bump to 2.62
- autobuilt 1ecf953
-
-* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
- Allow spc_t to load kernel modules from inside of container 
-
-* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
- Allow containers to list cgroup directories
-
-* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.59-1
- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.
-
-* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-2
- Run restorecon /usr/bin/podman in postinstall
-
-* Fri May 18 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-1
- Add labels to allow podman to be run from a systemd unit file
-
-* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-12.gitd248f91
- autobuilt commit d248f91
-
-* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-11.gitd248f91
- autobuilt commit d248f91
-
-* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-10.gitd248f91
- autobuilt commit d248f91
-
-* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-9.gitd248f91
- autobuilt commit d248f91
-
-* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-8
- autobuilt commit d248f91
-
-* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-7
- autobuilt commit d248f91
-
-* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-6
- autobuilt commit d248f91
-
-* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-5
- autobuilt commit d248f91
-
-* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-4
- autobuilt commit d248f91
-
-* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-3
- autobuilt commit d248f91
-
-* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-2
- autobuilt commit d248f91
-
-* Thu Mar 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.55-1
- Dontaudit attempts by containers to write to /proc/self
-
-* Wed Mar 14 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.54-1
-  Add rules for container domains to make writing custom policy easier
-  Allow shell_exec_t as a container_runtime_t entrypoint
-
-* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.52-1
- Add rules for container domains to make writing custom policy easier
-
-* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.51-1
- Allow shell_exec_t as a container_runtime_t entrypoint
-
-* Wed Mar 7 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.50-1
- Allow bin_t as a container_runtime_t entrypoint
- Add rules for running container runtimes on mls
-
-* Thu Feb 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.48-1
- Allow container domains to map container_file_t directories
-
-* Sat Feb 10 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.47-1
- Change default label of /exports to container_var_lib_t
-
-* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2:2.46-3
- Escape macros in %%CHANGELOG
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.46-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Sat Feb 03 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.46-1
- Add support for nosuid_transition flags for container_runtime and unconfined domains
-* Fri Feb 02 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.45-1
- Allow containers to sendto their own stream sockets
-
-* Mon Jan 29 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.44-1
- Allow container domains to read kernel ipc info
-
-* Mon Jan 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.43-1
- Allow containers to memory map the fifo_files leaked into container from
-container runtimes.
-
-* Tue Jan 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.42-1
- Allow unconfined domains to transition to container types, when no-new-privs is set.
-
-* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.41-1
- Add support to nnp_transition for container domains
- Eliminates need for typebounds.
-
-* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.40-1
- Allow container_runtime_t to use user ttys
- Fixes bounds check for container_t
-
-* Mon Jan 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.39-1
- Allow container runtimes to use interited terminals.  This helps
-satisfy the bounds check of container_t versus container_runtime_t.
-
-* Sat Jan 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.38-1
- Allow container runtimes to mmap container_file_t devices
- Add labeling for rhel push plugin
-
-* Tue Dec 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.37-1
- Allow containers to use inherited ttys
- Allow ostree to handle labels under /var/lib/containers/ostree
-
-* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.36-1
- Allow containers to relabelto/from all file types to container_file_t
-
-* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.35-1
- Allow container to map chr_files labeled container_file_t
-
-* Wed Nov 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.34-1
- Dontaudit container processes getattr on kernel file systems
-
-* Sun Nov 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.33-1
- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
- mounted into container.
-
-* Wed Nov 8 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.32-1
- Make sure users creating content in /var/lib with right labels
-
-* Thu Oct 26 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.31-1
- Allow the container runtime to dbus chat with dnsmasq
- add dontaudit rules for container trying to write to /proc
-
-* Tue Oct 10 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.29-1
- Add support for lxcd
- Add support for labeling of tmpfs storage created within a container.
-
-* Mon Oct 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.28-1
- Allow a container to umount a container_file_t filesystem
-
-* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.27-1
-  Allow container runtimes to work with the netfilter sockets
-  Allow container_file_t to be an entrypoint for VM's
-  Allow spc_t domains to transition to svirt_t
-
-* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
-     Make sure container_runtime_t has all access of container_t
-
-* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
- Allow container runtimes to create sockets in tmp dirs
-
-* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
- Add additonal support for crio labeling.
-
-* Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
- Fixup spec file conditionals
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.21-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.21-1
- Allow containers to execmod on container_share_t files.
-
-* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-2
- Relabel runc and crio executables
-
-* Fri Jun 30 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-1
- Allow container processes to getsession
-
-* Mon Jun 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.19-1
- Allow containers to create tun sockets
-
-* Tue Jun 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.18-1
- Fix labeling for CRI-O files in overlay subdirs
-
-* Mon Jun 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.17-1
- Revert change to run the container_runtime as ranged
-
-* Thu Jun 1 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.16-1
- Add default labeling for cri-o in /etc/crio directories
-
-* Wed May 31 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.15-1
- Allow container types to read/write container_runtime fifo files
- Allow a container runtime to mount on top of its own /proc
-
-* Fri May 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.14-1
- Add labels for crio rename
- Break container_t rules out to use a separate container_domain
- Allow containers to be able to set namespaced SYCTLS
- Allow sandbox containers manage fuse files.
- Fixes to make container_runtimes work on MLS machines
- Bump version to allow handling of container_file_t filesystems
- Allow containers to mount, remount and umount container_file_t file systems
- Fixes to handle cap_userns
- Give container_t access to XFRM sockets
- Allow spc_t to dbus chat with init system
- Allow spc_t to dbus chat with init system
- Add rules to allow container runtimes to run with unconfined disabled
- Add rules to support cgroup file systems mounted into container.
- Fix typebounds entrypoint problems
- Fix typebounds problems
- Add typebounds statement for container_t from container_runtime_t
- We should only label runc not runc*
-
-* Tue Feb 28 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.10-1
- Add rules to allow container runtimes to run with unconfined disabled
- Add rules to support cgroup file systems mounted into container.
-
-* Mon Feb 13 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.9-1
- Add rules to allow container_runtimes to run with unconfined disabled
-
-* Thu Feb 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:8.1-1
- Allow container_file_t to be stored on cgroup_t file systems
-
-* Tue Feb 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:7.1-1
- Fix type in container interface file
-
-* Mon Feb 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:6.1-1
- Fix typebounds entrypoint problems
-
-* Fri Jan 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:5.1-1
- Fix typebounds problems
-
-* Thu Jan 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:4.1-1
- Add typebounds statement for container_t from container_runtime_t
- We should only label runc not runc*
-
-* Tue Jan 17 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:3.1-1
- Fix labeling on /usr/bin/runc.*
- Add sandbox_net_domain access to container.te
- Remove containers ability to look at /etc content
-
-* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-4
- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
-
-* Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
- properly disable docker module in %%post
-
-* Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
- depend on selinux-policy-targeted
- relabel docker-latest* files as well
-
-* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-1
- bump to v2.2
- additional labeling for ocid
-
-* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-2
- install policy at level 200
- From: Dan Walsh <dwalsh@redhat.com>
-
-* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-1
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
-standalone package)
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
-
-* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:1.12.4-29
- new package (separated from docker)
+%autochangelog
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,14 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []
--- a/plans/main.fmf
+++ b/plans/main.fmf
@ -0,0 +1,30 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    - how: feature
+      epel: enabled
+    # TODO: Revisit this once https://github.com/teemtee/tmt/issues/3990 is in place.
+    # FIXME: For whatever reason, CentOS Stream envs end up upgrading container-selinux
+    # from podman-next instead of using the one installed by Packit. This apparently should
+    # be easier to handle once tmt#3990 is done. Things work as expected on Fedora already.
+    - when: initiator == packit
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+        fi
+
+/basic_check:
+    discover+:
+        test: /test/basic_check
+
+/podman_rootful_system:
+    discover+:
+        test: /test/podman_rootful_system
+
+/podman_rootless_system:
+    discover+:
+        test: /test/podman_rootless_system
--- a/plans/tmt.fmf
+++ b/plans/tmt.fmf
@ -0,0 +1,9 @@
+/:
+  inherit: false
+
+summary: Run tmt's integration tests
+plan:
+  import:
+    url: https://github.com/teemtee/tmt
+    path: /plans/friends
+    name: /podman
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (container-selinux-5e1f62f.tar.gz) = 8184e4191cbce80e8ecf65f82e64f6b85eeda0b7b958be099b97100aaa78c71e3d0adec642eafb7e58037ba0a5b0452da7674d7e6c02a8f3c125f67629425ea7
+SHA512 (v2.245.0.tar.gz) = 0bc85980780631ceccb38f2fde64ff7f3792be18d4501806532f097deedde70f446e2389c543dd78e9087b45cd1a6916c0e096e6ea42dd77ac377ad4111b7db2
--- a/test/main.fmf
+++ b/test/main.fmf
@ -0,0 +1,34 @@
+require:
+    - attr
+    - container-selinux
+    - podman-tests
+    - policycoreutils
+recommend:
+    - bats
+
+/basic_check:
+    summary: Run basic checks
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_rootful_system:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-rootful-tests.sh
+
+/podman_rootless_system:
+    summary: Run rootless Podman system tests
+    test: bash ./podman-rootless-tests.sh
+    require+:
+        - passt
+        - passt-selinux
+    environment:
+        ROOTLESS_USER: "fedora"
+    adjust:
+        - when: distro == centos-stream
+          environment+:
+            ROOTLESS_USER: "ec2-user"
+        - when: distro == rhel
+          environment+:
+            ROOTLESS_USER: "cloud-user"
--- a/test/podman-rootful-tests.sh
+++ b/test/podman-rootful-tests.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats
--- a/test/podman-rootless-tests.sh
+++ b/test/podman-rootless-tests.sh
@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy
+
+loginctl enable-linger "$ROOTLESS_USER"
+
+# Run podman system tests
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"