Update to 2.245.0 upstream release

Upstream tag: v2.245.0
Upstream commit: 3f7c37e9

Commit authored by Packit automation (https://packit.dev/)

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -197,4 +197,49 @@
 /v2.198.0.tar.gz
 /v2.199.0.tar.gz
 /v2.200.0.tar.gz
+/v2.201.0.tar.gz
+/v2.202.0.tar.gz
+/v2.203.0.tar.gz
+/v2.204.0.tar.gz
+/v2.205.0.tar.gz
+/v2.206.0.tar.gz
+/v2.208.0.tar.gz
+/v2.209.0.tar.gz
+/v2.210.0.tar.gz
 /v2.211.0.tar.gz
+/v2.211.1.tar.gz
+/v2.213.0.tar.gz
+/v2.215.0.tar.gz
+/v2.216.0.tar.gz
+/v2.217.0.tar.gz
+/v2.218.0.tar.gz
+/v2.219.0.tar.gz
+/v2.221.tar.gz
+/v2.221.0.tar.gz
+/v2.221.1.tar.gz
+/v2.222.0.tar.gz
+/v2.224.0.tar.gz
+/v2.226.0.tar.gz
+/v2.227.0.tar.gz
+/v2.228.0.tar.gz
+/v2.228.1.tar.gz
+/v2.229.0.tar.gz
+/v2.229.1.tar.gz
+/v2.230.0.tar.gz
+/v2.231.0.tar.gz
+/packit-tmt-bodhi-reuse.zip
+/v2.232.1.tar.gz
+/v2.233.0.tar.gz
+/v2.234.1.tar.gz
+/v2.234.2.tar.gz
+/v2.235.0.tar.gz
+/v2.236.0.tar.gz
+/v2.237.0.tar.gz
+/v2.238.0.tar.gz
+/v2.239.0.tar.gz
+/v2.240.0.tar.gz
+/v2.241.0.tar.gz
+/v2.242.0.tar.gz
+/v2.243.0.tar.gz
+/v2.244.0.tar.gz
+/v2.245.0.tar.gz

.packit.yaml

@@ -0,0 +1,145 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: container-selinux
+upstream_tag_template: v{version}
+
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+    mkpath: true
+  - src: test/
+    dest: test/
+    delete: true
+    mkpath: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &eln_copr_targets
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # All tests specified in the `/plans/` subdir
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *test_failure_notification
+    targets: *eln_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-eln/rhcontainerbot-podman-next-fedora-eln.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-fedora]
+    dist_git_branches: &fedora_targets
+      - fedora-all
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches: *fedora_targets
+
+  - job: bodhi_update
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically

README.packit

@@ -0,0 +1,3 @@
+This repository is maintained by packit.
+https://packit.dev/
+The file was generated using packit 1.13.0.

container-selinux.spec

@@ -1,11 +1,7 @@
-%global debug_package   %{nil}
-
-# container-selinux
-%global git0 https://github.com/containers/container-selinux
+%global debug_package %{nil}
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
 
@@ -14,14 +10,37 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
+# https://github.com/containers/container-selinux/issues/203
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
+# set copr_build is more intuitive than copr_username
+%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
+%define next_build 1
+%endif
+
 Name: container-selinux
-Epoch: 2
-Version: 2.211.0
+# Set different Epoch for rhcontainerbot/podman-next copr build
+%if %{defined next_build}
+Epoch: 102
+%else
+Epoch: 4
+%endif
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 2.245.0
 Release: %autorelease
-License: GPLv2
-URL: %{git0}
+License: GPL-2.0-only
+URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/v%{version}.tar.gz
+Source0: %{url}/archive/v%{version}.tar.gz
 BuildArch: noarch
 BuildRequires: make
 BuildRequires: git-core
@@ -31,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -45,31 +65,29 @@ Conflicts: k3s-selinux <= 0.4-1
 SELinux policy modules for use with container runtimes.
 
 %prep
-%autosetup -Sgit %{name}-%{built_tag_strip}
-# https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37
+%autosetup -Sgit %{name}-%{version}
+
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif
 
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make
 
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-install -d %{buildroot}%{_datadir}/selinux/packages
-install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
-install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
-install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
-install -d %{buildroot}/%{_datadir}/containers/selinux
-install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-install -d %{buildroot}%{_datadir}/udica/templates
-install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
-
-%check
+%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre
 
 %post
 # Install all modules in a single transaction
@@ -77,21 +95,24 @@ if [ $1 -eq 1 ]; then
    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
-sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+   %selinux_modules_uninstall %{modulenames} docker
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -101,10 +122,14 @@ fi
 %{_datadir}/selinux/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
-# Currently shipped in selinux-policy-doc
-#%%{_datadir}/man/man8/container_selinux.8.gz
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then

gating.yaml

@@ -1,6 +1,14 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_context: bodhi_update_push_stable
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []

plans/main.fmf

@@ -0,0 +1,30 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    - how: feature
+      epel: enabled
+    # TODO: Revisit this once https://github.com/teemtee/tmt/issues/3990 is in place.
+    # FIXME: For whatever reason, CentOS Stream envs end up upgrading container-selinux
+    # from podman-next instead of using the one installed by Packit. This apparently should
+    # be easier to handle once tmt#3990 is done. Things work as expected on Fedora already.
+    - when: initiator == packit
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+        fi
+
+/basic_check:
+    discover+:
+        test: /test/basic_check
+
+/podman_rootful_system:
+    discover+:
+        test: /test/podman_rootful_system
+
+/podman_rootless_system:
+    discover+:
+        test: /test/podman_rootless_system

plans/tmt.fmf

@@ -0,0 +1,9 @@
+/:
+  inherit: false
+
+summary: Run tmt's integration tests
+plan:
+  import:
+    url: https://github.com/teemtee/tmt
+    path: /plans/friends
+    name: /podman

sources

@@ -1 +1 @@
-SHA512 (v2.211.0.tar.gz) = 76c795cf51e80a3996ff79d5f29952932c35124c3ed283d1f101c61b02499ea8769d886b99a61e3c8c794ed9729b0151de92b283ef18d7e12f5fd59e5568860a
+SHA512 (v2.245.0.tar.gz) = 0bc85980780631ceccb38f2fde64ff7f3792be18d4501806532f097deedde70f446e2389c543dd78e9087b45cd1a6916c0e096e6ea42dd77ac377ad4111b7db2

test/main.fmf

@@ -0,0 +1,34 @@
+require:
+    - attr
+    - container-selinux
+    - podman-tests
+    - policycoreutils
+recommend:
+    - bats
+
+/basic_check:
+    summary: Run basic checks
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_rootful_system:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-rootful-tests.sh
+
+/podman_rootless_system:
+    summary: Run rootless Podman system tests
+    test: bash ./podman-rootless-tests.sh
+    require+:
+        - passt
+        - passt-selinux
+    environment:
+        ROOTLESS_USER: "fedora"
+    adjust:
+        - when: distro == centos-stream
+          environment+:
+            ROOTLESS_USER: "ec2-user"
+        - when: distro == rhel
+          environment+:
+            ROOTLESS_USER: "cloud-user"

test/podman-rootful-tests.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats

test/podman-rootless-tests.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy
+
+loginctl enable-linger "$ROOTLESS_USER"
+
+# Run podman system tests
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"

tests/tests.yml

@@ -1,16 +0,0 @@
-- hosts: localhost
-  tags:
-  - classic
-  roles:
-  - role: standard-test-basic
-    required_packages:
-    - policycoreutils
-    - container-selinux
-    - podman
-    tests:
-    - is-module-installed:
-        run: semodule --list=full | grep container
-    - can-rebuild-policy:
-        run: semodule -B
-    - can-run-podman:
-        run: podman run --rm quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current