Make sure container_runtime_t has all access of container_t

Allow a container runtime to mount on top of its own /proc

.gitignore

@@ -1,3 +1,21 @@
 /container-selinux-513572d.tar.gz
 /container-selinux-bcdcb9a.tar.gz
 /container-selinux-3bbbad5.tar.gz
+/container-selinux-b9809fa.tar.gz
+/container-selinux-ba28054.tar.gz
+/container-selinux-9e004af.tar.gz
+/container-selinux-ce95ddb.tar.gz
+/container-selinux-f7333f9.tar.gz
+/container-selinux-08bb6e0.tar.gz
+/container-selinux-8f8caa6.tar.gz
+/container-selinux-14f7c51.tar.gz
+/container-selinux-c81ea26.tar.gz
+/container-selinux-9027f8e.tar.gz
+/container-selinux-ed3082b.tar.gz
+/container-selinux-5212fea.tar.gz
+/container-selinux-a80afba.tar.gz
+/container-selinux-c5fd77f.tar.gz
+/container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
+/container-selinux-81ff96c.tar.gz
+/container-selinux-a9260d4.tar.gz

container-selinux.spec

@@ -2,8 +2,8 @@
 
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%if 0%{?fedora}
-%global commit0 3bbbad57f5827b02f91f847eb559a59cca7967af
+%if 0%{?fedora} || 0%{?rhel} > 7
+%global commit0 a9260d44ecb10cc824ad0e18bcd22cb93a5dbdaf
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -22,20 +22,20 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} >= 22 || 0%{?rhel} > 7
 %global selinux_policyver 3.13.1-220
 %else
 %global selinux_policyver 3.13.1-39
 %endif
 
 Name: container-selinux
-%if 0%{?fedora} || 0%{?centos}
+%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.3
+Version: 2.24
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
@@ -51,7 +51,7 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 7
 Requires(post): policycoreutils-python-utils
 %else
 Requires(post): policycoreutils-python
@@ -118,6 +118,88 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
+-     Make sure container_runtime_t has all access of container_t
+
+* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
+- Allow container runtimes to create sockets in tmp dirs
+
+* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
+- Add additonal support for crio labeling.
+
+* Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
+- Fixup spec file conditionals
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.21-1
+- Allow containers to execmod on container_share_t files.
+
+* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-2
+- Relabel runc and crio executables
+
+* Fri Jun 30 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-1
+- Allow container processes to getsession
+
+* Mon Jun 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.19-1
+- Allow containers to create tun sockets
+
+* Tue Jun 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.18-1
+- Fix labeling for CRI-O files in overlay subdirs
+
+* Mon Jun 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.17-1
+- Revert change to run the container_runtime as ranged
+
+* Thu Jun 1 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.16-1
+- Add default labeling for cri-o in /etc/crio directories
+
+* Wed May 31 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.15-1
+- Allow container types to read/write container_runtime fifo files
+- Allow a container runtime to mount on top of its own /proc
+
+* Fri May 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.14-1
+- Add labels for crio rename
+- Break container_t rules out to use a separate container_domain
+- Allow containers to be able to set namespaced SYCTLS
+- Allow sandbox containers manage fuse files.
+- Fixes to make container_runtimes work on MLS machines
+- Bump version to allow handling of container_file_t filesystems
+- Allow containers to mount, remount and umount container_file_t file systems
+- Fixes to handle cap_userns
+- Give container_t access to XFRM sockets
+- Allow spc_t to dbus chat with init system
+- Allow spc_t to dbus chat with init system
+- Add rules to allow container runtimes to run with unconfined disabled
+- Add rules to support cgroup file systems mounted into container.
+- Fix typebounds entrypoint problems
+- Fix typebounds problems
+- Add typebounds statement for container_t from container_runtime_t
+- We should only label runc not runc*
+
+* Tue Feb 28 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.10-1
+- Add rules to allow container runtimes to run with unconfined disabled
+- Add rules to support cgroup file systems mounted into container.
+
+* Mon Feb 13 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.9-1
+- Add rules to allow container_runtimes to run with unconfined disabled
+
+* Thu Feb 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:8.1-1
+- Allow container_file_t to be stored on cgroup_t file systems
+
+* Tue Feb 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:7.1-1
+- Fix type in container interface file
+
+* Mon Feb 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:6.1-1
+- Fix typebounds entrypoint problems
+
+* Fri Jan 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:5.1-1
+- Fix typebounds problems
+
+* Thu Jan 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:4.1-1
+- Add typebounds statement for container_t from container_runtime_t
+- We should only label runc not runc*
+
 * Tue Jan 17 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:3.1-1
 - Fix labeling on /usr/bin/runc.*
 - Add sandbox_net_domain access to container.te

sources

@@ -1,2 +1 @@
-SHA512 (container-selinux-bcdcb9a.tar.gz) = 382ed177ac878e56a7a4819b30362f0f797657ae4b87847e624124d06e4f56463a44c8a4d0ba60ebe02bf53128b43ec5d0ce5a6f9e0d6450594a9cef60531806
-SHA512 (container-selinux-3bbbad5.tar.gz) = d255c5993bff90fb90030d6d0ced11eeed9a620878e24b99fdba7e8c66e130fcc88ac6f839fd84a96863f3d0fb57a41d4d4a59e30eb383ad999a75d22d8533a2
+SHA512 (container-selinux-a9260d4.tar.gz) = a28462bdbedd1ad8b94d8da8cb8577f1e2b7ddf441b689ae71d97e0152adb5b75f0f4601e5c2f2311642ec65605e1440b56bb07317246a18206964717af4d981