Change default label of /exports to container_var_lib_t

Eliminates need for typebounds.

.gitignore

@@ -8,3 +8,34 @@
 /container-selinux-f7333f9.tar.gz
 /container-selinux-08bb6e0.tar.gz
 /container-selinux-8f8caa6.tar.gz
+/container-selinux-14f7c51.tar.gz
+/container-selinux-c81ea26.tar.gz
+/container-selinux-9027f8e.tar.gz
+/container-selinux-ed3082b.tar.gz
+/container-selinux-5212fea.tar.gz
+/container-selinux-a80afba.tar.gz
+/container-selinux-c5fd77f.tar.gz
+/container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
+/container-selinux-81ff96c.tar.gz
+/container-selinux-a9260d4.tar.gz
+/container-selinux-e37e93d.tar.gz
+/container-selinux-de38c07.tar.gz
+/container-selinux-0620186.tar.gz
+/container-selinux-47e0448.tar.gz
+/container-selinux-b430a71.tar.gz
+/container-selinux-0b666c4.tar.gz
+/container-selinux-7fe0136.tar.gz
+/container-selinux-dca3b87.tar.gz
+/container-selinux-f9a30e8.tar.gz
+/container-selinux-d985665.tar.gz
+/container-selinux-8ba32a4.tar.gz
+/container-selinux-26c642a.tar.gz
+/container-selinux-96e58bf.tar.gz
+/container-selinux-599072a.tar.gz
+/container-selinux-231b213.tar.gz
+/container-selinux-d148550.tar.gz
+/container-selinux-dfcc97d.tar.gz
+/container-selinux-38a982b.tar.gz
+/container-selinux-2377c73.tar.gz
+/container-selinux-aece4ff.tar.gz

container-selinux.spec

@@ -2,8 +2,8 @@
 
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%if 0%{?fedora}
-%global commit0 8f8caa66c11f8657ebf8ae50d7221ee3a97ac7d3
+%if 0%{?fedora} || 0%{?rhel} > 7
+%global commit0 aece4ff33825561eb153f6e697afbde309c46efb
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
 %global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
@@ -22,27 +22,26 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} >= 22 || 0%{?rhel} > 7
 %global selinux_policyver 3.13.1-220
 %else
 %global selinux_policyver 3.13.1-39
 %endif
 
 Name: container-selinux
-%if 0%{?fedora} || 0%{?centos}
+%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.10
+Version: 2.47
 Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 BuildArch: noarch
-BuildRequires: git
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %{selinux_policyver}
 BuildRequires: selinux-policy-devel >= %{selinux_policyver}
@@ -51,7 +50,7 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 7
 Requires(post): policycoreutils-python-utils
 %else
 Requires(post): policycoreutils-python
@@ -65,7 +64,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%setup -q -n %{name}-%{commit0}
 
 %build
 make
@@ -118,6 +117,141 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
+* Sat Feb 10 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.47-1
+- Change default label of /exports to container_var_lib_t
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2:2.46-3
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.46-1
+- Add support for nosuid_transition flags for container_runtime and unconfined domains
+* Fri Feb 02 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.45-1
+- Allow containers to sendto their own stream sockets
+
+* Mon Jan 29 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.44-1
+- Allow container domains to read kernel ipc info
+
+* Mon Jan 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.43-1
+- Allow containers to memory map the fifo_files leaked into container from
+container runtimes.
+
+* Tue Jan 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.42-1
+- Allow unconfined domains to transition to container types, when no-new-privs is set.
+
+* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.41-1
+- Add support to nnp_transition for container domains
+- Eliminates need for typebounds.
+
+* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.40-1
+- Allow container_runtime_t to use user ttys
+- Fixes bounds check for container_t
+
+* Mon Jan 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.39-1
+- Allow container runtimes to use interited terminals.  This helps
+satisfy the bounds check of container_t versus container_runtime_t.
+
+* Sat Jan 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.38-1
+- Allow container runtimes to mmap container_file_t devices
+- Add labeling for rhel push plugin
+
+* Tue Dec 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.37-1
+- Allow containers to use inherited ttys
+- Allow ostree to handle labels under /var/lib/containers/ostree
+
+* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.36-1
+- Allow containers to relabelto/from all file types to container_file_t
+
+* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.35-1
+- Allow container to map chr_files labeled container_file_t
+
+* Wed Nov 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.34-1
+- Dontaudit container processes getattr on kernel file systems
+
+* Sun Nov 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.33-1
+- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
+- mounted into container.
+
+* Wed Nov 8 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.32-1
+- Make sure users creating content in /var/lib with right labels
+
+* Thu Oct 26 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.31-1
+- Allow the container runtime to dbus chat with dnsmasq
+- add dontaudit rules for container trying to write to /proc
+
+* Tue Oct 10 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.29-1
+- Add support for lxcd
+- Add support for labeling of tmpfs storage created within a container.
+
+* Mon Oct 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.28-1
+- Allow a container to umount a container_file_t filesystem
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.27-1
+-  Allow container runtimes to work with the netfilter sockets
+-  Allow container_file_t to be an entrypoint for VM's
+-  Allow spc_t domains to transition to svirt_t
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
+-     Make sure container_runtime_t has all access of container_t
+
+* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
+- Allow container runtimes to create sockets in tmp dirs
+
+* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
+- Add additonal support for crio labeling.
+
+* Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
+- Fixup spec file conditionals
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.21-1
+- Allow containers to execmod on container_share_t files.
+
+* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-2
+- Relabel runc and crio executables
+
+* Fri Jun 30 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-1
+- Allow container processes to getsession
+
+* Mon Jun 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.19-1
+- Allow containers to create tun sockets
+
+* Tue Jun 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.18-1
+- Fix labeling for CRI-O files in overlay subdirs
+
+* Mon Jun 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.17-1
+- Revert change to run the container_runtime as ranged
+
+* Thu Jun 1 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.16-1
+- Add default labeling for cri-o in /etc/crio directories
+
+* Wed May 31 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.15-1
+- Allow container types to read/write container_runtime fifo files
+- Allow a container runtime to mount on top of its own /proc
+
+* Fri May 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.14-1
+- Add labels for crio rename
+- Break container_t rules out to use a separate container_domain
+- Allow containers to be able to set namespaced SYCTLS
+- Allow sandbox containers manage fuse files.
+- Fixes to make container_runtimes work on MLS machines
+- Bump version to allow handling of container_file_t filesystems
+- Allow containers to mount, remount and umount container_file_t file systems
+- Fixes to handle cap_userns
+- Give container_t access to XFRM sockets
+- Allow spc_t to dbus chat with init system
+- Allow spc_t to dbus chat with init system
+- Add rules to allow container runtimes to run with unconfined disabled
+- Add rules to support cgroup file systems mounted into container.
+- Fix typebounds entrypoint problems
+- Fix typebounds problems
+- Add typebounds statement for container_t from container_runtime_t
+- We should only label runc not runc*
+
 * Tue Feb 28 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.10-1
 - Add rules to allow container runtimes to run with unconfined disabled
 - Add rules to support cgroup file systems mounted into container.
@@ -150,7 +284,7 @@ fi
 - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
 
 * Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
-- properly disable docker module in %post
+- properly disable docker module in %%post
 
 * Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
 - depend on selinux-policy-targeted

sources

@@ -1,2 +1 @@
-SHA512 (container-selinux-08bb6e0.tar.gz) = bba16bd77c6d34982637e4fc874ef1a741df7ca73a85ad1edfece5ae2838409efbe00ea44653acb63c22c6939c7afc72f7882715c9c4657d4427eff6f77d2a35
-SHA512 (container-selinux-8f8caa6.tar.gz) = b273cb85c6afece175d917b043f92d4c126d03eaa4b2ad5c36c0a6430465a127ad25961d26b66730190723a6aefba4a8ffb694ea942c6b4eb5d6ee950b780856
+SHA512 (container-selinux-aece4ff.tar.gz) = 23d14ce8b1e4176fb52591edf61ce3efb21a461ddb6df75ca2b50ea2f8746a0f74e3319163b56f936d0dda8736f1d38d2900d1f486743aa8b62a022dfadb7c7d