Add trigger to relabel content on /var/lib/containers on older versions of

package

.gitignore

@@ -16,3 +16,48 @@
 /container-selinux-a80afba.tar.gz
 /container-selinux-c5fd77f.tar.gz
 /container-selinux-c89e9b5.tar.gz
+/container-selinux-58324f3.tar.gz
+/container-selinux-81ff96c.tar.gz
+/container-selinux-a9260d4.tar.gz
+/container-selinux-e37e93d.tar.gz
+/container-selinux-de38c07.tar.gz
+/container-selinux-0620186.tar.gz
+/container-selinux-47e0448.tar.gz
+/container-selinux-b430a71.tar.gz
+/container-selinux-0b666c4.tar.gz
+/container-selinux-7fe0136.tar.gz
+/container-selinux-dca3b87.tar.gz
+/container-selinux-f9a30e8.tar.gz
+/container-selinux-d985665.tar.gz
+/container-selinux-8ba32a4.tar.gz
+/container-selinux-26c642a.tar.gz
+/container-selinux-96e58bf.tar.gz
+/container-selinux-599072a.tar.gz
+/container-selinux-231b213.tar.gz
+/container-selinux-d148550.tar.gz
+/container-selinux-dfcc97d.tar.gz
+/container-selinux-38a982b.tar.gz
+/container-selinux-2377c73.tar.gz
+/container-selinux-aece4ff.tar.gz
+/container-selinux-663e003.tar.gz
+/container-selinux-fd7d508.tar.gz
+/container-selinux-fd50128.tar.gz
+/container-selinux-bdc0137.tar.gz
+/container-selinux-55c7d4d.tar.gz
+/container-selinux-d248f91.tar.gz
+/container-selinux-d213769.tar.gz
+/container-selinux-701557f.tar.gz
+/container-selinux-97f8dfc.tar.gz
+/container-selinux-9b55129.tar.gz
+/container-selinux-1ecf953.tar.gz
+/container-selinux-284f9e7.tar.gz
+/container-selinux-d346375.tar.gz
+/container-selinux-bf5b26b.tar.gz
+/container-selinux-dfaf8fd.tar.gz
+/container-selinux-8ecc282.tar.gz
+/container-selinux-0407867.tar.gz
+<<<<<<< Updated upstream
+/container-selinux-042f7cf.tar.gz
+=======
+/container-selinux-25277c8.tar.gz
+>>>>>>> Stashed changes

container-selinux.spec

@@ -3,12 +3,13 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
 %if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 c89e9b5e450367cfbed32d6c166ce04353f2bba7
+%global commit0 452b90de0cbc75f0a55defa1d45b7bc337d4f076
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %else
 # use upstream's RHEL-1.12 branch for CentOS 7
-%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
+%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7})
 %endif
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
@@ -22,7 +23,7 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
 # Version of SELinux we were using
 %if 0%{?fedora} >= 22 || 0%{?rhel} > 7
@@ -35,12 +36,16 @@ Name: container-selinux
 %if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
 Epoch: 2
 %endif
-Version: 2.21
-Release: 3%{?dist}
+Version: 2.69
+Release: 2.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
+%if 0%{?fedora} || 0%{?rhel} >7
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+%else
+Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
+%endif
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -57,6 +62,8 @@ Requires(post): policycoreutils-python-utils
 Requires(post): policycoreutils-python
 %endif
 Requires(post): libselinux-utils
+Requires(post): libsemanage >= 2.8-2
+Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
 Provides: docker-selinux = %{epoch}:%{version}-%{release}
@@ -65,7 +72,11 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 
 %prep
+%if 0%{?fedora} || 0%{?rhel} > 7
 %autosetup -Sgit -n %{name}-%{commit0}
+%else
+%autosetup -Sgit -n %{name}-%{el_commit0}
+%endif
 
 %build
 make
@@ -98,8 +109,12 @@ if %{_sbindir}/selinuxenabled ; then
     %relabel_files
     if [ $1 -eq 1 ]; then
 	restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
+	restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
     fi
 fi
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 
+
 
 %postun
 if [ $1 -eq 0 ]; then
@@ -117,7 +132,209 @@ fi
 %doc README.md
 %{_datadir}/selinux/*
 
+%triggerin -- container-selinux < 2.69-2
+restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+exit 0
+
 %changelog
+* Fri Aug 10 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-2
+- Add trigger to relabel content on /var/lib/containers on older versions of
+package
+
+* Wed Jul 25 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-1
+- dontaudit attempts to write to sysctl_kernel_t
+
+* Wed Jul 18 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.68-2.gitc139a3d
+- autobuilt c139a3d
+
+* Mon Jul 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.67-1
+- Add label for /var/lib/origin
+- Add customizable_file_t to customizable_types
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.67-3.dev.git042f7cf
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-2.git042f7cf
+- autobuilt 042f7cf
+
+* Sat Jul 07 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-1.git0407867
+- bump to 2.67
+- autobuilt 0407867
+
+* Sat Jun 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.66-1
+- Allow container runtimes to dbus chat with systemd-resolved
+
+* Tue Jun 12 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.64-1.gitdfaf8fd
+- bump to 2.64
+- autobuilt dfaf8fd
+
+* Mon Jun 11 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.65-1
+- Add new type to handle containers running with a non priv user in a userns
+- allow containers to map all sockets
+
+* Sun Jun 3 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.64-1.gitdfaf8fd
+- Allow containers to create all socket classes
+
+* Wed May 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.63-1
+- Allow containers to create icmp packets
+
+* Fri May 25 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.62-1.git1ecf953
+- bump to 2.62
+- autobuilt 1ecf953
+
+* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
+- Allow spc_t to load kernel modules from inside of container 
+
+* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
+- Allow containers to list cgroup directories
+
+* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.59-1
+- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.
+
+* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-2
+- Run restorecon /usr/bin/podman in postinstall
+
+* Fri May 18 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-1
+- Add labels to allow podman to be run from a systemd unit file
+
+* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-12.gitd248f91
+- autobuilt commit d248f91
+
+* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-11.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-10.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-9.gitd248f91
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-8
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-7
+- autobuilt commit d248f91
+
+* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-6
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-5
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-4
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-3
+- autobuilt commit d248f91
+
+* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-2
+- autobuilt commit d248f91
+
+* Thu Mar 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.55-1
+- Dontaudit attempts by containers to write to /proc/self
+
+* Wed Mar 14 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.54-1
+-  Add rules for container domains to make writing custom policy easier
+-  Allow shell_exec_t as a container_runtime_t entrypoint
+
+* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.52-1
+- Add rules for container domains to make writing custom policy easier
+
+* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.51-1
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
+* Wed Mar 7 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.50-1
+- Allow bin_t as a container_runtime_t entrypoint
+- Add rules for running container runtimes on mls
+
+* Thu Feb 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.48-1
+- Allow container domains to map container_file_t directories
+
+* Sat Feb 10 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.47-1
+- Change default label of /exports to container_var_lib_t
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2:2.46-3
+- Escape macros in %%CHANGELOG
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.46-1
+- Add support for nosuid_transition flags for container_runtime and unconfined domains
+* Fri Feb 02 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.45-1
+- Allow containers to sendto their own stream sockets
+
+* Mon Jan 29 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.44-1
+- Allow container domains to read kernel ipc info
+
+* Mon Jan 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.43-1
+- Allow containers to memory map the fifo_files leaked into container from
+container runtimes.
+
+* Tue Jan 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.42-1
+- Allow unconfined domains to transition to container types, when no-new-privs is set.
+
+* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.41-1
+- Add support to nnp_transition for container domains
+- Eliminates need for typebounds.
+
+* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.40-1
+- Allow container_runtime_t to use user ttys
+- Fixes bounds check for container_t
+
+* Mon Jan 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.39-1
+- Allow container runtimes to use interited terminals.  This helps
+satisfy the bounds check of container_t versus container_runtime_t.
+
+* Sat Jan 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.38-1
+- Allow container runtimes to mmap container_file_t devices
+- Add labeling for rhel push plugin
+
+* Tue Dec 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.37-1
+- Allow containers to use inherited ttys
+- Allow ostree to handle labels under /var/lib/containers/ostree
+
+* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.36-1
+- Allow containers to relabelto/from all file types to container_file_t
+
+* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.35-1
+- Allow container to map chr_files labeled container_file_t
+
+* Wed Nov 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.34-1
+- Dontaudit container processes getattr on kernel file systems
+
+* Sun Nov 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.33-1
+- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
+- mounted into container.
+
+* Wed Nov 8 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.32-1
+- Make sure users creating content in /var/lib with right labels
+
+* Thu Oct 26 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.31-1
+- Allow the container runtime to dbus chat with dnsmasq
+- add dontaudit rules for container trying to write to /proc
+
+* Tue Oct 10 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.29-1
+- Add support for lxcd
+- Add support for labeling of tmpfs storage created within a container.
+
+* Mon Oct 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.28-1
+- Allow a container to umount a container_file_t filesystem
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.27-1
+-  Allow container runtimes to work with the netfilter sockets
+-  Allow container_file_t to be an entrypoint for VM's
+-  Allow spc_t domains to transition to svirt_t
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
+-     Make sure container_runtime_t has all access of container_t
+
+* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
+- Allow container runtimes to create sockets in tmp dirs
+
+* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
+- Add additonal support for crio labeling.
+
 * Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
 - Fixup spec file conditionals
 
@@ -200,7 +417,7 @@ fi
 - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
 
 * Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
-- properly disable docker module in %post
+- properly disable docker module in %%post
 
 * Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
 - depend on selinux-policy-targeted

getrlimit.patch

@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index e768807..a469eda 100644
+--- a/container.te
++++ b/container.te
+@@ -685,7 +685,7 @@ dev_list_sysfs(container_domain)
+ allow svirt_sandbox_domain self:key manage_key_perms;
+ dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+ 
+-allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow container_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+ allow container_domain self:fifo_file manage_file_perms;
+ allow container_domain self:msg all_msg_perms;
+ allow container_domain self:sem create_sem_perms;

sources

@@ -1 +1 @@
-SHA512 (container-selinux-c89e9b5.tar.gz) = 20f6fd70b18b77162738fa806d91cb37d0cc9efb286441cfe624c833a5d556e880e1658f2a8e1b78b9fb532c5d9075b5b6eaa9d73c8a8c9969a5fbde0784b050
+SHA512 (container-selinux-452b90d.tar.gz) = f9bc9c9fafd98aca03b755dc44807baec3aec2b0a97bd539be6b49bc2f1f571973bef8e8a716ef990255f4b26ef9650e2c03ce9bf3ee0961f99205e309475944