container-selinux-2:2.123.0-2

- bump to v2.123.0
- autobuilt 0b25a4a for fedora
- autobuilt c57a6f9 for centos

Signed-off-by: RH Container Bot <rhcontainerbot@fedoraproject.org>

.gitignore

@@ -74,3 +74,42 @@
 /container-selinux-484806a.tar.gz
 /container-selinux-21c2be6.tar.gz
 /container-selinux-5e1f62f.tar.gz
+/container-selinux-ec6fcad.tar.gz
+/container-selinux-eb60838.tar.gz
+/container-selinux-92af7fd.tar.gz
+/container-selinux-c178849.tar.gz
+/container-selinux-891a85f.tar.gz
+/container-selinux-2c1a2ab.tar.gz
+/container-selinux-5c98b56.tar.gz
+/container-selinux-2521d0d.tar.gz
+/container-selinux-619db17.tar.gz
+/container-selinux-acc6941.tar.gz
+/container-selinux-1e99f1d.tar.gz
+/container-selinux-e3ebc68.tar.gz
+/container-selinux-a6c9822.tar.gz
+/container-selinux-aa7b807.tar.gz
+/container-selinux-9a53d6c.tar.gz
+/container-selinux-3b78187.tar.gz
+/container-selinux-b0061dc.tar.gz
+/container-selinux-1c24dcb.tar.gz
+/container-selinux-b275a1f.tar.gz
+/container-selinux-7baad79.tar.gz
+/container-selinux-fc7111d.tar.gz
+/container-selinux-453b816.tar.gz
+/container-selinux-db771da.tar.gz
+/container-selinux-544d71f.tar.gz
+/container-selinux-9a75deb.tar.gz
+/container-selinux-014f866.tar.gz
+/container-selinux-b68cf19.tar.gz
+/container-selinux-4f7d6bb.tar.gz
+/container-selinux-028ab00.tar.gz
+/container-selinux-42087be.tar.gz
+/container-selinux-fddfbbb.tar.gz
+/container-selinux-c5ef5ac.tar.gz
+/container-selinux-bfde70a.tar.gz
+/container-selinux-79bdcb5.tar.gz
+/container-selinux-46c7e70.tar.gz
+/container-selinux-b383f07.tar.gz
+/container-selinux-2ecb2a8.tar.gz
+/container-selinux-c57a6f9.tar.gz
+/container-selinux-0b25a4a.tar.gz

container-selinux.spec

@@ -1,8 +1,16 @@
-%global debug_package   %{nil}
+%global debug_package %{nil}
 
 # container-selinux
-%global git0 https://github.com/projectatomic/container-selinux
-%global commit0 5e1f62fe319ebbef46bcabc8cc5e22d209411dda
+%global git0 https://github.com/containers/container-selinux
+%if 0%{?fedora}
+%global commit0 0b25a4a5f05e1810f6bbeffcc40d89c3db5d2a30
+# record centos commit here as well so it can be added
+# to sources file for centos cbs build
+%global commit_centos c57a6f9dc5ba77606a7ca541065e3a1e9e00f11e
+%global shortcommit_centos %(c=%{commit_centos}; echo ${c:0:7})
+%else
+%global commit0 c57a6f9dc5ba77606a7ca541065e3a1e9e00f11e
+%endif
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -19,19 +27,22 @@
 # Relabel files
 %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 
-# Version of SELinux we were using
+# Version of SELinux we are using
 %global selinux_policyver 3.13.1-220
 
 Name: container-selinux
 %if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.82
-Release: 1.git%{shortcommit0}%{?dist}
+Version: 2.123.0
+Release: 2%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+PATCH0: kmod.patch
+PATCH1: pipes.patch
+Source1: %{git0}/archive/%{commit_centos}/%{name}-%{shortcommit_centos}.tar.gz
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -73,7 +84,7 @@ rm -rf container-selinux.spec
 %post
 # Install all modules in a single transaction
 if [ $1 -eq 1 ]; then
-	%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
@@ -84,8 +95,8 @@ if %{_sbindir}/selinuxenabled ; then
     %{_sbindir}/load_policy
     %relabel_files
     if [ $1 -eq 1 ]; then
-	restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
-	restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+      restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
+      restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
     fi
 fi
 . %{_sysconfdir}/selinux/config
@@ -94,7 +105,7 @@ matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedi
 
 %postun
 if [ $1 -eq 0 ]; then
-%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
+%{_sbindir}/semodule -n -r %{modulenames} &> /dev/null || :
 if %{_sbindir}/selinuxenabled ; then
 %{_sbindir}/load_policy
 %relabel_files
@@ -109,7 +120,161 @@ fi
 %{_datadir}/selinux/*
 
 %changelog
-* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1
+* Fri Dec 06 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.123.0-2
+- bump to v2.123.0
+- autobuilt 0b25a4a for fedora
+- autobuilt c57a6f9 for centos
+
+* Sun Oct 27 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.1-2
+- bump to v2.119.1
+- autobuilt 2ecb2a8 for fedora
+- autobuilt c57a6f9 for centos
+
+* Thu Oct 24 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.0-2
+- bump to v2.119.0
+- autobuilt b383f07 for fedora
+- autobuilt 46c7e70 for centos
+
+* Fri Oct 11 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.118.0-2
+- bump to v2.118.0
+- autobuilt 79bdcb5 for fedora
+- autobuilt 42087be for centos
+
+* Wed Sep 25 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.117.0-2
+- bump to v2.117.0
+- autobuilt bfde70a for fedora
+- autobuilt 42087be for centos
+
+* Thu Sep 05 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.116.0-2
+- bump to v2.116.0
+- autobuilt c5ef5ac for fedora
+- autobuilt 42087be for centos
+
+* Wed Aug 21 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.115.0-2
+- bump to v2.115.0
+- autobuilt fddfbbb for fedora
+- autobuilt 42087be for centos
+
+* Mon Aug 19 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.114.0-2
+- bump to v2.114.0
+- autobuilt 028ab00 for fedora
+- autobuilt 014f866 for centos
+
+* Fri Aug 09 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.113.0-2
+- bump to v2.113.0
+- autobuilt 4f7d6bb for fedora
+- autobuilt 014f866 for centos
+
+* Thu Aug 08 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.112.0-2
+- bump to v2.112.0
+- autobuilt b68cf19 for fedora
+- autobuilt 014f866 for centos
+
+* Thu Jul 18 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.111.0-1
+- bump to 2.111.0
+- autobuilt 9a75deb for fedora
+- autobuilt 014f866 for centos
+
+* Wed Jul 17 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.110.0-2.git544d71f
+- bump to 2.110.0
+- autobuilt 544d71f
+
+* Mon Jul 15 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.109.0-2.gitdb771da
+- bump to 2.109.0
+- autobuilt db771da
+
+* Mon Jul 8 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.109-1
+- Allow containers to accept connections on all socket types
+- Allow containers to connect to gssproxy stream sockets if added to container
+
+* Fri Jun 14 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.107-1
+- Allow containers to manipulate Onload files.
+
+* Tue Jun 11 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.106-1
+- Allow all unconfined domains to manage unlabeled keyrings
+- Add labeling for kubernetes pods
+
+* Mon Jun 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.104-1
+- Set proper labeling for container volumes in SilverBlue
+
+* Fri May 17 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.103-1
+- Set proper labeling for container volumes
+
+* Sun May 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.102-1
+- Allow all container domains to be entered from container_file_t
+
+* Fri May 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.101-1
+- Allow containers to read rpm cache and rpm databse
+
+* Tue Apr 23 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.100-1
+- Allow containers running as spc_t to create unlabeled_t kernel keyrings
+
+* Mon Apr 22 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.99-1
+- Fix labeling on /var/lib/containers/storage/overlay-layers,images to be sharable.
+
+* Mon Apr 15 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.98-1
+- Allow iptables to append to container_file_t
+
+* Fri Apr 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.97-1
+- Allow containers to read/write sysctl_kernel_ns_last_pid_t
+- Allow containers to manage fusefs sockets and named pipes
+
+* Thu Apr 4 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.96-1
+- Allow containers to read/write sysctl_kernel_ns_last_pid_t
+
+* Mon Apr 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.95-1
+- Allow containers to create fusefs sockets and named pipes
+
+* Thu Mar 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.94-1
+- Allow init_t to manage container content
+- Allow container domains to create fifo_files on fusefs file systems
+- Add boolean to allow containers to use ceph file systems
+
+* Tue Mar 26 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.91-1
+- Allow container runtimes to create unlabeled keyrings
+
+* Wed Mar 20 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.90-1
+- Allow containers to mount and umount fuse file systems.  This will allow us
+- to use buidlah within a user namespace separated container.
+
+* Sat Mar 9 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.89-1
+- Allow all container domains to have container file types entrypoint
+- Add new release to fix issues with udica
+- Allow container_runtime_t to dyntransition to container domains
+
+* Sat Mar 09 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.89-5.git2521d0d
+- bump to 2.89
+- autobuilt 2521d0d
+
+* Thu Mar 07 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.88-4.git5c98b56
+- bump to 2.88
+- autobuilt 5c98b56
+
+* Wed Mar 06 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-3.git2c1a2ab
+- autobuilt 2c1a2ab
+
+* Sat Mar 02 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-2.git891a85f
+- bump to 2.87
+- autobuilt 891a85f
+
+* Fri Mar 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.86-1
+- Allow unconfined user and services to dyntrans to container domains, needed for CRIU
+- Allow containers exectue hugetlb files.
+
+* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.85-1
+- More allow rules to allow containers to run within containers
+
+* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.84-1
+- More allow rules to allow containers to run within containers
+
+* Tue Feb 26 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.82-2.git5e1f62f
+- bump to 2.82
+- autobuilt 5e1f62f
+
+* Mon Feb 25 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.83-1
+- Allow containers to mounton cgroup and container_file_t
+
+* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1.nightly.git5e1f62f
 - Allow confined users to use containers
 
 * Fri Feb 08 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.80-3.git21c2be6

kmod.patch

@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index a14f0b2..9d9ea34 100644
+--- a/container.te
++++ b/container.te
+@@ -422,7 +422,7 @@ term_getattr_pty_fs(container_runtime_t)
+ term_relabel_pty_fs(container_runtime_t)
+ term_mounton_unallocated_ttys(container_runtime_t)
+ 
+-modutils_domtrans_kmod(container_runtime_t)
++modutils_domtrans_insmod(container_runtime_t)
+ 
+ systemd_status_all_unit_files(container_runtime_t)
+ systemd_start_systemd_services(container_runtime_t)

named_pipes.patch

@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index dbf3cdc..6472d1d 100644
+--- a/container.te
++++ b/container.te
+@@ -850,7 +850,7 @@ fs_manage_fusefs_dirs(container_domain)
+ fs_manage_fusefs_files(container_domain)
+ fs_manage_fusefs_symlinks(container_domain)
+ fs_manage_fusefs_named_sockets(container_domain)
+-fs_manage_fusefs_named_pipes(container_domain)
++#fs_manage_fusefs_named_pipes(container_domain)
+ fs_exec_fusefs_files(container_domain)
+ fs_unmount_xattr_fs(container_domain)
+ fs_mount_fusefs(container_domain)

pipes.patch

@@ -0,0 +1,13 @@
+diff --git a/container.te b/container.te
+index 04267bd..56d4a6e 100644
+--- a/container.te
++++ b/container.te
+@@ -850,7 +850,7 @@ fs_manage_fusefs_dirs(container_domain)
+ fs_manage_fusefs_files(container_domain)
+ fs_manage_fusefs_symlinks(container_domain)
+ fs_manage_fusefs_named_sockets(container_domain)
+-fs_manage_fusefs_named_pipes(container_domain)
++#fs_manage_fusefs_named_pipes(container_domain)
+ fs_exec_fusefs_files(container_domain)
+ fs_unmount_xattr_fs(container_domain)
+ fs_mount_fusefs(container_domain)

sources

@@ -1 +1,2 @@
-SHA512 (container-selinux-5e1f62f.tar.gz) = 8184e4191cbce80e8ecf65f82e64f6b85eeda0b7b958be099b97100aaa78c71e3d0adec642eafb7e58037ba0a5b0452da7674d7e6c02a8f3c125f67629425ea7
+SHA512 (container-selinux-0b25a4a.tar.gz) = 50c1f23670a3beb36afd7689c937da26a9ffeb1a75e6e1a73632201193df7f5ec118b8a0cfe8296eb175ac98440a70270353897933d42d7bbea5b1f90f36e770
+SHA512 (container-selinux-c57a6f9.tar.gz) = d807b912b40431ef23e81cdb45a15dac9fa5de5e037652c94d9b5b1e6d02699038507cf0463c0a819d5c4579373bf3b449c4865aa28b53983b85da07c0c6b2ee