container-selinux-2:2.164.1-2

- Resolves: 1970644

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

.gitignore

@@ -136,3 +136,32 @@
 /container-selinux-2750e78.tar.gz
 /container-selinux-fe6a25c.tar.gz
 /container-selinux-e2d5a9e.tar.gz
+/container-selinux-746ea7a.tar.gz
+/container-selinux-5d929d4.tar.gz
+/container-selinux-464e922.tar.gz
+/container-selinux-2908536.tar.gz
+/container-selinux-9fb1698.tar.gz
+/container-selinux-3c361a2.tar.gz
+/container-selinux-9b3b66f.tar.gz
+/container-selinux-0ef4703.tar.gz
+/container-selinux-5d3c461.tar.gz
+/container-selinux-1677bc4.tar.gz
+/container-selinux-8573f8d.tar.gz
+/container-selinux-54e2ac5.tar.gz
+/container-selinux-667f0f3.tar.gz
+/container-selinux-75f193a.tar.gz
+/container-selinux-f330e81.tar.gz
+/container-selinux-6d13bf9.tar.gz
+/container-selinux-eb6dad0.tar.gz
+/container-selinux-aeb85c4.tar.gz
+/container-selinux-e78ac4f.tar.gz
+/container-selinux-d89a599.tar.gz
+/container-selinux-c9f0cb6.tar.gz
+/v2.155.0.tar.gz
+/container-selinux-5a60716.tar.gz
+/container-selinux-e1092cd.tar.gz
+/container-selinux-da28288.tar.gz
+/container-selinux-233e620.tar.gz
+/container-selinux-61b862a.tar.gz
+/container-selinux-99b40c5.tar.gz
+/container-selinux-563ba3f.tar.gz

container-selinux.spec

@@ -2,9 +2,13 @@
 
 # container-selinux
 %global git0 https://github.com/containers/container-selinux
-%global commit0 e2d5a9eadb72a9aa90c4f5ba793011865620f367
+%global commit0 563ba3f2693f98de5e79a7fbf5889222ab9a454a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
+# Used for comparing with latest upstream tag
+# to decide whether to autobuild (non-rawhide only)
+%define built_tag v2.164.1
+
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
 %global selinuxtype targeted
@@ -16,29 +20,26 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-# Version of SELinux we were using
-%global selinux_policyver 3.14.4-43
-
 # Hooked up to autobuilder, please check with @lsm5 before updating
 Name: container-selinux
-%if 0%{?fedora}
 Epoch: 2
-%endif
-Version: 2.143.0
-Release: 2.dev.git%{shortcommit0}%{?dist}
+Version: 2.164.1
+Release: 2%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Patch: f33.patch
 BuildArch: noarch
-BuildRequires: git
+BuildRequires: make
+BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %{selinux_policyver}
-BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %{selinux_policyver}
-Requires(post): selinux-policy-base >= %{selinux_policyver}
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -64,12 +65,6 @@ install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/ser
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
 install -d %{buildroot}/%{_datadir}/containers/selinux
 install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-# Currently shipped as part of selinux-policy package
-#install -d %{buildroot}/%{_datadir}/man/man8
-#install -m 644 container_selinux.8 %{buildroot}/%{_datadir}/man/man8
-
-# remove spec file
-rm -rf container-selinux.spec
 
 %check
 
@@ -109,31 +104,168 @@ fi
 # Currently shipped in selinux-policy-doc
 #%%{_datadir}/man/man8/container_selinux.8.gz
 
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+    echo "Fixing Rootless SELinux labels in homedir"
+    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null || true
+fi
+
+
 # Hooked up to autobuilder, please check with @lsm5 before updating
 %changelog
-* Wed Aug 05 22:10:34 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.143.0-2.dev.gite2d5a9e
+* Mon Sep 27 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.164.1-2
+- Resolves: 1970644
+
+* Mon Jul 19 2021 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.164.1-1
+- Allow spc_t domains to set bpf rules on any domain
+
+* Sat Jun 12 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.163.0-2.dev.git99b40c5
+- bump to 2.163.0
+- autobuilt 99b40c5
+
+* Tue May 25 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.162.2-2.dev.git61b862a
+- bump to 2.162.2
+- autobuilt 61b862a
+
+* Mon May 17 2021 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.162.1-3.dev.git233e620
+- Fix labels in users homedirs, before overlayfs is supported by default for non root users
+
+* Sun May 16 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.162.1-2.dev.git233e620
+- bump to 2.162.1
+- autobuilt 233e620
+
+* Wed May 12 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.162.0-2.dev.gitda28288
+- bump to 2.162.0
+- autobuilt da28288
+
+* Fri May 07 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.161.1-2.dev.gite1092cd
+- bump to 2.161.1
+- autobuilt e1092cd
+
+* Tue Apr 20 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.160.0-3.dev.git5a60716
+- autobuilt 5a60716
+
+* Wed Mar 31 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.160.0-2.dev.gitc9f0cb6
+- bump to v2.160.0
+
+* Mon Mar 29 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.159.0-2.dev.gitd89a599
+- bump to 2.159.0
+- autobuilt d89a599
+
+* Wed Feb 17 2021 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.158.0-5.dev.gite78ac4f
+- Rebuilt to use latest selinux-policy interfaces
+
+* Tue Feb 16 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.158.0-4.dev.gite78ac4f
+- autobuilt e78ac4f
+
+* Fri Feb 12 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.158.0-3.dev.gitaeb85c4
+- autobuilt aeb85c4
+
+* Thu Feb 11 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.158.0-2.dev.giteb6dad0
+- bump to 2.158.0
+- autobuilt eb6dad0
+
+* Mon Feb 08 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.157.0-3.dev.git6d13bf9
+- autobuilt 6d13bf9
+
+* Tue Feb 02 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.157.0-2.dev.gitf330e81
+- bump to 2.157.0
+- autobuilt f330e81
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.156.0-3.dev.git75f193a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 15 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.156.0-2.dev.git75f193a
+- bump to 2.156.0
+- autobuilt 75f193a
+
+* Tue Jan  5 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.155.0-2.dev.git667f0f3
+- bump to 2.155.0
+- autobuilt 667f0f3
+
+* Wed Dec 30 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.154.0-2.dev.git54e2ac5
+- bump to 2.154.0
+- autobuilt 54e2ac5
+
+* Sat Dec 26 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.153.0-2.dev.git8573f8d
+- bump to 2.153.0
+- autobuilt 8573f8d
+
+* Tue Dec 22 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.152.0-2.dev.git1677bc4
+- bump to 2.152.0
+- autobuilt 1677bc4
+
+* Wed Dec 02 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.151.0-4.dev.git5d3c461
+- remove bogus changelog dates emitted by build bot leading to build failure
+- Related: #1715412
+
+* Wed Dec 02 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.151.0-3.dev.git5d3c461
+- remove %%fedora Epoch conditional
+- Related: #1899626
+
+* Thu Nov  5 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.151.0-2.dev.git5d3c461
+- bump to 2.151.0
+- autobuilt 5d3c461
+
+* Fri Oct 23 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.150.0-2.dev.git0ef4703
+- bump to 2.150.0
+- autobuilt 0ef4703
+
+* Thu Oct 15 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.148.0-3.dev.git9b3b66f
+- autobuilt 9b3b66f
+
+* Wed Oct 14 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.148.0-2.dev.git3c361a2
+- bump to 2.148.0
+- autobuilt 3c361a2
+
+* Mon Oct 12 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.147.0-2.dev.git9fb1698
+- bump to 2.147.0
+- autobuilt 9fb1698
+
+* Thu Oct  8 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.146.0-2.dev.git2908536
+- bump to 2.146.0
+- autobuilt 2908536
+
+* Thu Sep 10 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.145.0-2.dev.git464e922
+- bump to 2.145.0
+- autobuilt 464e922
+
+* Mon Aug 31 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.144.0-5.dev.git5d929d4
+- Resolves: #1797554 - use _selinux_policy_version macro
+
+* Fri Aug 28 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.144.0-4.dev.git5d929d4
+- Resolves: #1780129 - bump min selinux-policy
+
+* Thu Aug 13 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.144.0-3.dev.git5d929d4
+- autobuilt 5d929d4
+
+* Wed Aug 12 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.144.0-2.dev.git746ea7a
+- bump to 2.144.0
+- autobuilt 746ea7a
+
+* Wed Aug 05 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.143.0-2.dev.gite2d5a9e
 - bump to 2.143.0
 - autobuilt e2d5a9e
 
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.142.0-3.dev.gitfe6a25c
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Fri Jul 24 11:09:45 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.142.0-2.dev.gitfe6a25c
+* Fri Jul 24 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.142.0-2.dev.gitfe6a25c
 - bump to 2.142.0
 - autobuilt fe6a25c
 
-* Fri Jul 24 10:09:44 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.141.0-2.dev.git2750e78
+* Fri Jul 24 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.141.0-2.dev.git2750e78
 - bump to 2.141.0
 - autobuilt 2750e78
 
 * Thu Jul 23 2020 Merlin Mathesius <mmathesi@redhat.com> - 2:2.140.0-2.dev.git965c7fb
 - Cleanup usage of %%{epoch} macro to allow building for ELN
 
-* Thu Jul 23 19:10:26 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.140.0-2.dev.git965c7fb
+* Thu Jul 23 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.140.0-2.dev.git965c7fb
 - bump to 2.140.0
 - autobuilt 965c7fb
 
-* Sat Jul 18 11:10:04 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.139.0-2.dev.git8c26927
+* Sat Jul 18 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.139.0-2.dev.git8c26927
 - bump to 2.139.0
 - autobuilt 8c26927
 

f33.patch

@@ -0,0 +1,22 @@
+diff --git a/container.te b/container.te
+index ead5b16..b07a100 100644
+--- a/container.te
++++ b/container.te
+@@ -115,7 +115,7 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
++# allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;
+@@ -454,7 +454,7 @@ modutils_domtrans_kmod(container_runtime_domain)
+ systemd_status_all_unit_files(container_runtime_domain)
+ systemd_start_systemd_services(container_runtime_domain)
+ systemd_dbus_chat_logind(container_runtime_domain)
+-systemd_chat_resolved(container_runtime_domain)
++#systemd_chat_resolved(container_runtime_domain)
+ 
+ userdom_stream_connect(container_runtime_domain)
+ userdom_search_user_home_content(container_runtime_domain)

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

lockdown.patch

@@ -0,0 +1,12 @@
+diff --git a/container.te b/container.te
+index 5cd29af..a9392cd 100644
+--- a/container.te
++++ b/container.te
+@@ -115,7 +115,6 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;

sources

@@ -1 +1 @@
-SHA512 (container-selinux-e2d5a9e.tar.gz) = 397524b618159d498b5a64946a8f1acc0bf54a611723336aae61165322c6ee2963aec18f9c84de039755ea1ef1e0a51fbec9b49e5969043536fa382a7c9ea233
+SHA512 (container-selinux-563ba3f.tar.gz) = fdafd3ca1094fb009893e664a2c59b81b7b95ba796ea7e960c0c2def45a0ed229f4dece63cd87faf14e6c1094848614633b322526bb2625c5df6df6abb568a50