Update to 2.231.0 upstream release

- Resolves: rhbz#2276827

Upstream tag: v2.231.0
Upstream commit: 5d983412

Commit authored by Packit automation (https://packit.dev/)

.gitignore

@@ -209,3 +209,20 @@
 /v2.211.0.tar.gz
 /v2.211.1.tar.gz
 /v2.213.0.tar.gz
+/v2.215.0.tar.gz
+/v2.216.0.tar.gz
+/v2.217.0.tar.gz
+/v2.218.0.tar.gz
+/v2.219.0.tar.gz
+/v2.221.tar.gz
+/v2.221.0.tar.gz
+/v2.221.1.tar.gz
+/v2.222.0.tar.gz
+/v2.224.0.tar.gz
+/v2.226.0.tar.gz
+/v2.227.0.tar.gz
+/v2.228.0.tar.gz
+/v2.228.1.tar.gz
+/v2.229.1.tar.gz
+/v2.230.0.tar.gz
+/v2.231.0.tar.gz

.packit.yaml

@@ -0,0 +1,101 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+specfile_path: rpm/container-selinux.spec
+upstream_tag_template: v{version}
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    notifications:
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    # container-selinux is noarch so we only need to test on one arch
+    targets:
+      - fedora-all
+      - fedora-eln
+      - epel-9
+      - epel-8
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
+    trigger: commit
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # All tests specified in the `/plans/` subdir
+  # Podman e2e tests for Fedora and CentOS Stream
+  - job: tests
+    trigger: pull_request
+    notifications:
+      failure_comment:
+        message: "podman e2e tests failed. @containers/packit-build please check."
+    targets: &pr_test_targets
+      - fedora-all
+      - epel-9
+      - epel-8
+    identifier: podman_e2e_test
+    tmt_plan: "/plans/podman_e2e_test"
+
+  # Podman system tests for Fedora and CentOS Stream
+  - job: tests
+    trigger: pull_request
+    notifications:
+      failure_comment:
+        message: "podman system tests failed. @containers/packit-build please check."
+    targets: *pr_test_targets
+    identifier: podman_system_test
+    tmt_plan: "/plans/podman_system_test"
+
+  # Podman e2e tests for RHEL
+  - job: tests
+    trigger: pull_request
+    use_internal_tf: true
+    notifications:
+      failure_comment:
+        message: "podman e2e tests failed on RHEL. @containers/packit-build please check."
+    targets: &pr_test_targets_rhel
+      epel-9-x86_64:
+        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
+      epel-8-x86_64:
+        distros: [RHEL-8.9.0-Nightly,RHEL-8-Nightly]
+    identifier: podman_e2e_test_internal
+    tmt_plan: "/plans/podman_e2e_test"
+
+  # Podman system tests for RHEL
+  - job: tests
+    trigger: pull_request
+    use_internal_tf: true
+    notifications:
+      failure_comment:
+        message: "podman system tests failed on RHEL. @containers/packit-build please check."
+    targets: *pr_test_targets_rhel
+    identifier: podman_system_test_internal
+    tmt_plan: "/plans/podman_system_test"
+
+  - job: propose_downstream
+    trigger: release
+    update_release: false
+    dist_git_branches:
+      - fedora-all
+
+  - job: koji_build
+    trigger: commit
+    dist_git_branches:
+      - fedora-all
+
+  - job: bodhi_update
+    trigger: commit
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically

README.packit

@@ -0,0 +1,3 @@
+This repository is maintained by packit.
+https://packit.dev/
+The file was generated using packit 0.95.0.

container-selinux.spec

@@ -1,7 +1,4 @@
-%global debug_package   %{nil}
-
-# container-selinux
-%global git0 https://github.com/containers/container-selinux
+%global debug_package %{nil}
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
@@ -14,14 +11,42 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
+# RHEL 8 doesn't allow watch and systemd_chat_resolved
+%if %{defined rhel} && 0%{?rhel} == 8
+%define no_watch 1
+%define no_systemd_chat_resolved 1
+%global _selinux_policy_version 3.14.3-80.el8
+%endif
+
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10
+%define legacy_var_run 1
+%endif
+%if %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
+# https://github.com/containers/container-selinux/issues/203
+%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
 Name: container-selinux
+# Set different Epochs for copr and koji
+%if %{defined copr_username}
+Epoch: 102
+%else
 Epoch: 2
-Version: 2.213.0
+%endif
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 2.231.0
 Release: %autorelease
 License: GPL-2.0-only
-URL: %{git0}
+URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/v%{version}.tar.gz
+Source0: %{url}/archive/v%{version}.tar.gz
 BuildArch: noarch
 BuildRequires: make
 BuildRequires: git-core
@@ -45,28 +70,40 @@ Conflicts: k3s-selinux <= 0.4-1
 SELinux policy modules for use with container runtimes.
 
 %prep
-%autosetup -Sgit %{name}-%{built_tag_strip}
-# https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37
+%autosetup -Sgit %{name}-%{version}
+
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{defined no_watch}
+sed -i 's/watch watch_reads//' container.if
+sed -i 's/watch watch_reads//' container.te
+sed -i '/sysfs_t:dir watch/d' container.te
+sed -i '/fifo_file watch/d' container.te
+%endif
+
+%if %{defined no_systemd_chat_resolved}
+sed -i '/^systemd_chat_resolved/d' container.te
+%endif
+
+%if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif
 
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make
 
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-install -d %{buildroot}%{_datadir}/selinux/packages
-install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
-install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
-install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
-install -d %{buildroot}/%{_datadir}/containers/selinux
-install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-install -d %{buildroot}%{_datadir}/udica/templates
-install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
+%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
-%check
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+rm %{buildroot}%{_mandir}/man8/container_selinux.8
 
 %pre
 %selinux_relabel_pre -s %{selinuxtype}
@@ -82,7 +119,7 @@ fi
 %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
 %selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
-sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
@@ -103,8 +140,10 @@ fi
 %{_datadir}/containers/selinux/contexts
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
-# Currently shipped in selinux-policy-doc
-#%%{_datadir}/man/man8/container_selinux.8.gz
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+#%%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then

sources

@@ -1 +1 @@
-SHA512 (v2.213.0.tar.gz) = 5973b104b99dbadf8d935f241c70a570efc27a1858c035fc343f4ed6a234cd083da1e5a6281e04902bc8fe5997f2bfefe58d698c9225a82353a0f3d57b30933b
+SHA512 (v2.231.0.tar.gz) = 1e1cf48dda96e72330719ec6b679cbb832e002903c94afee3d3a4754196712026a050bbf619e9b0fdba6efbd1c56aaf1e687cd0436cc3386ac23d5b5a83f6352