Update to 2.233.0 upstream release

Upstream tag: v2.233.0
Upstream commit: cc5da8a9

Commit authored by Packit automation (https://packit.dev/)

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -216,3 +216,16 @@
 /v2.219.0.tar.gz
 /v2.221.tar.gz
 /v2.221.0.tar.gz
+/v2.221.1.tar.gz
+/v2.222.0.tar.gz
+/v2.224.0.tar.gz
+/v2.226.0.tar.gz
+/v2.227.0.tar.gz
+/v2.228.0.tar.gz
+/v2.228.1.tar.gz
+/v2.229.0.tar.gz
+/v2.229.1.tar.gz
+/v2.230.0.tar.gz
+/v2.231.0.tar.gz
+/v2.232.1.tar.gz
+/v2.233.0.tar.gz

.packit.yaml

@@ -2,57 +2,146 @@
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
 
-specfile_path: rpm/container-selinux.spec
+downstream_package_name: container-selinux
 upstream_tag_template: v{version}
 
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+  - src: test/
+    dest: test/
+    delete: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-rhel:
+    specfile_path: rpm/container-selinux.spec
+
 srpm_build_deps:
   - make
 
 jobs:
   - job: copr_build
     trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
     enable_net: true
     # container-selinux is noarch so we only need to test on one arch
-    targets: &pr_copr_targets
+    targets:
       - fedora-all
+      - fedora-eln
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_targets
       - centos-stream-9
-      - centos-stream-8
+      - centos-stream-10
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-rhel]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets:
+      - epel-9
 
   # Run on commit to main branch
+  # Build targets managed in copr settings
   - job: copr_build
     trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
     branch: main
     owner: rhcontainerbot
     project: podman-next
     enable_net: true
 
   # All tests specified in the `/plans/` subdir
-  # FIXME: uncomment e2e tests after disk space issues resolved on testing farm
-  #- job: tests
-  #  trigger: pull_request
-  #  targets: *test_targets
-  #  identifier: podman_e2e_test
-  #  tmt_plan: "/plans/podman_e2e_test"
-
+  # Tests for Fedora
   - job: tests
     trigger: pull_request
-    # arch assumed to be x86_64 by default.
-    targets: *pr_copr_targets
-    identifier: podman_system_test
-    tmt_plan: "/plans/podman_system_test"
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets:
+      - fedora-all
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+  # Tests for RHEL
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-rhel]
+    use_internal_tf: true
+    notifications: *test_failure_notification
+    targets:
+      epel-9-x86_64:
+        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo
+          - type: repository-file
+            id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo
 
   - job: propose_downstream
     trigger: release
-    update_release: false
+    packages: [container-selinux-fedora]
     dist_git_branches:
       - fedora-all
 
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
   - job: koji_build
     trigger: commit
+    packages: [container-selinux-fedora]
     dist_git_branches:
       - fedora-all
 
   - job: bodhi_update
     trigger: commit
+    packages: [container-selinux-fedora]
     dist_git_branches:
       - fedora-branched # rawhide updates are created automatically

README.packit

@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 0.78.2.post2+g81828af.
+The file was generated using packit 0.101.0.

container-selinux.spec

@@ -11,21 +11,24 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-# RHEL 8 doesn't allow watch and systemd_chat_resolved
-%if %{defined rhel} && 0%{?rhel} == 8
-%define no_watch 1
-%define no_systemd_chat_resolved 1
-%global _selinux_policy_version 3.14.3-80.el8
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
 %endif
 
 # https://github.com/containers/container-selinux/issues/203
-%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
 %define no_user_namespace 1
 %endif
 
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
 Name: container-selinux
 # Set different Epochs for copr and koji
-%if %{defined copr_username}
+%if %{defined copr_build}
 Epoch: 102
 %else
 Epoch: 2
@@ -33,7 +36,7 @@ Epoch: 2
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.221.0
+Version: 2.233.0
 Release: %autorelease
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
@@ -67,20 +70,14 @@ SELinux policy modules for use with container runtimes.
 sed -i 's/^man: install-policy/man:/' Makefile
 sed -i 's/^install: man/install:/' Makefile
 
-%if %{defined no_watch}
-sed -i 's/watch watch_reads//' container.if
-sed -i 's/watch watch_reads//' container.te
-sed -i '/sysfs_t:dir watch/d' container.te
-%endif
-
-%if %{defined no_systemd_chat_resolved}
-sed -i '/^systemd_chat_resolved/d' container.te
-%endif
-
 %if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif
 
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make
 
@@ -125,6 +122,7 @@ fi
 %{_datadir}/selinux/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120

gating.yaml

@@ -4,3 +4,9 @@ product_versions:
 decision_context: bodhi_update_push_stable
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []

plans/all.fmf

@@ -0,0 +1,20 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+
+/upstream:
+    summary: Run SELinux specific Podman tests on upstream PRs
+    discover+:
+        filter: tag:upstream
+    adjust+:
+        enabled: false
+        when: initiator is not defined or initiator != packit
+
+/downstream:
+    summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs
+    discover+:
+        filter: tag:downstream
+    adjust+:
+        enabled: false
+        when: initiator == packit

sources

@@ -1 +1 @@
-SHA512 (v2.221.0.tar.gz) = 71e4bbc1507f9d04dd78c5881814c57b2138ed91ff474f0ce6db5da5e14ce848d7fe41952284b3525fb222eaf364dcc84efbb2f7641d78ac9abf5343e481be5d
+SHA512 (v2.233.0.tar.gz) = f79380a3312cb57953bc1286ba7dcdbf29ab95ce72de79c5bac1eb6c4401d2bcb0c9875802c7198a9680af19affb34170581c609180408b21cc27cf680c3feb4

test/Makefile

@@ -0,0 +1,15 @@
+.PHONY: basic_check
+basic_check:
+	semodule --list=full | grep container
+	semodule -B
+
+.PHONY: podman_e2e_test
+podman_e2e_test:
+	bash ./podman-tests.sh e2e
+
+.PHONY: podman_system_test
+podman_system_test:
+	bash ./podman-tests.sh system
+
+clean:
+	rm -rf podman-*dev* podman.spec

test/main.fmf

@@ -0,0 +1,21 @@
+# Only common dependencies that are NOT required to run podman-tests.sh are
+# specified here. Everything else is in podman-tests.sh.
+require:
+    - cpio
+    - make
+    - policycoreutils
+
+/basic_check:
+    tag: [ upstream, downstream ]
+    summary: Run basic checks
+    test: make basic_check
+
+/podman_e2e_test:
+    tag: [ upstream, downstream ]
+    summary: Run SELinux specific Podman e2e tests
+    test: make podman_e2e_test
+
+/podman_system_test:
+    tag: [ upstream, downstream ]
+    summary: Run SELinux specific Podman system tests
+    test: make podman_system_test

test/podman-tests.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+if [[ -z "$1" ]]; then
+    echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n"
+    exit 1
+fi
+
+TEST_TYPE=$1
+
+# Remove testing-farm repos if they exist as these interfere with the packages
+# we want to install, especially when podman-next copr is involved
+rm -f /etc/yum.repos.d/tag-repository.repo
+
+# Fetch and extract latest podman source from the highest priority dnf repo
+# NOTE: On upstream pull-requests, the srpm will be fetched from the
+# podman-next copr while on bodhi updates, it will be fetched from Fedora's
+# official repos.
+PODMAN_DIR=$(mktemp -d)
+pushd $PODMAN_DIR
+
+# Download podman and podman-tests rpms, along with podman srpm
+dnf download podman podman-tests
+# Download srpm, srpm opts differ between dnf and dnf5
+rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
+
+# Ensure podman-tests RPM and podman SRPM version-release match
+# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
+# matching podman-tests and podman srpm is sufficient here.
+PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
+PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
+if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
+    echo "podman-tests and podman srpm version-release don't match"
+    exit 1
+fi
+
+# Install downloaded podman and podman-tests rpms
+dnf -y install ./podman*.$(uname -m).rpm
+
+# Extract and untar podman source from srpm
+rpm2cpio $(ls podman*.src.rpm) | cpio -di
+tar zxf *.tar.gz
+
+popd
+
+# Install dependencies for running tests
+# NOTE: bats will be fetched from Fedora repos on public testing-farm envs if EPEL repo is absent or disabled.
+dnf -y install bats golang
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux golang podman podman-tests selinux-policy
+
+if [[ "$TEST_TYPE" == "e2e" ]]; then
+    # /tmp is often unsufficient
+    export TMPDIR=/var/tmp
+
+    # dnf5 contains breaking changes
+    # Either of `dnf` OR `dnf5` will be installed, never both.
+    # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
+    #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
+
+    # Run podman e2e tests
+    pushd $PODMAN_DIR/podman-*/test/e2e
+    PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
+    popd
+fi
+
+if [[ "$TEST_TYPE" == "system" ]]; then
+    # Run podman system tests
+    bats /usr/share/podman/test/system/410-selinux.bats
+fi