Update to 2.242.0 upstream release

Upstream tag: v2.242.0
Upstream commit: edfbda46

Commit authored by Packit automation (https://packit.dev/)

.gitignore

@@ -229,3 +229,14 @@
 /v2.231.0.tar.gz
 /packit-tmt-bodhi-reuse.zip
 /v2.232.1.tar.gz
+/v2.233.0.tar.gz
+/v2.234.1.tar.gz
+/v2.234.2.tar.gz
+/v2.235.0.tar.gz
+/v2.236.0.tar.gz
+/v2.237.0.tar.gz
+/v2.238.0.tar.gz
+/v2.239.0.tar.gz
+/v2.240.0.tar.gz
+/v2.241.0.tar.gz
+/v2.242.0.tar.gz

.packit.yaml

@@ -9,12 +9,15 @@ upstream_tag_template: v{version}
 files_to_sync:
   - src: rpm/gating.yaml
     dest: gating.yaml
+    delete: true
   - src: plans/
     dest: plans/
     delete: true
+    mkpath: true
   - src: test/
     dest: test/
     delete: true
+    mkpath: true
   - src: .fmf/
     dest: .fmf/
     delete: true
@@ -27,7 +30,7 @@ packages:
   container-selinux-centos:
     pkg_tool: centpkg
     specfile_path: rpm/container-selinux.spec
-  container-selinux-rhel:
+  container-selinux-eln:
     specfile_path: rpm/container-selinux.spec
 
 srpm_build_deps:
@@ -42,26 +45,29 @@ jobs:
         message: "Ephemeral COPR build failed. @containers/packit-build please check."
     enable_net: true
     # container-selinux is noarch so we only need to test on one arch
-    targets:
-      - fedora-all
-      - fedora-eln
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &eln_copr_targets
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
 
   - job: copr_build
     trigger: pull_request
     packages: [container-selinux-centos]
     notifications: *copr_build_failure_notification
     enable_net: true
-    targets:
-      - centos-stream-9
-      - centos-stream-10
-
-  - job: copr_build
-    trigger: pull_request
-    packages: [container-selinux-rhel]
-    notifications: *copr_build_failure_notification
-    enable_net: true
-    targets:
-      - epel-9
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
 
   # Run on commit to main branch
   # Build targets managed in copr settings
@@ -84,37 +90,41 @@ jobs:
     notifications: &test_failure_notification
       failure_comment:
         message: "Tests failed. @containers/packit-build please check."
-    targets:
-      - fedora-all
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *test_failure_notification
+    targets: *eln_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-eln/rhcontainerbot-podman-next-fedora-eln.repo
 
   # Tests for CentOS Stream
   - job: tests
     trigger: pull_request
     packages: [container-selinux-centos]
     notifications: *test_failure_notification
-    targets:
-      - centos-stream-9
-      - centos-stream-10
-
-  # Tests for RHEL
-  - job: tests
-    trigger: pull_request
-    packages: [container-selinux-rhel]
-    use_internal_tf: true
-    notifications: *test_failure_notification
-    targets:
-      epel-9-x86_64:
-        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
-      # Use centos-stream-10 until we have epel-10
-      # TODO: Enable after RHEL-10 gets selinux-policy >= 40.13.1 which is
-      # already on CentOS Stream 10.
-      #centos-stream-10-x86_64:
-        #  distros: [RHEL-10-Beta-Nightly]
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
 
   - job: propose_downstream
     trigger: release
     packages: [container-selinux-fedora]
-    dist_git_branches:
+    dist_git_branches: &fedora_targets
       - fedora-all
 
   - job: propose_downstream
@@ -126,8 +136,7 @@ jobs:
   - job: koji_build
     trigger: commit
     packages: [container-selinux-fedora]
-    dist_git_branches:
-      - fedora-all
+    dist_git_branches: *fedora_targets
 
   - job: bodhi_update
     trigger: commit

README.packit

@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 0.97.1.post1.dev6+gc8c0314a.
+The file was generated using packit 1.11.0.post1.dev7+gfdcdf3a32.

container-selinux.spec

@@ -2,7 +2,6 @@
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
 
@@ -21,22 +20,22 @@
 %define no_user_namespace 1
 %endif
 
-# copr_build is more intuitive than copr_username
-%if %{defined copr_username}
-%define copr_build 1
+# set copr_build is more intuitive than copr_username
+%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
+%define next_build 1
 %endif
 
 Name: container-selinux
-# Set different Epochs for copr and koji
-%if %{defined copr_build}
+# Set different Epoch for rhcontainerbot/podman-next copr build
+%if %{defined next_build}
 Epoch: 102
 %else
-Epoch: 2
+Epoch: 4
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.232.1
+Version: 2.242.0
 Release: %autorelease
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
@@ -51,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -86,11 +86,8 @@ make
 %_format MODULES $x.pp.bz2
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
-# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-rm %{buildroot}%{_mandir}/man8/container_selinux.8
-
 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre
 
 %post
 # Install all modules in a single transaction
@@ -98,21 +95,24 @@ if [ $1 -eq 1 ]; then
    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+   %selinux_modules_uninstall %{modulenames} docker
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -126,9 +126,10 @@ fi
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-#%%{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then

gating.yaml

@@ -1,7 +1,9 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_context: bodhi_update_push_stable
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
 

plans/all.fmf

@@ -1,20 +0,0 @@
-discover:
-    how: fmf
-execute:
-    how: tmt
-
-/upstream:
-    summary: Run SELinux specific Podman tests on upstream PRs
-    discover+:
-        filter: tag:upstream
-    adjust+:
-        enabled: false
-        when: initiator is not defined or initiator != packit
-
-/downstream:
-    summary: Run SELinux specific Podman e2e tests on bodhi / errata and dist-git PRs
-    discover+:
-        filter: tag:downstream
-    adjust+:
-        enabled: false
-        when: initiator == packit

plans/main.fmf

@@ -0,0 +1,20 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    - when: distro == centos-stream or distro == rhel
+      how: shell
+      script: |
+        dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
+        dnf -y config-manager --set-enabled epel
+      order: 10
+    - when: initiator == packit
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+        fi
+        dnf -y upgrade --allowerasing
+      order: 20

sources

@@ -1 +1 @@
-SHA512 (v2.232.1.tar.gz) = babaf5f65b639493482392674717284574859e4bbb03e897843265708f4f5cceeb260712cdff09771076d99c18aa89718c0e95dc33839e72e809de9e80079ae2
+SHA512 (v2.242.0.tar.gz) = 48ed0644081cd1f52d2e842c46af9c7dd64685aab121a9a275da2ea75eb8b48b7b24ffc45658b6bc78b41a9bad116c3352e1bd540cfba298276519cd6ddea47c

test/Makefile

@@ -1,23 +0,0 @@
-.PHONY: basic_check
-basic_check:
-	semodule --list=full | grep container
-	semodule -B
-
-.PHONY: podman_e2e_test_upstream
-podman_e2e_test_upstream:
-	bash ./podman-tests.sh e2e upstream
-
-.PHONY: podman_e2e_test_downstream
-podman_e2e_test_downstream:
-	bash ./podman-tests.sh e2e downstream
-
-.PHONY: podman_system_test_upstream
-podman_system_test_upstream:
-	bash ./podman-tests.sh system upstream
-
-.PHONY: podman_system_test_downstream
-podman_system_test_downstream:
-	bash ./podman-tests.sh system downstream
-
-clean:
-	rm -rf podman-*dev* podman.spec

test/main.fmf

@@ -1,29 +1,17 @@
-# Only common dependencies that are NOT required to run podman-tests.sh are
-# specified here. Everything else is in podman-tests.sh.
 require:
-    - cpio
-    - make
+    - attr
+    - bats
+    - container-selinux
+    - podman-tests
     - policycoreutils
 
 /basic_check:
     summary: Run basic checks
-    tag: [ upstream, downstream ]
-    test: make basic_check
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
 
-/upstream:
-    tag: upstream
-/upstream/podman_e2e_test:
-    summary: Run SELinux specific Podman e2e tests on upstream PRs
-    test: make podman_e2e_test_upstream
-/upstream/podman_system_test:
-    summary: Run SELinux specific Podman system tests on upstream PRs
-    test: make podman_system_test_upstream
-
-/downstream:
-    tag: downstream
-/downstream/podman_e2e_test:
-    summary: Run SELinux specific Podman e2e tests on downstream bodhi / errata and dist-git PRs
-    test: make podman_e2e_test_downstream
-/downstream/podman_system_test:
-    summary: Run SELinux specific Podman system tests on downstream bodhi / errata and dist-git PRs
-    test: make podman_system_test_downstream
+/podman_system_test:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-tests.sh

test/podman-tests.sh

@@ -2,103 +2,15 @@
 
 set -exo pipefail
 
+cat /etc/redhat-release
+
 if [[ "$(id -u)" -ne 0 ]];then
     echo "Please run as superuser"
     exit 1
 fi
 
-if [[ -z "$1" ]]; then
-    echo -e "Usage: podman-tests.sh TEST_TYPE STREAM\nTEST_TYPE can be 'e2e' or 'system'\nSTREAM can be 'upstream' or 'downstream'"
-    exit 1
-fi
-
-TEST_TYPE=$1
-STREAM=$2
-
-# `rhel` macro exists on RHEL, CentOS Stream, and Fedora ELN
-# `centos` macro exists only on CentOS Stream
-CENTOS_VERSION=$(rpm --eval '%{?centos}')
-RHEL_VERSION=$(rpm --eval '%{?rhel}')
-
-# For upstream tests, we need to test with podman and other packages from the
-# podman-next copr. For downstream tests (bodhi, errata), we don't need any
-# additional setup
-if [[ "$STREAM" == "upstream" ]]; then
-    # Use CentOS Stream 10 copr target for RHEL-10 until EPEL 10 becomes
-    # available
-    if [[ -n $CENTOS_VERSION || $RHEL_VERSION -ge 10 ]]; then
-        dnf -y copr enable rhcontainerbot/podman-next centos-stream-$CENTOS_VERSION
-    else
-        dnf -y copr enable rhcontainerbot/podman-next
-    fi
-    echo "priority=5" >> /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next.repo
-fi
-
-# Remove testing-farm repos if they exist as these interfere with the packages
-# we want to install, especially when podman-next copr is involved
-rm -f /etc/yum.repos.d/tag-repository.repo
-
-# Fetch and extract latest podman source from the highest priority dnf repo
-# NOTE: On upstream pull-requests, the srpm will be fetched from the
-# podman-next copr while on bodhi updates, it will be fetched from Fedora's
-# official repos.
-PODMAN_DIR=$(mktemp -d)
-pushd $PODMAN_DIR
-
-# Download podman and podman-tests rpms, along with podman srpm
-dnf download podman podman-tests
-# Download srpm, srpm opts differ between dnf and dnf5
-rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
-
-# Ensure podman-tests RPM and podman SRPM version-release match
-# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
-# matching podman-tests and podman srpm is sufficient here.
-PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
-PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
-if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
-    echo "podman-tests and podman srpm version-release don't match"
-    exit 1
-fi
-
-# Install downloaded podman and podman-tests rpms
-dnf -y install ./podman*.$(uname -m).rpm
-
-# Extract and untar podman source from srpm
-rpm2cpio $(ls podman*.src.rpm) | cpio -di
-tar zxf *.tar.gz
-
-popd
-
-# Enable EPEL on RHEL/CentOS Stream envs to fetch bats
-if [[ -n $(rpm --eval '%{?rhel}') ]]; then
-    # Until EPEL 10 is available use epel-9 for all RHEL and CentOS Stream
-    dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
-    sed -i 's/$releasever/9/g' /etc/yum.repos.d/epel.repo
-fi
-
-# Install dependencies for running tests
-dnf -y install bats golang
-
 # Print versions of distro and installed packages
-cat /etc/redhat-release
-rpm -q bats container-selinux golang podman podman-tests selinux-policy
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
 
-if [[ "$TEST_TYPE" == "e2e" ]]; then
-    # /tmp is often unsufficient
-    export TMPDIR=/var/tmp
-
-    # dnf5 contains breaking changes
-    # Either of `dnf` OR `dnf5` will be installed, never both.
-    # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
-    #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
-
-    # Run podman e2e tests
-    pushd $PODMAN_DIR/podman-*/test/e2e
-    PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
-    popd
-fi
-
-if [[ "$TEST_TYPE" == "system" ]]; then
-    # Run podman system tests
-    bats /usr/share/podman/test/system/410-selinux.bats
-fi
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats