Update to 2.233.0 upstream release

Upstream tag: v2.233.0
Upstream commit: cc5da8a9

Commit authored by Packit automation (https://packit.dev/)

.gitignore

@@ -227,19 +227,5 @@
 /v2.229.1.tar.gz
 /v2.230.0.tar.gz
 /v2.231.0.tar.gz
-/packit-tmt-bodhi-reuse.zip
 /v2.232.1.tar.gz
 /v2.233.0.tar.gz
-/v2.234.1.tar.gz
-/v2.234.2.tar.gz
-/v2.235.0.tar.gz
-/v2.236.0.tar.gz
-/v2.237.0.tar.gz
-/v2.238.0.tar.gz
-/v2.239.0.tar.gz
-/v2.240.0.tar.gz
-/v2.241.0.tar.gz
-/v2.242.0.tar.gz
-/v2.243.0.tar.gz
-/v2.244.0.tar.gz
-/v2.245.0.tar.gz

.packit.yaml

@@ -13,11 +13,9 @@ files_to_sync:
   - src: plans/
     dest: plans/
     delete: true
-    mkpath: true
   - src: test/
     dest: test/
     delete: true
-    mkpath: true
   - src: .fmf/
     dest: .fmf/
     delete: true
@@ -30,7 +28,7 @@ packages:
   container-selinux-centos:
     pkg_tool: centpkg
     specfile_path: rpm/container-selinux.spec
-  container-selinux-eln:
+  container-selinux-rhel:
     specfile_path: rpm/container-selinux.spec
 
 srpm_build_deps:
@@ -45,29 +43,26 @@ jobs:
         message: "Ephemeral COPR build failed. @containers/packit-build please check."
     enable_net: true
     # container-selinux is noarch so we only need to test on one arch
-    targets: &fedora_copr_targets
-      - fedora-all-x86_64
-      - fedora-all-aarch64
-
-  - job: copr_build
-    trigger: pull_request
-    packages: [container-selinux-eln]
-    notifications: *copr_build_failure_notification
-    enable_net: true
-    targets: &eln_copr_targets
-      - fedora-eln-x86_64
-      - fedora-eln-aarch64
+    targets:
+      - fedora-all
+      - fedora-eln
 
   - job: copr_build
     trigger: pull_request
     packages: [container-selinux-centos]
     notifications: *copr_build_failure_notification
     enable_net: true
-    targets: &centos_copr_targets
-      - centos-stream-9-x86_64
-      - centos-stream-9-aarch64
-      - centos-stream-10-x86_64
-      - centos-stream-10-aarch64
+    targets: &centos_targets
+      - centos-stream-9
+      - centos-stream-10
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-rhel]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets:
+      - epel-9
 
   # Run on commit to main branch
   # Build targets managed in copr settings
@@ -90,41 +85,47 @@ jobs:
     notifications: &test_failure_notification
       failure_comment:
         message: "Tests failed. @containers/packit-build please check."
-    targets: *fedora_copr_targets
+    targets:
+      - fedora-all
     tf_extra_params:
       environments:
         - artifacts:
           - type: repository-file
             id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
 
-  # Tests for Fedora
-  - job: tests
-    trigger: pull_request
-    packages: [container-selinux-eln]
-    notifications: *test_failure_notification
-    targets: *eln_copr_targets
-    tf_extra_params:
-      environments:
-        - artifacts:
-          - type: repository-file
-            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-eln/rhcontainerbot-podman-next-fedora-eln.repo
-
   # Tests for CentOS Stream
   - job: tests
     trigger: pull_request
     packages: [container-selinux-centos]
     notifications: *test_failure_notification
-    targets: *centos_copr_targets
+    targets: *centos_targets
     tf_extra_params:
       environments:
         - artifacts:
           - type: repository-file
             id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
 
+  # Tests for RHEL
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-rhel]
+    use_internal_tf: true
+    notifications: *test_failure_notification
+    targets:
+      epel-9-x86_64:
+        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo
+          - type: repository-file
+            id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo
+
   - job: propose_downstream
     trigger: release
     packages: [container-selinux-fedora]
-    dist_git_branches: &fedora_targets
+    dist_git_branches:
       - fedora-all
 
   - job: propose_downstream
@@ -136,7 +137,8 @@ jobs:
   - job: koji_build
     trigger: commit
     packages: [container-selinux-fedora]
-    dist_git_branches: *fedora_targets
+    dist_git_branches:
+      - fedora-all
 
   - job: bodhi_update
     trigger: commit

README.packit

@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 1.13.0.
+The file was generated using packit 0.101.0.

container-selinux.spec

@@ -2,6 +2,7 @@
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
+%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
 
@@ -20,22 +21,22 @@
 %define no_user_namespace 1
 %endif
 
-# set copr_build is more intuitive than copr_username
-%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
-%define next_build 1
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
 %endif
 
 Name: container-selinux
-# Set different Epoch for rhcontainerbot/podman-next copr build
-%if %{defined next_build}
+# Set different Epochs for copr and koji
+%if %{defined copr_build}
 Epoch: 102
 %else
-Epoch: 4
+Epoch: 2
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.245.0
+Version: 2.233.0
 Release: %autorelease
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
@@ -50,8 +51,7 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-any >= %_selinux_policy_version
-Recommends: selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -86,8 +86,11 @@ make
 %_format MODULES $x.pp.bz2
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+rm %{buildroot}%{_mandir}/man8/container_selinux.8
+
 %pre
-%selinux_relabel_pre
+%selinux_relabel_pre -s %{selinuxtype}
 
 %post
 # Install all modules in a single transaction
@@ -95,24 +98,21 @@ if [ $1 -eq 1 ]; then
    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
+%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
-%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall %{modulenames} docker
+   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
 fi
 
 %posttrans
-%selinux_relabel_post
-
-# Empty placeholder check to silence rpmlint
-%check
+%selinux_relabel_post -s %{selinuxtype}
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -126,10 +126,9 @@ fi
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-%{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/container_u
-%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
-%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
+#%%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then

gating.yaml

@@ -1,9 +1,7 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_contexts:
-  - bodhi_update_push_stable
-  - bodhi_update_push_testing
+decision_context: bodhi_update_push_stable
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
 

plans/all.fmf

@@ -0,0 +1,20 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+
+/upstream:
+    summary: Run SELinux specific Podman tests on upstream PRs
+    discover+:
+        filter: tag:upstream
+    adjust+:
+        enabled: false
+        when: initiator is not defined or initiator != packit
+
+/downstream:
+    summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs
+    discover+:
+        filter: tag:downstream
+    adjust+:
+        enabled: false
+        when: initiator == packit

plans/main.fmf

@@ -1,30 +0,0 @@
-discover:
-    how: fmf
-execute:
-    how: tmt
-prepare:
-    - how: feature
-      epel: enabled
-    # TODO: Revisit this once https://github.com/teemtee/tmt/issues/3990 is in place.
-    # FIXME: For whatever reason, CentOS Stream envs end up upgrading container-selinux
-    # from podman-next instead of using the one installed by Packit. This apparently should
-    # be easier to handle once tmt#3990 is done. Things work as expected on Fedora already.
-    - when: initiator == packit
-      how: shell
-      script: |
-        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
-        if compgen -G $COPR_REPO_FILE > /dev/null; then
-            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
-        fi
-
-/basic_check:
-    discover+:
-        test: /test/basic_check
-
-/podman_rootful_system:
-    discover+:
-        test: /test/podman_rootful_system
-
-/podman_rootless_system:
-    discover+:
-        test: /test/podman_rootless_system

plans/tmt.fmf

@@ -1,9 +0,0 @@
-/:
-  inherit: false
-
-summary: Run tmt's integration tests
-plan:
-  import:
-    url: https://github.com/teemtee/tmt
-    path: /plans/friends
-    name: /podman

sources

@@ -1 +1 @@
-SHA512 (v2.245.0.tar.gz) = 0bc85980780631ceccb38f2fde64ff7f3792be18d4501806532f097deedde70f446e2389c543dd78e9087b45cd1a6916c0e096e6ea42dd77ac377ad4111b7db2
+SHA512 (v2.233.0.tar.gz) = f79380a3312cb57953bc1286ba7dcdbf29ab95ce72de79c5bac1eb6c4401d2bcb0c9875802c7198a9680af19affb34170581c609180408b21cc27cf680c3feb4

test/Makefile

@@ -0,0 +1,15 @@
+.PHONY: basic_check
+basic_check:
+	semodule --list=full | grep container
+	semodule -B
+
+.PHONY: podman_e2e_test
+podman_e2e_test:
+	bash ./podman-tests.sh e2e
+
+.PHONY: podman_system_test
+podman_system_test:
+	bash ./podman-tests.sh system
+
+clean:
+	rm -rf podman-*dev* podman.spec

test/main.fmf

@@ -1,34 +1,21 @@
+# Only common dependencies that are NOT required to run podman-tests.sh are
+# specified here. Everything else is in podman-tests.sh.
 require:
-    - attr
-    - container-selinux
-    - podman-tests
+    - cpio
+    - make
     - policycoreutils
-recommend:
-    - bats
 
 /basic_check:
+    tag: [ upstream, downstream ]
     summary: Run basic checks
-    test: |
-        semodule --list=full | grep container
-        semodule -B
-        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+    test: make basic_check
 
-/podman_rootful_system:
+/podman_e2e_test:
+    tag: [ upstream, downstream ]
+    summary: Run SELinux specific Podman e2e tests
+    test: make podman_e2e_test
+
+/podman_system_test:
+    tag: [ upstream, downstream ]
     summary: Run SELinux specific Podman system tests
-    test: bash ./podman-rootful-tests.sh
-
-/podman_rootless_system:
-    summary: Run rootless Podman system tests
-    test: bash ./podman-rootless-tests.sh
-    require+:
-        - passt
-        - passt-selinux
-    environment:
-        ROOTLESS_USER: "fedora"
-    adjust:
-        - when: distro == centos-stream
-          environment+:
-            ROOTLESS_USER: "ec2-user"
-        - when: distro == rhel
-          environment+:
-            ROOTLESS_USER: "cloud-user"
+    test: make podman_system_test

test/podman-rootful-tests.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-cat /etc/redhat-release
-
-if [[ "$(id -u)" -ne 0 ]];then
-    echo "Please run as superuser"
-    exit 1
-fi
-
-# Print versions of distro and installed packages
-rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
-
-# Run podman system tests
-bats /usr/share/podman/test/system/410-selinux.bats

test/podman-rootless-tests.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-cat /etc/redhat-release
-
-# Print versions of distro and installed packages
-rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy
-
-loginctl enable-linger "$ROOTLESS_USER"
-
-# Run podman system tests
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats"
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats"
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"

test/podman-tests.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+if [[ -z "$1" ]]; then
+    echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n"
+    exit 1
+fi
+
+TEST_TYPE=$1
+
+# Remove testing-farm repos if they exist as these interfere with the packages
+# we want to install, especially when podman-next copr is involved
+rm -f /etc/yum.repos.d/tag-repository.repo
+
+# Fetch and extract latest podman source from the highest priority dnf repo
+# NOTE: On upstream pull-requests, the srpm will be fetched from the
+# podman-next copr while on bodhi updates, it will be fetched from Fedora's
+# official repos.
+PODMAN_DIR=$(mktemp -d)
+pushd $PODMAN_DIR
+
+# Download podman and podman-tests rpms, along with podman srpm
+dnf download podman podman-tests
+# Download srpm, srpm opts differ between dnf and dnf5
+rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
+
+# Ensure podman-tests RPM and podman SRPM version-release match
+# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
+# matching podman-tests and podman srpm is sufficient here.
+PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
+PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
+if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
+    echo "podman-tests and podman srpm version-release don't match"
+    exit 1
+fi
+
+# Install downloaded podman and podman-tests rpms
+dnf -y install ./podman*.$(uname -m).rpm
+
+# Extract and untar podman source from srpm
+rpm2cpio $(ls podman*.src.rpm) | cpio -di
+tar zxf *.tar.gz
+
+popd
+
+# Install dependencies for running tests
+# NOTE: bats will be fetched from Fedora repos on public testing-farm envs if EPEL repo is absent or disabled.
+dnf -y install bats golang
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux golang podman podman-tests selinux-policy
+
+if [[ "$TEST_TYPE" == "e2e" ]]; then
+    # /tmp is often unsufficient
+    export TMPDIR=/var/tmp
+
+    # dnf5 contains breaking changes
+    # Either of `dnf` OR `dnf5` will be installed, never both.
+    # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
+    #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
+
+    # Run podman e2e tests
+    pushd $PODMAN_DIR/podman-*/test/e2e
+    PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
+    popd
+fi
+
+if [[ "$TEST_TYPE" == "system" ]]; then
+    # Run podman system tests
+    bats /usr/share/podman/test/system/410-selinux.bats
+fi

tests/tests.yml

@@ -0,0 +1,16 @@
+- hosts: localhost
+  tags:
+  - classic
+  roles:
+  - role: standard-test-basic
+    required_packages:
+    - policycoreutils
+    - container-selinux
+    - podman
+    tests:
+    - is-module-installed:
+        run: semodule --list=full | grep container
+    - can-rebuild-policy:
+        run: semodule -B
+    - can-run-podman:
+        run: podman run --rm quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current