diff --git a/container-selinux-99b40c5.tar.gz b/container-selinux-99b40c5.tar.gz deleted file mode 100644 index 9c5168a9adc505d9e3a10217ef1b632d237ebea3..0000000000000000000000000000000000000000 Binary files a/container-selinux-99b40c5.tar.gz and /dev/null differ diff --git a/container-selinux.spec b/container-selinux.spec index 86150ff52c62075be95bb986beed361b16ae0ffe..4837570bcc9f73c112f2e568f8068c1a8e65e6b2 100644 --- a/container-selinux.spec +++ b/container-selinux.spec @@ -1,9 +1,4 @@ -%global debug_package %{nil} - -# container-selinux -%global git0 https://github.com/containers/container-selinux -%global commit0 99b40c5013ec2720a04b1d3579ef888281714c35 -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) +%global debug_package %{nil} # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package @@ -18,15 +13,14 @@ Name: container-selinux Epoch: 2 -Version: 2.163 +Version: 2.230.0 Release: 1 -License: GPLv2 -URL: %{git0} +License: GPL-2.0-only +URL: https://github.com/containers/%{name} Summary: SELinux policies for container runtimes -Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz -#fix ERROR 'unknown class lockdown' at token ';' -Patch0: fix.patch +Source0: %{url}/archive/v%{version}.tar.gz BuildArch: noarch +BuildRequires: make BuildRequires: git-core BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %_selinux_policy_version @@ -38,7 +32,7 @@ Requires(post): selinux-policy-targeted >= %_selinux_policy_version Requires(post): policycoreutils Requires(post): libselinux-utils Requires(post): sed -Obsoletes: %{name} <= 2:1.12.5-14 +Obsoletes: %{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} 
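Review bot: The new `Source0: %{url}/archive/v%{version}.tar.gz` resolves through the mutable tag `v2.230.0` instead of the commit the removed `%global commit0` line pinned, and the spec records no checksum, so nothing in the spec ties the committed `v2.230.0.tar.gz` to a specific upstream revision. Keeping the pin (`%global commit0 <hash of v2.230.0>` with `Source0: %{url}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz`) or at least a comment naming the upstream commit would keep the source provenance reviewable; GitHub-generated tag archives have also changed bytes in the past, which only a recorded hash would detect. Dropping `Patch0: fix.patch` presumably also stops masking the `self:lockdown { confidentiality integrity }` rule that the patch commented out, so the built module now needs a base policy that defines the `lockdown` class; `BuildRequires: selinux-policy >= %_selinux_policy_version` looks like it covers that, but a one-line comment where the patch was removed, e.g. `# lockdown class is provided by selinux-policy >= %_selinux_policy_version; fix.patch is no longer needed`, would record why.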
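Review bot: Lowering `Obsoletes: %{name} <= 2:1.12.5-14` to `<= 2:1.12.5-13` narrows what this package replaces, and the changelog entry does not mention it; if a `2:1.12.5-14` build was ever shipped it would no longer be obsoleted. If the line was copied from another distribution's spec, the original `-14` bound should be kept. A short comment naming the old build the self-Obsoletes targets, e.g. `# epoch transition from the pre-2.x container-selinux builds`, would make the intent auditable at the next bump.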
@@ -46,7 +40,10 @@ Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} SELinux policy modules for use with container runtimes. %prep -%autosetup -n %{name}-%{commit0} -p1 +%autosetup -Sgit %{name}-%{version} + +sed -i 's/^man: install-policy/man:/' Makefile +sed -i 's/^install: man/install:/' Makefile %build make @@ -54,14 +51,10 @@ make %install # install policy modules %_format MODULES $x.pp.bz2 -install -d %{buildroot}%{_datadir}/selinux/packages -install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services -install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services -install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages -install -d %{buildroot}/%{_datadir}/containers/selinux -install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts +%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user -%check +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 +rm %{buildroot}%{_mandir}/man8/container_selinux.8 %pre %selinux_relabel_pre -s %{selinuxtype} @@ -77,7 +70,7 @@ fi %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null %selinux_modules_install -s %{selinuxtype} $MODULES . %{_sysconfdir}/selinux/config -sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : %postun 
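Review bot: `%autosetup -Sgit %{name}-%{version}` passes the unpack directory as a positional argument rather than via `-n`; `%setup` appears to ignore positional arguments, so this only works because the default directory is already `%{name}-%{version}`. The conventional spelling is `%autosetup -S git -n %{name}-%{version}`, or simply `%autosetup -S git` since the default applies. The two `sed -i` edits on the Makefile become silent no-ops if upstream rewrites the `man:` or `install:` target lines, so a comment stating why they exist, e.g. `# decouple the man target from install-policy so install does not touch the host policy store`, would help whoever does the next version bump notice when they stop matching.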
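Review bot: `%_format MODULES $x.pp.bz2` is kept at the top of %install but `$MODULES` is no longer referenced there once the explicit `install` lines are replaced by `%{__make} ... install install.udica-templates install.selinux-user`; the line is now dead in this section (it is still used in %post). The make call also drops the explicit `-m 0644` modes the old `install` lines set, so module and context file modes now come from the upstream Makefile, which the spec does not constrain; adding `%attr(0644,root,root) %{_datadir}/selinux/packages/*` in %files would pin them. The `%check` section is removed outright rather than left empty; that is fine if nothing runs there, but it belongs in the changelog entry.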
@@ -96,7 +89,12 @@ fi %{_datadir}/selinux/* %dir %{_datadir}/containers/selinux %{_datadir}/containers/selinux/contexts - +%dir %{_datadir}/udica/templates/ +%{_datadir}/udica/templates/* +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 +#%%{_mandir}/man8/container_selinux.8.gz +%{_sysconfdir}/selinux/targeted/contexts/users/* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames} %triggerpostun -- container-selinux < 2:2.162.1-3 if %{_sbindir}/selinuxenabled ; then @@ -105,6 +103,14 @@ if %{_sbindir}/selinuxenabled ; then fi %changelog +* Tue Apr 09 2024 lijian - 2:2.230.0-1 +- Update container-selinux to v2.230.0 +- Allow containers to unmount file systems +- Add buildah as a container_runtime_exec_t label +- Additional rules for container_user_t +- Add some MLS rules to policy +- Add container_file_t and container_ro_file_t as user_home_type + * Mon May 23 2022 duyiwei - 2.163-1 - Update container-selinux to v2.163.0 diff --git a/container-selinux.yaml b/container-selinux.yaml new file mode 100644 index 0000000000000000000000000000000000000000..689d5ad68ee14e890e10ead97e2250117e14392b --- /dev/null +++ b/container-selinux.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: containers/container-selinux +tag_prefix: ^v +seperator: . diff --git a/fix.patch b/fix.patch deleted file mode 100644 index 90293df6bae1221ed0d4239484d05ce92378d299..0000000000000000000000000000000000000000 --- a/fix.patch +++ /dev/null 
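Review bot: `%{_sysconfdir}/selinux/targeted/contexts/users/*` hardcodes `targeted` while every other policy path in this spec uses `%{selinuxtype}` (the `%ghost` line just below it and the `-s %{selinuxtype}` calls in %pre/%post), so the two can drift if the macro is ever changed; use `%{_sysconfdir}/selinux/%{selinuxtype}/contexts/users/*`. That file also lands under /etc without a `%config` marker, so any local edit is overwritten on upgrade; if that is intended because the file is policy-owned rather than admin-owned, a comment saying so, e.g. `# policy-owned, deliberately not %config`, will stop rpmlint's non-conffile-in-etc warning from being "fixed" later.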
@@ -1,12 +0,0 @@
-diff -up container-selinux-2.161.1/container.te.orig container-selinux-2.161.1/container.te
---- container-selinux-2.161.1/container.te.orig 2021-05-06 14:55:57.952216763 +0200
-+++ container-selinux-2.161.1/container.te 2021-05-06 14:56:02.027287991 +0200
-@@ -114,7 +114,7 @@ mls_trusted_object(container_runtime_t)
- #
- allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
- allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
--allow container_runtime_domain self:lockdown { confidentiality integrity };
-+#allow container_runtime_domain self:lockdown { confidentiality integrity };
- allow container_runtime_domain self:process ~setcurrent;
- allow container_runtime_domain self:passwd rootok;
- allow container_runtime_domain self:fd use;
diff --git a/v2.230.0.tar.gz b/v2.230.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ec5b90aa227e4f0aad1b927681f73e46e1b6a114
Binary files /dev/null and b/v2.230.0.tar.gz differ