diff --git a/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch b/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
deleted file mode 100644
index 0a954e7f4740bff60621f2f6713c826770afbe5a..0000000000000000000000000000000000000000
--- a/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 2ab60ecaf03083775312e49a1c3cd98a8cb3eb46 Mon Sep 17 00:00:00 2001
-From: wujing
-Date: Mon, 30 Aug 2021 11:11:00 +0800
-Subject: [PATCH] systemd_dbus_chat_resolved has been deprecated, use
- systemd_chat_resolved instead
-
-Signed-off-by: wujing
----
- container.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/container.te b/container.te
-index d17e4fe..63c5379 100644
---- a/container.te
-+++ b/container.te
-@@ -427,7 +427,7 @@ modutils_domtrans_kmod(container_runtime_domain)
- systemd_status_all_unit_files(container_runtime_domain)
- systemd_start_systemd_services(container_runtime_domain)
- systemd_dbus_chat_logind(container_runtime_domain)
--systemd_dbus_chat_resolved(container_runtime_domain)
-+systemd_chat_resolved(container_runtime_domain)
-
- userdom_stream_connect(container_runtime_domain)
- userdom_search_user_home_content(container_runtime_domain)
---
-2.31.1
-
diff --git a/container-selinux-9884317.tar.gz b/container-selinux-9884317.tar.gz
deleted file mode 100644
index ef21be84dc1a071b5edf0023ab2a21949908c58f..0000000000000000000000000000000000000000
Binary files a/container-selinux-9884317.tar.gz and /dev/null differ
diff --git a/container-selinux-e78ac4f.tar.gz b/container-selinux-e78ac4f.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..aeeeb18aa3209f0e62703c8b5f90237a73d225fe
Binary files /dev/null and b/container-selinux-e78ac4f.tar.gz differ
diff --git a/container-selinux.spec b/container-selinux.spec
index 2f55fe850fee6512f97285b5b107e8e517228a6d..acdca780fd80f8e7420b7545bddea6de4958e095 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec @@ -1,10 +1,14 @@ %global debug_package %{nil} # container-selinux -%global git0 https://github.com/projectatomic/container-selinux -%global commit0 988431700370bf7f554ab6507c836a9aa19e47ff +%global git0 https://github.com/containers/container-selinux +%global commit0 e78ac4f5b982112a1f018fb5964c3a8b27f0b65d %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) +# Used for comparing with latest upstream tag +# to decide whether to autobuild (non-rawhide only) +%define built_tag v2.156.0 + # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package %global selinuxtype targeted 
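Review bot: `%define built_tag v2.156.0` does not match the `Version: 2.158.0` set further down in this spec or the changelog entry that says v2.158.0, so anything that compares built_tag with upstream tags would be working from the wrong release. If commit e78ac4f5b982112a1f018fb5964c3a8b27f0b65d is the v2.158.0 tag, the line should read `%define built_tag v2.158.0`; no use of built_tag is visible in this diff, so dropping it is the other option. Because git0 now points at a different GitHub organisation and the tarball is replaced as an opaque binary, it is also worth confirming that container-selinux-e78ac4f.tar.gz is byte-identical to the upstream archive of that commit before merging.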
@@ -16,43 +20,36 @@ # Format must contain '$x' somewhere to do anything useful %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; -# Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : - -# Version of SELinux we were using -%global selinux_policyver 3.13.1-220 - -%define epoch 2 - Name: container-selinux Epoch: 2 -Version: 2.138 -Release: 5 +Version: 2.158.0 +Release: 1 License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz BuildArch: noarch -Patch1: 0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch +BuildRequires: make +BuildRequires: git-core BuildRequires: pkgconfig(systemd) -BuildRequires: selinux-policy >= %{selinux_policyver} -BuildRequires: selinux-policy-devel >= %{selinux_policyver} +BuildRequires: selinux-policy >= %_selinux_policy_version +BuildRequires: selinux-policy-devel >= %_selinux_policy_version # RE: rhbz#1195804 - ensure min NVR for selinux-policy -Requires: selinux-policy >= %{selinux_policyver} -Requires(post): selinux-policy-base >= %{selinux_policyver} -Requires(post): selinux-policy-targeted >= %{selinux_policyver} +Requires: selinux-policy >= %_selinux_policy_version +Requires(post): selinux-policy-base >= %_selinux_policy_version +Requires(post): selinux-policy-targeted >= %_selinux_policy_version Requires(post): policycoreutils Requires(post): libselinux-utils Requires(post): sed Obsoletes: 
%{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 -Provides: docker-selinux = %{epoch}:%{version}-%{release} +Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} %description SELinux policy modules for use with container runtimes. %prep -%autosetup -n %{name}-%{commit0} -p1 +%autosetup -Sgit -n %{name}-%{commit0} %build make 
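Review bot: `%_selinux_policy_version` in the five BuildRequires/Requires lines is never defined in this spec, and the explicit floor `%global selinux_policyver 3.13.1-220` is removed in the same hunk. The macro presumably comes from the selinux-policy RPM macro file; when that file is not installed at spec-parse time, rpm leaves an unknown macro unexpanded and the dependency no longer carries a usable minimum version, which undermines the rhbz#1195804 comment above it. A guard such as `%{!?_selinux_policy_version:%global _selinux_policy_version 3.13.1-220}` before the first use would keep a known floor. The hunk starts and ends mid-spec, so a definition outside the visible lines cannot be ruled out.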
@@ -64,52 +61,51 @@ install -d %{buildroot}%{_datadir}/selinux/packages install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages - -# remove spec file -rm -rf container-selinux.spec +install -d %{buildroot}/%{_datadir}/containers/selinux +install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts %check +%pre +%selinux_relabel_pre -s %{selinuxtype} + %post # Install all modules in a single transaction if [ $1 -eq 1 ]; then - %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 + %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null %{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null -%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy - %relabel_files - if [ $1 -eq 1 ]; then - restorecon -R %{_sharedstatedir}/docker &> /dev/null || : - restorecon -R %{_sharedstatedir}/containers &> /dev/null || : - fi -fi +%selinux_modules_install -s %{selinuxtype} $MODULES . 
%{_sysconfdir}/selinux/config sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : - %postun if [ $1 -eq 0 ]; then -%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || : -if %{_sbindir}/selinuxenabled ; then -%{_sbindir}/load_policy -%relabel_files -fi + %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker fi +%posttrans +%selinux_relabel_post -s %{selinuxtype} + #define license tag if not already defined %{!?_licensedir:%global license %doc} %files %doc README.md %{_datadir}/selinux/* +%dir %{_datadir}/containers/selinux +%{_datadir}/containers/selinux/contexts +# Currently shipped in selinux-policy-doc +#%%{_datadir}/man/man8/container_selinux.8.gz %changelog +* Wed Dec 1 2021 liqiuyu - 2.158-1 +- Update container-selinux to v2.158.0 + * Tue Oct 26 2021 caodongxia - 2.138-5 - DESC: systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead @@ -123,4 +119,4 @@ fi - Update container-selinux to v2.138.1 * Sat Sep 14 2019 openEuler Buildteam - 2.73-3 -- Package init +- Package init \ No newline at end of file
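Review bot: The new `%pre` and `%posttrans` scriptlets have no matching scriptlet dependencies; the spec orders `policycoreutils` and `libselinux-utils` only through `Requires(post)`. The bodies of `%selinux_relabel_pre` and `%selinux_relabel_post` are not visible here, but if they call tools from those packages and the tools are not yet installed when `%pre` runs, the pre-transaction step and the later relabel can be skipped silently, leaving runtime binaries and container storage with stale labels now that the explicit `%relabel_files` and first-install `restorecon -R` calls are gone. Consider adding `Requires(pre): libselinux-utils` and `Requires(posttrans): policycoreutils`, and checking the resulting labels after a fresh install in a clean root. The new changelog entry also says `2.158-1` while the package is `2.158.0-1`.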