6 changed files with 453 additions and 101 deletions
--- a/.buildah.metadata
+++ b/.buildah.metadata
@ -1 +1 @@
-d3fcf1950a92f35210dc390cde164f6e428826d1 SOURCES/buildah-e94b4f9.tar.gz
+80d289a0e9aaf8feb827df7aec25897ffec47bdc SOURCES/release-1.11-rhel-9a4764a.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/buildah-e94b4f9.tar.gz
+SOURCES/release-1.11-rhel-9a4764a.tar.gz
--- a/SOURCES/1996.patch
+++ b/SOURCES/1996.patch
@ -0,0 +1,153 @@
 From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
 From: Nalin Dahyabhai <nalin@redhat.com>
 Date: Thu, 21 Nov 2019 15:32:41 -0500
 Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
 When we go to unmount a tree of mounts, if one of the directories isn't
 there, instead of returning an error as before, log a debug message and
 keep going.
 Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
 ---
 bind/mount.go | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/bind/mount.go b/bind/mount.go
 index e1ae323b9f..adde901fd1 100644
 --- a/bind/mount.go
 +++ b/bind/mount.go
@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
 		mount := getMountByID(id)
 		// check if this mountpoint is mounted
 		if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
 +			if os.IsNotExist(err) {
 +				logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
 +				continue
 +			}
 			return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
 		}
 		if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
 From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
 From: Nalin Dahyabhai <nalin@redhat.com>
 Date: Fri, 22 Nov 2019 14:22:26 -0500
 Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
 UnmountMountpoints()
 Unmounting the rootfs with MNT_DETACH should unmount everything below
 it, so we don't need to use the more exhaustive method that our bind
 package uses for its bind mounts.
 Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
 ---
 chroot/run.go | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
 diff --git a/chroot/run.go b/chroot/run.go
 index fbccbcdb0d..76ac78d1ff 100644
 --- a/chroot/run.go
 +++ b/chroot/run.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"sync"
 	"syscall"
 +	"time"
 	"unsafe"
 	"github.com/containers/buildah/bind"
@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
 // callback that will clean up its work.
 func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
 	var fs unix.Statfs_t
 -	removes := []string{}
 	undoBinds = func() error {
 -		if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
 -			logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
 -			if err == nil {
 -				err = err2
 +		if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
 +			retries := 0
 +			for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
 +				time.Sleep(50 * time.Millisecond)
 +				err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
 +				retries++
 +			}
 +			if err2 != nil {
 +				logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
 +				if err == nil {
 +					err = err2
 +				}
 			}
 		}
 		return err
@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 	// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
 	// attempting to interact with labeling, when they aren't allowed to do so.
 	spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
 +
 	// Bind mount in everything we've been asked to mount.
 	for _, m := range spec.Mounts {
 		// Skip anything that we just mounted.
@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 			if !os.IsNotExist(err) {
 				return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
 			}
 -			// The target isn't there yet, so create it, and make a
 -			// note to remove it later.
 +			// The target isn't there yet, so create it.
 			if srcinfo.IsDir() {
 				if err = os.MkdirAll(target, 0111); err != nil {
 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
 				}
 -				removes = append(removes, target)
 			} else {
 				if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
 					return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
 				}
 				file.Close()
 -				removes = append(removes, target)
 			}
 		}
 		requestFlags := bindFlags
@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		if err := os.Mkdir(roEmptyDir, 0700); err != nil {
 			return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
 		}
 -		removes = append(removes, roEmptyDir)
 	}
 	// Set up any masked paths that we need to.  If we're running inside of
 From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
 From: Nalin Dahyabhai <nalin@redhat.com>
 Date: Fri, 22 Nov 2019 14:52:25 -0500
 Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
 Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
 ---
 tests/overlay.bats | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/tests/overlay.bats b/tests/overlay.bats
 index 04056f6804..7cc2d0c622 100644
 --- a/tests/overlay.bats
 +++ b/tests/overlay.bats
@@ -3,14 +3,14 @@
 load helpers
 @test "overlay specific level" {
 -  if test \! -e /usr/bin/fuse-overlays -a  "$BUILDAH_ISOLATION" = "rootless"; then
 +  if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
     skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
   fi
   image=alpine
   mkdir ${TESTDIR}/lower
   touch ${TESTDIR}/lower/foo
 -cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
 +  cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
   # This should succeed
   run_buildah --log-level=error run $cid ls /lower/foo
--- a/SOURCES/2031.patch
+++ b/SOURCES/2031.patch
@ -0,0 +1,147 @@
 From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
 From: Daniel J Walsh <dwalsh@redhat.com>
 Date: Tue, 17 Dec 2019 15:24:29 -0500
 Subject: [PATCH] Add support for FIPS-Mode backends
 If host is running in fips mode, then RHEL8.2 and beyond container images
 will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
 This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
 order to make all tools in the container follow the FIPS Mode rules.
 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
 ---
 pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
 run_linux.go           |  2 +-
 2 files changed, 39 insertions(+), 11 deletions(-)
 diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
 index 80ca050165..ee2e9a7c84 100644
 --- a/pkg/secrets/secrets.go
 +++ b/pkg/secrets/secrets.go
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
 }
 // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
 +// Deprecated, Please use SecretMountWithUIDGID
 func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
 }
 -// SecretMountsWithUIDGID specifies the uid/gid of the owner
 -func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 +// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
 +// mountLabel: MAC/SELinux label for container content
 +// containerWorkingDir: Private data for storing secrets on the host mounted in container.
 +// mountFile: Additional mount points required for the container.
 +// mountPoint: Container image mountpoint
 +// uid: to assign to content created for secrets
 +// gid: to assign to content created for secrets
 +// rootless: indicates whether container is running in rootless mode
 +// disableFips: indicates whether system should ignore fips mode
 +func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 	var (
 		secretMounts []rspec.Mount
 		mountFiles   []string
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
 	}
 	for _, file := range mountFiles {
 		if _, err := os.Stat(file); err == nil {
 -			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
 +			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
 			if err != nil {
 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
 			}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
 	// Add FIPS mode secret if /etc/system-fips exists on the host
 	_, err := os.Stat("/etc/system-fips")
 	if err == nil {
 -		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
 +		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
 		}
 	} else if os.IsNotExist(err) {
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
 // addSecretsFromMountsFile copies the contents of host directory to container directory
 // and returns a list of mounts
 -func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
 +func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
 	var mounts []rspec.Mount
 	defaultMountsPaths := getMounts(filePath)
 	for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
 		}
 		m := rspec.Mount{
 -			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
 +			Source:      ctrDirOrFileOnHost,
 			Destination: ctrDirOrFile,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
 // root filesystem if /etc/system-fips exists on hosts.
 // This enables the container to be FIPS compliant and run openssl in
 // FIPS mode as the host is also in FIPS mode.
 -func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
 +func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
 	secretsDir := "/run/secrets"
 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
 -			return errors.Wrapf(err, "making container directory on host failed")
 +			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
 		}
 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
 -			return errors.Wrap(err, "error applying correct labels")
 +			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
 		}
 	}
 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
 	if !mountExists(*mounts, secretsDir) {
 		m := rspec.Mount{
 -			Source:      filepath.Join(mountPrefix, secretsDir),
 +			Source:      ctrDirOnHost,
 			Destination: secretsDir,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
 		*mounts = append(*mounts, m)
 	}
 +	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
 +	destDir := "/etc/crypto-policies/back-ends"
 +	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
 +	if _, err := os.Stat(srcOnHost); err != nil {
 +		if os.IsNotExist(err) {
 +			return nil
 +		}
 +		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
 +	}
 +
 +	if !mountExists(*mounts, destDir) {
 +		m := rspec.Mount{
 +			Source:      srcOnHost,
 +			Destination: destDir,
 +			Type:        "bind",
 +			Options:     []string{"bind", "rprivate"},
 +		}
 +		*mounts = append(*mounts, m)
 +	}
 	return nil
 }
 diff --git a/run_linux.go b/run_linux.go
 index 4c2d73edde..c8e75eada6 100644
 --- a/run_linux.go
 +++ b/run_linux.go
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 	}
 	// Get the list of secrets mounts.
 -	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
 +	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@ -1,48 +0,0 @@
 From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
 From: TomSweeneyRedHat <tsweeney@redhat.com>
 Date: Tue, 24 Mar 2020 20:10:22 -0400
 Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
 Stealing @nalind 's workaround to avoid refetching
 content after a file read failure.  Under the right
 circumstances that could be a symlink to a file meant
 to overwrite a good file with bad data.
 Testing:
 ```
 goodstuff
 [1] 14901
 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
 no FROM statement found
 goodstuff
 ```
 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
 ---
 imagebuildah/util.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
 --- a/imagebuildah/util.go.CVE-2020-10696
 +++ b/imagebuildah/util.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/buildah"
 	"github.com/containers/storage/pkg/chrootarchive"
 +	"github.com/containers/storage/pkg/ioutils"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
 		}
 		dockerfile := filepath.Join(dir, "Dockerfile")
 		// Assume this is a Dockerfile
 -		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
 +		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
 		}
 	}
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@ -1,54 +1,52 @@
 %global with_debug 1
 %global with_bundled 1
 %if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
 %else
 %global debug_package   %{nil}
 %endif
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
 %else
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
 %endif
 %endif
-%global provider        github
+%global import_path github.com/containers/buildah
-%global provider_tld    com
+%global branch release-1.11-rhel
-%global project         containers
+%global commit0 9a4764a02bc6b877a52337a15dfe899a3a694e18
-%global repo            buildah
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # https://github.com/projectatomic/buildah
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 %global commit          e94b4f98048e7371685731b97eefd6265e2f1fb3
 %global shortcommit     %(c=%{commit}; echo ${c:0:7})
-Name:           %{repo}
+Name: buildah
-Version:        1.5
+Version: 1.11.6
-Release:        8.git%{shortcommit}%{?dist}
+Release: 10%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
-URL:            https://%{provider_prefix}
+URL: https://%{name}.io
-Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+ExcludeArch: i686
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+%if 0%{?branch:1}
-# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
-Patch0: buildah-CVE-2020-10696.patch
+%else
-ExclusiveArch:  x86_64 %{arm} aarch64 ppc64le s390x
+Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+%endif
-BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
+Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1784952
 Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: glib2-devel
 BuildRequires: libseccomp-devel
 BuildRequires: ostree-devel
 BuildRequires: glibc-static
 BuildRequires: go-md2man
 BuildRequires: gpgme-devel
 BuildRequires: device-mapper-devel
 BuildRequires: libassuan-devel
-BuildRequires:  libseccomp-devel
+BuildRequires: make
 Requires: runc >= 1.0.0-26
 Requires: containers-common
 Requires: container-selinux
-Provides:       %{repo} = %{version}-%{release}
+Requires: slirp4netns >= 0.3-0
 %description
 The %{name} package provides a command line tool which can be used to
@ -59,26 +57,51 @@ or
 * save container's root file system layer to create a new image
 * delete a working container or an image
 %package tests
 Summary: Tests for %{name}
 Requires: %{name} = %{version}-%{release}
 Requires: bzip2
 Requires: podman
 Requires: golang
 %description tests
 %{summary}
 This package contains system tests for %{name}
 %prep
-%autosetup -Sgit -n %{name}-%{commit}
+%if 0%{?branch:1}
 %autosetup -Sgit -n containers-%{name}-%{shortcommit0}
 %else
 %autosetup -Sgit -n %{name}-%{commit0}
 %endif
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile
 %build
 mkdir _build
 pushd _build
-mkdir -p src/%{provider}.%{provider_tld}/%{project}
+mkdir -p src/github.com/containers
 ln -s $(dirs +1 -l) src/%{import_path}
 popd
 mv vendor src
-export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
+export GOPATH=$(pwd)/_build:$(pwd)
-export BUILDTAGS='seccomp exclude_graphdriver_btrfs'
+export BUILDTAGS='seccomp selinux btrfs_noversion exclude_graphdriver_btrfs'
 export GO111MODULE=off
 rm -f src/github.com/containers/storage/drivers/register/register_btrfs.go
 %gobuild -o %{name} %{import_path}/cmd/%{name}
-make docs
+%gobuild -o imgtype %{import_path}/tests/imgtype
 GOMD2MAN=go-md2man %{__make} -C docs
 %install
 export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
 make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
 cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@ -92,14 +115,91 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/%{name}
 %files tests
 %license LICENSE
 %{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 %changelog
-* Thu Jun 25 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-8.gite94b4f9
+* Mon Apr 11 2022 Jindrich Novy <jnovy@redhat.com> - 1.11.6-10
- bump release to preserve upgrade path
+- update to the latest content of https://github.com/containers/buildah/tree/release-1.11-rhel
  (https://github.com/containers/buildah/commit/9a4764a)
 - fixes CVE-2022-27649
 - Resolves: #2067545
 * Tue Aug 17 2021 Jindrich Novy <jnovy@redhat.com> - 1.11.6-9
 - update to the latest content of https://github.com/containers/buildah/tree/release-1.11-rhel
  (https://github.com/containers/buildah/commit/6a746dc)
 - fixes CVE-2021-3602
 - Related: #1977942
 * Thu Jul 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-8
 - exclude i686 arch
 - Related: #1821193
-* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
+* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-7
 - fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1818127
+- Resolves: #1819393
 * Mon Feb 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
 - fix "COPY command takes long time with buildah"
 - Resolves: #1806118
 * Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
 - fix CVE-2020-1702
 - Resolves: #1801930
 - adding the first phase of FIPS fix
 - Related: #1784952
 * Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
 - compile in FIPS mode
 - Related: RHELPLAN-25139
 * Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-3
 - be sure to use golang >= 1.12.12-4
 - Related: RHELPLAN-25139
 * Sat Dec 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-2
 - fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()
 - bug reference 1772179
 - Related: RHELPLAN-25139
 * Thu Dec 05 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-1
 - update to buildah 1.11.6
 - Related: RHELPLAN-25139
 * Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.5-1
 - update to buildah 1.11.5
 - Related: RHELPLAN-25139
 * Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-2
 - fix %%gobuild macro to not to ignore BUILDTAGS
 - Related: RHELPLAN-25139
 * Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-1
 - update to 1.11.4
 - Related: RHELPLAN-25139
 * Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-5
 - Use autosetup macro again.
 * Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-4
 - Fix CVE-2019-10214 (#1734653).
 * Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-3
 - Resolves: #1721247 - enable fips mode
 * Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-2
 - Resolves: #1720654 - tests subpackage depends on golang explicitly
 * Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-1
 - Resolves: #1720654 - rebase to v1.9.0
 * Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.8.3-1
 - Resolves: #1720654 - rebase to v1.8.3
 * Tue Apr  9 2019 Eduardo Santiago <santiago@redhat.com> - 1.8-0.git021d607
 - package system tests
 * Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
 - re-enable debuginfo
`@ -1 +1 @@`
	`d3fcf1950a92f35210dc390cde164f6e428826d1 SOURCES/buildah-e94b4f9.tar.gz`	`80d289a0e9aaf8feb827df7aec25897ffec47bdc SOURCES/release-1.11-rhel-9a4764a.tar.gz`
`@ -1 +1 @@`
	`SOURCES/buildah-e94b4f9.tar.gz`	`SOURCES/release-1.11-rhel-9a4764a.tar.gz`