import UBI container-selinux-2.245.0-1.el9
parent
1b033a65f4
commit
4be3cfdc1f
@ -1 +1 @@
|
||||
bb8157f7ea50a7da2f9f404f22f10f11a8b1b4b0 SOURCES/v2.240.0.tar.gz
|
||||
04a0423be83ceabfe0d688b11054d6fdb433a564 SOURCES/v2.245.0.tar.gz
|
||||
|
||||
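--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v2.240.0.tar.gz
+SOURCES/v2.245.0.tar.gz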
@ -1,31 +0,0 @@
|
||||
diff -up container-selinux-2.240.0/container.if.390 container-selinux-2.240.0/container.if
|
||||
--- container-selinux-2.240.0/container.if.390 2025-09-19 07:03:21.827502160 +0200
|
||||
+++ container-selinux-2.240.0/container.if 2025-09-19 07:03:35.383197574 +0200
|
||||
@@ -19,6 +19,7 @@ interface(`container_runtime_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
|
||||
allow container_runtime_t $1:fifo_file setattr;
|
||||
+ allow $1 container_runtime_t:bpf prog_run;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -up container-selinux-2.240.0/container.te.390 container-selinux-2.240.0/container.te
|
||||
--- container-selinux-2.240.0/container.te.390 2025-09-19 07:03:25.942964294 +0200
|
||||
+++ container-selinux-2.240.0/container.te 2025-09-19 07:04:49.113508085 +0200
|
||||
@@ -744,7 +744,7 @@ optional_policy(`
|
||||
allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
|
||||
fs_fusefs_entrypoint(unconfined_domain_type)
|
||||
|
||||
- domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
|
||||
+ container_runtime_domtrans(unconfined_domain_type)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -1335,6 +1335,7 @@ container_manage_share_files(init_t)
|
||||
container_manage_share_dirs(init_t)
|
||||
container_filetrans_named_content(init_t)
|
||||
container_runtime_read_tmpfs_files(init_t)
|
||||
+allow init_t container_runtime_t:bpf prog_run;
|
||||
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
@ -1,13 +0,0 @@
|
||||
diff -up container-selinux-2.240.0/container.te.397 container-selinux-2.240.0/container.te
|
||||
--- container-selinux-2.240.0/container.te.397 2025-09-19 07:01:45.736869927 +0200
|
||||
+++ container-selinux-2.240.0/container.te 2025-09-19 07:02:11.869541486 +0200
|
||||
@@ -1347,6 +1347,9 @@ allow container_domain init_t:unix_strea
|
||||
|
||||
allow container_t proc_t:filesystem remount;
|
||||
|
||||
+# Allow containers to access shared runtime directories for OCI runtime optimizations
|
||||
+allow container_t container_var_run_t:dir list_dir_perms;
|
||||
+
|
||||
# Container kvm - Policy for running kata containers
|
||||
container_domain_template(container_kvm, container)
|
||||
typeattribute container_kvm_t container_net_domain, container_user_domain;
|
||||
@ -1,23 +0,0 @@
|
||||
From d27647a022f01aa5f847383878cf67c616a5d98e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hunt <pehunt@redhat.com>
|
||||
Date: Fri, 7 Nov 2025 10:27:32 -0500
|
||||
Subject: [PATCH] container_engine_t: add necessary permissions to ssh in
|
||||
userns container
|
||||
|
||||
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
||||
---
|
||||
container.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/container.te b/container.te
|
||||
index 63ae6bf..3af1b2b 100644
|
||||
--- a/container.te
|
||||
+++ b/container.te
|
||||
@@ -1487,6 +1487,7 @@ allow container_engine_t kernel_t:system module_request;
|
||||
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
|
||||
allow container_engine_t random_device_t:chr_file mounton;
|
||||
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
|
||||
+allow container_engine_t self:netlink_audit_socket nlmsg_relay;
|
||||
allow container_engine_t urandom_device_t:chr_file mounton;
|
||||
allow container_engine_t zero_device_t:chr_file mounton;
|
||||
allow container_engine_t container_file_t:sock_file mounton;
|
||||
@ -35,15 +35,12 @@ Epoch: 4
|
||||
# Keep Version in upstream specfile at 0. It will be automatically set
|
||||
# to the correct value by Packit for copr and koji builds.
|
||||
# IGNORE this comment if you're looking at it in dist-git.
|
||||
Version: 2.240.0
|
||||
Release: 4%{?dist}
|
||||
Version: 2.245.0
|
||||
Release: 1%{?dist}
|
||||
License: GPL-2.0-only
|
||||
URL: https://github.com/containers/%{name}
|
||||
Summary: SELinux policies for container runtimes
|
||||
Source0: %{url}/archive/v%{version}.tar.gz
|
||||
Patch1: https://github.com/containers/container-selinux/pull/397-backport.patch
|
||||
Patch2: https://github.com/containers/container-selinux/pull/390-backport.patch
|
||||
Patch3: https://patch-diff.githubusercontent.com/raw/containers/container-selinux/pull/412.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: make
|
||||
BuildRequires: git-core
|
||||
@ -141,18 +138,21 @@ if %{_sbindir}/selinuxenabled ; then
|
||||
fi
|
||||
|
||||
%changelog
|
||||
* Tue Feb 24 2026 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-4
|
||||
- Fix Selinux type container_engine_t is missing permissions to allow write to audit log
|
||||
- Resolves: RHEL-150544
|
||||
* Wed Feb 04 2026 Jindrich Novy <jnovy@redhat.com> - 4:2.245.0-1
|
||||
- update to https://github.com/containers/container-selinux/releases/tag/v2.245.0
|
||||
- Related: RHEL-111919
|
||||
|
||||
* Fri Oct 24 2025 Lokesh Mandvekar <lsm5@redhat.com> - 4:2.240.0-3
|
||||
- Delete 405.patch. This was reverted upstream. If it's needed for OCP, this
|
||||
can be revisited.
|
||||
- Resolves: RHEL-123749
|
||||
* Thu Dec 11 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.244.0-1
|
||||
- update to https://github.com/containers/container-selinux/releases/tag/v2.244.0
|
||||
- Resolves: RHEL-112187
|
||||
|
||||
* Fri Sep 19 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-2
|
||||
- Update container-selinux package to resolve OCP 4.20 issues
|
||||
- Resolves: RHEL-115180
|
||||
* Tue Sep 16 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.242.0-1
|
||||
- update to https://github.com/containers/container-selinux/releases/tag/v2.242.0
|
||||
- Related: RHEL-111919
|
||||
|
||||
* Mon Sep 01 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.241.0-1
|
||||
- update to https://github.com/containers/container-selinux/releases/tag/v2.241.0
|
||||
- Resolves: RHEL-112187
|
||||
|
||||
* Mon Aug 11 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-1
|
||||
- update to https://github.com/containers/container-selinux/releases/tag/v2.240.0
|
||||
@ -569,7 +569,7 @@ to spc_t even when setup with nosuid.
|
||||
- Label overlay directories under /var/lib/containers/ correctly
|
||||
|
||||
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
|
||||
- Allow spc_t to load kernel modules from inside of container
|
||||
- Allow spc_t to load kernel modules from inside of container
|
||||
|
||||
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
|
||||
- Allow containers to list cgroup directories
|
||||
|
||||
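Review bot: Removing the `Patch1:`, `Patch2:` and `Patch3:` lines in the `@ -35,15 +35,12 @@` hunk while the changelog hunk drops the 4:2.240.0-4 entry (RHEL-150544) leaves no record that v2.245.0 actually contains the 390, 397 and 412 backports, i.e. the `bpf prog_run`, `container_var_run_t:dir list_dir_perms` and `netlink_audit_socket nlmsg_relay` rules visible in the deleted patch files. If any of those rules is absent from the upstream tarball, this import silently regresses SELinux policy that an earlier el9 build shipped, and nothing in the commit message or spec says the check was made. I would confirm each rule against the unpacked v2.245.0 container.te/container.if before building and record the outcome in the new 4:2.245.0-1 changelog entry, e.g. `- Drop 390/397/412 backport patches, included upstream in v2.245.0`, keeping the patches if any rule is still missing. The `@ -569,7 +569,7 @@` hunk appears to change only whitespace on the repeated spc_t changelog line, so it needs no action.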