import UBI container-selinux-2.245.0-1.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 19:56:35 -04:00
parent 1b033a65f4
commit 4be3cfdc1f
6 changed files with 18 additions and 85 deletions


@ -1 +1 @@
bb8157f7ea50a7da2f9f404f22f10f11a8b1b4b0 SOURCES/v2.240.0.tar.gz
04a0423be83ceabfe0d688b11054d6fdb433a564 SOURCES/v2.245.0.tar.gz

.gitignore vendored

@ -1 +1 @@
SOURCES/v2.240.0.tar.gz
SOURCES/v2.245.0.tar.gz


@ -1,31 +0,0 @@
diff -up container-selinux-2.240.0/container.if.390 container-selinux-2.240.0/container.if
--- container-selinux-2.240.0/container.if.390 2025-09-19 07:03:21.827502160 +0200
+++ container-selinux-2.240.0/container.if 2025-09-19 07:03:35.383197574 +0200
@@ -19,6 +19,7 @@ interface(`container_runtime_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
allow container_runtime_t $1:fifo_file setattr;
+ allow $1 container_runtime_t:bpf prog_run;
')
########################################
diff -up container-selinux-2.240.0/container.te.390 container-selinux-2.240.0/container.te
--- container-selinux-2.240.0/container.te.390 2025-09-19 07:03:25.942964294 +0200
+++ container-selinux-2.240.0/container.te 2025-09-19 07:04:49.113508085 +0200
@@ -744,7 +744,7 @@ optional_policy(`
allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
fs_fusefs_entrypoint(unconfined_domain_type)
- domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
+ container_runtime_domtrans(unconfined_domain_type)
')
optional_policy(`
@@ -1335,6 +1335,7 @@ container_manage_share_files(init_t)
container_manage_share_dirs(init_t)
container_filetrans_named_content(init_t)
container_runtime_read_tmpfs_files(init_t)
+allow init_t container_runtime_t:bpf prog_run;
gen_require(`
attribute device_node;


@ -1,13 +0,0 @@
diff -up container-selinux-2.240.0/container.te.397 container-selinux-2.240.0/container.te
--- container-selinux-2.240.0/container.te.397 2025-09-19 07:01:45.736869927 +0200
+++ container-selinux-2.240.0/container.te 2025-09-19 07:02:11.869541486 +0200
@@ -1347,6 +1347,9 @@ allow container_domain init_t:unix_strea
allow container_t proc_t:filesystem remount;
+# Allow containers to access shared runtime directories for OCI runtime optimizations
+allow container_t container_var_run_t:dir list_dir_perms;
+
# Container kvm - Policy for running kata containers
container_domain_template(container_kvm, container)
typeattribute container_kvm_t container_net_domain, container_user_domain;


@ -1,23 +0,0 @@
From d27647a022f01aa5f847383878cf67c616a5d98e Mon Sep 17 00:00:00 2001
From: Peter Hunt <pehunt@redhat.com>
Date: Fri, 7 Nov 2025 10:27:32 -0500
Subject: [PATCH] container_engine_t: add necessary permissions to ssh in
userns container
Signed-off-by: Peter Hunt <pehunt@redhat.com>
---
container.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/container.te b/container.te
index 63ae6bf..3af1b2b 100644
--- a/container.te
+++ b/container.te
@@ -1487,6 +1487,7 @@ allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t self:netlink_audit_socket nlmsg_relay;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;


@ -35,15 +35,12 @@ Epoch: 4
# Keep Version in upstream specfile at 0. It will be automatically set
# to the correct value by Packit for copr and koji builds.
# IGNORE this comment if you're looking at it in dist-git.
Version: 2.240.0
Release: 4%{?dist}
Version: 2.245.0
Release: 1%{?dist}
License: GPL-2.0-only
URL: https://github.com/containers/%{name}
Summary: SELinux policies for container runtimes
Source0: %{url}/archive/v%{version}.tar.gz
Patch1: https://github.com/containers/container-selinux/pull/397-backport.patch
Patch2: https://github.com/containers/container-selinux/pull/390-backport.patch
Patch3: https://patch-diff.githubusercontent.com/raw/containers/container-selinux/pull/412.patch
BuildArch: noarch
BuildRequires: make
BuildRequires: git-core
@ -141,18 +138,21 @@ if %{_sbindir}/selinuxenabled ; then
fi
%changelog
* Tue Feb 24 2026 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-4
- Fix Selinux type container_engine_t is missing permissions to allow write to audit log
- Resolves: RHEL-150544
* Wed Feb 04 2026 Jindrich Novy <jnovy@redhat.com> - 4:2.245.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.245.0
- Related: RHEL-111919
* Fri Oct 24 2025 Lokesh Mandvekar <lsm5@redhat.com> - 4:2.240.0-3
- Delete 405.patch. This was reverted upstream. If it's needed for OCP, this
can be revisited.
- Resolves: RHEL-123749
* Thu Dec 11 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.244.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.244.0
- Resolves: RHEL-112187
* Fri Sep 19 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-2
- Update container-selinux package to resolve OCP 4.20 issues
- Resolves: RHEL-115180
* Tue Sep 16 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.242.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.242.0
- Related: RHEL-111919
* Mon Sep 01 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.241.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.241.0
- Resolves: RHEL-112187
* Mon Aug 11 2025 Jindrich Novy <jnovy@redhat.com> - 4:2.240.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.240.0
@ -569,7 +569,7 @@ to spc_t even when setup with nosuid.
- Label overlay directories under /var/lib/containers/ correctly
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
- Allow spc_t to load kernel modules from inside of container
- Allow spc_t to load kernel modules from inside of container
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
- Allow containers to list cgroup directories
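Review bot: The first hunk drops Patch1, Patch2 and Patch3 (the 397, 390 and 412 backports) but neither the spec nor the new %changelog entries state that v2.245.0 already carries those rules upstream; the removed 2.240.0-4 entry (RHEL-150544, audit-log write for container_engine_t) appears to correspond to the dropped 412 patch, which added `allow container_engine_t self:netlink_audit_socket nlmsg_relay;`, while the new 2.245.0-1 entry only references RHEL-111919. If the 2.245.0 tarball does not contain equivalent rules, this rebase silently regresses that permission together with the bpf prog_run and container_var_run_t rules from 390 and 397; that is inferred from the spec alone, so confirm against the upstream container.te and container.if in the new source before merging. Whichever way it resolves, record it in the 2.245.0-1 changelog entry, e.g. `- Drop 390, 397 and 412 backport patches, carried upstream in v2.245.0`, so the fix for RHEL-150544 stays traceable.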