diff --git a/.container-selinux.metadata b/.container-selinux.metadata
index 9eda71e..fc3b477 100644
--- a/.container-selinux.metadata
+++ b/.container-selinux.metadata
@@ -1 +1 @@
-bb8157f7ea50a7da2f9f404f22f10f11a8b1b4b0 SOURCES/v2.240.0.tar.gz
+04a0423be83ceabfe0d688b11054d6fdb433a564 SOURCES/v2.245.0.tar.gz
diff --git a/.gitignore b/.gitignore
index 998a580..457a877 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v2.240.0.tar.gz
+SOURCES/v2.245.0.tar.gz
diff --git a/SOURCES/390-backport.patch b/SOURCES/390-backport.patch
deleted file mode 100644
index 48e608a..0000000
--- a/SOURCES/390-backport.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up container-selinux-2.240.0/container.if.390 container-selinux-2.240.0/container.if
---- container-selinux-2.240.0/container.if.390 2025-09-19 07:03:21.827502160 +0200
-+++ container-selinux-2.240.0/container.if 2025-09-19 07:03:35.383197574 +0200
-@@ -19,6 +19,7 @@ interface(`container_runtime_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
- allow container_runtime_t $1:fifo_file setattr;
-+ allow $1 container_runtime_t:bpf prog_run;
- ')
-
- ########################################
-diff -up container-selinux-2.240.0/container.te.390 container-selinux-2.240.0/container.te
---- container-selinux-2.240.0/container.te.390 2025-09-19 07:03:25.942964294 +0200
-+++ container-selinux-2.240.0/container.te 2025-09-19 07:04:49.113508085 +0200
-@@ -744,7 +744,7 @@ optional_policy(`
- allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
- fs_fusefs_entrypoint(unconfined_domain_type)
-
-- domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
-+ container_runtime_domtrans(unconfined_domain_type)
- ')
-
- optional_policy(`
-@@ -1335,6 +1335,7 @@ container_manage_share_files(init_t)
- container_manage_share_dirs(init_t)
- container_filetrans_named_content(init_t)
- container_runtime_read_tmpfs_files(init_t)
-+allow init_t container_runtime_t:bpf prog_run;
-
- gen_require(`
- attribute device_node;
diff --git a/SOURCES/397-backport.patch b/SOURCES/397-backport.patch
deleted file mode 100644
index 35ab30f..0000000
--- a/SOURCES/397-backport.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up container-selinux-2.240.0/container.te.397 container-selinux-2.240.0/container.te
---- container-selinux-2.240.0/container.te.397 2025-09-19 07:01:45.736869927 +0200
-+++ container-selinux-2.240.0/container.te 2025-09-19 07:02:11.869541486 +0200
-@@ -1347,6 +1347,9 @@ allow container_domain init_t:unix_strea
-
- allow container_t proc_t:filesystem remount;
-
-+# Allow containers to access shared runtime directories for OCI runtime optimizations
-+allow container_t container_var_run_t:dir list_dir_perms;
-+
- # Container kvm - Policy for running kata containers
- container_domain_template(container_kvm, container)
- typeattribute container_kvm_t container_net_domain, container_user_domain;
diff --git a/SOURCES/412.patch b/SOURCES/412.patch
deleted file mode 100644
index 3a6e4f7..0000000
--- a/SOURCES/412.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From d27647a022f01aa5f847383878cf67c616a5d98e Mon Sep 17 00:00:00 2001
-From: Peter Hunt
-Date: Fri, 7 Nov 2025 10:27:32 -0500
-Subject: [PATCH] container_engine_t: add necessary permissions to ssh in
- userns container
-
-Signed-off-by: Peter Hunt
----
- container.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/container.te b/container.te
-index 63ae6bf..3af1b2b 100644
---- a/container.te
-+++ b/container.te
-@@ -1487,6 +1487,7 @@ allow container_engine_t kernel_t:system module_request;
- allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
- allow container_engine_t random_device_t:chr_file mounton;
- allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
-+allow container_engine_t self:netlink_audit_socket nlmsg_relay;
- allow container_engine_t urandom_device_t:chr_file mounton;
- allow container_engine_t zero_device_t:chr_file mounton;
- allow container_engine_t container_file_t:sock_file mounton;
diff --git a/SPECS/container-selinux.spec b/SPECS/container-selinux.spec
index 16ea2aa..64d5734 100644
--- a/SPECS/container-selinux.spec
+++ b/SPECS/container-selinux.spec
@@ -35,15 +35,12 @@ Epoch: 4
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.240.0
-Release: 4%{?dist}
+Version: 2.245.0
+Release: 1%{?dist}
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
 Source0: %{url}/archive/v%{version}.tar.gz
-Patch1: https://github.com/containers/container-selinux/pull/397-backport.patch
-Patch2: https://github.com/containers/container-selinux/pull/390-backport.patch
-Patch3: https://patch-diff.githubusercontent.com/raw/containers/container-selinux/pull/412.patch
 BuildArch: noarch
 BuildRequires: make
 BuildRequires: git-core
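Review bot: The removal of Patch1–Patch3 in this hunk drops the three backports (the container_runtime_t bpf prog_run rules, the container_var_run_t list_dir_perms rule for container_t, and the container_engine_t netlink_audit_socket nlmsg_relay rule that the removed 2.240.0-4 changelog entry describes as the audit-log write fix) without anything on the page confirming that v2.245.0 carries them, and the new changelog entries in the next hunk no longer reference RHEL-150544, RHEL-123749 or RHEL-115180. If any of those rules is absent from the new upstream tarball, the corresponding AVC denial silently returns on update, because the built policy simply loses the allow rule. Before merging, confirm that the unpacked SOURCES/v2.245.0.tar.gz contains `allow $1 container_runtime_t:bpf prog_run;`, `allow container_t container_var_run_t:dir list_dir_perms;` and `allow container_engine_t self:netlink_audit_socket nlmsg_relay;`, and record that in the changelog with a line such as `- Drop 390/397/412 backports, included upstream in v2.245.0`. The 412 patch is dated 7 Nov 2025 and the 2.244.0 entry is dated 11 Dec 2025, so it is plausibly upstream already, but the page does not show that.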
@@ -141,18 +138,21 @@ if %{_sbindir}/selinuxenabled ; then
 fi
 %changelog
-* Tue Feb 24 2026 Jindrich Novy - 4:2.240.0-4
-- Fix Selinux type container_engine_t is missing permissions to allow write to audit log
-- Resolves: RHEL-150544
+* Wed Feb 04 2026 Jindrich Novy - 4:2.245.0-1
+- update to https://github.com/containers/container-selinux/releases/tag/v2.245.0
+- Related: RHEL-111919
-* Fri Oct 24 2025 Lokesh Mandvekar - 4:2.240.0-3
-- Delete 405.patch. This was reverted upstream. If it's needed for OCP, this
-can be revisited.
-- Resolves: RHEL-123749
+* Thu Dec 11 2025 Jindrich Novy - 4:2.244.0-1
+- update to https://github.com/containers/container-selinux/releases/tag/v2.244.0
+- Resolves: RHEL-112187
-* Fri Sep 19 2025 Jindrich Novy - 4:2.240.0-2
-- Update container-selinux package to resolve OCP 4.20 issues
-- Resolves: RHEL-115180
+* Tue Sep 16 2025 Jindrich Novy - 4:2.242.0-1
+- update to https://github.com/containers/container-selinux/releases/tag/v2.242.0
+- Related: RHEL-111919
+
+* Mon Sep 01 2025 Jindrich Novy - 4:2.241.0-1
+- update to https://github.com/containers/container-selinux/releases/tag/v2.241.0
+- Resolves: RHEL-112187
 * Mon Aug 11 2025 Jindrich Novy - 4:2.240.0-1
 - update to https://github.com/containers/container-selinux/releases/tag/v2.240.0
@@ -569,7 +569,7 @@ to spc_t even when setup with nosuid.
 - Label overlay directories under /var/lib/containers/ correctly
 * Mon May 21 2018 Dan Walsh - 2.61-1
-- Allow spc_t to load kernel modules from inside of container
+- Allow spc_t to load kernel modules from inside of container
 * Mon May 21 2018 Dan Walsh - 2.60-1
 - Allow containers to list cgroup directories