diff --git a/.container-selinux.metadata b/.container-selinux.metadata index 795db73..a40fdd2 100644 --- a/.container-selinux.metadata +++ b/.container-selinux.metadata @@ -1 +1 @@ -9ea9fac443eb4021c0278d9c50b4f4e9d2500f8c SOURCES/v2.232.1.tar.gz +09dd5e26510079c3fc117f8e26074e634cb492af SOURCES/v2.235.0.tar.gz diff --git a/.gitignore b/.gitignore index e198f9c..0e700d1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v2.232.1.tar.gz +SOURCES/v2.235.0.tar.gz diff --git a/SPECS/container-selinux.spec b/SPECS/container-selinux.spec index 3d7e53b..f8fbbb5 100644 --- a/SPECS/container-selinux.spec +++ b/SPECS/container-selinux.spec @@ -1,11 +1,7 @@ %global debug_package %{nil} -# container-selinux -%global git0 https://github.com/containers/container-selinux - # container-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package -%global selinuxtype targeted %global moduletype services %global modulenames container @@ -14,54 +10,72 @@ # Format must contain '$x' somewhere to do anything useful %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; -# Version of SELinux we were using -%global selinux_policyver 38.1.2-1.el9 +# RHEL < 10 and Fedora < 40 use file context entries in /var/run +%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40 +%define legacy_var_run 1 +%endif + +# https://github.com/containers/container-selinux/issues/203 +%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9 +%define no_user_namespace 1 +%endif + +# copr_build is more intuitive than copr_username +%if %{defined copr_username} +%define copr_build 1 +%endif -Epoch: 3 Name: container-selinux -Version: 2.232.1 +# Set different Epochs for copr and koji +%if %{defined copr_build} +Epoch: 102 +%else +Epoch: 3 +%endif +# Keep Version in upstream specfile at 0. It will be automatically set +# to the correct value by Packit for copr and koji builds. +# IGNORE this comment if you're looking at it in dist-git. +Version: 2.235.0 Release: 1%{?dist} -License: GPLv2 -URL: %{git0} +License: GPL-2.0-only +URL: https://github.com/containers/%{name} Summary: SELinux policies for container runtimes -Source0: %{git0}/archive/v%{version}.tar.gz +Source0: %{url}/archive/v%{version}.tar.gz BuildArch: noarch -BuildRequires: git +BuildRequires: make +BuildRequires: git-core BuildRequires: pkgconfig(systemd) -BuildRequires: selinux-policy >= %{selinux_policyver} -BuildRequires: selinux-policy-devel >= %{selinux_policyver} +BuildRequires: selinux-policy >= %_selinux_policy_version +BuildRequires: selinux-policy-devel >= %_selinux_policy_version # RE: rhbz#1195804 - ensure min NVR for selinux-policy -Requires: selinux-policy >= %{selinux_policyver} -Requires(post): selinux-policy-base >= %{selinux_policyver} -Requires(post): selinux-policy-targeted >= %{selinux_policyver} -Requires(post): policycoreutils >= 2.5-11 +Requires: selinux-policy >= %_selinux_policy_version +Requires(post): selinux-policy-base >= %_selinux_policy_version +Requires(post): selinux-policy-any >= %_selinux_policy_version +Recommends: selinux-policy-targeted >= %_selinux_policy_version +Requires(post): policycoreutils Requires(post): libselinux-utils Requires(post): sed -Obsoletes: %{name} <= 2:1.12.5-14 +Obsoletes: %{name} <= 2:1.12.5-13 Obsoletes: docker-selinux <= 2:1.12.4-28 -Provides: docker-selinux = %{epoch}:%{version}-%{release} -Provides: docker-engine-selinux = %{epoch}:%{version}-%{release} +Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} Conflicts: udica < 0.2.6-1 +Conflicts: k3s-selinux <= 0.4-1 %description SELinux policy modules for use with container runtimes. %prep -%autosetup -Sgit +%autosetup -Sgit %{name}-%{version} -# Remove some lines for RHEL 8 build -%if ! 0%{?fedora} && 0%{?rhel} <= 8 -sed -i 's/watch watch_reads//' container.if -sed -i '/sysfs_t:dir watch/d' container.te -sed -i '/systemd_chat_resolved/d' container.te +sed -i 's/^man: install-policy/man:/' Makefile +sed -i 's/^install: man/install:/' Makefile + +%if %{defined no_user_namespace} +sed -i '/user_namespace/d' container.te %endif -sed -i 's/man: install-policy/man:/' Makefile -sed -i 's/install: man/install:/' Makefile - -# https://github.com/containers/container-selinux/issues/203 -%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9 -sed -i '/user_namespace/d' container.te +%if %{defined legacy_var_run} +sed -i 's|^/run/|/var/run/|' container.fc %endif %build @@ -70,22 +84,10 @@ make %install # install policy modules %_format MODULES $x.pp.bz2 -install -d %{buildroot}%{_datadir}/selinux/packages -install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services -install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services -install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages -install -d %{buildroot}/%{_datadir}/containers/selinux -install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts -install -d %{buildroot}%{_datadir}/udica/templates -install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates - -# remove spec file -rm -rf %{name}.spec - -%check +%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user %pre -%selinux_relabel_pre -s %{selinuxtype} +%selinux_relabel_pre %post # Install all modules in a single transaction @@ -93,27 +95,21 @@ if [ $1 -eq 1 ]; then %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 -%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null -%selinux_modules_install -s %{selinuxtype} $MODULES . %{_sysconfdir}/selinux/config -sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1 +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null +%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null +%selinux_modules_install -s ${SELINUXTYPE} $MODULES +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : %postun if [ $1 -eq 0 ]; then -%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker -fi - -%triggerpostun -- container-selinux < 3:2.162.1-3 -if %{_sbindir}/selinuxenabled ; then - echo "Fixing Rootless SELinux labels in homedir" - %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null || : + %selinux_modules_uninstall %{modulenames} docker fi %posttrans -%selinux_relabel_post -s %{selinuxtype} +%selinux_relabel_post #define license tag if not already defined %{!?_licensedir:%global license %doc} @@ -124,10 +120,33 @@ fi %dir %{_datadir}/containers/selinux %{_datadir}/containers/selinux/contexts %dir %{_datadir}/udica/templates/ +%dir %{_datadir}/udica %{_datadir}/udica/templates/* +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 +%{_mandir}/man8/container_selinux.8.gz +%{_sysconfdir}/selinux/targeted/contexts/users/container_u +%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames} +%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames} +%triggerpostun -- container-selinux < 2:2.162.1-3 +if %{_sbindir}/selinuxenabled ; then + echo "Fixing Rootless SELinux labels in homedir" + %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null +fi %changelog +* Mon Feb 24 2025 Jindrich Novy - 3:2.235.0-1 +- update to https://github.com/containers/container-selinux/releases/tag/v2.235.0 +- Resolves: RHEL-80473 + +* Wed Nov 27 2024 Jindrich Novy - 3:2.234.2-1 +- update to https://github.com/containers/container-selinux/releases/tag/v2.234.2 +- Related: RHEL-60277 + +* Mon Sep 16 2024 Jindrich Novy - 3:2.233.0-1 +- update to https://github.com/containers/container-selinux/releases/tag/v2.233.0 +- Resolves: RHEL-58997 + * Tue Jun 11 2024 Jindrich Novy - 3:2.232.1-1 - update to https://github.com/containers/container-selinux/releases/tag/v2.232.1 - Related: RHEL-27608