rpms/container-selinux
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS container-selinux-2.235.0-1.el9

Browse Source
This commit is contained in:
eabdullin 2025-03-11 07:06:34 +00:00
parent 411e69b93c
commit 588a72e100
3 changed files with 81 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.container-selinux.metadata
View File

@ -1 +1 @@
9ea9fac443eb4021c0278d9c50b4f4e9d2500f8c SOURCES/v2.232.1.tar.gz 09dd5e26510079c3fc117f8e26074e634cb492af SOURCES/v2.235.0.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/v2.232.1.tar.gz SOURCES/v2.235.0.tar.gz

139
SPECS/container-selinux.spec
View File

@ -1,11 +1,7 @@
%global debug_package %{nil} %global debug_package %{nil}
# container-selinux
%global git0 https://github.com/containers/container-selinux
# container-selinux stuff (prefix with ds_ for version/release etc.) # container-selinux stuff (prefix with ds_ for version/release etc.)
# Some bits borrowed from the openstack-selinux package # Some bits borrowed from the openstack-selinux package
%global selinuxtype targeted
%global moduletype services %global moduletype services
%global modulenames container %global modulenames container
@ -14,54 +10,72 @@
# Format must contain '$x' somewhere to do anything useful # Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
# Version of SELinux we were using # RHEL < 10 and Fedora < 40 use file context entries in /var/run
%global selinux_policyver 38.1.2-1.el9 %if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
%define legacy_var_run 1
%endif
# https://github.com/containers/container-selinux/issues/203
%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
%define no_user_namespace 1
%endif
# copr_build is more intuitive than copr_username
%if %{defined copr_username}
%define copr_build 1
%endif
Epoch: 3
Name: container-selinux Name: container-selinux
Version: 2.232.1 # Set different Epochs for copr and koji
%if %{defined copr_build}
Epoch: 102
%else
Epoch: 3
%endif
# Keep Version in upstream specfile at 0. It will be automatically set
# to the correct value by Packit for copr and koji builds.
# IGNORE this comment if you're looking at it in dist-git.
Version: 2.235.0
Release: 1%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPL-2.0-only
URL: %{git0} URL: https://github.com/containers/%{name}
Summary: SELinux policies for container runtimes Summary: SELinux policies for container runtimes
Source0: %{git0}/archive/v%{version}.tar.gz Source0: %{url}/archive/v%{version}.tar.gz
BuildArch: noarch BuildArch: noarch
BuildRequires: git BuildRequires: make
BuildRequires: git-core
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy >= %_selinux_policy_version
BuildRequires: selinux-policy-devel >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %_selinux_policy_version
# RE: rhbz#1195804 - ensure min NVR for selinux-policy # RE: rhbz#1195804 - ensure min NVR for selinux-policy
Requires: selinux-policy >= %{selinux_policyver} Requires: selinux-policy >= %_selinux_policy_version
Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): selinux-policy-base >= %_selinux_policy_version
Requires(post): selinux-policy-targeted >= %{selinux_policyver} Requires(post): selinux-policy-any >= %_selinux_policy_version
Requires(post): policycoreutils >= 2.5-11 Recommends: selinux-policy-targeted >= %_selinux_policy_version
Requires(post): policycoreutils
Requires(post): libselinux-utils Requires(post): libselinux-utils
Requires(post): sed Requires(post): sed
Obsoletes: %{name} <= 2:1.12.5-14 Obsoletes: %{name} <= 2:1.12.5-13
Obsoletes: docker-selinux <= 2:1.12.4-28 Obsoletes: docker-selinux <= 2:1.12.4-28
Provides: docker-selinux = %{epoch}:%{version}-%{release} Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
Provides: docker-engine-selinux = %{epoch}:%{version}-%{release}
Conflicts: udica < 0.2.6-1 Conflicts: udica < 0.2.6-1
Conflicts: k3s-selinux <= 0.4-1
%description %description
SELinux policy modules for use with container runtimes. SELinux policy modules for use with container runtimes.
%prep %prep
%autosetup -Sgit %autosetup -Sgit %{name}-%{version}
# Remove some lines for RHEL 8 build sed -i 's/^man: install-policy/man:/' Makefile
%if ! 0%{?fedora} && 0%{?rhel} <= 8 sed -i 's/^install: man/install:/' Makefile
sed -i 's/watch watch_reads//' container.if
sed -i '/sysfs_t:dir watch/d' container.te %if %{defined no_user_namespace}
sed -i '/systemd_chat_resolved/d' container.te sed -i '/user_namespace/d' container.te
%endif %endif
sed -i 's/man: install-policy/man:/' Makefile %if %{defined legacy_var_run}
sed -i 's/install: man/install:/' Makefile sed -i 's|^/run/|/var/run/|' container.fc
# https://github.com/containers/container-selinux/issues/203
%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
sed -i '/user_namespace/d' container.te
%endif %endif
%build %build
@ -70,22 +84,10 @@ make
%install %install
# install policy modules # install policy modules
%_format MODULES $x.pp.bz2 %_format MODULES $x.pp.bz2
install -d %{buildroot}%{_datadir}/selinux/packages %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}/%{_datadir}/containers/selinux
install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
install -d %{buildroot}%{_datadir}/udica/templates
install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
# remove spec file
rm -rf %{name}.spec
%check
%pre %pre
%selinux_relabel_pre -s %{selinuxtype} %selinux_relabel_pre
%post %post
# Install all modules in a single transaction # Install all modules in a single transaction
@ -93,27 +95,21 @@ if [ $1 -eq 1 ]; then
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
fi fi
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
%selinux_modules_install -s %{selinuxtype} $MODULES
. %{_sysconfdir}/selinux/config . %{_sysconfdir}/selinux/config
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1 %{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
%selinux_modules_install -s ${SELINUXTYPE} $MODULES
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
%postun %postun
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker %selinux_modules_uninstall %{modulenames} docker
fi
%triggerpostun -- container-selinux < 3:2.162.1-3
if %{_sbindir}/selinuxenabled ; then
echo "Fixing Rootless SELinux labels in homedir"
%{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null || :
fi fi
%posttrans %posttrans
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post
#define license tag if not already defined #define license tag if not already defined
%{!?_licensedir:%global license %doc} %{!?_licensedir:%global license %doc}
@ -124,10 +120,33 @@ fi
%dir %{_datadir}/containers/selinux %dir %{_datadir}/containers/selinux
%{_datadir}/containers/selinux/contexts %{_datadir}/containers/selinux/contexts
%dir %{_datadir}/udica/templates/ %dir %{_datadir}/udica/templates/
%dir %{_datadir}/udica
%{_datadir}/udica/templates/* %{_datadir}/udica/templates/*
# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
%{_mandir}/man8/container_selinux.8.gz
%{_sysconfdir}/selinux/targeted/contexts/users/container_u
%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
%triggerpostun -- container-selinux < 2:2.162.1-3
if %{_sbindir}/selinuxenabled ; then
echo "Fixing Rootless SELinux labels in homedir"
%{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null
fi
%changelog %changelog
* Mon Feb 24 2025 Jindrich Novy <jnovy@redhat.com> - 3:2.235.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.235.0
- Resolves: RHEL-80473
* Wed Nov 27 2024 Jindrich Novy <jnovy@redhat.com> - 3:2.234.2-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.234.2
- Related: RHEL-60277
* Mon Sep 16 2024 Jindrich Novy <jnovy@redhat.com> - 3:2.233.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.233.0
- Resolves: RHEL-58997
* Tue Jun 11 2024 Jindrich Novy <jnovy@redhat.com> - 3:2.232.1-1 * Tue Jun 11 2024 Jindrich Novy <jnovy@redhat.com> - 3:2.232.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.232.1 - update to https://github.com/containers/container-selinux/releases/tag/v2.232.1
- Related: RHEL-27608 - Related: RHEL-27608