diff --git a/.container-selinux.metadata b/.container-selinux.metadata
deleted file mode 100644
index 9cb12a0..0000000
--- a/.container-selinux.metadata
+++ /dev/null
@@ -1 +0,0 @@
-b1b7c2f65716bc8e5a7911494ea19c0792cc13ad SOURCES/container-selinux-f958d0c.tar.gz
diff --git a/.gitignore b/.gitignore
index 44da998..575931c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/container-selinux-f958d0c.tar.gz
+v2.235.0.tar.gz
diff --git a/SPECS/container-selinux.spec b/SPECS/container-selinux.spec
deleted file mode 100644
index d3130a9..0000000
--- a/SPECS/container-selinux.spec
+++ /dev/null
@@ -1,356 +0,0 @@ -%global debug_package %{nil} - -# container-selinux -%global git0 https://github.com/containers/container-selinux -%global commit0 f958d0cee4099f79890247ec64b57502b3acdb9f -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) - -# container-selinux stuff (prefix with ds_ for version/release etc.) -# Some bits borrowed from the openstack-selinux package -%global selinuxtype targeted -%global moduletype services -%global modulenames container - -# Usage: _format var format -# Expand 'modulenames' into various formats as needed -# Format must contain '$x' somewhere to do anything useful -%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; - -# Version of SELinux we were using -%global selinux_policyver 3.14.3-9.el8 - -Epoch: 2 -Name: container-selinux -Version: 2.124.0 -Release: 1.git%{shortcommit0}%{?dist} -License: GPLv2 -URL: %{git0} -Summary: SELinux policies for container runtimes -Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz -BuildArch: noarch -BuildRequires: git -BuildRequires: pkgconfig(systemd) -BuildRequires: selinux-policy >= %{selinux_policyver} -BuildRequires: selinux-policy-devel >= %{selinux_policyver} -# RE: rhbz#1195804 - ensure min NVR for selinux-policy -Requires: selinux-policy >= %{selinux_policyver} -Requires(post): selinux-policy-base >= %{selinux_policyver} -Requires(post): selinux-policy-targeted >= %{selinux_policyver} -Requires(post): policycoreutils >= 2.5-11 -%if 0%{?rhel} > 7 || 0%{?fedora} -Requires(post): policycoreutils-python-utils -%else -Requires(post): policycoreutils-python -%endif -Requires(post): libselinux-utils -Requires(post): sed -Obsoletes: %{name} <= 2:1.12.5-14 -Obsoletes: docker-selinux <= 2:1.12.4-28 -Provides: docker-selinux = %{epoch}:%{version}-%{release} -Provides: docker-engine-selinux = %{epoch}:%{version}-%{release} - -%description -SELinux policy modules for use with container runtimes. 
- -%prep -%autosetup -Sgit -n %{name}-%{commit0} - -%build -make - -%install -# install policy modules -%_format MODULES $x.pp.bz2 -install -d %{buildroot}%{_datadir}/selinux/packages -install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services -install -p -m 644 %{modulenames}.if %{buildroot}%{_datadir}/selinux/devel/include/services -install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages - -# remove spec file -rm -rf %{name}.spec - -%check - -%pre -%selinux_relabel_pre -s %{selinuxtype} - -%post -# Install all modules in a single transaction -if [ $1 -eq 1 ]; then - %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 -fi -%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 -%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null -%selinux_modules_install -s %{selinuxtype} $MODULES -. %{_sysconfdir}/selinux/config -sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types -matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : - -%postun -if [ $1 -eq 0 ]; then -%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker -fi - -%posttrans -%selinux_relabel_post -s %{selinuxtype} - -#define license tag if not already defined -%{!?_licensedir:%global license %doc} - -%files -%doc README.md -%{_datadir}/selinux/* - -%changelog -* Thu Mar 26 2020 Jindrich Novy - 2:2.124.0-1.gitf958d0c -- update to 2.124.0 -- Resolves: #1816541 - -* Thu Nov 28 2019 Jindrich Novy - 2:2.94-2.git1e99f1d -- rebuild because of CVE-2019-9512 and CVE-2019-9514 -- Resolves: #1766316, #1766215 - -* Thu Mar 28 2019 Lokesh Mandvekar - 2:2.94-1.git1e99f1d -- Resolves: #1690286 - bump to v2.94 -- Resolves: #1693806, #1689255 - -* Mon Mar 11 2019 Lokesh 
Mandvekar - 2:2.89-1.git2521d0d -- bump to v2.89 - -* Tue Nov 13 2018 Lokesh Mandvekar - 2:2.75-1.git99e2cfd -- bump to v2.75 -- built commit 99e2cfd - -* Mon Oct 22 2018 Lokesh Mandvekar - 2:2.74-1 -- Resolves: #1641655 - bump to v2.74 -- built commit a62c2db - -* Tue Sep 18 2018 Frantisek Kluknavsky - 2:2.73-3 -- tweak macro for fedora - applies to rhel8 as well - -* Mon Sep 17 2018 Frantisek Kluknavsky - 2:2.73-2 -- moved changelog entries: -- Define spc_t as a container_domain, so that container_runtime will transition -to spc_t even when setup with nosuid. -- Allow container_runtimes to setattr on callers fifo_files -- Fix restorecon to not error on missing directory - -* Thu Sep 6 2018 Dan Walsh - 2.69-3 -- Make sure we pull in the latest selinux-policy - -* Wed Jul 25 2018 Dan Walsh - 2.69-2 -- Add map support to container-selinux for RHEL 7.5 -- Dontudit attempts to write to kernel_sysctl_t - -* Mon Jul 16 2018 Dan Walsh - 2.68-1 -- Add label for /var/lib/origin -- Add customizable_file_t to customizable_types - -* Sun Jul 15 2018 Dan Walsh - 2.67-1 -- Add policy for container_logreader_t - -* Thu Jun 14 2018 Dan Walsh - 2.66-1 -- Allow dnsmasq to dbus chat with spc_t - -* Sun Jun 3 2018 Dan Walsh - 2.64-1 -- Allow containers to create all socket classes - -* Thu May 24 2018 Dan Walsh - 2.62-1 -- Label overlay directories under /var/lib/containers/ correctly - -* Mon May 21 2018 Dan Walsh - 2.61-1 -- Allow spc_t to load kernel modules from inside of container - -* Mon May 21 2018 Dan Walsh - 2.60-1 -- Allow containers to list cgroup directories -- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. - -* Mon May 21 2018 Dan Walsh - 2.58-2 -- Run restorecon /usr/bin/podman in postinstall - -* Fri May 18 2018 Dan Walsh - 2.58-1 -- Add labels to allow podman to be run from a systemd unit file - -* Mon May 7 2018 Dan Walsh - 2.57-1 -- Set the version of SELinux policy required to the latest to fix build issues. 
- -* Wed Apr 11 2018 Dan Walsh - 2.56-1 -- Allow container_runtime_t to transition to spc_t over unlabeled files - -* Mon Mar 26 2018 Dan Walsh - 2.55-1 - Allow iptables to read container state - Dontaudit attempts from containers to write to /proc/self - Allow spc_t to change attributes on container_runtime_t fifo files - -* Thu Mar 8 2018 Dan Walsh - 2.52-1 -- Add better support for writing custom selinux policy for customer container domains. - -* Thu Mar 8 2018 Dan Walsh - 2.51-1 -- Allow shell_exec_t as a container_runtime_t entrypoint - -* Wed Mar 7 2018 Dan Walsh - 2.50-1 -- Allow bin_t as a container_runtime_t entrypoint - -* Fri Mar 2 2018 Dan Walsh - 2.49-1 -- Add support for MLS running container runtimes -- Add missing allow rules for running systemd in a container - -* Wed Feb 21 2018 Dan Walsh - 2.48-1 -- Update policy to match master branch -- Remove typebounds and replace with nnp_transition and nosuid_transition calls - -* Tue Jan 9 2018 Dan Walsh - 2.41-1 -- Add support to nnp_transition for container domains -- Eliminates need for typebounds. - -* Tue Jan 9 2018 Dan Walsh - 2.40-1 -- Allow container_runtime_t to use user ttys -- Fixes bounds check for container_t - -* Mon Jan 8 2018 Dan Walsh - 2.39-1 -- Allow container runtimes to use interited terminals. This helps -satisfy the bounds check of container_t versus container_runtime_t. 
- -* Sat Jan 6 2018 Dan Walsh - 2.38-1 -- Allow container runtimes to mmap container_file_t devices -- Add labeling for rhel push plugin - -* Tue Dec 12 2017 Dan Walsh - 2.37-1 -- Allow containers to use inherited ttys -- Allow ostree to handle labels under /var/lib/containers/ostree - -* Mon Nov 27 2017 Dan Walsh - 2.36-1 -- Allow containers to relabelto/from all file types to container_file_t - -* Mon Nov 27 2017 Dan Walsh - 2.35-1 -- Allow container to map chr_files labeled container_file_t - -* Wed Nov 22 2017 Dan Walsh - 2.34-1 -- Dontaudit container processes getattr on kernel file systems - -* Sun Nov 19 2017 Dan Walsh - 2.33-1 -- Allow containers to read /etc/resolv.conf and /etc/hosts if volume -- mounted into container. - -* Wed Nov 8 2017 Dan Walsh - 2.32-1 -- Make sure users creating content in /var/lib with right labels - -* Thu Oct 26 2017 Dan Walsh - 2.31-1 -- Allow the container runtime to dbus chat with dnsmasq -- add dontaudit rules for container trying to write to /proc - -* Tue Oct 10 2017 Dan Walsh - 2.29-1 -- Add support for lxcd -- Add support for labeling of tmpfs storage created within a container. - -* Mon Oct 9 2017 Dan Walsh - 2.28-1 -- Allow a container to umount a container_file_t filesystem - -* Fri Sep 22 2017 Dan Walsh - 2.27-1 -- Allow container runtimes to work with the netfilter sockets -- Allow container_file_t to be an entrypoint for VM's -- Allow spc_t domains to transition to svirt_t - -* Fri Sep 22 2017 Dan Walsh - 2.24-1 -- Make sure container_runtime_t has all access of container_t - -* Thu Sep 7 2017 Dan Walsh - 2.23-1 -- Allow container runtimes to create sockets in tmp dirs - -* Tue Sep 5 2017 Dan Walsh - 2.22-1 -- Add additonal support for crio labeling. 
- -* Mon Aug 14 2017 Troy Dawson - 2.21-3 -- Fixup spec file conditionals - -* Wed Jul 26 2017 Fedora Release Engineering - 2:2.21-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Thu Jul 6 2017 Dan Walsh - 2.21-1 -- Allow containers to execmod on container_share_t files. - -* Thu Jul 6 2017 Dan Walsh - 2.20-2 -- Relabel runc and crio executables - -* Fri Jun 30 2017 Dan Walsh - 2.20-1 -- Allow container processes to getsession - -* Wed Jun 14 2017 Lokesh Mandvekar - 2:2.19-2.1 -- update release tag to isolate from 7.3 - -* Wed Jun 14 2017 Dan Walsh - 2:2.19-1 -- Fix mcs transition problem on stdin/stdout/stderr -- Add labels for CRI-O -- Allow containers to use tunnel sockets - -* Tue Jun 06 2017 Lokesh Mandvekar - 2:2.15-1.1 -- Resolves: #1451289 -- rebase to v2.15 -- built @origin/RHEL-1.12 commit 583ca40 - -* Mon Mar 20 2017 Dan Walsh - 2:2.10-2.1 -- Make sure we have a late enough version of policycoreutils - -* Mon Mar 6 2017 Dan Walsh - 2:2.10-1 -- Update to the latest container-selinux patch from upstream -- Label files under /usr/libexec/lxc as container_runtime_exec_t -- Give container_t access to XFRM sockets -- Allow spc_t to dbus chat with init system -- Allow containers to read cgroup configuration mounted into a container - -* Tue Feb 21 2017 Lokesh Mandvekar - 2:2.9-4 -- Resolves: #1425574 -- built commit 79a6d70 - -* Mon Feb 20 2017 Lokesh Mandvekar - 2:2.9-3 -- Resolves: #1420591 -- built @origin/RHEL-1.12 commit 8f876c4 - -* Mon Feb 13 2017 Lokesh Mandvekar - 2:2.9-2 -- built @origin/RHEL-1.12 commit 33cb78b - -* Fri Feb 10 2017 Lokesh Mandvekar - 2:2.8-2 -- - -* Tue Feb 07 2017 Lokesh Mandvekar - 2:2.7-1 -- built origin/RHEL-1.12 commit 21dd37b - -* Fri Jan 20 2017 Lokesh Mandvekar - 2:2.4-2 -- correct version-release in changelog entries - -* Thu Jan 19 2017 Dan Walsh - 2:2.4-1 -- Add typebounds statement for container_t from container_runtime_t -- We should only label runc not runc* - -* Tue Jan 17 2017 Dan Walsh - 
2:2.3-1 -- Fix labeling on /usr/bin/runc.* -- Add sandbox_net_domain access to container.te -- Remove containers ability to look at /etc content - -* Wed Jan 11 2017 Lokesh Mandvekar - 2:2.2-4 -- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7 - -* Tue Jan 10 2017 Jonathan Lebon - 2:2.2-3 -- properly disable docker module in %%post - -* Sat Jan 07 2017 Lokesh Mandvekar - 2:2.2-2 -- depend on selinux-policy-targeted -- relabel docker-latest* files as well - -* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.2-1 -- bump to v2.2 -- additional labeling for ocid - -* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.0-2 -- install policy at level 200 -- From: Dan Walsh - -* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.0-1 -- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a -standalone package) -- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel - -* Mon Dec 19 2016 Lokesh Mandvekar - 2:1.12.4-29 -- new package (separated from docker)
diff --git a/container-selinux.spec b/container-selinux.spec
new file mode 100644
index 0000000..b545425
--- /dev/null
+++ b/container-selinux.spec
@@ -0,0 +1,140 @@
+%global debug_package %{nil}
+
+# container-selinux stuff (prefix with ds_ for version/release etc.)
+# Some bits borrowed from the openstack-selinux package
+%global moduletype services
+%global modulenames container
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
+# https://github.com/containers/container-selinux/issues/203
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
+Name: container-selinux
+# Set different Epochs for copr and koji
+%if %{defined copr_build}
+Epoch: 102
+%else
+Epoch: 4
+%endif
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 2.235.0
+Release: 1%{?dist}
+License: GPL-2.0-only
+URL: https://github.com/containers/%{name}
+Summary: SELinux policies for container runtimes
+Source0: %{url}/archive/v%{version}.tar.gz
+BuildArch: noarch
+BuildRequires: make
+BuildRequires: git-core
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+# RE: rhbz#1195804 - ensure min NVR for selinux-policy
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): policycoreutils
+Requires(post): libselinux-utils
+Requires(post): sed
+Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: docker-selinux <= 2:1.12.4-28
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
+Conflicts: udica < 0.2.6-1
+Conflicts: k3s-selinux <= 0.4-1
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+%autosetup -Sgit %{name}-%{version}
+
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{defined no_user_namespace}
+sed -i '/user_namespace/d' container.te
+%endif
+
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
+%build
+make
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
+
+%pre
+%selinux_relabel_pre
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+. %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall %{modulenames} docker
+fi
+
+%posttrans
+%selinux_relabel_post
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%doc README.md
+%{_datadir}/selinux/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
+%dir %{_datadir}/udica/templates/
+%{_datadir}/udica/templates/*
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+ echo "Fixing Rootless SELinux labels in homedir"
+ %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null
+fi
+
+%changelog
+* Mon Feb 24 2025 Jindrich Novy - 4:2.235.0-1
+- update to https://github.com/containers/container-selinux/releases/tag/v2.235.0
+- Resolves: RHEL-80476
diff --git a/sources b/sources
new file mode 100644
index 0000000..1602c69
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (v2.235.0.tar.gz) = 5d422ffe69e994d2b30460bef39598ccac52d3607a23dd15e300374f1704c6e5883069aa74cb3b362b9545f4dd4e048b6e9893a6086cbba53e9d5f8185b2ffd2
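Review bot: In `%post`, `${SELINUXTYPE}` is expanded unguarded right after `. %{_sysconfdir}/selinux/config`; on a host whose config has no `SELINUXTYPE=` line (or where the file is absent and the `.` fails), the three `semodule -s ${SELINUXTYPE}` calls receive an empty store name and the `sed -i` path collapses to `/etc/selinux//contexts/customizable_types`, whose failure is not masked because only the semodule lines redirect stderr. The removed spec pinned the store with `%{selinuxtype}`; keeping the runtime detection but adding `SELINUXTYPE=${SELINUXTYPE:-targeted}` directly after the `.` line, and quoting `"${SELINUXTYPE}"` in the sed path, would stop the scriptlet from touching a non-existent or wrong store. Separately, `setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` persistently widens two booleans on first install with no comment on why a policy package picks those defaults; a line such as `# first install only: turn on NFS volume use and all-capability sandboxes by default (carried over from the previous spec)` above it would record the decision for the next packager.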