diff --git a/.gitignore b/.gitignore
index e69de29..d0d771d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/container-selinux-513572d.tar.gz
diff --git a/container-selinux.spec b/container-selinux.spec
new file mode 100644
index 0000000..7eb398c
--- /dev/null
+++ b/container-selinux.spec
@@ -0,0 +1,134 @@
+# modifying the dockerinit binary breaks the SHA1 sum check by docker
+%global __os_install_post %{_rpmconfigdir}/brp-compress
+
+# docker builds in a checksum of dockerinit into docker,
+# so stripping the binaries breaks docker
+%if 0%{?with_debug}
+# https://bugzilla.redhat.com/show_bug.cgi?id=995136#c12
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+# container-selinux
+%global git0 https://github.com/projectatomic/container-selinux
+%if 0%{?fedora}
+%global commit0 513572d0fff7899196d57721ed81577ee3dc8414
+%else
+%global commit0 a85092bf995b99f26b9be7103345805f846f647c
+%endif
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+# container-selinux stuff (prefix with ds_ for version/release etc.)
+# Some bits borrowed from the openstack-selinux package
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames container
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# Relabel files
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker &> /dev/null || :
+
+# Version of SELinux we were using
+%if 0%{?fedora} >= 22
+%global selinux_policyver 3.13.1-220
+%else
+%global selinux_policyver 3.13.1-39
+%endif
+
+Name: container-selinux
+%if 0%{?fedora} || 0%{?centos}
+Epoch: 2
+%endif
+Version: 2.0
+Release: 1%{?dist}
+License: GPLv2
+URL: %{git0}
+Summary: SELinux policies for container runtimes
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+BuildArch: noarch
+BuildRequires: git
+BuildRequires: pkgconfig(systemd)
+
+# RE: rhbz#1195804 - ensure min NVR for selinux-policy
+Requires: selinux-policy >= %{selinux_policyver}
+
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): policycoreutils
+%if 0%{?fedora}
+Requires(post): policycoreutils-python-utils
+%else
+Requires(post): policycoreutils-python
+%endif
+Requires(post): libselinux-utils
+Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: docker-selinux <= 2:1.12.4-28
+Provides: docker-selinux = %{epoch}:%{version}-%{release}
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+%autosetup -Sgit -n %{name}-%{commit0}
+
+%build
+make
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
+install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
+install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+
+# remove %%{repo}-selinux rpm spec file
+rm -rf container-selinux.spec
+
+%check
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES -X 100 -d docker -X 200 -d docker -X 400 -d docker -X 100 -d gear -X 200 -d gear -X 400 -d gear 2>&1 | grep -v docker
+if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+ %relabel_files
+ if [ $1 -eq 1 ]; then
+ restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
+ fi
+fi
+
+%postun
+if [ $1 -eq 0 ]; then
+%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
+if %{_sbindir}/selinuxenabled ; then
+%{_sbindir}/load_policy
+%relabel_files
+fi
+fi
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%doc README.md
+%{_datadir}/selinux/*
+
+%changelog
+* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.0-1
+- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
+standalone package)
+- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
+
+* Mon Dec 19 2016 Lokesh Mandvekar - 2:1.12.4-29
+- new package (separated from docker)
diff --git a/sources b/sources
index e69de29..847f00c 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (container-selinux-513572d.tar.gz) = b7510210a2d05a490f126df4a4452cc97871f24c7b72ce6f6bab5316ffa9b5bb9ca2a7b7f66bb94bc416b8da0f926e2ffb7c70f8b60c6b7db1d4556ad7b80822
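Review bot: In %post, `%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES ... 2>&1 | grep -v docker` throws away semodule's exit status: the pipeline reports grep's result and stderr is folded into the filtered stream, so a container module that fails to install goes unnoticed and the scriptlet proceeds to `load_policy` and `%relabel_files` as if it had succeeded. If the filter is only there to silence the messages the `-d docker` switches presumably produce when no docker module is present, keep it but inspect the first stage, e.g. `rc=${PIPESTATUS[0]}` (only valid if the scriptlet shell is bash — rpm invokes /bin/sh) and print a warning on non-zero, or drop `2>&1` so genuine errors still reach the installer's output. The `setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` run on first install also relaxes what sandboxed containers are allowed to do, and nothing in the spec says why the package turns these booleans on by default; a line such as `# set on fresh install to match the defaults previously shipped by docker-selinux (confirm)` above it would let the next maintainer judge whether that is still wanted. As a point of style, %postun's body is flush left while %post's is indented; indenting both the same way makes the two scriptlets easier to compare.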