Commit Graph

135 Commits

Author SHA1 Message Date
Daniel J Walsh
91cc6aa535 Allow containers to create all socket classes 2018-06-03 06:09:33 -04:00
Daniel J Walsh
71d8662692 Allow containers to create icmp packets 2018-05-30 11:10:00 -04:00
Lokesh Mandvekar (Bot)
c2346462ef container-selinux-2:2.62-1.git1ecf953
- bump to 2.62
- autobuilt 1ecf953

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-05-25 18:35:07 +00:00
Daniel J Walsh
25c4cb361a Allow spc_t to load kernel modules from inside of container 2018-05-21 17:13:15 -04:00
Daniel J Walsh
59df2c8753 Allow containers to list cgroup directories 2018-05-21 13:19:17 -04:00
Daniel J Walsh
2be9204393 Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. 2018-05-21 12:49:37 -04:00
Daniel J Walsh
cbb3d2bf04 Run restorecon /usr/bin/podman in postinstall 2018-05-21 11:03:42 -04:00
Daniel J Walsh
1f65dab452 Add labels to allow podman to be run from a systemd unit file 2018-05-18 11:53:51 -04:00
Lokesh Mandvekar (Bot)
cbb99afa99 container-selinux-2:2.55-12.gitd248f91
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-17 18:32:42 +00:00
Lokesh Mandvekar (Bot)
68364ba992 container-selinux-2:2.55-11.gitd248f91
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-17 17:53:26 +00:00
Lokesh Mandvekar
e87f128825 correct Source0 if centos
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-16 15:59:39 -04:00
Lokesh Mandvekar (Bot)
654515c525 container-selinux-2:2.55-10.gitd248f91
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-16 19:10:54 +00:00
Lokesh Mandvekar (Bot)
6d73abcf30 container-selinux-2:2.55-9.gitd248f91
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-16 14:49:04 +00:00
Lokesh Mandvekar
7506926843 add shortcommit0 in release string
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-15 23:42:42 -04:00
Lokesh Mandvekar (Bot)
95b2b1d800 container-selinux-2:2.55-8
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-16 03:31:26 +00:00
Lokesh Mandvekar (Bot)
357bc56e2f container-selinux-2:2.55-7
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-16 03:21:09 +00:00
Lokesh Mandvekar (Bot)
03bdc46668 container-selinux-2:2.55-6
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-16 02:57:50 +00:00
Lokesh Mandvekar (Bot)
e49a7cae6a container-selinux-2:2.55-5
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-09 19:29:53 +00:00
Lokesh Mandvekar (Bot)
af36061d14 container-selinux-2:2.55-4
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org>
2018-04-09 15:30:25 +00:00
Lokesh Mandvekar
7c61638200 container-selinux-2:2.55-3
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-09 07:56:05 -04:00
Lokesh Mandvekar
c9ddfc8c4a change case cause it messes up my autobuilder script :D
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-09 07:55:39 -04:00
Lokesh Mandvekar
802379f601 container-selinux-
- autobuilt commit d248f91

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-09 07:50:15 -04:00
Lokesh Mandvekar
4c7ed6951b packaging changes for centos v/s fedora
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2018-04-09 07:47:49 -04:00
Daniel J Walsh
c46266a878 Dontaudit attempts by containers to write to /proc/self 2018-03-15 07:14:36 -04:00
Daniel J Walsh
37b78d28ce Add rules for container domains to make writing custom policy easier
Allow shell_exec_t as a container_runtime_t entrypoint
2018-03-14 09:39:06 -04:00
Daniel J Walsh
69afd19c0a Add rules for container domains to make writing custom policy easier 2018-03-08 14:33:17 +00:00
Daniel J Walsh
b658aee2f1 Allow shell_exec_t as a container_runtime_t entrypoint 2018-03-08 07:54:07 +00:00
Daniel J Walsh
5a5bf66b86 Allow bin_t as a container_runtime_t entrypoint
Add rules for running container runtimes on mls
2018-03-07 05:59:10 +00:00
Daniel J Walsh
9a7a65d0b5 Allow container domains to map container_file_t directories 2018-02-15 12:55:50 -05:00
Daniel J Walsh
f8193b5e32 Change default label of /exports to container_var_lib_t 2018-02-10 07:18:48 -05:00
Igor Gnatenko
a7071bc06f Escape macros in %changelog
Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-09 09:04:17 +01:00
Fedora Release Engineering
07b6801caf - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-07 05:40:38 +00:00
Daniel J Walsh
3b45b2783a Add support for nosuid_transition flags for container_runtime and unconfined domains 2018-02-03 06:17:13 -05:00
Daniel J Walsh
1b20654010 Allow containers to sendto their own stream sockets 2018-02-02 13:40:54 -05:00
Daniel J Walsh
5b2867045c Allow container domains to read kernel ipc info 2018-01-29 06:58:52 +01:00
Daniel J Walsh
a7ce3135c2 Allow containers to memory map the fifo_files leaked into container from
container runtimes.
2018-01-22 09:40:35 -05:00
Daniel J Walsh
a4c374a14d Allow unconfined domains to transition to container types, when no-new-privs is set. 2018-01-16 13:56:33 -05:00
Daniel J Walsh
15578313e4 Add support to nnp_transition for container domains
Eliminates need for typebounds.
2018-01-09 11:47:20 -05:00
Daniel J Walsh
a8518096d5 Allow container_runtime_t to use user ttys
Fixes bounds check for container_t
2018-01-09 09:30:05 -05:00
Daniel J Walsh
64fe9d8cb1 Allow container runtimes to use inherited terminals. This helps
satisfy the bounds check of container_t versus container_runtime_t.
2018-01-08 08:41:05 -05:00
Daniel J Walsh
98e715e396 Allow container runtimes to mmap container_file_t devices
Add labeling for rhel push plugin
2018-01-06 07:34:20 -05:00
Daniel J Walsh
aaa91fd2cc Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/container-selinux 2017-12-12 13:11:36 +00:00
Daniel J Walsh
e0502dafa3 Allow containers to use inherited ttys
Allow ostree to handle labels under /var/lib/containers/ostree
2017-12-12 13:11:14 +00:00
Lokesh Mandvekar
0ce8700159 remove git from builddep
can't find git in the module ecosystem and git isn't critical for
package build.

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-12-03 21:38:21 -05:00
Daniel J Walsh
7f79cfab64 Allow containers to relabelto/from all file types to container_file_t 2017-11-27 14:57:52 +00:00
Daniel J Walsh
751a4e3fee Allow container to map chr_files labeled container_file_t 2017-11-27 14:43:49 +00:00
Daniel J Walsh
8ed545a6c5 Allow container to map chr_files labeled container_file_t 2017-11-27 13:21:48 +00:00
Daniel J Walsh
4e9b7c333a Dontaudit container processes getattr on kernel file systems 2017-11-22 15:35:20 +00:00
Daniel J Walsh
cc32bab0b3 Allow containers to read /etc/resolv.conf and /etc/hosts if volume
mounted into container.
2017-11-19 11:41:27 +00:00
Daniel J Walsh
be0a39a792 Make sure users creating content in /var/lib with right labels 2017-11-08 21:10:33 +00:00
Daniel J Walsh
31963a3bb5 Allow the container runtime to dbus chat with dnsmasq
add dontaudit rules for container trying to write to /proc
2017-10-26 11:38:02 +00:00
Daniel J Walsh
b99f18b8ce Add support for lxcd
Add support for labeling of tmpfs storage created within a container.
2017-10-10 16:17:55 +00:00
Daniel J Walsh
ecb1760cbb Allow a container to umount a container_file_t filesystem 2017-10-09 13:29:39 +00:00
Daniel J Walsh
5a61b6808a Allow container runtimes to work with the netfilter sockets
Allow container_file_t to be an entrypoint for VM's
Allow spc_t domains to transition to svirt_t
2017-10-04 09:10:48 +00:00
Daniel J Walsh
c6e706af6d Make sure container_runtime_t has all access of container_t 2017-09-22 11:08:40 +00:00
Daniel J Walsh
b74f4a298b Allow container runtimes to create sockets in tmp dirs 2017-09-07 08:43:48 +00:00
Daniel J Walsh
1aad223080 Add additional support for crio labeling. 2017-09-05 20:40:09 +00:00
Troy Dawson
9a3633bb6b Fixup spec file conditionals 2017-08-14 13:16:08 -07:00
Fedora Release Engineering
5cb66e7ed3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 05:26:19 +00:00
Daniel J Walsh
bb6875d358 Allow containers to execmod on container_share_t files. 2017-07-11 17:36:41 +00:00
Daniel J Walsh
852a09a52f Relabel runc and crio executables 2017-07-06 10:47:14 +00:00
Daniel J Walsh
ef7772c664 Allow container processes to getsession 2017-06-30 15:53:25 +00:00
Daniel J Walsh
fbb3cfcf9a Allow containers to create tun sockets 2017-06-12 18:13:46 +00:00
Daniel J Walsh
35b5399d15 Fix labeling for CRI-O files in overlay subdirs 2017-06-06 19:28:56 +00:00
Daniel J Walsh
590defb1b5 Revert change to run the container_runtime as ranged 2017-06-05 20:10:25 +00:00
Daniel J Walsh
4868764a43 Add default labeling for cri-o in /etc/crio directories 2017-06-01 21:47:32 +00:00
Daniel J Walsh
379ddc4b04 Allow container types to read/write container_runtime fifo files
Allow a container runtime to mount on top of its own /proc
2017-05-31 12:28:03 +00:00
Dan Walsh
ed21ef74dc Add labels for crio rename
Break container_t rules out to use a separate container_domain
Allow containers to be able to set namespaced SYSCTLS
Allow sandbox containers manage fuse files.
Fixes to make container_runtimes work on MLS machines
Bump version to allow handling of container_file_t filesystems
Allow containers to mount, remount and umount container_file_t file systems
Fixes to handle cap_userns
Give container_t access to XFRM sockets
Allow spc_t to dbus chat with init system
Allow spc_t to dbus chat with init system
Add rules to allow container runtimes to run with unconfined disabled
Add rules to support cgroup file systems mounted into container.
Fix typebounds entrypoint problems
Fix typebounds problems
Add typebounds statement for container_t from container_runtime_t
We should only label runc not runc*
2017-05-19 07:19:44 -04:00
Daniel J Walsh
d6c9f15f16 Add rules to allow container runtimes to run with unconfined disabled
Add rules to support cgroup file systems mounted into container.
2017-02-28 13:47:46 -05:00
Daniel J Walsh
4e04f9adef Add rules to allow container_runtimes to run with unconfined disabled 2017-02-13 05:33:06 -08:00
Daniel J Walsh
e6af9053a7 Allow container_file_t to be stored on cgroup_t file systems 2017-02-09 08:59:37 -05:00
Daniel J Walsh
afcdd30e26 Fix type in container interface file 2017-02-07 09:24:46 -05:00
Daniel J Walsh
761ca4f112 Fix typebounds entrypoint problems 2017-02-06 10:28:33 -05:00
Daniel J Walsh
a2fe41cd44 Fix typebounds problems 2017-01-27 13:15:25 +01:00
Daniel J Walsh
3fcf74cdce Fix typebounds problems 2017-01-27 13:14:10 +01:00
Daniel J Walsh
c06c926b64 Add typebounds statement for container_t from container_runtime_t
We should only label runc not runc*
2017-01-19 12:00:49 -05:00
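The typebounds commits just above (c06c926b64, 761ca4f112, a2fe41cd44) and the later nnp_transition / nosuid_transition commits higher on this page (15578313e4, a4c374a14d, 3b45b2783a) are two ways of letting container_runtime_t transition into container_t when the caller has set no_new_privs. The fragment below is an added illustration in SELinux policy language, written for this page; it is not the package's own container.te, and the rule bodies are assumptions about the general mechanism rather than copies of the shipped policy.

```selinux
# Bounded-transition approach (the typebounds commits). The kernel only
# permits a domain transition under no_new_privs when the new domain is
# bounded by the current one. Bounding means container_t may hold no
# permission that container_runtime_t lacks, which is why several commits
# on this page grant container_runtime_t access purely to satisfy the
# "bounds check" (inherited ttys, user ttys, container_file_t mmap, ...).
typebounds container_runtime_t container_t;

# Explicit-permission approach (the nnp_transition commits). Kernels that
# define the process2 class accept these two permissions as an alternative
# to the bounds relationship: nnp_transition covers callers that set
# PR_SET_NO_NEW_PRIVS, nosuid_transition covers execution from a nosuid
# mount. No subset relationship between the two domains is required, so
# container_t can be stripped of runtime-only access without breaking the
# transition. On older kernels without process2 this rule is inert and
# the typebounds line is still what makes the transition work.
allow container_runtime_t container_t:process2 { nnp_transition nosuid_transition };
```

When auditing a policy module that carries both statements, remember that the typebounds line is the stronger constraint: as long as it is present, every allow rule added for container_t must be mirrored for container_runtime_t or the module will fail to load with a bounds violation.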
Daniel J Walsh
6c8c18196a Fix labeling on /usr/bin/runc.*
Add sandbox_net_domain access to container.te
Remove containers ability to look at /etc content
2017-01-18 08:20:57 -05:00
Daniel J Walsh
c8e82ceefa Fix labeling on /usr/bin/runc.*
Add sandbox_net_domain access to container.te
Remove containers ability to look at /etc content
2017-01-17 17:10:15 -05:00
Lokesh Mandvekar
dc5c3985ab container-selinux-2:2.2-4
- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-11 12:13:04 -05:00
Jonathan Lebon
6028ccc721 container-selinux-2:2.2-3 2017-01-10 13:39:03 -05:00
Lokesh Mandvekar
8602eba442 container-selinux-2:2.2-2
- depend on selinux-policy-targeted
- relabel docker-latest* files as well

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-07 14:34:01 -05:00
Lokesh Mandvekar
98c88e3954 container-selinux-2:2.2-1
- bump to v2.2
- additional labeling for ocid

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-06 16:29:04 -05:00
Lokesh Mandvekar
57ea4c4351 container-selinux-2:2.0-2
- install policy at level 200

From: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-06 15:41:09 -05:00
Daniel J Walsh
85f5b33ced Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
standalone package)
include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
2017-01-06 15:21:04 -05:00
Lokesh Mandvekar
7fa12a4c94 container-selinux-2:2.0-1
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
standalone package)
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-06 14:34:31 -05:00