3 changed files with 21 additions and 326 deletions
--- a/.container-selinux.metadata
+++ b/.container-selinux.metadata
@ -1 +1 @@
-949e88bb092d00e713fb0f022f717e4cb63156fa SOURCES/v2.221.0.tar.gz
+b1b7c2f65716bc8e5a7911494ea19c0792cc13ad SOURCES/container-selinux-f958d0c.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/v2.221.0.tar.gz
+SOURCES/container-selinux-f958d0c.tar.gz
--- a/SPECS/container-selinux.spec
+++ b/SPECS/container-selinux.spec
@ -2,6 +2,8 @@

 # container-selinux
 %global git0 https://github.com/containers/container-selinux
+%global commit0 f958d0cee4099f79890247ec64b57502b3acdb9f
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
@ -15,16 +17,16 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

 # Version of SELinux we were using
-%global selinux_policyver 38.1.2-1.el9
+%global selinux_policyver 3.14.3-9.el8

-Epoch: 3
+Epoch: 2
 Name: container-selinux
-Version: 2.221.0
-Release: 1%{?dist}
+Version: 2.124.0
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/v%{version}.tar.gz
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@ -46,28 +48,12 @@ Obsoletes: %{name} <= 2:1.12.5-14
 Obsoletes: docker-selinux <= 2:1.12.4-28
 Provides: docker-selinux = %{epoch}:%{version}-%{release}
 Provides: docker-engine-selinux = %{epoch}:%{version}-%{release}
-Conflicts: udica < 0.2.6-1

 %description
 SELinux policy modules for use with container runtimes.

 %prep
-%autosetup -Sgit
-
-# Remove some lines for RHEL 8 build
-%if ! 0%{?fedora} && 0%{?rhel} <= 8
-sed -i 's/watch watch_reads//' container.if
-sed -i '/sysfs_t:dir watch/d' container.te
-sed -i '/systemd_chat_resolved/d' container.te
-%endif
-
-sed -i 's/man: install-policy/man:/' Makefile
-sed -i 's/install: man/install:/' Makefile
-
-# https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
-sed -i '/user_namespace/d' container.te
-%endif
+%autosetup -Sgit -n %{name}-%{commit0}

 %build
 make
@ -77,12 +63,8 @@ make
 %_format MODULES $x.pp.bz2
 install -d %{buildroot}%{_datadir}/selinux/packages
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
-install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
+install -p -m 644 %{modulenames}.if %{buildroot}%{_datadir}/selinux/devel/include/services
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
-install -d %{buildroot}/%{_datadir}/containers/selinux
-install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-install -d %{buildroot}%{_datadir}/udica/templates
-install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates

 # remove spec file
 rm -rf %{name}.spec
@ -103,7 +85,7 @@ fi
 %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
 %selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
-sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :

 %postun
@ -111,12 +93,6 @@ if [ $1 -eq 0 ]; then
 %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
 fi

-%triggerpostun -- container-selinux < 3:2.162.1-3
-if %{_sbindir}/selinuxenabled ; then
-  echo "Fixing Rootless SELinux labels in homedir"
-  %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null || :
-fi
-
 %posttrans
 %selinux_relabel_post -s %{selinuxtype}

@ -126,304 +102,23 @@ fi
 %files
 %doc README.md
 %{_datadir}/selinux/*
-%dir %{_datadir}/containers/selinux
-%{_datadir}/containers/selinux/contexts
-%dir %{_datadir}/udica/templates/
-%{_datadir}/udica/templates/*
-

 %changelog
-* Tue Aug 15 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.221.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.221.0
- Related: #2176063
+* Thu Mar 26 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.124.0-1.gitf958d0c
+- update to 2.124.0
+- Resolves: #1816541

-* Mon Jul 03 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.219.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.219.0
- Related: #2176063
+* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.94-2.git1e99f1d
+- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- Resolves: #1766316, #1766215

-* Wed Jun 21 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.218.0-3
- rebuild
- Resolves: #2181174
-
-* Wed Jun 21 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.218.0-2
- rebuild
- Resolves: #2214567
- Resolves: #2214569
-
-* Thu Jun 08 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.218.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.218.0
- Related: #2176063
-
-* Tue Jun 06 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.217.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.217.0
- Related: #2176063
-
-* Fri Jun 02 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.216.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.216.0
- Related: #2176063
-
-* Wed May 24 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.215.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.215.0
- Related: #2176063
-
-* Mon May 15 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.213.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.213.0
- Related: #2176063
-
-* Wed May 03 2023 Lokesh Mandvekar <lsm5@redhat.com> - 3:2.211.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.211.1
- Related: #2176063
-
-* Mon Apr 24 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.211.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.211.0
- Related: #2176063
-
-* Tue Apr 11 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.210.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.210.0
- Related: #2176063
-
-* Mon Apr 03 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.209.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.209.0
- Related: #2176063
-
-* Fri Mar 24 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.206.0-2
- use conditionals from https://github.com/containers/container-selinux/blob/main/container-selinux.spec.rpkg
- Related: #2176063
-
-* Wed Mar 22 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.206.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.206.0
- Related: #2176063
-
-* Mon Mar 20 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.205.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.205.0
- remove user_namespace class, thanks to Lokesh Mandvekar
- Resolves: #2178990
-
-* Mon Jan 30 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.199.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.199.0
- Related: #2124478
-
-* Fri Jan 06 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.198.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.198.0
- Related: #2124478
-
-* Wed Jan 04 2023 Jindrich Novy <jnovy@redhat.com> - 3:2.197.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.197.0
- Related: #2124478
-
-* Thu Dec 15 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.195.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.195.1
- Related: #2124478
-
-* Mon Dec 05 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.193.0-2
- require at least selinux-policy-38.1.2-1.el9
- Resolves: #2150283
-
-* Mon Nov 28 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.193.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.193.0
- Related: #2124478
-
-* Mon Oct 31 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.191.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.191.0
- Related: #2124478
-
-* Tue Oct 18 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.190.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.190.0
- Related: #2124478
-
-* Fri Jul 15 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.189.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.189.0
- Related: #2061316
-
-* Mon Jun 27 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.188.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.188.0
- Related: #2061316
-
-* Wed May 25 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.187.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.187.0
- Related: #2061316
-
-* Tue Apr 19 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.183.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.183.0
- Related: #2061316
-
-* Thu Mar 24 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.181.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.181.0
- Related: #2061316
-
-* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.180.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.180.0
- Related: #2061316
-
-* Mon Feb 28 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.179.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.179.1
- Related: #2000051
-
-* Fri Feb 11 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.178.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.178.0
- Related: #2000051
-
-* Thu Feb 10 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.177.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.177.0
- Related: #2000051
-
-* Thu Feb 03 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.176.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.176.0
- Related: #2000051
-
-* Wed Feb 02 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.174.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.174.0
- Related: #2000051
-
-* Thu Jan 27 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.173.2-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.173.2
- Related: #2000051
-
-* Fri Jan 21 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.173.1-2
- update minimal selinux_policy dependency
- Related: #2000051
-
-* Wed Jan 19 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.173.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.173.1
- Related: #2000051
-
-* Wed Jan 12 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.173.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.173.0
- Related: #2000051
-
-* Fri Jan 07 2022 Jindrich Novy <jnovy@redhat.com> - 3:2.172.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.172.1
- Related: #2000051
-
-* Tue Nov 23 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.172.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.172.0
- Related: #2000051
-
-* Thu Nov 11 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.171.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.171.0
- Related: #2000051
-
-* Wed Oct 06 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.170.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.170.0
- Related: #2000051
-
-* Fri Oct 01 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.169.0-3
- perform only sanity/installability tests for now
- Related: #2000051
-
-* Wed Sep 29 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.169.0-2
- add gating.yaml
- Related: #2000051
-
-* Mon Sep 27 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.169.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.169.0
- Related: #2000051
-
-* Tue Sep 21 2021 Vit Mojzis <vmojzis@redhat.com> - 2:2.168.0-2
- Start shipping udica templates
- Related: #2000051
-
-* Tue Sep 14 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.168.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.168.0
- Related: #2000051
-
-* Fri Sep 03 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.167.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.167.0
- Related: #2000051
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3:2.164.2-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Tue Aug 03 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.164.2-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.164.2
- Related: #1970747
-
-* Mon Jul 19 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.164.1-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.164.1
- Related: #1970747
-
-* Wed Jun 23 2021 Jindrich Novy <jnovy@redhat.com> - 3:2.163.0-2
- add trigger to fix labels in users homedirs, before overlayfs
-  is supported by default for non root users
- Related: #1970747
-
-* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.163.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.163.0
- Related: #1970747
-
-* Fri Jun 11 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.162.2-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.162.2
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.160.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Wed Mar 31 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.160.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.160.0
-
-* Tue Mar 23 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.159.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.159.0
-
-* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.158.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.158.0
-
-* Wed Jan 20 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.156.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.156.0
-
-* Tue Jan 05 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.155.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.155.0
-
-* Mon Jan 04 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.154.0-0.2
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.154.0
-
-* Sun Dec 20 2020 Petr Šabata <contyk@redhat.com> - 2:2.151.0-1.1
- Minor bump for gcc11
-
-* Tue Nov 03 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.151.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.151.0
-
-* Fri Oct 23 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.150.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.150.0
-
-* Fri Sep 18 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.145.0-1
- update to
-  https://github.com/containers/container-selinux/releases/tag/v2.145.0
-
-* Thu Sep 17 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.144.0-2
- sync with rhel8-8.3.0
-
-* Thu Sep 17 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.144.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.144.0
- Related: #1821193
-
-* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.107-1
- Resolves: #1720654 - rebase to v2.107
-
-* Tue Apr 30 2019 Eduardo Santiago <santiago@redhat.com> - 2:2.99-3.git9a53d6c
- strip away fs_manage_fusefs_* to resolve build-time error
-
-* Tue Apr 23 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.99-2.git9a53d6c
- rebase
+* Thu Mar 28 2019 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.94-1.git1e99f1d
+- Resolves: #1690286 - bump to v2.94
+- Resolves: #1693806, #1689255

 * Mon Mar 11 2019 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.89-1.git2521d0d
 - bump to v2.89

-* Fri Mar 01 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.87-3.git891a85f
- fix fersion number
-
-* Fri Mar 01 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.75-2.git891a85f
- rebase
-
 * Tue Nov 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.75-1.git99e2cfd
 - bump to v2.75
 - built commit 99e2cfd