d4a3de2777
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/container-selinux.git#d362045995eba6ee93d769a581962a1668bb6bf9
769 lines
30 KiB
RPMSpec
769 lines
30 KiB
RPMSpec
%global debug_package %{nil}
|
|
|
|
# container-selinux
|
|
%global git0 https://github.com/containers/container-selinux
|
|
%global commit0 0ef47032047b6f93b1c113aafc40cbcb4e0cac3b
|
|
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
|
|
|
# container-selinux stuff (prefix with ds_ for version/release etc.)
|
|
# Some bits borrowed from the openstack-selinux package
|
|
%global selinuxtype targeted
|
|
%global moduletype services
|
|
%global modulenames container
|
|
|
|
# Usage: _format var format
|
|
# Expand 'modulenames' into various formats as needed
|
|
# Format must contain '$x' somewhere to do anything useful
|
|
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
|
|
|
|
# Hooked up to autobuilder, please check with @lsm5 before updating
|
|
Name: container-selinux
|
|
%if 0%{?fedora}
|
|
Epoch: 2
|
|
%endif
|
|
Version: 2.150.0
|
|
Release: 2.dev.git%{shortcommit0}%{?dist}
|
|
License: GPLv2
|
|
URL: %{git0}
|
|
Summary: SELinux policies for container runtimes
|
|
Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
|
BuildArch: noarch
|
|
BuildRequires: git
|
|
BuildRequires: pkgconfig(systemd)
|
|
BuildRequires: selinux-policy >= %_selinux_policy_version
|
|
BuildRequires: selinux-policy-devel >= %_selinux_policy_version
|
|
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
|
|
Requires: selinux-policy >= %_selinux_policy_version
|
|
Requires(post): selinux-policy-base >= %_selinux_policy_version
|
|
Requires(post): selinux-policy-targeted >= %_selinux_policy_version
|
|
Requires(post): policycoreutils
|
|
Requires(post): libselinux-utils
|
|
Requires(post): sed
|
|
Obsoletes: %{name} <= 2:1.12.5-13
|
|
Obsoletes: docker-selinux <= 2:1.12.4-28
|
|
Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
|
|
|
|
%description
|
|
SELinux policy modules for use with container runtimes.
|
|
|
|
%prep
|
|
%autosetup -Sgit -n %{name}-%{commit0}
|
|
|
|
%build
|
|
make
|
|
|
|
%install
|
|
# install policy modules
|
|
%_format MODULES $x.pp.bz2
|
|
install -d %{buildroot}%{_datadir}/selinux/packages
|
|
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
|
|
install -d %{buildroot}/%{_datadir}/containers/selinux
|
|
install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
|
|
|
|
%check
|
|
|
|
%pre
|
|
%selinux_relabel_pre -s %{selinuxtype}
|
|
|
|
%post
|
|
# Install all modules in a single transaction
|
|
if [ $1 -eq 1 ]; then
|
|
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
|
fi
|
|
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
|
|
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
|
|
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
|
|
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
|
|
%selinux_modules_install -s %{selinuxtype} $MODULES
|
|
. %{_sysconfdir}/selinux/config
|
|
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
|
|
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
|
|
|
|
%postun
|
|
if [ $1 -eq 0 ]; then
|
|
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
|
|
fi
|
|
|
|
%posttrans
|
|
%selinux_relabel_post -s %{selinuxtype}
|
|
|
|
#define license tag if not already defined
|
|
%{!?_licensedir:%global license %doc}
|
|
|
|
%files
|
|
%doc README.md
|
|
%{_datadir}/selinux/*
|
|
%dir %{_datadir}/containers/selinux
|
|
%{_datadir}/containers/selinux/contexts
|
|
# Currently shipped in selinux-policy-doc
|
|
#%%{_datadir}/man/man8/container_selinux.8.gz
|
|
|
|
# Hooked up to autobuilder, please check with @lsm5 before updating
|
|
%changelog
|
|
* Fri Oct 23 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.150.0-2.dev.git0ef4703
|
|
- bump to 2.150.0
|
|
- autobuilt 0ef4703
|
|
|
|
* Thu Oct 15 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.148.0-3.dev.git9b3b66f
|
|
- autobuilt 9b3b66f
|
|
|
|
* Wed Oct 14 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.148.0-2.dev.git3c361a2
|
|
- bump to 2.148.0
|
|
- autobuilt 3c361a2
|
|
|
|
* Mon Oct 12 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.147.0-2.dev.git9fb1698
|
|
- bump to 2.147.0
|
|
- autobuilt 9fb1698
|
|
|
|
* Thu Oct 8 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.146.0-2.dev.git2908536
|
|
- bump to 2.146.0
|
|
- autobuilt 2908536
|
|
|
|
* Thu Sep 10 18:12:36 UTC 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.145.0-2.dev.git464e922
|
|
- bump to 2.145.0
|
|
- autobuilt 464e922
|
|
|
|
* Mon Aug 31 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.144.0-5.dev.git5d929d4
|
|
- Resolves: #1797554 - use _selinux_policy_version macro
|
|
|
|
* Fri Aug 28 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.144.0-4.dev.git5d929d4
|
|
- Resolves: #1780129 - bump min selinux-policy
|
|
|
|
* Thu Aug 13 14:10:45 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.144.0-3.dev.git5d929d4
|
|
- autobuilt 5d929d4
|
|
|
|
* Wed Aug 12 15:10:04 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.144.0-2.dev.git746ea7a
|
|
- bump to 2.144.0
|
|
- autobuilt 746ea7a
|
|
|
|
* Wed Aug 05 22:10:34 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.143.0-2.dev.gite2d5a9e
|
|
- bump to 2.143.0
|
|
- autobuilt e2d5a9e
|
|
|
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.142.0-3.dev.gitfe6a25c
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
|
|
* Fri Jul 24 11:09:45 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.142.0-2.dev.gitfe6a25c
|
|
- bump to 2.142.0
|
|
- autobuilt fe6a25c
|
|
|
|
* Fri Jul 24 10:09:44 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.141.0-2.dev.git2750e78
|
|
- bump to 2.141.0
|
|
- autobuilt 2750e78
|
|
|
|
* Thu Jul 23 2020 Merlin Mathesius <mmathesi@redhat.com> - 2:2.140.0-2.dev.git965c7fb
|
|
- Cleanup usage of %%{epoch} macro to allow building for ELN
|
|
|
|
* Thu Jul 23 19:10:26 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.140.0-2.dev.git965c7fb
|
|
- bump to 2.140.0
|
|
- autobuilt 965c7fb
|
|
|
|
* Sat Jul 18 11:10:04 GMT 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.139.0-2.dev.git8c26927
|
|
- bump to 2.139.0
|
|
- autobuilt 8c26927
|
|
|
|
* Thu Jul 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.138.0-2.dev.git9884317
|
|
- bump to 2.138.0
|
|
- autobuilt 9884317
|
|
|
|
* Thu Jun 11 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.137.0-2.dev.git6b721da
|
|
- bump to 2.137.0
|
|
- autobuilt 6b721da
|
|
|
|
* Thu Jun 11 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.136.0-2.dev.git441172a
|
|
- bump to 2.136.0
|
|
- autobuilt 441172a
|
|
|
|
* Fri May 29 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.135.0-2.dev.git0d99e89
|
|
- bump to 2.135.0
|
|
- autobuilt 0d99e89
|
|
|
|
* Thu May 28 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.134.0-2.dev.gitff26015
|
|
- bump to 2.134.0
|
|
- autobuilt ff26015
|
|
|
|
* Mon May 11 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.132.0-3.dev.git0a878bd
|
|
- autobuilt 0a878bd
|
|
|
|
* Wed Apr 15 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.132.0-2.dev.git448dfbf
|
|
- bump to 2.132.0
|
|
- autobuilt 448dfbf
|
|
|
|
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.131.0-2.dev.git9ce0dac
|
|
- bump to 2.131.0
|
|
- autobuilt 9ce0dac
|
|
|
|
* Mon Apr 06 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.130.0-2.dev.gitfd55ae0
|
|
- bump to 2.130.0
|
|
- autobuilt fd55ae0
|
|
|
|
* Sun Mar 29 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.129.0-2.dev.gitf00d1f4
|
|
- bump to 2.129.0
|
|
- autobuilt f00d1f4
|
|
|
|
* Sun Mar 29 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.128.0-2.dev.git363646f
|
|
- bump to 2.128.0
|
|
- autobuilt 363646f
|
|
|
|
* Fri Mar 27 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.127.0-2.dev.git6caf15d
|
|
- bump to 2.127.0
|
|
- autobuilt 6caf15d
|
|
|
|
* Thu Mar 26 2020 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.126.0-2.dev.git867a377
|
|
- Install selinux contexts file into /usr/share/containers/selinux/contexts
|
|
|
|
* Thu Mar 26 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.126.0-2.dev.git867a377
|
|
- bump to 2.126.0
|
|
- autobuilt 867a377
|
|
|
|
* Mon Mar 23 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.125.2-2.dev.gitae0720d
|
|
- bump release tag
|
|
|
|
* Mon Mar 23 2020 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.125.2-1.dev.gitae0720d
|
|
- Install container_contexts file
|
|
|
|
* Mon Mar 23 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.125.0-3.1.dev.gitfde876b
|
|
- autobuilt fde876b
|
|
|
|
* Mon Mar 23 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.125.0-2.1.dev.gitb321ea4
|
|
- bump release tag for smooth upgrade path
|
|
|
|
* Fri Mar 20 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.125.0-0.1.dev.gitb321ea4
|
|
- bump to 2.125.0
|
|
- autobuilt b321ea4
|
|
|
|
* Tue Feb 11 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.124.0-4.dev.git5624558
|
|
- keep functional upgrade path from f31
|
|
|
|
* Tue Feb 11 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.124.0-0.4.dev.git5624558
|
|
- autobuilt 5624558
|
|
|
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.124.0-0.3.dev.gitf958d0c
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
|
|
* Fri Jan 03 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.124.0-0.2.dev.gitf958d0c
|
|
- use more current selinux policy version
|
|
|
|
* Wed Dec 11 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.124.0-0.1.dev.gitf958d0c
|
|
- bump to 2.124.0
|
|
- autobuilt f958d0c
|
|
|
|
* Mon Dec 09 2019 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.123.0-0.4.dev.git0b25a4a
|
|
- run selinux_relabel_pre
|
|
|
|
* Fri Nov 29 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.123.0-0.3.dev.git0b25a4a
|
|
- autobuilt 0b25a4a
|
|
|
|
* Fri Nov 29 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.123.0-0.2.dev.git661a904
|
|
- Use selinux macros in post install scripts
|
|
|
|
* Mon Nov 25 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.123.0-0.1.dev.git661a904
|
|
- bump to 2.123.0
|
|
- autobuilt 661a904
|
|
|
|
* Fri Nov 22 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.122.0-0.1.dev.git4560dd4
|
|
- bump to 2.122.0
|
|
- autobuilt 4560dd4
|
|
|
|
* Tue Nov 19 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.120.1-0.2.dev.gita233788
|
|
- autobuilt a233788
|
|
|
|
* Wed Nov 06 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.120.1-0.1.dev.git6fb6dcf
|
|
- bump to 2.120.1
|
|
- autobuilt 6fb6dcf
|
|
|
|
* Sun Oct 27 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.1-0.1.dev.git2ecb2a8
|
|
- bump to 2.119.1
|
|
- autobuilt 2ecb2a8
|
|
|
|
* Thu Oct 24 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.0-0.1.dev.gitb383f07
|
|
- bump to 2.119.0
|
|
- autobuilt b383f07
|
|
|
|
* Fri Oct 11 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.118.0-0.1.dev.git79bdcb5
|
|
- bump to 2.118.0
|
|
- autobuilt 79bdcb5
|
|
|
|
* Fri Sep 20 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.117.0-0.1.dev.gitbfde70a
|
|
- bump to 2.117.0
|
|
- autobuilt bfde70a
|
|
|
|
* Thu Sep 05 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.116.0-0.1.dev.gitc5ef5ac
|
|
- bump to 2.116.0
|
|
- autobuilt c5ef5ac
|
|
|
|
* Wed Aug 21 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.115.0-0.1.dev.gitfddfbbb
|
|
- bump to 2.115.0
|
|
- autobuilt fddfbbb
|
|
|
|
* Mon Aug 19 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.114.0-0.1.dev.git028ab00
|
|
- bump to 2.114.0
|
|
- autobuilt 028ab00
|
|
|
|
* Fri Aug 9 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.113-1
|
|
- Allow containers to name_bind to rawip_sockets.
|
|
|
|
* Thu Aug 8 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.112-1
|
|
- Allow containers to use fusefs_t entrypoint
|
|
- Dontaudit attempts to setattr on devicenodes.
|
|
|
|
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.111.0-3.1.dev.git9a75deb
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
|
|
* Thu Jul 18 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.111.0-2.1.dev.git9a75deb
|
|
- bump to 2.111.0
|
|
- autobuilt 9a75deb
|
|
|
|
* Wed Jul 10 2019 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2.110.0-1.1.dev.git544d71f
|
|
- bump to v2.110.0
|
|
- hook up to autobuild
|
|
|
|
* Mon Jul 8 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.109-1
|
|
- Allow containers to accept connections on all socket types
|
|
- Allow containers to connect to gssproxy stream sockets if added to container
|
|
|
|
* Fri Jun 14 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.107-1
|
|
- Allow containers to manipulate Onload files.
|
|
|
|
* Tue Jun 11 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.106-1
|
|
- Allow all unconfined domains to manage unlabeled keyrings
|
|
- Add labeling for kubernetes pods
|
|
|
|
* Mon Jun 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.104-1
|
|
- Set proper labeling for container volumes in SilverBlue
|
|
|
|
* Fri May 17 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.103-1
|
|
- Set proper labeling for container volumes
|
|
|
|
* Sun May 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.102-1
|
|
- Allow all container domains to be entered from container_file_t
|
|
|
|
* Fri May 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.101-1
|
|
- Allow containers to read rpm cache and rpm databse
|
|
|
|
* Tue Apr 23 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.100-1
|
|
- Allow containers running as spc_t to create unlabeled_t kernel keyrings
|
|
|
|
* Mon Apr 22 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.99-1
|
|
- Fix labeling on /var/lib/containers/storage/overlay-layers,images to be sharable.
|
|
|
|
* Mon Apr 15 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.98-1
|
|
- Allow iptables to append to container_file_t
|
|
|
|
* Fri Apr 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.97-1
|
|
- Allow containers to read/write sysctl_kernel_ns_last_pid_t
|
|
- Allow containers to manage fusefs sockets and named pipes
|
|
|
|
* Thu Apr 4 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.96-1
|
|
- Allow containers to read/write sysctl_kernel_ns_last_pid_t
|
|
|
|
* Mon Apr 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.95-1
|
|
- Allow containers to create fusefs sockets and named pipes
|
|
|
|
* Thu Mar 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.94-1
|
|
- Allow init_t to manage container content
|
|
- Allow container domains to create fifo_files on fusefs file systems
|
|
- Add boolean to allow containers to use ceph file systems
|
|
|
|
* Tue Mar 26 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.91-1
|
|
- Allow container runtimes to create unlabeled keyrings
|
|
|
|
* Wed Mar 20 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.90-1
|
|
- Allow containers to mount and umount fuse file systems. This will allow us
|
|
- to use buidlah within a user namespace separated container.
|
|
|
|
* Sat Mar 9 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.89-1
|
|
- Allow all container domains to have container file types entrypoint
|
|
- Add new release to fix issues with udica
|
|
- Allow container_runtime_t to dyntransition to container domains
|
|
|
|
* Sat Mar 09 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.89-5.git2521d0d
|
|
- bump to 2.89
|
|
- autobuilt 2521d0d
|
|
|
|
* Thu Mar 07 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.88-4.git5c98b56
|
|
- bump to 2.88
|
|
- autobuilt 5c98b56
|
|
|
|
* Wed Mar 06 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-3.git2c1a2ab
|
|
- autobuilt 2c1a2ab
|
|
|
|
* Sat Mar 02 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-2.git891a85f
|
|
- bump to 2.87
|
|
- autobuilt 891a85f
|
|
|
|
* Fri Mar 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.86-1
|
|
- Allow unconfined user and services to dyntrans to container domains, needed for CRIU
|
|
- Allow containers exectue hugetlb files.
|
|
|
|
* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.85-1
|
|
- More allow rules to allow containers to run within containers
|
|
|
|
* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.84-1
|
|
- More allow rules to allow containers to run within containers
|
|
|
|
* Tue Feb 26 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.82-2.git5e1f62f
|
|
- bump to 2.82
|
|
- autobuilt 5e1f62f
|
|
|
|
* Mon Feb 25 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.83-1
|
|
- Allow containers to mounton cgroup and container_file_t
|
|
|
|
* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1.nightly.git5e1f62f
|
|
- Allow confined users to use containers
|
|
|
|
* Fri Feb 08 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.80-3.git21c2be6
|
|
- bump to 2.80
|
|
- autobuilt 21c2be6
|
|
|
|
* Thu Feb 7 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.81-1
|
|
- Add new labels for paths for containerd
|
|
|
|
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.80-2.git1b655d9
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
|
|
* Tue Jan 22 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.80-1.nightly.git21c2be6
|
|
- Don't allow containers to talk to contianer runtime sockets
|
|
|
|
* Fri Jan 11 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.79-1
|
|
- Fix labeling on /var/lib/registries
|
|
|
|
* Thu Jan 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.78-1
|
|
- Fix labeling for images in docker daemon user namespace
|
|
|
|
* Mon Dec 17 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.77-1
|
|
- Allow container-runtime to setattr on fifo_file handed into container runtime.
|
|
|
|
* Tue Nov 13 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.752.75-1.dev.git99e2cfd1
|
|
- bump to 2.75
|
|
- autobuilt 99e2cfd
|
|
|
|
* Mon Nov 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.76-1
|
|
- Allow containers to sendto dgram socket of container runtimes
|
|
- Needed to run container runtimes in notify socket unit files.
|
|
|
|
* Tue Oct 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.75-1.dev.git99e2cfd
|
|
- Allow containers to use fuse file systems by default
|
|
|
|
* Fri Oct 19 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.74-1
|
|
- Allow containers to setexec themselves
|
|
|
|
* Sat Sep 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.73-2
|
|
- Remove requires for policycoreutils-python-utils we don't need it.
|
|
|
|
* Wed Sep 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.73-1
|
|
- Define spc_t as a container_domain, so that container_runtime will transition
|
|
to spc_t even when setup with nosuid.
|
|
|
|
* Wed Sep 12 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.72-1
|
|
- Allow container_runtimes to setattr on callers fifo_files
|
|
github.com/opencontainers/selinux
|
|
* Mon Aug 27 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.71-2
|
|
- Fix restorecon to not error on missing directory
|
|
|
|
* Wed Aug 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.71-1
|
|
- Allow unconfined_r to transition to system_r over container_runtime_exec_t
|
|
|
|
* Wed Aug 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.70-1
|
|
- Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
|
|
|
|
* Wed Jul 25 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-1
|
|
- dontaudit attempts to write to sysctl_kernel_t
|
|
|
|
* Wed Jul 18 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.68-2.gitc139a3d
|
|
- autobuilt c139a3d
|
|
|
|
* Mon Jul 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.67-1
|
|
- Add label for /var/lib/origin
|
|
- Add customizable_file_t to customizable_types
|
|
|
|
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.67-3.dev.git042f7cf
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
|
|
* Mon Jul 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-2.git042f7cf
|
|
- autobuilt 042f7cf
|
|
|
|
* Sat Jul 07 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.67-1.git0407867
|
|
- bump to 2.67
|
|
- autobuilt 0407867
|
|
|
|
* Sat Jun 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.66-1
|
|
- Allow container runtimes to dbus chat with systemd-resolved
|
|
|
|
* Tue Jun 12 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.64-1.gitdfaf8fd
|
|
- bump to 2.64
|
|
- autobuilt dfaf8fd
|
|
|
|
* Mon Jun 11 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.65-1
|
|
- Add new type to handle containers running with a non priv user in a userns
|
|
- allow containers to map all sockets
|
|
|
|
* Sun Jun 3 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.64-1.gitdfaf8fd
|
|
- Allow containers to create all socket classes
|
|
|
|
* Wed May 30 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.63-1
|
|
- Allow containers to create icmp packets
|
|
|
|
* Fri May 25 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.62-1.git1ecf953
|
|
- bump to 2.62
|
|
- autobuilt 1ecf953
|
|
|
|
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
|
|
- Allow spc_t to load kernel modules from inside of container
|
|
|
|
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
|
|
- Allow containers to list cgroup directories
|
|
|
|
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.59-1
|
|
- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.
|
|
|
|
* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-2
|
|
- Run restorecon /usr/bin/podman in postinstall
|
|
|
|
* Fri May 18 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-1
|
|
- Add labels to allow podman to be run from a systemd unit file
|
|
|
|
* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-12.gitd248f91
|
|
- autobuilt commit d248f91
|
|
|
|
* Tue Apr 17 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-11.gitd248f91
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-10.gitd248f91
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-9.gitd248f91
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-8
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-7
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 16 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-6
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-5
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 09 2018 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.55-4
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-3
|
|
- autobuilt commit d248f91
|
|
|
|
* Mon Apr 09 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.55-2
|
|
- autobuilt commit d248f91
|
|
|
|
* Thu Mar 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.55-1
|
|
- Dontaudit attempts by containers to write to /proc/self
|
|
|
|
* Wed Mar 14 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.54-1
|
|
- Add rules for container domains to make writing custom policy easier
|
|
- Allow shell_exec_t as a container_runtime_t entrypoint
|
|
|
|
* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.52-1
|
|
- Add rules for container domains to make writing custom policy easier
|
|
|
|
* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.51-1
|
|
- Allow shell_exec_t as a container_runtime_t entrypoint
|
|
|
|
* Wed Mar 7 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.50-1
|
|
- Allow bin_t as a container_runtime_t entrypoint
|
|
- Add rules for running container runtimes on mls
|
|
|
|
* Thu Feb 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.48-1
|
|
- Allow container domains to map container_file_t directories
|
|
|
|
* Sat Feb 10 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.47-1
|
|
- Change default label of /exports to container_var_lib_t
|
|
|
|
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2:2.46-3
|
|
- Escape macros in %%CHANGELOG
|
|
|
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.46-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
|
|
* Sat Feb 03 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.46-1
|
|
- Add support for nosuid_transition flags for container_runtime and unconfined domains
|
|
* Fri Feb 02 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.45-1
|
|
- Allow containers to sendto their own stream sockets
|
|
|
|
* Mon Jan 29 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.44-1
|
|
- Allow container domains to read kernel ipc info
|
|
|
|
* Mon Jan 22 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.43-1
|
|
- Allow containers to memory map the fifo_files leaked into container from
|
|
container runtimes.
|
|
|
|
* Tue Jan 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.42-1
|
|
- Allow unconfined domains to transition to container types, when no-new-privs is set.
|
|
|
|
* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.41-1
|
|
- Add support to nnp_transition for container domains
|
|
- Eliminates need for typebounds.
|
|
|
|
* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.40-1
|
|
- Allow container_runtime_t to use user ttys
|
|
- Fixes bounds check for container_t
|
|
|
|
* Mon Jan 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.39-1
|
|
- Allow container runtimes to use interited terminals. This helps
|
|
satisfy the bounds check of container_t versus container_runtime_t.
|
|
|
|
* Sat Jan 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.38-1
|
|
- Allow container runtimes to mmap container_file_t devices
|
|
- Add labeling for rhel push plugin
|
|
|
|
* Tue Dec 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.37-1
|
|
- Allow containers to use inherited ttys
|
|
- Allow ostree to handle labels under /var/lib/containers/ostree
|
|
|
|
* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.36-1
|
|
- Allow containers to relabelto/from all file types to container_file_t
|
|
|
|
* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.35-1
|
|
- Allow container to map chr_files labeled container_file_t
|
|
|
|
* Wed Nov 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.34-1
|
|
- Dontaudit container processes getattr on kernel file systems
|
|
|
|
* Sun Nov 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.33-1
|
|
- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
|
|
- mounted into container.
|
|
|
|
* Wed Nov 8 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.32-1
|
|
- Make sure users creating content in /var/lib with right labels
|
|
|
|
* Thu Oct 26 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.31-1
|
|
- Allow the container runtime to dbus chat with dnsmasq
|
|
- add dontaudit rules for container trying to write to /proc
|
|
|
|
* Tue Oct 10 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.29-1
|
|
- Add support for lxcd
|
|
- Add support for labeling of tmpfs storage created within a container.
|
|
|
|
* Mon Oct 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.28-1
|
|
- Allow a container to umount a container_file_t filesystem
|
|
|
|
* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.27-1
|
|
- Allow container runtimes to work with the netfilter sockets
|
|
- Allow container_file_t to be an entrypoint for VM's
|
|
- Allow spc_t domains to transition to svirt_t
|
|
|
|
* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
|
|
- Make sure container_runtime_t has all access of container_t
|
|
|
|
* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
|
|
- Allow container runtimes to create sockets in tmp dirs
|
|
|
|
* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
|
|
- Add additonal support for crio labeling.
|
|
|
|
* Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
|
|
- Fixup spec file conditionals
|
|
|
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.21-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
|
* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.21-1
|
|
- Allow containers to execmod on container_share_t files.
|
|
|
|
* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-2
|
|
- Relabel runc and crio executables
|
|
|
|
* Fri Jun 30 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-1
|
|
- Allow container processes to getsession
|
|
|
|
* Mon Jun 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.19-1
|
|
- Allow containers to create tun sockets
|
|
|
|
* Tue Jun 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.18-1
|
|
- Fix labeling for CRI-O files in overlay subdirs
|
|
|
|
* Mon Jun 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.17-1
|
|
- Revert change to run the container_runtime as ranged
|
|
|
|
* Thu Jun 1 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.16-1
|
|
- Add default labeling for cri-o in /etc/crio directories
|
|
|
|
* Wed May 31 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.15-1
|
|
- Allow container types to read/write container_runtime fifo files
|
|
- Allow a container runtime to mount on top of its own /proc
|
|
|
|
* Fri May 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.14-1
|
|
- Add labels for crio rename
|
|
- Break container_t rules out to use a separate container_domain
|
|
- Allow containers to be able to set namespaced SYCTLS
|
|
- Allow sandbox containers manage fuse files.
|
|
- Fixes to make container_runtimes work on MLS machines
|
|
- Bump version to allow handling of container_file_t filesystems
|
|
- Allow containers to mount, remount and umount container_file_t file systems
|
|
- Fixes to handle cap_userns
|
|
- Give container_t access to XFRM sockets
|
|
- Allow spc_t to dbus chat with init system
|
|
- Allow spc_t to dbus chat with init system
|
|
- Add rules to allow container runtimes to run with unconfined disabled
|
|
- Add rules to support cgroup file systems mounted into container.
|
|
- Fix typebounds entrypoint problems
|
|
- Fix typebounds problems
|
|
- Add typebounds statement for container_t from container_runtime_t
|
|
- We should only label runc not runc*
|
|
|
|
* Tue Feb 28 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.10-1
|
|
- Add rules to allow container runtimes to run with unconfined disabled
|
|
- Add rules to support cgroup file systems mounted into container.
|
|
|
|
* Mon Feb 13 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.9-1
|
|
- Add rules to allow container_runtimes to run with unconfined disabled
|
|
|
|
* Thu Feb 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:8.1-1
|
|
- Allow container_file_t to be stored on cgroup_t file systems
|
|
|
|
* Tue Feb 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:7.1-1
|
|
- Fix type in container interface file
|
|
|
|
* Mon Feb 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:6.1-1
|
|
- Fix typebounds entrypoint problems
|
|
|
|
* Fri Jan 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:5.1-1
|
|
- Fix typebounds problems
|
|
|
|
* Thu Jan 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:4.1-1
|
|
- Add typebounds statement for container_t from container_runtime_t
|
|
- We should only label runc not runc*
|
|
|
|
* Tue Jan 17 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:3.1-1
|
|
- Fix labeling on /usr/bin/runc.*
|
|
- Add sandbox_net_domain access to container.te
|
|
- Remove containers ability to look at /etc content
|
|
|
|
* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-4
|
|
- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
|
|
|
|
* Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
|
|
- properly disable docker module in %%post
|
|
|
|
* Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
|
|
- depend on selinux-policy-targeted
|
|
- relabel docker-latest* files as well
|
|
|
|
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-1
|
|
- bump to v2.2
|
|
- additional labeling for ocid
|
|
|
|
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-2
|
|
- install policy at level 200
|
|
- From: Dan Walsh <dwalsh@redhat.com>
|
|
|
|
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-1
|
|
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
|
|
standalone package)
|
|
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
|
|
|
|
* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:1.12.4-29
|
|
- new package (separated from docker)
|