import osbuild-18-3.el8

2020-11-03 07:00:26 -05:00 · 2020-11-03 07:00:26 -05:00 · 4fb9ed8b5d
commit 4fb9ed8b5d
5 changed files with 385 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/osbuild-18.tar.gz
--- a/.osbuild.metadata
+++ b/.osbuild.metadata
@ -0,0 +1 @@
+9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz
--- a/SOURCES/no-floats-in-sources.patch
+++ b/SOURCES/no-floats-in-sources.patch
@ -0,0 +1,53 @@
+From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <obudai@redhat.com>
+Date: Thu, 25 Jun 2020 09:56:30 +0200
+Subject: [PATCH] sources/files: do not pass floats to --max-time
+
+curl uses strtod from the C standard library to convert the --max-time's value
+from string to double. However, this is what strtod expects:
+
+nonempty sequence of decimal digits optionally containing decimal-point
+character (as determined by the current C locale)
+
+Yeah, unfortunately, the decimal-point character is determined by the current
+C locale. For example, Czech and German locale uses a comma as the
+decimal-point character.
+
+For reasons I don't fully understand, Python thinks it's running on en_US
+locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the
+decimal-point character when converting float to string. However, as written
+before, curl fails to parse this because it expects comma.
+
+The fix I chose is simple: Use math.ceil, so only an integer can be passed to
+curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return
+an integer (and it does in Python 3.8) but the documentation is not 100% clear
+on this topic, so let's be paranoid and also convert it to int after the
+ceiling.
+---
+ sources/org.osbuild.files | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files
+index 42ff6ca..13ce9b8 100755
+--- a/sources/org.osbuild.files
+++ b/sources/org.osbuild.files
+@@ -17,6 +17,7 @@ import concurrent.futures
+ import glob
+ import itertools
+ import json
+import math
+ import os
+ import subprocess
+ import sys
+@@ -102,7 +103,7 @@ def fetch(url, checksum, directory):
+             curl_command = [
+                 "curl",
+                 "--silent",
+-                "--max-time", f"{300 - elapsed_time}",
+                "--max-time", f"{int(math.ceil(300 - elapsed_time))}",
+                 "--connect-timeout", "60",
+                 "--fail",
+                 "--location",
+-- 
+2.26.2
+
--- a/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
+++ b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
@ -0,0 +1,82 @@
+From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
+From: Christian Kellner <christian@kellner.me>
+Date: Sun, 9 Aug 2020 13:09:06 +0200
+Subject: [PATCH] selinux: allow nnp and nosuid transitions
+
+Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
+into setfiles_mac_t and install_t. nnp is a inheritable per-thread
+flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
+by execve(2) to not grant any new privileges that could not have
+been done without the execv call. This is on contrast to what can
+be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
+`install_t` can set arbitrary SELinux labels, but `osbuild_t`
+itself can not; but `osbuild_t` enables the transitioning of
+`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
+process with `osbuild_t`. Related, the nosuid mount flag, prevents
+the suid, sgid bits to be interpreted and thus are in the same
+spirit as nnp, i.e. no new privs during execve(2).
+
+Thus SELinux domain transitions stand in contrast with nnp and
+nosuid transitions, and have therefore been de-coupled. See also
+the corresponding kernel patch at [1] for more information.
+
+bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
+nnp flag, as well as the nosuid option for all bind-mounts. Since
+we no use bwrap to contain processes we need to allow the nnp and
+nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
+`install_t`.
+
+[1] https://patchwork.kernel.org/patch/9841441/
+---
+ selinux/osbuild.if | 19 +++++++++++++++++++
+ selinux/osbuild.te |  2 ++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/selinux/osbuild.if b/selinux/osbuild.if
+index 815c691..48d099f 100644
+--- a/selinux/osbuild.if
+++ b/selinux/osbuild.if
+@@ -93,3 +93,22 @@ interface(`osbuild_role',`
+ 	ps_process_pattern($2, osbuild_t)
+ 	allow $2 osbuild_t:process { signull signal sigkill };
+ ')
+
+########################################
+## <summary>
+##	osbuild nnp / nosuid transitions to domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to be allowed to transition into.
+## </summary>
+## </param>
+#
+interface(`osbuild_nnp_nosuid_trans',`
+	gen_require(`
+		type osbuild_t;
+		class process2 { nnp_transition nosuid_transition };
+	')
+
+	allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
+')
+diff --git a/selinux/osbuild.te b/selinux/osbuild.te
+index 1a5f98d..e4a0c7d 100644
+--- a/selinux/osbuild.te
+++ b/selinux/osbuild.te
+@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
+ # execute setfiles in the setfiles_mac domain
+ # when in the osbuild_t domain
+ seutil_domtrans_setfiles_mac(osbuild_t)
+osbuild_nnp_nosuid_trans(setfiles_mac_t)
+ 
+ # Allow sysadm and unconfined to run osbuild
+ optional_policy(`
+@@ -63,4 +64,5 @@ optional_policy(`
+ # allow transitioning to install_t (for ostree)
+ optional_policy(`
+ 	anaconda_domtrans_install(osbuild_t)
+	osbuild_nnp_nosuid_trans(install_t)
+ ')
+-- 
+2.26.2
+
--- a/SPECS/osbuild.spec
+++ b/SPECS/osbuild.spec
@ -0,0 +1,248 @@
+%global         forgeurl https://github.com/osbuild/osbuild
+%global         selinuxtype targeted
+
+Version:        18
+
+%forgemeta
+
+%global         pypi_name osbuild
+%global         pkgdir %{_prefix}/lib/%{pypi_name}
+
+Name:           %{pypi_name}
+Release:        3%{?dist}
+License:        ASL 2.0
+
+URL:            %{forgeurl}
+
+Source0:        %{forgesource}
+Patch0:         no-floats-in-sources.patch
+Patch1:         selinux-allow-nnp-and-nosuid-transitions.patch
+BuildArch:      noarch
+Summary:        A build system for OS images
+
+BuildRequires:  make
+BuildRequires:  python3-devel
+BuildRequires:  python3-docutils
+
+Requires:       bash
+Requires:       coreutils
+Requires:       curl
+Requires:       dnf
+Requires:       e2fsprogs
+Requires:       glibc
+Requires:       policycoreutils
+Requires:       qemu-img
+Requires:       systemd
+Requires:       systemd-container
+Requires:       tar
+Requires:       util-linux
+Requires:       python3-%{pypi_name} = %{version}-%{release}
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+# Turn off dependency generators for assemblers, runners and stages.
+# They run in a container, so there's no reason to generate dependencies
+# from them. As of 2020-03-25 this filters out python3.6 dependency generated
+# by rhel runner.
+%global __requires_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
+
+%{?python_enable_dependency_generator}
+
+%description
+A build system for OS images
+
+%package -n     python3-%{pypi_name}
+Summary:        %{summary}
+%{?python_provide:%python_provide python3-%{pypi_name}}
+
+%description -n python3-%{pypi_name}
+A build system for OS images
+
+%package        ostree
+Summary:        OSTree support
+Requires:       %{name} = %{version}-%{release}
+Requires:       ostree
+Requires:       rpm-ostree
+
+%description ostree
+Contains the necessary stages, assembler and source
+to build OSTree based images.
+
+%package        selinux
+Summary:        SELinux policies
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description    selinux
+Contains the necessary SELinux policies that allows
+osbuild to use labels unknown to the host inside the
+containers it uses to build OS artifacts.
+
+%prep
+%forgesetup
+%patch0 -p1
+%patch1 -p1
+
+%build
+%py3_build
+make man
+
+# SELinux
+make -f /usr/share/selinux/devel/Makefile osbuild.pp
+bzip2 -9 osbuild.pp
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+%py3_install
+
+mkdir -p %{buildroot}%{pkgdir}/stages
+install -p -m 0755 $(find stages -type f) %{buildroot}%{pkgdir}/stages/
+
+mkdir -p %{buildroot}%{pkgdir}/assemblers
+install -p -m 0755 $(find assemblers -type f) %{buildroot}%{pkgdir}/assemblers/
+
+mkdir -p %{buildroot}%{pkgdir}/runners
+install -p -m 0755 $(find runners -type f -or -type l) %{buildroot}%{pkgdir}/runners
+
+mkdir -p %{buildroot}%{pkgdir}/sources
+install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources
+
+# mount point for bind mounting the osbuild library
+mkdir -p %{buildroot}%{pkgdir}/osbuild
+
+# schemata
+mkdir -p %{buildroot}%{_datadir}/osbuild/schemas
+install -p -m 0755 $(find schemas/*.json) %{buildroot}%{_datadir}/osbuild/schemas
+ln -s %{_datadir}/osbuild/schemas %{buildroot}%{pkgdir}/schemas
+
+# documentation
+mkdir -p %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_mandir}/man5
+install -p -m 0644 -t %{buildroot}%{_mandir}/man1/ docs/*.1
+install -p -m 0644 -t %{buildroot}%{_mandir}/man5/ docs/*.5
+
+# SELinux
+install -D -m 644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} %{name}.pp.bz2
+install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_selinux.8
+
+%check
+exit 0
+# We have some integration tests, but those require running a VM, so that would
+# be an overkill for RPM check script.
+
+%files
+%license LICENSE
+%{_bindir}/osbuild
+%{_mandir}/man1/%{name}.1*
+%{_mandir}/man5/%{name}-manifest.5*
+%{_datadir}/osbuild/schemas
+%{pkgdir}
+# the following files are in the ostree sub-package
+%exclude %{pkgdir}/assemblers/org.osbuild.ostree.commit
+%exclude %{pkgdir}/sources/org.osbuild.ostree
+%exclude %{pkgdir}/stages/org.osbuild.ostree
+%exclude %{pkgdir}/stages/org.osbuild.rpm-ostree
+
+%files -n       python3-%{pypi_name}
+%license LICENSE
+%doc README.md NEWS.md
+%{python3_sitelib}/%{pypi_name}-*.egg-info/
+%{python3_sitelib}/%{pypi_name}/
+
+%files ostree
+%{pkgdir}/assemblers/org.osbuild.ostree.commit
+%{pkgdir}/sources/org.osbuild.ostree
+%{pkgdir}/stages/org.osbuild.ostree
+%{pkgdir}/stages/org.osbuild.rpm-ostree
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_selinux.8.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+
+%changelog
+* Thu Aug 13 2020 Christian Kellner <ckellner@redhat.com> - 18-3
+- Add patch to allow nnp and nosuid domain transitions
+  https://github.com/osbuild/osbuild/pull/495
+
+* Fri Jun 26 2020 Christian Kellner <ckellner@redhat.com> - 18-2
+- Add patch to not pass floats to curl in the files source
+  https://github.com/osbuild/osbuild/pull/459
+
+* Tue Jun 23 2020 Christian Kellner <ckellner@redhat.com> - 18-1
+- Upstream release 18
+- All RHEL runners now use platform-python.
+
+* Wed Jun 10 2020 Christian Kellner <ckellner@redhat.com> - 17-1
+- Upstream release 17
+- Add custom SELinux policy that lets osbuild set labels inside
+  the build root that are unknown to the host.
+
+* Thu Jun  4 2020 Christian Kellner <christian@kellner.me> - 16-1
+- Upstream release 16
+- Drop sources-fix-break-when-secrets-is-None.patch included in
+  osbuild-16.
+
+* Tue May 26 2020 Christian Kellner <ckellner@redhat.com> - 15-2
+- Add a patch to allow org.osbuild.files source in the new format
+  but without actually containing the secrets key.
+  Taken from merged PR: https://github.com/osbuild/osbuild/pull/416
+
+* Thu May 21 2020 Christian Kellner <ckellner@redhat.com> - 15-1
+- New upstream release 15
+- Drop draft4-validator.json patch, included in osbuild-15
+
+* Wed May 13 2020 Christian Kellner <ckellner@redhat.com> - 14-2
+- Add draft4-validator.json patch
+  python3-jsonschema in RHEL currently has version 2.6.0 which
+  has support validating up to and including draft4 of jsonschema.
+  See https://github.com/osbuild/osbuild/pull/394
+
+* Wed May 13 2020 Christian Kellner <ckellner@redhat.com> - 14-1
+- Upstream release 14
+- Install schemata to <datadir>/osbuild/schemas and include a
+  symlink to it in /usr/lib/osbuild/schemas
+- The directories /usr/lib/osbuild/{assemblers, stages}/osbuild
+  got removed. Changes to osbuild made them obsolete.
+
+* Wed Apr 15 2020 Christian Kellner <ckellner@redhat.com> - 12-1
+- Sync with Fedora and use upstream release 12
+- Specify the exact version in the 'python3-osbuild' requirement
+  to avoid the library and the main binary being out of sync.
+- osbuild-ostree sub-package with the necessary bits to create
+  OSTree based images
+- Turn off dependency generator for internal components
+- Add NEWS.md file with the release notes and man pages
+
+* Mon Dec 16 2019 Lars Karlitski <lars@karlitski.net> - 7-1
+- New upstream release
+
+* Sun Dec 1 2019 Tom Gundersen <teg@jklm.no> - 6-2
+- New upstream release
+
+* Thu Oct 24 2019 Lars Karlitski <lueberni@redhat.com> - 3-2
+- add gating infra and tests
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1-3
+- Rebuilt for Python 3.8
+
+* Mon Jul 29 2019 Martin Sehnoutka <msehnout@redhat.com> - 1-2
+- update upstream URL to the new Github organization
+
+* Wed Jul 17 2019 Martin Sehnoutka <msehnout@redhat.com> - 1-1
+- Initial package
				`@ -0,0 +1 @@`
				`9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz`