import osbuild-27.2-1.el8
This commit is contained in:
CentOS Sources
parent
4fb9ed8b5d
commit
83e4dab508
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/osbuild-18.tar.gz
|
||||
SOURCES/osbuild-27.2.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz
|
||||
781efd5f4d96e25059c002a7e998429b9d682d03 SOURCES/osbuild-27.2.tar.gz
|
||||
|
||||
@ -1,53 +0,0 @@
|
||||
From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <obudai@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 09:56:30 +0200
|
||||
Subject: [PATCH] sources/files: do not pass floats to --max-time
|
||||
|
||||
curl uses strtod from the C standard library to convert the --max-time's value
|
||||
from string to double. However, this is what strtod expects:
|
||||
|
||||
nonempty sequence of decimal digits optionally containing decimal-point
|
||||
character (as determined by the current C locale)
|
||||
|
||||
Yeah, unfortunately, the decimal-point character is determined by the current
|
||||
C locale. For example, Czech and German locale uses a comma as the
|
||||
decimal-point character.
|
||||
|
||||
For reasons I don't fully understand, Python thinks it's running on en_US
|
||||
locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the
|
||||
decimal-point character when converting float to string. However, as written
|
||||
before, curl fails to parse this because it expects comma.
|
||||
|
||||
The fix I chose is simple: Use math.ceil, so only an integer can be passed to
|
||||
curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return
|
||||
an integer (and it does in Python 3.8) but the documentation is not 100% clear
|
||||
on this topic, so let's be paranoid and also convert it to int after the
|
||||
ceiling.
|
||||
---
|
||||
sources/org.osbuild.files | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files
|
||||
index 42ff6ca..13ce9b8 100755
|
||||
--- a/sources/org.osbuild.files
|
||||
+++ b/sources/org.osbuild.files
|
||||
@@ -17,6 +17,7 @@ import concurrent.futures
|
||||
import glob
|
||||
import itertools
|
||||
import json
|
||||
+import math
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
@@ -102,7 +103,7 @@ def fetch(url, checksum, directory):
|
||||
curl_command = [
|
||||
"curl",
|
||||
"--silent",
|
||||
- "--max-time", f"{300 - elapsed_time}",
|
||||
+ "--max-time", f"{int(math.ceil(300 - elapsed_time))}",
|
||||
"--connect-timeout", "60",
|
||||
"--fail",
|
||||
"--location",
|
||||
--
|
||||
2.26.2
|
||||
|
||||
@ -1,82 +0,0 @@
|
||||
From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Kellner <christian@kellner.me>
|
||||
Date: Sun, 9 Aug 2020 13:09:06 +0200
|
||||
Subject: [PATCH] selinux: allow nnp and nosuid transitions
|
||||
|
||||
Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
|
||||
into setfiles_mac_t and install_t. nnp is a inheritable per-thread
|
||||
flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
|
||||
by execve(2) to not grant any new privileges that could not have
|
||||
been done without the execv call. This is on contrast to what can
|
||||
be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
|
||||
`install_t` can set arbitrary SELinux labels, but `osbuild_t`
|
||||
itself can not; but `osbuild_t` enables the transitioning of
|
||||
`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
|
||||
process with `osbuild_t`. Related, the nosuid mount flag, prevents
|
||||
the suid, sgid bits to be interpreted and thus are in the same
|
||||
spirit as nnp, i.e. no new privs during execve(2).
|
||||
|
||||
Thus SELinux domain transitions stand in contrast with nnp and
|
||||
nosuid transitions, and have therefore been de-coupled. See also
|
||||
the corresponding kernel patch at [1] for more information.
|
||||
|
||||
bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
|
||||
nnp flag, as well as the nosuid option for all bind-mounts. Since
|
||||
we no use bwrap to contain processes we need to allow the nnp and
|
||||
nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
|
||||
`install_t`.
|
||||
|
||||
[1] https://patchwork.kernel.org/patch/9841441/
|
||||
---
|
||||
selinux/osbuild.if | 19 +++++++++++++++++++
|
||||
selinux/osbuild.te | 2 ++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/selinux/osbuild.if b/selinux/osbuild.if
|
||||
index 815c691..48d099f 100644
|
||||
--- a/selinux/osbuild.if
|
||||
+++ b/selinux/osbuild.if
|
||||
@@ -93,3 +93,22 @@ interface(`osbuild_role',`
|
||||
ps_process_pattern($2, osbuild_t)
|
||||
allow $2 osbuild_t:process { signull signal sigkill };
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## osbuild nnp / nosuid transitions to domain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to be allowed to transition into.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`osbuild_nnp_nosuid_trans',`
|
||||
+ gen_require(`
|
||||
+ type osbuild_t;
|
||||
+ class process2 { nnp_transition nosuid_transition };
|
||||
+ ')
|
||||
+
|
||||
+ allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
|
||||
+')
|
||||
diff --git a/selinux/osbuild.te b/selinux/osbuild.te
|
||||
index 1a5f98d..e4a0c7d 100644
|
||||
--- a/selinux/osbuild.te
|
||||
+++ b/selinux/osbuild.te
|
||||
@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
|
||||
# execute setfiles in the setfiles_mac domain
|
||||
# when in the osbuild_t domain
|
||||
seutil_domtrans_setfiles_mac(osbuild_t)
|
||||
+osbuild_nnp_nosuid_trans(setfiles_mac_t)
|
||||
|
||||
# Allow sysadm and unconfined to run osbuild
|
||||
optional_policy(`
|
||||
@@ -63,4 +64,5 @@ optional_policy(`
|
||||
# allow transitioning to install_t (for ostree)
|
||||
optional_policy(`
|
||||
anaconda_domtrans_install(osbuild_t)
|
||||
+ osbuild_nnp_nosuid_trans(install_t)
|
||||
')
|
||||
--
|
||||
2.26.2
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
%global forgeurl https://github.com/osbuild/osbuild
|
||||
%global selinuxtype targeted
|
||||
|
||||
Version: 18
|
||||
Version: 27.2
|
||||
|
||||
%forgemeta
|
||||
|
||||
@ -9,14 +9,12 @@ Version: 18
|
||||
%global pkgdir %{_prefix}/lib/%{pypi_name}
|
||||
|
||||
Name: %{pypi_name}
|
||||
Release: 3%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: ASL 2.0
|
||||
|
||||
URL: %{forgeurl}
|
||||
|
||||
Source0: %{forgesource}
|
||||
Patch0: no-floats-in-sources.patch
|
||||
Patch1: selinux-allow-nnp-and-nosuid-transitions.patch
|
||||
BuildArch: noarch
|
||||
Summary: A build system for OS images
|
||||
|
||||
@ -25,6 +23,7 @@ BuildRequires: python3-devel
|
||||
BuildRequires: python3-docutils
|
||||
|
||||
Requires: bash
|
||||
Requires: bubblewrap
|
||||
Requires: coreutils
|
||||
Requires: curl
|
||||
Requires: dnf
|
||||
@ -33,20 +32,34 @@ Requires: glibc
|
||||
Requires: policycoreutils
|
||||
Requires: qemu-img
|
||||
Requires: systemd
|
||||
Requires: systemd-container
|
||||
Requires: tar
|
||||
Requires: util-linux
|
||||
Requires: python3-%{pypi_name} = %{version}-%{release}
|
||||
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||
|
||||
# Turn off dependency generators for assemblers, runners and stages.
|
||||
# They run in a container, so there's no reason to generate dependencies
|
||||
# from them. As of 2020-03-25 this filters out python3.6 dependency generated
|
||||
# by rhel runner.
|
||||
%global __requires_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
|
||||
# Turn off dependency generators for runners. The reason is that runners are
|
||||
# tailored to the platform, e.g. on RHEL they are using platform-python. We
|
||||
# don't want to pick up those dependencies on other platform.
|
||||
%global __requires_exclude_from ^%{pkgdir}/(runners)/.*$
|
||||
|
||||
# Turn off shebang mangling on RHEL. brp-mangle-shebangs (from package
|
||||
# redhat-rpm-config) is run on all executables in a package after the `install`
|
||||
# section runs. The below macro turns this behavior off for:
|
||||
# - runners, because they already have the correct shebang for the platform
|
||||
# they're meant for, and
|
||||
# - stages and assemblers, because they are run within osbuild build roots,
|
||||
# which are not required to contain the same OS as the host and might thus
|
||||
# have a different notion of "platform-python".
|
||||
# RHEL NB: Since assemblers and stages are not excluded from the dependency
|
||||
# generator, this also means that an additional dependency on /usr/bin/python3
|
||||
# will be added. This is intended and needed, so that in the host build root
|
||||
# /usr/bin/python3 is present so stages and assemblers can be run.
|
||||
%global __brp_mangle_shebangs_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
|
||||
|
||||
|
||||
%{?python_enable_dependency_generator}
|
||||
|
||||
|
||||
%description
|
||||
A build system for OS images
|
||||
|
||||
@ -81,8 +94,6 @@ containers it uses to build OS artifacts.
|
||||
|
||||
%prep
|
||||
%forgesetup
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
%py3_build
|
||||
@ -110,6 +121,9 @@ install -p -m 0755 $(find runners -type f -or -type l) %{buildroot}%{pkgdir}/run
|
||||
mkdir -p %{buildroot}%{pkgdir}/sources
|
||||
install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources
|
||||
|
||||
mkdir -p %{buildroot}%{pkgdir}/inputs
|
||||
install -p -m 0755 $(find inputs -type f) %{buildroot}%{pkgdir}/inputs
|
||||
|
||||
# mount point for bind mounting the osbuild library
|
||||
mkdir -p %{buildroot}%{pkgdir}/osbuild
|
||||
|
||||
@ -176,6 +190,52 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Apr 8 2021 Christian Kellner <ckellner@redhat.com> - 27.2-1
|
||||
- Upstream release 27.2.
|
||||
- Support for explicitly selecting the qcow2 version.
|
||||
|
||||
* Thu Apr 1 2021 Achilleas Koutsou <akoutsou@redhat.com> - 27.1-1
|
||||
- Upstream release 27.1
|
||||
- Bug fixes related to OCI archive generation.
|
||||
|
||||
* Tue Mar 16 2021 Christian Kellner <ckellner@redhat.com> - 27-1
|
||||
- Upstream release 27
|
||||
- Various bug fixes related to the new container and installer
|
||||
stages introdcued in version 25 and 26.
|
||||
|
||||
* Fri Feb 19 2021 Christian Kellner <ckellner@redhat.com> - 26-1
|
||||
- Upstream release 26
|
||||
- Includes the necessary stages to build boot isos.
|
||||
|
||||
* Fri Feb 12 2021 Christian Kellner <ckellner@redhat.com> - 25-1
|
||||
- Upstream 25 release
|
||||
- First tech preview of the new manifest format. Includes
|
||||
various new stages and inputs to be able to build ostree
|
||||
commits contained in a oci archive.
|
||||
|
||||
* Thu Jan 28 2021 Christian Kellner <ckellner@redhat.com> - 24-1
|
||||
- Upstream 24 release
|
||||
- Include new `Input` modules.
|
||||
|
||||
* Mon Nov 23 2020 Christian Kellner <ckellner@redhat.com> - 23-3
|
||||
- only disable the dep. generator for runners, remove explicity
|
||||
python3 requirement again. The dependency should be picked up
|
||||
via the dependency generator now.
|
||||
|
||||
* Fri Nov 13 2020 Christian Kellner <ckellner@redhat.com> - 23-2
|
||||
- Explicilty require python3. See the comment above the Requires
|
||||
for an explanation why this is needed.
|
||||
|
||||
* Fri Oct 23 2020 Christian Kellner <ckellner@redhat.com> - 23-1
|
||||
- Upstream release 23
|
||||
- Do not mangle shebangs for assemblers, runners & stages.
|
||||
|
||||
* Wed Oct 14 2020 Christian Kellner <ckellner@redhat.com> - 22-1
|
||||
- Upstream release 22
|
||||
- Remove all patches since they are all in osbuild-22.
|
||||
- bubblewrap replaced systemd-nspawn for sandboxing; change the
|
||||
requirements accordingly.
|
||||
|
||||
* Thu Aug 13 2020 Christian Kellner <ckellner@redhat.com> - 18-3
|
||||
- Add patch to allow nnp and nosuid domain transitions
|
||||
https://github.com/osbuild/osbuild/pull/495
|
||||
|
||||
Loading…
Reference in New Issue
Block a user