17 upstream release

Add a custom SELinux policy, shipped in a new osbuild-selinux sub- package, to allow setting labels unknown to the host.
2020-06-10 16:24:02 +02:00 · 2020-06-10 16:24:02 +02:00 · cee28ed091
commit cee28ed091
parent 7d9cc21846
3 changed files with 50 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,3 +14,4 @@
 /osbuild-14.tar.gz
 /osbuild-15.tar.gz
 /osbuild-16.tar.gz
+/osbuild-17.tar.gz
--- a/osbuild.spec
+++ b/osbuild.spec
@ -1,6 +1,7 @@
 %global         forgeurl https://github.com/osbuild/osbuild
+%global         selinuxtype targeted

-Version:        16
+Version:        17

 %forgemeta

@ -34,6 +35,7 @@ Requires:       systemd-container
 Requires:       tar
 Requires:       util-linux
 Requires:       python3-%{pypi_name} = %{version}-%{release}
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})

 # Turn off dependency generators for assemblers, runners and stages.
 # They run in a container, so there's no reason to generate dependencies
@ -63,6 +65,18 @@ Requires:       rpm-ostree
 Contains the necessary stages, assembler and source
 to build OSTree based images.

+%package        selinux
+Summary:        SELinux policies
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description    selinux
+Contains the necessary SELinux policies that allows
+osbuild to use labels unknown to the host inside the
+containers it uses to build OS artifacts.
+
 %prep
 %forgesetup

@ -70,6 +84,13 @@ to build OSTree based images.
 %py3_build
 make man

+# SELinux
+make -f /usr/share/selinux/devel/Makefile osbuild.pp
+bzip2 -9 osbuild.pp
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
 %install
 %py3_install

@ -99,6 +120,10 @@ mkdir -p %{buildroot}%{_mandir}/man5
 install -p -m 0644 -t %{buildroot}%{_mandir}/man1/ docs/*.1
 install -p -m 0644 -t %{buildroot}%{_mandir}/man5/ docs/*.5

+# SELinux
+install -D -m 644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} %{name}.pp.bz2
+install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_selinux.8
+
 %check
 exit 0
 # We have some integration tests, but those require running a VM, so that would
@ -129,9 +154,30 @@ exit 0
 %{pkgdir}/stages/org.osbuild.ostree
 %{pkgdir}/stages/org.osbuild.rpm-ostree

+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_selinux.8.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
 %changelog
+* Wed Jun 10 2020 Christian Kellner <ckellner@redhat.com> - 17-1
+- new upstream relaese 17
+- Add custom SELinux policy that lets osbuild set labels inside
+  the build root that are unknown to the host.
+
 * Thu Jun  4 2020 Christian Kellner <ckellner@redhat.com> - 16-1
- new upstream release 15
+- new upstream release 16
 - Drop sources-fix-break-when-secrets-is-None.patch included in
  the new upstream reelase.

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (osbuild-16.tar.gz) = 21041af1b617ef30ae7e6e27a986d094a13bcbc3a4d52d69272f24a88c49a0d4b5f57e4d54a7dd322053d607a2c859ff7586f0392d0e1efae163a9bfe6b5c065
+SHA512 (osbuild-17.tar.gz) = 63b7402e87665917d31a69e3a9c399dd22219b1f3bb1edec71a6c3d00eb996a4a297129ed33d46dad49c4d7d7f18e643166aace1de84e4741ecd929be0248021