udica-0.2.7-5

- Show diff when checking formatting
- Fix several lint findings
- Fix generating policy for Crio mounts

Fixes:
  https://github.com/containers/udica/issues/118

0001-Add-device-access-option.patch

@@ -1,7 +1,7 @@
 From a72b8fffc82657de85d20b3c9191d24a0b41e612 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
 Date: Thu, 11 Aug 2022 14:20:14 +0200
-Subject: [PATCH 1/4] Add ---device--access option
+Subject: [PATCH] Add ---device--access option
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0002-Syntax-changes-after-running-black.patch

@@ -1,7 +1,7 @@
 From a2f0e4588e010e9df9da7bbd46fa4304335f9b25 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
 Date: Thu, 11 Aug 2022 20:29:18 +0200
-Subject: [PATCH 2/4] Syntax changes after running black
+Subject: [PATCH] Syntax changes after running black
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0003-Add-unit-test-for-device-access.patch

@@ -1,7 +1,7 @@
 From 0d3e3194e26a21c531d13bde5e45c0bce9717a99 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
 Date: Thu, 11 Aug 2022 21:50:57 +0200
-Subject: [PATCH 3/4] Add unit test for --device-access
+Subject: [PATCH] Add unit test for --device-access
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0004-Rename-device-access-to-devices.patch

@@ -1,7 +1,7 @@
 From 34c0f137583001c5b7b0f8bf681b027aeff109cb Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 19 Oct 2022 16:34:46 +0200
-Subject: [PATCH 4/4] Rename --device-access to --devices
+Subject: [PATCH] Rename --device-access to --devices
 
 This makes parameters more consistent.
 Also, describe the new parameter in man page.

0005-Show-diff-when-checking-formatting.patch

@@ -0,0 +1,29 @@
+From 07ff36fd09cb20196691a80b5dc1e544b64f12f3 Mon Sep 17 00:00:00 2001
+From: Chris Evich <cevich@redhat.com>
+Date: Wed, 29 Mar 2023 15:25:49 -0400
+Subject: [PATCH] Show diff when checking formatting
+
+Otherwise, all you get in CI is a failure notice w/o any indication as
+to why.
+
+Signed-off-by: Chris Evich <cevich@redhat.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 2b2eda9..4d3b55e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -16,7 +16,7 @@ format:
+ 
+ .PHONY:
+ format-check:
+-	black --check *.py udica/*.py tests/*.py
++	black --check --diff *.py udica/*.py tests/*.py
+ 
+ .PHONY: test
+ test: lint format-check
+-- 
+2.37.3
+

0006-Fix-several-lint-findings.patch

@@ -0,0 +1,38 @@
+From 5d6feb3a6c900d119732a20145352b2459fafcde Mon Sep 17 00:00:00 2001
+From: Chris Evich <cevich@redhat.com>
+Date: Wed, 29 Mar 2023 15:34:13 -0400
+Subject: [PATCH] Fix several lint findings
+
+Signed-off-by: Chris Evich <cevich@redhat.com>
+---
+ udica/__main__.py | 1 -
+ udica/policy.py   | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/udica/__main__.py b/udica/__main__.py
+index 103ddc2..43d2e43 100644
+--- a/udica/__main__.py
++++ b/udica/__main__.py
+@@ -140,7 +140,6 @@ def get_args():
+ 
+ 
+ def main():
+-
+     opts = get_args()
+ 
+     if opts["ContainerID"]:
+diff --git a/udica/policy.py b/udica/policy.py
+index 9069c97..e32b077 100644
+--- a/udica/policy.py
++++ b/udica/policy.py
+@@ -88,7 +88,6 @@ def list_contexts(directory):
+ 
+ 
+ def list_ports(port_number, port_proto):
+-
+     handle = semanage.semanage_handle_create()
+     semanage.semanage_connect(handle)
+ 
+-- 
+2.37.3
+

0007-Fix-generating-policy-for-Crio-mounts.patch

@@ -0,0 +1,116 @@
+From 6a7382bead93a1777370e4bf37f545a22f3bfb4c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 11 Apr 2023 18:15:13 +0200
+Subject: [PATCH] Fix generating policy for Crio mounts
+
+Fix issue introduced by
+Commit 7c7b9ad505ab6b7cd809d30f1699d4bb7323ce0a
+"Avoid duplicate rules for accessing  mounts and devices"
+where policy rules for "read-only mounts" are not generated properly.
+
+Adjust Crio basic test to incorporate a read only mount that is not
+covered by a special case ("/home" is handled by "home_container" and
+anything under "/var/lib/kubelet" is ignored).
+
+Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
+spotting this in the code.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ tests/selinux.py          | 4 ++++
+ tests/test_basic.cri.cil  | 6 +++++-
+ tests/test_basic.cri.json | 4 ++--
+ tests/test_main.py        | 4 ++--
+ udica/policy.py           | 2 +-
+ 5 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/tests/selinux.py b/tests/selinux.py
+index f56d132..3f720a5 100644
+--- a/tests/selinux.py
++++ b/tests/selinux.py
+@@ -25,6 +25,8 @@ def selabel_lookup(selabel, directory, rc):
+         return (0, None)
+     elif directory == "/dev/fb0":
+         return (0, "system_u:object_r:framebuf_device_t:s0")
++    elif directory == "/etc/hosts":
++        return (0, "system_u:object_r:net_conf_t:s0")
+     else:
+         return (0, "system_u:object_r:var_spool_t:s0")
+ 
+@@ -32,5 +34,7 @@ def selabel_lookup(selabel, directory, rc):
+ def getfilecon(directory):
+     if directory == "/tmp/test":
+         return (0, "system_u:object_r:user_tmp_t:s0")
++    elif directory == "/etc/hosts":
++        return (0, "system_u:object_r:net_conf_t:s0")
+     else:
+         return (0, "system_u:object_r:var_spool_t:s0")
+diff --git a/tests/test_basic.cri.cil b/tests/test_basic.cri.cil
+index 47a3705..52d5771 100644
+--- a/tests/test_basic.cri.cil
++++ b/tests/test_basic.cri.cil
+@@ -250,4 +250,8 @@
+     (allow process zoneminder_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) 
+     (allow process zoneminder_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) 
+     (allow process zoneminder_spool_t ( sock_file ( append getattr open read write ))) 
+-)
+\ No newline at end of file
++    (allow process net_conf_t ( dir ( getattr ioctl lock open read search ))) 
++    (allow process net_conf_t ( file ( getattr ioctl lock open read ))) 
++    (allow process net_conf_t ( fifo_file ( getattr open read lock ioctl ))) 
++    (allow process net_conf_t ( sock_file ( getattr open read ))) 
++)
+diff --git a/tests/test_basic.cri.json b/tests/test_basic.cri.json
+index e16f9aa..c21705d 100644
+--- a/tests/test_basic.cri.json
++++ b/tests/test_basic.cri.json
+@@ -46,9 +46,9 @@
+       },
+       {
+         "containerPath": "/etc/hosts",
+-        "hostPath": "/var/lib/kubelet/pods/59ecb6eb-de09-11e9-8ebe-02e4204e049a/etc-hosts",
++        "hostPath": "/etc/hosts",
+         "propagation": "PROPAGATION_PRIVATE",
+-        "readonly": false,
++        "readonly": true,
+         "selinuxRelabel": false
+       },
+       {
+diff --git a/tests/test_main.py b/tests/test_main.py
+index f32588b..fb6a9ab 100644
+--- a/tests/test_main.py
++++ b/tests/test_main.py
+@@ -119,7 +119,7 @@ class TestBase(unittest.TestCase):
+         self.assert_policy(test_file("test_basic.docker.cil"))
+ 
+     def test_basic_cri(self):
+-        """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms"""
++        """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms"""
+         output = self.run_udica(
+             [
+                 "udica",
+@@ -135,7 +135,7 @@ class TestBase(unittest.TestCase):
+         self.assert_policy(test_file("test_basic.cri.cil"))
+ 
+     def test_basic_specified_engine_cri(self):
+-        """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms"""
++        """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms"""
+         output = self.run_udica(
+             [
+                 "udica",
+diff --git a/udica/policy.py b/udica/policy.py
+index e32b077..9d1eae0 100644
+--- a/udica/policy.py
++++ b/udica/policy.py
+@@ -284,7 +284,7 @@ def write_policy_for_crio_mounts(mounts, policy):
+             + " ))) \n"
+         )
+ 
+-    for contexts in sorted(set(contexts_readonly)):
++    for context in sorted(set(contexts_readonly)):
+         policy.write(
+             "    (allow process "
+             + context
+-- 
+2.38.1
+

udica.spec

@@ -1,12 +1,16 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
 Version: 0.2.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
-Patch001: 0001-Add-device-access-option.patch
+#git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github'
-Patch002: 0002-Syntax-changes-after-running-black.patch
+Patch0001: 0001-Add-device-access-option.patch
-Patch003: 0003-Add-unit-test-for-device-access.patch
+Patch0002: 0002-Syntax-changes-after-running-black.patch
-Patch004: 0004-Rename-device-access-to-devices.patch
+Patch0003: 0003-Add-unit-test-for-device-access.patch
+Patch0004: 0004-Rename-device-access-to-devices.patch
+Patch0005: 0005-Show-diff-when-checking-formatting.patch
+Patch0006: 0006-Fix-several-lint-findings.patch
+Patch0007: 0007-Fix-generating-policy-for-Crio-mounts.patch
 License: GPL-3.0-or-later
 BuildArch: noarch
 Url: https://github.com/containers/udica
@@ -62,6 +66,11 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 
 %changelog
+* Tue Apr 11 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.7-5
+- Show diff when checking formatting
+- Fix several lint findings
+- Fix generating policy for Crio mounts
+
 * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.7-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild