.gitignore

@@ -1 +1 @@
-SOURCES/v0.2.1.tar.gz
+SOURCES/v0.2.8.tar.gz

.udica.metadata

@@ -1 +1 @@
-4040bc2746225acabf5c7038d8eb38ae2de30ac2 SOURCES/v0.2.1.tar.gz
+033cad13d38db7fcb03b004ac3e60cba8c3166d0 SOURCES/v0.2.8.tar.gz

SOURCES/0002-Add-tests-covering-confined-user-policy-generation.patch

@@ -0,0 +1,170 @@
+From d444e67ead27266d57184ab8bc032c5528f7e26c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 20 Dec 2023 14:33:27 +0100
+Subject: [PATCH] Add tests covering confined user policy generation
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ tests/test_confined_abcdgilmns.cil | 24 ++++++++++++++++++++
+ tests/test_confined_cla.cil        | 15 +++++++++++++
+ tests/test_confined_lb.cil         | 12 ++++++++++
+ tests/test_confined_lsid.cil       | 17 +++++++++++++++
+ tests/test_main.py                 | 35 +++++++++++++++++++++++++-----
+ 5 files changed, 98 insertions(+), 5 deletions(-)
+ create mode 100644 tests/test_confined_abcdgilmns.cil
+ create mode 100644 tests/test_confined_cla.cil
+ create mode 100644 tests/test_confined_lb.cil
+ create mode 100644 tests/test_confined_lsid.cil
+
+diff --git a/tests/test_confined_abcdgilmns.cil b/tests/test_confined_abcdgilmns.cil
+new file mode 100644
+index 0000000..5fd619f
+--- /dev/null
++++ b/tests/test_confined_abcdgilmns.cil
+@@ -0,0 +1,24 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_ssh_agent_t)
++(type my_container_sudo_t)
++(type my_container_sudo_tmp_t)
++(type my_container_t)
++(type my_container_userhelper_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
++(call confinedom_graphical_login_macro (my_container_t my_container_r my_container_dbus_t))
++(call confinedom_mozilla_usage_macro (my_container_t my_container_r))
++(call confinedom_networking_macro (my_container_t my_container_r))
++(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
++(call confinedom_security_basic_macro (my_container_t my_container_r))
++(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
++(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_cla.cil b/tests/test_confined_cla.cil
+new file mode 100644
+index 0000000..a633aaa
+--- /dev/null
++++ b/tests/test_confined_cla.cil
+@@ -0,0 +1,15 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_ssh_agent_t)
++(type my_container_sudo_t)
++(type my_container_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+\ No newline at end of file
+diff --git a/tests/test_confined_lb.cil b/tests/test_confined_lb.cil
+new file mode 100644
+index 0000000..3e3c997
+--- /dev/null
++++ b/tests/test_confined_lb.cil
+@@ -0,0 +1,12 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_lsid.cil b/tests/test_confined_lsid.cil
+new file mode 100644
+index 0000000..8719420
+--- /dev/null
++++ b/tests/test_confined_lsid.cil
+@@ -0,0 +1,17 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_sudo_t)
++(type my_container_sudo_tmp_t)
++(type my_container_t)
++(type my_container_userhelper_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
++(call confinedom_security_basic_macro (my_container_t my_container_r))
++(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+\ No newline at end of file
+diff --git a/tests/test_main.py b/tests/test_main.py
+index fb6a9ab..0c73861 100644
+--- a/tests/test_main.py
++++ b/tests/test_main.py
+@@ -369,7 +369,26 @@ class TestBase(unittest.TestCase):
+         self.assert_templates(output, ["base_container"])
+         self.assert_policy(test_file("test_devices.podman.cil"))
+ 
+-    def run_udica(self, args):
++    # Confined user tests
++    def test_confined_user(self):
++        """udica confined_user <args> --level s0 --range s0:c0 my_container"""
++        for arg in ["cla", "lb", "lsid", "abcdgilmns"]:
++            output = self.run_udica(
++                [
++                    "udica",
++                    "confined_user",
++                    "-{}".format(arg),
++                    "--level",
++                    "s0",
++                    "--range",
++                    "s0:c0",
++                    "my_container",
++                ],
++                True,
++            )
++            self.assert_policy(test_file("test_confined_{}.cil".format(arg)))
++
++    def run_udica(self, args, confined=False):
+         with patch("sys.argv", args):
+             with patch("sys.stderr.write") as mock_err, patch(
+                 "sys.stdout.write"
+@@ -383,10 +402,16 @@ class TestBase(unittest.TestCase):
+                 udica.__main__.main()
+                 mock_err.assert_not_called()
+ 
+-        self.assertRegex(mock_out.output, "Policy my_container created")
+-        self.assertRegex(
+-            mock_out.output, "--security-opt label=type:my_container.process"
+-        )
++        if confined:
++            self.assertRegex(mock_out.output, "semodule -i my_container.cil")
++            self.assertRegex(
++                mock_out.output, "semanage login -a -s my_container_u my_container"
++            )
++        else:
++            self.assertRegex(mock_out.output, "Policy my_container created")
++            self.assertRegex(
++                mock_out.output, "--security-opt label=type:my_container.process"
++            )
+ 
+         return mock_out.output
+ 
+-- 
+2.43.0
+

SOURCES/0003-confined-make-l-non-optional.patch

@@ -0,0 +1,57 @@
+From f411c146986fabe7375724528b2d4ba8cf78b904 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 12 Feb 2024 19:38:14 +0100
+Subject: [PATCH] confined: make "-l" non optional
+
+The confinedom_user_login_macro is needed for all custom users.
+
+Also, allow the new user type to be accessed via remote login.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ udica/__main__.py                     | 2 +-
+ udica/macros/confined_user_macros.cil | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/udica/__main__.py b/udica/__main__.py
+index 1ba8515..801499c 100644
+--- a/udica/__main__.py
++++ b/udica/__main__.py
+@@ -92,7 +92,7 @@ def get_args():
+             "-l",
+             "--user_login",
+             action="store_true",
+-            default=False,
++            default=True,
+             dest="user_login",
+             help="Basic rules common to all users (tty, pty, ...)",
+         )
+diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
+index ddb5689..06c4c56 100644
+--- a/udica/macros/confined_user_macros.cil
++++ b/udica/macros/confined_user_macros.cil
+@@ -2411,7 +2411,7 @@
+         (typetransition utype sudo_exec_t process sudo_type)
+         (allow sudo_type utype (fd (use)))
+         (allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
+-        (allow sudo_type utype (process (sigchld)))
++        (allow sudo_type utype (process (getpgid sigchld)))
+         (allow sudo_type bin_t (dir (getattr open search)))
+         (allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
+         (allow sudo_type bin_t (dir (getattr open search)))
+@@ -4006,6 +4006,12 @@
+             )
+         )
+     )
++    ; Telnet login
++    (optional  confinedom_user_login_optional_3
++      (typeattributeset cil_gen_require remote_login_t)
++      (allow remote_login_t utype (process (signal transition)))
++      (allow utype self (bpf (prog_load)))
++    )
+ )
+ 
+ (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
+-- 
+2.43.0
+

SOURCES/0004-confined-allow-asynchronous-I-O-operations.patch

@@ -0,0 +1,31 @@
+From 131d228c6a91eaaeccc1d000821beeccba69d134 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 4 Mar 2024 12:59:53 +0100
+Subject: [PATCH] confined: allow asynchronous I/O operations
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ udica/macros/confined_user_macros.cil | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
+index 06c4c56..dcb5198 100644
+--- a/udica/macros/confined_user_macros.cil
++++ b/udica/macros/confined_user_macros.cil
+@@ -4012,6 +4012,13 @@
+       (allow remote_login_t utype (process (signal transition)))
+       (allow utype self (bpf (prog_load)))
+     )
++    ; asynchronous I/O operations RHEL 10
++    (optional  confinedom_user_login_optional_4
++      (typeattributeset cil_gen_require io_uring_t)
++      (allow utype self (io_uring (sqpoll)))
++      (allow utype io_uring_t (anon_inode (create)))
++      (allow utype io_uring_t (anon_inode (read write getattr map)))
++    )
+ )
+ 
+ (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
+-- 
+2.43.0
+

SPECS/udica.spec

@@ -1,8 +1,13 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
-Version: 0.2.1
+Version: 0.2.8
 Release: 2%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
+#git format-patch -N v0.2.8 -- . ':!.cirrus.yml' ':!.github'
+Patch0001: 0001-Add-option-to-generate-custom-policy-for-a-confined-.patch
+Patch0002: 0002-Add-tests-covering-confined-user-policy-generation.patch
+Patch0003: 0003-confined-make-l-non-optional.patch
+Patch0004: 0004-confined-allow-asynchronous-I-O-operations.patch
 License: GPLv3+
 BuildArch: noarch
 Url: https://github.com/containers/udica
@@ -13,13 +18,15 @@ Requires: python3 python3-libsemanage python3-libselinux
 BuildRequires: python2 python2-devel python2-setuptools
 Requires: python2 libsemanage-python libselinux-python
 %endif
+# container-selinux provides policy templates
+Requires: container-selinux >= 2.168.0-2
 
 %description
 Tool for generating SELinux security profiles for containers based on
 inspection of container JSON file.
 
 %prep
-%setup -q
+%autosetup -p 1
 
 %build
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -29,14 +36,13 @@ inspection of container JSON file.
 %endif
 
 %install
-install --directory %%{buildroot}%{_datadir}/udica/templates
-
 %if 0%{?fedora} || 0%{?rhel} > 7
 %{__python3} setup.py install --single-version-externally-managed --root=%{buildroot}
 %else
 %{__python2} setup.py install --single-version-externally-managed --root=%{buildroot}
 %endif
 
+install --directory %{buildroot}%{_datadir}/udica/macros
 install --directory %{buildroot}%{_mandir}/man8
 install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 
@@ -45,9 +51,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %{_bindir}/udica
 %dir %{_datadir}/udica
 %dir %{_datadir}/udica/ansible
-%dir %{_datadir}/udica/templates
+%dir %{_datadir}/udica/macros
 %{_datadir}/udica/ansible/*
-%{_datadir}/udica/templates/*
+%{_datadir}/udica/macros/*
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %license LICENSE
@@ -60,29 +66,124 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 
 %changelog
-* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.2.1-2
+* Tue Mar 05 2024 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-2
-- initial import to container-tools 8.2.0
+- Add option to generate custom policy for a confined user (RHEL-28166)
-- Related: RHELPLAN-25139
+- Add tests covering confined user policy generation
+- confined: make "-l" non optional
+- confined: allow asynchronous I/O operations
+
+* Thu Nov 30 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-1
+- Improve code readability based on lint and black findings
+- Fix generating policy for Crio mounts
+- Add --devices option
+- v0.2.7 release changes:
+- Improve label collection for mounts and devices (RHEL-16245)
+- Add support for containerd via "nerdctl inspect"
+- Avoid duplicate rules for accessing mounts and devices
+
+* Fri Jan 27 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-30
+- Bump release to preserve upgrade path (#2160401)
+
+* Wed Dec 01 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-4
+- Make sure each section of the inspect exists before accessing (#2027656)
+
+* Tue Sep 21 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-3
+- Require container-selinux shipping policy templates (#2000051)
+
+* Fri Sep 17 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.6-2
+- use RHEL-9 product version for gating
+- Related: #2000051
+
+* Thu Sep 16 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.6-1
+- update to https://github.com/containers/udica/releases/tag/v0.2.6
+- Related: #2000051
+
+* Fri Sep 03 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.5-2
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.5 (#1995041)
+- Replace capability dictionary with str.lower()
+- Enable udica to generate policies with fifo class
+- Sort container inspect data before processing
+- Update templates to work properly with new cil parser
+- Related: #2000051
+
+* Wed Aug 25 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.5-1
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.5 (#1995046)
+- Replace capability dictionary with str.lower()
+- Enable udica to generate policies with fifo class
+- Sort container inspect data before processing
+- Update templates to work properly with new cil parser
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.2.4-9
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-8
+- remove %%check again and all related BRs
+
+* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-7
+- remove black from BR
+
+* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-6
+- Add missing BR
+- Related: #1970747
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.2.4-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Mar 16 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.4-4
+- Remove %%check section
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Dec 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.4-2
+- Add %%check section to run basic tests during rpm build process
+
+* Wed Nov 25 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.4-1
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.4
+
+* Thu Aug 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.3-1
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.3
+
+* Mon Aug 03 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.2-1
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.2
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.2.1-3
+- Rebuilt for Python 3.9
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
 * Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.1-1
-- New rebase https://github.com/containers/udica/releases/tag/v0.2.0
+- New rebase https://github.com/containers/udica/releases/tag/v0.2.1
-Resolves: rhbz#1757693
 
-* Wed Oct 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.0-1
+* Wed Sep 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.0-1
 - New rebase https://github.com/containers/udica/releases/tag/v0.2.0
-Resolves: rhbz#1757693
+
+* Wed Aug 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.9-1
+- Update tests test_basic.podman.cil, test_basic.docker.cil. Round 2
+- New rebase https://github.com/containers/udica/releases/tag/v0.1.9
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.1.8-3
+- Rebuilt for Python 3.8
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
 * Thu Jul 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.8-1
-- Udica supports podman version 1.4.0+
+- New rebase https://github.com/containers/udica/releases/tag/v0.1.8
-Resolves: rhbz#1729115
 
-* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.6-1
+* Wed Jun 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.7-1
-- Update testsuite from upstream release
+- New rebase with upstream adding new param --ansible, to generate ansible playbook for deploying policies. https://github.com/containers/udica/releases/tag/v0.1.7
-Resolves: rhbz#1673643
 
-* Wed May 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2
+* Thu May 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.6-1
-- Bump release because of gating tests
+- New rebase with upstream adding new tests
 
+* Tue Apr 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2
+- Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules.
 * Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-1
 - Create mock selinux and semanage module
 - Update testing section in README