container-selinux.spec 17.2 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
%global debug_package   %{nil}

# container-selinux
%global git0 https://github.com/containers/container-selinux

# container-selinux stuff (prefix with ds_ for version/release etc.)
# Some bits borrowed from the openstack-selinux package
%global selinuxtype targeted
%global moduletype services
%global modulenames container

# Usage: _format var format
# Expand 'modulenames' into various formats as needed
# Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

# Version of SELinux we were using
%global selinux_policyver 3.14.3-9.el8

Epoch: 2
Name: container-selinux
Version: 2.155.0
Release: 1%{?dist}
License: GPLv2
URL: %{git0}
Summary: SELinux policies for container runtimes
Source0: %{git0}/archive/v%{version}.tar.gz
BuildArch: noarch
BuildRequires: git
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
Requires: selinux-policy >= %{selinux_policyver}
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
Requires(post): policycoreutils >= 2.5-11
%if 0%{?rhel} > 7 || 0%{?fedora}
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif
Requires(post): libselinux-utils
Requires(post): sed
Obsoletes: %{name} <= 2:1.12.5-14
Obsoletes: docker-selinux <= 2:1.12.4-28
Provides: docker-selinux = %{epoch}:%{version}-%{release}
Provides: docker-engine-selinux = %{epoch}:%{version}-%{release}

%description
SELinux policy modules for use with container runtimes.

%prep
%autosetup -Sgit

%build
make

%install
# install policy modules
%_format MODULES $x.pp.bz2
install -d %{buildroot}%{_datadir}/selinux/packages
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}/%{_datadir}/containers/selinux
install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts

# remove spec file
rm -rf %{name}.spec

%check

%pre
%selinux_relabel_pre -s %{selinuxtype}

%post
# Install all modules in a single transaction
if [ $1 -eq 1 ]; then
   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
fi
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
%selinux_modules_install -s %{selinuxtype} $MODULES
. %{_sysconfdir}/selinux/config
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :

%postun
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
fi

%posttrans
%selinux_relabel_post -s %{selinuxtype}

#define license tag if not already defined
%{!?_licensedir:%global license %doc}

%files
%doc README.md
%{_datadir}/selinux/*
%dir %{_datadir}/containers/selinux
%{_datadir}/containers/selinux/contexts

%changelog
* Tue Jan 05 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.155.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.155.0
- Related: #1888571

* Sat Jan 02 2021 Jindrich Novy <jnovy@redhat.com> - 2:2.154.0-1
- update to
  https://github.com/containers/container-selinux/releases/tag/v2.154.0
- Related: #1888571

* Sat Dec 26 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.153.0-1
- update to
  https://github.com/containers/container-selinux/releases/tag/v2.153.0
- Related: #1888571

* Sat Dec 26 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.152.0-1
- update to
  https://github.com/containers/container-selinux/releases/tag/v2.152.0
- Related: #1888571

* Tue Nov 03 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.151.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.151.0
- Related: #1888571

* Fri Oct 23 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.150.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.150.0
- Related: #1888571

* Thu Oct 22 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.145.0-1
- synchronize with stream-container-tools-rhel8-rhel-8.4.0
- Resolves: #1873064

* Thu Aug 13 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.144.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.144.0
- Related: #1821193

* Mon Aug 10 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.143.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.143.0
- Related: #1821193

* Sun Jul 26 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.142.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.142.0
- Related: #1821193

* Sun Jul 19 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.139.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.139.0
- Related: #1821193

* Fri Jul 10 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.138.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.138.0
- Related: #1821193

* Fri Jun 12 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.137.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.137.0
- Related: #1821193

* Sun May 31 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.135.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.135.0
- Related: #1821193

* Fri May 29 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.134.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.134.0
- Related: #1821193

* Tue May 12 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.132.0-1
- synchronize containter-tools 8.3.0 with 8.2.1
- Related: #1821193

* Tue Apr 07 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.130.0-1
- update to https://github.com/containers/container-selinux/releases/tag/v2.130.0
- don't use macros in changelog
- Related: #1821193

* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.124.0-1
- update to 2.124.0
- Related: RHELPLAN-25139

* Fri Dec 06 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.123.0-2
- implement spec file refactoring by Zdenek Pytela, namely:
  Change the uninstall command in the %%postun section of the specfile
  to use the %%selinux_modules_uninstall macro which uses priority 200.
  Change the install command in the %%post section if the specfile
  to use the %%selinux_modules_install macro.
  Replace relabel commands with using the %%selinux_relabel_pre and
  %%selinux_relabel_post macros.
  Change formatting so that the lines are vertically aligned
  in the %%postun section.
  (https://github.com/containers/container-selinux/pull/85)
- Related: RHELPLAN-25139

* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.123.0-1
- update to 2.123.0
- Related: RHELPLAN-25139

* Mon Nov 25 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.122.0-1
- update to 2.122.0
- Related: RHELPLAN-25139

* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.119.0-3.gita233788
- update to master container-selinux - bug 1769469
- Related: RHELPLAN-25139

* Tue Nov 19 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.119.0-2
- fix post scriptlet - fail if semodule fails - bug 1729272
- Related: RHELPLAN-25139

* Fri Nov 08 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.119.0-1
- update to 2.119.0
- Related: RHELPLAN-25139

* Thu Oct 17 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.116-1
- update to 2.116
  Resolves: #1748519

* Tue Aug 13 2019 Jindrich Novy <jnovy@redhat.com> - 2:2.107-2
- Use at least selinux policy 3.14.3-9.el8,
  Resolves: #1728700

* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.107-1
- Resolves: #1720654 - rebase to v2.107

* Mon Mar 11 2019 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.89-1.git2521d0d
- bump to v2.89

* Tue Nov 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.75-1.git99e2cfd
- bump to v2.75
- built commit 99e2cfd

* Mon Oct 22 2018 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.74-1
- Resolves: #1641655 - bump to v2.74
- built commit a62c2db

* Tue Sep 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.73-3
- tweak macro for fedora - applies to rhel8 as well

* Mon Sep 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.73-2
- moved changelog entries:
- Define spc_t as a container_domain, so that container_runtime will transition
to spc_t even when setup with nosuid.
- Allow container_runtimes to setattr on callers fifo_files
- Fix restorecon to not error on missing directory

* Thu Sep 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-3
- Make sure we pull in the latest selinux-policy

* Wed Jul 25 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.69-2
- Add map support to container-selinux for RHEL 7.5
- Dontudit attempts to write to kernel_sysctl_t

* Mon Jul 16 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.68-1
- Add label for /var/lib/origin
- Add customizable_file_t to customizable_types

* Sun Jul 15 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.67-1
- Add policy for container_logreader_t

* Thu Jun 14 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.66-1
- Allow dnsmasq to dbus chat with spc_t

* Sun Jun 3 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.64-1
- Allow containers to create all socket classes

* Thu May 24 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.62-1
- Label overlay directories under /var/lib/containers/ correctly

* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.61-1
- Allow spc_t to load kernel modules from inside of container 

* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.60-1
- Allow containers to list cgroup directories
- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.

* Mon May 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-2
- Run restorecon /usr/bin/podman in postinstall

* Fri May 18 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.58-1
- Add labels to allow podman to be run from a systemd unit file

* Mon May 7 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.57-1
- Set the version of SELinux policy required to the latest to fix build issues.

* Wed Apr 11 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.56-1
- Allow container_runtime_t to transition to spc_t over unlabeled files

* Mon Mar 26 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.55-1
    Allow iptables to read container state
    Dontaudit attempts from containers to write to /proc/self
    Allow spc_t to change attributes on container_runtime_t fifo files

* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.52-1
- Add better support for writing custom selinux policy for customer container domains.

* Thu Mar 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.51-1
- Allow shell_exec_t as a container_runtime_t entrypoint

* Wed Mar 7 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.50-1
- Allow bin_t as a container_runtime_t entrypoint

* Fri Mar 2 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.49-1
- Add support for MLS running container runtimes
- Add missing allow rules for running systemd in a container

* Wed Feb 21 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.48-1
- Update policy to match master branch
- Remove typebounds and replace with nnp_transition and nosuid_transition calls

* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.41-1
- Add support to nnp_transition for container domains
- Eliminates need for typebounds.

* Tue Jan 9 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.40-1
- Allow container_runtime_t to use user ttys
- Fixes bounds check for container_t

* Mon Jan 8 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.39-1
- Allow container runtimes to use interited terminals.  This helps
satisfy the bounds check of container_t versus container_runtime_t.

* Sat Jan 6 2018 Dan Walsh <dwalsh@fedoraproject.org> - 2.38-1
- Allow container runtimes to mmap container_file_t devices
- Add labeling for rhel push plugin

* Tue Dec 12 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.37-1
- Allow containers to use inherited ttys
- Allow ostree to handle labels under /var/lib/containers/ostree

* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.36-1
- Allow containers to relabelto/from all file types to container_file_t

* Mon Nov 27 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.35-1
- Allow container to map chr_files labeled container_file_t

* Wed Nov 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.34-1
- Dontaudit container processes getattr on kernel file systems

* Sun Nov 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.33-1
- Allow containers to read /etc/resolv.conf and /etc/hosts if volume
- mounted into container.

* Wed Nov 8 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.32-1
- Make sure users creating content in /var/lib with right labels

* Thu Oct 26 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.31-1
- Allow the container runtime to dbus chat with dnsmasq
- add dontaudit rules for container trying to write to /proc

* Tue Oct 10 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.29-1
- Add support for lxcd
- Add support for labeling of tmpfs storage created within a container.

* Mon Oct 9 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.28-1
- Allow a container to umount a container_file_t filesystem

* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.27-1
-  Allow container runtimes to work with the netfilter sockets
-  Allow container_file_t to be an entrypoint for VM's
-  Allow spc_t domains to transition to svirt_t

* Fri Sep 22 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.24-1
-     Make sure container_runtime_t has all access of container_t

* Thu Sep 7 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.23-1
- Allow container runtimes to create sockets in tmp dirs

* Tue Sep 5 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.22-1
- Add additonal support for crio labeling.

* Mon Aug 14 2017 Troy Dawson <tdawson@redhat.com> - 2.21-3
- Fixup spec file conditionals

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.21-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.21-1
- Allow containers to execmod on container_share_t files.

* Thu Jul 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-2
- Relabel runc and crio executables

* Fri Jun 30 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2.20-1
- Allow container processes to getsession

* Wed Jun 14 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.19-2.1
- update release tag to isolate from 7.3

* Wed Jun 14 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.19-1
- Fix mcs transition problem on stdin/stdout/stderr
- Add labels for CRI-O
- Allow containers to use tunnel sockets

* Tue Jun 06 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.15-1.1
- Resolves: #1451289
- rebase to v2.15
- built @origin/RHEL-1.12 commit 583ca40

* Mon Mar 20 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.10-2.1
- Make sure we have a late enough version of policycoreutils

* Mon Mar 6 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.10-1
- Update to the latest container-selinux patch from upstream
- Label files under /usr/libexec/lxc as container_runtime_exec_t
- Give container_t access to XFRM sockets
- Allow spc_t to dbus chat with init system
- Allow containers to read cgroup configuration mounted into a container

* Tue Feb 21 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.9-4
- Resolves: #1425574
- built commit 79a6d70

* Mon Feb 20 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.9-3
- Resolves: #1420591
- built @origin/RHEL-1.12 commit 8f876c4

* Mon Feb 13 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.9-2
- built @origin/RHEL-1.12 commit 33cb78b

* Fri Feb 10 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.8-2
-

* Tue Feb 07 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:2.7-1
- built origin/RHEL-1.12 commit 21dd37b

* Fri Jan 20 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.4-2
- correct version-release in changelog entries

* Thu Jan 19 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.4-1
- Add typebounds statement for container_t from container_runtime_t
- We should only label runc not runc*

* Tue Jan 17 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:2.3-1
- Fix labeling on /usr/bin/runc.*
- Add sandbox_net_domain access to container.te
- Remove containers ability to look at /etc content

* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-4
- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7

* Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
- properly disable docker module in %%post

* Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
- depend on selinux-policy-targeted
- relabel docker-latest* files as well

* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-1
- bump to v2.2
- additional labeling for ocid

* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-2
- install policy at level 200
- From: Dan Walsh <dwalsh@redhat.com>

* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-1
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
standalone package)
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel

* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:1.12.4-29
- new package (separated from docker)