container-selinux/container-selinux.spec

%global debug_package %{nil}

# container-selinux stuff (prefix with ds_ for version/release etc.)
# Some bits borrowed from the openstack-selinux package
%global selinuxtype targeted
%global moduletype services
%global modulenames container

# Usage: _format var format
# Expand 'modulenames' into various formats as needed
# Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

Name: container-selinux
Epoch: 2
Version: 2.230.0
Release: 1
License: GPL-2.0-only
URL: https://github.com/containers/%{name}
Summary: SELinux policies for container runtimes
Source0: %{url}/archive/v%{version}.tar.gz
BuildArch: noarch
BuildRequires: make
BuildRequires: git-core
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy >= %_selinux_policy_version
BuildRequires: selinux-policy-devel >= %_selinux_policy_version
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
Requires: selinux-policy >= %_selinux_policy_version
Requires(post): selinux-policy-base >= %_selinux_policy_version
Requires(post): selinux-policy-targeted >= %_selinux_policy_version
Requires(post): policycoreutils
Requires(post): libselinux-utils
Requires(post): sed
Obsoletes: %{name} <= 2:1.12.5-13
Obsoletes: docker-selinux <= 2:1.12.4-28
Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}

%description
SELinux policy modules for use with container runtimes.

%prep
%autosetup -Sgit %{name}-%{version}

sed -i 's/^man: install-policy/man:/' Makefile
sed -i 's/^install: man/install:/' Makefile

%build
make

%install
# install policy modules
%_format MODULES $x.pp.bz2
%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user

# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
rm %{buildroot}%{_mandir}/man8/container_selinux.8

%pre
%selinux_relabel_pre -s %{selinuxtype}

%post
# Install all modules in a single transaction
if [ $1 -eq 1 ]; then
   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
fi
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
%selinux_modules_install -s %{selinuxtype} $MODULES
. %{_sysconfdir}/selinux/config
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :

%postun
if [ $1 -eq 0 ]; then
   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
fi

%posttrans
%selinux_relabel_post -s %{selinuxtype}

#define license tag if not already defined
%{!?_licensedir:%global license %doc}

%files
%doc README.md
%{_datadir}/selinux/*
%dir %{_datadir}/containers/selinux
%{_datadir}/containers/selinux/contexts
%dir %{_datadir}/udica/templates/
%{_datadir}/udica/templates/*
# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
#%%{_mandir}/man8/container_selinux.8.gz
%{_sysconfdir}/selinux/targeted/contexts/users/*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}

%triggerpostun -- container-selinux < 2:2.162.1-3
if %{_sbindir}/selinuxenabled ; then
    echo "Fixing Rootless SELinux labels in homedir"
    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null
fi

%changelog
* Tue Apr 09 2024 lijian <lijian2@kylinos.cn> - 2:2.230.0-1
- Update container-selinux to v2.230.0
- Allow containers to unmount file systems
- Add buildah as a container_runtime_exec_t label
- Additional rules for container_user_t
- Add some MLS rules to policy
- Add container_file_t and container_ro_file_t as user_home_type

* Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.163-1
- Update container-selinux to v2.163.0

* Tue Oct 26 2021 caodongxia <caodongxia@huawei.com> - 2.138-5
- DESC: systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead

* Wed Aug 11 2021 chenyanpanHW <chenyanpan@huawei.com> - 2.138-4
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git

* Mon Dec 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.138-2
- Update container-selinux spec

* Wed Aug 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.138-1
- Update container-selinux to v2.138.1

* Sat Sep 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.73-3
- Package init
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`%global debug_package %{nil}`
update code 2019-11-06 19:04:45 +08:00
			`# container-selinux stuff (prefix with ds_ for version/release etc.)`
			`# Some bits borrowed from the openstack-selinux package`
			`%global selinuxtype targeted`
			`%global moduletype services`
			`%global modulenames container`

			`# Usage: _format var format`
			`# Expand 'modulenames' into various formats as needed`
			`# Format must contain '$x' somewhere to do anything useful`
			`%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;`

			`Name: container-selinux`
			`Epoch: 2`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`Version: 2.230.0`
update version to 2.163 2022-05-23 09:41:23 +08:00			`Release: 1`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`License: GPL-2.0-only`
			`URL: https://github.com/containers/%{name}`
update code 2019-11-06 19:04:45 +08:00			`Summary: SELinux policies for container runtimes`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`Source0: %{url}/archive/v%{version}.tar.gz`
update code 2019-11-06 19:04:45 +08:00			`BuildArch: noarch`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`BuildRequires: make`
update version to 2.163 2022-05-23 09:41:23 +08:00			`BuildRequires: git-core`
update code 2019-11-06 19:04:45 +08:00			`BuildRequires: pkgconfig(systemd)`
update version to 2.163 2022-05-23 09:41:23 +08:00			`BuildRequires: selinux-policy >= %_selinux_policy_version`
			`BuildRequires: selinux-policy-devel >= %_selinux_policy_version`
update code 2019-11-06 19:04:45 +08:00			`# RE: rhbz#1195804 - ensure min NVR for selinux-policy`
update version to 2.163 2022-05-23 09:41:23 +08:00			`Requires: selinux-policy >= %_selinux_policy_version`
			`Requires(post): selinux-policy-base >= %_selinux_policy_version`
			`Requires(post): selinux-policy-targeted >= %_selinux_policy_version`
update code 2019-11-06 19:04:45 +08:00			`Requires(post): policycoreutils`
			`Requires(post): libselinux-utils`
			`Requires(post): sed`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`Obsoletes: %{name} <= 2:1.12.5-13`
update code 2019-11-06 19:04:45 +08:00			`Obsoletes: docker-selinux <= 2:1.12.4-28`
update version to 2.163 2022-05-23 09:41:23 +08:00			`Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}`
update code 2019-11-06 19:04:45 +08:00
			`%description`
			`SELinux policy modules for use with container runtimes.`

			`%prep`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`%autosetup -Sgit %{name}-%{version}`

			`sed -i 's/^man: install-policy/man:/' Makefile`
			`sed -i 's/^install: man/install:/' Makefile`
update code 2019-11-06 19:04:45 +08:00
			`%build`
			`make`

			`%install`
			`# install policy modules`
			`%_format MODULES $x.pp.bz2`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user`
update code 2019-11-06 19:04:45 +08:00
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120`
			`rm %{buildroot}%{_mandir}/man8/container_selinux.8`
update code 2019-11-06 19:04:45 +08:00
update version to 2.163 2022-05-23 09:41:23 +08:00			`%pre`
			`%selinux_relabel_pre -s %{selinuxtype}`

update code 2019-11-06 19:04:45 +08:00			`%post`
			`# Install all modules in a single transaction`
			`if [ $1 -eq 1 ]; then`
update version to 2.163 2022-05-23 09:41:23 +08:00			`%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1`
update code 2019-11-06 19:04:45 +08:00			`fi`
			`%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2`
			`%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null`
			`%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null`
			`%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null`
update version to 2.163 2022-05-23 09:41:23 +08:00			`%selinux_modules_install -s %{selinuxtype} $MODULES`
update code 2019-11-06 19:04:45 +08:00			`. %{_sysconfdir}/selinux/config`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`sed -e "\\|container_file_t\|h; \${x;s\|container_file_t\|\|;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types`
update code 2019-11-06 19:04:45 +08:00			`matchpathcon -qV %{_sharedstatedir}/containers \|\| restorecon -R %{_sharedstatedir}/containers &> /dev/null \|\| :`

			`%postun`
			`if [ $1 -eq 0 ]; then`
update version to 2.163 2022-05-23 09:41:23 +08:00			`%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker`
update code 2019-11-06 19:04:45 +08:00			`fi`

update version to 2.163 2022-05-23 09:41:23 +08:00			`%posttrans`
			`%selinux_relabel_post -s %{selinuxtype}`

update code 2019-11-06 19:04:45 +08:00			`#define license tag if not already defined`
			`%{!?_licensedir:%global license %doc}`

			`%files`
			`%doc README.md`
			`%{_datadir}/selinux/*`
update version to 2.163 2022-05-23 09:41:23 +08:00			`%dir %{_datadir}/containers/selinux`
			`%{_datadir}/containers/selinux/contexts`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`%dir %{_datadir}/udica/templates/`
			`%{_datadir}/udica/templates/*`
			`# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120`
			`#%%{_mandir}/man8/container_selinux.8.gz`
			`%{_sysconfdir}/selinux/targeted/contexts/users/*`
			`%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}`
update version to 2.163 2022-05-23 09:41:23 +08:00
			`%triggerpostun -- container-selinux < 2:2.162.1-3`
			`if %{_sbindir}/selinuxenabled ; then`
			`echo "Fixing Rootless SELinux labels in homedir"`
			`%{_sbindir}/restorecon -R /home//.local/share/containers/storage/overlay 2> /dev/null`
			`fi`
update code 2019-11-06 19:04:45 +08:00
			`%changelog`
Update container-selinux to v2.230.0 (cherry picked from commit 699f9f16788e8e2ab37955afe94e9c623d783f58) 2024-04-09 14:38:01 +08:00			`* Tue Apr 09 2024 lijian <lijian2@kylinos.cn> - 2:2.230.0-1`
			`- Update container-selinux to v2.230.0`
			`- Allow containers to unmount file systems`
			`- Add buildah as a container_runtime_exec_t label`
			`- Additional rules for container_user_t`
			`- Add some MLS rules to policy`
			`- Add container_file_t and container_ro_file_t as user_home_type`

update version to 2.163 2022-05-23 09:41:23 +08:00			`* Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.163-1`
			`- Update container-selinux to v2.163.0`

systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead 2021-10-26 14:05:01 +08:00			`* Tue Oct 26 2021 caodongxia <caodongxia@huawei.com> - 2.138-5`
			`- DESC: systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead`

delete -Sgit from %autosetup, and delete BuildRequires git 2021-08-11 19:24:11 +08:00			`* Wed Aug 11 2021 chenyanpanHW <chenyanpan@huawei.com> - 2.138-4`
			`- DESC: delete -Sgit from %autosetup, and delete BuildRequires git`

update container-selinux spec Signed-off-by: zvier <liuzekun@huawei.com> 2020-12-14 11:02:32 +08:00			`* Mon Dec 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.138-2`
			`- Update container-selinux spec`

Update container-selinux to v2.138.0 Signed-off-by: liuzekun <liuzekun@huawei.com> 2020-08-19 17:00:39 +08:00			`* Wed Aug 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.138-1`
update container-selinux spec Signed-off-by: zvier <liuzekun@huawei.com> 2020-12-14 11:02:32 +08:00			`- Update container-selinux to v2.138.1`
Update container-selinux to v2.138.0 Signed-off-by: liuzekun <liuzekun@huawei.com> 2020-08-19 17:00:39 +08:00
			`* Sat Sep 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.73-3`
update code 2019-11-06 19:04:45 +08:00			`- Package init`