!9 升级container-selinux至2.163版本

From: @duyiwei7w 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl

0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch

@@ -1,27 +0,0 @@
-From 2ab60ecaf03083775312e49a1c3cd98a8cb3eb46 Mon Sep 17 00:00:00 2001
-From: wujing <wujing50@huawei.com>
-Date: Mon, 30 Aug 2021 11:11:00 +0800
-Subject: [PATCH] systemd_dbus_chat_resolved has been deprecated, use
- systemd_chat_resolved instead
-
-Signed-off-by: wujing <wujing50@huawei.com>
----
- container.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/container.te b/container.te
-index d17e4fe..63c5379 100644
---- a/container.te
-+++ b/container.te
-@@ -427,7 +427,7 @@ modutils_domtrans_kmod(container_runtime_domain)
- systemd_status_all_unit_files(container_runtime_domain)
- systemd_start_systemd_services(container_runtime_domain)
- systemd_dbus_chat_logind(container_runtime_domain)
--systemd_dbus_chat_resolved(container_runtime_domain)
-+systemd_chat_resolved(container_runtime_domain)
- 
- userdom_stream_connect(container_runtime_domain)
- userdom_search_user_home_content(container_runtime_domain)
--- 
-2.31.1
-

container-selinux.spec

@@ -1,8 +1,8 @@
 %global debug_package   %{nil}
 
 # container-selinux
-%global git0 https://github.com/projectatomic/container-selinux
+%global git0 https://github.com/containers/container-selinux
-%global commit0 988431700370bf7f554ab6507c836a9aa19e47ff
+%global commit0 99b40c5013ec2720a04b1d3579ef888281714c35
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -16,37 +16,31 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-# Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
-
-# Version of SELinux we were using
-%global selinux_policyver 3.13.1-220
-
-%define epoch 2
-
 Name: container-selinux
 Epoch: 2
-Version: 2.138
+Version: 2.163
-Release: 5
+Release: 1
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+#fix ERROR 'unknown class lockdown' at token ';'
+Patch0: fix.patch
 BuildArch: noarch
-Patch1: 0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
+BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %{selinux_policyver}
+BuildRequires: selinux-policy >= %_selinux_policy_version
-BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %{selinux_policyver}
+Requires: selinux-policy >= %_selinux_policy_version
-Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
-Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: %{name} <= 2:1.12.5-14
 Obsoletes: docker-selinux <= 2:1.12.4-28
-Provides: docker-selinux = %{epoch}:%{version}-%{release}
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
 
 %description
 SELinux policy modules for use with container runtimes.
@@ -64,52 +58,56 @@ install -d %{buildroot}%{_datadir}/selinux/packages
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
 install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
-
+install -d %{buildroot}/%{_datadir}/containers/selinux
-# remove spec file
+install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
-rm -rf container-selinux.spec
 
 %check
 
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
 %post
 # Install all modules in a single transaction
 if [ $1 -eq 1 ]; then
-    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
+%selinux_modules_install -s %{selinuxtype} $MODULES
-if %{_sbindir}/selinuxenabled ; then
-    %{_sbindir}/load_policy
-    %relabel_files
-    if [ $1 -eq 1 ]; then
-	restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
-	restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
-    fi
-fi
 . %{_sysconfdir}/selinux/config
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
-
 %postun
 if [ $1 -eq 0 ]; then
-%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
+   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
-if %{_sbindir}/selinuxenabled ; then
-%{_sbindir}/load_policy
-%relabel_files
-fi
 fi
 
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
 
 %files
 %doc README.md
 %{_datadir}/selinux/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+    echo "Fixing Rootless SELinux labels in homedir"
+    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null
+fi
 
 %changelog
+* Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.163-1
+- Update container-selinux to v2.163.0
+
 * Tue Oct 26 2021 caodongxia <caodongxia@huawei.com> - 2.138-5
 - DESC: systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead
 

fix.patch

@@ -0,0 +1,12 @@
+diff -up container-selinux-2.161.1/container.te.orig container-selinux-2.161.1/container.te
+--- container-selinux-2.161.1/container.te.orig	2021-05-06 14:55:57.952216763 +0200
++++ container-selinux-2.161.1/container.te	2021-05-06 14:56:02.027287991 +0200
+@@ -114,7 +114,7 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
++#allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;