From 5ee573aa1ce2b1bb619ceb71dd8bbca8f9595008 Mon Sep 17 00:00:00 2001
From: zhuchunyi
Date: Wed, 6 Nov 2019 19:04:45 +0800
Subject: [PATCH] update code

---
 container-selinux-d7a3f33.tar.gz | Bin 0 -> 17791 bytes
 container-selinux.spec           | 431 +++++++++++++++++++++++++++++++
 2 files changed, 431 insertions(+)
 create mode 100644 container-selinux-d7a3f33.tar.gz
 create mode 100644 container-selinux.spec

diff --git a/container-selinux-d7a3f33.tar.gz b/container-selinux-d7a3f33.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..7707fb58760f82e230fd0d58b1d5cac9ba02b20a GIT binary patch literal 17791
diff --git a/container-selinux.spec b/container-selinux.spec new file mode 100644 index 0000000..4d442d0 --- /dev/null +++ b/container-selinux.spec
@@ -0,0 +1,431 @@ +%global debug_package %{nil} + +# container-selinux +%global git0 https://github.com/projectatomic/container-selinux +%global commit0 d7a3f33548ae5c5912006dc2b14270d650f5e52f +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) + +# container-selinux stuff (prefix with ds_ for version/release etc.) +# Some bits borrowed from the openstack-selinux package +%global selinuxtype targeted +%global moduletype services +%global modulenames container + +# Usage: _format var format +# Expand 'modulenames' into various formats as needed +# Format must contain '$x' somewhere to do anything useful +%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; + +# Relabel files +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : + +# Version of SELinux we were using +%global selinux_policyver 3.13.1-220 + +%define epoch 2 + +Name: container-selinux +Epoch: 2 +Version: 2.73 +Release: 3.git%{shortcommit0} +License: GPLv2 +URL: %{git0} +Summary: SELinux policies for container runtimes +Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +BuildArch: noarch +BuildRequires: git +BuildRequires: pkgconfig(systemd) +BuildRequires: selinux-policy >= %{selinux_policyver} +BuildRequires: selinux-policy-devel >= %{selinux_policyver} +# RE: rhbz#1195804 - ensure min NVR for selinux-policy +Requires: selinux-policy >= %{selinux_policyver} +Requires(post): selinux-policy-base >= %{selinux_policyver} +Requires(post): selinux-policy-targeted 
>= %{selinux_policyver} +Requires(post): policycoreutils +Requires(post): libselinux-utils +Requires(post): sed +Obsoletes: %{name} <= 2:1.12.5-13 +Obsoletes: docker-selinux <= 2:1.12.4-28 +Provides: docker-selinux = %{epoch}:%{version}-%{release} + +%description +SELinux policy modules for use with container runtimes. + +%prep +%autosetup -Sgit -n %{name}-%{commit0} + +%build +make + +%install +# install policy modules +%_format MODULES $x.pp.bz2 +install -d %{buildroot}%{_datadir}/selinux/packages +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services +install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services +install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages + +# remove spec file +rm -rf container-selinux.spec + +%check + +%post +# Install all modules in a single transaction +if [ $1 -eq 1 ]; then + %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 +fi +%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 +%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null +%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null +%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null +%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + %relabel_files + if [ $1 -eq 1 ]; then + restorecon -R %{_sharedstatedir}/docker &> /dev/null || : + restorecon -R %{_sharedstatedir}/containers &> /dev/null || : + fi +fi +. 
%{_sysconfdir}/selinux/config +sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types +matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : + + +%postun +if [ $1 -eq 0 ]; then +%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || : +if %{_sbindir}/selinuxenabled ; then +%{_sbindir}/load_policy +%relabel_files +fi +fi + +#define license tag if not already defined +%{!?_licensedir:%global license %doc} + +%files +%doc README.md +%{_datadir}/selinux/* + +%changelog +* Thu Sep 14 2019 openEuler Buildteam - 2.73-3 +- Package init + +* Sat Sep 22 2018 Dan Walsh - 2.73-2 +- Remove requires for policycoreutils-python-utils we don't need it. + +* Wed Sep 12 2018 Dan Walsh - 2.73-1 +- Define spc_t as a container_domain, so that container_runtime will transition +to spc_t even when setup with nosuid. + +* Wed Sep 12 2018 Dan Walsh - 2.72-1 +- Allow container_runtimes to setattr on callers fifo_files + +* Mon Aug 27 2018 Dan Walsh - 2.71-2 +- Fix restorecon to not error on missing directory + +* Wed Aug 22 2018 Dan Walsh - 2.71-1 +- Allow unconfined_r to transition to system_r over container_runtime_exec_t + +* Wed Aug 22 2018 Dan Walsh - 2.70-1 +- Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t + +* Wed Jul 25 2018 Dan Walsh - 2.69-1 +- dontaudit attempts to write to sysctl_kernel_t + +* Wed Jul 18 2018 Lokesh Mandvekar (Bot) - 2:2.68-2.gitc139a3d +- autobuilt c139a3d + +* Mon Jul 16 2018 Dan Walsh - 2.67-1 +- Add label for /var/lib/origin +- Add customizable_file_t to customizable_types + +* Thu Jul 12 2018 Fedora Release Engineering - 2:2.67-3.dev.git042f7cf +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Lokesh Mandvekar (Bot) - 2:2.67-2.git042f7cf +- autobuilt 042f7cf + +* Sat Jul 07 2018 Lokesh Mandvekar (Bot) - 
2:2.67-1.git0407867 +- bump to 2.67 +- autobuilt 0407867 + +* Sat Jun 30 2018 Dan Walsh - 2.66-1 +- Allow container runtimes to dbus chat with systemd-resolved + +* Tue Jun 12 2018 Lokesh Mandvekar (Bot) - 2:2.64-1.gitdfaf8fd +- bump to 2.64 +- autobuilt dfaf8fd + +* Mon Jun 11 2018 Dan Walsh - 2.65-1 +- Add new type to handle containers running with a non priv user in a userns +- allow containers to map all sockets + +* Sun Jun 3 2018 Dan Walsh - 2.64-1.gitdfaf8fd +- Allow containers to create all socket classes + +* Wed May 30 2018 Dan Walsh - 2.63-1 +- Allow containers to create icmp packets + +* Fri May 25 2018 Lokesh Mandvekar (Bot) - 2:2.62-1.git1ecf953 +- bump to 2.62 +- autobuilt 1ecf953 + +* Mon May 21 2018 Dan Walsh - 2.61-1 +- Allow spc_t to load kernel modules from inside of container + +* Mon May 21 2018 Dan Walsh - 2.60-1 +- Allow containers to list cgroup directories + +* Mon May 21 2018 Dan Walsh - 2.59-1 +- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t. 
+ +* Mon May 21 2018 Dan Walsh - 2.58-2 +- Run restorecon /usr/bin/podman in postinstall + +* Fri May 18 2018 Dan Walsh - 2.58-1 +- Add labels to allow podman to be run from a systemd unit file + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-12.gitd248f91 +- autobuilt commit d248f91 + +* Tue Apr 17 2018 Lokesh Mandvekar (Bot) - 2:2.55-11.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-10.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-9.gitd248f91 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-8 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-7 +- autobuilt commit d248f91 + +* Mon Apr 16 2018 Lokesh Mandvekar (Bot) - 2:2.55-6 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-5 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar (Bot) - 2:2.55-4 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-3 +- autobuilt commit d248f91 + +* Mon Apr 09 2018 Lokesh Mandvekar - 2:2.55-2 +- autobuilt commit d248f91 + +* Thu Mar 15 2018 Dan Walsh - 2.55-1 +- Dontaudit attempts by containers to write to /proc/self + +* Wed Mar 14 2018 Dan Walsh - 2.54-1 +- Add rules for container domains to make writing custom policy easier +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Thu Mar 8 2018 Dan Walsh - 2.52-1 +- Add rules for container domains to make writing custom policy easier + +* Thu Mar 8 2018 Dan Walsh - 2.51-1 +- Allow shell_exec_t as a container_runtime_t entrypoint + +* Wed Mar 7 2018 Dan Walsh - 2.50-1 +- Allow bin_t as a container_runtime_t entrypoint +- Add rules for running container runtimes on mls + +* Thu Feb 15 2018 Dan Walsh - 2.48-1 +- Allow container domains to map container_file_t directories + +* Sat Feb 10 2018 Dan Walsh - 2.47-1 +- Change default label of /exports to container_var_lib_t + +* Fri Feb 09 2018 Igor Gnatenko - 
2:2.46-3 +- Escape macros in %%CHANGELOG + +* Wed Feb 07 2018 Fedora Release Engineering - 2:2.46-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Dan Walsh - 2.46-1 +- Add support for nosuid_transition flags for container_runtime and unconfined domains +* Fri Feb 02 2018 Dan Walsh - 2.45-1 +- Allow containers to sendto their own stream sockets + +* Mon Jan 29 2018 Dan Walsh - 2.44-1 +- Allow container domains to read kernel ipc info + +* Mon Jan 22 2018 Dan Walsh - 2.43-1 +- Allow containers to memory map the fifo_files leaked into container from +container runtimes. + +* Tue Jan 16 2018 Dan Walsh - 2.42-1 +- Allow unconfined domains to transition to container types, when no-new-privs is set. + +* Tue Jan 9 2018 Dan Walsh - 2.41-1 +- Add support to nnp_transition for container domains +- Eliminates need for typebounds. + +* Tue Jan 9 2018 Dan Walsh - 2.40-1 +- Allow container_runtime_t to use user ttys +- Fixes bounds check for container_t + +* Mon Jan 8 2018 Dan Walsh - 2.39-1 +- Allow container runtimes to use interited terminals. This helps +satisfy the bounds check of container_t versus container_runtime_t. + +* Sat Jan 6 2018 Dan Walsh - 2.38-1 +- Allow container runtimes to mmap container_file_t devices +- Add labeling for rhel push plugin + +* Tue Dec 12 2017 Dan Walsh - 2.37-1 +- Allow containers to use inherited ttys +- Allow ostree to handle labels under /var/lib/containers/ostree + +* Mon Nov 27 2017 Dan Walsh - 2.36-1 +- Allow containers to relabelto/from all file types to container_file_t + +* Mon Nov 27 2017 Dan Walsh - 2.35-1 +- Allow container to map chr_files labeled container_file_t + +* Wed Nov 22 2017 Dan Walsh - 2.34-1 +- Dontaudit container processes getattr on kernel file systems + +* Sun Nov 19 2017 Dan Walsh - 2.33-1 +- Allow containers to read /etc/resolv.conf and /etc/hosts if volume +- mounted into container. 
+ +* Wed Nov 8 2017 Dan Walsh - 2.32-1 +- Make sure users creating content in /var/lib with right labels + +* Thu Oct 26 2017 Dan Walsh - 2.31-1 +- Allow the container runtime to dbus chat with dnsmasq +- add dontaudit rules for container trying to write to /proc + +* Tue Oct 10 2017 Dan Walsh - 2.29-1 +- Add support for lxcd +- Add support for labeling of tmpfs storage created within a container. + +* Mon Oct 9 2017 Dan Walsh - 2.28-1 +- Allow a container to umount a container_file_t filesystem + +* Fri Sep 22 2017 Dan Walsh - 2.27-1 +- Allow container runtimes to work with the netfilter sockets +- Allow container_file_t to be an entrypoint for VM's +- Allow spc_t domains to transition to svirt_t + +* Fri Sep 22 2017 Dan Walsh - 2.24-1 +- Make sure container_runtime_t has all access of container_t + +* Thu Sep 7 2017 Dan Walsh - 2.23-1 +- Allow container runtimes to create sockets in tmp dirs + +* Tue Sep 5 2017 Dan Walsh - 2.22-1 +- Add additonal support for crio labeling. + +* Mon Aug 14 2017 Troy Dawson - 2.21-3 +- Fixup spec file conditionals + +* Wed Jul 26 2017 Fedora Release Engineering - 2:2.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jul 6 2017 Dan Walsh - 2.21-1 +- Allow containers to execmod on container_share_t files. 
+ +* Thu Jul 6 2017 Dan Walsh - 2.20-2 +- Relabel runc and crio executables + +* Fri Jun 30 2017 Dan Walsh - 2.20-1 +- Allow container processes to getsession + +* Mon Jun 12 2017 Dan Walsh - 2.19-1 +- Allow containers to create tun sockets + +* Tue Jun 6 2017 Dan Walsh - 2.18-1 +- Fix labeling for CRI-O files in overlay subdirs + +* Mon Jun 5 2017 Dan Walsh - 2.17-1 +- Revert change to run the container_runtime as ranged + +* Thu Jun 1 2017 Dan Walsh - 2.16-1 +- Add default labeling for cri-o in /etc/crio directories + +* Wed May 31 2017 Dan Walsh - 2.15-1 +- Allow container types to read/write container_runtime fifo files +- Allow a container runtime to mount on top of its own /proc + +* Fri May 19 2017 Dan Walsh - 2.14-1 +- Add labels for crio rename +- Break container_t rules out to use a separate container_domain +- Allow containers to be able to set namespaced SYCTLS +- Allow sandbox containers manage fuse files. +- Fixes to make container_runtimes work on MLS machines +- Bump version to allow handling of container_file_t filesystems +- Allow containers to mount, remount and umount container_file_t file systems +- Fixes to handle cap_userns +- Give container_t access to XFRM sockets +- Allow spc_t to dbus chat with init system +- Allow spc_t to dbus chat with init system +- Add rules to allow container runtimes to run with unconfined disabled +- Add rules to support cgroup file systems mounted into container. +- Fix typebounds entrypoint problems +- Fix typebounds problems +- Add typebounds statement for container_t from container_runtime_t +- We should only label runc not runc* + +* Tue Feb 28 2017 Dan Walsh - 2.10-1 +- Add rules to allow container runtimes to run with unconfined disabled +- Add rules to support cgroup file systems mounted into container. 
+ +* Mon Feb 13 2017 Dan Walsh - 2.9-1 +- Add rules to allow container_runtimes to run with unconfined disabled + +* Thu Feb 9 2017 Dan Walsh - 2:8.1-1 +- Allow container_file_t to be stored on cgroup_t file systems + +* Tue Feb 7 2017 Dan Walsh - 2:7.1-1 +- Fix type in container interface file + +* Mon Feb 6 2017 Dan Walsh - 2:6.1-1 +- Fix typebounds entrypoint problems + +* Fri Jan 27 2017 Dan Walsh - 2:5.1-1 +- Fix typebounds problems + +* Thu Jan 19 2017 Dan Walsh - 2:4.1-1 +- Add typebounds statement for container_t from container_runtime_t +- We should only label runc not runc* + +* Tue Jan 17 2017 Dan Walsh - 2:3.1-1 +- Fix labeling on /usr/bin/runc.* +- Add sandbox_net_domain access to container.te +- Remove containers ability to look at /etc content + +* Wed Jan 11 2017 Lokesh Mandvekar - 2:2.2-4 +- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7 + +* Tue Jan 10 2017 Jonathan Lebon - 2:2.2-3 +- properly disable docker module in %%post + +* Sat Jan 07 2017 Lokesh Mandvekar - 2:2.2-2 +- depend on selinux-policy-targeted +- relabel docker-latest* files as well + +* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.2-1 +- bump to v2.2 +- additional labeling for ocid + +* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.0-2 +- install policy at level 200 +- From: Dan Walsh + +* Fri Jan 06 2017 Lokesh Mandvekar - 2:2.0-1 +- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a +standalone package) +- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel + +* Mon Dec 19 2016 Lokesh Mandvekar - 2:1.12.4-29 +- new package (separated from docker)
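
Review bot: The 17791-byte container-selinux-d7a3f33.tar.gz is added as a binary literal under the commit message "update code", with no upstream URL or checksum recorded, so the patch gives no way to confirm the archive is the one Source0 names for commit0 d7a3f33548ae5c5912006dc2b14270d650f5e52f. State the origin in the commit message and record a SHA-256 of the tarball that is checked before the build, so that a swapped or modified archive is detectable.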
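
Review bot: In %post of container-selinux.spec the policy store is chosen two different ways: the semodule calls pass -s %{selinuxtype}, which this spec fixes to targeted, while the customizable_types edit that follows sources %{_sysconfdir}/selinux/config and writes under /etc/selinux/${SELINUXTYPE}. On a host configured for another policy type the module is installed into one store and the container_file_t entry is added to another, and if the config file is missing or leaves SELINUXTYPE unset the sed -i targets /etc/selinux//contexts/customizable_types with its failure unhandled. Use one source for the type in both places and guard the sourced file. Two smaller points in the same hunk: %postun calls semodule, selinuxenabled, load_policy and restorecon, but policycoreutils and libselinux-utils are declared only as Requires(post), so add matching Requires(postun); and the new changelog entry "Thu Sep 14 2019" names the wrong weekday (14 Sep 2019 was a Saturday), which rpmbuild reports as a bogus date.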