packages/container-selinux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!12 [sync] PR-11: Update container-selinux to v2.230.0

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl
This commit is contained in:
openeuler-ci-bot 2024-04-10 02:17:56 +00:00 committed by Gitee
commit 9761bc213b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 33 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux-99b40c5.tar.gz
View File

Binary file not shown.

48
container-selinux.spec
View File

@ -1,10 +1,5 @@
%global debug_package %{nil} %global debug_package %{nil}
# container-selinux
%global git0 https://github.com/containers/container-selinux
%global commit0 99b40c5013ec2720a04b1d3579ef888281714c35
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# container-selinux stuff (prefix with ds_ for version/release etc.) # container-selinux stuff (prefix with ds_ for version/release etc.)
# Some bits borrowed from the openstack-selinux package # Some bits borrowed from the openstack-selinux package
%global selinuxtype targeted %global selinuxtype targeted
@ -18,15 +13,14 @@
Name: container-selinux Name: container-selinux
Epoch: 2 Epoch: 2
Version: 2.163 Version: 2.230.0
Release: 1 Release: 1
License: GPLv2 License: GPL-2.0-only
URL: %{git0} URL: https://github.com/containers/%{name}
Summary: SELinux policies for container runtimes Summary: SELinux policies for container runtimes
Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source0: %{url}/archive/v%{version}.tar.gz
#fix ERROR 'unknown class lockdown' at token ';'
Patch0: fix.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: make
BuildRequires: git-core BuildRequires: git-core
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy >= %_selinux_policy_version BuildRequires: selinux-policy >= %_selinux_policy_version
@ -38,7 +32,7 @@ Requires(post): selinux-policy-targeted >= %_selinux_policy_version
Requires(post): policycoreutils Requires(post): policycoreutils
Requires(post): libselinux-utils Requires(post): libselinux-utils
Requires(post): sed Requires(post): sed
Obsoletes: %{name} <= 2:1.12.5-14 Obsoletes: %{name} <= 2:1.12.5-13
Obsoletes: docker-selinux <= 2:1.12.4-28 Obsoletes: docker-selinux <= 2:1.12.4-28
Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
@ -46,7 +40,10 @@ Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
SELinux policy modules for use with container runtimes. SELinux policy modules for use with container runtimes.
%prep %prep
%autosetup -n %{name}-%{commit0} -p1 %autosetup -Sgit %{name}-%{version}
sed -i 's/^man: install-policy/man:/' Makefile
sed -i 's/^install: man/install:/' Makefile
%build %build
make make
@ -54,14 +51,10 @@ make
%install %install
# install policy modules # install policy modules
%_format MODULES $x.pp.bz2 %_format MODULES $x.pp.bz2
install -d %{buildroot}%{_datadir}/selinux/packages %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}/%{_datadir}/containers/selinux
install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
%check # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
rm %{buildroot}%{_mandir}/man8/container_selinux.8
%pre %pre
%selinux_relabel_pre -s %{selinuxtype} %selinux_relabel_pre -s %{selinuxtype}
@ -96,7 +89,12 @@ fi
%{_datadir}/selinux/* %{_datadir}/selinux/*
%dir %{_datadir}/containers/selinux %dir %{_datadir}/containers/selinux
%{_datadir}/containers/selinux/contexts %{_datadir}/containers/selinux/contexts
%dir %{_datadir}/udica/templates/
%{_datadir}/udica/templates/*
# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
#%%{_mandir}/man8/container_selinux.8.gz
%{_sysconfdir}/selinux/targeted/contexts/users/*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
%triggerpostun -- container-selinux < 2:2.162.1-3 %triggerpostun -- container-selinux < 2:2.162.1-3
if %{_sbindir}/selinuxenabled ; then if %{_sbindir}/selinuxenabled ; then
@ -105,6 +103,14 @@ if %{_sbindir}/selinuxenabled ; then
fi fi
%changelog %changelog
* Tue Apr 09 2024 lijian <lijian2@kylinos.cn> - 2:2.230.0-1
- Update container-selinux to v2.230.0
- Allow containers to unmount file systems
- Add buildah as a container_runtime_exec_t label
- Additional rules for container_user_t
- Add some MLS rules to policy
- Add container_file_t and container_ro_file_t as user_home_type
* Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.163-1 * Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.163-1
- Update container-selinux to v2.163.0 - Update container-selinux to v2.163.0

4
container-selinux.yaml Normal file
View File

@ -0,0 +1,4 @@
version_control: github
src_repo: containers/container-selinux
tag_prefix: ^v
seperator: .

12
fix.patch
View File

@ -1,12 +0,0 @@
diff -up container-selinux-2.161.1/container.te.orig container-selinux-2.161.1/container.te
--- container-selinux-2.161.1/container.te.orig 2021-05-06 14:55:57.952216763 +0200
+++ container-selinux-2.161.1/container.te 2021-05-06 14:56:02.027287991 +0200
@@ -114,7 +114,7 @@ mls_trusted_object(container_runtime_t)
#
allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
-allow container_runtime_domain self:lockdown { confidentiality integrity };
+#allow container_runtime_domain self:lockdown { confidentiality integrity };
allow container_runtime_domain self:process ~setcurrent;
allow container_runtime_domain self:passwd rootok;
allow container_runtime_domain self:fd use;

BIN
v2.230.0.tar.gz Normal file
View File

Binary file not shown.