diff --git a/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch b/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
deleted file mode 100644
index 0a954e7..0000000
--- a/0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 2ab60ecaf03083775312e49a1c3cd98a8cb3eb46 Mon Sep 17 00:00:00 2001
-From: wujing
-Date: Mon, 30 Aug 2021 11:11:00 +0800
-Subject: [PATCH] systemd_dbus_chat_resolved has been deprecated, use
- systemd_chat_resolved instead
-
-Signed-off-by: wujing
----
- container.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/container.te b/container.te
-index d17e4fe..63c5379 100644
---- a/container.te
-+++ b/container.te
-@@ -427,7 +427,7 @@ modutils_domtrans_kmod(container_runtime_domain)
- systemd_status_all_unit_files(container_runtime_domain)
- systemd_start_systemd_services(container_runtime_domain)
- systemd_dbus_chat_logind(container_runtime_domain)
--systemd_dbus_chat_resolved(container_runtime_domain)
-+systemd_chat_resolved(container_runtime_domain)
- 
- userdom_stream_connect(container_runtime_domain)
- userdom_search_user_home_content(container_runtime_domain)
--- 
-2.31.1
-
diff --git a/container-selinux-9884317.tar.gz b/container-selinux-9884317.tar.gz
deleted file mode 100644
index ef21be8..0000000
Binary files a/container-selinux-9884317.tar.gz and /dev/null differ
diff --git a/container-selinux-99b40c5.tar.gz b/container-selinux-99b40c5.tar.gz
new file mode 100644
index 0000000..9c5168a
Binary files /dev/null and b/container-selinux-99b40c5.tar.gz differ
diff --git a/container-selinux.spec b/container-selinux.spec
index 2f55fe8..86150ff 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -1,8 +1,8 @@
 %global debug_package %{nil}
 
 # container-selinux
-%global git0 https://github.com/projectatomic/container-selinux
-%global commit0 988431700370bf7f554ab6507c836a9aa19e47ff
+%global git0 https://github.com/containers/container-selinux
+%global commit0 99b40c5013ec2720a04b1d3579ef888281714c35
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -16,37 +16,31 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-# Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
-
-# Version of SELinux we were using
-%global selinux_policyver 3.13.1-220
-
-%define epoch 2
-
 Name: container-selinux
 Epoch: 2
-Version: 2.138
-Release: 5
+Version: 2.163
+Release: 1
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+#fix ERROR 'unknown class lockdown' at token ';'
+Patch0: fix.patch
 BuildArch: noarch
-Patch1: 0001-systemd_dbus_chat_resolved-has-been-deprecated-use-s.patch
+BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy >= %{selinux_policyver}
-BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
-Requires: selinux-policy >= %{selinux_policyver}
-Requires(post): selinux-policy-base >= %{selinux_policyver}
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
-Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: %{name} <= 2:1.12.5-14
 Obsoletes: docker-selinux <= 2:1.12.4-28
-Provides: docker-selinux = %{epoch}:%{version}-%{release}
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
 
 %description
 SELinux policy modules for use with container runtimes.
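Review bot: The `Patch0:` comment records only the build error, not why the `lockdown` class is unknown on this target or when the patch can be dropped, and since the patch removes an `allow` rule from the shipped policy that condition matters to whoever next bumps selinux-policy. Suggest replacing `#fix ERROR 'unknown class lockdown' at token ';'` with `# The base selinux-policy this package builds against does not define the 'lockdown' object class; fix.patch drops the container_runtime_domain lockdown rule. Remove once selinux-policy defines the class.` and giving the file a descriptive name instead of `fix.patch`. The new `>= %_selinux_policy_version` floors also replace the explicit `selinux_policyver` value, so it is worth confirming the macro is defined wherever the SRPM is built; if it is not, the version expression is left as the literal macro text rather than resolving to a usable floor.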
@@ -64,52 +58,56 @@
 install -d %{buildroot}%{_datadir}/selinux/packages
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
 install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
-
-# remove spec file
-rm -rf container-selinux.spec
+install -d %{buildroot}/%{_datadir}/containers/selinux
+install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
 
 %check
 
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
 %post
 # Install all modules in a single transaction
 if [ $1 -eq 1 ]; then
- %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
 %{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
 %{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
-if %{_sbindir}/selinuxenabled ; then
- %{_sbindir}/load_policy
- %relabel_files
- if [ $1 -eq 1 ]; then
- restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
- restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
- fi
-fi
+%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
-
 %postun
 if [ $1 -eq 0 ]; then
-%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
-if %{_sbindir}/selinuxenabled ; then
-%{_sbindir}/load_policy
-%relabel_files
-fi
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
 fi
 
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
 
 %files
 %doc README.md
 %{_datadir}/selinux/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+ echo "Fixing Rootless SELinux labels in homedir"
+ %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null
+fi
 
 %changelog
+* Mon May 23 2022 duyiwei - 2.163-1
+- Update container-selinux to v2.163.0
+
 * Tue Oct 26 2021 caodongxia - 2.138-5
 - DESC: systemd_dbus_chat_resolved has been deprecated, use systemd_chat_resolved instead
 
diff --git a/fix.patch b/fix.patch
new file mode 100644
index 0000000..90293df
--- /dev/null
+++ b/fix.patch
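Review bot: The new `%triggerpostun` relabels only `/home/*/.local/share/containers/storage/overlay*`, so rootless storage for any account whose home directory is not directly under `/home` keeps its old labels, while the message claims the "homedir" was fixed; it also sends stderr to `/dev/null`, so a partial or failed relabel is invisible in the transaction log. Enumerating homes from the passwd database and only descending into directories that actually hold container storage would cover those accounts and keep the walk bounded; failures should at least be reported rather than discarded. Since the glob is expanded as root over user-controlled trees, the scriptlet also relies on `restorecon` walking physically (not following symlinks) to stay inside each user's storage — as far as I know that is its default, but it is worth stating in a comment next to the call. The uid floor below is a guess at the target's UID_MIN and should be taken from `/etc/login.defs` if the distro differs.

```rpm-spec
%triggerpostun -- container-selinux < 2:2.162.1-3
if %{_sbindir}/selinuxenabled ; then
    echo "Fixing Rootless SELinux labels in homedir"
    # Walk every local account's home, not just /home/*; restorecon does not
    # follow symlinks, so a user cannot steer the relabel outside their tree.
    getent passwd | awk -F: '$3 >= 1000 { print $6 }' | while read -r home; do
        [ -d "$home/.local/share/containers/storage" ] || continue
        %{_sbindir}/restorecon -R "$home"/.local/share/containers/storage/overlay* || \
            echo "warning: relabel of $home/.local/share/containers/storage failed" >&2
    done
fi
```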
@@ -0,0 +1,12 @@
+diff -up container-selinux-2.161.1/container.te.orig container-selinux-2.161.1/container.te
+--- container-selinux-2.161.1/container.te.orig 2021-05-06 14:55:57.952216763 +0200
++++ container-selinux-2.161.1/container.te 2021-05-06 14:56:02.027287991 +0200
+@@ -114,7 +114,7 @@ mls_trusted_object(container_runtime_t)
+ #
+ allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+ allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+-allow container_runtime_domain self:lockdown { confidentiality integrity };
++#allow container_runtime_domain self:lockdown { confidentiality integrity };
+ allow container_runtime_domain self:process ~setcurrent;
+ allow container_runtime_domain self:passwd rootok;
+ allow container_runtime_domain self:fd use;
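Review bot: The dropped rule is left as a bare commented-out `allow` with no explanation, so a later reader cannot tell whether this is a debugging leftover or a deliberate removal; the replacement line should say why, e.g. `# lockdown class is not defined by the base selinux-policy this package builds against; rule dropped until it is` in place of `#allow container_runtime_domain self:lockdown { confidentiality integrity };`. The patch header was generated against `container-selinux-2.161.1` while Source0 is the 2.163 commit, so confirm it still applies without fuzz or offset (the `%prep` section is not in this diff); a fuzzy apply on a file full of near-identical `allow` lines can land the deletion on the wrong rule without any error. Removing the rule also changes what `container_runtime_domain` is granted on hosts whose kernel does expose the `lockdown` class, and how the kernel treats accesses to a class absent from the loaded policy depends on that policy's handle-unknown setting, so this should be verified on the target rather than treated as a behaviour-neutral build fix.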