|
Lokesh Mandvekar |
7fa12a |
%global debug_package %{nil}
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# container-selinux
|
|
Lokesh Mandvekar |
7fa12a |
%global git0 https://github.com/projectatomic/container-selinux
|
|
Lokesh Mandvekar |
7fa12a |
%if 0%{?fedora}
|
|
Lokesh Mandvekar |
98c88e |
%global commit0 bcdcb9a0aa3476e9f17fd383cf61a91921d7782c
|
|
Lokesh Mandvekar |
7fa12a |
%else
|
|
Lokesh Mandvekar |
7fa12a |
%global commit0 a85092bf995b99f26b9be7103345805f846f647c
|
|
Lokesh Mandvekar |
7fa12a |
%endif
|
|
Lokesh Mandvekar |
7fa12a |
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# container-selinux stuff (prefix with ds_ for version/release etc.)
|
|
Lokesh Mandvekar |
7fa12a |
# Some bits borrowed from the openstack-selinux package
|
|
Lokesh Mandvekar |
7fa12a |
%global selinuxtype targeted
|
|
Lokesh Mandvekar |
7fa12a |
%global moduletype services
|
|
Lokesh Mandvekar |
7fa12a |
%global modulenames container
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# Usage: _format var format
|
|
Lokesh Mandvekar |
7fa12a |
# Expand 'modulenames' into various formats as needed
|
|
Lokesh Mandvekar |
7fa12a |
# Format must contain '$x' somewhere to do anything useful
|
|
Lokesh Mandvekar |
7fa12a |
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# Relabel files
|
|
Lokesh Mandvekar |
7fa12a |
%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker &> /dev/null || :
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# Version of SELinux we were using
|
|
Lokesh Mandvekar |
7fa12a |
%if 0%{?fedora} >= 22
|
|
Lokesh Mandvekar |
7fa12a |
%global selinux_policyver 3.13.1-220
|
|
Lokesh Mandvekar |
7fa12a |
%else
|
|
Lokesh Mandvekar |
7fa12a |
%global selinux_policyver 3.13.1-39
|
|
Lokesh Mandvekar |
7fa12a |
%endif
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
Name: container-selinux
|
|
Lokesh Mandvekar |
7fa12a |
%if 0%{?fedora} || 0%{?centos}
|
|
Lokesh Mandvekar |
7fa12a |
Epoch: 2
|
|
Lokesh Mandvekar |
7fa12a |
%endif
|
|
Lokesh Mandvekar |
98c88e |
Version: 2.2
|
|
Lokesh Mandvekar |
98c88e |
Release: 1%{?dist}
|
|
Lokesh Mandvekar |
7fa12a |
License: GPLv2
|
|
Lokesh Mandvekar |
7fa12a |
URL: %{git0}
|
|
Lokesh Mandvekar |
7fa12a |
Summary: SELinux policies for container runtimes
|
|
Lokesh Mandvekar |
7fa12a |
Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
|
Lokesh Mandvekar |
7fa12a |
BuildArch: noarch
|
|
Lokesh Mandvekar |
7fa12a |
BuildRequires: git
|
|
Lokesh Mandvekar |
7fa12a |
BuildRequires: pkgconfig(systemd)
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
|
|
Lokesh Mandvekar |
7fa12a |
Requires: selinux-policy >= %{selinux_policyver}
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
BuildRequires: selinux-policy
|
|
Lokesh Mandvekar |
7fa12a |
BuildRequires: selinux-policy-devel
|
|
Lokesh Mandvekar |
7fa12a |
Requires(post): selinux-policy-base >= %{selinux_policyver}
|
|
Lokesh Mandvekar |
7fa12a |
Requires(post): policycoreutils
|
|
Lokesh Mandvekar |
7fa12a |
%if 0%{?fedora}
|
|
Lokesh Mandvekar |
7fa12a |
Requires(post): policycoreutils-python-utils
|
|
Lokesh Mandvekar |
7fa12a |
%else
|
|
Lokesh Mandvekar |
7fa12a |
Requires(post): policycoreutils-python
|
|
Lokesh Mandvekar |
7fa12a |
%endif
|
|
Lokesh Mandvekar |
7fa12a |
Requires(post): libselinux-utils
|
|
Lokesh Mandvekar |
7fa12a |
Obsoletes: %{name} <= 2:1.12.5-13
|
|
Lokesh Mandvekar |
7fa12a |
Obsoletes: docker-selinux <= 2:1.12.4-28
|
|
Lokesh Mandvekar |
7fa12a |
Provides: docker-selinux = %{epoch}:%{version}-%{release}
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%description
|
|
Lokesh Mandvekar |
7fa12a |
SELinux policy modules for use with container runtimes.
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%prep
|
|
Lokesh Mandvekar |
7fa12a |
%autosetup -Sgit -n %{name}-%{commit0}
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%build
|
|
Lokesh Mandvekar |
7fa12a |
make
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%install
|
|
Lokesh Mandvekar |
7fa12a |
# install policy modules
|
|
Lokesh Mandvekar |
7fa12a |
%_format MODULES $x.pp.bz2
|
|
Lokesh Mandvekar |
7fa12a |
install -d %{buildroot}%{_datadir}/selinux/packages
|
|
Lokesh Mandvekar |
7fa12a |
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
Lokesh Mandvekar |
7fa12a |
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
Lokesh Mandvekar |
7fa12a |
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
# remove %%{repo}-selinux rpm spec file
|
|
Lokesh Mandvekar |
7fa12a |
rm -rf container-selinux.spec
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%check
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%post
|
|
Lokesh Mandvekar |
7fa12a |
# Install all modules in a single transaction
|
|
Lokesh Mandvekar |
7fa12a |
if [ $1 -eq 1 ]; then
|
|
Lokesh Mandvekar |
7fa12a |
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
|
Lokesh Mandvekar |
7fa12a |
fi
|
|
Lokesh Mandvekar |
7fa12a |
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
|
|
Daniel J Walsh |
85f5b3 |
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
|
|
Daniel J Walsh |
85f5b3 |
%{_sbindir}/semodule -n -s %{selinuxtype} -d %{repo} 2> /dev/null
|
|
Daniel J Walsh |
85f5b3 |
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
|
|
Daniel J Walsh |
85f5b3 |
%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
|
|
Lokesh Mandvekar |
7fa12a |
if %{_sbindir}/selinuxenabled ; then
|
|
Lokesh Mandvekar |
7fa12a |
%{_sbindir}/load_policy
|
|
Lokesh Mandvekar |
7fa12a |
%relabel_files
|
|
Lokesh Mandvekar |
7fa12a |
if [ $1 -eq 1 ]; then
|
|
Daniel J Walsh |
85f5b3 |
restorecon -R %{_sharedstatedir}/%{repo} &> /dev/null || :
|
|
Lokesh Mandvekar |
7fa12a |
fi
|
|
Lokesh Mandvekar |
7fa12a |
fi
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%postun
|
|
Lokesh Mandvekar |
7fa12a |
if [ $1 -eq 0 ]; then
|
|
Lokesh Mandvekar |
7fa12a |
%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
|
|
Lokesh Mandvekar |
7fa12a |
if %{_sbindir}/selinuxenabled ; then
|
|
Lokesh Mandvekar |
7fa12a |
%{_sbindir}/load_policy
|
|
Lokesh Mandvekar |
7fa12a |
%relabel_files
|
|
Lokesh Mandvekar |
7fa12a |
fi
|
|
Lokesh Mandvekar |
7fa12a |
fi
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
#define license tag if not already defined
|
|
Lokesh Mandvekar |
7fa12a |
%{!?_licensedir:%global license %doc}
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%files
|
|
Lokesh Mandvekar |
7fa12a |
%doc README.md
|
|
Lokesh Mandvekar |
7fa12a |
%{_datadir}/selinux/*
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
%changelog
|
|
Lokesh Mandvekar |
98c88e |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-1
|
|
Lokesh Mandvekar |
98c88e |
- bump to v2.2
|
|
Lokesh Mandvekar |
98c88e |
- additional labeling for ocid
|
|
Lokesh Mandvekar |
98c88e |
|
|
Lokesh Mandvekar |
57ea4c |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-2
|
|
Lokesh Mandvekar |
57ea4c |
- install policy at level 200
|
|
Lokesh Mandvekar |
57ea4c |
- From: Dan Walsh <dwalsh@redhat.com>
|
|
Lokesh Mandvekar |
57ea4c |
|
|
Lokesh Mandvekar |
7fa12a |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-1
|
|
Lokesh Mandvekar |
7fa12a |
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
|
|
Lokesh Mandvekar |
7fa12a |
standalone package)
|
|
Lokesh Mandvekar |
7fa12a |
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
|
|
Lokesh Mandvekar |
7fa12a |
|
|
Lokesh Mandvekar |
7fa12a |
* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:1.12.4-29
|
|
Lokesh Mandvekar |
7fa12a |
- new package (separated from docker)
|