From 913c2876a8b21e8978d5cbf4e4158dd7046e632f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 12 2018 11:46:20 +0000
Subject: Allow container_runtimes to setattr on callers fifo_files
---
diff --git a/container-selinux.spec b/container-selinux.spec
index be54c4e..2b5276c 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,14 +2,8 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/container-selinux
-%if 0%{?fedora} || 0%{?rhel} > 7
-%global commit0 5721d746acccaa840a9af5be6ee30ca3b0c2a2bb
+%global commit0 f6c7f410ca8bfe20bd0a217dd75b22735a32f212
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
-%else
-# use upstream's RHEL-1.12 branch for CentOS 7
-%global el_commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
-%global shortcommit0 %(c=%{el_commit0}; echo ${c:0:7})
-%endif
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
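Review bot: The spec changes in this commit go well beyond what the 2.72-1 changelog bullet records: this hunk deletes the `%if 0%{?fedora} || 0%{?rhel} > 7` / `el_commit0` branch for CentOS 7, the same Fedora-only simplification continues in the selinux_policyver, Epoch/Source0, Requires(post) and %prep hunks, and the Requires(post) hunk additionally drops the `Requires(post): libsemanage >= 2.8-2` floor. None of that is traceable from the changelog, which only names the policy change. A second bullet under the 2.72-1 entry such as `- Drop RHEL/CentOS conditionals and the libsemanage >= 2.8-2 requirement from the spec` would let a reader of `rpm -q --changelog` see why the package no longer builds for those targets. The reason the libsemanage version floor was introduced is not visible in this patch, so whether it is safe to remove cannot be judged from here.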
@@ -26,26 +20,18 @@
 %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 # Version of SELinux we were using
-%if 0%{?fedora} >= 22 || 0%{?rhel} > 7
 %global selinux_policyver 3.13.1-220
-%else
-%global selinux_policyver 3.13.1-39
-%endif
 Name: container-selinux
-%if 0%{?fedora} || 0%{?centos} || 0%{?rhel} > 7
+%if 0%{?fedora}
 Epoch: 2
 %endif
-Version: 2.71
-Release: 2.git%{shortcommit0}%{?dist}
+Version: 2.72
+Release: 1.git%{shortcommit0}%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
-%if 0%{?fedora} || 0%{?rhel} >7
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-%else
-Source0: %{git0}/archive/%{el_commit0}/%{name}-%{shortcommit0}.tar.gz
-%endif
 BuildArch: noarch
 BuildRequires: git
 BuildRequires: pkgconfig(systemd)
@@ -56,13 +42,8 @@ Requires: selinux-policy >= %{selinux_policyver}
 Requires(post): selinux-policy-base >= %{selinux_policyver}
 Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
-%if 0%{?fedora} || 0%{?rhel} > 7
 Requires(post): policycoreutils-python-utils
-%else
-Requires(post): policycoreutils-python
-%endif
 Requires(post): libselinux-utils
-Requires(post): libsemanage >= 2.8-2
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
 Obsoletes: docker-selinux <= 2:1.12.4-28
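Review bot: `Epoch: 2` is now guarded by `%if 0%{?fedora}` alone, yet the rest of the spec still assumes the epoch exists: `Provides: docker-selinux = %{epoch}:%{version}-%{release}` (visible as the header context of the %prep hunk) expands `%{epoch}`, and the two Obsoletes tags in this hunk still compare against `2:1.12.5-13` and `2:1.12.4-28`. On any build where the fedora macro is unset, the Provides would carry an unexpanded epoch and the package NEVR would go from 2:2.71-2 to 0:2.72-1, which rpm orders as a downgrade, so the updated policy module would never be installed over the previous one. If the intent is to make the spec Fedora-only, the remaining `%if`/`%endif` pair adds nothing and the tag can simply be `Epoch: 2` unconditionally; if other targets are still meant to build, the Epoch has to stay on every target that previously carried it. The selinux_policyver and Source0 changes in this same hunk are consistent with the Fedora-only reading, so the conditional looks like a leftover rather than a deliberate choice.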
@@ -72,11 +53,7 @@ Provides: docker-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%if 0%{?fedora} || 0%{?rhel} > 7
 %autosetup -Sgit -n %{name}-%{commit0}
-%else
-%autosetup -Sgit -n %{name}-%{el_commit0}
-%endif
 %build
 make
@@ -116,6 +93,7 @@ fi
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
 %postun
 if [ $1 -eq 0 ]; then
 %{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
@@ -133,16 +111,18 @@ fi
 %{_datadir}/selinux/*
 %changelog
+* Wed Sep 12 2018 Dan Walsh - 2.72-1
+- Allow container_runtimes to setattr on callers fifo_files
+
 * Mon Aug 27 2018 Dan Walsh - 2.71-2
 - Fix restorecon to not error on missing directory
 * Wed Aug 22 2018 Dan Walsh - 2.71-1
 - Allow unconfined_r to transition to system_r over container_runtime_exec_t
+
+* Wed Aug 22 2018 Dan Walsh - 2.70-1
 - Allow unconfined_t to transition to container_runtime_t over container_runtime_exec_t
-* Fri Aug 10 2018 Dan Walsh - 2.69-3
-- Relabel /var/lib/containers if directory is mislabeled
-gi
 * Wed Jul 25 2018 Dan Walsh - 2.69-1
 - dontaudit attempts to write to sysctl_kernel_t