Sync from SUSE:SLFO:Main container-selinux revision 6e15bb214f0c643fb671f208114808ed
This commit is contained in:
@@ -1,3 +1,115 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 9 14:16:15 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
|
||||
|
||||
- Add BuildRequires selinux-policy-%{selinuxtype} to enable building
|
||||
for SLFO. Might be removed in the future again when 1231252
|
||||
is fixed.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 07 12:04:40 UTC 2024 - cathy.hu@suse.com
|
||||
|
||||
- Update to version 2.233.0:
|
||||
* container_engine_t: small change to allow non root exec in a container
|
||||
* RPM: explicitly list ghosted paths and skip mode verification
|
||||
* container-selinux install on non selinux-policy-targeted systems (#332)
|
||||
* set container_log_t type for /var/log/kube-apiserver
|
||||
* Allow kubelet_t to create a sock file kubelet_var_lib_t
|
||||
* dontaudit spc_t to mmap_zero
|
||||
* Packit: update targets (#330)
|
||||
* container_engine_t: another round of small improvements (#327)
|
||||
* Allow container_device_plugin_t to use the network (#325)
|
||||
* RPM: cleanup changelog (#324)
|
||||
* TMT: Simplify tests
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 10 07:52:16 UTC 2024 - cathy.hu@suse.com
|
||||
|
||||
- Update to version 2.232.1:
|
||||
* Bump to v2.232.1
|
||||
* TMT: fix srpm download syntax on rawhide
|
||||
* Bump to 2.232.0
|
||||
* Packit: remove `update_release` key from downstream jobs (#313)
|
||||
* Update container-selinux.8 man page
|
||||
* Add ownership of /usr/share/udica (#312)
|
||||
* Packit/TMT: upstream maintenance of downstream gating tests
|
||||
* extend container_engine_t again
|
||||
* Allow spc_t to use localectl
|
||||
* Allow spc_t to use timedatectl
|
||||
* introduce container_use_xserver_devices boolean to allow GPU access
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 06 07:36:02 UTC 2024 - jsegitz@suse.com
|
||||
|
||||
- Update to version 2.231.0:
|
||||
* Allow container domains to communicate with spc_t unix_stream_sockets
|
||||
* Move to %posttrans to ensure selinux-policy got updated before
|
||||
the commands run (bsc#1221720)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 10 15:47:15 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
|
||||
|
||||
- Manual update to version 2.230.0+git4.a8e389d to include this
|
||||
commit that is needed for the main selinux-policy update to work:
|
||||
* Rename all /var/run file context entries to /run
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 10 15:38:24 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
|
||||
|
||||
- Update to version 2.230.0:
|
||||
* Move to tar_scm based packaging: added _service and _servicedata
|
||||
* Allow containers to unmount file systems
|
||||
* Add buildah as a container_runtime_exec_t label
|
||||
* Additional rules for container_user_t
|
||||
* improve container_engine_t
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 11 08:37:53 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.228:
|
||||
* Allow container domains to watch fifo_files
|
||||
* container_engine_t: improve for podman in kubernetes case
|
||||
* Allow spc_t to transition to install_t domain
|
||||
* Default to allowing containers to use dri devices
|
||||
* Allow access to BPF Filesystems
|
||||
* Fix kubernetes transition rule
|
||||
* Label kubensenter as well as kubenswrapper
|
||||
* Allow container domains to execute container_runtime_tmpfs_t files
|
||||
* Allow container domains to ptrace themselves
|
||||
* Allow container domains to use container_runtime_tmpfs_t as an entrypoint
|
||||
* Add boolean to allow containers to use dri devices
|
||||
* Give containers access to pod resources endpoint
|
||||
* Label kubenswrapper kubelet_exec_t
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 20 14:21:29 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.222:
|
||||
* Allow containers to read/write inherited dri devices
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 15 05:48:12 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.221:
|
||||
* Allow containers to shutdown sockets inherited from container
|
||||
runtimes
|
||||
* Allow spc_t to use execmod libraries on container file systems
|
||||
* Add boolean to allow containers to read all cert files
|
||||
* More MLS Policy allow rules
|
||||
* Allow container runtimes using pasta bind icmp_socket to port_t
|
||||
* Fix spc_t transitions from container_runtime_domain
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 23 07:32:16 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.215.0:
|
||||
* Add some MLS rules to policy
|
||||
* Allow container runtime to dyntransition to spc_t
|
||||
* Tighten controls on confined users
|
||||
* Add labels for /var/lib/shared
|
||||
* Cleanup entrypoint definitions
|
||||
* Allow container_device_plugin_t access to debugfs
|
||||
* Allow containers which use devices to map them
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 24 07:24:46 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user