Compare commits
1 Commits
Author | SHA256 | Date | |
---|---|---|---|
993ff04b4b |
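--- a/_service
+++ b/_service
@@ -1,21 +0,0 @@
-<services>
-<service name="tar_scm" mode="manual">
-<param name="version">_auto_</param>
-<param name="versionformat">@PARENT_TAG@</param>
-<param name="url">https://github.com/containers/container-selinux.git</param>
-<param name="scm">git</param>
-<param name="changesgenerate">enable</param>
-<param name="match-tag">v*</param>
-<param name="revision">@PARENT_TAG@</param>
-<param name="versionrewrite-pattern">v(.*)</param>
-<param name="versionrewrite-replacement">\1</param>
-</service>
-<service name="recompress" mode="manual">
-<param name="compression">xz</param>
-<param name="file">*.tar</param>
-</service>
-<service name="set_version" mode="manual" >
-<param name="file">container-selinux.spec</param>
-</service>
-</services>
-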
@@ -1,4 +0,0 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="changesrevision">36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c</param></service></servicedata>
|
BIN
container-selinux-2.236.0.tar.xz
(Stored with Git LFS)
Normal file
BIN
container-selinux-2.236.0.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
container-selinux-2.239.0.tar.xz
(Stored with Git LFS)
BIN
container-selinux-2.239.0.tar.xz
(Stored with Git LFS)
Binary file not shown.
@@ -1,28 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 24 12:22:54 UTC 2025 - Robert Frohl <rfrohl@suse.com>
|
||||
|
||||
- Add workaround for rootless docker iptables AVCs (bsc#1246348)
|
||||
adding rootless-docker_iptables.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 7 08:41:20 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.239.0:
|
||||
* Allow containers to use hsa devices for ROCM
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 02 07:13:46 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 2.238.0:
|
||||
* label /run/sysctl.d correctly on creation
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 29 08:47:24 UTC 2025 - jsegitz@suse.com
|
||||
|
||||
- Update to version 2.237.0:
|
||||
* bootc/install_t: allow transition to container_runtime_t
|
||||
* Allow containers to mask parts of their /proc
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 31 12:35:29 UTC 2025 - jsegitz@suse.com
|
||||
|
||||
|
@@ -25,24 +25,23 @@
|
||||
%global _format() export %{1}=""; for x in %{modulenames}; do %{1}+=%{2}; %{1}+=" "; done;
|
||||
# Version of SELinux we were using
|
||||
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
|
||||
%define no_user_namespace 0
|
||||
Name: container-selinux
|
||||
Version: 2.239.0
|
||||
Version: 2.236.0
|
||||
Release: 0
|
||||
Summary: SELinux policies for container runtimes
|
||||
License: GPL-2.0-only
|
||||
URL: https://github.com/containers/container-selinux
|
||||
Source0: container-selinux-%{version}.tar.xz
|
||||
# PATCH-FIX-UPSTREAM rootless-docker_iptables.patch https://github.com/containers/container-selinux/pull/388
|
||||
Patch01: rootless-docker_iptables.patch
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildRequires: selinux-policy-%{selinuxtype}
|
||||
Requires: selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
|
||||
Requires(posttrans): policycoreutils
|
||||
Requires(posttrans): /usr/bin/sed
|
||||
Requires(posttrans): selinux-policy-base >= %{selinux_policyver}
|
||||
Requires(posttrans): selinux-policy-targeted >= %{selinux_policyver}
|
||||
Requires(posttrans): selinux-tools
|
||||
Requires(post): policycoreutils
|
||||
Requires(post): /usr/bin/sed
|
||||
Requires(post): selinux-policy-base >= %{selinux_policyver}
|
||||
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
|
||||
Requires(post): selinux-tools
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
@@ -50,7 +49,9 @@ SELinux policy modules for use with container runtimes.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -P 1 -p1
|
||||
%if %{defined no_user_namespace}
|
||||
sed -i '/user_namespace/d' container.te
|
||||
%endif
|
||||
|
||||
%build
|
||||
%make_build
|
||||
@@ -74,12 +75,7 @@ install -pm 0644 container_selinux.8 %{buildroot}%{_mandir}/man8/
|
||||
%pre
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%postun
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
%post
|
||||
# Install all modules in a single transaction
|
||||
if [ $1 -eq 1 ]; then
|
||||
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
||||
@@ -92,6 +88,13 @@ fi
|
||||
. %{_sysconfdir}/selinux/config
|
||||
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types
|
||||
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
|
||||
|
||||
%postun
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%files
|
||||
|
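Review bot: The `%if %{defined no_user_namespace}` guard added in %prep is always true, because the `%define no_user_namespace 0` added higher up in the same file defines the macro whatever its value, so `sed -i '/user_namespace/d' container.te` runs on every build and silently strips every line mentioning user_namespace from the policy. If the 0 is meant to be a switch, test the value rather than the definition: `%if 0%{?no_user_namespace}`. The sed pattern is also a bare substring match, so any comment or declaration containing `user_namespace` is dropped along with the intended rules; anchoring it to the rule form (e.g. a pattern that matches only `allow ... user_namespace` lines) would make the removal deliberate rather than accidental. Since the +/- markers are lost in this rendering, the assignment of the define to the new side is inferred from the hunk line counts (24 old, 23 new) and should be confirmed against the raw diff.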
@@ -1,39 +0,0 @@
|
||||
commit 10cc7ecacd631368e23691a77dbfe63ac6ca855f
|
||||
Author: Robert Frohl <rfrohl@suse.com>
|
||||
Date: Wed Jul 16 14:35:45 2025 +0200
|
||||
|
||||
Dontaudit dac_override for iptables_t
|
||||
|
||||
There are AVCs observed during rootless docker 'systemctl --user restart
|
||||
docker.service', but no functional impact.
|
||||
|
||||
Minimal steps to reproduce:
|
||||
|
||||
> sudo modprobe ip_tables
|
||||
> # creates /proc/net/ip_tables_names
|
||||
> systemctl --user restart docker.service
|
||||
> # reproduces the AVCs
|
||||
|
||||
----
|
||||
type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER
|
||||
type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
||||
type=CWD msg=audit(..) : cwd=/home/user3
|
||||
type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
|
||||
type=AVC msg=audit(..) : avc: denied { dac_override } for pid=4979 comm=iptables capability=dac_override scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
|
||||
----
|
||||
|
||||
Fixes: bsc#1246348
|
||||
Signed-off-by: Robert Frohl <rfrohl@suse.com>
|
||||
|
||||
diff --git a/container.te b/container.te
|
||||
index 9e20607..271efa8 100644
|
||||
--- a/container.te
|
||||
+++ b/container.te
|
||||
@@ -465,6 +465,7 @@ optional_policy(`
|
||||
container_append_file(iptables_t)
|
||||
allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
|
||||
allow iptables_t container_file_type:dir list_dir_perms;
|
||||
+ dontaudit iptables_t self:cap_userns dac_override;
|
||||
')
|
||||
|
||||
optional_policy(`
|