commit 4ac42b007c863cfe002bcf955c9428f5bc325823106598d7279308346a2b4612 Author: Johannes Segitz Date: Fri Apr 12 07:02:23 2024 +0000 Accepting request 1166916 from home:cahu:security:SELinux:policytest - Manual update to version 2.230.0+git4.a8e389d to include this commit that is needed for the main selinux-policy update to work: * Rename all /var/run file context entries to /run - Update to version 2.230.0: * Move to tar_scm based packaging: added _service and _servicedata * Allow containers to unmount file systems * Add buildah as a container_runtime_exec_t label * Additional rules for container_user_t * improve container_engine_t OBS-URL: https://build.opensuse.org/request/show/1166916 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=34
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..181daf7
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ _auto_
+ @PARENT_TAG@
+ https://github.com/containers/container-selinux.git
+ git
+ enable
+ v*
+ main
+ v(.*)
+ \1
+
+
+ xz
+ *.tar
+
+
+ container-selinux.spec
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..19cf922
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/containers/container-selinux.git
+ a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
\ No newline at end of file
diff --git a/container-selinux-2.230.0+git4.a8e389d.tar.xz b/container-selinux-2.230.0+git4.a8e389d.tar.xz
new file mode 100644
index 0000000..e6462fb
--- /dev/null
+++ b/container-selinux-2.230.0+git4.a8e389d.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a51c6267aeda128a15487628d4e976d50074ec97fb36dbe12377e996903563a8
+size 27684
diff --git a/container-selinux.changes b/container-selinux.changes
new file mode 100644
index 0000000..d8967c7
--- /dev/null
+++ b/container-selinux.changes
@@ -0,0 +1,252 @@
+-------------------------------------------------------------------
+Wed Apr 10 15:47:15 UTC 2024 - Cathy Hu
+
+- Manual update to version 2.230.0+git4.a8e389d to include this
+ commit that is needed for the main selinux-policy update to work:
+ * Rename all /var/run file context entries to /run
+
+-------------------------------------------------------------------
+Wed Apr 10 15:38:24 UTC 2024 - Cathy Hu
+
+- Update to version 2.230.0:
+ * Move to tar_scm based packaging: added _service and _servicedata
+ * Allow containers to unmount file systems
+ * Add buildah as a container_runtime_exec_t label
+ * Additional rules for container_user_t
+ * improve container_engine_t
+
+-------------------------------------------------------------------
+Thu Jan 11 08:37:53 UTC 2024 - Johannes Segitz
+
+- Update to version 2.228:
+ * Allow container domains to watch fifo_files
+ * container_engine_t: improve for podman in kubernetes case
+ * Allow spc_t to transition to install_t domain
+ * Default to allowing containers to use dri devices
+ * Allow access to BPF Filesystems
+ * Fix kubernetes transition rule
+ * Label kubensenter as well as kubenswrapper
+ * Allow container domains to execute container_runtime_tmpfs_t files
+ * Allow container domains to ptrace themselves
+ * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
+ * Add boolean to allow containers to use dri devices
+ * Give containers access to pod resources endpoint
+ * Label kubenswrapper kubelet_exec_t
+
+-------------------------------------------------------------------
+Wed Sep 20 14:21:29 UTC 2023 - Johannes Segitz
+
+- Update to version 2.222:
+ * Allow containers to read/write inherited dri devices
+
+-------------------------------------------------------------------
+Tue Aug 15 05:48:12 UTC 2023 - Johannes Segitz
+
+- Update to version 2.221:
+ * Allow containers to shutdown sockets inherited from container
+ runtimes
+ * Allow spc_t to use execmod libraries 
on container file systems
+ * Add boolean to allow containers to read all cert files
+ * More MLS Policy allow rules
+ * Allow container runtimes using pasta bind icmp_socket to port_t
+ * Fix spc_t transitions from container_runtime_domain
+
+-------------------------------------------------------------------
+Tue May 23 07:32:16 UTC 2023 - Johannes Segitz
+
+- Update to version 2.215.0:
+ * Add some MLS rules to policy
+ * Allow container runtime to dyntransition to spc_t
+ * Tighten controls on confined users
+ * Add labels for /var/lib/shared
+ * Cleanup entrypoint definitions
+ * Allow container_device_plugin_t access to debugfs
+ * Allow containers which use devices to map them
+
+-------------------------------------------------------------------
+Mon Apr 24 07:24:46 UTC 2023 - Johannes Segitz
+
+- Update to version 2.211.0:
+ * Don't transition to initrc_t domains from spc_t
+ * Add tunable to allow sshd_t to launch container engines
+ * Allow syslogd_t gettatr on inheritited runtime tmpfs files
+ * Add container_file_t and container_ro_file_t as user_home_type
+ * Set default context for local-path-provisioner
+ * Allow daemon to send dbus messages to spc_t by
+
+-------------------------------------------------------------------
+Wed Mar 29 13:04:36 UTC 2023 - Johannes Segitz
+
+- Update to version 2.206.0:
+ * Allow unconfined domains to transition to container_runtime_t
+ * Allow container domains to transition to install_t
+ * Allow avirt_sandbox_domain to manage container_file_t types
+ * Allow containers to watch sysfs_t directories
+ * Allow spc_t to transption to rpm_script_t
+ * Add support to new user_namespace access check
+ * Smaller permission changes for container_init_t
+- Drop spc.patch, is now included
+
+-------------------------------------------------------------------
+Mon Jan 16 12:47:34 UTC 2023 - Frederic Crozat
+
+- Update to version 2.198.0:
+ * Fix spc_t transition rules on tmpfs_t
+- Changes from 2.197.0:
+ * Add boolean 
containers_use_ecryptfs policy
+- Changes from 2.195.1:
+ * Readd missing allow rules for container_t
+- Changes from 2.194.0:
+ * Allow syslogd_t to use tmpfs files created by container runtime
+- Changes from 2.193.0:
+ * Allow containers to mount tmpfs_t file systems
+ * Label spc_t as a init initrc daemon
+ * Allow userdomains to run containers
+- Changes from 2.191.0:
+ * Create container_logwriter_t type
+- Changes from 2.190.1:
+ * Support BuildKit
+ * container.fc: Set label for kata-agent
+ * support nerdctl
+- Changes from 2.190.0:
+ * Packit: initial enablement
+ * Allow iptables to list directories labeled as container_file_t
+- Changes from 2.189.0:
+ * Dont audit searching other processes in /proc.
+
+-------------------------------------------------------------------
+Thu Jan 12 13:02:32 UTC 2023 - Johannes Segitz
+
+- Rename spc_timedated.patch to spc.patch
+- Update spc.patch to allow privileged containers to use
+ localectl (bsc#1207077)
+
+-------------------------------------------------------------------
+Wed Jan 11 14:15:06 UTC 2023 - Johannes Segitz
+
+- Add spc_timedated.patch to allow privileged containers to use
+ timedatectl (bsc#1207054)
+
+-------------------------------------------------------------------
+Thu Jul 14 08:37:48 UTC 2022 - Johannes Segitz
+
+- Update to version 2.188.0:
+ * Allow confined containers to mount overlay filesystems
+ Fixed bsc#1201348
+
+-------------------------------------------------------------------
+Wed Jun 22 13:17:49 UTC 2022 - Frederic Crozat
+
+- Update to version 2.187.0:
+ * Allow container domains to use /dev/zero
+- Changes from 2.186.0:
+ * Create policy for a container_device_t
+ * Allow containers to shutdown & setopt userdomain:sockets
+- Changes from 2.183.0:
+ * Allow containers to inherit all socket classes from container runtimes. 
+- Changes from 2.182.0:
+ * Allow containers to inherit all socket classes
+- Changes from 2.181.0:
+ * Allow socket activated domains for tcp sockets from init_t and userdomains.
+
+-------------------------------------------------------------------
+Tue Mar 22 08:35:54 UTC 2022 - Johannes Segitz
+
+- Add udica templates to the package
+
+-------------------------------------------------------------------
+Fri Mar 18 12:04:25 UTC 2022 - Johannes Segitz
+
+- Update to version 2.180.0
+ * Allow container domains to read/write kvm_device_t
+ * Update kublet mappings to inlcude /usr/local/*
+ * Allow container domains to use container runtime tcp and udp sockets
+ * Alow containers to use unix_stream_sockets leaked from container runtimes
+ * Allow userdomains to execute conmon_exec_t and use it as an entrypoint
+ * Allow conmon_exec_t as an entrypoint
+ * Add container_use_devices boolean to allow containers to use any device
+ * Add explicit range transition for conmon
+ * Add missing dbus class declaration into container_runtime_run()
+ * Remove lockdown allow rules
+ * Remove k3s fcontexts
+ * Allow container domains to be used by user roles
+- Changed source url to allow for download via source service
+
+-------------------------------------------------------------------
+Fri Nov 12 16:21:06 UTC 2021 - Richard Brown
+
+- Update to version 2.171.0
+ * Define kubernetes_file_t as a config_type
+ * Allow containers to be socket activated by user domains and by systemd.
+ * Allow iptables to use fifo files of a container runtime
+ * Allow container_runtime create all tmpfs content as container_runtime_tmpfs_t
+ * Allow containers to create lnk_file on tmpfs_t directories.
+
+-------------------------------------------------------------------
+Mon Aug 9 07:44:17 UTC 2021 - Johannes Segitz
+
+- Update to version 2.164.2
+ * Don't setup users for writing to pid_sockets
+ * Allow container engines to be started from the staff user. 
+ * Allow spc_t domains to set bpf rules on any domain
+ * Add support for k3s
+
+-------------------------------------------------------------------
+Fri Apr 23 06:04:48 UTC 2021 - Johannes Segitz
+
+- Fix container runtime binary labels (bsc#1185030). You need to
+ relable at least /usr/sbin if you're affected
+
+-------------------------------------------------------------------
+Tue Feb 23 13:21:19 UTC 2021 - Thorsten Kukuk
+
+- Update to version 2.158.0
+ - Add nfs remount support
+ - Allow containers to execmod on nfs, samba and cephs remote shares
+ - Allow confined users to send dbus messages to container_runtime
+
+-------------------------------------------------------------------
+Mon Jan 11 10:40:32 UTC 2021 - Thorsten Kukuk
+
+- Update to version 2.154.0
+ - Allow confined user domains to run confined container domains.
+ - Allow all containers to use nfs shares, iff virt_use_nfs boolean
+ is enabled.
+ - Allow containers to read nsfs file systems.
+ - KVM Container need to use tunnel sockets created by runtime.
+
+-------------------------------------------------------------------
+Tue Nov 3 07:53:35 UTC 2020 - Ludwig Nussel
+
+- Don't use BuildRequires based on shell script output. OBS can't
+ evaluate that.
+
+-------------------------------------------------------------------
+Thu Oct 29 07:52:21 UTC 2020 - Thorsten Kukuk
+
+- Update to version 2.150.0
+ - Add additional allow rules for kvm based containers using
+ virtiofsd. 
+
+-------------------------------------------------------------------
+Wed Oct 14 12:57:07 UTC 2020 - Thorsten Kukuk
+
+- Update to version 2.145.0
+ - Add support for kubernetes_file_t
+ - Allow container_t to open existing tun/tap
+
+-------------------------------------------------------------------
+Wed Aug 12 09:11:30 UTC 2020 - Thorsten Kukuk
+
+- Minimize BuildRequires
+
+-------------------------------------------------------------------
+Mon Aug 10 21:11:12 UTC 2020 - Thorsten Kukuk
+
+- Update to version 2.143.0
+ - support containerd/cri
+
+-------------------------------------------------------------------
+Wed Aug 5 08:42:45 UTC 2020 - Thorsten Kukuk
+
+- Initial version
diff --git a/container-selinux.spec b/container-selinux.spec
new file mode 100644
index 0000000..2f9d0fd
--- /dev/null
+++ b/container-selinux.spec
@@ -0,0 +1,104 @@
+#
+# spec file for package container-selinux
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames container
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %{1}=""; for x in %{modulenames}; do %{1}+=%{2}; %{1}+=" "; done;
+# Version of SELinux we were using
+%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
+Name: container-selinux
+Version: 2.230.0+git4.a8e389d
+Release: 0
+Summary: SELinux policies for container runtimes
+License: GPL-2.0-only
+URL: https://github.com/containers/container-selinux
+Source0: container-selinux-%{version}.tar.xz
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires: selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
+Requires(post): policycoreutils
+Requires(post): /usr/bin/sed
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): selinux-tools
+BuildArch: noarch
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+%setup -q
+
+%build
+%make_build
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
+install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
+install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}/%{_datadir}/containers/selinux
+install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
+install -d %{buildroot}%{_datadir}/udica/templates
+install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
+
+%check
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null ||:
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null ||:
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null ||:
+%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%doc README.md
+%{_datadir}/selinux/*
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
+%dir %{_datadir}/udica/templates
+%{_datadir}/udica/templates/*
+
+%changelog
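Review bot: In `%post`, `%selinux_modules_install` targets the `%{selinuxtype}` store, but the `sed -i` that adds `container_file_t` to `customizable_types` builds its path from `${SELINUXTYPE}` sourced out of `%{_sysconfdir}/selinux/config`, so on a host whose config selects a different store, or where that variable is unset (giving `%{_sysconfdir}/selinux//contexts/customizable_types`), the edit misses the store the modules went into, and unlike the neighbouring `semodule` and `restorecon` lines it carries no `|| :`. Using the macro keeps both steps on the same store and makes the `. %{_sysconfdir}/selinux/config` line unnecessary: `sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i %{_sysconfdir}/selinux/%{selinuxtype}/contexts/customizable_types || :`. The first-install `setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` relaxes confinement for containers (NFS access and, judging by the boolean name, the full capability set for sandboxed containers), which deserves a comment above the `if [ $1 -eq 1 ]` recording why that is the packaged default rather than leaving it to the administrator. Separately, `Source0` is `container-selinux-%{version}.tar.xz` while the commit also adds `v2.228.0.tar.gz`, which nothing in the spec references and looks like a leftover from the previous packaging.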
diff --git a/v2.228.0.tar.gz b/v2.228.0.tar.gz
new file mode 100644
index 0000000..e117a26
--- /dev/null
+++ b/v2.228.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ae7825a8460460934950f6b2a4a0928bc2f71915e71474d6d5d20c8eeb9bbdd
+size 31145