commit 7beff29edb56c305fa93f13c8572a8eae01a7e1ce25a46f32a8740541c58c1a6 Author: Marcus Meissner Date: Thu Aug 20 10:56:37 2020 +0000 Accepting request 825950 from home:kukuk:selinux This package is needed to run Container with SELinux enabled OBS-URL: https://build.opensuse.org/request/show/825950 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/container-selinux-2.143.0.tar.gz b/container-selinux-2.143.0.tar.gz
new file mode 100644
index 0000000..ce4f030
--- /dev/null
+++ b/container-selinux-2.143.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2aaf16ca0c304854ab68593b1a6e096150de2cc3e7f58de526bf8dfaed1fefe
+size 23454
diff --git a/container-selinux.changes b/container-selinux.changes
new file mode 100644
index 0000000..43a0026
--- /dev/null
+++ b/container-selinux.changes
@@ -0,0 +1,15 @@
+-------------------------------------------------------------------
+Wed Aug 12 09:11:30 UTC 2020 - Thorsten Kukuk
+
+- Minimize BuildRequires
+
+-------------------------------------------------------------------
+Mon Aug 10 21:11:12 UTC 2020 - Thorsten Kukuk
+
+- Update to version 2.143.0
+ - support containerd/cri
+
+-------------------------------------------------------------------
+Wed Aug 5 08:42:45 UTC 2020 - Thorsten Kukuk
+
+- Initial version
diff --git a/container-selinux.spec b/container-selinux.spec
new file mode 100644
index 0000000..06cf632
--- /dev/null
+++ b/container-selinux.spec
@@ -0,0 +1,99 @@
+#
+# spec file for package container-selinux
+#
+# Copyright (c) 2020 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames container
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %{1}=""; for x in %{modulenames}; do %{1}+=%{2}; %{1}+=" "; done;
+# Version of SELinux we were using
+%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
+Name: container-selinux
+Version: 2.143.0
+Release: 0
+Summary: SELinux policies for container runtimes
+License: GPL-2.0-only
+URL: https://github.com/containers/container-selinux
+Source0: %{name}-%{version}.tar.gz
+BuildRequires: selinux-policy >= %{selinux_policyver}
+BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+Requires: selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
+Requires(post): policycoreutils
+Requires(post): /usr/bin/sed
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): selinux-tools
+BuildArch: noarch
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+%setup -q
+
+%build
+%make_build
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
+install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
+install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}/%{_datadir}/containers/selinux
+install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
+
+%check
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null ||:
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null ||:
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null ||:
+%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/customizable_types
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%doc README.md
+%{_datadir}/selinux/*
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+
+%changelog
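Review bot: In `%post`, `setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` persistently enables two booleans that widen what confined container and virt domains may do, but the spec does not say why, and `%postun` never resets them, so the relaxation outlives the package. I would add a comment above it such as `# Persistently enables virt_use_nfs and virt_sandbox_use_all_caps on first install; not reverted on removal`, and state why each boolean is required so an administrator auditing the host can trace the change back to this package. Separately, the modules are installed into the `%{selinuxtype}` store, while the `sed` edits `customizable_types` under `${SELINUXTYPE}` sourced from `%{_sysconfdir}/selinux/config`. On a host configured for a different policy type, or with that variable unset, the two paths diverge and `container_file_t` may not be registered for the policy the module was loaded into. Using `%{selinuxtype}` in the `sed` path, or guarding it with `[ -n "${SELINUXTYPE}" ]`, would keep them consistent.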