From 8f38ed6e53b3e5d9a43a5e41a6e3d2fb4f064b337f4788c92edba2b6db33de89 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 11 Jan 2024 08:53:20 +0000
Subject: [PATCH] Accepting request 1138075 from home:jsegitz:branches:security:SELinux

- Update to version 2.228:
* Allow container domains to watch fifo_files
* container_engine_t: improve for podman in kubernetes case
* Allow spc_t to transition to install_t domain
* Default to allowing containers to use dri devices
* Allow access to BPF Filesystems
* Fix kubernetes transition rule
* Label kubensenter as well as kubenswrapper
* Allow container domains to execute container_runtime_tmpfs_t files
* Allow container domains to ptrace themselves
* Allow container domains to use container_runtime_tmpfs_t as an entrypoint
* Add boolean to allow containers to use dri devices
* Give containers access to pod resources endpoint
* Label kubenswrapper kubelet_exec_t
OBS-URL: https://build.opensuse.org/request/show/1138075
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=33
---
 container-selinux.changes | 18 ++++++++++++++++++
 container-selinux.spec | 2 +-
 v2.222.0.tar.gz | 3 ---
 v2.228.0.tar.gz | 3 +++
 4 files changed, 22 insertions(+), 4 deletions(-)
 delete mode 100644 v2.222.0.tar.gz
 create mode 100644 v2.228.0.tar.gz

diff --git a/container-selinux.changes b/container-selinux.changes
index 2074302..3f28656 100644
--- a/container-selinux.changes
+++ b/container-selinux.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Jan 11 08:37:53 UTC 2024 - Johannes Segitz
+
+- Update to version 2.228:
+ * Allow container domains to watch fifo_files
+ * container_engine_t: improve for podman in kubernetes case
+ * Allow spc_t to transition to install_t domain
+ * Default to allowing containers to use dri devices
+ * Allow access to BPF Filesystems
+ * Fix kubernetes transition rule
+ * Label kubensenter as well as kubenswrapper
+ * Allow container domains to execute container_runtime_tmpfs_t files
+ * Allow container domains to ptrace themselves
+ * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
+ * Add boolean to allow containers to use dri devices
+ * Give containers access to pod resources endpoint
+ * Label kubenswrapper kubelet_exec_t
+
 -------------------------------------------------------------------
 Wed Sep 20 14:21:29 UTC 2023 - Johannes Segitz
 
diff --git a/container-selinux.spec b/container-selinux.spec
index 4dfe28a..079b0c9 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name: container-selinux
-Version: 2.222.0
+Version: 2.228.0
 Release: 0
 Summary: SELinux policies for container runtimes
 License: GPL-2.0-only
diff --git a/v2.222.0.tar.gz b/v2.222.0.tar.gz
deleted file mode 100644
index 02b118d..0000000
--- a/v2.222.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f9626ee2d2a49380f43f6b44a2e0d982295d6404838f4b0cd6e6d1e108d8f65e
-size 30721
diff --git a/v2.228.0.tar.gz b/v2.228.0.tar.gz
new file mode 100644
index 0000000..e117a26
--- /dev/null
+++ b/v2.228.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ae7825a8460460934950f6b2a4a0928bc2f71915e71474d6d5d20c8eeb9bbdd
+size 31145