
2 Commits

7e1c88062a Accepting request 1297768 from security:SELinux
update to 2.240.0

OBS-URL: https://build.opensuse.org/request/show/1297768
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/container-selinux?expand=0&rev=30
2025-08-06 12:31:36 +00:00
Hu
6b164d4af3 - Update to version 2.240.0:
* Dontaudit dac_override for iptables_t
  * dropping rootless-docker_iptables.patch, which is now upstream
  * Don't allow containers by default setexec setfscreate
  * Containers need to use hsa devices for ROCM

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=47
2025-08-05 14:36:42 +00:00
6 changed files with 14 additions and 47 deletions


@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/containers/container-selinux.git</param>
<param name="changesrevision">36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c</param></service></servicedata>
<param name="changesrevision">10cc7ecacd631368e23691a77dbfe63ac6ca855f</param></service></servicedata>

container-selinux-2.239.0.tar.xz (Stored with Git LFS)



@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8cca742899b757bb775b7852cefc83defd8ba5dd4e89a1a77e5833fb002efa60
size 27832


@@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Aug 05 14:21:07 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
- Update to version 2.240.0:
* Dontaudit dac_override for iptables_t
* dropping rootless-docker_iptables.patch is upstream
* Don't allow containers by default setexec setfscreate
* Containers need to use hsa devices for ROCM
-------------------------------------------------------------------
Thu Jul 24 12:22:54 UTC 2025 - Robert Frohl <rfrohl@suse.com>


@@ -26,14 +26,12 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
Version: 2.239.0
Version: 2.240.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
URL: https://github.com/containers/container-selinux
Source0: container-selinux-%{version}.tar.xz
# PATCH-FIX-UPSTREAM rootless-docker_iptables.patch https://github.com/containers/container-selinux/pull/388
Patch01: rootless-docker_iptables.patch
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildRequires: selinux-policy-%{selinuxtype}
@@ -50,7 +48,6 @@ SELinux policy modules for use with container runtimes.
%prep
%setup -q
%patch -P 1 -p1
%build
%make_build
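Review bot: Dropping Patch01 and the `%patch -P 1 -p1` line leaves nothing in the spec that records which upstream commit the 2.240.0 tarball was built from, so the next updater cannot see from the spec alone that the dontaudit rule for iptables_t is now carried by the tarball rather than by a patch. The `_servicedata` changesrevision in this commit is 10cc7ecacd631368e23691a77dbfe63ac6ca855f, which is exactly the commit of the deleted patch rather than a release tag; if upstream tagged v2.240.0 at a later commit, the tarball may be a snapshot taken before the tag, which is worth confirming against the upstream tag before accepting. A one-line comment next to Source0, `# tarball built by tar_scm from upstream v2.240.0; see _servicedata for the pinned commit`, would make that provenance visible where the patch comment used to be. The same observation applies to the second hunk (`%prep`), whose context lines are cut on both sides in this rendering.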


@@ -1,39 +0,0 @@
commit 10cc7ecacd631368e23691a77dbfe63ac6ca855f
Author: Robert Frohl <rfrohl@suse.com>
Date: Wed Jul 16 14:35:45 2025 +0200
Dontaudit dac_override for iptables_t
There are AVCs observed during rootless docker 'systemctl --user restart
docker.service', but no functional impact.
Minimal steps to reproduce:
> sudo modprobe ip_tables
> # creates /proc/net/ip_tables_names
> systemctl --user restart docker.service
> # reproduces the AVCs
----
type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER
type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(..) : cwd=/home/user3
type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(..) : avc: denied { dac_override } for pid=4979 comm=iptables capability=dac_override scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----
Fixes: bsc#1246348
Signed-off-by: Robert Frohl <rfrohl@suse.com>
diff --git a/container.te b/container.te
index 9e20607..271efa8 100644
--- a/container.te
+++ b/container.te
@@ -465,6 +465,7 @@ optional_policy(`
container_append_file(iptables_t)
allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
allow iptables_t container_file_type:dir list_dir_perms;
+ dontaudit iptables_t self:cap_userns dac_override;
')
optional_policy(`