From 2310aa43d7c4012da2ef1bf450b836a85e5660e8fd7c0deec7ecb45bcd02e5d2 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Wed, 26 Jan 2022 20:27:26 +0000
Subject: [PATCH] Accepting request 949251 from devel:kubic

OBS-URL: https://build.opensuse.org/request/show/949251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/k3s-selinux?expand=0&rev=1
---
 .gitattributes | 23 +++++++
 .gitignore | 1 +
 _service | 18 ++++++
 _servicedata | 4 ++
 k3s-selinux-0.5.latest.1.tar.gz | 3 +
 k3s-selinux.changes | 28 +++++++++
 k3s-selinux.spec | 102 ++++++++++++++++++++++++++++++++
 k3s.if | 27 +++++++++
 8 files changed, 206 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 k3s-selinux-0.5.latest.1.tar.gz
 create mode 100644 k3s-selinux.changes
 create mode 100644 k3s-selinux.spec
 create mode 100644 k3s.if

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..5a82b16 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/k3s-io/k3s-selinux + git + .git + v0.5.stable.1 + @PARENT_TAG@ + enable + v(.*) + + + k3s-selinux + + + *.tar + gz + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..f4c2b92 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/k3s-io/k3s-selinux + e4307b98dd1e4c1d9a1cdb09af8b48ad1e91f8f5 \ No newline at end of file diff --git a/k3s-selinux-0.5.latest.1.tar.gz b/k3s-selinux-0.5.latest.1.tar.gz new file mode 100644 index 0000000..453c58f --- /dev/null +++ b/k3s-selinux-0.5.latest.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92069501b3f5d90e1e809ef1c54a55e68b1a01b3f73fcd7401b580a3e562559c +size 10903 
diff --git a/k3s-selinux.changes b/k3s-selinux.changes
new file mode 100644
index 0000000..fea5db1
--- /dev/null
+++ b/k3s-selinux.changes
@@ -0,0 +1,28 @@
+-------------------------------------------------------------------
+Wed Jan 26 11:52:45 UTC 2022 - Richard Brown
+
+- Add missing spec license/copyright
+
+-------------------------------------------------------------------
+Sun Jan 9 15:18:33 UTC 2022 - Johannes Kastl
+
+- add k3s.if as source file, as it is empty in v0.5.stable.1
+ - this was cherry-picked from the latest commit:
+ https://github.com/k3s-io/k3s-selinux/commit/7b982cf500e20c0adbad8a83cc27c43a79218aca
+
+-------------------------------------------------------------------
+Sun Jan 09 07:16:00 UTC 2022 - kastl@b1-systems.de
+
+- create new package at version 0.5.stable.1
+- Update to version 0.5.latest.1:
+ * mention rpm signing keys in the readme
+ * fix for over-broad container_runtime_exec_t (#25)
+ * el8: keep on truckin (#24)
+ * drone: publish sle artifacts (#22)
+ * support sles 15 with sle micro packages (#21)
+ * [migrate k3s-io] drone tweaks
+ * Make k3s-selinux conflict with rke2-selinux
+ * Build independent el7 and el8 RPMs for k3s-selinux
+ * Modify build script to put the source RPM where we expect, as well as generate the source RPM
+ * Initial k3s-selinux el7_8 work
+
diff --git a/k3s-selinux.spec b/k3s-selinux.spec
new file mode 100644
index 0000000..1505d0c
--- /dev/null
+++ b/k3s-selinux.spec
@@ -0,0 +1,102 @@
+#
+# spec file for package k3s-selinux
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%define k3s_relabel_files() \
+ mkdir -p /var/lib/cni; \
+ mkdir -p /var/lib/kubelet/pods; \
+ mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
+ mkdir -p /var/lib/rancher/k3s/data; \
+ mkdir -p /var/run/flannel; \
+ mkdir -p /var/run/k3s; \
+ restorecon -R -i /etc/systemd/system/k3s.service; \
+ restorecon -R -i /usr/lib/systemd/system/k3s.service; \
+ restorecon -R /var/lib/cni; \
+ restorecon -R /var/lib/kubelet; \
+ restorecon -R /var/lib/rancher; \
+ restorecon -R /var/run/k3s; \
+ restorecon -R /var/run/flannel
+
+%define selinux_policyver 20210716-3.1
+%define container_policyver 2.164.2-1.1
+
+Name: k3s-selinux
+Version: 0.5.latest.1
+Release: 0
+Summary: SELinux policy module for k3s
+
+Group: System Environment/Base
+License: Apache-2.0
+URL: http://k3s.io/k3s-selinux
+Source: %{name}-%{version}.tar.gz
+Source1: k3s.if
+
+BuildArch: noarch
+BuildRequires: container-selinux >= %{container_policyver}
+BuildRequires: git
+BuildRequires: selinux-policy >= %{selinux_policyver}
+BuildRequires: selinux-policy-devel >= %{selinux_policyver}
+
+Requires: policycoreutils, selinux-tools
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(postun): policycoreutils
+
+Provides: %{name} = %{version}-%{release}
+Obsoletes: k3s-selinux <= 0.5
+Conflicts: rke2-selinux
+
+%description
+This package installs and sets up the SELinux policy security module for k3s.
+
+%prep
+%setup -q
+install -m 644 %{SOURCE1} policy/microos/k3s.if
+
+%build
+cd policy/microos
+make -f /usr/share/selinux/devel/Makefile k3s.pp
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 policy/microos/k3s.pp %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 policy/microos/k3s.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+%pre
+%selinux_relabel_pre
+
+%post
+%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %k3s_relabel_files
+fi;
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall k3s
+fi;
+
+%posttrans
+%selinux_relabel_post
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
+%{_datadir}/selinux/devel/include/contrib/k3s.if
+
+%changelog
+
diff --git a/k3s.if b/k3s.if
new file mode 100644
index 0000000..a40c7a3
--- /dev/null
+++ b/k3s.if
@@ -0,0 +1,27 @@
+#######################################################################
+##
+## Creates types and rules for a k3s runtime domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`k3s_runtime_domain_template',`
+ gen_require(`
+ attribute container_runtime_domain, exec_type;
+ role system_r, sysadm_r;
+ ')
+
+ attribute $1_domain;
+ type $1_t, $1_domain;
+ role system_r types $1_t;
+ role sysadm_r types $1_t;
+
+ can_exec($1_t, exec_type)
+ domain_type($1_t)
+ domain_entry_file($1_domain, $1_t)
+
+ admin_pattern(container_runtime_domain, $1_t)
+')
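Review bot: In `%install`, `install -d %{buildroot}/etc/selinux/targeted/contexts/users/` creates a directory that nothing is installed into and that `%files` does not list, so it is either dead code or an unpackaged-files complaint at build time; drop the line or package whatever was meant to land there. `Version: 0.5.latest.1` also disagrees with the `.changes` entry "create new package at version 0.5.stable.1" and the `_service` revision `v0.5.stable.1`, which deserves a fix or a comment such as `# tag v0.5.stable.1 and v0.5.latest.1 point at the same upstream commit` if that is the reason. In `%post`, `%selinux_modules_install` on most distributions already loads the installed module, so the explicit `/usr/sbin/load_policy` that follows looks redundant (presumably harmless, but worth confirming against the macro definition shipped with this distribution's selinux-policy). The `%k3s_relabel_files` macro creates `/var/lib/rancher/k3s/...` and `/var/run/...` with the installer's default permissions and then relabels all of `/var/lib/rancher`, not just the k3s subtree; a short comment stating that pre-creating the directories is intentional so `restorecon` can label them before k3s first starts would make that design choice explicit for later reviewers.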
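Review bot: The doc block above `template(`k3s_runtime_domain_template',`` has bare `##` lines where the refpolicy XML (`## <summary>`, `## </summary>`, `## <param name="prefix">`, `## <desc>`) would normally sit; that may be extraction on this page, but if the committed file really lacks those tags the interface documentation tooling gets nothing, so the summary lines should read `## <summary>` / `## Creates types and rules for a k3s runtime domain.` / `## </summary>` with a matching `<param name="prefix">` block around "Prefix for the domain.". `can_exec($1_t, exec_type)` lets the generated domain execute every file carrying the `exec_type` attribute, and `admin_pattern(container_runtime_domain, $1_t)` appears to give the entire container runtime domain administrative access over objects of the new type; both are broad, and given that the `.changes` file mentions a fix for an over-broad `container_runtime_exec_t`, a one-line comment such as `# the runtime launches arbitrary binaries, so execution is deliberately not limited to one exec type` would record the intent behind the breadth. The `.changes` entry also says this file was cherry-picked from an upstream commit, so noting that provenance in the file header would help keep it in sync with the next upstream release.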