Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final

OBS-URL: https://build.opensuse.org/request/show/1072556 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
2023-03-17 10:46:53 +00:00 · 2023-03-17 10:46:53 +00:00 · 00949e479d
commit 00949e479d
parent 5e0b3ff876
11 changed files with 2683 additions and 21 deletions
--- a/8
+++ b/8
@ -7,14 +7,6 @@
    <param name="changesgenerate">enable</param>
    <param name="revision">factory</param>
  </service>
-  <service name="tar_scm" mode="manual">
-    <param name="version">1</param>
-    <param name="versionformat">%cd</param>
-    <param name="url">https://github.com/containers/container-selinux.git</param>
-    <param name="scm">git</param>
-    <param name="changesgenerate">enable</param>
-    <param name="revision">main</param>
-  </service>
  <service name="recompress" mode="manual">
    <param name="compression">xz</param>
    <param name="file">*.tar</param>
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">167da331be8238b650e75d629a925576ca5bf70b</param></service><service name="tar_scm">
+              <param name="changesrevision">3fa3ee463c968e6001607a3d25edc2f9971824d7</param></service><service name="tar_scm">
                <param name="url">https://github.com/containers/container-selinux.git</param>
              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
--- a/container-selinux-20230214.tar.xz
+++ b/container-selinux-20230214.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936
-size 25128
--- a/container.fc
+++ b/container.fc
@ -0,0 +1,156 @@
+/root/\.docker	gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxc/.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxd/.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/podman		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/podman		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/conmon		--	gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/bin/conmon		--	gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/s?bin/runc		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/container[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/sbin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/lib/systemd/system/docker.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/lxd.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/containerd.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker-latest(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log		gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/containerd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
+# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/atomic(/.*)?	<<none>>
+/var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker-latest/containers/.*/hostname		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/hosts		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
+
+/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+/var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+/var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)
--- a/container.if
+++ b/container.if
--- a/container.te
+++ b/container.te
--- a/selinux-policy-20230214.tar.xz
+++ b/selinux-policy-20230214.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f
-size 752564
--- a/selinux-policy-20230316.tar.xz
+++ b/selinux-policy-20230316.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b5384b23b8bf5fe9cbd1b3da67c54a08c99b029b65b2005f345951b8763fd8a
+size 752624
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230316:
+  * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
+    path
+  * allow kernel_t to relabel etc_t files
+  * allow kernel_t to relabel sysnet config files
+  * allow kernel_t to relabel systemd hwdb etc files
+  * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
+  * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
+    to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
+    management of config files
+  * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
+    interfaces to allow labeling on etc_t, not on the broader configfiles
+    attribute
+  * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
+    watch permissions reported are already fixed in a current policy.
+- Reinstate update.sh and remove container-selinux from the service.
+  Having both repos in there causes issues and update.sh makes the update
+  process easier in general
+
+-------------------------------------------------------------------
+Tue Mar  7 08:49:05 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Remove erroneous SUSE man page. Will not be created with the
+  3.5 toolchain
+
 -------------------------------------------------------------------
 Tue Feb 14 21:41:54 UTC 2023 - Hu <cathy.hu@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -33,11 +33,13 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230214
+Version:        20230316
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
-Source1:        container-selinux-%{version}.tar.xz
-Source2:        selinux-policy-rpmlintrc
+Source1:        container.fc
+Source2:        container.te
+Source3:        container.if
+Source4:        selinux-policy-rpmlintrc

 Source10:       modules-targeted-base.conf
 Source11:       modules-targeted-contrib.conf
@ -338,9 +340,9 @@ exit 0
 # dirty hack for container-selinux, because selinux-policy won't build without it
 # upstream does not want to include it in main policy tree:
 # see discussion in https://github.com/containers/container-selinux/issues/186
-%setup -T -D -b 1
-cp ../container-selinux-%{version}/container.* policy/modules/services/
-rm -rf ../container-selinux-%{version}
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
+  cp $i policy/modules/services/
+done

 %build

--- a/update.sh
+++ b/update.sh
@ -0,0 +1,27 @@
+#!/bin/sh
+
+date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'
+
+echo Update to $date
+
+old_tar_file=$(ls -1 $base_name_pattern)
+
+osc service manualrun
+
+rm -rf container-selinux
+git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux
+
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern  | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+  echo delte old file $old_tar_file
+  rm "$old_tar_file"
+  osc addremove
+fi
+
+osc status
+