Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final
OBS-URL: https://build.opensuse.org/request/show/1072556 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
This commit is contained in:
parent
5e0b3ff876
commit
00949e479d
8
_service
8
_service
@ -7,14 +7,6 @@
|
||||
<param name="changesgenerate">enable</param>
|
||||
<param name="revision">factory</param>
|
||||
</service>
|
||||
<service name="tar_scm" mode="manual">
|
||||
<param name="version">1</param>
|
||||
<param name="versionformat">%cd</param>
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="changesgenerate">enable</param>
|
||||
<param name="revision">main</param>
|
||||
</service>
|
||||
<service name="recompress" mode="manual">
|
||||
<param name="compression">xz</param>
|
||||
<param name="file">*.tar</param>
|
||||
|
@ -1,6 +1,6 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="changesrevision">167da331be8238b650e75d629a925576ca5bf70b</param></service><service name="tar_scm">
|
||||
<param name="changesrevision">3fa3ee463c968e6001607a3d25edc2f9971824d7</param></service><service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936
|
||||
size 25128
|
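--- /dev/null
+++ b/container.fc
@@ -0,0 +1,156 @@
+/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
+# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/atomic(/.*)? <<none>>
+/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
+/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)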
1044
container.if
Normal file
1044
container.if
Normal file
1416
container.te
Normal file
1416
container.te
Normal file
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f
|
||||
size 752564
|
3
selinux-policy-20230316.tar.xz
Normal file
3
selinux-policy-20230316.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4b5384b23b8bf5fe9cbd1b3da67c54a08c99b029b65b2005f345951b8763fd8a
|
||||
size 752624
|
@ -1,3 +1,31 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
|
||||
|
||||
- Update to version 20230316:
|
||||
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay
|
||||
path
|
||||
* allow kernel_t to relabel etc_t files
|
||||
* allow kernel_t to relabel sysnet config files
|
||||
* allow kernel_t to relabel systemd hwdb etc files
|
||||
* add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
|
||||
* change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
|
||||
to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
|
||||
management of config files
|
||||
* add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
|
||||
interfaces to allow labeling on etc_t, not on the broader configfiles
|
||||
attribute
|
||||
* Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
|
||||
watch permissions reported are already fixed in a current policy.
|
||||
- Reinstate update.sh and remove container-selinux from the service.
|
||||
Having both repos in there causes issues and update.sh makes the update
|
||||
process easier in general
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Remove erroneous SUSE man page. Will not be created with the
|
||||
3.5 toolchain
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 14 21:41:54 UTC 2023 - Hu <cathy.hu@suse.com>
|
||||
|
||||
|
@ -33,11 +33,13 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20230214
|
||||
Version: 20230316
|
||||
Release: 0
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: container-selinux-%{version}.tar.xz
|
||||
Source2: selinux-policy-rpmlintrc
|
||||
Source1: container.fc
|
||||
Source2: container.te
|
||||
Source3: container.if
|
||||
Source4: selinux-policy-rpmlintrc
|
||||
|
||||
Source10: modules-targeted-base.conf
|
||||
Source11: modules-targeted-contrib.conf
|
||||
@ -338,9 +340,9 @@ exit 0
|
||||
# dirty hack for container-selinux, because selinux-policy won't build without it
|
||||
# upstream does not want to include it in main policy tree:
|
||||
# see discussion in https://github.com/containers/container-selinux/issues/186
|
||||
%setup -T -D -b 1
|
||||
cp ../container-selinux-%{version}/container.* policy/modules/services/
|
||||
rm -rf ../container-selinux-%{version}
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
|
||||
cp $i policy/modules/services/
|
||||
done
|
||||
|
||||
%build
|
||||
|
||||
|
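Review bot: `cp $i policy/modules/services/` in the new loop leaves `$i` unquoted; the `%{SOURCE1}`..`%{SOURCE3}` macros expand to fixed build paths so it works today, but `cp -- "$i" policy/modules/services/` is the conventional form. With container.fc/.te/.if now shipped as loose package sources instead of the versioned `container-selinux-%{version}.tar.xz`, the spec no longer records which upstream container-selinux revision the policy module is built from, and the remaining "dirty hack" comment still describes the old tarball flow. A comment next to the loop such as `# container.{fc,if,te} are copied from upstream container-selinux (main) by update.sh` would tell the next maintainer where these files come from and how to refresh them. The enclosing section of the spec starts before this hunk.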
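--- /dev/null
+++ b/update.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'
+
+echo Update to $date
+
+old_tar_file=$(ls -1 $base_name_pattern)
+
+osc service manualrun
+
+rm -rf container-selinux
+git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux
+
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+echo delte old file $old_tar_file
+rm "$old_tar_file"
+osc addremove
+fi
+
+osc status
+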
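Review bot: `rm -f container.*` runs whether or not the preceding `git clone` succeeded, and the script never sets `set -e`, so a failed or partial clone deletes the packaged container.fc/.te/.if and the following `mv` then fails without stopping the run; add `set -eu` after the shebang so the script aborts at the first failing step, which also covers a failed `osc service manualrun`. The clone takes whatever upstream `main` is at run time and records nothing about it, so the SELinux policy module shipped by the package cannot be traced back to an upstream commit; capturing `rev=$(git -C container-selinux rev-parse HEAD)` before the checkout is removed and printing it for the changelog entry would restore that provenance. `old_tar_file=$(ls -1 $base_name_pattern)` holds several newline-joined names when more than one tarball is already present, which makes the later `rm "$old_tar_file"` fail, as the comment "Might need a better sanity check" already hints. The message `echo delte old file $old_tar_file` has a typo, `delte`.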