From 7b4d27d1e7ab448e20bfbfcfc8cf24833db8875321430a8086547c5a17c8e902 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 12 Jan 2023 07:15:56 +0000
Subject: [PATCH 1/2] Accepting request 1057911 from home:jsegitz:branches:security:SELinux
- Add spc_timedated.patch to allow privileged containers to use timedatectl (bsc#1207054)
OBS-URL: https://build.opensuse.org/request/show/1057911
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=24
---
 container-selinux.changes | 6 ++++++
 container-selinux.spec | 3 +++
 spc_timedated.patch | 12 ++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 spc_timedated.patch
diff --git a/container-selinux.changes b/container-selinux.changes
index ef4c88c..94e0683 100644
--- a/container-selinux.changes
+++ b/container-selinux.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 11 14:15:06 UTC 2023 - Johannes Segitz
+
+- Add spc_timedated.patch to allow privileged containers to use
+ timedatectl (bsc#1207054)
+
 -------------------------------------------------------------------
 Thu Jul 14 08:37:48 UTC 2022 - Johannes Segitz
diff --git a/container-selinux.spec b/container-selinux.spec
index d059ef9..e4a7d68 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -32,6 +32,8 @@ Summary: SELinux policies for container runtimes
 License: GPL-2.0-only
 URL: https://github.com/containers/container-selinux
 Source0: https://github.com/containers/container-selinux/archive/refs/tags/v%{version}.tar.gz
+# https://github.com/containers/container-selinux/pull/199, can be dropped after this is included
+Patch0: spc_timedated.patch
 BuildRequires: selinux-policy
 BuildRequires: selinux-policy-devel
 Requires: selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
@@ -47,6 +49,7 @@ SELinux policy modules for use with container runtimes.
 %prep
 %setup -q
+%patch0 -p1
 %build
 %make_build
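Review bot: `BuildRequires: selinux-policy-devel`, two lines below the new `Patch0:` in the first spec hunk, still carries no minimum version, yet the patch it pulls in makes container.te call `systemd_dbus_chat_timedated`, an interface that has to exist in the installed policy development headers for the module to compile. If an older selinux-policy-devel in a build target lacks that interface the failure is not obvious, since as far as I can tell an unknown interface name is not caught by the surrounding `optional_policy` block. Consider pinning it the way the runtime `Requires:` on the following line already is, e.g. `BuildRequires: selinux-policy-devel >= <VERSION-THAT-PROVIDES-systemd_dbus_chat_timedated>`. The same point applies to the `systemd_dbus_chat_localed` call added by the second patch in this series.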
diff --git a/spc_timedated.patch b/spc_timedated.patch
new file mode 100644
index 0000000..57c2267
--- /dev/null
+++ b/spc_timedated.patch
@@ -0,0 +1,12 @@
+Index: container-selinux-2.188.0/container.te
+===================================================================
+--- container-selinux-2.188.0.orig/container.te
++++ container-selinux-2.188.0/container.te
+@@ -675,6 +675,7 @@ init_dbus_chat(spc_t)
+ optional_policy(`
+ systemd_dbus_chat_machined(spc_t)
+ systemd_dbus_chat_logind(spc_t)
++ systemd_dbus_chat_timedated(spc_t)
+ ')
+
+ optional_policy(`
From 1c8daaef72ed924728fec69d40a62218eaa1f1b45b3de9bb23ee3d2df64be195 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 12 Jan 2023 13:57:32 +0000
Subject: [PATCH 2/2] Accepting request 1058004 from home:jsegitz:branches:security:SELinux
- Rename spc_timedated.patch to spc.patch
- Update spc.patch to allow privileged containers to use localectl (bsc#1207077)
OBS-URL: https://build.opensuse.org/request/show/1058004
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/container-selinux?expand=0&rev=25
---
 container-selinux.changes | 7 +++++++
 container-selinux.spec | 2 +-
 spc_timedated.patch => spc.patch | 3 ++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 rename spc_timedated.patch => spc.patch (82%)
diff --git a/container-selinux.changes b/container-selinux.changes
index 94e0683..befc034 100644
--- a/container-selinux.changes
+++ b/container-selinux.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan 12 13:02:32 UTC 2023 - Johannes Segitz
+
+- Rename spc_timedated.patch to spc.patch
+- Update spc.patch to allow privileged containers to use
+ localectl (bsc#1207077)
+
 -------------------------------------------------------------------
 Wed Jan 11 14:15:06 UTC 2023 - Johannes Segitz
diff --git a/container-selinux.spec b/container-selinux.spec
index e4a7d68..348a656 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
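Review bot: The new spc_timedated.patch has no header above its `Index:` line, so the single policy line it adds, `systemd_dbus_chat_timedated(spc_t)`, carries no explanation of what it grants or where it comes from, and a reader of the patch file alone has to find the spec comment to learn it backports containers/container-selinux pull 199. A short quilt-style header such as `Backport of https://github.com/containers/container-selinux/pull/199: let super privileged containers (spc_t) talk to systemd-timedated over D-Bus (bsc#1207054)` would keep that context with the change. It would also be worth noting there that, like the `systemd_dbus_chat_logind` line it sits beside, this is presumably the full bidirectional D-Bus chat permission, so it covers timedatectl's set-time and set-ntp operations subject only to polkit, not just read-only status queries; I have not verified the interface body here. The enclosing `optional_policy` block and container.te continue outside the nested hunk.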
@@ -33,7 +33,7 @@ License: GPL-2.0-only
 URL: https://github.com/containers/container-selinux
 Source0: https://github.com/containers/container-selinux/archive/refs/tags/v%{version}.tar.gz
 # https://github.com/containers/container-selinux/pull/199, can be dropped after this is included
-Patch0: spc_timedated.patch
+Patch0: spc.patch
 BuildRequires: selinux-policy
 BuildRequires: selinux-policy-devel
 Requires: selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
diff --git a/spc_timedated.patch b/spc.patch
similarity index 82%
rename from spc_timedated.patch
rename to spc.patch
index 57c2267..6f3d665 100644
--- a/spc_timedated.patch
+++ b/spc.patch
@@ -2,11 +2,12 @@ Index: container-selinux-2.188.0/container.te
 ===================================================================
 --- container-selinux-2.188.0.orig/container.te
 +++ container-selinux-2.188.0/container.te
-@@ -675,6 +675,7 @@ init_dbus_chat(spc_t)
+@@ -675,6 +675,8 @@ init_dbus_chat(spc_t)
  optional_policy(`
  systemd_dbus_chat_machined(spc_t)
  systemd_dbus_chat_logind(spc_t)
 + systemd_dbus_chat_timedated(spc_t)
++ systemd_dbus_chat_localed(spc_t)
  ')
  optional_policy(`
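Review bot: The spec comment that this commit leaves in place above the renamed `Patch0: spc.patch`, `# https://github.com/containers/container-selinux/pull/199, can be dropped after this is included`, now describes a patch that adds two policy interfaces, `systemd_dbus_chat_timedated` and the new `systemd_dbus_chat_localed`, but cites only one upstream change. If the localed line is tracked upstream separately, the drop condition is wrong as written, because merging PR 199 alone would not make spc.patch removable. Either reference the second upstream change and bsc#1207077 in that comment or, if PR 199 covers both, say so, e.g. `# https://github.com/containers/container-selinux/pull/199 (timedated + localed), can be dropped after this is included`. The renamed spc.patch still has no descriptive header of its own, and the nested container.te hunk continues outside this one.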