Accepting request 1297768 from security:SELinux

update to 2.240.0

OBS-URL: https://build.opensuse.org/request/show/1297768
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/container-selinux?expand=0&rev=30

_service

@@ -6,7 +6,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="match-tag">v*</param>
-    <param name="revision">main</param>
+    <param name="revision">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
   </service>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/container-selinux.git</param>
-              <param name="changesrevision">a68865582e123856c191fe0ecbbba9301758e591</param></service></servicedata>
+              <param name="changesrevision">10cc7ecacd631368e23691a77dbfe63ac6ca855f</param></service></servicedata>

container-selinux-2.232.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1acd56a634e738cfa61f469564850942c261529e4bf3557ef9723067bd536757
-size 28860

container-selinux-2.240.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cca742899b757bb775b7852cefc83defd8ba5dd4e89a1a77e5833fb002efa60
+size 27832

container-selinux.changes

@@ -1,3 +1,98 @@
+-------------------------------------------------------------------
+Tue Aug 05 14:21:07 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
+
+- Update to version 2.240.0:
+  * Dontaudit dac_override for iptables_t
+    * dropping rootless-docker_iptables.patch is upstream
+  * Don't allow containers by default setexec setfscreate
+  * Containers need to use hsa devices for ROCM
+
+-------------------------------------------------------------------
+Thu Jul 24 12:22:54 UTC 2025 - Robert Frohl <rfrohl@suse.com>
+
+- Add workaround for rootless docker iptables AVCs (bsc#1246348)
+  adding rootless-docker_iptables.patch
+
+-------------------------------------------------------------------
+Mon Jul  7 08:41:20 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 2.239.0:
+  * Allow containers to use hsa devices for ROCM
+
+-------------------------------------------------------------------
+Mon Jun 02 07:13:46 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 2.238.0:
+  * label /run/sysctl.d correctly on creation
+
+-------------------------------------------------------------------
+Tue Apr 29 08:47:24 UTC 2025 - jsegitz@suse.com
+
+- Update to version 2.237.0:
+  * bootc/install_t: allow transition to container_runtime_t
+  * Allow containers to mask parts of their /proc
+
+-------------------------------------------------------------------
+Mon Mar 31 12:35:29 UTC 2025 - jsegitz@suse.com
+
+- Update to version 2.236.0:
+  * Allow super privileged containers to use RealtimeKit for scheduling
+  * Add container_ro_file_t to the podman artifact store
+
+-------------------------------------------------------------------
+Wed Mar 05 17:15:45 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 2.235.0:
+  * Bump to v2.235.0
+  * OWNERS: add wrabcak and zpytela
+  * OWNERS: initial commit
+  * container_log{reader,writer}_t: allow watch file
+  * RPM: Update gating config
+  * Enable aarch64 testing
+  * TMT: simplify podman tests
+  * feat: support /var/lib/crio
+
+-------------------------------------------------------------------
+Tue Feb  4 13:56:57 UTC 2025 - Robert Frohl <rfrohl@suse.com>
+
+- OBS service file: use the tagged commit for archive versioning and don't
+  just archive the latest changes from the main branch using the latest tag
+
+-------------------------------------------------------------------
+Fri Jan 10 10:08:37 UTC 2025 - rfrohl@suse.com
+
+- Update to version 2.234.2:
+  * TMT: enable epel idomatically
+  * Packit: switch back to fedora-all
+  * RPM: Bump Epoch to 4
+  * rpm: ship manpage
+  * Add proper labeling for RamaLama
+  * Packit: remove rhel / epel jobs
+  * packit: remove unused file
+
+-------------------------------------------------------------------
+Thu Jan  9 14:16:15 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
+
+- Add BuildRequires selinux-policy-%{selinuxtype} to enable building
+  for SLFO. Might be removed in the future again when 1231252
+  is fixed.
+
+-------------------------------------------------------------------
+Thu Nov 07 12:04:40 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 2.233.0:
+  * container_engine_t: small change to allow non root exec in a container
+  * RPM: explicitly list ghosted paths and skip mode verification
+  * container-selinux install on non selinux-policy-targeted systems (#332)
+  * set container_log_t type for /var/log/kube-apiserver
+  * Allow kubelet_t to create a sock file kubelet_var_lib_t
+  * dontaudit spc_t to mmap_zero
+  * Packit: update targets (#330)
+  * container_engine_t: another round of small improvements (#327)
+  * Allow container_device_plugin_t to use the network (#325)
+  * RPM: cleanup changelog (#324)
+  * TMT: Simplify tests
+
 -------------------------------------------------------------------
 Wed Jul 10 07:52:16 UTC 2024 - cathy.hu@suse.com
 

container-selinux.spec

@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.232.1
+Version:        2.240.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only
@@ -34,6 +34,7 @@ URL:            https://github.com/containers/container-selinux
 Source0:        container-selinux-%{version}.tar.xz
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
+BuildRequires:  selinux-policy-%{selinuxtype}
 Requires:       selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
 Requires(posttrans): policycoreutils
 Requires(posttrans): /usr/bin/sed
@@ -62,6 +63,8 @@ install -d %{buildroot}/%{_datadir}/containers/selinux
 install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
 install -d %{buildroot}%{_datadir}/udica/templates
 install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
+install -d %{buildroot}%{_mandir}/man8/
+install -pm 0644 container_selinux.8 %{buildroot}%{_mandir}/man8/
 
 %check
 
@@ -98,5 +101,6 @@ matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedi
 %dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates
 %{_datadir}/udica/templates/*
+%{_mandir}/man8/container_selinux.8*
 
 %changelog