Accepting request 1296255 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/1296255
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/container-selinux?expand=0&rev=29

_service

@@ -6,7 +6,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="match-tag">v*</param>
-    <param name="revision">main</param>
+    <param name="revision">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
   </service>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/container-selinux.git</param>
-              <param name="changesrevision">a68865582e123856c191fe0ecbbba9301758e591</param></service></servicedata>
+              <param name="changesrevision">36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c</param></service></servicedata>

container-selinux-2.232.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1acd56a634e738cfa61f469564850942c261529e4bf3557ef9723067bd536757
-size 28860

container-selinux.changes

@@ -1,3 +1,89 @@
+-------------------------------------------------------------------
+Thu Jul 24 12:22:54 UTC 2025 - Robert Frohl <rfrohl@suse.com>
+
+- Add workaround for rootless docker iptables AVCs (bsc#1246348)
+  adding rootless-docker_iptables.patch
+
+-------------------------------------------------------------------
+Mon Jul  7 08:41:20 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 2.239.0:
+  * Allow containers to use hsa devices for ROCM
+
+-------------------------------------------------------------------
+Mon Jun 02 07:13:46 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 2.238.0:
+  * label /run/sysctl.d correctly on creation
+
+-------------------------------------------------------------------
+Tue Apr 29 08:47:24 UTC 2025 - jsegitz@suse.com
+
+- Update to version 2.237.0:
+  * bootc/install_t: allow transition to container_runtime_t
+  * Allow containers to mask parts of their /proc
+
+-------------------------------------------------------------------
+Mon Mar 31 12:35:29 UTC 2025 - jsegitz@suse.com
+
+- Update to version 2.236.0:
+  * Allow super privileged containers to use RealtimeKit for scheduling
+  * Add container_ro_file_t to the podman artifact store
+
+-------------------------------------------------------------------
+Wed Mar 05 17:15:45 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 2.235.0:
+  * Bump to v2.235.0
+  * OWNERS: add wrabcak and zpytela
+  * OWNERS: initial commit
+  * container_log{reader,writer}_t: allow watch file
+  * RPM: Update gating config
+  * Enable aarch64 testing
+  * TMT: simplify podman tests
+  * feat: support /var/lib/crio
+
+-------------------------------------------------------------------
+Tue Feb  4 13:56:57 UTC 2025 - Robert Frohl <rfrohl@suse.com>
+
+- OBS service file: use the tagged commit for archive versioning and don't
+  just archive the latest changes from the main branch using the latest tag
+
+-------------------------------------------------------------------
+Fri Jan 10 10:08:37 UTC 2025 - rfrohl@suse.com
+
+- Update to version 2.234.2:
+  * TMT: enable epel idomatically
+  * Packit: switch back to fedora-all
+  * RPM: Bump Epoch to 4
+  * rpm: ship manpage
+  * Add proper labeling for RamaLama
+  * Packit: remove rhel / epel jobs
+  * packit: remove unused file
+
+-------------------------------------------------------------------
+Thu Jan  9 14:16:15 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
+
+- Add BuildRequires selinux-policy-%{selinuxtype} to enable building
+  for SLFO. Might be removed in the future again when 1231252
+  is fixed.
+
+-------------------------------------------------------------------
+Thu Nov 07 12:04:40 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 2.233.0:
+  * container_engine_t: small change to allow non root exec in a container
+  * RPM: explicitly list ghosted paths and skip mode verification
+  * container-selinux install on non selinux-policy-targeted systems (#332)
+  * set container_log_t type for /var/log/kube-apiserver
+  * Allow kubelet_t to create a sock file kubelet_var_lib_t
+  * dontaudit spc_t to mmap_zero
+  * Packit: update targets (#330)
+  * container_engine_t: another round of small improvements (#327)
+  * Allow container_device_plugin_t to use the network (#325)
+  * RPM: cleanup changelog (#324)
+  * TMT: Simplify tests
+
 -------------------------------------------------------------------
 Wed Jul 10 07:52:16 UTC 2024 - cathy.hu@suse.com
 

container-selinux.spec

@@ -26,14 +26,17 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.232.1
+Version:        2.239.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only
 URL:            https://github.com/containers/container-selinux
 Source0:        container-selinux-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM rootless-docker_iptables.patch https://github.com/containers/container-selinux/pull/388
+Patch01:        rootless-docker_iptables.patch
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
+BuildRequires:  selinux-policy-%{selinuxtype}
 Requires:       selinux-policy >= %(rpm -q selinux-policy --qf '%%{version}-%%{release}')
 Requires(posttrans): policycoreutils
 Requires(posttrans): /usr/bin/sed
@@ -47,6 +50,7 @@ SELinux policy modules for use with container runtimes.
 
 %prep
 %setup -q
+%patch -P 1 -p1
 
 %build
 %make_build
@@ -62,6 +66,8 @@ install -d %{buildroot}/%{_datadir}/containers/selinux
 install -m 644 container_contexts %{buildroot}/%{_datadir}/containers/selinux/contexts
 install -d %{buildroot}%{_datadir}/udica/templates
 install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
+install -d %{buildroot}%{_mandir}/man8/
+install -pm 0644 container_selinux.8 %{buildroot}%{_mandir}/man8/
 
 %check
 
@@ -98,5 +104,6 @@ matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedi
 %dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates
 %{_datadir}/udica/templates/*
+%{_mandir}/man8/container_selinux.8*
 
 %changelog

rootless-docker_iptables.patch

@@ -0,0 +1,39 @@
+commit 10cc7ecacd631368e23691a77dbfe63ac6ca855f
+Author: Robert Frohl <rfrohl@suse.com>
+Date:   Wed Jul 16 14:35:45 2025 +0200
+
+    Dontaudit dac_override for iptables_t
+    
+    There are AVCs observed during rootless docker 'systemctl --user restart
+    docker.service', but no functional impact.
+    
+    Minimal steps to reproduce:
+    
+    > sudo modprobe ip_tables
+    > # creates /proc/net/ip_tables_names
+    > systemctl --user restart docker.service
+    > # reproduces the AVCs
+    
+    ----
+    type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER
+    type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+    type=CWD msg=audit(..) : cwd=/home/user3
+    type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
+    type=AVC msg=audit(..) : avc:  denied  { dac_override } for  pid=4979 comm=iptables capability=dac_override  scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
+    ----
+    
+    Fixes: bsc#1246348
+    Signed-off-by: Robert Frohl <rfrohl@suse.com>
+
+diff --git a/container.te b/container.te
+index 9e20607..271efa8 100644
+--- a/container.te
++++ b/container.te
+@@ -465,6 +465,7 @@ optional_policy(`
+ 	container_append_file(iptables_t)
+ 	allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
+ 	allow iptables_t container_file_type:dir list_dir_perms;
++	dontaudit iptables_t self:cap_userns dac_override;
+ ')
+ 
+ optional_policy(`