Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2021-04-26 16:38:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Mon Apr 26 16:38:51 2021 rev:7 rq:887982 version:2.160.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2021-03-02 12:30:57.055602691 +0100
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.12324/container-selinux.changes
   2021-04-26 16:39:07.730028314 +0200
@@ -1,0 +2,6 @@
+Fri Apr 23 06:04:48 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Fix container runtime binary labels (bsc#1185030). You need to 
+  relable at least /usr/sbin if you're affected
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.158.0.tar.gz

New:
----
  container-selinux-2.160.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.TvLKq3/_old  2021-04-26 16:39:08.134028957 +0200
+++ /var/tmp/diff_new_pack.TvLKq3/_new  2021-04-26 16:39:08.134028957 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.158.0
+Version:        2.160.1
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ container-selinux-2.158.0.tar.gz -> container-selinux-2.160.1.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.158.0/SECURITY.md 
new/container-selinux-2.160.1/SECURITY.md
--- old/container-selinux-2.158.0/SECURITY.md   1970-01-01 01:00:00.000000000 
+0100
+++ new/container-selinux-2.160.1/SECURITY.md   2021-04-22 16:52:57.000000000 
+0200
@@ -0,0 +1,4 @@
+## Security and Disclosure Information Policy for the container-selinux Project
+
+The container-selinux Project follows the [Security and Disclosure Information 
Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the 
Containers Projects.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.158.0/container.fc 
new/container-selinux-2.160.1/container.fc
--- old/container-selinux-2.158.0/container.fc  2021-02-11 22:35:06.000000000 
+0100
+++ new/container-selinux-2.160.1/container.fc  2021-04-22 16:52:57.000000000 
+0200
@@ -4,37 +4,32 @@
 /usr/local/libexec/docker/.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/docker/docker.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/libexec/docker/docker.*     --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/bin/docker.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/bin/containerd.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/lxc-.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/lxd-.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/lxc                   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/lxd                   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/fuidshift             --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/lxc/.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/lxd/.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/podman                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/bin/podman          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/sbin/runc           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/bin/runc            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/runc                  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/sbin/runc                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/bin/crun            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/crun                  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/runc          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/container[^/]*plugin  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/rhel-push-plugin      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/sbin/rhel-push-plugin     --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/docker-latest         --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/docker-current                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/docker-novolume-plugin        --      
gen_context(system_u:object_r:container_auth_exec_t,s0)
-/usr/sbin/crio.*                       --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/sbin/crio.*                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/crio.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/bin/crio.*                  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/ocid.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/sbin/ocid.*               --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest               --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin      --      
gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.*                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/lib/docker/docker-novolume-plugin --      
gen_context(system_u:object_r:container_auth_exec_t,s0)
 /usr/lib/docker/[^/]*plugin    --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/lib/docker/[^/]*plugin      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
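Review bot: The podman entries at `/usr/bin/podman` and `/usr/local/bin/podman` are the only runtime binaries in this hunk left with a bin-only pattern while docker, containerd, lxc/lxd, runc, crun, crio and ocid all moved to `s?bin`; `/usr/bin/container[^/]*plugin` is likewise unchanged. If podman ever lands under an sbin directory on some layout it would presumably keep the generic bin label and never transition into container_runtime_t, which is the class of bug the changelog's bsc#1185030 describes, so `/usr/s?bin/podman` and `/usr/local/s?bin/podman` would make the fix consistent. For anyone applying this, the new contexts only reach already-installed binaries after a relabel (`restorecon -R /usr/sbin /usr/local/sbin`), which the changelog entry says but the spec hunk in this commit, showing only a version bump, gives no way to judge is automated in %post.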
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.158.0/container.if 
new/container-selinux-2.160.1/container.if
--- old/container-selinux-2.158.0/container.if  2021-02-11 22:35:06.000000000 
+0100
+++ new/container-selinux-2.160.1/container.if  2021-04-22 16:52:57.000000000 
+0200
@@ -493,6 +493,7 @@
        type container_home_t;
        type kubernetes_file_t;
        type container_runtime_tmpfs_t;
+       type container_kvm_var_run_t;
     ')
 
     files_pid_filetrans($1, container_var_run_t, file, "container.pid")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.158.0/container.te 
new/container-selinux-2.160.1/container.te
--- old/container-selinux-2.158.0/container.te  2021-02-11 22:35:06.000000000 
+0100
+++ new/container-selinux-2.160.1/container.te  2021-04-22 16:52:57.000000000 
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.158.0)
+policy_module(container, 2.160.0)
 gen_require(`
        class passwd rootok;
 ')
@@ -358,8 +358,10 @@
 ')
 
 optional_policy(`
-    domain_stub_named_filetrans_domain()
-    container_filetrans_named_content(named_filetrans_domain)
+       gen_require(`
+               attribute named_filetrans_domain;
+       ')
+       container_filetrans_named_content(named_filetrans_domain)
 ')
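Review bot: Moving the requirement for `named_filetrans_domain` into a `gen_require` inside `optional_policy` changes a build-time failure into a silent drop: on a policy where the attribute is absent, the whole block and with it every file-name transition from `container_filetrans_named_content` is discarded at link time and runtime-created files fall back to their parent directory's label. That is presumably fine on refpolicy-derived policies where the base `files` module always declares the attribute, and it is the only portable way to drop the stub interface, but it deserves a comment such as `# attribute comes from the base files module; block is dropped if absent` so the fallback is recognised as intentional. The stub interface being replaced is defined outside this file and cannot be checked from the hunk.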
 
 #
@@ -584,7 +586,9 @@
 ')
 
 optional_policy(`
-       unconfined_stub_role()
+       gen_require(`
+               role unconfined_r;
+       ')
        unconfined_domain(container_runtime_t)
        unconfined_run_to(container_runtime_t, container_runtime_exec_t)
        role_transition unconfined_r container_runtime_exec_t system_r;
@@ -598,6 +602,9 @@
 ')
 
 optional_policy(`
+       gen_require(`
+               type virtd_lxc_t;
+       ')
        virt_read_config(container_runtime_domain)
        virt_exec(container_runtime_domain)
        virt_stream_connect(container_runtime_domain)
@@ -610,7 +617,6 @@
 #      virt_attach_sandbox_tun_iface(container_runtime_domain)
        allow container_runtime_domain container_domain:tun_socket relabelfrom;
        virt_sandbox_entrypoint(container_runtime_domain)
-       virt_stub_lxc()
        allow container_runtime_domain virtd_lxc_t:unix_stream_socket { 
rw_stream_socket_perms connectto };
 
 ')
@@ -642,6 +648,7 @@
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom 
};
 allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
 
 init_dbus_chat(spc_t)
 
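Review bot: The new rule `allow spc_t unlabeled_t:socket_class_set create_socket_perms;` grants creation and use of every socket class on unlabeled_t objects with no comment saying what produces unlabeled sockets in a super-privileged container. Since spc_t is already the privileged container domain and sits next to the existing `manage_key_perms` grant on unlabeled_t, the widening is consistent with the domain's intent, but a one-line comment naming the AVC or issue that motivated it, for example `# spc_t containers hit unlabeled_t sockets (see <issue>)`, would stop a future audit reading it as a blanket grant. Whether the denial came from a specific socket class that could be named instead of `socket_class_set` cannot be told from the hunk.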
@@ -858,11 +865,13 @@
 domain_dontaudit_link_all_domains_keyrings(container_domain)
 domain_dontaudit_search_all_domains_keyrings(container_domain)
 
-virt_stub_svirt_sandbox_file()
 virt_sandbox_net_domain(container_t)
 
 logging_send_syslog_msg(container_t)
 
+gen_require(`
+       type container_file_t;
+')
 fs_noxattr_type(container_file_t)
 # fs_associate_cgroupfs(container_file_t)
 gen_require(`
@@ -877,7 +886,9 @@
 fs_unmount_cgroup(container_t)
 
 dev_read_rand(container_domain)
+dev_write_rand(container_domain)
 dev_read_urand(container_domain)
+dev_write_urand(container_domain)
 
 files_read_kernel_modules(container_domain)
 
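Review bot: `dev_write_rand(container_domain)` and `dev_write_urand(container_domain)` grant write access on the random devices to the whole `container_domain` attribute, i.e. every container type and not only privileged ones, and nothing in the hunk says which workload needed it. The exposure is bounded as far as I can tell, because unprivileged writes to /dev/random and /dev/urandom are mixed into the pool without crediting entropy and crediting requires the RNDADDENTROPY ioctl plus CAP_SYS_ADMIN, but that reasoning belongs next to the rule; a comment such as `# containers may feed the host pool; plain writes mix without crediting entropy` would keep the next reader from tightening or widening it blindly. It is worth confirming that the interface grants no more than write on the chr_file, since the privileged path is the ioctl one.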
@@ -1021,8 +1032,8 @@
 container_append_file(iptables_t)
 
 optional_policy(`
-       unconfined_stub_role()
        gen_require(`
+               role unconfined_r;
                type unconfined_service_t;
                type unconfined_service_exec_t;
        ')
