Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2022-06-22 16:18:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Wed Jun 22 16:18:16 2022 rev:12 rq: version:2.187.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2022-03-28 16:58:58.960840710 +0200
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.1548/container-selinux.changes
    2022-06-22 16:18:17.496539657 +0200
@@ -1,0 +2,15 @@
+Wed Jun 22 13:17:49 UTC 2022 - Frederic Crozat <fcro...@suse.com>
+
+- Update to version 2.187.0:
+  * Allow container domains to use /dev/zero
+- Changes from 2.186.0:
+  * Create policy for a container_device_t 
+  * Allow containers to shutdown & setopt userdomain:sockets
+- Changes from 2.183.0:
+  * Allow containers to inherit all socket classes from container runtimes.
+- Changes from 2.182.0:
+  * Allow containers to inherit all socket classes
+- Changes from 2.181.0:
+  * Allow socket activated domains for tcp sockets from init_t and userdomains.
+
+-------------------------------------------------------------------

Old:
----
  v2.180.0.tar.gz

New:
----
  v2.187.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.ow6Yg9/_old  2022-06-22 16:18:18.132540591 +0200
+++ /var/tmp/diff_new_pack.ow6Yg9/_new  2022-06-22 16:18:18.136540597 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.180.0
+Version:        2.187.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ v2.180.0.tar.gz -> v2.187.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.180.0/container.fc 
new/container-selinux-2.187.0/container.fc
--- old/container-selinux-2.180.0/container.fc  2022-03-03 15:20:15.000000000 
+0100
+++ new/container-selinux-2.187.0/container.fc  2022-05-24 18:37:23.000000000 
+0200
@@ -5,10 +5,10 @@
 /usr/libexec/docker/docker.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/libexec/docker/docker.*     --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/docker.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/kubelet.*           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/kubelet.*             --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/hyperkube.*         --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/hyperkube.*           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.*           --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.*             --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.*         --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.*           --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
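Review bot: The new kubelet_exec_t label on the kubelet and hyperkube entries only takes effect once the files on disk are relabeled; an already installed /usr/bin/kubelet keeps container_runtime_exec_t until then and never transitions into kubelet_t. The spec hunk on this page only bumps Version, so whether the package scriptlets run restorecon over these paths after the policy module is loaded is not visible here and is worth confirming before release. A comment next to the changed entries, `# kubelet/hyperkube now transition to kubelet_t (container.te); existing installs need a relabel`, would record that dependency for the next reader.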
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.180.0/container.if 
new/container-selinux-2.187.0/container.if
--- old/container-selinux-2.180.0/container.if  2022-03-03 15:20:15.000000000 
+0100
+++ new/container-selinux-2.187.0/container.if  2022-05-24 18:37:23.000000000 
+0200
@@ -881,3 +881,67 @@
 
        allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
 ')
+
+########################################
+## <summary>
+##     Execute container in the container domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`container_kubelet_domtrans',`
+       gen_require(`
+               type kubelet_t, kubelet_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+## <summary>
+##     Execute kubelet_exec_t in the kubelet_t domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`container_kubelet_run',`
+       gen_require(`
+               type kubelet_t;
+               class dbus send_msg;
+       ')
+
+       container_kubelet_domtrans($1)
+       role $2 types kubelet_t;
+')
+
+########################################
+## <summary>
+##     Connect to kubelet over a unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_kubelet_stream_connect',`
+       gen_require(`
+               type kubelet_t, container_var_run_t;
+       ')
+
+       files_search_pids($1)
+       stream_connect_pattern($1, container_var_run_t, container_var_run_t, 
kubelet_t)
+')
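Review bot: The summary on container_kubelet_domtrans reads `Execute container in the container domain.`, which looks copied from another interface; the rule it emits is domtrans_pattern($1, kubelet_exec_t, kubelet_t), so it should read `Execute kubelet_exec_t in the kubelet_t domain.`. In container_kubelet_run the gen_require lists `class dbus send_msg;` but the body only calls container_kubelet_domtrans and assigns the role, so that requirement is unused and can be dropped to keep the declared dependencies honest. The `<rolecap/>` tag on container_kubelet_run is correct since it binds role $2 to kubelet_t.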
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.180.0/container.te 
new/container-selinux-2.187.0/container.te
--- old/container-selinux-2.180.0/container.te  2022-03-03 15:20:15.000000000 
+0100
+++ new/container-selinux-2.187.0/container.te  2022-05-24 18:37:23.000000000 
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.180.0)
+policy_module(container, 2.187.0)
 
 gen_require(`
        class passwd rootok;
@@ -482,6 +482,7 @@
 userdom_use_inherited_user_terminals(container_runtime_domain)
 userdom_use_user_ptys(container_runtime_domain)
 userdom_connectto_stream(container_runtime_domain)
+allow container_domain init_t:socket_class_set { accept ioctl read getattr 
lock write append getopt };
 
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(container_runtime_domain)
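Review bot: The new rule grants container_domain the inherited-descriptor permissions on init_t sockets of every class via socket_class_set, whereas the changelog entry for 2.181.0 describes socket activation for tcp sockets; the same widening from per-class rules to socket_class_set appears in the hunks at @@ -851 and @@ -1168 of this file. None of the three adds create, bind or connect, so the grant is limited to sockets handed down from the peer, but it now covers netlink, packet and raw sockets as well, which the earlier per-class rules deliberately did not. A comment stating why the whole class set rather than tcp_socket is needed, e.g. `# socket-activated services: use any socket inherited from init_t`, would make the intended scope reviewable. The rule also sits inside the run of container_runtime_domain lines although its subject is container_domain, so it may be easier to find next to the other container_domain socket rules.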
@@ -836,6 +837,7 @@
 dev_getattr_mtrr_dev(container_domain)
 dev_list_sysfs(container_domain)
 dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
 
 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
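Review bot: dev_rwx_zero grants execute on the zero device in addition to read and write, which is wider than the changelog's "use /dev/zero" suggests; the execute part is what permits mapping /dev/zero with PROT_EXEC, as far as I recall the refpolicy interface. If only read and write are required, dev_rw_zero is the narrower interface; otherwise a comment such as `# rwx: runtimes that map /dev/zero executable need execute as well` would document why the wider one was chosen.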
@@ -851,9 +853,7 @@
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:unix_stream_socket { accept 
ioctl read getattr lock write append getopt setopt };
-allow container_domain container_runtime_domain:tcp_socket { accept ioctl read 
getattr lock write append getopt setopt };
-allow container_domain container_runtime_domain:udp_socket { accept ioctl read 
getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept 
ioctl read getattr lock write append getopt setopt };
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
@@ -1007,6 +1007,7 @@
 fs_manage_fusefs_named_pipes(container_domain)
 fs_exec_fusefs_files(container_domain)
 fs_unmount_xattr_fs(container_domain)
+fs_remount_xattr_fs(container_domain)
 fs_mount_fusefs(container_domain)
 fs_unmount_fusefs(container_domain)
 fs_mounton_fusefs(container_domain)
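Review bot: fs_remount_xattr_fs lets every container_domain change mount flags on xattr-labelled filesystems, which is a new ability that the changelog does not mention; it sits next to fs_unmount_xattr_fs so the two read as a pair. What a container can actually do with it is presumably still bounded by its capabilities and mount namespace, but a one-line comment naming the use case, e.g. `# remount: runtimes flip the rootfs read-only after setup`, would tell the next reviewer why the grant is there.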
@@ -1168,7 +1169,7 @@
 
        allow staff_t container_runtime_t:process signal_perms;
        allow staff_t container_domain:process signal_perms;
-       allow container_domain userdomain:unix_stream_socket { accept ioctl 
read getattr lock write append getopt };
+       allow container_domain userdomain:socket_class_set { accept ioctl read 
getattr lock write append getopt shutdown setopt };
 ')
 
 gen_require(`
@@ -1298,3 +1299,67 @@
 kernel_mounton_proc(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
 term_mount_pty_fs(container_engine_t)
+
+type kubelet_t, container_runtime_domain;
+domain_type(kubelet_t)
+
+optional_policy(`
+       gen_require(`
+               role unconfined_r;
+       ')
+       role unconfined_r types kubelet_t;
+       unconfined_domain(kubelet_t)
+')
+
+
+type kubelet_exec_t;
+application_executable_file(kubelet_exec_t)
+can_exec(container_runtime_t, kubelet_exec_t)
+allow kubelet_t kubelet_exec_t:file entrypoint;
+
+ifdef(`enable_mcs',`
+       init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - 
mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+       init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - 
mls_systemhigh)
+')
+mls_trusted_object(kubelet_t)
+
+init_daemon_domain(kubelet_t, kubelet_exec_t)
+
+admin_pattern(kubelet_t, kubernetes_file_t)
+
+optional_policy(`
+       gen_require(`
+               type sysadm_t;
+               role sysadm_r;
+               attribute userdomain;
+               role unconfined_r;
+       ')
+
+       container_kubelet_run(sysadm_t, sysadm_r)
+
+       unconfined_run_to(kubelet_t, kubelet_exec_t)
+       role_transition unconfined_r kubelet_exec_t system_r;
+')
+
+# Standard container which needs to be allowed to use any device
+container_domain_template(container_device)
+allow container_device_t device_node:chr_file rw_chr_file_perms;
+
+# Standard container which needs to be allowed to use any device and
+# communicate with kubelet
+container_domain_template(container_device_plugin)
+allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_t)
+container_kubelet_stream_connect(container_device_plugin_t)
+
+# Standard container which needs to be allowed to use any device and
+# modify kubelet configuration
+container_domain_template(container_device_plugin_init)
+allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_init_t)
+manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
+manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
+manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
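Review bot: kubelet_t is declared as a container_runtime_domain and then, inside the first optional_policy of the hunk, given unconfined_domain, so when the unconfined module is present the new type is a labeling change rather than a confinement: container_kubelet_domtrans and container_kubelet_stream_connect give callers a distinct target to write rules against, but kubelet_t itself is not restricted by the rules that follow. A short comment above `type kubelet_t, container_runtime_domain;` saying so would stop readers from taking the admin_pattern and init_daemon_domain lines as the full set of what kubelet may do. container_device_plugin_init_t receives manage permissions on kubernetes_file_t, the same label kubelet_t administers, which makes a device-plugin init container a sanctioned path to alter kubelet configuration; the comment at the template says this is intended, but the changelog entry for 2.186.0 only mentions container_device_t, so it is worth stating there too. kubernetes_file_t, device_node and unconfined_run_to are not required in this hunk, so they are presumably declared earlier in container.te; the double blank line after the first optional_policy is a small style nit.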
