Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2023-03-22 22:29:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Mar 22 22:29:18 2023 rev:44 rq:1073587 version:20230321 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2023-03-07 16:48:31.977015764 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.31432/selinux-policy.changes 2023-03-22 22:29:23.349814974 +0100 @@ -1,0 +2,28 @@ +Tue Mar 21 15:37:23 UTC 2023 - jseg...@suse.com + +- Update to version 20230321: + * make kernel_t unconfined again + +------------------------------------------------------------------- +Thu Mar 16 15:43:19 UTC 2023 - jseg...@suse.com + +- Update to version 20230316: + * prevent labeling of overlayfs filesystems based on the /var/lib/overlay + path + * allow kernel_t to relabel etc_t files + * allow kernel_t to relabel sysnet config files + * allow kernel_t to relabel systemd hwdb etc files + * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files + * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply + to files and lnk_files. lnk_files are commonly used in SUSE to allow easy + management of config files + * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic + interfaces to allow labeling on etc_t, not on the broader configfiles + attribute + * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The + watch permissions reported are already fixed in a current policy. +- Reinstate update.sh and remove container-selinux from the service. + Having both repos in there causes issues and update.sh makes the update + process easier in general. Updated README.Update + +------------------------------------------------------------------- 
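Review bot: the 20230321 entry "make kernel_t unconfined again" in this hunk records a loosening of the policy for the kernel-thread and early-boot domain with no bug reference or rationale, unlike the bsc#1207962 item in the 20230316 entry below it. The 20230316 entry had just given kernel_t narrowly scoped relabel permissions on etc_t, sysnet and systemd hwdb files; the new entry should state why those targeted grants turned out to be insufficient and link the bug or git commit, so a later reviewer can tell whether unconfining kernel_t is a permanent decision or a stop-gap that is expected to be reverted.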
@@ -5,0 +34,131 @@ + +------------------------------------------------------------------- +Tue Feb 14 21:41:54 UTC 2023 - Hu <cathy...@suse.com> + +- Complete packaging rework: Move policy to git repository and + only use tar_scm obs service to refresh from there: + https://gitlab.suse.de/selinux/selinux-policy + + Please use `osc service manualrun` to update this OBS package to the + newest git version. + + * Added README.Update describing how to update this package + * Added _service file that pulls from selinux-policy and + upstream container-selinux and tars them + * Adapted selinux-policy.spec to build selinux-policy with + container-selinux + * Removed update.sh as no longer needed + * Removed suse specific modules as they are now covered by git commits + * packagekit.te packagekit.if packagekit.fc + * rebootmgr.te rebootmgr.if rebootmgr.fc + * rtorrent.te rtorrent.if rtorrent.fc + * wicked.te wicked.if wicked.fc + * Removed *.patch as they are now covered by git commits: + * distro_suse_to_distro_redhat.patch + * dontaudit_interface_kmod_tmpfs.patch + * fix_accountsd.patch + * fix_alsa.patch + * fix_apache.patch + * fix_auditd.patch + * fix_authlogin.patch + * fix_automount.patch + * fix_bitlbee.patch + * fix_chronyd.patch + * fix_cloudform.patch + * fix_colord.patch + * fix_corecommand.patch + * fix_cron.patch + * fix_dbus.patch + * fix_djbdns.patch + * fix_dnsmasq.patch + * fix_dovecot.patch + * fix_entropyd.patch + * fix_firewalld.patch + * fix_fwupd.patch + * fix_geoclue.patch + * fix_hypervkvp.patch + * fix_init.patch + * fix_ipsec.patch + * fix_iptables.patch + * fix_irqbalance.patch + * fix_java.patch + * fix_kernel.patch + * fix_kernel_sysctl.patch + * fix_libraries.patch + * fix_locallogin.patch + * fix_logging.patch + * fix_logrotate.patch + * fix_mcelog.patch + * fix_miscfiles.patch + * fix_nagios.patch + * fix_networkmanager.patch + * fix_nis.patch + * fix_nscd.patch + * fix_ntp.patch + * fix_openvpn.patch + * fix_postfix.patch + * fix_rpm.patch 
+ * fix_rtkit.patch + * fix_screen.patch + * fix_selinuxutil.patch + * fix_sendmail.patch + * fix_smartmon.patch + * fix_snapper.patch + * fix_sslh.patch + * fix_sysnetwork.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_userdomain.patch + * fix_usermanage.patch + * fix_wine.patch + * fix_xserver.patch + * sedoctool.patch + * systemd_domain_dyntrans_type.patch + +------------------------------------------------------------------- +Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz <jseg...@suse.com> + +- Update to version 20230206. Refreshed: + * fix_entropyd.patch + * fix_networkmanager.patch + * fix_systemd_watch.patch + * fix_unconfineduser.patch +- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is + necessary as plymouth doesn't run in it's own domain in early boot + +------------------------------------------------------------------- +Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jseg...@suse.com> + +- Update to version 20230125. Refreshed: + * distro_suse_to_distro_redhat.patch + * fix_dnsmasq.patch + * fix_init.patch + * fix_ipsec.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_rpm.patch + * fix_selinuxutil.patch + * fix_systemd_watch.patch + * fix_userdomain.patch +- More flexible lib(exec) matching in fix_fwupd.patch +- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch +- Dropped fix_container.patch, is now upstream +- Added fix_entropyd.patch + * Added new interface entropyd_semaphore_filetrans to properly transfer + semaphore created during early boot. That doesn't work yet, so work + around with next item + * Allow reading tempfs files +- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace + to allow kmod_tmpfs_t files to be executed. 
Necessary for firewalld +- Added fix_rtkit.patch to fix labeling of binary +- Modified fix_ntp.patch: + * Proper labeling for start-ntpd + * Fixed label rules for chroot path + * Temporarily allow dac_override for ntpd_t (bsc#1207577) + * Add interface ntp_manage_pid_files to allow management of pid + files +- Updated fix_networkmanager.patch to allow managing ntp pid files Old: ---- distro_suse_to_distro_redhat.patch dontaudit_interface_kmod_tmpfs.patch fedora-policy-20221019.tar.bz2 fix_accountsd.patch fix_alsa.patch fix_apache.patch fix_auditd.patch fix_authlogin.patch fix_automount.patch fix_bitlbee.patch fix_chronyd.patch fix_cloudform.patch fix_colord.patch fix_container.patch fix_corecommand.patch fix_cron.patch fix_dbus.patch fix_djbdns.patch fix_dnsmasq.patch fix_dovecot.patch fix_firewalld.patch fix_fwupd.patch fix_geoclue.patch fix_hypervkvp.patch fix_init.patch fix_ipsec.patch fix_iptables.patch fix_irqbalance.patch fix_java.patch fix_kernel_sysctl.patch fix_libraries.patch fix_locallogin.patch fix_logging.patch fix_logrotate.patch fix_mcelog.patch fix_miscfiles.patch fix_nagios.patch fix_networkmanager.patch fix_nis.patch fix_nscd.patch fix_ntp.patch fix_openvpn.patch fix_postfix.patch fix_rpm.patch fix_screen.patch fix_selinuxutil.patch fix_sendmail.patch fix_smartmon.patch fix_snapper.patch fix_sslh.patch fix_sysnetwork.patch fix_systemd.patch fix_systemd_watch.patch fix_thunderbird.patch fix_unconfined.patch fix_unconfineduser.patch fix_unprivuser.patch fix_userdomain.patch fix_usermanage.patch fix_wine.patch fix_xserver.patch packagekit.fc packagekit.if packagekit.te rebootmgr.fc rebootmgr.if rebootmgr.te rtorrent.fc rtorrent.if rtorrent.te sedoctool.patch systemd_domain_dyntrans_type.patch wicked.fc wicked.if wicked.te New: ---- README.Update _service _servicedata container.fc container.if container.te selinux-policy-20230321.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ 
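Review bot: in the second .changes hunk, the Jan 16 entry grants dac_override to ntpd_t "Temporarily" under bsc#1207577 and the fix_entropyd.patch item admits that its entropyd_semaphore_filetrans interface "doesn't work yet" and is worked around by allowing reads of "tempfs" files, yet no later entry says either workaround was removed; once the patches were folded into the git tree (Feb 14 entry) the .changes file no longer shows whether those grants are still carried. Add a line to the 20230321 entry saying whether dac_override for ntpd_t and the entropyd workaround were dropped or remain, so the bug reference stays tied to something reviewable. Minor: "interace" and "it's own domain" in this hunk should read "interface" and "its own domain".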
++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.pBseQs/_old 2023-03-22 22:29:24.313819825 +0100 +++ /var/tmp/diff_new_pack.pBseQs/_new 2023-03-22 22:29:24.317819845 +0100 @@ -33,10 +33,15 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20221019 +Version: 20230321 Release: 0 -Source: fedora-policy-%{version}.tar.bz2 -Source1: selinux-policy-rpmlintrc +Source0: %{name}-%{version}.tar.xz +Source1: container.fc +Source2: container.te +Source3: container.if +Source4: selinux-policy-rpmlintrc +Source5: README.Update +Source6: update.sh Source10: modules-targeted-base.conf Source11: modules-targeted-contrib.conf 
@@ -70,88 +75,6 @@ #Source93: config.tgz Source94: file_contexts.subs_dist Source95: macros.selinux-policy -Source96: update.sh - -Source120: packagekit.te -Source121: packagekit.if -Source122: packagekit.fc -Source123: rtorrent.te -Source124: rtorrent.if -Source125: rtorrent.fc -Source126: wicked.te -Source127: wicked.if -Source128: wicked.fc -Source129: rebootmgr.te -Source130: rebootmgr.if -Source131: rebootmgr.fc - -Patch000: distro_suse_to_distro_redhat.patch -Patch001: fix_djbdns.patch -Patch002: fix_dbus.patch -Patch004: fix_java.patch -Patch006: fix_thunderbird.patch -Patch007: fix_postfix.patch -Patch008: fix_nscd.patch -Patch009: fix_sysnetwork.patch -Patch010: fix_logging.patch -Patch011: fix_xserver.patch -Patch012: fix_miscfiles.patch -Patch013: fix_init.patch -Patch014: fix_locallogin.patch -Patch016: fix_iptables.patch -Patch017: fix_irqbalance.patch -Patch018: fix_ntp.patch -Patch019: fix_fwupd.patch -Patch020: fix_firewalld.patch -Patch021: fix_logrotate.patch -Patch022: fix_selinuxutil.patch -Patch024: fix_corecommand.patch -Patch025: fix_snapper.patch -Patch026: fix_systemd.patch -Patch027: fix_unconfined.patch -Patch028: fix_unconfineduser.patch -Patch029: fix_chronyd.patch -Patch030: fix_networkmanager.patch -Patch032: fix_accountsd.patch -Patch033: fix_automount.patch -Patch034: fix_colord.patch -Patch035: fix_mcelog.patch -Patch036: fix_sslh.patch -Patch037: fix_nagios.patch -Patch038: fix_openvpn.patch -Patch039: fix_cron.patch -Patch040: fix_usermanage.patch -Patch041: fix_smartmon.patch -Patch042: fix_geoclue.patch -Patch044: fix_authlogin.patch -Patch045: fix_screen.patch -Patch046: fix_unprivuser.patch -Patch047: fix_rpm.patch -Patch048: fix_apache.patch -Patch049: fix_nis.patch -Patch050: fix_libraries.patch -Patch051: fix_dovecot.patch -# https://github.com/cockpit-project/cockpit/pull/15758 -#Patch052: fix_cockpit.patch -Patch053: fix_systemd_watch.patch -# kernel specific sysctl.conf (boo#1184804) -Patch054: fix_kernel_sysctl.patch 
-Patch055: fix_auditd.patch -Patch056: fix_wine.patch -Patch057: fix_hypervkvp.patch -Patch058: fix_bitlbee.patch -Patch059: systemd_domain_dyntrans_type.patch -Patch060: fix_dnsmasq.patch -Patch061: fix_userdomain.patch -Patch062: fix_cloudform.patch -Patch063: fix_alsa.patch -Patch064: dontaudit_interface_kmod_tmpfs.patch -Patch065: fix_sendmail.patch -Patch066: fix_ipsec.patch -# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included -Patch067: fix_container.patch - -Patch100: sedoctool.patch URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -412,7 +335,16 @@ exit 0 %prep -%autosetup -n fedora-policy-%{version} -p1 + +# set up selinux-policy +%autosetup -n %{name}-%{version} -p1 + +# dirty hack for container-selinux, because selinux-policy won't build without it +# upstream does not want to include it in main policy tree: +# see discussion in https://github.com/containers/container-selinux/issues/186 +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do + cp $i policy/modules/services/ +done %build 
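Review bot: in the %prep hunk, the three container-selinux sources (%{SOURCE1} %{SOURCE2} %{SOURCE3}) are copied into policy/modules/services/ unconditionally, and nothing in the spec records which container-selinux revision they were taken from; with every other input now coming from the pinned git tree, the container policy is the one unpinned part of the build. Since the comment already explains why the files cannot live in the main policy tree (container-selinux issue 186), record the container-selinux commit next to that comment whenever container.* is refreshed, so the build input is reproducible from the package alone. Also, `%autosetup -n %{name}-%{version} -p1` now applies no patches at all after Patch000 through Patch100 were removed; the `-p1` is harmless but can be dropped.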
@@ -439,10 +371,6 @@ cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do - cp $i policy/modules/contrib -done - make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow
++++++ README.Update ++++++
# How to update this project

This project is updated using obs services. The obs services pull from git repositories, which are specified in the `_service` file. Please contribute all changes to the upstream git repositories listed there.

To update this project to the upstream versions, please make sure you installed these obs services locally:

```
sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files
```

Then, generate new tarballs, changelog and version number for this repository by running this command:

```
sh update.sh
```

Afterwards, please check your local project state and remove old tarballs if necessary. Then proceed as usual with check-in and build.
++++++ _service ++++++ <services> <service name="tar_scm" mode="manual"> <param name="version">1</param> <param name="versionformat">%cd</param> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> <param name="revision">factory</param> </service> <service name="recompress" mode="manual"> <param name="compression">xz</param> <param name="file">*.tar</param> </service> <service name="set_version" mode="manual" > <param name="file">selinux-policy.spec</param> </service> </services> ++++++ _servicedata ++++++ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> <param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata> (No newline at EOF) ++++++ container.fc ++++++ /root/\.docker gen_context(system_u:object_r:container_home_t,s0) /usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/containerd.* 
-- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0) /usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0) /usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/bin/rhel-push-plugin -- 
gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) /usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) /usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0) /exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) # The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir. /var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0) # "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode. /var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0) # "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode. # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it. /var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0) /var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/atomic(/.*)? <<none>> /var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0) /var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/overlay2-layers(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) /var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) /var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/run/containers(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) /var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) /var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) /var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) /var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) /srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) /etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0) ++++++ container.te ++++++ ++++ 1425 lines (skipped) ++++++ update.sh ++++++ --- /var/tmp/diff_new_pack.pBseQs/_old 2023-03-22 22:29:24.725821897 +0100 +++ /var/tmp/diff_new_pack.pBseQs/_new 2023-03-22 22:29:24.729821918 +0100 
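Review bot: the new _servicedata file above still carries a second tar_scm entry for https://github.com/containers/container-selinux.git with changesrevision 07b3034f6d9625ab84508a2f46515d8ff79b4204, but the _service file defines only the selinux-policy tar_scm service and the 20230316 changes entry says container-selinux was removed from the service; drop the stale entry (or regenerate the file with `osc service manualrun`) so that revision is not mistaken for the one container.fc/.if/.te were actually taken from. In container.fc, the two buildkit lines `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` use `(/.*?)` where every other directory pattern in the file uses `(/.*)?`: as written the group is mandatory, so the executor and containerd-<SNAPSHOTTER> directories themselves do not match these lines and fall back to the broader `/var/lib/buildkit(/.*)?` rule (container_var_lib_t) rather than container_ro_file_t. Since the file is copied verbatim from upstream, report it there rather than patching it here.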
@@ -1,24 +1,28 @@ #!/bin/sh date=$(date '+%Y%m%d') +base_name_pattern='selinux-policy-*.tar.xz' echo Update to $date -rm -rf fedora-policy container-selinux +old_tar_file=$(ls -1 $base_name_pattern) -git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git -git clone --depth 1 https://github.com/containers/container-selinux.git +osc service manualrun -mv selinux-policy fedora-policy-$date -rm -rf fedora-policy-$date/.git* -mv container-selinux/container.* fedora-policy-$date/policy/modules/services/ - -rm -f fedora-policy?$date.tar* -tar cf fedora-policy-$date.tar fedora-policy-$date -bzip2 fedora-policy-$date.tar -rm -rf fedora-policy-$date container-selinux +rm -rf container-selinux +git clone --depth 1 https://github.com/containers/container-selinux.git +rm -f container.* +mv container-selinux/container.* . +rm -rf container-selinux + +# delete old files. Might need a better sanity check +tar_cnt=$(ls -1 $base_name_pattern | wc -l) +if [ $tar_cnt -gt 1 ]; then + echo delte old file $old_tar_file + rm "$old_tar_file" + osc addremove +fi -sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec +osc status -echo "remove old tar file, then osc addremove"
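Review bot: in the update.sh hunk, `rm -f container.*` runs before the result of the fresh `git clone --depth 1` has been checked and the script has no `set -e`, so a failed or partial clone leaves the package without container.fc/.if/.te and the script carries on to `osc status` as if nothing happened; the clone also takes whatever the default branch is at that moment, with no revision recorded anywhere. Add `set -e` after the shebang, clone into a temporary directory and only replace container.* once the `mv` succeeds, and print `git -C container-selinux rev-parse HEAD` so the revision can be pasted into the .changes entry. The old-tarball cleanup is fragile in the way the comment admits: `old_tar_file=$(ls -1 $base_name_pattern)` holds every matching name, so with two stale tarballs `rm "$old_tar_file"` errors and removes nothing, and on a fresh checkout with no tarball `tar_cnt` is 1 after the service run, so `osc addremove` is never executed and the new tarball is not added. Iterate over the pattern with a `for` loop, skip the newly generated file, and run `osc addremove` unconditionally; also fix the typo "delte" in the echo.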