Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2023-04-25 16:53:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux" Tue Apr 25 16:53:19 2023 rev:17 rq:1082387 version:2.211.0 Changes: -------- --- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2023-03-31 21:15:06.610283517 +0200 +++ /work/SRC/openSUSE:Factory/.container-selinux.new.1533/container-selinux.changes 2023-04-25 16:53:22.246121928 +0200 @@ -1,0 +2,11 @@ +Mon Apr 24 07:24:46 UTC 2023 - Johannes Segitz <jseg...@suse.com> + +- Update to version 2.211.0: + * Don't transition to initrc_t domains from spc_t + * Add tunable to allow sshd_t to launch container engines + * Allow syslogd_t gettatr on inheritited runtime tmpfs files + * Add container_file_t and container_ro_file_t as user_home_type + * Set default context for local-path-provisioner + * Allow daemon to send dbus messages to spc_t by + +------------------------------------------------------------------- Old: ---- v2.206.0.tar.gz New: ---- v2.211.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++ --- /var/tmp/diff_new_pack.9Ez1Ka/_old 2023-04-25 16:53:22.718126794 +0200 +++ /var/tmp/diff_new_pack.9Ez1Ka/_new 2023-04-25 16:53:22.722126835 +0200 @@ -26,7 +26,7 @@ # Version of SELinux we were using %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}') Name: container-selinux -Version: 2.206.0 +Version: 2.211.0 Release: 0 Summary: SELinux policies for container runtimes License: GPL-2.0-only ++++++ v2.206.0.tar.gz -> v2.211.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/.fmf/version new/container-selinux-2.211.0/.fmf/version --- old/container-selinux-2.206.0/.fmf/version 1970-01-01 01:00:00.000000000 +0100 +++ new/container-selinux-2.211.0/.fmf/version 2023-04-22 13:28:56.000000000 +0200 
@@ -0,0 +1 @@
+1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/.packit.yaml new/container-selinux-2.211.0/.packit.yaml
--- old/container-selinux-2.206.0/.packit.yaml 2023-03-21 21:03:07.000000000 +0100
+++ new/container-selinux-2.211.0/.packit.yaml 2023-04-22 13:28:56.000000000 +0200
@@ -1,3 +1,4 @@
+---
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
@@ -14,6 +15,14 @@
 owner: rhcontainerbot
 project: packit-builds
 enable_net: true
+ # x86_64 is assumed by default
+ # container-selinux is noarch so we only need to test on one arch
+ targets: &pr_copr_targets
+ - fedora-rawhide
+ - fedora-38
+ - fedora-37
+ - centos-stream-9
+ - centos-stream-8
 srpm_build_deps:
 - make
 - rpkg
@@ -28,3 +37,35 @@
 trigger: commit
 branch: main
 project: podman-next
+ targets:
+ - fedora-rawhide-aarch64
+ - fedora-rawhide-ppc64le
+ - fedora-rawhide-s390x
+ - fedora-rawhide-x86_64
+ - fedora-38-aarch64
+ - fedora-38-ppc64le
+ - fedora-38-s390x
+ - fedora-38-x86_64
+ - fedora-37-aarch64
+ - fedora-37-ppc64le
+ - fedora-37-s390x
+ - fedora-37-x86_64
+ - centos-stream+epel-next-9-aarch64
+ - centos-stream+epel-next-9-ppc64le
+ - centos-stream+epel-next-9-s390x
+ - centos-stream+epel-next-9-x86_64
+
+ # All tests specified in the `/plans/` subdir
+ # FIXME: uncomment e2e tests after disk space issues resolved on testing farm
+ #- job: tests
+ # trigger: pull_request
+ # targets: *test_targets
+ # identifier: podman_e2e_test
+ # tmt_plan: "/plans/podman_e2e_test"
+
+ - job: tests
+ trigger: pull_request
+ # arch assumed to be x86_64 by default.
+ targets: *pr_copr_targets
+ identifier: podman_system_test
+ tmt_plan: "/plans/podman_system_test"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/container.fc new/container-selinux-2.211.0/container.fc
--- old/container-selinux-2.206.0/container.fc 2023-03-21 21:03:07.000000000 +0100
+++ new/container-selinux-2.211.0/container.fc 2023-04-22 13:28:56.000000000 +0200
@@ -116,6 +116,8 @@
 /var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/(var|opt)/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
 /var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/container.if new/container-selinux-2.211.0/container.if
--- old/container-selinux-2.206.0/container.if 2023-03-21 21:03:07.000000000 +0100
+++ new/container-selinux-2.211.0/container.if 2023-04-22 13:28:56.000000000 +0200
@@ -997,7 +997,6 @@
 interface(`container_kubelet_run',`
 gen_require(`
 type kubelet_t;
- class dbus send_msg;
 ')
 container_kubelet_domtrans($1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/container.te new/container-selinux-2.211.0/container.te
--- old/container-selinux-2.206.0/container.te 2023-03-21 21:03:07.000000000 +0100
+++ new/container-selinux-2.211.0/container.te 2023-04-22 13:28:56.000000000 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.206.0)
+policy_module(container, 2.211.0)
 gen_require(`
 class passwd rootok;
@@ -19,6 +19,13 @@
 ## <desc>
 ## <p>
+## Determine whether sshd can launch container engines
+## </p>
+## </desc>
+gen_tunable(sshd_launch_containers, false)
+
+## <desc>
+## <p>
 ## Allow containers to use any device volume mounted into container
 ## </p>
 ## </desc>
@@ -77,7 +84,6 @@
 type spc_t, container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
-init_initrc_domain(spc_t)
 type container_auth_t alias docker_auth_t;
 type container_auth_exec_t alias docker_auth_exec_t;
@@ -124,6 +130,7 @@
 typealias container_ro_file_t alias { container_share_t docker_share_t };
 files_mountpoint(container_ro_file_t)
+userdom_user_home_content(container_ro_file_t)
 type container_port_t alias docker_port_t;
 corenet_port(container_port_t)
@@ -577,7 +584,6 @@
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
-
 optional_policy(`
 files_search_all(container_domain)
 container_read_share_files(container_domain)
@@ -725,6 +731,7 @@
 # This should eventually be in upstream policy.
 # https://github.com/fedora-selinux/selinux-policy/pull/806
 allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+ allow daemon spc_t:dbus send_msg;
 ')
 optional_policy(`
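Review bot: `userdom_user_home_content(container_ro_file_t)` at -124 (and `user_home_type` on container_file_t in the -808 hunk on the next line) attaches the user_home_type attribute to types that are also used far outside home directories — container storage under /var/lib, /var/lib/kubernetes/pods and the `/(var|opt)/local-path-provisioner` paths this same update labels container_file_t — so every rule in the base policy written against user_home_type (user domains plus any daemon granted user-home-content access) now reaches those locations as well. If the intent is rootless storage under $HOME (the commit does not say), that widening should at least be recorded next to the typeattribute line, e.g. `# user_home_type is location-independent: this also exposes system container storage to user_home_type rules`; otherwise a dedicated home-content type would keep the two uses apart.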
@@ -808,7 +815,7 @@
 ')
 container_manage_files_template(container, container)
-typeattribute container_file_t container_file_type;
+typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
 allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
@@ -993,7 +1000,6 @@
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
-
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1413,7 +1419,7 @@
 type syslogd_t;
 ')
- allow syslogd_t container_runtime_tmpfs_t:file { read write };
+ allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
 logging_send_syslog_msg(container_runtime_t)
 ')
@@ -1424,3 +1430,14 @@
 manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+
+tunable_policy(`sshd_launch_containers',`
+ gen_require(`
+ type sshd_t;
+ type systemd_logind_t;
+ type iptables_var_run_t;
+ ')
+
+ container_runtime_domtrans(sshd_t)
+ dontaudit systemd_logind_t iptables_var_run_t:dir read;
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/plans/common_setup.sh new/container-selinux-2.211.0/plans/common_setup.sh
--- old/container-selinux-2.206.0/plans/common_setup.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.211.0/plans/common_setup.sh 2023-04-22 13:28:56.000000000 +0200
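Review bot: The `tunable_policy(`sshd_launch_containers',`` block at -1424 declares sshd_t, systemd_logind_t and iptables_var_run_t in a top-level `gen_require`, which makes them hard requirements of the module rather than optional ones, so the module would fail to load on a policy where the ssh, systemd or iptables modules are absent; the syslogd_t block at -1413 appears to wrap its gen_require in `optional_policy(`` and this block should be wrapped the same way, `optional_policy(`` before `tunable_policy(`sshd_launch_containers',`` and a matching `')` after it. The `dontaudit systemd_logind_t iptables_var_run_t:dir read;` inside it concerns neither sshd_t nor the boolean's stated purpose, so a one-line comment giving the denial it silences would let a reader judge whether it belongs under this boolean. The tunable's description at -19 on the previous line should also say what turning it on grants — that sshd_t may domain-transition into the container runtime domain via `container_runtime_domtrans(sshd_t)` — since that text is what policy documentation tools surface.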
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Clean all prior dnf metadata
+dnf clean all
+
+# Disable rhcontainerbot/packit-builds to avoid testing with
+# packages built from unmerged content of other repos.
+dnf -y copr disable rhcontainerbot/packit-builds
+
+# Fetch podman and other dependencies from rhcontainerbot/podman-next.
+. /etc/os-release
+if [ $(NAME) == "CentOS Stream" ]; then
+ dnf -y copr enable rhcontainerbot/podman-next centos-stream+epel-next-$(VERSION)
+else
+ dnf -y copr enable rhcontainerbot/podman-next
+fi
+dnf -y --disablerepo=testing-farm-* install bats golang podman podman-tests
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/plans/main.fmf new/container-selinux-2.211.0/plans/main.fmf
--- old/container-selinux-2.206.0/plans/main.fmf 1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.211.0/plans/main.fmf 2023-04-22 13:28:56.000000000 +0200
@@ -0,0 +1,11 @@
+/podman_e2e_test:
+ summary: Run SELinux specific Podman e2e tests
+ execute:
+ how: tmt
+ script: bash plans/podman_e2e_test.sh
+
+/podman_system_test:
+ summary: Run SELinux specific Podman system tests
+ execute:
+ how: tmt
+ script: bash plans/podman_system_test.sh
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/plans/podman_e2e_test.sh new/container-selinux-2.211.0/plans/podman_e2e_test.sh
--- old/container-selinux-2.206.0/plans/podman_e2e_test.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.211.0/plans/podman_e2e_test.sh 2023-04-22 13:28:56.000000000 +0200
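Review bot: `if [ $(NAME) == "CentOS Stream" ]; then` and `centos-stream+epel-next-$(VERSION)` use command substitution rather than parameter expansion, so bash tries to execute programs named NAME and VERSION instead of reading the variables that `. /etc/os-release` just defined; the test then either errors out or compares an empty string, and the CentOS branch is never taken. After sourcing os-release the values are plain shell variables: `if [ "$NAME" == "CentOS Stream" ]; then` and `dnf -y copr enable rhcontainerbot/podman-next "centos-stream+epel-next-$VERSION"`. The script also has no `set -euo pipefail`, so a failed `dnf` call does not abort the run and the tests proceed against whatever packages were already installed; podman_e2e_test.sh and podman_system_test.sh on the following line have the same gap.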
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copr repo setup handled in common_setup.sh
+. ./plans/common_setup.sh
+
+# Fetch and prep Podman source from latest SRPM on
+# rhcontainerbot/podman-next copr
+dnf --disablerepo=* --enablerepo=copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next download --source podman
+rpm2cpio podman*.src.rpm | cpio -di
+tar zxf podman*.tar.gz
+cd podman/test/e2e
+
+# Run SELinux specific Podman e2e tests
+PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.206.0/plans/podman_system_test.sh new/container-selinux-2.211.0/plans/podman_system_test.sh
--- old/container-selinux-2.206.0/plans/podman_system_test.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.211.0/plans/podman_system_test.sh 2023-04-22 13:28:56.000000000 +0200
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Copr repo setup handled in common_setup.sh
+. ./plans/common_setup.sh
+
+# Run Podman's SELinux system tests
+bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats
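Review bot: `cd podman/test/e2e` is unchecked and nothing earlier stops on error, so when `dnf download`, `rpm2cpio` or `tar` fails the final `go test` still runs in the original working directory; `cd podman/test/e2e || exit 1` (or `set -euo pipefail` at the top) would make the plan fail where the problem actually is. `--disablerepo=*`, `podman*.src.rpm` and `podman*.tar.gz` are unquoted globs: the first should be written `--disablerepo='*'` so the shell cannot expand it against files in the working directory, and the latter two will hand several archives to rpm2cpio/tar if more than one podman source package is present. Listing `config_amd64.go` explicitly ties the plan to x86_64, which matches the packit comment that test targets assume x86_64 but is worth stating in the comment above the `go test` line.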
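Review bot: `bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats` passes the podman binary as a positional argument, and bats treats positional arguments as test files, so `/usr/bin/podman` looks like a stray argument unless some wrapper consumes it; if the intent is to select the binary under test, podman's system-test helpers appear to read it from the environment, so `PODMAN=/usr/bin/podman bats /usr/share/podman/test/system/410-selinux.bats` would be the clearer form — worth confirming against the podman-tests package. As in common_setup.sh there is no `set -e`, so a failure while sourcing the setup script still lets the bats run start.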