Hello community, here is the log from the commit of package transactional-update for openSUSE:Factory checked in at 2020-10-26 16:12:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/transactional-update (Old) and /work/SRC/openSUSE:Factory/.transactional-update.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "transactional-update"
Mon Oct 26 16:12:21 2020 rev:63 rq:843423 version:2.28
Changes:
--------
--- /work/SRC/openSUSE:Factory/transactional-update/transactional-update.changes 2020-10-18 16:18:35.620415312 +0200
+++ /work/SRC/openSUSE:Factory/.transactional-update.new.3463/transactional-update.changes 2020-10-26 16:12:55.950750426 +0100
@@ -1,0 +2,8 @@
+Thu Oct 22 12:20:38 UTC 2020 - Ignaz Forster <ifors...@suse.com>
+
+- Version 2.28
+ - Add 'setup-selinux' command for easy setup of a SELinux system
+ - Allow complex commands for the 'run' command
+ - SELinux: Fix /etc / overlay labeling
+
+-------------------------------------------------------------------
Old:
----
transactional-update-2.27.tar.gz
New:
----
transactional-update-2.28.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ transactional-update.spec ++++++
--- /var/tmp/diff_new_pack.vqSNoB/_old 2020-10-26 16:12:56.830751236 +0100
+++ /var/tmp/diff_new_pack.vqSNoB/_new 2020-10-26 16:12:56.834751241 +0100
@@ -17,7 +17,7 @@
 Name: transactional-update
-Version: 2.27
+Version: 2.28
 Release: 0
 Summary: Transactional Updates with btrfs and snapshots
 License: GPL-2.0-or-later
++++++ transactional-update-2.27.tar.gz -> transactional-update-2.28.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-2.27/NEWS new/transactional-update-2.28/NEWS
--- old/transactional-update-2.27/NEWS 2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/NEWS 2020-10-22 14:18:21.000000000 +0200
@@ -1,6 +1,11 @@
 transactional-update NEWS -- history of user-visible changes.
-Copyright (C) 2016-2019 Thorsten Kukuk et al.
+Copyright (C) 2016-2020 Thorsten Kukuk, Ignaz Forster et al.
+
+Version 2.28
+* Add 'setup-selinux' command for easy setup of a SELinux system
+* Allow complex commands for the 'run' command
+* SELinux: Fix /etc / overlay labeling
 Version 2.27
 * Add support for network systemd-resolvd network connections in t-u
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-2.27/configure.ac new/transactional-update-2.28/configure.ac
--- old/transactional-update-2.27/configure.ac 2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/configure.ac 2020-10-22 14:18:21.000000000 +0200
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT(transactional-update, 2.27)
+AC_INIT(transactional-update, 2.28)
 AM_INIT_AUTOMAKE
 AC_PREFIX_DEFAULT(/usr)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-2.27/man/transactional-update.8.xml new/transactional-update-2.28/man/transactional-update.8.xml
--- old/transactional-update-2.27/man/transactional-update.8.xml 2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/man/transactional-update.8.xml 2020-10-22 14:18:21.000000000 +0200
@@ -244,12 +244,39 @@
 <para>
 Execute the the command <replaceable>cmd</replaceable> inside a new snapshot. By default this snaphot will remain, but if
- <option>--drop-if-no-chage</option> is set, the new snapshot
+ <option>--drop-if-no-change</option> is set, the new snapshot
 will be dropped if there is no change in the file system.
 </para>
 <para>
 This command consumes all the remaining parameters, so should
- be placed the in the last position.
+ be placed in the last position.
+ </para>
+ <para>
+ To use features like command lists (e.g. pipes or separators) wrap the
+ script into a Shell command like such as
+ <programlisting>
+ transactional-update run bash -c '
+ ls && date
+ if [ true ]; then
+ echo -n "Hello "
+ echo '\''world'\''
+ fi
+ '
+ </programlisting>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>setup-selinux</option></term>
+ <listitem>
+ <para>
+ Sets up a SELinux system: Installs the default SELinux "Targeted
+ policy" and enables it.
+ </para>
+ <para>
+ This command can not be combined with any
+ <link linkend='pkg_commands'>Package Command</link> other than
+ <option>install</option>.
 </para>
 </listitem>
 </varlistentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-2.27/sbin/transactional-update.in new/transactional-update-2.28/sbin/transactional-update.in
--- old/transactional-update-2.27/sbin/transactional-update.in 2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/sbin/transactional-update.in 2020-10-22 14:18:21.000000000 +0200
@@ -45,6 +45,7 @@
 REBOOT_METHOD="auto"
 RUN_CMD=""
 RUN_SHELL=0
+SETUP_SELINUX=0
 USE_TELEMETRICS=0
 TELEM_PAYLOAD="PACKAGE_NAME=transactional-update\nPACKAGE_VERSION=@VERSION@"
 TELEM_CLASS=""
@@ -139,6 +140,7 @@
 echo "shell Open rw shell in new snapshot before exiting"
 echo "reboot Reboot after update"
 echo "run <cmd> Run a command in a new snapshot"
+ echo "setup-selinux Install targeted SELinux policy and enable it"
 echo ""
 echo "Package Commands:"
 echo "Defaults: (i) interactive command; (n) non-interactive command"
@@ -677,9 +679,14 @@
 usage 1
 fi
- RUN_CMD="$@"
+ RUN_CMD=("$@")
 break
 ;;
+ setup-selinux)
+ test -z "$TELEM_CLASS" && TELEM_CLASS="selinux"
+ SETUP_SELINUX=1
+ shift
+ ;;
 -i|--interactive)
 ZYPPER_NONINTERACTIVE=""
 shift
@@ -742,6 +749,33 @@
 esac
 done
+# Setup SELinux
+if [ "${SETUP_SELINUX}" -eq 1 ]; then
+ # Setting up SELinux requires several steps:
+ # 1. Make sure the policies are installed
+ # 2. Adjust /etc/default/grub
+ # 3. Adjust /etc/selinux/config
+ # 4. Rebuild grub.cfg and initrd
+
+ if [ -n "${ZYPPER_ARG}" -a "${ZYPPER_ARG}" != "install" ]; then
+ log_error "ERROR: Cannot combine 'setup-selinux' with zypper command '${ZYPPER_ARG}'"
+ exit 1
+ fi
+ # Check if we need to install packages
+ for pkg in selinux-policy-targeted container-selinux; do
+ rpm -q --quiet ${pkg} || ZYPPER_ARG_PKGS+=("${pkg}")
+ done
+ if [ ${#ZYPPER_ARG_PKGS[@]} -ne 0 ]; then
+ ZYPPER_ARG="install"
+ fi
+ REWRITE_INITRD=1
+ REBUILD_KDUMP_INITRD=1
+
+ # Make sure /var/lib/selinux exists, else installing the
+ # Policy will fail
+ test -d /var/lib/selinux || mkdir -p /var/lib/selinux
+fi
+
 # If no commands were given, assume "up"
 if [ -z "${ZYPPER_ARG}" -a -z "${TELEM_CLASS}" -a "${REBOOT_AFTERWARDS}" -eq 0 \
 -a "${DO_REGISTRATION}" -eq 0 -a "${DO_CLEANUP_OVERLAYS}" -eq 0 \
@@ -1031,6 +1065,10 @@
 mkdir -p "${ETC_OVERLAY_DIR}" "${ETC_OVERLAY_WORK_DIR}"
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
+ chcon --reference /etc "${ETC_OVERLAY_DIR}"
+ fi
+
 get_etc_overlay_from / current_upper="${fstab_upper}"
 get_etc_overlay_from "/.snapshots/${BASE_SNAPSHOT_ID}/snapshot"
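Review bot: The `mkdir -p /var/lib/selinux` at the end of the new `setup-selinux` block (hunk `@@ -742,6 +749,33 @@`) modifies the running system rather than the snapshot, and its result is discarded: `test -d /var/lib/selinux || mkdir -p /var/lib/selinux` continues when the directory cannot be created, so the policy install then fails later inside the snapshot with a less obvious error. Consider `mkdir -p /var/lib/selinux || { log_error "ERROR: Cannot create /var/lib/selinux"; exit 1; }` (`mkdir -p` already tolerates an existing directory, so the `test -d` is redundant). Presumably /var is shared with the snapshot rather than part of it, which is why the host path is used; a comment stating that would spare the next reader the question. The `rpm -q --quiet ${pkg}` loop should quote `"${pkg}"` as the array append on the same line already does.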
@@ -1307,6 +1345,24 @@
 fi
 fi
+ if [ ${SETUP_SELINUX} -eq 1 ]; then
+ # Adjust grub configuration
+
+ # Check if we don't have selinux already enabled.
+ grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q security=selinux || \
+ sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' /etc/default/grub
+ REWRITE_GRUB_CFG=1
+
+ if [ ! -e "${MOUNT_DIR}/etc/selinux/config" ]; then
+ log_error "ERROR: /etc/selinux/config does not exist!"
+ EXITCODE=1
+ fi
+ # Adjust selinux config
+ sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
+ -e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
+ "${MOUNT_DIR}/etc/selinux/config"
+ fi
+
 if [ ${REWRITE_INITRD} -eq 1 ]; then
 log_info "Creating new initrd"
 chroot ${MOUNT_DIR} /sbin/mkinitrd
@@ -1346,7 +1402,7 @@
 fi
 if [ ${DO_RUN} -eq 1 ]; then
- chroot ${MOUNT_DIR} ${RUN_CMD}
+ chroot ${MOUNT_DIR} "${RUN_CMD[@]}"
 fi
 if [ ${RUN_SHELL} -eq 1 ]; then
@@ -1355,7 +1411,6 @@
 fi
 if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
- chcon --reference /etc "${ETC_OVERLAY_DIR}"
 chcon --reference /etc/fstab "${MOUNT_DIR}/etc/fstab"
 fi
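Review bot: The grub and SELinux edits in the new `SETUP_SELINUX` block target different roots: `/etc/default/grub` is grepped and rewritten with `sed -i` on the running system, while `/etc/selinux/config` is addressed through `${MOUNT_DIR}`; unless the two paths are meant to differ, the grub change should use `${MOUNT_DIR}/etc/default/grub` so it lands in the snapshot being built and is discarded with it if the snapshot is dropped. The missing-file check only logs and sets `EXITCODE=1`, yet the `sed -i` on `${MOUNT_DIR}/etc/selinux/config` still runs afterwards and fails on the absent file; moving the sed into an `else` branch of that `if` keeps the error to a single message. When `GRUB_CMDLINE_LINUX_DEFAULT` is absent or unquoted the sed silently changes nothing while `REWRITE_GRUB_CFG=1` and `SELINUX=enforcing` are still applied, so a `grep -q security=selinux` re-check after the sed with a `log_error` on failure would make that visible. The enclosing block starts and ends outside the hunk.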