Hello community,

here is the log from the commit of package transactional-update for 
openSUSE:Factory checked in at 2020-10-26 16:12:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/transactional-update (Old)
 and      /work/SRC/openSUSE:Factory/.transactional-update.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "transactional-update"

Mon Oct 26 16:12:21 2020 rev:63 rq:843423 version:2.28

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/transactional-update/transactional-update.changes    
    2020-10-18 16:18:35.620415312 +0200
+++ 
/work/SRC/openSUSE:Factory/.transactional-update.new.3463/transactional-update.changes
      2020-10-26 16:12:55.950750426 +0100
@@ -1,0 +2,8 @@
+Thu Oct 22 12:20:38 UTC 2020 - Ignaz Forster <ifors...@suse.com>
+
+- Version 2.28
+  - Add 'setup-selinux' command for easy setup of a SELinux system
+  - Allow complex commands for the 'run' command
+  - SELinux: Fix /etc / overlay labeling
+
+-------------------------------------------------------------------

Old:
----
  transactional-update-2.27.tar.gz

New:
----
  transactional-update-2.28.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ transactional-update.spec ++++++
--- /var/tmp/diff_new_pack.vqSNoB/_old  2020-10-26 16:12:56.830751236 +0100
+++ /var/tmp/diff_new_pack.vqSNoB/_new  2020-10-26 16:12:56.834751241 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           transactional-update
-Version:        2.27
+Version:        2.28
 Release:        0
 Summary:        Transactional Updates with btrfs and snapshots
 License:        GPL-2.0-or-later

++++++ transactional-update-2.27.tar.gz -> transactional-update-2.28.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/transactional-update-2.27/NEWS 
new/transactional-update-2.28/NEWS
--- old/transactional-update-2.27/NEWS  2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/NEWS  2020-10-22 14:18:21.000000000 +0200
@@ -1,6 +1,11 @@
 transactional-update NEWS -- history of user-visible changes.
 
-Copyright (C) 2016-2019 Thorsten Kukuk et al.
+Copyright (C) 2016-2020 Thorsten Kukuk, Ignaz Forster et al.
+
+Version 2.28
+* Add 'setup-selinux' command for easy setup of a SELinux system
+* Allow complex commands for the 'run' command
+* SELinux: Fix /etc / overlay labeling
 
 Version 2.27
 * Add support for network systemd-resolvd network connections in t-u
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/transactional-update-2.27/configure.ac 
new/transactional-update-2.28/configure.ac
--- old/transactional-update-2.27/configure.ac  2020-10-14 11:30:17.000000000 
+0200
+++ new/transactional-update-2.28/configure.ac  2020-10-22 14:18:21.000000000 
+0200
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT(transactional-update, 2.27)
+AC_INIT(transactional-update, 2.28)
 AM_INIT_AUTOMAKE
 AC_PREFIX_DEFAULT(/usr)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/transactional-update-2.27/man/transactional-update.8.xml 
new/transactional-update-2.28/man/transactional-update.8.xml
--- old/transactional-update-2.27/man/transactional-update.8.xml        
2020-10-14 11:30:17.000000000 +0200
+++ new/transactional-update-2.28/man/transactional-update.8.xml        
2020-10-22 14:18:21.000000000 +0200
@@ -244,12 +244,39 @@
       <para>
        Execute the the command <replaceable>cmd</replaceable> inside
        a new snapshot. By default this snaphot will remain, but if
-       <option>--drop-if-no-chage</option> is set, the new snapshot
+       <option>--drop-if-no-change</option> is set, the new snapshot
        will be dropped if there is no change in the file system.
       </para>
       <para>
        This command consumes all the remaining parameters, so should
-       be placed the in the last position.
+       be placed in the last position.
+      </para>
+      <para>
+       To use features like command lists (e.g. pipes or separators) wrap the
+       script into a Shell command like such as
+       <programlisting>
+         transactional-update run bash -c '
+           ls &amp;&amp; date
+           if [ true ]; then
+             echo -n "Hello "
+             echo '\''world'\''
+           fi
+         '
+       </programlisting>
+      </para>
+    </listitem>
+  </varlistentry>
+  <varlistentry>
+    <term><option>setup-selinux</option></term>
+    <listitem>
+      <para>
+       Sets up a SELinux system: Installs the default SELinux "Targeted
+       policy" and enables it.
+      </para>
+      <para>
+       This command can not be combined with any
+       <link linkend='pkg_commands'>Package Command</link> other than
+       <option>install</option>.
       </para>
     </listitem>
   </varlistentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/transactional-update-2.27/sbin/transactional-update.in 
new/transactional-update-2.28/sbin/transactional-update.in
--- old/transactional-update-2.27/sbin/transactional-update.in  2020-10-14 
11:30:17.000000000 +0200
+++ new/transactional-update-2.28/sbin/transactional-update.in  2020-10-22 
14:18:21.000000000 +0200
@@ -45,6 +45,7 @@
 REBOOT_METHOD="auto"
 RUN_CMD=""
 RUN_SHELL=0
+SETUP_SELINUX=0
 USE_TELEMETRICS=0
 TELEM_PAYLOAD="PACKAGE_NAME=transactional-update\nPACKAGE_VERSION=@VERSION@"
 TELEM_CLASS=""
@@ -139,6 +140,7 @@
     echo "shell                      Open rw shell in new snapshot before 
exiting"
     echo "reboot                     Reboot after update"
     echo "run <cmd>                  Run a command in a new snapshot"
+    echo "setup-selinux              Install targeted SELinux policy and 
enable it"
     echo ""
     echo "Package Commands:"
     echo "Defaults: (i) interactive command; (n) non-interactive command"
@@ -677,9 +679,14 @@
                usage 1
            fi
 
-           RUN_CMD="$@"
+           RUN_CMD=("$@")
            break
            ;;
+       setup-selinux)
+           test -z "$TELEM_CLASS" && TELEM_CLASS="selinux"
+           SETUP_SELINUX=1
+           shift
+           ;;
        -i|--interactive)
            ZYPPER_NONINTERACTIVE=""
            shift
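Review bot: `RUN_CMD` becomes an array in this branch, but the initialiser near the top of the script (visible in the first hunk of this file) is still the scalar `RUN_CMD=""`. I would change it to `RUN_CMD=()` and add a comment such as `# Kept as an array so the caller's quoting survives until the chroot call`. Any code outside these hunks that still reads `${RUN_CMD}` as a string would now see only the first word and should be checked. The enclosing `case` statement starts and ends outside the hunk.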
@@ -742,6 +749,33 @@
     esac
 done
 
+# Setup SELinux
+if [ "${SETUP_SELINUX}" -eq 1 ]; then
+    # Setting up SELinux requires several steps:
+    # 1. Make sure the policies are installed
+    # 2. Adjust /etc/default/grub
+    # 3. Adjust /etc/selinux/config
+    # 4. Rebuild grub.cfg and initrd
+
+    if [ -n "${ZYPPER_ARG}" -a "${ZYPPER_ARG}" != "install" ]; then
+       log_error "ERROR: Cannot combine 'setup-selinux' with zypper command 
'${ZYPPER_ARG}'"
+       exit 1
+    fi
+    # Check if we need to install packages
+    for pkg in selinux-policy-targeted container-selinux; do
+       rpm -q --quiet ${pkg} || ZYPPER_ARG_PKGS+=("${pkg}")
+    done
+    if [ ${#ZYPPER_ARG_PKGS[@]} -ne 0 ]; then
+       ZYPPER_ARG="install"
+    fi
+    REWRITE_INITRD=1
+    REBUILD_KDUMP_INITRD=1
+
+    # Make sure /var/lib/selinux exists, else installing the
+    # Policy will fail
+    test -d /var/lib/selinux || mkdir -p /var/lib/selinux
+fi
+
 # If no commands were given, assume "up"
 if [ -z "${ZYPPER_ARG}" -a -z "${TELEM_CLASS}" -a "${REBOOT_AFTERWARDS}" -eq 0 
\
        -a "${DO_REGISTRATION}" -eq 0 -a "${DO_CLEANUP_OVERLAYS}" -eq 0 \
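Review bot: `mkdir -p /var/lib/selinux` runs during option handling against the running system, apparently before any snapshot exists, so the directory stays behind even if a later step aborts the update. If that is intended because /var is not part of the snapshot (the hunk does not show this), a comment would make it explicit, for example `# /var is shared with the running system, so the directory is created here and not in the snapshot`. The step list in the comment names four steps, but this block performs only the package check and sets flags; a line like `# Steps 2-4 are carried out after the snapshot has been created` would avoid confusion. The test `[ -n "${ZYPPER_ARG}" -a "${ZYPPER_ARG}" != "install" ]` is more robust as two `[ ]` tests joined by `&&`.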
@@ -1031,6 +1065,10 @@
 
        mkdir -p "${ETC_OVERLAY_DIR}" "${ETC_OVERLAY_WORK_DIR}"
 
+       if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
+            chcon --reference /etc "${ETC_OVERLAY_DIR}"
+       fi
+
        get_etc_overlay_from /
        current_upper="${fstab_upper}"
        get_etc_overlay_from "/.snapshots/${BASE_SNAPSHOT_ID}/snapshot"
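Review bot: The result of `chcon --reference /etc "${ETC_OVERLAY_DIR}"` is not checked, so a labelling failure would leave the new overlay directory with the wrong context and the update would continue without any message. Consider `chcon --reference /etc "${ETC_OVERLAY_DIR}" || log_error "ERROR: Could not set SELinux context on ${ETC_OVERLAY_DIR}"`. The label is presumably set here so that it is in place before the overlay is first used; a short comment stating that would record why the call was moved. The surrounding block begins and ends outside the hunk.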
@@ -1307,6 +1345,24 @@
        fi
     fi
 
+    if [ ${SETUP_SELINUX} -eq 1 ]; then
+       # Adjust grub configuration
+
+       # Check if we don't have selinux already enabled.
+       grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q 
security=selinux || \
+           sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 
security=selinux selinux=1"|g' /etc/default/grub
+       REWRITE_GRUB_CFG=1
+
+       if [ ! -e "${MOUNT_DIR}/etc/selinux/config" ]; then
+           log_error "ERROR: /etc/selinux/config does not exist!"
+           EXITCODE=1
+       fi
+       # Adjust selinux config
+       sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
+           -e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
+           "${MOUNT_DIR}/etc/selinux/config"
+    fi
+
     if [ ${REWRITE_INITRD} -eq 1 ]; then
        log_info "Creating new initrd"
        chroot ${MOUNT_DIR} /sbin/mkinitrd
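Review bot: The grep and sed for the kernel command line operate on `/etc/default/grub` of the running system, while the SELinux config a few lines below is edited under `${MOUNT_DIR}`. Unless both paths resolve to the same file at this point (not visible here), the boot parameter change lands outside the snapshot and persists even if the update is discarded. Using `"${MOUNT_DIR}/etc/default/grub"` in both commands would keep it transactional. Separately, when `${MOUNT_DIR}/etc/selinux/config` is missing the code logs an error and sets `EXITCODE=1` but still runs `sed -i` on the missing file; moving that sed into an `else` branch avoids the second failure. The hunk shows no relabel step before `SELINUX=enforcing` takes effect, so it is worth confirming that one is triggered elsewhere; the enclosing block extends beyond the hunk.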
@@ -1346,7 +1402,7 @@
     fi
 
     if [ ${DO_RUN} -eq 1 ]; then
-       chroot ${MOUNT_DIR} ${RUN_CMD}
+       chroot ${MOUNT_DIR} "${RUN_CMD[@]}"
     fi
 
     if [ ${RUN_SHELL} -eq 1 ]; then
@@ -1355,7 +1411,6 @@
     fi
 
     if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
-        chcon --reference /etc "${ETC_OVERLAY_DIR}"
         chcon --reference /etc/fstab "${MOUNT_DIR}/etc/fstab"
     fi
 

