|
 |
7fa12a4 |
%global debug_package %{nil}
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
# container-selinux
|
|
|
7fa12a4 |
%global git0 https://github.com/projectatomic/container-selinux
|
|
|
7fa12a4 |
%if 0%{?fedora}
|
|
 |
c8e82ce |
%global commit0 3bbbad57f5827b02f91f847eb559a59cca7967af
|
|
|
7fa12a4 |
%else
|
|
|
dc5c398 |
# use upstream's RHEL-1.12 branch for CentOS 7
|
|
|
dc5c398 |
%global commit0 56c32da8a72f9e7af5daeaebac5b887830d123b1
|
|
|
7fa12a4 |
%endif
|
|
|
7fa12a4 |
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
# container-selinux stuff (prefix with ds_ for version/release etc.)
|
|
|
7fa12a4 |
# Some bits borrowed from the openstack-selinux package
|
|
|
7fa12a4 |
%global selinuxtype targeted
|
|
|
7fa12a4 |
%global moduletype services
|
|
|
7fa12a4 |
%global modulenames container
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
# Usage: _format var format
|
|
|
7fa12a4 |
# Expand 'modulenames' into various formats as needed
|
|
|
7fa12a4 |
# Format must contain '$x' somewhere to do anything useful
|
|
|
7fa12a4 |
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
# Relabel files
|
|
|
8602eba |
%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
# Version of SELinux we were using
|
|
|
7fa12a4 |
%if 0%{?fedora} >= 22
|
|
|
7fa12a4 |
%global selinux_policyver 3.13.1-220
|
|
|
7fa12a4 |
%else
|
|
|
7fa12a4 |
%global selinux_policyver 3.13.1-39
|
|
|
7fa12a4 |
%endif
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
Name: container-selinux
|
|
|
7fa12a4 |
%if 0%{?fedora} || 0%{?centos}
|
|
|
7fa12a4 |
Epoch: 2
|
|
|
7fa12a4 |
%endif
|
|
|
6c8c181 |
Version: 2.3
|
|
|
6c8c181 |
Release: 1%{?dist}
|
|
|
7fa12a4 |
License: GPLv2
|
|
|
7fa12a4 |
URL: %{git0}
|
|
|
7fa12a4 |
Summary: SELinux policies for container runtimes
|
|
|
7fa12a4 |
Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
|
|
7fa12a4 |
BuildArch: noarch
|
|
|
7fa12a4 |
BuildRequires: git
|
|
|
7fa12a4 |
BuildRequires: pkgconfig(systemd)
|
|
|
8602eba |
BuildRequires: selinux-policy >= %{selinux_policyver}
|
|
|
8602eba |
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
|
|
|
7fa12a4 |
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
|
|
|
7fa12a4 |
Requires: selinux-policy >= %{selinux_policyver}
|
|
|
7fa12a4 |
Requires(post): selinux-policy-base >= %{selinux_policyver}
|
|
|
8602eba |
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
|
|
|
7fa12a4 |
Requires(post): policycoreutils
|
|
|
7fa12a4 |
%if 0%{?fedora}
|
|
|
7fa12a4 |
Requires(post): policycoreutils-python-utils
|
|
|
7fa12a4 |
%else
|
|
|
7fa12a4 |
Requires(post): policycoreutils-python
|
|
|
7fa12a4 |
%endif
|
|
|
7fa12a4 |
Requires(post): libselinux-utils
|
|
|
7fa12a4 |
Obsoletes: %{name} <= 2:1.12.5-13
|
|
|
7fa12a4 |
Obsoletes: docker-selinux <= 2:1.12.4-28
|
|
|
7fa12a4 |
Provides: docker-selinux = %{epoch}:%{version}-%{release}
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%description
|
|
|
7fa12a4 |
SELinux policy modules for use with container runtimes.
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%prep
|
|
|
7fa12a4 |
%autosetup -Sgit -n %{name}-%{commit0}
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%build
|
|
|
7fa12a4 |
make
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%install
|
|
|
7fa12a4 |
# install policy modules
|
|
|
7fa12a4 |
%_format MODULES $x.pp.bz2
|
|
|
7fa12a4 |
install -d %{buildroot}%{_datadir}/selinux/packages
|
|
|
7fa12a4 |
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
|
7fa12a4 |
install -p -m 644 container.if %{buildroot}%{_datadir}/selinux/devel/include/services
|
|
|
7fa12a4 |
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
|
|
|
7fa12a4 |
|
|
 |
6028ccc |
# remove spec file
|
|
|
7fa12a4 |
rm -rf container-selinux.spec
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%check
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%post
|
|
|
7fa12a4 |
# Install all modules in a single transaction
|
|
|
7fa12a4 |
if [ $1 -eq 1 ]; then
|
|
|
7fa12a4 |
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
|
|
7fa12a4 |
fi
|
|
|
7fa12a4 |
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
|
|
|
85f5b33 |
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
|
|
|
6028ccc |
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
|
|
|
85f5b33 |
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
|
|
|
85f5b33 |
%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
|
|
|
7fa12a4 |
if %{_sbindir}/selinuxenabled ; then
|
|
|
7fa12a4 |
%{_sbindir}/load_policy
|
|
|
7fa12a4 |
%relabel_files
|
|
|
7fa12a4 |
if [ $1 -eq 1 ]; then
|
|
|
6028ccc |
restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
|
|
|
7fa12a4 |
fi
|
|
|
7fa12a4 |
fi
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%postun
|
|
|
7fa12a4 |
if [ $1 -eq 0 ]; then
|
|
|
7fa12a4 |
%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
|
|
|
7fa12a4 |
if %{_sbindir}/selinuxenabled ; then
|
|
|
7fa12a4 |
%{_sbindir}/load_policy
|
|
|
7fa12a4 |
%relabel_files
|
|
|
7fa12a4 |
fi
|
|
|
7fa12a4 |
fi
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
#define license tag if not already defined
|
|
|
7fa12a4 |
%{!?_licensedir:%global license %doc}
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%files
|
|
|
7fa12a4 |
%doc README.md
|
|
|
7fa12a4 |
%{_datadir}/selinux/*
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
%changelog
|
|
|
c8e82ce |
* Tue Jan 17 2017 Dan Walsh <dwalsh@fedoraproject.org> - 2:3.1-1
|
|
|
c8e82ce |
- Fix labeling on /usr/bin/runc.*
|
|
|
c8e82ce |
- Add sandbox_net_domain access to container.te
|
|
|
c8e82ce |
- Remove containers ability to look at /etc content
|
|
|
c8e82ce |
|
|
|
dc5c398 |
* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-4
|
|
|
dc5c398 |
- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7
|
|
|
dc5c398 |
|
|
|
6028ccc |
* Tue Jan 10 2017 Jonathan Lebon <jlebon@redhat.com> - 2:2.2-3
|
|
|
6028ccc |
- properly disable docker module in %post
|
|
|
6028ccc |
|
|
|
8602eba |
* Sat Jan 07 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-2
|
|
|
8602eba |
- depend on selinux-policy-targeted
|
|
|
8602eba |
- relabel docker-latest* files as well
|
|
|
8602eba |
|
|
|
98c88e3 |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.2-1
|
|
|
98c88e3 |
- bump to v2.2
|
|
|
98c88e3 |
- additional labeling for ocid
|
|
|
98c88e3 |
|
|
|
57ea4c4 |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-2
|
|
|
57ea4c4 |
- install policy at level 200
|
|
|
57ea4c4 |
- From: Dan Walsh <dwalsh@redhat.com>
|
|
|
57ea4c4 |
|
|
|
7fa12a4 |
* Fri Jan 06 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:2.0-1
|
|
|
7fa12a4 |
- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a
|
|
|
7fa12a4 |
standalone package)
|
|
|
7fa12a4 |
- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel
|
|
|
7fa12a4 |
|
|
|
7fa12a4 |
* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2:1.12.4-29
|
|
|
7fa12a4 |
- new package (separated from docker)
|