From cee28ed09116a8a5d0bdecb0d327167d7bfcd85c Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Jun 10 2020 14:24:02 +0000
Subject: 17 upstream release
Add a custom SELinux policy, shipped in a new osbuild-selinux sub-
package, to allow setting labels unknown to the host.
---
diff --git a/.gitignore b/.gitignore
index b1ff089..4cf64d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@
 /osbuild-14.tar.gz
 /osbuild-15.tar.gz
 /osbuild-16.tar.gz
+/osbuild-17.tar.gz
diff --git a/osbuild.spec b/osbuild.spec
index 182f6a7..2b43ffc 100644
--- a/osbuild.spec
+++ b/osbuild.spec
@@ -1,6 +1,7 @@
 %global forgeurl https://github.com/osbuild/osbuild
+%global selinuxtype targeted
-Version: 16
+Version: 17
 %forgemeta
@@ -34,6 +35,7 @@ Requires: systemd-container
 Requires: tar
 Requires: util-linux
 Requires: python3-%{pypi_name} = %{version}-%{release}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
 # Turn off dependency generators for assemblers, runners and stages.
 # They run in a container, so there's no reason to generate dependencies
@@ -63,6 +65,18 @@ Requires: rpm-ostree
 Contains the necessary stages, assembler and source
 to build OSTree based images.
+%package selinux
+Summary: SELinux policies
+Requires: %{name} = %{version}-%{release}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Contains the necessary SELinux policies that allows
+osbuild to use labels unknown to the host inside the
+containers it uses to build OS artifacts.
+
 %prep
 %forgesetup
@@ -70,6 +84,13 @@ to build OSTree based images.
 %py3_build
 make man
+# SELinux
+make -f /usr/share/selinux/devel/Makefile osbuild.pp
+bzip2 -9 osbuild.pp
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
 %install
 %py3_install
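Review bot: The new `%pre` scriptlet added after `make man` carries no subpackage name, so `%selinux_relabel_pre -s %{selinuxtype}` becomes the pre-install scriptlet of the base osbuild package, while its counterpart `%selinux_relabel_post` in the later @@ -129,9 hunk is scoped to `%posttrans selinux`. The pair belongs to the same package: change the header to `%pre selinux`, matching the `%post selinux`, `%postun selinux` and `%posttrans selinux` scriptlets. As written, installing only the selinux subpackage never runs the pre-relabel step, and installing the base package without the subpackage runs it for nothing. Moving the scriptlet next to the other selinux scriptlets would also keep it out of the middle of `%build`, where only the `# SELinux` make and bzip2 lines belong. If the policy sources live in `selinux/` alongside `%{name}_selinux.8` (installed from there in the @@ -99,6 hunk), the `make -f /usr/share/selinux/devel/Makefile osbuild.pp` call would need to run in that directory; worth confirming against the tarball layout.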
@@ -99,6 +120,10 @@ mkdir -p %{buildroot}%{_mandir}/man5
 install -p -m 0644 -t %{buildroot}%{_mandir}/man1/ docs/*.1
 install -p -m 0644 -t %{buildroot}%{_mandir}/man5/ docs/*.5
+# SELinux
+install -D -m 644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} %{name}.pp.bz2
+install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_selinux.8
+
 %check
 exit 0
 # We have some integration tests, but those require running a VM, so that would
@@ -129,9 +154,30 @@ exit 0
 %{pkgdir}/stages/org.osbuild.ostree
 %{pkgdir}/stages/org.osbuild.rpm-ostree
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_selinux.8.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
 %changelog
+* Wed Jun 10 2020 Christian Kellner - 17-1
+- new upstream relaese 17
+- Add custom SELinux policy that lets osbuild set labels inside
+ the build root that are unknown to the host.
+
 * Thu Jun 4 2020 Christian Kellner - 16-1
-- new upstream release 15
+- new upstream release 16
 - Drop sources-fix-break-when-secrets-is-None.patch
 included in the new upstream reelase.
diff --git a/sources b/sources
index 12cb433..8026313 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (osbuild-16.tar.gz) = 21041af1b617ef30ae7e6e27a986d094a13bcbc3a4d52d69272f24a88c49a0d4b5f57e4d54a7dd322053d607a2c859ff7586f0392d0e1efae163a9bfe6b5c065
+SHA512 (osbuild-17.tar.gz) = 63b7402e87665917d31a69e3a9c399dd22219b1f3bb1edec71a6c3d00eb996a4a297129ed33d46dad49c4d7d7f18e643166aace1de84e4741ecd929be0248021