#34 [DO NOT MERGE] udica-0.2.8-5
Opened a month ago by vmojzis. Modified a month ago
rpms/ vmojzis/udica kerberos  into  rawhide

@@ -0,0 +1,91 @@ 

+ From aab4ef70ab704b97cbbaaf6a4ff9d6fcc1d1ae66 Mon Sep 17 00:00:00 2001

+ From: Vit Mojzis <vmojzis@redhat.com>

+ Date: Mon, 18 Mar 2024 16:23:36 +0100

+ Subject: [PATCH] Add --kerberos-access option

+ 

+ The option adds a new block inheritance, hence udica needs to require

+ the corresponding version of container-selinux.

+ 

+ Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

+ ---

+  tests/test_kerberosaccess.podman.cil |  6 ++++++

+  tests/test_main.py                   | 14 ++++++++++++++

+  udica/__main__.py                    |  7 +++++++

+  udica/policy.py                      |  4 ++++

+  4 files changed, 31 insertions(+)

+  create mode 100644 tests/test_kerberosaccess.podman.cil

+ 

+ diff --git a/tests/test_kerberosaccess.podman.cil b/tests/test_kerberosaccess.podman.cil

+ new file mode 100644

+ index 0000000..7964a3b

+ --- /dev/null

+ +++ b/tests/test_kerberosaccess.podman.cil

+ @@ -0,0 +1,6 @@

+ +(block my_container

+ +    (blockinherit container)

+ +    (blockinherit kerberos_container)

+ +    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot ))) 

+ +

+ +)

+ \ No newline at end of file

+ diff --git a/tests/test_main.py b/tests/test_main.py

+ index 0c73861..b14c331 100644

+ --- a/tests/test_main.py

+ +++ b/tests/test_main.py

+ @@ -331,6 +331,20 @@ class TestBase(unittest.TestCase):

+          self.assert_templates(output, ["base_container", "tty_container"])

+          self.assert_policy(test_file("test_ttyaccess.podman.cil"))

+  

+ +    def test_kerberosaccess_podman(self):

+ +        """podman run fedora"""

+ +        output = self.run_udica(

+ +            [

+ +                "udica",

+ +                "-j",

+ +                "tests/test_default.podman.json",

+ +                "--kerberos-access",

+ +                "my_container",

+ +            ]

+ +        )

+ +        self.assert_templates(output, ["base_container", "kerberos_container"])

+ +        self.assert_policy(test_file("test_kerberosaccess.podman.cil"))

+ +

+      def test_append_more_rules_podman(self):

+          """podman run fedora"""

+          output = self.run_udica(

+ diff --git a/udica/__main__.py b/udica/__main__.py

+ index 801499c..0fd5ab2 100644

+ --- a/udica/__main__.py

+ +++ b/udica/__main__.py

+ @@ -184,6 +184,13 @@ def get_args():

+              dest="VirtAccess",

+              action="store_true",

+          )

+ +        parser.add_argument(

+ +            "--kerberos-access",

+ +            help="Allow container to use Kerberos authentication ",

+ +            required=False,

+ +            dest="KerberosAccess",

+ +            action="store_true",

+ +        )

+          parser.add_argument(

+              "-s",

+              "--stream-connect",

+ diff --git a/udica/policy.py b/udica/policy.py

+ index 9d1eae0..0f36386 100644

+ --- a/udica/policy.py

+ +++ b/udica/policy.py

+ @@ -129,6 +129,10 @@ def create_policy(

+          policy.write("    (blockinherit tty_container)\n")

+          add_template("tty_container")

+  

+ +    if opts["KerberosAccess"]:

+ +        policy.write("    (blockinherit kerberos_container)\n")

+ +        add_template("kerberos_container")

+ +

+      if ports:

+          policy.write("    (blockinherit restricted_net_container)\n")

+          add_template("net_container")

+ -- 

+ 2.43.0

+ 
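Review bot: The new `--kerberos-access` help string in udica/__main__.py ends with a stray trailing space and does not tell the operator what the flag actually grants, while the policy.py hunk shows it pulls an additional block into the generated policy via `(blockinherit kerberos_container)`. Because this widens the container's SELinux policy, the help text should name the template so the effect is visible from `--help`: `help="Allow the container to use Kerberos authentication (inherits the kerberos_container template from container-selinux)",`. In policy.py, `opts["KerberosAccess"]` assumes the key is always present; if create_policy is ever called with an opts dict not produced by this parser, that is a KeyError rather than a skipped block, which is worth confirming against the other callers. Both get_args() and create_policy() begin outside the hunks shown.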

file modified
+6 -2
@@ -1,13 +1,14 @@ 

  Summary: A tool for generating SELinux security policies for containers

  Name: udica

  Version: 0.2.8

- Release: 4%{?dist}

+ Release: 5%{?dist}

  Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz

  #git format-patch -N v0.2.8 -- . ':!.cirrus.yml' ':!.github'

  Patch0001: 0001-Add-option-to-generate-custom-policy-for-a-confined-.patch

  Patch0002: 0002-Add-tests-covering-confined-user-policy-generation.patch

  Patch0003: 0003-confined-make-l-non-optional.patch

  Patch0004: 0004-confined-allow-asynchronous-I-O-operations.patch

+ Patch0005: 0005-Add-kerberos-access-option.patch

  License: GPL-3.0-or-later

  BuildArch: noarch

  Url: https://github.com/containers/udica
@@ -19,7 +20,7 @@ 

  Requires: python2 libsemanage-python libselinux-python

  %endif

  # container-selinux provides policy templates

- Requires: container-selinux >= 2.168.0-2

+ Requires: container-selinux >= 2:2.230.0-2

  

  %description

  Tool for generating SELinux security profiles for containers based on
@@ -66,6 +67,9 @@ 

  %endif

  

  %changelog

+ * Mon Mar 18 2024 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-5

+ - Add --kerberos-access option

+ 

  * Mon Feb 12 2024 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-4

  - confined: make "-l" non optional

  

  • Add --kerberos-access option

TODO: container-selinux dependency needs to be set after the new template is shipped

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/874484564acf42ac8804989e7c1347c4