diff --git a/.gitignore b/.gitignore
index 3971a54..0aad5ab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /v0.1.3.tar.gz
 /v0.1.4.tar.gz
 /v0.1.5.tar.gz
+/v0.1.6.tar.gz
diff --git a/0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch b/0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch
deleted file mode 100644
index 14761cb..0000000
--- a/0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 129555625ceca2d73faf862501c10fb3ee49b473 Mon Sep 17 00:00:00 2001
-From: Jan Zarsky
-Date: Tue, 30 Apr 2019 11:41:10 +0200
-Subject: [PATCH] Add allow rules for container_runtime_t to base_container.cil
-
-Podman version 1.2.0 requires new allow rules.
-
-Fixes:
-type=AVC msg=audit(1556617434.540:447): avc: denied { create } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
-type=AVC msg=audit(1556617434.541:448): avc: denied { search } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
-type=AVC msg=audit(1556617434.541:449): avc: denied { view } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
-type=AVC msg=audit(1556617434.541:450): avc: denied { setattr } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
----
- udica/templates/base_container.cil | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/udica/templates/base_container.cil b/udica/templates/base_container.cil
-index 88bb39b..ab9b776 100644
---- a/udica/templates/base_container.cil
-+++ b/udica/templates/base_container.cil
-@@ -5,4 +5,5 @@
- (typeattributeset container_domain (process ))
- (allow process proc_type (file (getattr open read)))
- (allow process cpu_online_t (file (getattr open read)))
-+(allow container_runtime_t process (key (create link read search setattr view write)))
- )
---
-2.20.1
-
diff --git a/sources b/sources
index 33dcb37..c6861a0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v0.1.5.tar.gz) = 38cb9b0c9d42f807d05811631d460af80e65db5631e53230ea129d79d9844eeddc9c3f63ff17c121150afb1319b08cf6da085ce3e18945f4bf76b844365f741c
+SHA512 (v0.1.6.tar.gz) = 1da3cd6e6c4a70b9ad76f3ccc6eb5f2418544ab778ec07145d1c44a7df6092d769a0afe4335e3b8afac444399e7fa720de65d1dfe2badb9a232ed70a3ea36386
diff --git a/udica.spec b/udica.spec
index 17759af..6f5bf0f 100644
--- a/udica.spec
+++ b/udica.spec
@@ -1,7 +1,7 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
-Version: 0.1.5
-Release: 2%{?dist}
+Version: 0.1.6
+Release: 1%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
 License: GPLv3+
 BuildArch: noarch
@@ -13,7 +13,6 @@ Requires: python3 python3-libsemanage python3-libselinux
 BuildRequires: python2 python2-devel python2-setuptools
 Requires: python2 libsemanage-python libselinux-python
 %endif
-patch00: 0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch
 %description
 Tool for generating SELinux security profiles for containers based on
@@ -21,7 +20,6 @@ inspection of container JSON file.
 %prep
 %setup -q
-%patch00 -p1
 %build
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -60,6 +58,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 %changelog
+* Thu May 16 2019 Lukas Vrabec - 0.1.6-1
+- New rebase with upstream adding new tests
+
 * Tue Apr 30 2019 Lukas Vrabec - 0.1.5-2
 - Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules.
 * Fri Apr 19 2019 Lukas Vrabec - 0.1.5-1
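Review bot: Dropping `patch00` here (and `%patch00 -p1` in the %prep hunk) is only safe if the v0.1.6 tarball already carries the keyring rule that patch added to `udica/templates/base_container.cil`, `(allow container_runtime_t process (key (create link read search setattr view write)))`; nothing in this commit shows that, and the new changelog entry only mentions tests. If the rule is not upstream, every policy generated from the base template regresses the Podman 1.2.0 fix recorded in the 0.1.5-2 entry and the `tclass=key` AVC denials that patch fixed come back. Please confirm the tarball contains upstream commit 129555625ceca2d73faf862501c10fb3ee49b473 (e.g. grep it for `container_runtime_t process (key`) and record the drop in the changelog, e.g. `- Drop 0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch, merged upstream in 0.1.6`.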