Revisions of container-selinux
Cathy Hu (cahu) accepted request 1222444 from Cathy Hu (cahu) (revision 37)
- Update to version 2.233.0:
  * container_engine_t: small change to allow non-root exec in a container
  * RPM: explicitly list ghosted paths and skip mode verification
  * container-selinux install on non selinux-policy-targeted systems (#332)
  * set container_log_t type for /var/log/kube-apiserver
  * Allow kubelet_t to create a sock file kubelet_var_lib_t
  * dontaudit spc_t to mmap_zero
  * Packit: update targets (#330)
  * container_engine_t: another round of small improvements (#327)
  * Allow container_device_plugin_t to use the network (#325)
  * RPM: cleanup changelog (#324)
  * TMT: Simplify tests
Cathy Hu (cahu) accepted request 1186575 from Cathy Hu (cahu) (revision 36)
- Update to version 2.232.1:
  * Bump to v2.232.1
  * TMT: fix srpm download syntax on rawhide
  * Bump to 2.232.0
  * Packit: remove `update_release` key from downstream jobs (#313)
  * Update container-selinux.8 man page
  * Add ownership of /usr/share/udica (#312)
  * Packit/TMT: upstream maintenance of downstream gating tests
  * extend container_engine_t again
  * Allow spc_t to use localectl
  * Allow spc_t to use timedatectl
  * introduce container_use_xserver_devices boolean to allow GPU access
Johannes Segitz (jsegitz) accepted request 1172200 from Johannes Segitz (jsegitz) (revision 35)
- Update to version 2.231.0:
  * Allow container domains to communicate with spc_t unix_stream_sockets
  * Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720)
Johannes Segitz (jsegitz) accepted request 1166916 from Cathy Hu (cahu) (revision 34)
- Manual update to version 2.230.0+git4.a8e389d to include this commit that is needed for the main selinux-policy update to work:
  * Rename all /var/run file context entries to /run
- Update to version 2.230.0:
  * Move to tar_scm based packaging: added _service and _servicedata
  * Allow containers to unmount file systems
  * Add buildah as a container_runtime_exec_t label
  * Additional rules for container_user_t
  * improve container_engine_t
Johannes Segitz (jsegitz) accepted request 1138075 from Johannes Segitz (jsegitz) (revision 33)
- Update to version 2.228:
  * Allow container domains to watch fifo_files
  * container_engine_t: improve for podman in kubernetes case
  * Allow spc_t to transition to install_t domain
  * Default to allowing containers to use dri devices
  * Allow access to BPF Filesystems
  * Fix kubernetes transition rule
  * Label kubensenter as well as kubenswrapper
  * Allow container domains to execute container_runtime_tmpfs_t files
  * Allow container domains to ptrace themselves
  * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
  * Add boolean to allow containers to use dri devices
  * Give containers access to pod resources endpoint
  * Label kubenswrapper kubelet_exec_t
Johannes Segitz (jsegitz) accepted request 1112591 from Johannes Segitz (jsegitz) (revision 32)
- Update to version 2.222:
  * Allow containers to read/write inherited dri devices
Johannes Segitz (jsegitz) committed (revision 31)
  * Allow containers to shutdown sockets inherited from container
Johannes Segitz (jsegitz) accepted request 1103976 from Johannes Segitz (jsegitz) (revision 30)
- Update to version 2.221:
  * Allow containers to shutdown sockets inherited from container runtimes
  * Allow spc_t to use execmod libraries on container file systems
  * Add boolean to allow containers to read all cert files
  * More MLS Policy allow rules
  * Allow container runtimes using pasta bind icmp_socket to port_t
  * Fix spc_t transitions from container_runtime_domain
Johannes Segitz (jsegitz) accepted request 1088558 from Johannes Segitz (jsegitz) (revision 29)
- Update to version 2.215.0:
  * Add some MLS rules to policy
  * Allow container runtime to dyntransition to spc_t
  * Tighten controls on confined users
  * Add labels for /var/lib/shared
  * Cleanup entrypoint definitions
  * Allow container_device_plugin_t access to debugfs
  * Allow containers which use devices to map them
Johannes Segitz (jsegitz) accepted request 1082386 from Johannes Segitz (jsegitz) (revision 28)
- Update to version 2.211.0:
  * Don't transition to initrc_t domains from spc_t
  * Add tunable to allow sshd_t to launch container engines
  * Allow syslogd_t getattr on inherited runtime tmpfs files
  * Add container_file_t and container_ro_file_t as user_home_type
  * Set default context for local-path-provisioner
  * Allow daemon to send dbus messages to spc_t by
Johannes Segitz (jsegitz) accepted request 1075435 from Johannes Segitz (jsegitz) (revision 27)
- Update to version 2.206.0:
  * Allow unconfined domains to transition to container_runtime_t
  * Allow container domains to transition to install_t
  * Allow avirt_sandbox_domain to manage container_file_t types
  * Allow containers to watch sysfs_t directories
  * Allow spc_t to transition to rpm_script_t
  * Add support to new user_namespace access check
  * Smaller permission changes for container_init_t
- Drop spc.patch, is now included
Johannes Segitz (jsegitz) accepted request 1058701 from Frederic Crozat (fcrozat) (revision 26)
- Update to version 2.198.0:
  * Fix spc_t transition rules on tmpfs_t
- Changes from 2.197.0:
  * Add boolean containers_use_ecryptfs policy
- Changes from 2.195.1:
  * Re-add missing allow rules for container_t
- Changes from 2.194.0:
  * Allow syslogd_t to use tmpfs files created by container runtime
- Changes from 2.193.0:
  * Allow containers to mount tmpfs_t file systems
  * Label spc_t as a init initrc daemon
  * Allow userdomains to run containers
- Changes from 2.191.0:
  * Create container_logwriter_t type
- Changes from 2.190.1:
  * Support BuildKit
  * container.fc: Set label for kata-agent
  * support nerdctl
- Changes from 2.190.0:
  * Packit: initial enablement
  * Allow iptables to list directories labeled as container_file_t
- Changes from 2.189.0:
  * Don't audit searching other processes in /proc.
Johannes Segitz (jsegitz) accepted request 1058004 from Johannes Segitz (jsegitz) (revision 25)
- Rename spc_timedated.patch to spc.patch
- Update spc.patch to allow privileged containers to use localectl (bsc#1207077)
Johannes Segitz (jsegitz) accepted request 1057911 from Johannes Segitz (jsegitz) (revision 24)
- Add spc_timedated.patch to allow privileged containers to use timedatectl (bsc#1207054)
Johannes Segitz (jsegitz) accepted request 989141 from Johannes Segitz (jsegitz) (revision 23)
- Update to version 2.188.0:
  * Allow confined containers to mount overlay filesystems
  Fixed bsc#1201348
Johannes Segitz (jsegitz) accepted request 984493 from Frederic Crozat (fcrozat) (revision 22)
- Update to version 2.187.0:
  * Allow container domains to use /dev/zero
- Changes from 2.186.0:
  * Create policy for a container_device_t
  * Allow containers to shutdown & setopt userdomain:sockets
- Changes from 2.183.0:
  * Allow containers to inherit all socket classes from container runtimes.
- Changes from 2.182.0:
  * Allow containers to inherit all socket classes
- Changes from 2.181.0:
  * Allow socket activated domains for tcp sockets from init_t and userdomains.
Dominique Leuenberger (dimstar_suse) committed (revision 21)
buildservice-autocommit accepted request 964617 from Thorsten Kukuk (kukuk) (revision 20)
baserev update by copy to link target
Thorsten Kukuk (kukuk) accepted request 963880 from Johannes Segitz (jsegitz) (revision 19)
- Add udica templates to the package
buildservice-autocommit accepted request 962685 from Jan Zerebecki (jzerebecki) (revision 18)
baserev update by copy to link target