Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
security:SELinux
container-selinux
container-selinux.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File container-selinux.changes of Package container-selinux
------------------------------------------------------------------- Thu Nov 07 12:04:40 UTC 2024 - cathy.hu@suse.com - Update to version 2.233.0: * container_engine_t: small change to allow non root exec in a container * RPM: explicitly list ghosted paths and skip mode verification * container-selinux install on non selinux-policy-targeted systems (#332) * set container_log_t type for /var/log/kube-apiserver * Allow kubelet_t to create a sock file kubelet_var_lib_t * dontaudit spc_t to mmap_zero * Packit: update targets (#330) * container_engine_t: another round of small improvements (#327) * Allow container_device_plugin_t to use the network (#325) * RPM: cleanup changelog (#324) * TMT: Simplify tests ------------------------------------------------------------------- Wed Jul 10 07:52:16 UTC 2024 - cathy.hu@suse.com - Update to version 2.232.1: * Bump to v2.232.1 * TMT: fix srpm download syntax on rawhide * Bump to 2.232.0 * Packit: remove `update_release` key from downstream jobs (#313) * Update container-selinux.8 man page * Add ownership of /usr/share/udica (#312) * Packit/TMT: upstream maintenance of downstream gating tests * extend container_engine_t again * Allow spc_t to use localectl * Allow spc_t to use timedatectl * introduce container_use_xserver_devices boolean to allow GPU access ------------------------------------------------------------------- Mon May 06 07:36:02 UTC 2024 - jsegitz@suse.com - Update to version 2.231.0: * Allow container domains to communicate with spc_t unix_stream_sockets * Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720) ------------------------------------------------------------------- Wed Apr 10 15:47:15 UTC 2024 - Cathy Hu <cathy.hu@suse.com> - Manual update to version 2.230.0+git4.a8e389d to include this commit that is needed for the main selinux-policy update to work: * Rename all /var/run file context entries to /run ------------------------------------------------------------------- Wed Apr 10 15:38:24 UTC 2024 - Cathy Hu <cathy.hu@suse.com> - Update to version 2.230.0: * Move to tar_scm based packaging: added _service and _servicedata * Allow containers to unmount file systems * Add buildah as a container_runtime_exec_t label * Additional rules for container_user_t * improve container_engine_t ------------------------------------------------------------------- Thu Jan 11 08:37:53 UTC 2024 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.228: * Allow container domains to watch fifo_files * container_engine_t: improve for podman in kubernetes case * Allow spc_t to transition to install_t domain * Default to allowing containers to use dri devices * Allow access to BPF Filesystems * Fix kubernetes transition rule * Label kubensenter as well as kubenswrapper * Allow container domains to execute container_runtime_tmpfs_t files * Allow container domains to ptrace themselves * Allow container domains to use container_runtime_tmpfs_t as an entrypoint * Add boolean to allow containers to use dri devices * Give containers access to pod resources endpoint * Label kubenswrapper kubelet_exec_t ------------------------------------------------------------------- Wed Sep 20 14:21:29 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.222: * Allow containers to read/write inherited dri devices ------------------------------------------------------------------- Tue Aug 15 05:48:12 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.221: * Allow containers to shutdown sockets inherited from container runtimes * Allow spc_t to use execmod libraries on container file systems * Add boolean to allow containers to read all cert files * More MLS Policy allow rules * Allow container runtimes using pasta bind icmp_socket to port_t * Fix spc_t transitions from container_runtime_domain ------------------------------------------------------------------- Tue May 23 07:32:16 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.215.0: * Add some MLS rules to policy * Allow container runtime to dyntransition to spc_t * Tighten controls on confined users * Add labels for /var/lib/shared * Cleanup entrypoint definitions * Allow container_device_plugin_t access to debugfs * Allow containers which use devices to map them ------------------------------------------------------------------- Mon Apr 24 07:24:46 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.211.0: * Don't transition to initrc_t domains from spc_t * Add tunable to allow sshd_t to launch container engines * Allow syslogd_t gettatr on inheritited runtime tmpfs files * Add container_file_t and container_ro_file_t as user_home_type * Set default context for local-path-provisioner * Allow daemon to send dbus messages to spc_t by ------------------------------------------------------------------- Wed Mar 29 13:04:36 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.206.0: * Allow unconfined domains to transition to container_runtime_t * Allow container domains to transition to install_t * Allow avirt_sandbox_domain to manage container_file_t types * Allow containers to watch sysfs_t directories * Allow spc_t to transption to rpm_script_t * Add support to new user_namespace access check * Smaller permission changes for container_init_t - Drop spc.patch, is now included ------------------------------------------------------------------- Mon Jan 16 12:47:34 UTC 2023 - Frederic Crozat <fcrozat@suse.com> - Update to version 2.198.0: * Fix spc_t transition rules on tmpfs_t - Changes from 2.197.0: * Add boolean containers_use_ecryptfs policy - Changes from 2.195.1: * Readd missing allow rules for container_t - Changes from 2.194.0: * Allow syslogd_t to use tmpfs files created by container runtime - Changes from 2.193.0: * Allow containers to mount tmpfs_t file systems * Label spc_t as a init initrc daemon * Allow userdomains to run containers - Changes from 2.191.0: * Create container_logwriter_t type - Changes from 2.190.1: * Support BuildKit * container.fc: Set label for kata-agent * support nerdctl - Changes from 2.190.0: * Packit: initial enablement * Allow iptables to list directories labeled as container_file_t - Changes from 2.189.0: * Dont audit searching other processes in /proc. ------------------------------------------------------------------- Thu Jan 12 13:02:32 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Rename spc_timedated.patch to spc.patch - Update spc.patch to allow privileged containers to use localectl (bsc#1207077) ------------------------------------------------------------------- Wed Jan 11 14:15:06 UTC 2023 - Johannes Segitz <jsegitz@suse.com> - Add spc_timedated.patch to allow privileged containers to use timedatectl (bsc#1207054) ------------------------------------------------------------------- Thu Jul 14 08:37:48 UTC 2022 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.188.0: * Allow confined containers to mount overlay filesystems Fixed bsc#1201348 ------------------------------------------------------------------- Wed Jun 22 13:17:49 UTC 2022 - Frederic Crozat <fcrozat@suse.com> - Update to version 2.187.0: * Allow container domains to use /dev/zero - Changes from 2.186.0: * Create policy for a container_device_t * Allow containers to shutdown & setopt userdomain:sockets - Changes from 2.183.0: * Allow containers to inherit all socket classes from container runtimes. - Changes from 2.182.0: * Allow containers to inherit all socket classes - Changes from 2.181.0: * Allow socket activated domains for tcp sockets from init_t and userdomains. ------------------------------------------------------------------- Tue Mar 22 08:35:54 UTC 2022 - Johannes Segitz <jsegitz@suse.com> - Add udica templates to the package ------------------------------------------------------------------- Fri Mar 18 12:04:25 UTC 2022 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.180.0 * Allow container domains to read/write kvm_device_t * Update kublet mappings to inlcude /usr/local/* * Allow container domains to use container runtime tcp and udp sockets * Alow containers to use unix_stream_sockets leaked from container runtimes * Allow userdomains to execute conmon_exec_t and use it as an entrypoint * Allow conmon_exec_t as an entrypoint * Add container_use_devices boolean to allow containers to use any device * Add explicit range transition for conmon * Add missing dbus class declaration into container_runtime_run() * Remove lockdown allow rules * Remove k3s fcontexts * Allow container domains to be used by user roles - Changed source url to allow for download via source service ------------------------------------------------------------------- Fri Nov 12 16:21:06 UTC 2021 - Richard Brown <rbrown@suse.com> - Update to version 2.171.0 * Define kubernetes_file_t as a config_type * Allow containers to be socket activated by user domains and by systemd. * Allow iptables to use fifo files of a container runtime * Allow container_runtime create all tmpfs content as container_runtime_tmpfs_t * Allow containers to create lnk_file on tmpfs_t directories. ------------------------------------------------------------------- Mon Aug 9 07:44:17 UTC 2021 - Johannes Segitz <jsegitz@suse.com> - Update to version 2.164.2 * Don't setup users for writing to pid_sockets * Allow container engines to be started from the staff user. * Allow spc_t domains to set bpf rules on any domain * Add support for k3s ------------------------------------------------------------------- Fri Apr 23 06:04:48 UTC 2021 - Johannes Segitz <jsegitz@suse.com> - Fix container runtime binary labels (bsc#1185030). You need to relable at least /usr/sbin if you're affected ------------------------------------------------------------------- Tue Feb 23 13:21:19 UTC 2021 - Thorsten Kukuk <kukuk@suse.com> - Update to version 2.158.0 - Add nfs remount support - Allow containers to execmod on nfs, samba and cephs remote shares - Allow confined users to send dbus messages to container_runtime ------------------------------------------------------------------- Mon Jan 11 10:40:32 UTC 2021 - Thorsten Kukuk <kukuk@suse.com> - Update to version 2.154.0 - Allow confined user domains to run confined container domains. - Allow all containers to use nfs shares, iff virt_use_nfs boolean is enabled. - Allow containers to read nsfs file systems. - KVM Container need to use tunnel sockets created by runtime. ------------------------------------------------------------------- Tue Nov 3 07:53:35 UTC 2020 - Ludwig Nussel <lnussel@suse.de> - Don't use BuildRequires based on shell script output. OBS can't evaluate that. ------------------------------------------------------------------- Thu Oct 29 07:52:21 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> - Update to version 2.150.0 - Add additional allow rules for kvm based containers using virtiofsd. ------------------------------------------------------------------- Wed Oct 14 12:57:07 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> - Update to version 2.145.0 - Add support for kubernetes_file_t - Allow container_t to open existing tun/tap ------------------------------------------------------------------- Wed Aug 12 09:11:30 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> - Minimize BuildRequires ------------------------------------------------------------------- Mon Aug 10 21:11:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> - Update to version 2.143.0 - support containerd/cri ------------------------------------------------------------------- Wed Aug 5 08:42:45 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> - Initial version
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor