Revisions of container-selinux

Johannes Segitz (jsegitz) accepted request 1172200 from Johannes Segitz (jsegitz) (revision 35)
- Update to version 2.231.0:
  * Allow container domains to communicate with spc_t unix_stream_sockets
  * Move to %posttrans to ensure selinux-policy got updated before
    the commands run (bsc#1221720)
Johannes Segitz (jsegitz) accepted request 1166916 from Cathy Hu (cahu) (revision 34)
- Manual update to version 2.230.0+git4.a8e389d to include this
  commit that is needed for the main selinux-policy update to work:
  * Rename all /var/run file context entries to /run
- Update to version 2.230.0:
  * Move to tar_scm based packaging: added _service and _servicedata
  * Allow containers to unmount file systems
  * Add buildah as a container_runtime_exec_t label
  * Additional rules for container_user_t
  * improve container_engine_t
Johannes Segitz (jsegitz) accepted request 1138075 from Johannes Segitz (jsegitz) (revision 33)
- Update to version 2.228:
  * Allow container domains to watch fifo_files
  * container_engine_t: improve for podman in kubernetes case
  * Allow spc_t to transition to install_t domain
  * Default to allowing containers to use dri devices
  * Allow access to BPF Filesystems
  * Fix kubernetes transition rule
  * Label kubensenter as well as kubenswrapper
  * Allow container domains to execute container_runtime_tmpfs_t files
  * Allow container domains to ptrace themselves
  * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
  * Add boolean to allow containers to use dri devices
  * Give containers access to pod resources endpoint
  * Label kubenswrapper kubelet_exec_t
Johannes Segitz (jsegitz) accepted request 1112591 from Johannes Segitz (jsegitz) (revision 32)
- Update to version 2.222:
  * Allow containers to read/write inherited dri devices
Johannes Segitz (jsegitz) committed (revision 31)
  * Allow containers to shutdown sockets inherited from container
Johannes Segitz (jsegitz) accepted request 1103976 from Johannes Segitz (jsegitz) (revision 30)
- Update to version 2.221:
  * Allow containers to shutdown sockets inherited from container
    runtimes
  * Allow spc_t to use execmod libraries on container file systems
  * Add boolean to allow containers to read all cert files
  * More MLS Policy allow rules
  * Allow container runtimes using pasta bind icmp_socket to port_t
  * Fix spc_t transitions from container_runtime_domain
Johannes Segitz (jsegitz) accepted request 1088558 from Johannes Segitz (jsegitz) (revision 29)
- Update to version 2.215.0:
  * Add some MLS rules to policy
  * Allow container runtime to dyntransition to spc_t
  * Tighten controls on confined users
  * Add labels for /var/lib/shared
  * Cleanup entrypoint definitions
  * Allow container_device_plugin_t access to debugfs
  * Allow containers which use devices to map them
Johannes Segitz (jsegitz) accepted request 1082386 from Johannes Segitz (jsegitz) (revision 28)
- Update to version 2.211.0:
  * Don't transition to initrc_t domains from spc_t
  * Add tunable to allow sshd_t to launch container engines
  * Allow syslogd_t getattr on inherited runtime tmpfs files
  * Add container_file_t and container_ro_file_t as user_home_type
  * Set default context for local-path-provisioner
  * Allow daemon to send dbus messages to spc_t by
Johannes Segitz (jsegitz) accepted request 1075435 from Johannes Segitz (jsegitz) (revision 27)
- Update to version 2.206.0:
  * Allow unconfined domains to transition to container_runtime_t
  * Allow container domains to transition to install_t
  * Allow avirt_sandbox_domain to manage container_file_t types
  * Allow containers to watch sysfs_t directories
  * Allow spc_t to transition to rpm_script_t
  * Add support to new user_namespace access check 
  * Smaller permission changes for container_init_t
- Drop spc.patch, is now included
Johannes Segitz (jsegitz) accepted request 1058701 from Frederic Crozat (fcrozat) (revision 26)
- Update to version 2.198.0:
  * Fix spc_t transition rules on tmpfs_t
- Changes from 2.197.0:
  * Add boolean containers_use_ecryptfs policy
- Changes from 2.195.1:
  * Readd missing allow rules for container_t
- Changes from 2.194.0:
  * Allow syslogd_t to use tmpfs files created by container runtime
- Changes from 2.193.0:
  * Allow containers to mount tmpfs_t file systems
  * Label spc_t as an init initrc daemon
  * Allow userdomains to run containers
- Changes from 2.191.0:
  * Create container_logwriter_t type
- Changes from 2.190.1:
  * Support BuildKit
  * container.fc: Set label for kata-agent
  * support nerdctl
- Changes from 2.190.0:
  * Packit: initial enablement
  * Allow iptables to list directories labeled as container_file_t
- Changes from 2.189.0:
  * Don't audit searching other processes in /proc.
Johannes Segitz (jsegitz) accepted request 1058004 from Johannes Segitz (jsegitz) (revision 25)
- Rename spc_timedated.patch to spc.patch
- Update spc.patch to allow privileged containers to use
  localectl (bsc#1207077)
Johannes Segitz (jsegitz) accepted request 1057911 from Johannes Segitz (jsegitz) (revision 24)
- Add spc_timedated.patch to allow privileged containers to use
  timedatectl (bsc#1207054)
Johannes Segitz (jsegitz) accepted request 989141 from Johannes Segitz (jsegitz) (revision 23)
- Update to version 2.188.0:
  * Allow confined containers to mount overlay filesystems
- Fixed bsc#1201348
Johannes Segitz (jsegitz) accepted request 984493 from Frederic Crozat (fcrozat) (revision 22)
- Update to version 2.187.0:
  * Allow container domains to use /dev/zero
- Changes from 2.186.0:
  * Create policy for a container_device_t
  * Allow containers to shutdown & setopt userdomain:sockets
- Changes from 2.183.0:
  * Allow containers to inherit all socket classes from container runtimes.
- Changes from 2.182.0:
  * Allow containers to inherit all socket classes
- Changes from 2.181.0:
  * Allow socket activated domains for tcp sockets from init_t and userdomains.
buildservice-autocommit accepted request 964617 from Thorsten Kukuk (kukuk) (revision 20)
baserev update by copy to link target
Thorsten Kukuk (kukuk) accepted request 963880 from Johannes Segitz (jsegitz) (revision 19)
- Add udica templates to the package
buildservice-autocommit accepted request 962685 from Jan Zerebecki (jzerebecki) (revision 18)
baserev update by copy to link target
Jan Zerebecki (jzerebecki) accepted request 962680 from Johannes Segitz (jsegitz) (revision 17)
- Update to version 2.180.0:
  * Allow container domains to read/write kvm_device_t
  * Update kubelet mappings to include /usr/local/*
  * Allow container domains to use container runtime tcp and udp sockets
  * Allow containers to use unix_stream_sockets leaked from container runtimes
  * Allow userdomains to execute conmon_exec_t and use it as an entrypoint
  * Allow conmon_exec_t as an entrypoint
  * Add container_use_devices boolean to allow containers to use any device
  * Add explicit range transition for conmon
  * Add missing dbus class declaration into container_runtime_run()
  * Remove lockdown allow rules
  * Remove k3s fcontexts
  * Allow container domains to be used by user roles
- Changed source url to allow for download via source service
Johannes Segitz (jsegitz) accepted request 931165 from Richard Brown (RBrownSUSE) (revision 16)
- Update to version 2.171.0:
  * Define kubernetes_file_t as a config_type
  * Allow containers to be socket activated by user domains and by systemd.
  * Allow iptables to use fifo files of a container runtime
  * Allow container_runtime create all tmpfs content as container_runtime_tmpfs_t
  * Allow containers to create lnk_file on tmpfs_t directories.