From add9a23171920308b470960e189c415a1141c86a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 09:36:02 +0000
Subject: import container-selinux-2.55-1.el7
---
diff --git a/.container-selinux.metadata b/.container-selinux.metadata
index 5fc9338..d5156b3 100644
--- a/.container-selinux.metadata
+++ b/.container-selinux.metadata
@@ -1 +1 @@
-ac7fac23c989829f32fd150411c25cc767a57e1a SOURCES/container-selinux-ad8f0f7.tar.gz
+ada20c4a5f8bb4344f876a7c4583edf173db72ac SOURCES/container-selinux-54e47d5.tar.gz
diff --git a/.gitignore b/.gitignore
index 218afd4..22e0acb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/container-selinux-ad8f0f7.tar.gz
+SOURCES/container-selinux-54e47d5.tar.gz
diff --git a/SPECS/container-selinux.spec b/SPECS/container-selinux.spec
index 6df7661..4df8375 100644
--- a/SPECS/container-selinux.spec
+++ b/SPECS/container-selinux.spec
@@ -2,7 +2,7 @@
 # container-selinux
 %global git0 https://github.com/projectatomic/%{name}
-%global commit0 ad8f0f7a9ced4516b1d4f03bfa8939ed51f60eb9
+%global commit0 54e47d53228d455e1270e0c8df5b1c9334bb90ef
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # container-selinux stuff (prefix with ds_ for version/release etc.)
@@ -17,15 +17,15 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* /etc/docker &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
 # Version of SELinux we were using
-%global selinux_policyver 3.13.1-39
+%global selinux_policyver 3.13.1-183
 Name: container-selinux
 Epoch: 2
-Version: 2.42
-Release: 1.git%{shortcommit0}%{?dist}
+Version: 2.55
+Release: 1%{?dist}
 License: GPLv2
 URL: %{git0}
 Summary: SELinux policies for container runtimes
@@ -56,7 +56,7 @@ Provides: docker-engine-selinux = %{epoch}:%{version}-%{release}
 SELinux policy modules for use with container runtimes.
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{name}-%{commit0}
 %build
 make
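Review bot: The new `relabel_files` line still names `%{_sysconfdir}/docker` twice (once after `docker.pid` and again after `docker-latest-containerd.service`), so dropping the literal `/etc/docker` removes only one of three spellings of the same directory; the second `%{_sysconfdir}/docker` should go as well, and relabelling of /etc/docker itself stays covered by the remaining entry, which is what the dropped RHEL changelog entry "Relabel /etc/docker directory" in a later hunk relied on. Because the whole restorecon call ends in `&> /dev/null || :`, a relabel that fails at install time is silent; that is the usual scriptlet convention, but a comment such as `# restorecon errors are deliberately ignored: targets may not exist on this host` would record that it is intentional. Release changes from `1.git%{shortcommit0}%{?dist}` to `1%{?dist}` while %prep still unpacks `%{name}-%{commit0}`, so the built NVR no longer identifies the upstream commit it was built from; that is only appropriate if 54e47d5 is the tagged 2.55 release, which this diff cannot confirm. The bump of `selinux_policyver` to 3.13.1-183 presumably raises the minimum selinux-policy the package requires (the Requires line is outside this hunk), which is the right way to guarantee the base policy provides the interfaces the 2.55 module references.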
@@ -109,11 +109,31 @@ fi
 %{_datadir}/selinux/*
 %changelog
-* Thu Feb 22 2018 Dan Walsh - 2.42-1
-- Remove typebounds access rules
+* Mon Mar 26 2018 Dan Walsh - 2.55-1
+ Allow iptables to read container state
+ Dontaudit attempts from containers to write to /proc/self
+ Allow spc_t to change attributes on container_runtime_t fifo files
-* Thu Jan 18 2018 Dan Walsh - 2.41-1
-- Add typebounds calls for container_runtime_t on spc_t and svirt_lxc_net_t
+* Thu Mar 8 2018 Dan Walsh - 2.52-1
+- Add better support for writing custom selinux policy for customer container domains.
+
+* Thu Mar 8 2018 Dan Walsh - 2.51-1
+- Allow shell_exec_t as a container_runtime_t entrypoint
+
+* Wed Mar 7 2018 Dan Walsh - 2.50-1
+- Allow bin_t as a container_runtime_t entrypoint
+
+* Fri Mar 2 2018 Dan Walsh - 2.49-1
+- Add support for MLS running container runtimes
+- Add missing allow rules for running systemd in a container
+
+* Wed Feb 21 2018 Dan Walsh - 2.48-1
+- Update policy to match master branch
+- Remove typebounds and replace with nnp_transition and nosuid_transition calls
+
+* Tue Jan 9 2018 Dan Walsh - 2.41-1
+- Add support to nnp_transition for container domains
+- Eliminates need for typebounds.
 * Tue Jan 9 2018 Dan Walsh - 2.40-1
 - Allow container_runtime_t to use user ttys
@@ -131,11 +151,16 @@ satisfy the bounds check of container_t versus container_runtime_t.
 - Allow containers to use inherited ttys
 - Allow ostree to handle labels under /var/lib/containers/ostree
-* Tue Nov 28 2017 Dan Walsh - 2.36-1
+* Mon Nov 27 2017 Dan Walsh - 2.36-1
 - Allow containers to relabelto/from all file types to container_file_t
+
+* Mon Nov 27 2017 Dan Walsh - 2.35-1
 - Allow container to map chr_files labeled container_file_t
-* Wed Nov 8 2017 Dan Walsh - 2.33-1
+* Wed Nov 22 2017 Dan Walsh - 2.34-1
+- Dontaudit container processes getattr on kernel file systems
+
+* Sun Nov 19 2017 Dan Walsh - 2.33-1
 - Allow containers to read /etc/resolv.conf and /etc/hosts if volume
 - mounted into container.
@@ -146,35 +171,41 @@ satisfy the bounds check of container_t versus container_runtime_t.
 - Allow the container runtime to dbus chat with dnsmasq
 - add dontaudit rules for container trying to write to /proc
-* Wed Oct 25 2017 Dan Walsh - 2:2.30-2.git7f2de1a
-- Relabel /etc/docker directory
+* Tue Oct 10 2017 Dan Walsh - 2.29-1
+- Add support for lxcd
+- Add support for labeling of tmpfs storage created within a container.
+
+* Mon Oct 9 2017 Dan Walsh - 2.28-1
+- Allow a container to umount a container_file_t filesystem
+
+* Fri Sep 22 2017 Dan Walsh - 2.27-1
+- Allow container runtimes to work with the netfilter sockets
+- Allow container_file_t to be an entrypoint for VM's
+- Allow spc_t domains to transition to svirt_t
+
+* Fri Sep 22 2017 Dan Walsh - 2.24-1
+- Make sure container_runtime_t has all access of container_t
-* Wed Oct 11 2017 Dan Walsh - 2:2.30-1.git7f2de1a
-- bump to v2.30
-- Allow containers to create files on tmpfs file systems
-- Dontaudit containers attempts to write to /proc
+* Thu Sep 7 2017 Dan Walsh - 2.23-1
+- Allow container runtimes to create sockets in tmp dirs
-* Mon Oct 9 2017 Dan Walsh - 2:2.28-1.git85ce147
-- bump to v2.28
+* Tue Sep 5 2017 Dan Walsh - 2.22-1
+- Add additonal support for crio labeling.
-* Tue Sep 26 2017 Lokesh Mandvekar - 2:2.24-1.gitaeff029
-- bump to v2.24
+* Mon Aug 14 2017 Troy Dawson - 2.21-3
+- Fixup spec file conditionals
-* Tue Aug 08 2017 Lokesh Mandvekar - 2:2.21-2.gitba103ac
-- Resolves: #1469792
-- built @origin/RHEL-1.12 commit ba103ac
+* Wed Jul 26 2017 Fedora Release Engineering - 2:2.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-* Wed Jul 19 2017 Lokesh Mandvekar - 2:2.21-1
-- Resolves: #1469661
-- bump to v2.21
-- built commit 333854a
+* Thu Jul 6 2017 Dan Walsh - 2.21-1
+- Allow containers to execmod on container_share_t files.
-* Mon Jul 10 2017 Lokesh Mandvekar - 2:2.20-2
-- Resolves: #1463549
-- built commit 532fa20
+* Thu Jul 6 2017 Dan Walsh - 2.20-2
+- Relabel runc and crio executables
-* Tue Jul 04 2017 Frantisek Kluknavsky - 2:2.20-1.1
-- rebase
+* Fri Jun 30 2017 Dan Walsh - 2.20-1
+- Allow container processes to getsession
 * Wed Jun 14 2017 Lokesh Mandvekar - 2:2.19-2.1
 - update release tag to isolate from 7.3