# Spec file for Open vSwitch selinux policy.
# Copyright (C) 2018, Red Hat, Inc.
#
# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved. This file is offered as-is,
# without warranty of any kind.
#
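# Policy store the module is installed into; passed as the "-s" store to
# semodule and to the relabel macros in the scriptlets below.
%global selinuxtype targeted
# Minimum base-policy version required at scriptlet time (see the
# Requires(post) lines further down).
%global selinux_policyver 3.13.1-166.9
# Module type and name; "make" is expected to produce <modulename>.pp,
# which the install section packages.
%global moduletype contrib
%global modulename openvswitch-custom
Name: openvswitch-selinux-extra-policy
Summary: Open vSwitch Extra SELinux Policy
Group: System Environment/Daemons
URL: http://www.openvswitch.org/
Version: 1.0
# NOTE(review): the tarball is fetched over plain HTTP from a personal host
# and the spec records no digest for it, so nothing here pins its contents;
# verify the archive's integrity out of band before building from this URL.
Source0: http://aconole.bytheb.org/files/openvswitch-selinux-policy.tar.gz
License: ASL 2.0
BuildArch: noarch
Release: 29%{?dist}
# NOTE(review): the build step is a single "make" of a policy module;
# autotools, openssl and systemd do not appear to be used by it - confirm
# before trimming this list.
BuildRequires: autoconf automake libtool
BuildRequires: systemd-units openssl openssl-devel
BuildRequires: checkpolicy selinux-policy-devel git pkgconfig(systemd)
# Refuse to coexist with base policies older than this (changelog 1.0-3).
Conflicts: selinux-policy < 3.13.1-166.el7_4.9
# The post scriptlet runs semodule and load_policy (policycoreutils) and
# selinuxenabled (libselinux-utils) directly, so these must be present at
# the moment the scriptlet executes, not merely on the finished system.
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
Requires(post): libselinux-utils
Requires(post): policycoreutils
# The postun scriptlet calls the same tools to remove the module; declaring
# them for postun keeps them available when this package is erased in the
# same transaction as its tooling.
Requires(postun): libselinux-utils
Requires(postun): policycoreutils
%if 0%{?fedora} || 0%{?rhel} > 7
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif
# Patches are applied in Patch-number order by the autosetup call in prep;
# the changelog names the bug each one addresses.
Patch10: 0001-enable-mlx5.patch
Patch20: 0001-ovs-vswitchd-enable-net_broadcast.patch
Patch30: 0001-changes-to-support-newer-hugetlbfs-restrictions.patch
Patch40: 0001-custom-post-2.9-testing.patch
Patch50: 0001-container-allow-container-runtime-via-selinux.patch
Patch51: 0002-containers-allow-container_t-domain-to-access-ovs-so.patch
Patch60: 0001-Allow-openvswitch-to-manage-its-files-sockets-in-a-c.patch
Patch61: 0002-Add-missing-type.patch
Patch62: 0001-Fix-the-container-context-change.patch
Patch70: 0001-selinux-update-for-netlink-socket-types.patch
Patch80: 0001-add-transition-domain-for-kmod-ctl.patch
Patch81: 0001-optional-container.patch
Patch82: 0002-transition-domain-backport-fix.patch
Patch83: 0001-add-missing-execute_no_trans.patch
Patch84: 0001-add-modules-dep-t-support.patch
Patch90: 0001-Allow-fowner-fsetid.patch
Patch100: 0001-bz1808567.patch
Patch101: 0001-netlink_rdma_socket-fix-permissions.patch
Patch102: 0001-capability-dont-audit-sys_admin.patch
Patch110: 0001-rhcos-spc-and-file-updates.patch
Patch120: 0001-ipsec_conf.patch
Patch130: 0001-tracefs-allow-openvswitch_module_load-to-.patch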
%description
Tailored Open vSwitch SELinux policy for distribution
%prep
# Unpack Source0 and apply every PatchN in numeric order with -p1.
%autosetup -p 1
%build
# The unpacked tree's Makefile is expected to produce <modulename>.pp in
# the build directory, which the install section picks up.
make
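%install
# rpmbuild empties the build root before this section runs; do not rm -rf it
# here (redundant, and destructive if the build root were ever mis-set).
install -d %{buildroot}%{_datadir}/selinux/packages
# Only the compiled module is shipped. The devel/include tree formerly
# created here was never populated and never listed in files, so it is
# not created.
install -m 0644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages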
%check
# Empty: nothing validates the built module before it is packaged.
%pre
# Run the relabel_pre step only when SELinux is enabled, so installs on
# hosts with SELinux disabled (e.g. image builds, changelog 1.0-9) do not
# fail on SELinux-only tooling.
if %{_sbindir}/selinuxenabled ; then
%selinux_relabel_pre -s %{selinuxtype}
fi
%post
# Install the module into the store without reloading policy (-N), which
# also works when SELinux is disabled; the kernel policy is reloaded only
# on hosts where SELinux is enabled.
%{_sbindir}/semodule -N -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi
%postun
# $1 is 0 only on the final erase. On upgrade the new package's post has
# already installed the replacement module under the same name, so it is
# left in place and policy is not touched.
if [ $1 -eq 0 ]; then
%{_sbindir}/semodule -N -s %{selinuxtype} -r %{modulename}
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi
fi
%posttrans
# Counterpart of the relabel_pre step in pre; guarded the same way so it is
# skipped where SELinux is disabled.
if %{_sbindir}/selinuxenabled ; then
%selinux_relabel_post -s %{selinuxtype}
fi
%files
# Only the compiled module is packaged, root-owned and world-readable; the
# parent selinux/packages directory is not claimed by this package.
%defattr(-,root,root,0755)
%attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp
%changelog
* Thu Feb 10 2022 Aaron Conole <aconole@redhat.com> - 1.0-29
- Allow ovs debug tracing points to load (#2026664)
* Wed Jan 27 2021 Aaron Conole <aconole@redhat.com> - 1.0-28
- Revert perf_event workaround (#1906278)
* Tue Jan 19 2021 Aaron Conole <aconole@redhat.com> - 1.0-27
- Include a workaround for the perf_event change (#1906278)
* Fri Jan 15 2021 Aaron Conole <aconole@redhat.com> - 1.0-26
- Update to include CA based ipsec use cases (#1906278)
* Thu Jan 14 2021 Aaron Conole <aconole@redhat.com> - 1.0-25
- Update to include additional ipsec use cases (#1906278)
* Tue Jan 12 2021 Aaron Conole <aconole@redhat.com> - 1.0-24
- Allow openvswitch to work in conjunction with the ipsec
monitoring daemon (#1906278)
* Wed Mar 25 2020 Aaron Conole <aconole@redhat.com> - 1.0-23
- Additional rhcos fixes (#1817511)
* Tue Mar 03 2020 Aaron Conole <aconole@redhat.com> - 1.0-22
- Don't audit sys_admin capability (#1800651)
* Mon Mar 02 2020 Aaron Conole <aconole@redhat.com> - 1.0-21
- Fix the netlink_rdma_socket permissions (#1800651)
* Fri Feb 28 2020 Aaron Conole <aconole@redhat.com> - 1.0-20
- Fix the container_var_run_t permissions (#1808567)
* Tue Oct 08 2019 Aaron Conole <aconole@redhat.com> - 1.0-19
- Fix fowner/fsetid permissions due to changes with the
runtimedir option (#1759695)
* Wed Jul 24 2019 Aaron Conole <aconole@redhat.com> - 1.0-18
- Fix missing module_deps_t definitions (#1732647)
* Thu Jul 11 2019 Aaron Conole <aconole@redhat.com> - 1.0-17
- Add missing 'execute_no_trans' (#1724127)
* Fri Jun 14 2019 Aaron Conole <aconole@redhat.com> - 1.0-16
- Fix the backport for the transition domain (#1706768)
* Fri Jun 14 2019 Aaron Conole <aconole@redhat.com> - 1.0-15
- Set container support to optional (#1715918)
* Thu Jun 13 2019 Aaron Conole <aconole@redhat.com> - 1.0-14
- Add ovs-kmod-ctl transition domain (#1706768)
* Fri May 31 2019 Aaron Conole <aconole@redhat.com> - 1.0-13
- Change dependency from container-selinux to selinux-policy-targeted (#1715918)
* Mon Apr 15 2019 Aaron Conole <aconole@redhat.com> - 1.0-12
- Fix for netlink rdma socket (#1690783)
- Fix for netlink netfilter socket (#1687941)
* Wed Feb 06 2019 Aaron Conole <aconole@redhat.com> - 1.0-11
- Allow openvswitch to manage its socket files in a container
* Tue Jan 08 2019 Aaron Conole <aconole@redhat.com> - 1.0-10
- Include the container-selinux package (#1649981)
* Wed Nov 28 2018 Aaron Conole <aconole@redhat.com> - 1.0-9
- Fix the selinux macros to work with image builds (#1643571)
* Tue Nov 06 2018 Aaron Conole <aconole@redhat.com> - 1.0-8
- Include container related changes (#1642591)
* Tue Aug 28 2018 Aaron Conole <aconole@redhat.com> - 1.0-7
- Include extra selinux changes for 2.10 (#1620257)
* Fri Aug 03 2018 Aaron Conole <aconole@redhat.com> - 1.0-6
- Include new hugetlbfs restrictions
* Thu Jul 26 2018 Aaron Conole <aconole@redhat.com> - 1.0-5
- Fix missing %%{?dist} macro
- Check for SELinux before executing macros that require selinux
- Update to support RHEL8
* Wed May 30 2018 Aaron Conole <aconole@redhat.com> - 1.0-4
- Enable mlx5 usage of the net_raw capability (#1555440)
* Wed May 09 2018 Aaron Conole <aconole@redhat.com> - 1.0-3
- Set as conflicts with the selinux policy instead.
* Wed May 09 2018 Aaron Conole <aconole@redhat.com> - 1.0-2
- Merge to fast-datapath production branch
* Fri May 04 2018 Aaron Conole <aconole@redhat.com> - 1.0-1
- With fast-datapath branch
* Mon Feb 12 2018 Aaron Conole <aconole@redhat.com> - 1.0-0
- First Build