# Spec file for Open vSwitch selinux policy.

# Copyright (C) 2018, Red Hat, Inc.
#
# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved.  This file is offered as-is,
# without warranty of any kind.
#

# SELinux store the module is installed into, and the base policy version
# the install-time Requires(post) tags below are pinned to.
%global selinuxtype targeted
%global selinux_policyver 3.13.1-166.9
# Module type and name; modulename is the .pp file that the build produces
# and that the install section stages for semodule.
%global moduletype contrib
%global modulename openvswitch-custom

Name: openvswitch-selinux-extra-policy
Summary: Open vSwitch Extra SELinux Policy
Group: System Environment/Daemons
URL: http://www.openvswitch.org/
Version: 1.0
# NOTE(review): the source tarball is fetched over plain http and no
# checksum for it is recorded in this spec. The policy it carries is
# installed into the SELinux store and loaded at package install time, so
# verify the tarball against a trusted digest before building.
Source0: http://aconole.bytheb.org/files/openvswitch-selinux-policy.tar.gz

License: ASL 2.0
BuildArch: noarch
Release: 29%{?dist}

# NOTE(review): the build section below is a bare make; systemd-units,
# openssl, openssl-devel, git and pkgconfig(systemd) are not obviously used
# by it. Presumably carried over from an earlier layout -- confirm before
# trimming.
BuildRequires: autoconf automake libtool
BuildRequires: systemd-units openssl openssl-devel
BuildRequires: checkpolicy selinux-policy-devel git pkgconfig(systemd)
# NOTE(review): this version string (3.13.1-166.el7_4.9) differs from
# selinux_policyver (3.13.1-166.9) used by the Requires(post) tags; confirm
# both are intended.
Conflicts: selinux-policy < 3.13.1-166.el7_4.9
# Install-time dependencies: the base policy the module is compiled
# against, selinuxenabled (libselinux-utils) and semodule/load_policy
# (policycoreutils), all of which the scriptlets below call.
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
Requires(post): libselinux-utils
Requires(post): policycoreutils
# Fedora and RHEL newer than 7 ship the python utilities under a
# different package name.
%if 0%{?fedora} || 0%{?rhel} > 7
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif

# All patches are applied by autosetup in the prep section (-p1).
Patch10: 0001-enable-mlx5.patch
Patch20: 0001-ovs-vswitchd-enable-net_broadcast.patch
Patch30: 0001-changes-to-support-newer-hugetlbfs-restrictions.patch
Patch40: 0001-custom-post-2.9-testing.patch
Patch50: 0001-container-allow-container-runtime-via-selinux.patch
Patch51: 0002-containers-allow-container_t-domain-to-access-ovs-so.patch
Patch60: 0001-Allow-openvswitch-to-manage-its-files-sockets-in-a-c.patch
Patch61: 0002-Add-missing-type.patch
Patch62: 0001-Fix-the-container-context-change.patch
Patch70: 0001-selinux-update-for-netlink-socket-types.patch
Patch80: 0001-add-transition-domain-for-kmod-ctl.patch
Patch81: 0001-optional-container.patch
Patch82: 0002-transition-domain-backport-fix.patch
Patch83: 0001-add-missing-execute_no_trans.patch
Patch84: 0001-add-modules-dep-t-support.patch
Patch90: 0001-Allow-fowner-fsetid.patch
Patch100: 0001-bz1808567.patch
Patch101: 0001-netlink_rdma_socket-fix-permissions.patch
Patch102: 0001-capability-dont-audit-sys_admin.patch
Patch110: 0001-rhcos-spc-and-file-updates.patch
Patch120: 0001-ipsec_conf.patch
Patch130: 0001-tracefs-allow-openvswitch_module_load-to-.patch

%description
Tailored Open vSwitch SELinux policy for distribution

%prep
# Unpack Source0 and apply every Patch tag from the preamble with -p1.
%autosetup -p 1

%build
# The tarball's Makefile compiles the policy into modulename.pp (the file
# the install section picks up); the build rules are not in this spec.
make

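%install
# Use the buildroot macro throughout instead of mixing it with the
# RPM_BUILD_ROOT environment variable; both name the same directory.
rm -rf %{buildroot}
# Stage the compiled policy package where the post scriptlet's semodule
# call expects it; the 0644 mode matches the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
# NOTE(review): this include directory is created empty and is not listed
# in the files section; confirm it is still needed.
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -m 0644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages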

%check
# No checks are run here; the module is only compiled in the build section.

%pre
# Prepare for relabeling before the module is installed. Guarded on
# selinuxenabled so that installs into images or chroots without SELinux
# still succeed.
if %{_sbindir}/selinuxenabled ; then
    %selinux_relabel_pre -s %{selinuxtype}
fi

%post
# Add the module to the store without reloading (-N), then load the policy
# only when SELinux is enabled on the target.
# NOTE(review): the semodule result is not checked; the scriptlet exits
# with the status of the trailing if, so a failed module install does not
# itself fail the package install. Consider checking the semodule exit
# status (or using the selinux_modules_install macro from
# selinux-policy-devel) if a hard failure is preferred.
%{_sbindir}/semodule -N -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi

%postun
# $1 is the number of package instances remaining after the transaction;
# 0 means a full erase (not an upgrade). Only then remove the module from
# the store and reload the policy when SELinux is enabled.
if [ $1 -eq 0 ]; then
    %{_sbindir}/semodule -N -s %{selinuxtype} -r %{modulename}
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
    fi
fi

%posttrans
# Finish the relabel started in the pre scriptlet once the whole
# transaction is done; again skipped when SELinux is not enabled.
if %{_sbindir}/selinuxenabled ; then
    %selinux_relabel_post -s %{selinuxtype}
fi

%files
# Only the compiled policy module is shipped; root-owned and read-only for
# other users, matching the 0644 mode used in the install section.
%defattr(-,root,root,0755)
%attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp

%changelog
* Thu Feb 10 2022 Aaron Conole <aconole@redhat.com> - 1.0-29
- Allow ovs debug tracing points to load (#2026664)

* Wed Jan 27 2021 Aaron Conole <aconole@redhat.com> - 1.0-28
- Revert perf_event workaround (#1906278)

* Tue Jan 19 2021 Aaron Conole <aconole@redhat.com> - 1.0-27
- Include a workaround for the perf_event change (#1906278)

* Fri Jan 15 2021 Aaron Conole <aconole@redhat.com> - 1.0-26
- Update to include CA based ipsec use cases (#1906278)

* Thu Jan 14 2021 Aaron Conole <aconole@redhat.com> - 1.0-25
- Update to include additional ipsec use cases (#1906278)

* Tue Jan 12 2021 Aaron Conole <aconole@redhat.com> - 1.0-24
- Allow openvswitch to work in conjunction with the ipsec
  monitoring daemon (#1906278)

* Wed Mar 25 2020 Aaron Conole <aconole@redhat.com> - 1.0-23
- Additional rhcos fixes (#1817511)

* Tue Mar 03 2020 Aaron Conole <aconole@redhat.com> - 1.0-22
- Don't audit sys_admin capability (#1800651)

* Mon Mar 02 2020 Aaron Conole <aconole@redhat.com> - 1.0-21
- Fix the netlink_rdma_socket permissions (#1800651)

* Fri Feb 28 2020 Aaron Conole <aconole@redhat.com> - 1.0-20
- Fix the container_var_run_t permissions (#1808567)

* Tue Oct 08 2019 Aaron Conole <aconole@redhat.com> - 1.0-19
- Fix fowner/fsetid permissions due to changes with the
  runtimedir option (#1759695)

* Wed Jul 24 2019 Aaron Conole <aconole@redhat.com> - 1.0-18
- Fix missing module_deps_t definitions (#1732647)

* Thu Jul 11 2019 Aaron Conole <aconole@redhat.com> - 1.0-17
- Add missing 'execute_no_trans' (#1724127)

* Fri Jun 14 2019 Aaron Conole <aconole@redhat.com> - 1.0-16
- Fix the backport for the transition domain (#1706768)

* Fri Jun 14 2019 Aaron Conole <aconole@redhat.com> - 1.0-15
- Set container support to optional (#1715918)

* Thu Jun 13 2019 Aaron Conole <aconole@redhat.com> - 1.0-14
- Add ovs-kmod-ctl transition domain (#1706768)

* Fri May 31 2019 Aaron Conole <aconole@redhat.com> - 1.0-13
- Change dependency from container-selinux to selinux-policy-targeted (#1715918)

* Mon Apr 15 2019 Aaron Conole <aconole@redhat.com> - 1.0-12
- Fix for netlink rdma socket (#1690783)
- Fix for netlink netfilter socket (#1687941)

* Wed Feb 06 2019 Aaron Conole <aconole@redhat.com> - 1.0-11
- Allow openvswitch to manage its socket files in a container

* Tue Jan 08 2019 Aaron Conole <aconole@redhat.com> - 1.0-10
- Include the container-selinux package (#1649981)

* Wed Nov 28 2018 Aaron Conole <aconole@redhat.com> - 1.0-9
- Fix the selinux macros to work with image builds (#1643571)

* Tue Nov 06 2018 Aaron Conole <aconole@redhat.com> - 1.0-8
- Include container related changes (#1642591)

* Tue Aug 28 2018 Aaron Conole <aconole@redhat.com> - 1.0-7
- Include extra selinux changes for 2.10 (#1620257)

* Fri Aug 03 2018 Aaron Conole <aconole@redhat.com> - 1.0-6
- Include new hugetlbfs restrictions

* Thu Jul 26 2018 Aaron Conole <aconole@redhat.com> - 1.0-5
- Fix missing %{?dist} macro
- Check for SELinux before executing macros that require selinux
- Update to support RHEL8

* Wed May 30 2018 Aaron Conole <aconole@redhat.com> - 1.0-4
- Enable mlx5 usage of the net_raw capability (#1555440)

* Wed May 09 2018 Aaron Conole <aconole@redhat.com> - 1.0-3
- Set as conflicts with the selinux policy instead.

* Wed May 09 2018 Aaron Conole <aconole@redhat.com> - 1.0-2
- Merge to fast-datapath production branch

* Fri May 04 2018 Aaron Conole <aconole@redhat.com> - 1.0-1
- With fast-datapath branch

* Mon Feb 12 2018 Aaron Conole <aconole@redhat.com> - 1.0-0
- First Build