diff --git a/.gitignore b/.gitignore
index 911dda1..d40d4ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libostree-2017.14.tar.xz
+SOURCES/libostree-2018.1.tar.xz
diff --git a/.ostree.metadata b/.ostree.metadata
index 2052abf..1377786 100644
--- a/.ostree.metadata
+++ b/.ostree.metadata
@@ -1 +1 @@
-bf5c21801eb160bdc1c06c1f63b361eafdd7af57 SOURCES/libostree-2017.14.tar.xz
+6f8cd6291a19068606fabec3e91fd6e59af86b79 SOURCES/libostree-2018.1.tar.xz
diff --git a/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch b/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
new file mode 100644
index 0000000..00d9292
--- /dev/null
+++ b/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
@@ -0,0 +1,114 @@
+From 9455cc49a6c53d7d5680031bcd5cb8d64ff9ca7d Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 5 Feb 2018 17:51:40 +0000
+Subject: [PATCH] deploy: SELinux-relabel installed kernel/initramfs data
+
+When we changed around the kernel location in rpm-ostree, we
+started installing the kernel into `/boot` as `modules_object_t`,
+and the current policy didn't permit that.  For maximum compatibility,
+relabel installed kernel/initramfs/dtb as `boot_t`.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1536991
+---
+ src/libostree/ostree-sysroot-deploy.c | 60 ++++++++++++++++++++++++-----------
+ 1 file changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
+index 5dc5bde..63ed149 100644
+--- a/src/libostree/ostree-sysroot-deploy.c
++++ b/src/libostree/ostree-sysroot-deploy.c
+@@ -97,20 +97,38 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
+  * hardlink if we're on the same partition.
+  */
+ static gboolean
+-hardlink_or_copy_at (int         src_dfd,
+-                     const char *src_subpath,
+-                     int         dest_dfd,
+-                     const char *dest_subpath,
+-                     OstreeSysrootDebugFlags flags,
+-                     GCancellable  *cancellable,
+-                     GError       **error)
++install_into_boot (OstreeSePolicy *sepolicy,
++                   int         src_dfd,
++                   const char *src_subpath,
++                   int         dest_dfd,
++                   const char *dest_subpath,
++                   OstreeSysrootDebugFlags flags,
++                   GCancellable  *cancellable,
++                   GError       **error)
+ {
+   if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) != 0)
+     {
+       if (G_IN_SET (errno, EMLINK, EXDEV))
+-        return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
+-                                  sysroot_flags_to_copy_flags (0, flags),
+-                                  cancellable, error);
++        {
++          /* Be sure we relabel when copying the kernel, as in current
++           * e.g. Fedora it might be labeled module_object_t or usr_t,
++           * but policy may not allow other processes to read from that
++           * like kdump.
++           * See also https://github.com/fedora-selinux/selinux-policy/commit/747f4e6775d773ab74efae5aa37f3e5e7f0d4aca
++           * This means we also drop xattrs but...I doubt anyone uses
++           * non-SELinux xattrs for the kernel anyways aside from perhaps
++           * IMA but that's its own story.
++           */
++          g_auto(OstreeSepolicyFsCreatecon) fscreatecon = { 0, };
++          const char *boot_path = glnx_strjoina ("/boot/", glnx_basename (dest_subpath));
++          if (!_ostree_sepolicy_preparefscreatecon (&fscreatecon, sepolicy,
++                                                    boot_path, S_IFREG | 0644,
++                                                    error))
++            return FALSE;
++          return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
++                                    GLNX_FILE_COPY_NOXATTRS,
++                                    cancellable, error);
++        }
+       else
+         return glnx_throw_errno_prefix (error, "linkat(%s)", dest_subpath);
+     }
+@@ -1567,6 +1585,11 @@ install_deployment_kernel (OstreeSysroot   *sysroot,
+                        &deployment_dfd, error))
+     return FALSE;
+ 
++  /* We need to label the kernels */
++  g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
++  if (!sepolicy)
++    return FALSE;
++
+   /* Find the kernel/initramfs in the tree */
+   g_autoptr(OstreeKernelLayout) kernel_layout = NULL;
+   if (!get_kernel_from_tree (deployment_dfd, &kernel_layout,
+@@ -1602,11 +1625,10 @@ install_deployment_kernel (OstreeSysroot   *sysroot,
+     return FALSE;
+   if (errno == ENOENT)
+     {
+-      if (!hardlink_or_copy_at (kernel_layout->boot_dfd,
+-                                kernel_layout->kernel_srcpath,
+-                                bootcsum_dfd, kernel_layout->kernel_namever,
+-                                sysroot->debug_flags,
+-                                cancellable, error))
++      if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->kernel_srcpath,
++                              bootcsum_dfd, kernel_layout->kernel_namever,
++                              sysroot->debug_flags,
++                              cancellable, error))
+         return FALSE;
+     }
+ 
+@@ -1620,10 +1642,10 @@ install_deployment_kernel (OstreeSysroot   *sysroot,
+         return FALSE;
+       if (errno == ENOENT)
+         {
+-          if (!hardlink_or_copy_at (kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
+-                                    bootcsum_dfd, kernel_layout->initramfs_namever,
+-                                    sysroot->debug_flags,
+-                                    cancellable, error))
++          if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
++                                  bootcsum_dfd, kernel_layout->initramfs_namever,
++                                  sysroot->debug_flags,
++                                  cancellable, error))
+             return FALSE;
+         }
+     }
+-- 
+2.14.3
+
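Review bot: In install_into_boot the copy branch now passes `GLNX_FILE_COPY_NOXATTRS` literally, so the `flags` argument that both call sites still supply no longer affects the copy; the replaced `sysroot_flags_to_copy_flags (0, flags)` folded the debug flags into the copy flags, and keeping that while adding the xattr drop looks like the intent: `sysroot_flags_to_copy_flags (GLNX_FILE_COPY_NOXATTRS, flags)`. The relabel via `_ostree_sepolicy_preparefscreatecon` is also only reached on the EMLINK/EXDEV copy path; when linkat() succeeds the destination shares the source inode and keeps whatever label it carried in the deployment, which the comment above the function ("hardlink if we're on the same partition") does not mention. The subject line promises dtb relabelling, but only the kernel and initramfs call sites are switched here; if dtb installation exists elsewhere it is not covered by this patch. The later hunks cut into install_deployment_kernel, whose body starts and ends outside the patch.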
diff --git a/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch b/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
new file mode 100644
index 0000000..dbdf748
--- /dev/null
+++ b/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
@@ -0,0 +1,67 @@
+From 2b8d586c5a10e9574acd1ae49a60cbf11cf22830 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Mon, 29 Jan 2018 13:48:02 +0100
+Subject: [PATCH] switchroot: Ensure /sysroot is set to "private" propagation
+
+Downstream BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1498281
+
+This came up as a problem with `oci-umount` which was trying to ensure some host
+mounts like `/var/lib/containers` don't leak into privileged containers.  But
+since our `/sysroot` mount wasn't private we also got a copy there.
+
+We should have done this from the very start - it makes `findmnt` way, way less
+ugly and is just the obviously right thing to do, will possibly create world
+peace etc.
+
+Closes: #1438
+Approved by: rhvgoyal
+---
+ src/switchroot/ostree-prepare-root.c | 11 +++++++++++
+ src/switchroot/ostree-remount.c      |  9 +++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
+index 43e15fcc..671a6a26 100644
+--- a/src/switchroot/ostree-prepare-root.c
++++ b/src/switchroot/ostree-prepare-root.c
+@@ -244,6 +244,17 @@ main(int argc, char *argv[])
+         err (EXIT_FAILURE, "failed to MS_MOVE %s to %s", deploy_path, root_mountpoint);
+     }
+ 
++  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
++   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
++   *
++   * Now in reality, today this is overridden by systemd: the *actual* way we fix this up
++   * is in ostree-remount.c.  But let's do it here to express the semantics we want
++   * at the very start (perhaps down the line systemd will have compile/runtime option
++   * to say that the initramfs environment did everything right from the start).
++   */
++  if (mount ("none", "sysroot", NULL, MS_PRIVATE, NULL) < 0)
++    err (EXIT_FAILURE, "remounting 'sysroot' private");
++
+   if (getpid() == 1)
+     {
+       execl ("/sbin/init", "/sbin/init", NULL);
+diff --git a/src/switchroot/ostree-remount.c b/src/switchroot/ostree-remount.c
+index fe6b6f44..cc2b81b3 100644
+--- a/src/switchroot/ostree-remount.c
++++ b/src/switchroot/ostree-remount.c
+@@ -44,6 +44,15 @@ main(int argc, char *argv[])
+   struct stat stbuf;
+   int i;
+ 
++  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
++   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
++   *
++   * Today systemd remounts / (recursively) as shared, so we're undoing that as early
++   * as possible.  See also a copy of this in ostree-prepare-root.c.
++   */
++  if (mount ("none", "/sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
++    perror ("warning: While remounting /sysroot MS_PRIVATE");
++
+   if (path_is_on_readonly_fs ("/"))
+     {
+       /* If / isn't writable, don't do any remounts; we don't want
+-- 
+2.14.3
+
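Review bot: The two mount() calls this patch adds are not the mirror images their shared comment implies: ostree-prepare-root.c calls `mount ("none", "sysroot", NULL, MS_PRIVATE, NULL)` with a relative path, no `MS_REC`, and a fatal `err()`, while ostree-remount.c calls it on `/sysroot` with `MS_REC | MS_PRIVATE` and only a `perror` warning. If submounts under /sysroot should also stop receiving propagation, the prepare-root call should presumably be recursive too; otherwise its comment should state why the non-recursive form is sufficient at that point. The relative `"sysroot"` appears to rely on the process cwd being the new root after the MS_MOVE just above, which is not visible in the hunk; a one-line comment such as `/* relative to cwd, which is the new root after the MS_MOVE above */` would make that assumption explicit. Both hunks sit inside main(), whose body starts and ends outside the patch.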
diff --git a/SPECS/ostree.spec b/SPECS/ostree.spec
index 12e7646..c74c97f 100644
--- a/SPECS/ostree.spec
+++ b/SPECS/ostree.spec
@@ -1,7 +1,7 @@
 Summary: Tool for managing bootable, immutable filesystem trees
 Name: ostree
-Version: 2017.14
-Release: 2%{?dist}
+Version: 2018.1
+Release: 4%{?dist}
 #VCS: git:https://github.com/ostreedev/ostree
 # The source tarball is generated via make -C packaging dist-snapshot
 # which handles git submodules.
@@ -10,6 +10,11 @@ Source1: 91-ostree.preset
 License: LGPLv2+
 URL: https://github.com/ostreedev/ostree
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1498281
+Patch0: 0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1536991
+Patch1: 0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
+
 # For autosetup
 BuildRequires: git
 # We always run autogen.sh
@@ -151,8 +156,18 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
-* Tue Dec 05 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.14-2
-- Rebuild for 7.4
+* Mon Feb 05 2018 Colin Walters <walters@redhat.com> - 2018.1-4
+- Backport patch for SELinux labels of kernels in /boot
+- Resolves: #1536991
+
+* Tue Jan 30 2018 Colin Walters <walters@redhat.com> - 2018.1-3
+- Backport patch to fix mount propagation of /sysroot
+- Resolves: #1498281
+
+* Fri Jan 19 2018 Colin Walters <walters@redhat.com> - 2018.1-2
+- New upstream version for 7.5.0
+- https://github.com/ostreedev/ostree/releases/tag/v2018.1
+- https://github.com/ostreedev/ostree/releases/tag/v2017.15
 
 * Tue Dec 05 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.14-1
 - New upstream version for 7.4.4