# Spec file for Open vSwitch selinux policy.
# Copyright (C) 2018, Red Hat, Inc.
#
# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved. This file is offered as-is,
# without warranty of any kind.
#

%global selinuxtype targeted
%global selinux_policyver 3.13.1-166.9
%global moduletype contrib
%global modulename openvswitch-custom

Name: openvswitch-selinux-extra-policy
Summary: Open vSwitch Extra SELinux Policy
Group: System Environment/Daemons
URL: http://www.openvswitch.org/
Version: 1.0
Source0: http://aconole.bytheb.org/files/openvswitch-selinux-policy.tar.gz
License: ASL 2.0
BuildArch: noarch
Release: 30%{?dist}

BuildRequires: autoconf automake libtool
BuildRequires: systemd-units openssl openssl-devel
BuildRequires: checkpolicy selinux-policy-devel git pkgconfig(systemd)

Conflicts: selinux-policy < 3.13.1-166.el7_4.9

Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
Requires(post): libselinux-utils
Requires(post): policycoreutils
%if 0%{?fedora} || 0%{?rhel} > 7
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif

Patch10: 0001-enable-mlx5.patch
Patch20: 0001-ovs-vswitchd-enable-net_broadcast.patch
Patch30: 0001-changes-to-support-newer-hugetlbfs-restrictions.patch
Patch40: 0001-custom-post-2.9-testing.patch
Patch50: 0001-container-allow-container-runtime-via-selinux.patch
Patch51: 0002-containers-allow-container_t-domain-to-access-ovs-so.patch
Patch60: 0001-Allow-openvswitch-to-manage-its-files-sockets-in-a-c.patch
Patch61: 0002-Add-missing-type.patch
Patch62: 0001-Fix-the-container-context-change.patch
Patch70: 0001-selinux-update-for-netlink-socket-types.patch
Patch80: 0001-add-transition-domain-for-kmod-ctl.patch
Patch81: 0001-optional-container.patch
Patch82: 0002-transition-domain-backport-fix.patch
Patch83: 0001-add-missing-execute_no_trans.patch
Patch84: 0001-add-modules-dep-t-support.patch
Patch90: 0001-Allow-fowner-fsetid.patch
Patch100: 0001-bz1808567.patch
Patch101: 0001-netlink_rdma_socket-fix-permissions.patch
Patch102: 0001-capability-dont-audit-sys_admin.patch
Patch110: 0001-rhcos-spc-and-file-updates.patch
Patch120: 0001-ipsec_conf.patch
Patch130: 0001-file_insert_watch_into_class_for_macro.patch
Patch140: 0001-update-with-rhel9-testing.patch

%description
Tailored Open vSwitch SELinux policy for distribution

%prep
%autosetup -p 1

%build
make

%install
rm -rf $RPM_BUILD_ROOT
install -d %{buildroot}%{_datadir}/selinux/packages
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -m 0644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages

%check

%pre
if %{_sbindir}/selinuxenabled ; then
    %selinux_relabel_pre -s %{selinuxtype}
fi

%post
%{_sbindir}/semodule -N -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi

%postun
if [ $1 -eq 0 ]; then
    %{_sbindir}/semodule -N -s %{selinuxtype} -r %{modulename}
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
    fi
fi

%posttrans
if %{_sbindir}/selinuxenabled ; then
    %selinux_relabel_post -s %{selinuxtype}
fi

%files
%defattr(-,root,root,0755)
%attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp

%changelog
* Mon Jun 21 2021 Aaron Conole - 1.0-30
- Update after testing with rhel9 selinux policy

* Mon Jun 07 2021 Aaron Conole - 1.0-29
- Update with fixes for the rhel9 selinux devel policy

* Wed Jan 27 2021 Aaron Conole - 1.0-28
- Revert perf_event workaround (#1906278)

* Tue Jan 19 2021 Aaron Conole - 1.0-27
- Include a workaround for the perf_event change (#1906278)

* Fri Jan 15 2021 Aaron Conole - 1.0-26
- Update to include CA based ipsec use cases (#1906278)

* Thu Jan 14 2021 Aaron Conole - 1.0-25
- Update to include additional ipsec use cases (#1906278)

* Tue Jan 12 2021 Aaron Conole - 1.0-24
- Allow openvswitch to work in conjunction with the ipsec monitoring daemon (#1906278)

* Wed Mar 25 2020 Aaron Conole - 1.0-23
- Additional rhcos fixes (#1817511)

* Tue Mar 03 2020 Aaron Conole - 1.0-22
- Don't audit sys_admin capability (#1800651)

* Mon Mar 02 2020 Aaron Conole - 1.0-21
- Fix the netlink_rdma_socket permissions (#1800651)

* Fri Feb 28 2020 Aaron Conole - 1.0-20
- Fix the container_var_run_t permissions (#1808567)

* Tue Oct 08 2019 Aaron Conole - 1.0-19
- Fix fowner/fsetid permissions due to changes with the runtimedir option (#1759695)

* Wed Jul 24 2019 Aaron Conole - 1.0-18
- Fix missing module_deps_t definitions (#1732647)

* Thu Jul 11 2019 Aaron Conole - 1.0-17
- Add missing 'execute_no_trans' (#1724127)

* Fri Jun 14 2019 Aaron Conole - 1.0-16
- Fix the backport for the transition domain (#1706768)

* Fri Jun 14 2019 Aaron Conole - 1.0-15
- Set container support to optional (#1715918)

* Thu Jun 13 2019 Aaron Conole - 1.0-14
- Add ovs-kmod-ctl transition domain (#1706768)

* Fri May 31 2019 Aaron Conole - 1.0-13
- Change dependency from container-selinux to selinux-policy-targeted (#1715918)

* Mon Apr 15 2019 Aaron Conole - 1.0-12
- Fix for netlink rdma socket (#1690783)
- Fix for netlink netfilter socket (#1687941)

* Wed Feb 06 2019 Aaron Conole - 1.0-11
- Allow openvswitch to manage its socket files in a container

* Tue Jan 08 2019 Aaron Conole - 1.0-10
- Include the container-selinux package (#1649981)

* Wed Nov 28 2018 Aaron Conole - 1.0-9
- Fix the selinux macros to work with image builds (#1643571)

* Tue Nov 06 2018 Aaron Conole - 1.0-8
- Include container related changes (#1642591)

* Tue Aug 28 2018 Aaron Conole - 1.0-7
- Include extra selinux changes for 2.10 (#1620257)

* Fri Aug 03 2018 Aaron Conole - 1.0-6
- Include new hugetlbfs restrictions

* Thu Jul 26 2018 Aaron Conole - 1.0-5
- Fix missing %{?dist} macro
- Check for SELinux before executing macros that require selinux
- Update to support RHEL8

* Wed May 30 2018 Aaron Conole - 1.0-4
- Enable mlx5 usage of the net_raw capability (#1555440)

* Wed May 09 2018 Aaron Conole - 1.0-3
- Set as conflicts with the selinux policy instead.

* Wed May 09 2018 Aaron Conole - 1.0-2
- Merge to fast-datapath production branch

* Fri May 04 2018 Aaron Conole - 1.0-1
- With fast-datapath branch

* Mon Feb 12 2018 Aaron Conole - 1.0-0
- First Build