Merge pull request #1316 from bcressey/selinux-aliases

add aliases for container-selinux types
bottlerocket-os · Feb 12, 2021 · 7209733 · 7209733
2 parents c5eafc0 + 2e1fa38
commit 7209733
Show file tree

Hide file tree

Showing 20 changed files with 41 additions and 151 deletions.
diff --git a/packages/kubernetes-1.15/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.15/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -1,7 +1,7 @@
-From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From f655cc39ba3aef7792a013f765c429ede69cfd97 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
 Date: Sat, 18 May 2019 16:57:12 +0000
-Subject: [PATCH 1/4] always set relevant variables for cross compiling
+Subject: [PATCH] always set relevant variables for cross compiling
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
 ---
@@ -73,5 +73,5 @@ index e9c3b066..14c15994 100755
 
  kube::golang::unset_platform_envs() {
 -- 
-2.21.0
+2.26.2
 
diff --git a/...3-opt-out-of-module-mode-for-builds.patch → ...2-opt-out-of-module-mode-for-builds.patch b/...3-opt-out-of-module-mode-for-builds.patch → ...2-opt-out-of-module-mode-for-builds.patch
diff --git a/packages/kubernetes-1.15/0002-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.15/0002-override-SELinux-label-for-kubelet-plugins.patch
diff --git a/...kubelet-block-non-forwarded-packets.patch → ...kubelet-block-non-forwarded-packets.patch b/...kubelet-block-non-forwarded-packets.patch → ...kubelet-block-non-forwarded-packets.patch
diff --git a/...-include-etc-hosts-in-eviction-calc.patch → ...-include-etc-hosts-in-eviction-calc.patch b/...-include-etc-hosts-in-eviction-calc.patch → ...-include-etc-hosts-in-eviction-calc.patch
diff --git a/packages/kubernetes-1.15/kubernetes-1.15.spec b/packages/kubernetes-1.15/kubernetes-1.15.spec
@@ -22,14 +22,13 @@ Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
-Patch2: 0002-override-SELinux-label-for-kubelet-plugins.patch
 
 # Fix builds in $GOPATH when using Go 1.13 - drop when we catch up in v1.17.0
 # /~https://github.com/kubernetes/kubernetes/commit/8618c09
-Patch3: 0003-opt-out-of-module-mode-for-builds.patch
+Patch2: 0002-opt-out-of-module-mode-for-builds.patch
 
-Patch4: 0004-kubelet-block-non-forwarded-packets.patch
-Patch5: 0005-include-etc-hosts-in-eviction-calc.patch
+Patch3: 0003-kubelet-block-non-forwarded-packets.patch
+Patch4: 0004-include-etc-hosts-in-eviction-calc.patch
 
 BuildRequires: git
 BuildRequires: rsync

diff --git a/packages/kubernetes-1.16/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.16/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -1,18 +1,18 @@
-From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From 7b22b33975ae3134130d92e5a43a1cfed6e0f89c Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
 Date: Sat, 18 May 2019 16:57:12 +0000
-Subject: [PATCH 1/4] always set relevant variables for cross compiling
+Subject: [PATCH] always set relevant variables for cross compiling
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
 ---
  hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
  1 file changed, 30 insertions(+), 22 deletions(-)
 
 diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index e9c3b066..14c15994 100755
+index 5d9b084f..9244b43e 100755
 --- a/hack/lib/golang.sh
 +++ b/hack/lib/golang.sh
-@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+@@ -393,29 +393,37 @@ kube::golang::set_platform_envs() {
    export GOOS=${platform%/*}
    export GOARCH=${platform##*/}
 
@@ -73,5 +73,5 @@ index e9c3b066..14c15994 100755
 
  kube::golang::unset_platform_envs() {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/kubernetes-1.16/0002-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.16/0002-override-SELinux-label-for-kubelet-plugins.patch
diff --git a/packages/kubernetes-1.16/kubernetes-1.16.spec b/packages/kubernetes-1.16/kubernetes-1.16.spec
@@ -22,7 +22,6 @@ Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
-Patch2: 0002-override-SELinux-label-for-kubelet-plugins.patch
 
 # Update aws-sdk-go for IMDSv2 support
 Patch100: aws-sdk-go-1.28.2.patch.bz2

diff --git a/packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -1,18 +1,18 @@
-From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From eaeb0bf4e72f04f787ee3aa58499de19a31f5634 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
 Date: Sat, 18 May 2019 16:57:12 +0000
-Subject: [PATCH 1/4] always set relevant variables for cross compiling
+Subject: [PATCH] always set relevant variables for cross compiling
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
 ---
  hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
  1 file changed, 30 insertions(+), 22 deletions(-)
 
 diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index e9c3b066..14c15994 100755
+index b646bbe2..21067172 100755
 --- a/hack/lib/golang.sh
 +++ b/hack/lib/golang.sh
-@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+@@ -393,29 +393,37 @@ kube::golang::set_platform_envs() {
    export GOOS=${platform%/*}
    export GOARCH=${platform##*/}
 
@@ -73,5 +73,5 @@ index e9c3b066..14c15994 100755
 
  kube::golang::unset_platform_envs() {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/kubernetes-1.17/0002-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.17/0002-override-SELinux-label-for-kubelet-plugins.patch
diff --git a/packages/kubernetes-1.17/kubernetes-1.17.spec b/packages/kubernetes-1.17/kubernetes-1.17.spec
@@ -22,7 +22,6 @@ Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
-Patch2: 0002-override-SELinux-label-for-kubelet-plugins.patch
 
 # Update aws-sdk-go for IMDSv2 support
 Patch100: aws-sdk-go-1.28.2_k8s-1.17.8.patch.bz2

diff --git a/packages/kubernetes-1.18/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.18/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -1,18 +1,18 @@
-From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From 33d8f71872c51f189056d4e4aaa5427f7a09f0cf Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
 Date: Sat, 18 May 2019 16:57:12 +0000
-Subject: [PATCH 1/4] always set relevant variables for cross compiling
+Subject: [PATCH] always set relevant variables for cross compiling
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
 ---
  hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
  1 file changed, 30 insertions(+), 22 deletions(-)
 
 diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index e9c3b066..14c15994 100755
+index b646bbe2..21067172 100755
 --- a/hack/lib/golang.sh
 +++ b/hack/lib/golang.sh
-@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+@@ -393,29 +393,37 @@ kube::golang::set_platform_envs() {
    export GOOS=${platform%/*}
    export GOARCH=${platform##*/}
 
@@ -73,5 +73,5 @@ index e9c3b066..14c15994 100755
 
  kube::golang::unset_platform_envs() {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/kubernetes-1.18/0002-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.18/0002-override-SELinux-label-for-kubelet-plugins.patch
diff --git a/packages/kubernetes-1.18/kubernetes-1.18.spec b/packages/kubernetes-1.18/kubernetes-1.18.spec
@@ -22,7 +22,6 @@ Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
-Patch2: 0002-override-SELinux-label-for-kubelet-plugins.patch
 
 BuildRequires: git
 BuildRequires: rsync

diff --git a/packages/kubernetes-1.19/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.19/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -1,18 +1,18 @@
-From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From 8b46abbb2f138096ec0f4237b8ce033c1fdc1d4d Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
 Date: Sat, 18 May 2019 16:57:12 +0000
-Subject: [PATCH 1/4] always set relevant variables for cross compiling
+Subject: [PATCH] always set relevant variables for cross compiling
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
 ---
  hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
  1 file changed, 30 insertions(+), 22 deletions(-)
 
 diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index e9c3b066..14c15994 100755
+index 58bc090b..c3b0820e 100755
 --- a/hack/lib/golang.sh
 +++ b/hack/lib/golang.sh
-@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+@@ -393,29 +393,37 @@ kube::golang::set_platform_envs() {
    export GOOS=${platform%/*}
    export GOARCH=${platform##*/}
 
@@ -73,5 +73,5 @@ index e9c3b066..14c15994 100755
 
  kube::golang::unset_platform_envs() {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/kubernetes-1.19/0002-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.19/0002-override-SELinux-label-for-kubelet-plugins.patch
diff --git a/packages/kubernetes-1.19/kubernetes-1.19.spec b/packages/kubernetes-1.19/kubernetes-1.19.spec
@@ -22,7 +22,6 @@ Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
-Patch2: 0002-override-SELinux-label-for-kubelet-plugins.patch
 
 BuildRequires: git
 BuildRequires: rsync

diff --git a/packages/selinux-policy/object.cil b/packages/selinux-policy/object.cil
@@ -60,6 +60,11 @@
 (roletype object_r local_t)
 (context local (system_u object_r local_t s0))
 
+; Alias "container_file_t" to "local_t" for compatibility with
+; the container-selinux policy.
+(typealias container_file_t)
+(typealiasactual container_file_t local_t)
+
 ; Files for the API components.
 (type private_t)
 (roletype object_r private_t)
@@ -75,6 +80,11 @@
 (roletype object_r cache_t)
 (context cache (system_u object_r cache_t s0))
 
+; Alias "container_ro_file_t" to "cache_t" for compatibility with
+; the container-selinux policy.
+(typealias container_ro_file_t)
+(typealiasactual container_ro_file_t cache_t)
+
 ; Files for saved DHCP leases.
 (type lease_t)
 (roletype object_r lease_t)

diff --git a/packages/selinux-policy/subject.cil b/packages/selinux-policy/subject.cil
@@ -58,6 +58,11 @@
 (roletype system_r control_t)
 (context control (system_u system_r control_t s0))
 
+; Alias "spc_t" to "control_t" for compatibility with the
+; container-selinux policy.
+(typealias spc_t)
+(typealiasactual spc_t control_t)
+
 ; Processes that run inside highly privileged containers.
 (type super_t)
 (roletype system_r super_t)