From ec9a05e5e2e82363fae21131f869e2e34a597c50 Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Fri, 6 Jan 2017 15:50:22 -0500
Subject: [PATCH] Fix conflicts with newly updated selinux policies

The base selinux policies on centos/rhel/oraclelinux have all been updated in a way that conflicts with the policies we install with `docker-engine-selinux`. This patch fixes these conflicts. In addition, removes special cases for old/unsupported versions of fedora in our selinux package, and change to use a single minimum version for the selinux base policy package, as this is the minimum version required to use our selinux policy package.

Signed-off-by: Brian Goff
---
 contrib/selinux/docker-engine-selinux/docker.fc | 2 --
 contrib/selinux/docker-engine-selinux/docker.te | 7 -------
 hack/make/.build-rpm/docker-engine-selinux.spec | 17 ++---------------
 3 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/contrib/selinux/docker-engine-selinux/docker.fc b/contrib/selinux/docker-engine-selinux/docker.fc
index fe9c58a4ae..467d659604 100644
--- a/contrib/selinux/docker-engine-selinux/docker.fc
+++ b/contrib/selinux/docker-engine-selinux/docker.fc
@@ -7,8 +7,6 @@
 /etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
 /var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
 /var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
 /var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
diff --git a/contrib/selinux/docker-engine-selinux/docker.te b/contrib/selinux/docker-engine-selinux/docker.te
index 999742f302..bad0bb6e4c 100644
--- a/contrib/selinux/docker-engine-selinux/docker.te
+++ b/contrib/selinux/docker-engine-selinux/docker.te
@@ -5,13 +5,6 @@ policy_module(docker, 1.0.0)
 # Declarations
 #
-##
-##

-## Allow sandbox containers manage fuse files
-##

-##
-gen_tunable(virt_sandbox_use_fusefs, false)
-
 ##
 ##

 ## Determine whether docker can
diff --git a/hack/make/.build-rpm/docker-engine-selinux.spec b/hack/make/.build-rpm/docker-engine-selinux.spec
index 706af36ac6..ae597bd774 100644
--- a/hack/make/.build-rpm/docker-engine-selinux.spec
+++ b/hack/make/.build-rpm/docker-engine-selinux.spec
@@ -13,20 +13,7 @@ URL: https://dockerproject.org
 Vendor: Docker
 Packager: Docker
-# Version of SELinux we were using
-%if 0%{?fedora} == 20
-%global selinux_policyver 3.12.1-197
-%endif # fedora 20
-%if 0%{?fedora} == 21
-%global selinux_policyver 3.13.1-105
-%endif # fedora 21
-%if 0%{?fedora} >= 22
-%global selinux_policyver 3.13.1-128
-%endif # fedora 22
-%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7
-%global selinux_policyver 3.13.1-23
-%endif # centos,rhel,oraclelinux 7
-
+%global selinux_policyver 3.13.1-102
 %global selinuxtype targeted
 %global moduletype services
 %global modulenames docker
@@ -84,7 +71,7 @@ if %{_sbindir}/selinuxenabled ; then
 %{_sbindir}/load_policy
 %relabel_files
 if [ $1 -eq 1 ]; then
- restorecon -R %{_sharedstatedir}/docker
+ restorecon -R %{_sharedstatedir}/docker
 fi
 fi
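Review bot: `+%global selinux_policyver 3.13.1-102` replaces four distro-specific floors with a single undocumented number that is not monotone with what it replaces: the Fedora >= 22 floor drops from 3.13.1-128 to 3.13.1-102 while the centos/rhel/oraclelinux 7 floor rises from 3.13.1-23, and as far as I know Fedora and EL number their selinux-policy releases independently, so the same `3.13.1-NNN` string does not denote the same base policy on both. Carry a comment over in place of the removed `# Version of SELinux we were using`, tying the value to the policy update the commit message describes, e.g. `# Minimum selinux-policy release whose base policy no longer conflicts with this module (centos/rhel/oraclelinux 7; see commit message)`. The place where `selinux_policyver` is consumed (presumably a `Requires: selinux-policy >= %{selinux_policyver}` line) lies outside this hunk, so it is worth confirming there that the single value does not admit an older Fedora base policy than the removed guard did.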