sle: support for sle-micro (#23)

- also, vagrantfiles for testing el7, el8, and sle
rancher · Nov 11, 2021 · 337f0a2 · 337f0a2
1 parent 0d36403
commit 337f0a2
Show file tree

Hide file tree

Showing 28 changed files with 1,187 additions and 219 deletions.
diff --git a/.drone.yml b/.drone.yml
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
-.dapper
 /dist
-/.vagrant/
+*.rpm
+.dapper
+.vagrant/
diff --git a/Dockerfile.centos7.dapper b/Dockerfile.centos7.dapper
@@ -1,6 +1,7 @@
 FROM centos:7
 
-RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq 
+RUN yum install -y epel-release \
+ && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
 
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT ./dist

diff --git a/Dockerfile.centos8.dapper b/Dockerfile.centos8.dapper
@@ -1,6 +1,7 @@
 FROM centos:8
 
-RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq
+RUN yum install -y epel-release \
+ && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
 
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT ./dist

diff --git a/Dockerfile.microos.dapper b/Dockerfile.microos.dapper
@@ -0,0 +1,15 @@
+ARG TUMBLEWEED=opensuse/tumbleweed
+FROM ${TUMBLEWEED}
+ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
+RUN chmod +x /bin/clone3-workaround
+SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
+RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
+
+
+ENV DAPPER_SOURCE /source
+ENV DAPPER_OUTPUT ./dist
+ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
+ENV HOME ${DAPPER_SOURCE}
+WORKDIR ${DAPPER_SOURCE}
+
+ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]
diff --git a/Makefile b/Makefile
@@ -1,5 +1,6 @@
 CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
 CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
+MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
 
 .dapper:
 	@echo Downloading dapper
@@ -14,4 +15,10 @@ $(CENTOS7_TARGETS): .dapper
 $(CENTOS8_TARGETS): .dapper
 	./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%)
 
-.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS)
+$(MICROOS_TARGETS): .dapper
+	./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)
+
+clean:
+	rm -rf dist/ Dockerfile.*.dapper[0-9]*
+
+.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(MICROOS_TARGETS) clean
diff --git a/README.md b/README.md
@@ -1,6 +1,11 @@
 # rke2-selinux
 RKE2 selinux policy repository
 
+## Signing Keys
+
+- https://rpm.rancher.io/public.key
+- https://rpm-testing.rancher.io/public.key
+
 ## Versioning/Tagging
 
 The version parsing logic for `rancher/rke2-selinux` expects tags to be of a certain format (that directly correlates to RPM naming)

diff --git a/policy/centos7/rke2-selinux.spec b/policy/centos7/rke2-selinux.spec
@@ -1,7 +1,6 @@
 # vim: sw=4:ts=4:et
 
-
-%define relabel_files() \
+%define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
@@ -16,32 +15,42 @@ restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \
 restorecon -R /var/run/flannel
 
-
 %define selinux_policyver 3.13.1-252
 %define container_policyver 2.107-3
-
-Name:   rke2-selinux
-Version:	%{rke2_selinux_version}
-Release:	%{rke2_selinux_release}.el7
-Summary:	SELinux policy module for rke2
-
-Group:	System Environment/Base		
-License:	ASL 2.0
-URL:		http://rancher.com
-Source0:	rke2.pp
-Source1:	rke2.if
-
+%define container_policy_epoch 2
+%define container_policy_schism 2.164.2
+
+Name:       rke2-selinux
+Version:    %{rke2_selinux_version}
+Release:    %{rke2_selinux_release}.el7
+Summary:    SELinux policy module for rke2
+
+Group:      System Environment/Base
+License:    ASL 2.0
+URL:        https://rke2.io
+Source0:    rke2.pp
+Source1:    rke2.if
+
+BuildArch:      noarch
+BuildRequires:  container-selinux >= %{container_policy_epoch}:%{container_policyver}
+BuildRequires:  container-selinux < %{container_policy_epoch}:%{container_policy_schism}
+BuildRequires:  git
+BuildRequires:  selinux-policy >= %{selinux_policyver}
+BuildRequires:  selinux-policy-devel >= %{selinux_policyver}
 
 Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): policycoreutils
+Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
+Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism}
 Requires(postun): policycoreutils
 
+Provides: %{name} = %{version}-%{release}
+Obsoletes: rke2-selinux < 0.9
 Conflicts: k3s-selinux
 
-BuildArch: noarch
-
 %description
-This package installs and sets up the  SELinux policy security module for rke2.
+This package installs and sets up the SELinux policy security module for rke2.
 
 %install
 install -d %{buildroot}%{_datadir}/selinux/packages
@@ -50,29 +59,26 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
 install -d %{buildroot}/etc/selinux/targeted/contexts/users/
 
+%pre
+%selinux_relabel_pre
 
 %post
 semodule -n -i %{_datadir}/selinux/packages/rke2.pp
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
-    %relabel_files
-
+    %rke2_relabel_files
 fi;
-exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
-    semodule -n -r rke2
-    if /usr/sbin/selinuxenabled ; then
-       /usr/sbin/load_policy
-
-    fi;
+    %selinux_modules_uninstall rke2
 fi;
-exit 0
+
+%posttrans
+%selinux_relabel_post
 
 %files
 %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
 %{_datadir}/selinux/devel/include/contrib/rke2.if
 
-
 %changelog
diff --git a/policy/centos7/rke2.fc b/policy/centos7/rke2.fc
@@ -1,20 +1,22 @@
 # vim: sw=8:ts=8:et
+
 /etc/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /lib/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/local/lib/systemd/system/rke2.*                                --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/bin/rke2                                                       --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/rancher/rke2/data/[^/]*/charts(/.*)?                           gen_context(system_u:object_r:container_config_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots              -d  gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*        -d  gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.*         <<none>>
 /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)?            gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/rke2/server/logs(/.*)?                                 gen_context(system_u:object_r:container_log_t,s0)
 /var/run/flannel(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/k3s(/.*)?                                                      gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?                 gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/log/containers(/.*)?                                               gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?                                                     gen_context(system_u:object_r:container_log_t,s0)
-/var/lib/rancher/rke2/server/logs(/.*)?                                 gen_context(system_u:object_r:container_log_t,s0)
diff --git a/policy/centos7/rke2.if b/policy/centos7/rke2.if
@@ -2,6 +2,7 @@
 interface(`rke2_filetrans_named_content',`
 
     gen_require(`
+        type container_config_t;
         type container_file_t;
         type container_log_t;
         type container_runtime_exec_t;
@@ -15,6 +16,7 @@ interface(`rke2_filetrans_named_content',`
     container_filetrans_named_content($1)
     files_pid_filetrans($1, container_var_run_t, dir, "rke2")
     filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
+    filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
     filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "snapshots")
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
     filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")

diff --git a/policy/centos8/rke2-selinux.spec b/policy/centos8/rke2-selinux.spec
@@ -1,7 +1,6 @@
 # vim: sw=4:ts=4:et
 
-
-%define relabel_files() \
+%define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
@@ -16,32 +15,39 @@ restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \
 restorecon -R /var/run/flannel
 
-
 %define selinux_policyver 3.13.1-252
 %define container_policyver 2.167.0-1
+%define container_policy_epoch 2
 
-Name:   rke2-selinux
-Version:	%{rke2_selinux_version}
-Release:	%{rke2_selinux_release}.el8
-Summary:	SELinux policy module for rke2
+Name:       rke2-selinux
+Version:    %{rke2_selinux_version}
+Release:    %{rke2_selinux_release}.el8
+Summary:    SELinux policy module for rke2
 
-Group:	System Environment/Base
-License:	ASL 2.0
-URL:		http://rancher.com
-Source0:	rke2.pp
-Source1:	rke2.if
+Group:      System Environment/Base
+License:    ASL 2.0
+URL:        https://rke2.io
+Source0:    rke2.pp
+Source1:    rke2.if
 
+BuildArch:      noarch
+BuildRequires:  container-selinux >= %{container_policy_epoch}:%{container_policyver}
+BuildRequires:  git
+BuildRequires:  selinux-policy >= %{selinux_policyver}
+BuildRequires:  selinux-policy-devel >= %{selinux_policyver}
 
 Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= 2:%{container_policyver}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): policycoreutils
+Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
 Requires(postun): policycoreutils
 
+Provides: %{name} = %{version}-%{release}
+Obsoletes: rke2-selinux < 0.9
 Conflicts: k3s-selinux
 
-BuildArch: noarch
-
 %description
-This package installs and sets up the  SELinux policy security module for rke2.
+This package installs and sets up the SELinux policy security module for rke2.
 
 %install
 install -d %{buildroot}%{_datadir}/selinux/packages
@@ -50,29 +56,26 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
 install -d %{buildroot}/etc/selinux/targeted/contexts/users/
 
+%pre
+%selinux_relabel_pre
 
 %post
 semodule -n -i %{_datadir}/selinux/packages/rke2.pp
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
-    %relabel_files
-
+    %rke2_relabel_files
 fi;
-exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
-    semodule -n -r rke2
-    if /usr/sbin/selinuxenabled ; then
-       /usr/sbin/load_policy
-
-    fi;
+    %selinux_modules_uninstall rke2
 fi;
-exit 0
+
+%posttrans
+%selinux_relabel_post
 
 %files
 %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
 %{_datadir}/selinux/devel/include/contrib/rke2.if
 
-
 %changelog
diff --git a/policy/centos8/rke2.fc b/policy/centos8/rke2.fc
@@ -1,13 +1,26 @@
 # vim: sw=8:ts=8:et
+
+# commented items are lines retained for parity when comparing policy between target distributions.
+# these are commented because they will cause conflict and/or crash when attempting to install with upstream
+# container-selinux: https://github.com/containers/container-selinux/pull/140/files
+
 /etc/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /lib/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/local/lib/systemd/system/rke2.*                                --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/bin/rke2                                                       --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
+#/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/rancher/rke2/data/[^/]*/charts(/.*)?                           gen_context(system_u:object_r:container_config_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots              -d  gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*        -d  gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.*         <<none>>
 /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)?            gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/rke2/server/logs(/.*)?                                 gen_context(system_u:object_r:container_log_t,s0)
+#/var/run/flannel(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s(/.*)?                                                      gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?                 gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+#/var/log/containers(/.*)?                                               gen_context(system_u:object_r:container_log_t,s0)
+#/var/log/pods(/.*)?                                                     gen_context(system_u:object_r:container_log_t,s0)
diff --git a/policy/centos8/rke2.if b/policy/centos8/rke2.if
@@ -2,6 +2,7 @@
 interface(`rke2_filetrans_named_content',`
 
     gen_require(`
+        type container_config_t;
         type container_file_t;
         type container_log_t;
         type container_runtime_exec_t;
@@ -16,6 +17,7 @@ interface(`rke2_filetrans_named_content',`
     container_filetrans_named_content($1)
     files_pid_filetrans($1, container_var_run_t, dir, "rke2")
     filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
+    filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
     filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
     filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")