container-selinux-2:2.55-1.el7

Package header

  Name:                 container-selinux
  Epoch:                2
  Version:              2.55
  Release:              1.el7
  Summary:              SELinux policies for container runtimes
  Description:          SELinux policy modules for use with container runtimes.
  Build host:           x86-01.bsys.centos.org
  Vendor:               CentOS
  License:              GPLv2
  Packager:             CentOS BuildSystem
  Group:                Unspecified
  URL:                  https://github.com/projectatomic/container-selinux
  OS:                   linux
  Arch:                 noarch
  Platform:             noarch-redhat-linux-gnu
  Source RPM:           container-selinux-2.55-1.el7.src.rpm
  Built with RPM:       4.11.3
  Payload compression:  xz
  Scriptlet interpreter: /bin/sh (post-install and post-uninstall)
  Build flags:          -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m32 -march=x86-64 -mtune=generic -mfpmath=sse -fasynchronous-unwind-tables

Provides (each at 2:2.55-1.el7)

  container-selinux
  docker-engine-selinux
  docker-selinux

Requires

  /bin/sh
  /bin/sh
  libselinux-utils
  policycoreutils
  policycoreutils-python
  rpmlib(CompressedFileNames)
  rpmlib(FileDigests)
  rpmlib(PayloadFilesHavePrefix)
  selinux-policy
  selinux-policy-base
  selinux-policy-targeted
  rpmlib(PayloadIsXz)

  Versions recorded for these dependencies, in header order:
  2.5-11, 3.0.4-1, 4.6.0-1, 4.0-1, 3.13.1-183, 3.13.1-183, 3.13.1-183, 5.2-1

Obsoletes

  container-selinux   2:1.12.5-14
  docker-selinux      2:1.12.4-28

Files (all owned by root:root)

  /usr/share/doc/container-selinux-2.55/                            directory
  /usr/share/doc/container-selinux-2.55/README.md
  /usr/share/selinux/devel/                                         directory
  /usr/share/selinux/devel/include/                                 directory
  /usr/share/selinux/devel/include/services/                        directory
  /usr/share/selinux/devel/include/services/container.if
  /usr/share/selinux/packages/                                      directory
  /usr/share/selinux/packages/container.pp.bz2

  File digests, in file order (README.md, container.if, container.pp.bz2):
  093be781f9916163b4f01d3f7edd672d735d3d8347b5aa643cfa3c58057c6d5d
  97d35871d6dcbbeddc0e5d72140fac6e392d5576c1c630518591023309742ba4
  3e407b3cfd77fbb58ce25a41839c9d399027ce6dd3298e8ae81b054c734011d7

Post-install scriptlet (%post)

    # Install all modules in a single transaction
    # $1 -eq 1: first install (not an upgrade)
    if [ $1 -eq 1 ]; then
        # -P: persist the booleans; -N: do not reload policy yet
        /usr/sbin/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
    fi
    export MODULES=""; for x in container; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done;
    # -n: no reload; remove any old container module, disable docker and gear
    /usr/sbin/semodule -n -s targeted -r container 2> /dev/null
    /usr/sbin/semodule -n -s targeted -d docker 2> /dev/null
    /usr/sbin/semodule -n -s targeted -d gear 2> /dev/null
    # Install the new module at priority 200
    /usr/sbin/semodule -n -X 200 -s targeted -i $MODULES > /dev/null
    if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
        # Relabel runtime binaries, sockets, config, logs and unit files
        /usr/sbin/restorecon -R /usr/bin/docker* /var/run/containerd.sock \
            /var/run/docker.sock /var/run/docker.pid /etc/docker \
            /var/log/docker /var/log/lxc /var/lock/lxc \
            /usr/lib/systemd/system/docker.service \
            /usr/lib/systemd/system/docker-containerd.service \
            /usr/lib/systemd/system/docker-latest.service \
            /usr/lib/systemd/system/docker-latest-containerd.service \
            /etc/docker /usr/libexec/docker* &> /dev/null || :
        if [ $1 -eq 1 ]; then
            restorecon -R /var/lib/docker &> /dev/null || :
        fi
    fi

Post-uninstall scriptlet (%postun)

    # $1 -eq 0: final removal (not an upgrade)
    if [ $1 -eq 0 ]; then
        /usr/sbin/semodule -n -r container docker &> /dev/null || :
        if /usr/sbin/selinuxenabled ; then
            /usr/sbin/load_policy
            /usr/sbin/restorecon -R /usr/bin/docker* /var/run/containerd.sock \
                /var/run/docker.sock /var/run/docker.pid /etc/docker \
                /var/log/docker /var/log/lxc /var/lock/lxc \
                /usr/lib/systemd/system/docker.service \
                /usr/lib/systemd/system/docker-containerd.service \
                /usr/lib/systemd/system/docker-latest.service \
                /usr/lib/systemd/system/docker-latest-containerd.service \
                /etc/docker /usr/libexec/docker* &> /dev/null || :
        fi
    fi

    #define license tag if not already defined

Changelog

  2.55-1
  - Allow iptables to read container state
  - Dontaudit attempts from containers to write to /proc/self
  - Allow spc_t to change attributes on container_runtime_t fifo files

  Dan Walsh - 2.52-1
  - Add better support for writing custom selinux policy for customer container domains.

  Dan Walsh - 2.51-1
  - Allow shell_exec_t as a container_runtime_t entrypoint

  Dan Walsh - 2.50-1
  - Allow bin_t as a container_runtime_t entrypoint

  Dan Walsh - 2.49-1
  - Add support for MLS running container runtimes
  - Add missing allow rules for running systemd in a container

  Dan Walsh - 2.48-1
  - Update policy to match master branch
  - Remove typebounds and replace with nnp_transition and nosuid_transition calls

  Dan Walsh - 2.41-1
  - Add support to nnp_transition for container domains
  - Eliminates need for typebounds.

  Dan Walsh - 2.40-1
  - Allow container_runtime_t to use user ttys
  - Fixes bounds check for container_t

  Dan Walsh - 2.39-1
  - Allow container runtimes to use inherited terminals. This helps
    satisfy the bounds check of container_t versus container_runtime_t.

  Dan Walsh - 2.38-1
  - Allow container runtimes to mmap container_file_t devices
  - Add labeling for rhel push plugin

  Dan Walsh - 2.37-1
  - Allow containers to use inherited ttys
  - Allow ostree to handle labels under /var/lib/containers/ostree

  Dan Walsh - 2.36-1
  - Allow containers to relabelto/from all file types to container_file_t

  Dan Walsh - 2.35-1
  - Allow container to map chr_files labeled container_file_t

  Dan Walsh - 2.34-1
  - Dontaudit container processes getattr on kernel file systems

  Dan Walsh - 2.33-1
  - Allow containers to read /etc/resolv.conf and /etc/hosts if volume
  - mounted into container.

  Dan Walsh - 2.32-1
  - Make sure users creating content in /var/lib with right labels

  Dan Walsh - 2.31-1
  - Allow the container runtime to dbus chat with dnsmasq
  - add dontaudit rules for container trying to write to /proc

  Dan Walsh - 2.29-1
  - Add support for lxcd
  - Add support for labeling of tmpfs storage created within a container.

  Dan Walsh - 2.28-1
  - Allow a container to umount a container_file_t filesystem

  Dan Walsh - 2.27-1
  - Allow container runtimes to work with the netfilter sockets
  - Allow container_file_t to be an entrypoint for VM's
  - Allow spc_t domains to transition to svirt_t

  Dan Walsh - 2.24-1
  - Make sure container_runtime_t has all access of container_t

  Dan Walsh - 2.23-1
  - Allow container runtimes to create sockets in tmp dirs

  Dan Walsh - 2.22-1
  - Add additional support for crio labeling.

  Troy Dawson - 2.21-3
  - Fixup spec file conditionals

  Fedora Release Engineering - 2:2.21-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

  Dan Walsh - 2.21-1
  - Allow containers to execmod on container_share_t files.

  Dan Walsh - 2.20-2
  - Relabel runc and crio executables

  Dan Walsh - 2.20-1
  - Allow container processes to getsession

  Lokesh Mandvekar - 2:2.19-2.1
  - update release tag to isolate from 7.3

  Dan Walsh - 2:2.19-1
  - Fix mcs transition problem on stdin/stdout/stderr
  - Add labels for CRI-O
  - Allow containers to use tunnel sockets

  Lokesh Mandvekar - 2:2.15-1.1
  - Resolves: #1451289
  - rebase to v2.15
  - built @origin/RHEL-1.12 commit 583ca40

  Dan Walsh - 2:2.10-2.1
  - Make sure we have a late enough version of policycoreutils

  Dan Walsh - 2:2.10-1
  - Update to the latest container-selinux patch from upstream
  - Label files under /usr/libexec/lxc as container_runtime_exec_t
  - Give container_t access to XFRM sockets
  - Allow spc_t to dbus chat with init system
  - Allow containers to read cgroup configuration mounted into a container

  Lokesh Mandvekar - 2:2.9-4
  - Resolves: #1425574
  - built commit 79a6d70

  Lokesh Mandvekar - 2:2.9-3
  - Resolves: #1420591
  - built @origin/RHEL-1.12 commit 8f876c4

  Lokesh Mandvekar - 2:2.9-2
  - built @origin/RHEL-1.12 commit 33cb78b

  Lokesh Mandvekar - 2:2.8-2
  -

  Lokesh Mandvekar - 2:2.7-1
  - built origin/RHEL-1.12 commit 21dd37b

  Lokesh Mandvekar - 2:2.4-2
  - correct version-release in changelog entries

  Dan Walsh - 2:2.4-1
  - Add typebounds statement for container_t from container_runtime_t
  - We should only label runc not runc*

  Dan Walsh - 2:2.3-1
  - Fix labeling on /usr/bin/runc.*
  - Add sandbox_net_domain access to container.te
  - Remove containers ability to look at /etc content

  Lokesh Mandvekar - 2:2.2-4
  - use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7

  Jonathan Lebon - 2:2.2-3
  - properly disable docker module in %post

  Lokesh Mandvekar - 2:2.2-2
  - depend on selinux-policy-targeted
  - relabel docker-latest* files as well

  Lokesh Mandvekar - 2:2.2-1
  - bump to v2.2
  - additional labeling for ocid

  Lokesh Mandvekar - 2:2.0-2
  - install policy at level 200
  - From: Dan Walsh

  Lokesh Mandvekar - 2:2.0-1
  - Resolves: #1406517
  - bump to v2.0 (first upload to Fedora as a standalone package)
  - include projectatomic/RHEL-1.12 branch commit for building on centos/rhel

  Lokesh Mandvekar - 2:1.12.4-29
  - new package (separated from docker)