containers / container-selinux

SELinux policy files for Container Runtimes
GNU General Public License v2.0

Fix conditionalized %changelog content #247

Closed nforro closed 1 year ago

nforro commented 1 year ago

Related to https://github.com/packit/packit/issues/1974.

rhatdan commented 1 year ago

@lsm5 PTAL

lsm5 commented 1 year ago

Complete!
/usr/libexec/bats-core/bats-preprocess: line 113: warning: command substitution: ignored null byte in input
1..17
ok 1 podman selinux: confined container
not ok 2 podman selinux: container with label=disable
# (from function `is' in file /usr/share/podman/test/system/helpers.bash, line 731,
#  from function `check_label' in file /usr/share/podman/test/system/410-selinux.bats, line 23,
#  in test file /usr/share/podman/test/system/410-selinux.bats, line 42)
#   `check_label "--security-opt label=disable" "spc_t"' failed
# [13:09:17.216311713] # podman rm -t 0 --all --force --ignore
# [13:09:17.252229797] # podman ps --all --external --format {{.ID}} {{.Names}}
# [13:09:17.285896222] # podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
# [13:09:17.313990219] quay.io/libpod/testimage:20221018 f5a99120db64
# [13:09:17.323832893] # podman run --rm --security-opt label=disable quay.io/libpod/testimage:20221018 cat -v /proc/self/attr/current
# [13:09:17.673041365] unconfined_u:unconfined_r:spc_t:s0^@
# #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# #|     FAIL: SELinux role should always be system_r
# #| expected: '.*_u:system_r:.*' (using expr)
# #|   actual: 'unconfined_u:unconfined_r:spc_t:s0^@'
# #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# # [teardown]
# [13:09:17.693807821] # podman pod rm -t 0 --all --force --ignore
# [13:09:17.719841772] # podman rm -t 0 --all --force --ignore
# [13:09:17.743804695] # podman network prune --force
# [13:09:17.767985043] # podman volume rm -a -f
not ok 3 podman selinux: privileged container
# (from function `is' in file /usr/share/podman/test/system/helpers.bash, line 731,
#  from function `check_label' in file /usr/share/podman/test/system/410-selinux.bats, line 23,
#  in test file /usr/share/podman/test/system/410-selinux.bats, line 46)
#   `check_label "--privileged --userns=host" "spc_t"' failed
# [13:09:17.813740801] # podman rm -t 0 --all --force --ignore
# [13:09:17.842612751] # podman ps --all --external --format {{.ID}} {{.Names}}
# [13:09:17.872028871] # podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
# [13:09:17.900134288] quay.io/libpod/testimage:20221018 f5a99120db64
# [13:09:17.909988692] # podman run --rm --privileged --userns=host quay.io/libpod/testimage:20221018 cat -v /proc/self/attr/current
# [13:09:18.248564636] unconfined_u:unconfined_r:spc_t:s0^@
# #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# #|     FAIL: SELinux role should always be system_r
# #| expected: '.*_u:system_r:.*' (using expr)
# #|   actual: 'unconfined_u:unconfined_r:spc_t:s0^@'
# #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# # [teardown]
# [13:09:18.268434347] # podman pod rm -t 0 --all --force --ignore
# [13:09:18.297378468] # podman rm -t 0 --all --force --ignore
# [13:09:18.322649795] # podman network prune --force
# [13:09:18.347727318] # podman volume rm -a -f
ok 4 podman selinux: init container
ok 5 podman selinux: init container with --security-opt type
ok 6 podman selinux: init container with --security-opt level&type
ok 7 podman selinux: init container with --security-opt level
not ok 8 podman selinux: pid=host
# (from function `is' in file /usr/share/podman/test/system/helpers.bash, line 731,
#  from function `check_label' in file /usr/share/podman/test/system/410-selinux.bats, line 23,
#  in test file /usr/share/podman/test/system/410-selinux.bats, line 74)
#   `check_label "--pid=host" "spc_t"' failed
# [13:09:20.932183074] # podman rm -t 0 --all --force --ignore
# [13:09:20.961507012] # podman ps --all --external --format {{.ID}} {{.Names}}
# [13:09:20.990596186] # podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
# [13:09:21.019109040] quay.io/libpod/testimage:20221018 f5a99120db64
# [13:09:21.030905538] # podman run --rm --pid=host quay.io/libpod/testimage:20221018 cat -v /proc/self/attr/current
# [13:09:21.386675856] unconfined_u:unconfined_r:spc_t:s0^@
# #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# #|     FAIL: SELinux role should always be system_r
# #| expected: '.*_u:system_r:.*' (using expr)
# #|   actual: 'unconfined_u:unconfined_r:spc_t:s0^@'
# #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# # [teardown]
# [13:09:21.401253684] # podman pod rm -t 0 --all --force --ignore
# [13:09:21.427532018] # podman rm -t 0 --all --force --ignore
# [13:09:21.451293408] # podman network prune --force
# [13:09:21.476004405] # podman volume rm -a -f
ok 9 podman selinux: container with overridden range
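
The role assertion that fails in the log above, as an added shell example (not part of the original thread and not podman's own `check_label` helper). The function names, the default expected role and the second sample context are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate an SELinux process context as printed by
# `cat -v /proc/self/attr/current`, where the kernel's trailing NUL
# byte is rendered as the two characters "^@".

# parse_context CONTEXT -> sets CTX_USER, CTX_ROLE, CTX_TYPE, CTX_LEVEL
# Returns 2 if the string does not have at least user:role:type.
parse_context() {
    ctx=${1%'^@'}                 # drop the cat -v rendering of the NUL
    case $ctx in
        *:*:*) ;;
        *) return 2 ;;
    esac
    CTX_USER=${ctx%%:*};  rest=${ctx#*:}
    CTX_ROLE=${rest%%:*}; rest=${rest#*:}
    CTX_TYPE=${rest%%:*}
    # The MLS/MCS level can itself contain ':' (e.g. s0:c1,c2), so keep
    # everything after the type as one field instead of splitting again.
    case $rest in
        *:*) CTX_LEVEL=${rest#*:} ;;
        *)   CTX_LEVEL= ;;
    esac
}

# check_label CONTEXT EXPECTED_TYPE [EXPECTED_ROLE]
# Returns 0 on match, 1 on role/type mismatch, 2 on a malformed context.
check_label() {
    parse_context "$1" || { echo "malformed context: $1"; return 2; }
    want_role=${3:-system_r}      # assumption: system_r, as the log expects
    rc=0
    [ "$CTX_ROLE" = "$want_role" ] ||
        { echo "FAIL role: got '$CTX_ROLE', expected '$want_role'"; rc=1; }
    [ "$CTX_TYPE" = "$2" ] ||
        { echo "FAIL type: got '$CTX_TYPE', expected '$2'"; rc=1; }
    return $rc
}

# Samples as "context|expected type": the first is the context from the
# log above, the second is constructed for this example.
for sample in \
    'unconfined_u:unconfined_r:spc_t:s0^@|spc_t' \
    'system_u:system_r:container_t:s0:c57,c902^@|container_t'
do
    if check_label "${sample%|*}" "${sample#*|}"; then
        echo "ok: ${sample%|*}"
    fi
done
```
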

rhatdan commented 1 year ago

This is a chicken and egg scenario. Need to get container-selinux updated, so we can get podman PR merged, to handle this change.

rhatdan commented 1 year ago

https://github.com/containers/podman/pull/18439

lsm5 commented 1 year ago

Thanks a lot @nforro.