Merge pull request #208 from lsm5/Makefile-and-packit-updates

Makefile and packit updates
containers · Mar 6, 2023 · 75f7d29 · 75f7d29
2 parents 1c4fffa + 4f3b18b
commit 75f7d29
Show file tree

Hide file tree

Showing 4 changed files with 150 additions and 39 deletions.
diff --git a/.packit.sh b/.packit.sh
@@ -14,14 +14,14 @@ git archive --prefix=container-selinux-$HEAD_VERSION/ -o container-selinux-$HEAD
 
 # RPM Spec modifications
 
-# Fix Version
+# Update Version in spec with Version from container.te
 sed -i "s/^Version:.*/Version: $HEAD_VERSION/" container-selinux.spec
 
-# Fix Release
+# Update Release in spec with Packit's release envvar
 sed -i "s/^Release: %autorelease/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" container-selinux.spec
 
-# Fix Source0
-sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-$HEAD_VERSION.tar.gz/" container-selinux.spec
+# Update Source tarball name in spec
+sed -i "s/^Source:.*.tar.gz/Source: %{name}-$HEAD_VERSION.tar.gz/" container-selinux.spec
 
-# Fix autosetup
-sed -i "s/^%autosetup.*/%autosetup -Sgit -n %{name}-$HEAD_VERSION/" container-selinux.spec
+# Update setup macro to use the correct build dir
+sed -i "s/^%setup.*/%autosetup -Sgit -n %{name}-$HEAD_VERSION/" container-selinux.spec
diff --git a/.packit.yaml b/.packit.yaml
@@ -1,38 +1,23 @@
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
 
-upstream_package_name: container-selinux
-downstream_package_name: container-selinux
+# Build targets can be found at:
+# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
+
+specfile_path: container-selinux.spec
 
 jobs:
   - job: copr_build
     # Run on every PR
     trigger: pull_request
-    # Defaults to x86_64 unless architecture is explicitly specified
-    targets:
-      - fedora-rawhide
-    actions:
-      post-upstream-clone:
-        - "curl -O https://src.fedoraproject.org/rpms/container-selinux/raw/rawhide/f/container-selinux.spec"
-      fix-spec-file:
-        - bash .packit.sh
-
-  - job: copr_build
-    trigger: pull_request
-    targets:
-      - fedora-37
-    actions:
-      post-upstream-clone:
-        - "curl -O https://src.fedoraproject.org/rpms/container-selinux/raw/f37/f/container-selinux.spec"
-      fix-spec-file:
-        - bash .packit.sh
-
-  - job: copr_build
-    trigger: pull_request
-    targets:
-      - fedora-36
+    owner: rhcontainerbot
+    project: packit-builds
+    enable_net: true
+    srpm_build_deps:
+      - make
+      - rpkg
     actions:
       post-upstream-clone:
-        - "curl -O https://src.fedoraproject.org/rpms/container-selinux/raw/f36/f/container-selinux.spec"
+        - rpkg spec --outdir ./
       fix-spec-file:
         - bash .packit.sh
diff --git a/Makefile b/Makefile
@@ -1,6 +1,9 @@
-TARGETS?=container
-MODULES?=${TARGETS:=.pp.bz2}
-SHAREDIR?=/usr/share
+TARGETS ?= container
+MODULES ?= ${TARGETS:=.pp.bz2}
+# DATADIR seems to be the more commonly used variable
+# Point SHAREDIR to DATADIR by default to not break existing users
+DATADIR ?= /usr/share
+SHAREDIR ?= ${DATADIR}
 
 all: ${TARGETS:=.pp.bz2}
 
@@ -22,7 +25,11 @@ install-policy: all
 	semodule -i ${TARGETS}.pp.bz2
 
 install: man
-	install -D -m 644 ${TARGETS}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/container.pp.bz2
-	install -D -m 644 container.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/container.if
-	install -D -m 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
-	install -D -m 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/continer_contexts
+	install -D -pm 644 ${TARGETS}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/container.pp.bz2
+	install -D -pm 644 container.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/container.if
+	install -D -pm 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
+	install -D -pm 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/selinux/contexts
+
+install.udica-templates:
+	install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
+	install -pm 644 udica-templates/*.cil $(DESTDIR)$(SHAREDIR)/udica/templates
diff --git a/container-selinux.spec.rpkg b/container-selinux.spec.rpkg
@@ -0,0 +1,119 @@
+# For automatic rebuilds in COPR
+
+# The following tag is to get correct syntax highlighting for this file in vim text editor
+# vim: syntax=spec
+
+%global debug_package %{nil}
+
+# container-selinux stuff (prefix with ds_ for version/release etc.)
+# Some bits borrowed from the openstack-selinux package
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames container
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+Name: {{{ git_dir_name }}}
+Epoch: 101
+Version: {{{ git_dir_version }}}
+Release: 1%{?dist}
+License: GPLv2
+URL: https://github.com/containers/container-selinux
+Summary: SELinux policies for container runtimes
+VCS: {{{ git_dir_vcs }}}
+Source: {{{ git_dir_pack }}}
+BuildArch: noarch
+BuildRequires: make
+BuildRequires: git-core
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy >= %_selinux_policy_version
+BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+# RE: rhbz#1195804 - ensure min NVR for selinux-policy
+Requires: selinux-policy >= %_selinux_policy_version
+Requires(post): selinux-policy-base >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): policycoreutils
+Requires(post): libselinux-utils
+Requires(post): sed
+Obsoletes: %{name} <= 2:1.12.5-13
+Obsoletes: docker-selinux <= 2:1.12.4-28
+Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release}
+Conflicts: udica < 0.2.6-1
+Conflicts: k3s-selinux <= 0.4-1
+
+%description
+SELinux policy modules for use with container runtimes.
+
+%prep
+{{{ git_dir_setup_macro }}}
+%if ! 0%{?fedora} && 0%{?rhel} <= 8
+sed -i 's/watch watch_reads//' container.if
+sed -i '/systemd_chat_resolved/d' container.te
+%endif
+
+sed -i 's/man: install-policy/man:/' Makefile
+sed -i 's/install: man/install:/' Makefile
+
+# https://github.com/containers/container-selinux/issues/203
+%if 0%{?fedora} <= 37
+sed -i '/user_namespace/d' container.te
+%endif
+
+%build
+make
+
+%install
+# install policy modules
+%_format MODULES $x.pp.bz2
+%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates
+
+%check
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+# Install all modules in a single transaction
+if [ $1 -eq 1 ]; then
+   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
+fi
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
+%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
+matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ]; then
+   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%doc README.md
+%{_datadir}/selinux/*
+%{_mandir}/man8/*
+%dir %{_datadir}/containers/selinux
+%{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica/templates/
+%{_datadir}/udica/templates/*
+
+%triggerpostun -- container-selinux < 2:2.162.1-3
+if %{_sbindir}/selinuxenabled ; then
+    echo "Fixing Rootless SELinux labels in homedir"
+    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null
+fi
+
+%changelog
+{{{ git_dir_changelog }}}