support sles 15 with sle micro packages (#21)

* support for suse/opensuse systems
* use pre-defined selinux functions in rpm specs
* clean up dapper build files
* adjustments for upstream
  - get rid of extra space in %description
  - for centos/[7|8] set max version of container-selinux to 2.164.1
  - for microos set min version of container-selinux to 2.164.2
  - for microos comment file-contexts that overlap with container-selinx >= 2.164.2

Signed-off-by: Jacob Blain Christen <[email protected]>

Dockerfile.centos7.dapper

@@ -1,6 +1,7 @@
 FROM centos:7
 
-RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq 
+RUN yum install -y epel-release \
+ && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
 
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT ./dist

Dockerfile.centos8.dapper

@@ -1,6 +1,7 @@
 FROM centos:8
 
-RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq
+RUN yum install -y epel-release \
+ && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
 
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT ./dist

Dockerfile.microos.dapper

@@ -0,0 +1,11 @@
+ARG TUMBLEWEED=opensuse/tumbleweed
+FROM ${TUMBLEWEED}
+RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
+
+ENV DAPPER_SOURCE /source
+ENV DAPPER_OUTPUT ./dist
+ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
+ENV HOME ${DAPPER_SOURCE}
+WORKDIR ${DAPPER_SOURCE}
+
+ENTRYPOINT ["./policy/microos/scripts/entry"]

Makefile

@@ -1,5 +1,6 @@
 CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
 CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
+MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
 
 .dapper:
 	@echo Downloading dapper
@@ -14,4 +15,7 @@ $(CENTOS7_TARGETS): .dapper
 $(CENTOS8_TARGETS): .dapper
 	./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%)
 
+$(MICROOS_TARGETS): .dapper
+	./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)
+
 .PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS)

policy/centos7/k3s-selinux.spec

@@ -1,7 +1,7 @@
 # vim: sw=4:ts=4:et
 
 
-%define relabel_files() \
+%define k3s_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
@@ -31,17 +31,20 @@ URL:		http://k3s.io
 Source0:	k3s.pp
 Source1:	k3s.if
 
+BuildArch: noarch
+BuildRequires: container-selinux >= %{container_policyver}
+BuildRequires: container-selinux < 2:2.164.2
+BuildRequires: git
+BuildRequires: selinux-policy-devel
 
 Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}, container-selinux < 2:2.164.2
 Requires(postun): policycoreutils
 
 Conflicts: rke2-selinux
 
-BuildArch: noarch
-
 %description
-This package installs and sets up the  SELinux policy security module for k3s.
+This package installs and sets up the SELinux policy security module for k3s.
 
 %install
 install -d %{buildroot}%{_datadir}/selinux/packages
@@ -50,25 +53,23 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
 install -d %{buildroot}/etc/selinux/targeted/contexts/users/
 
+%pre
+%selinux_relabel_pre
 
 %post
-semodule -n -i %{_datadir}/selinux/packages/k3s.pp
+%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
-    %relabel_files
-
+    %k3s_relabel_files
 fi;
-exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
-    semodule -n -r k3s
-    if /usr/sbin/selinuxenabled ; then
-       /usr/sbin/load_policy
-
-    fi;
+    %selinux_modules_uninstall k3s
 fi;
-exit 0
+
+%posttrans
+%selinux_relabel_post
 
 %files
 %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp

policy/centos7/k3s.fc

@@ -1,20 +1,21 @@
 # vim: sw=8:ts=8:et
-/etc/systemd/system/k3s.*						--	gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/bin/k3s								--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/lib/systemd/system/k3s.*						--	gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/local/bin/k3s							--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/rancher/k3s(/.*)?							gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/rancher/k3s/data(/.*)?							gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/rancher/k3s/storage(/.*)?						gen_context(system_u:object_r:container_file_t,s0)
-#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots(/.*)?			gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots			-d	gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*		-d	gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*			<<none>>
-/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?			gen_context(system_u:object_r:container_share_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?				gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
-/var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
-/var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
+
+/etc/systemd/system/k3s.*                                       --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/k3s.*                                   --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/local/lib/systemd/system/k3s.*                             --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/local/s?bin/k3s                                            --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/k3s                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/cni(/.*)?                                                  gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pods(/.*)?                                         gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/rancher/k3s(/.*)?                                          gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots           -d  gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*     -d  gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*      <<none>>
+/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?         gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/data(/.*)?                                     gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/rancher/k3s/storage(/.*)?                                  gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)?                                           gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)?                                                 gen_context(system_u:object_r:container_log_t,s0)
+/var/run/flannel(/.*)?                                              gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?             gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)

policy/centos7/scripts/build

@@ -17,5 +17,8 @@ rpmbuild \
     --define "_rpmdir ${PWD}/dist" \
     -ba k3s-selinux.spec
 
+#yum install -y dist/noarch/k3s-selinux-*.rpm
+#semodule --disable k3s
+#yum remove k3s-selinux
 mkdir -p /source/dist/centos7
 cp -r dist/* /source/dist/centos7

policy/centos8/k3s-selinux.spec

@@ -1,7 +1,7 @@
 # vim: sw=4:ts=4:et
 
 
-%define relabel_files() \
+%define k3s_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
@@ -18,7 +18,7 @@ restorecon -R /var/run/flannel
 
 
 %define selinux_policyver 3.13.1-252
-%define container_policyver 2.124.0-1
+%define container_policyver 2.159.0-1
 
 Name:   k3s-selinux
 Version:	%{k3s_selinux_version}
@@ -31,17 +31,20 @@ URL:		http://k3s.io
 Source0:	k3s.pp
 Source1:	k3s.if
 
+BuildArch: noarch
+BuildRequires: container-selinux >= %{container_policyver}
+BuildRequires: container-selinux < 2:2.164.2
+BuildRequires: git
+BuildRequires: selinux-policy-devel
 
 Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}, container-selinux < 2:2.164.2
 Requires(postun): policycoreutils
 
 Conflicts: rke2-selinux
 
-BuildArch: noarch
-
 %description
-This package installs and sets up the  SELinux policy security module for k3s.
+This package installs and sets up the SELinux policy security module for k3s.
 
 %install
 install -d %{buildroot}%{_datadir}/selinux/packages
@@ -50,25 +53,23 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
 install -d %{buildroot}/etc/selinux/targeted/contexts/users/
 
+%pre
+%selinux_relabel_pre
 
 %post
-semodule -n -i %{_datadir}/selinux/packages/k3s.pp
+%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
-    %relabel_files
-
+    %k3s_relabel_files
 fi;
-exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
-    semodule -n -r k3s
-    if /usr/sbin/selinuxenabled ; then
-       /usr/sbin/load_policy
-
-    fi;
+    %selinux_modules_uninstall k3s
 fi;
-exit 0
+
+%posttrans
+%selinux_relabel_post
 
 %files
 %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp

policy/centos8/k3s.fc

@@ -1,20 +1,21 @@
 # vim: sw=8:ts=8:et
-/etc/systemd/system/k3s.*						--	gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/bin/k3s								--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/lib/systemd/system/k3s.*						--	gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/local/bin/k3s							--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/rancher/k3s(/.*)?							gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/rancher/k3s/data(/.*)?							gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/rancher/k3s/storage(/.*)?						gen_context(system_u:object_r:container_file_t,s0)
-#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots(/.*)?			gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots			-d	gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*		-d	gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*			<<none>>
-/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?			gen_context(system_u:object_r:container_share_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?				gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
-/var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
-/var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
+
+/etc/systemd/system/k3s.*                                       --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/k3s.*                                   --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/local/lib/systemd/system/k3s.*                             --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/local/s?bin/k3s                                            --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/k3s                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/cni(/.*)?                                                  gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pods(/.*)?                                         gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/rancher/k3s(/.*)?                                          gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots           -d  gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*     -d  gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*      <<none>>
+/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?         gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/data(/.*)?                                     gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/var/lib/rancher/k3s/storage(/.*)?                                  gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)?                                           gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)?                                                 gen_context(system_u:object_r:container_log_t,s0)
+/var/run/flannel(/.*)?                                              gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?             gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)

policy/centos8/scripts/build

@@ -17,5 +17,8 @@ rpmbuild \
     --define "_rpmdir ${PWD}/dist" \
     -ba k3s-selinux.spec
 
+#dnf install -y dist/noarch/k3s-selinux-*.rpm
+#semodule --disable k3s
+#dnf remove k3s-selinux
 mkdir -p /source/dist/centos8
 cp -r dist/* /source/dist/centos8

policy/microos/k3s-selinux.spec

@@ -0,0 +1,82 @@
+# vim: sw=4:ts=4:et
+
+
+%define k3s_relabel_files() \
+mkdir -p /var/lib/cni; \
+mkdir -p /var/lib/kubelet/pods; \
+mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
+mkdir -p /var/lib/rancher/k3s/data; \
+mkdir -p /var/run/flannel; \
+mkdir -p /var/run/k3s; \
+restorecon -R -i /etc/systemd/system/k3s.service; \
+restorecon -R -i /usr/lib/systemd/system/k3s.service; \
+restorecon -R /var/lib/cni; \
+restorecon -R /var/lib/kubelet; \
+restorecon -R /var/lib/rancher; \
+restorecon -R /var/run/k3s; \
+restorecon -R /var/run/flannel
+
+
+%define selinux_policyver 20210716-3.1
+%define container_policyver 2.164.2-1.1
+
+Name:   k3s-selinux
+Version:	%{k3s_selinux_version}
+Release:	%{k3s_selinux_release}.sle
+Summary:	SELinux policy module for k3s
+
+Group:	System Environment/Base		
+License:	ASL 2.0
+URL:		http://k3s.io
+Source0:	k3s.pp
+Source1:	k3s.if
+
+BuildArch: noarch
+BuildRequires: container-selinux >= %{container_policyver}
+BuildRequires: container-selinux < 2:2.164.2
+BuildRequires: git
+BuildRequires: selinux-policy-devel
+
+Requires: policycoreutils, selinux-tools
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(postun): policycoreutils
+
+Conflicts: rke2-selinux
+
+%description
+This package installs and sets up the SELinux policy security module for k3s.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+%pre
+%selinux_relabel_pre
+
+%post
+%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %k3s_relabel_files
+fi;
+
+%postun
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall k3s
+fi;
+
+%posttrans
+%selinux_relabel_post
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
+%{_datadir}/selinux/devel/include/contrib/k3s.if
+
+
+%changelog
+* Mon Feb 24 2020 Darren Shepherd <[email protected]> 1.0-1
+- Initial version
+

policy/microos/k3s.fc

@@ -0,0 +1,21 @@
+# vim: sw=8:ts=8:et
+
+/etc/systemd/system/k3s.*                                       --  gen_context(system_u:object_r:container_unit_file_t,s0)
+#/usr/lib/systemd/system/k3s.*                                   --  gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/local/lib/systemd/system/k3s.*                             --  gen_context(system_u:object_r:container_unit_file_t,s0)
+#/usr/local/s?bin/k3s                                            --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/usr/s?bin/k3s                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/var/lib/cni(/.*)?                                                  gen_context(system_u:object_r:container_var_lib_t,s0)
+#/var/lib/kubelet/pods(/.*)?                                         gen_context(system_u:object_r:container_file_t,s0)
+#/var/lib/rancher/k3s(/.*)?                                          gen_context(system_u:object_r:container_var_lib_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots           -d  gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*     -d  gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*      <<none>>
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?         gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/data(/.*)?                                     gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/var/lib/rancher/k3s/storage(/.*)?                                  gen_context(system_u:object_r:container_file_t,s0)
+#/var/log/containers(/.*)?                                           gen_context(system_u:object_r:container_log_t,s0)
+#/var/log/pods(/.*)?                                                 gen_context(system_u:object_r:container_log_t,s0)
+#/var/run/flannel(/.*)?                                              gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?             gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)