File rancher-selinux.changes of Package rancher-selinux

-------------------------------------------------------------------
Fri Jul 04 17:56:19 UTC 2025 - RST Bot <security-rancher@suse.com>

- Update to version 0.2.production.1:
  * Add job to trigger OBS releases
  * To be removed: Disable existing release steps
  * Add watch context on dir
  * add prometheusSpec.maximumStartupDurationSecond to 60
    This fixes
    https://github.com/rancher/rancher-selinux/actions/runs/15209198874/job/42882707923
  * Fedora41: improve comments
  * microOS: consolidate gen_req and update container-selinux/selinux-policy versions
  * centos8: consolidate gen_req and update container-selinux/selinux-policy versions

-------------------------------------------------------------------
Sat Jun 07 04:50:00 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.7.production.1:
  * Add watch context on dir
  * add prometheusSpec.maximumStartupDurationSecond to 60
    This fixes
    https://github.com/rancher/rancher-selinux/actions/runs/15209198874/job/42882707923
  * Fedora41: improve comments
  * microOS: consolidate gen_req and update
    container-selinux/selinux-policy versions
  * centos8: consolidate gen_req and update
    container-selinux/selinux-policy versions
  * centos9: consolidate gen_req and update
    container-selinux/selinux-policy versions
  * Update support matrix
  * chore(deps): update actions/setup-go digest to d35c59a
  * Add coverage and support matrix
  * e2e: Increase kubectl timeouts and verification
    - Increase timeouts to 240s
    - Add kubectl wait --for=create node/$(hostname) --timeout=240s
    - Add rancher-webhook deployment creation verification through
      kubectl wait (create).
    - The above removes the need of `wait 180`, as we wait for the
      deployment to be created to use its name for querying
      rancher-webhook status.
  * Refactor: Consolidate gen_require statements for clarity
    - Allow rke_logreader_t socket binding (2020/tcp)
    - Allow rke_logreader_t container_log_t:file watch;
  * Add prometheus_node_export_t policy for fedora41
  * Replace Fedora37 by Fedora41
    - Remove Fedora37
    - Add Fedora41 image, limactl template, gh e2e matrix and
      hack/upload dir
    - Replace uname option to -m (print the machine hardware name)
      instead of -p (print the processor type)

-------------------------------------------------------------------
Fri Apr 18 19:24:05 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.6.production.1:
  * chore(deps): update github actions
  * chore(deps): pin dependencies
  * e2e: set selinux to true installRancherLogging and improve debug
  * policy: fix rke_logreader_t for centos8
  * build: add jq package for centos
  * policy: add prometheus_node_export_t policy for centos8
  * build: add amd64 arch for kubectl and fix ausearch/seinfo
    commands
  * e2e: Rancher Logging SELinux context validation
  * e2e: Rancher Monitoring SELinux context validation
  * build: add kubectl shasum verification and arch detection
  * Modified according to suggestion in issue #59
  * fix error SELinux is preventing /fluent-bit/bin/fluent-bit from
    listen access on the tcp_socket port None
  * Modified according to suggestion in issue #59
  * e2e: Increase timeouts
    To avoid intermittent failures, Rancher needs to be given enough
    time to trigger all its background processes, such as spawning
    Fleet and triggering different Helm operations.
  * Add rancher-monitoring for E2E
  * Remove centos7
    The upstream CentOS 7 is no longer supported and the code has
    now been removed.
  * e2e: Basic structure for testing
  * fix error SELinux is preventing /fluent-bit/bin/fluent-bit from
    listen access on the tcp_socket port None
  * Add initial Renovate configuration
  * Add prom_node_exporter_t support for MicroOs
  * Shorten and refine the policy for Prometheus Node Exporter
    The previous policy had a typo which did not embed the
    `prom_node_exporter_t` type in the container_domain.
    This made the policy longer than expected since all interfaces
    and allows required to be added manually. Having the
    `prom_node_exporter_t` as container_domain includes by default
    all reqs.
  * Add support for prometheus node-exporter container
    The Monitoring chart in Rancher can be used with SELinux enabled,
    however with the container-selinux policy installed the
    node-exporter container inherits container_t, which is not
    allowed to run several tasks.
    This commit adds a new type prom_node_exporter_t along with the
    required rules to allow node-exporter to run with least
    permissions.

-------------------------------------------------------------------
Thu Aug 01 11:18:46 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.production.1:
  * Revert "Fix secret path"
  * build: Fix secret path
  * build: Transition from GH secrets to Vault
  * build: Fix CentOS mirrorlist DNS failure

-------------------------------------------------------------------
Wed Feb 14 20:11:19 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.4.production.1:
  * build: Fixes AWS upload issue The AWS upload was failing with:
  * build: Fix version validation to support -rc
  * build: Publish artefacts to the GH release
  * build: Fix production sign process
  * build: Fix aws cli path
  * build: Transition release from drone to GHA
  * build: Refactor upload process
  * build: Refactor signing process
  * build: Add GHA for testing build process
  * build: Refactor repo-metadata
  * build: Consolidate into a single Dockerfile
  * build: Add %-build target
    This target groups all the subtargets needed to build a specific
    policy
  * build: Refactor versioning
  * build: Refactor build scripts

-------------------------------------------------------------------
Sun Jan  7 18:44:14 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- update to 0.3.production.1:
  * Add file watch permission from rke_logreader_t to
    container_var_lib_t by @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/38
  * Add Fedora / CoreOS 37 by @bbaumgartl in
    https://github.com/rancher/rancher-selinux/pull/13
  * Replace kubernetes_file_t with rke_etc_t for centos7 by
    @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/37
  * 32 watch permissions are required by fluentbit by @lopf in
    https://github.com/rancher/rancher-selinux/pull/33
  * Add CODEOWNERS by @macedogm in
    https://github.com/rancher/rancher-selinux/pull/15
  * Add initial Renovate configuration by @renovate-rancher in
    https://github.com/rancher/rancher-selinux/pull/16
  * Fix microos build by @cmurphy in
    https://github.com/rancher/rancher-selinux/pull/14
  * Update rancher/dapper Docker tag to v0.6.0 by @renovate-rancher
    in https://github.com/rancher/rancher-selinux/pull/17
  * Use CentOS stream8 instead of centos:8 by @macedogm in
    https://github.com/rancher/rancher-selinux/pull/19
  * Add centos9 support to rancher-selinux by @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/20
  * Improve Centos9's rpms signing and upload by @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/21
  * Update gpg import with --batch and change expect prompt by
    @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/22
  * Remove use of expect/rpmmacros and configure --pinentry-mode by
    @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/23
  * Update pipeline and scripts for EL9 by @macedogm in
    https://github.com/rancher/rancher-selinux/pull/25
  * Add missing `s3://` prefix by @macedogm in
    https://github.com/rancher/rancher-selinux/pull/26
  * Create and upload repo metadata by @macedogm in
    https://github.com/rancher/rancher-selinux/pull/29
  * Backport pipeline improvements for EL7/8/MicroOS by
    @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/27
  * Fix MicroOS/Centos7 pipeline issues by @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/30
  * EL7 fix sign script's path by @andypitcher in
    https://github.com/rancher/rancher-selinux/pull/31

-------------------------------------------------------------------
Tue Mar 21 16:15:41 UTC 2023 - rbrown@suse.com

- Update to version 0.3-rc1.testing.1:
  * Dockerfile.centos8.dapper: point to vault.epel.cloud which is more reliable
  * add openSUSE/SLE MicroOS
  * Fix CentOS 8 Dapperfile after EOL
  * Add rke_kubereader_t to read kubernetes_file_t

-------------------------------------------------------------------
Wed Jan 26 11:55:12 UTC 2022 - Richard Brown <rbrown@suse.com>

- Add missing specfile license/copyright

-------------------------------------------------------------------
Mon Jan 10 07:37:40 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>

- create new package rancher-selinux
  - currently built on code from a PR to enable SUSE/openSUSE MicroOS:
    https://github.com/rancher/rancher-selinux/pull/10