Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-08-15 09:57:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Aug 15 09:57:36 2024 rev:70 rq:1193871 version:20240814

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-08-10 19:06:25.842370339 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.7232/selinux-policy.changes  
2024-08-15 09:57:42.725431423 +0200
@@ -1,0 +2,49 @@
+Wed Aug 14 12:11:13 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240814:
+  * Dontaudit dac_override of fstab generator (bsc#1229127)
+
+-------------------------------------------------------------------
+Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu <cathy...@suse.com>
+
+- Drop varrun-convert.sh script as it causes issues with
+  container-selinux update (bsc#1228951)
+
+-------------------------------------------------------------------
+Mon Aug 12 15:30:47 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240812:
+  * Update libvirt policy
+  * Add port 80/udp and 443/udp to http_port_t definition
+  * Additional updates stalld policy for bpf usage
+  * Label systemd-pcrextend and systemd-pcrlock properly
+  * Allow coreos_installer_t work with partitions
+  * Revert "Allow coreos-installer-generator work with partitions"
+  * Add policy for systemd-pcrextend
+  * Update policy for systemd-getty-generator
+  * Allow ip command write to ipsec's logs
+  * Allow virt_driver_domain read virtd-lxc files in /proc
+  * Revert "Allow svirt read virtqemud fifo files"
+  * Update virtqemud policy for libguestfs usage
+  * Allow virtproxyd create and use its private tmp files
+  * Allow virtproxyd read network state
+  * Allow virt_driver_domain create and use log files in /var/log
+  * Allow samba-dcerpcd work with ctdb cluster
+  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
+  * Allow setroubleshootd execute sendmail with a domain transition
+  * Allow key.dns_resolve set attributes on the kernel key ring
+  * Update qatlib policy for v24.02 with new features
+  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
+  * Allow tlp status power services
+  * Allow virtqemud domain transition on passt execution
+  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
+  * Allow boothd connect to systemd-userdbd over a unix socket
+  * Update policy for awstats scripts
+  * Allow bitlbee execute generic programs in system bin directories
+  * Allow login_userdomain read aliases file
+  * Allow login_userdomain read ipsec config files
+  * Allow login_userdomain read all pid files
+  * Allow rsyslog read systemd-logind session files
+  * Allow libvirt-dbus stream connect to virtlxcd
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20240809.tar.xz
  varrun-convert.sh

New:
----
  selinux-policy-20240814.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.PgxxsG/_old  2024-08-15 09:57:43.497463734 +0200
+++ /var/tmp/diff_new_pack.PgxxsG/_new  2024-08-15 09:57:43.497463734 +0200
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240809
+Version:        20240814
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -61,9 +61,6 @@
 Source31:       setrans-mls.conf
 Source32:       setrans-minimum.conf
 
-# Script to convert /var/run file context entries to /run
-Source37:       varrun-convert.sh
-
 Source40:       securetty_types-targeted
 Source41:       securetty_types-mls
 Source42:       securetty_types-minimum
@@ -221,7 +218,6 @@
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
-%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
 %verify(not md5 size mtime) 
%{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil
 
@@ -258,7 +254,6 @@
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-%{_libexecdir}/selinux/varrun-convert.sh %2; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
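Review bot: Removing the `varrun-convert.sh` call from `%postInstall` drops the only step that managed the `extra_varrun` module, but a host that already ran a previous release may still carry it under `%{_sharedstatedir}/selinux/%2/active/modules/400/extra_varrun`, a path this same change stops tracking as `%ghost`, so it becomes an unowned module that nothing ever removes. If the intent of the bsc#1228951 fix is for that module to disappear rather than merely stop being shipped, a guarded cleanup before the rebuild check would do it: `if [ -d %{_sharedstatedir}/selinux/%2/active/modules/400/extra_varrun ]; then /usr/sbin/semodule -n -s %2 -r extra_varrun || :; fi \`. If leaving the stale module in place is deliberate, a one-line comment saying so would save the next maintainer the same question. The `%postInstall` macro continues past the end of this hunk.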
@@ -315,7 +310,6 @@
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
-%{_libexecdir}/selinux/varrun-convert.sh
 
 %package sandbox
 Summary:        SELinux policy sandbox
@@ -383,9 +377,6 @@
  cp $i selinux_config
 done
 
-mkdir -p %{buildroot}%{_libexecdir}/selinux
-install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.PgxxsG/_old  2024-08-15 09:57:43.565466580 +0200
+++ /var/tmp/diff_new_pack.PgxxsG/_new  2024-08-15 09:57:43.569466747 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">02657ab47aa16a1ed9638b511b4ed12298f2352b</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">e9e6076cfc96d33de1645e596ab0061c755c95b2</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>


++++++ selinux-policy-20240809.tar.xz -> selinux-policy-20240814.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/awstats.if 
new/selinux-policy-20240814/policy/modules/contrib/awstats.if
--- old/selinux-policy-20240809/policy/modules/contrib/awstats.if       
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/awstats.if       
2024-08-14 14:05:47.000000000 +0200
@@ -36,6 +36,25 @@
 
 ########################################
 ## <summary>
+##     Execute the awstats scripts in the awstats scripts domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`awstats_domtrans_script',`
+       gen_require(`
+               type awstats_script_t, awstats_script_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, awstats_script_exec_t, awstats_script_t)
+')
+
+########################################
+## <summary>
 ##     Execute awstats cgi scripts in the caller domain. (Deprecated)
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/awstats.te 
new/selinux-policy-20240814/policy/modules/contrib/awstats.te
--- old/selinux-policy-20240809/policy/modules/contrib/awstats.te       
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/awstats.te       
2024-08-14 14:05:47.000000000 +0200
@@ -41,7 +41,7 @@
 
 manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
 
-allow awstats_t { awstats_content_t  awstats_script_exec_t }:dir 
search_dir_perms;
+allow awstats_t { awstats_content_t  awstats_script_exec_t }:dir 
list_dir_perms;
 
 can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/bitlbee.te 
new/selinux-policy-20240814/policy/modules/contrib/bitlbee.te
--- old/selinux-policy-20240809/policy/modules/contrib/bitlbee.te       
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/bitlbee.te       
2024-08-14 14:05:47.000000000 +0200
@@ -78,6 +78,7 @@
 kernel_read_system_state(bitlbee_t)
 kernel_read_kernel_sysctls(bitlbee_t)
 
+corecmd_exec_bin(bitlbee_t)
 corecmd_exec_shell(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/boothd.te 
new/selinux-policy-20240814/policy/modules/contrib/boothd.te
--- old/selinux-policy-20240809/policy/modules/contrib/boothd.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/boothd.te        
2024-08-14 14:05:47.000000000 +0200
@@ -77,5 +77,9 @@
 ')
 
 optional_policy(`
+       systemd_userdbd_stream_connect(boothd_t)
+')
+
+optional_policy(`
        sysnet_read_config(boothd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/coreos_installer.te 
new/selinux-policy-20240814/policy/modules/contrib/coreos_installer.te
--- old/selinux-policy-20240809/policy/modules/contrib/coreos_installer.te      
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/coreos_installer.te      
2024-08-14 14:05:47.000000000 +0200
@@ -67,10 +67,18 @@
 ')
 
 optional_policy(`
+       lvm_read_config(coreos_installer_generator_t)
+')
+
+optional_policy(`
        miscfiles_read_localization(coreos_installer_t)
 ')
 
 optional_policy(`
+       raid_filetrans_named_content(coreos_installer_generator_t)
+')
+
+optional_policy(`
        sysnet_dns_name_resolve(coreos_installer_t)
 ')
 
@@ -117,14 +125,6 @@
 ')
 
 optional_policy(`
-       lvm_read_config(coreos_installer_generator_t)
-')
-
-optional_policy(`
-       raid_filetrans_named_content(coreos_installer_generator_t)
-')
-
-optional_policy(`
        sssd_read_public_files(coreos_installer_generator_t)
 ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/ctdb.if 
new/selinux-policy-20240814/policy/modules/contrib/ctdb.if
--- old/selinux-policy-20240809/policy/modules/contrib/ctdb.if  2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/ctdb.if  2024-08-14 
14:05:47.000000000 +0200
@@ -172,6 +172,25 @@
 
 ########################################
 ## <summary>
+##     Map ctdbd lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ctdbd_map_lib_files',`
+       gen_require(`
+               type ctdbd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       allow $1 ctdbd_var_lib_t:file map;
+')
+
+########################################
+## <summary>
 ##     Manage ctdbd lib files.
 ## </summary>
 ## <param name="domain">
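Review bot: `ctdbd_map_lib_files` grants only `map` on `ctdbd_var_lib_t:file`, yet an mmap() of a file is also checked for `read` (and `write` for writable shared mappings), so a caller that has nothing beyond this interface will still be denied. Either make the interface self-sufficient, `read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)` next to the `map` rule, or state the contract in the summary, e.g. `## Map ctdbd lib files. Callers must also have read access (see the read/manage lib-files interfaces).` The samba.te hunk that calls this for `winbind_rpcd_t` does not show a matching read rule, so I cannot confirm from this diff that the combined policy actually works.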
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/keyutils.te 
new/selinux-policy-20240814/policy/modules/contrib/keyutils.te
--- old/selinux-policy-20240809/policy/modules/contrib/keyutils.te      
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/keyutils.te      
2024-08-14 14:05:47.000000000 +0200
@@ -42,6 +42,7 @@
 
 kernel_read_key(keyutils_dns_resolver_t)
 kernel_view_key(keyutils_dns_resolver_t)
+kernel_setattr_key(keyutils_dns_resolver_t)
 
 init_search_pid_dirs(keyutils_dns_resolver_t)
 sysnet_read_config(keyutils_dns_resolver_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/logrotate.te 
new/selinux-policy-20240814/policy/modules/contrib/logrotate.te
--- old/selinux-policy-20240809/policy/modules/contrib/logrotate.te     
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/logrotate.te     
2024-08-14 14:05:47.000000000 +0200
@@ -245,6 +245,7 @@
 
 optional_policy(`
        awstats_domtrans(logrotate_t)
+       awstats_domtrans_script(logrotate_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/networkmanager.te 
new/selinux-policy-20240814/policy/modules/contrib/networkmanager.te
--- old/selinux-policy-20240809/policy/modules/contrib/networkmanager.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/networkmanager.te        
2024-08-14 14:05:47.000000000 +0200
@@ -593,6 +593,8 @@
 allow NetworkManager_dispatcher_tlp_t self:unix_dgram_socket { 
create_socket_perms sendto };
 allow NetworkManager_dispatcher_custom_t self:unix_dgram_socket { 
create_socket_perms sendto };
 
+allow NetworkManager_dispatcher_t networkmanager_dispatcher_plugin:process 
sigkill;
+
 allow NetworkManager_dispatcher_t NetworkManager_unit_file_t:file getattr;
 allow NetworkManager_dispatcher_cloud_t NetworkManager_unit_file_t:file 
getattr;
 allow NetworkManager_dispatcher_cloud_t NetworkManager_unit_file_t:service { 
start status stop };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/qatlib.te 
new/selinux-policy-20240814/policy/modules/contrib/qatlib.te
--- old/selinux-policy-20240809/policy/modules/contrib/qatlib.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/qatlib.te        
2024-08-14 14:05:47.000000000 +0200
@@ -40,11 +40,14 @@
 kernel_load_module(qatlib_t)
 kernel_read_proc_files(qatlib_t)
 kernel_request_load_module(qatlib_t)
+kernel_stream_connect(qatlib_t)
 
 corecmd_exec_shell(qatlib_t)
 corecmd_exec_bin(qatlib_t)
 
 dev_create_sysfs_files(qatlib_t)
+dev_getattr_generic_chr_files(qatlib_t)
+
 dev_rw_sysfs(qatlib_t)
 dev_rw_vfio_dev(qatlib_t)
 dev_setattr_vfio_dev(qatlib_t)
@@ -59,6 +62,10 @@
 ')
 
 optional_policy(`
+       gnome_read_generic_cache_files(qatlib_t)
+')
+
+optional_policy(`
        miscfiles_read_hwdata(qatlib_t)
        miscfiles_read_localization(qatlib_t)
 ')
@@ -75,5 +82,5 @@
 
 optional_policy(`
        systemd_search_unit_dirs(qatlib_t)
+       systemd_userdbd_stream_connect(qatlib_t)
 ')
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/samba.te 
new/selinux-policy-20240814/policy/modules/contrib/samba.te
--- old/selinux-policy-20240809/policy/modules/contrib/samba.te 2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/samba.te 2024-08-14 
14:05:47.000000000 +0200
@@ -1263,6 +1263,11 @@
 ')
 
 optional_policy(`
+       ctdbd_stream_connect(winbind_rpcd_t)
+       ctdbd_map_lib_files(winbind_rpcd_t)
+')
+
+optional_policy(`
        cups_read_config(winbind_rpcd_t)
        cups_stream_connect(winbind_rpcd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/setroubleshoot.te 
new/selinux-policy-20240814/policy/modules/contrib/setroubleshoot.te
--- old/selinux-policy-20240809/policy/modules/contrib/setroubleshoot.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/setroubleshoot.te        
2024-08-14 14:05:47.000000000 +0200
@@ -195,6 +195,10 @@
        rpm_use_script_fds(setroubleshootd_t)
 ')
 
+optional_policy(`
+       sendmail_domtrans(setroubleshootd_t)
+')
+
 ########################################
 #
 # setroubleshoot_fixit local policy
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/stalld.te 
new/selinux-policy-20240814/policy/modules/contrib/stalld.te
--- old/selinux-policy-20240809/policy/modules/contrib/stalld.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/stalld.te        
2024-08-14 14:05:47.000000000 +0200
@@ -21,8 +21,10 @@
 #
 allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow stalld_t self:capability { sys_nice sys_resource };
+allow stalld_t self:capability2 { bpf perfmon };
 allow stalld_t self:process { fork setsched setrlimit };
 allow stalld_t self:fifo_file rw_fifo_file_perms;
+allow stalld_t self:process setrlimit;
 allow stalld_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(stalld_t, stalld_var_run_t, stalld_var_run_t)
@@ -44,6 +46,8 @@
 
 files_read_etc_files(stalld_t)
 
+fs_list_bpf_dirs(stalld_t)
+
 selinux_read_security_files(stalld_t)
 
 logging_send_syslog_msg(stalld_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/tlp.te 
new/selinux-policy-20240814/policy/modules/contrib/tlp.te
--- old/selinux-policy-20240809/policy/modules/contrib/tlp.te   2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/tlp.te   2024-08-14 
14:05:47.000000000 +0200
@@ -111,6 +111,7 @@
        systemd_exec_systemctl(tlp_t)
        systemd_read_unit_files(tlp_t)
        systemd_search_unit_dirs(tlp_t)
+       systemd_status_power_services(tlp_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/virt.fc 
new/selinux-policy-20240814/policy/modules/contrib/virt.fc
--- old/selinux-policy-20240809/policy/modules/contrib/virt.fc  2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/virt.fc  2024-08-14 
14:05:47.000000000 +0200
@@ -48,7 +48,16 @@
 /var/lib/libvirt/lockd(/.*)?           
gen_context(system_u:object_r:virt_var_lockd_t,s0)
 /var/lib/libvirt/qemu(/.*)?            
gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
-/var/log/libvirt(/.*)?                         
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)?                 
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtinterfaced.log    --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtnetworkd.log      --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtnodedevd.log      --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtnwfilterd.log     --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtproxyd.log                --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtqemud.log         --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtsecretd.log       --      
gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/virtstoraged.log      --      
gen_context(system_u:object_r:virt_log_t,s0)
+
 /run/libvirtd\.pid                     --      
gen_context(system_u:object_r:virt_var_run_t,s0)
 # Use parentheses so that "interface" is not recognized as a keyword by M4
 /run/libvirt/interfac(e)(/.*)?         
gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/virt.if 
new/selinux-policy-20240814/policy/modules/contrib/virt.if
--- old/selinux-policy-20240809/policy/modules/contrib/virt.if  2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/virt.if  2024-08-14 
14:05:47.000000000 +0200
@@ -398,6 +398,24 @@
        allow $1 svirt_t:unix_stream_socket { getopt read setopt write };
 ')
 
+#######################################
+## <summary>
+##     Connect to lxc process over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_stream_connect_lxc',`
+       gen_require(`
+               type virtd_lxc_t, virt_lxc_var_run_t;
+       ')
+
+       stream_connect_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t, 
virtd_lxc_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow domain to attach to virt TUN devices
@@ -646,6 +664,25 @@
 ')
 
 ########################################
+## <summary>
+##     Manage virt pid sock files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_manage_pid_sock_files',`
+       gen_require(`
+               type virt_var_run_t;
+       ')
+
+       files_search_pids($1)
+       manage_sock_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
 ## <summary>
 ##     Create objects in the pid directory
 ##     with a private type with a type transition.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/contrib/virt.te 
new/selinux-policy-20240814/policy/modules/contrib/virt.te
--- old/selinux-policy-20240809/policy/modules/contrib/virt.te  2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/contrib/virt.te  2024-08-14 
14:05:47.000000000 +0200
@@ -306,6 +306,14 @@
 init_daemon_domain(virt_dbus_t, virt_dbus_exec_t)
 init_nnp_daemon_domain(virt_dbus_t)
 
+# common rules for virt_driver_domain;
+
+read_files_pattern(virt_driver_domain, virtd_lxc_t, virtd_lxc_t)
+
+optional_policy(`
+       systemd_userdbd_stream_connect(virt_driver_domain)
+')
+
 # virtinterfaced
 type virtinterfaced_t, virt_driver_domain;
 type virtinterfaced_exec_t, virt_driver_executable;
@@ -361,6 +369,9 @@
 virt_driver_template(virtproxyd_t)
 files_type(virtproxyd_t)
 
+type virtproxyd_tmp_t;
+files_tmp_file(virtproxyd_tmp_t)
+
 type virtproxyd_var_run_t, virt_driver_var_run;
 files_pid_file(virtproxyd_var_run_t)
 
@@ -483,7 +494,6 @@
 allow svirt_t virtlogd_t:unix_stream_socket connectto;
 
 allow svirt_t virtqemud_t:tun_socket attach_queue;
-allow svirt_t virtqemud_t:fifo_file read;
 allow svirt_t virtqemud_var_run_t:file write;
 
 read_files_pattern(svirt_t, virtqemud_t, virtqemud_t)
@@ -521,6 +531,10 @@
 allow svirt_tcg_t self:process { execmem execstack };
 allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
 
+allow svirt_tcg_t virtqemud_var_run_t: file write;
+
+read_files_pattern(svirt_tcg_t, virtqemud_t, virtqemud_t)
+
 kernel_read_vm_sysctls(svirt_tcg_t)
 
 corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -1267,7 +1281,8 @@
                virt_write_qemu_pid_files(passt_t)
                virt_create_qemu_pid_files(passt_t)
                virt_manage_qemu_pid_sock_files(passt_t)
-               virt_read_pid_files(passt_t)
+               virt_manage_pid_files(passt_t)
+               virt_manage_pid_sock_files(passt_t)
                virt_svirt_write_tmp(passt_t)
        ')
 ')
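Review bot: Replacing `virt_read_pid_files(passt_t)` with `virt_manage_pid_files(passt_t)` plus `virt_manage_pid_sock_files(passt_t)` lets passt create, unlink and rewrite any file or socket labelled `virt_var_run_t`, i.e. libvirt's shared runtime directory, not just its own artefacts. If passt only needs its pid/socket under a known path, a named file transition to a passt-private pid type would be narrower than manage on the shared type. At minimum a comment above the two calls stating which paths passt writes, so the width of this grant can be judged later, would help; the enclosing `optional_policy` block starts before this hunk.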
@@ -1861,6 +1876,12 @@
 # virt_driver_domain local policy (common rules)
 #
 
+manage_files_pattern(virt_driver_domain, virt_log_t, virt_log_t)
+
+optional_policy(`
+       logging_log_filetrans(virt_driver_domain, virt_log_t, file)
+')
+
 optional_policy(`
        policykit_dbus_chat(virt_driver_domain)
 ')
@@ -1981,7 +2002,10 @@
 corecmd_exec_bin(virtnodedevd_t)
 corecmd_exec_shell(virtnodedevd_t)
 
+dev_read_vfio_dev(virtnodedevd_t)
 dev_rw_mtrr(virtnodedevd_t)
+dev_rw_sysfs(virtnodedevd_t)
+dev_write_sysfs_dirs(virtnodedevd_t)
 
 files_map_var_lib_files(virtnodedevd_t)
 files_watch_etc_dirs(virtnodedevd_t)
@@ -1993,10 +2017,6 @@
 ')
 
 optional_policy(`
-       systemd_userdbd_stream_connect(virtnodedevd_t)
-')
-
-optional_policy(`
        udev_domtrans(virtnodedevd_t)
        udev_read_pid_files(virtnodedevd_t)
 ')
@@ -2052,6 +2072,9 @@
 allow virtproxyd_t virt_dbus_t:dir search_dir_perms;
 allow virtproxyd_t virt_dbus_t:file read_file_perms;
 
+manage_files_pattern(virtproxyd_t, virtproxyd_tmp_t, virtproxyd_tmp_t)
+files_tmp_filetrans(virtproxyd_t, virtproxyd_tmp_t, file)
+
 manage_dirs_pattern(virtproxyd_t, virt_var_run_t, virt_var_run_t)
 manage_dirs_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t)
 manage_files_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t)
@@ -2059,6 +2082,8 @@
 files_pid_filetrans(virtproxyd_t, virtproxyd_var_run_t, { dir file sock_file } 
)
 filetrans_pattern(virtproxyd_t, virt_var_run_t, virtproxyd_var_run_t, { file 
sock_file } )
 
+kernel_read_network_state(virtproxyd_t)
+
 corenet_tcp_bind_generic_node(virtproxyd_t)
 corenet_tcp_bind_virt_port(virtproxyd_t)
 
@@ -2068,16 +2093,12 @@
        dnsmasq_filetrans_named_content_fromdir(virtproxyd_t, 
virtproxyd_var_run_t)
 ')
 
-optional_policy(`
-       systemd_userdbd_stream_connect(virtproxyd_t)
-')
-
 #######################################
 #
 # virtqemud local policy
 #
 allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run 
};
-allow virtqemud_t self:capability { audit_write chown dac_override 
dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_chroot 
sys_ptrace sys_rawio };
+allow virtqemud_t self:capability { audit_write chown dac_override 
dac_read_search fowner fsetid kill net_admin setpcap setgid setuid sys_admin 
sys_chroot sys_ptrace sys_rawio sys_resource };
 allow virtqemud_t self:capability2 { bpf perfmon };
 allow virtqemud_t self:cap_userns kill;
 
@@ -2087,11 +2108,14 @@
 allow virtqemud_t self:tun_socket create;
 allow virtqemud_t self:udp_socket { connect create getattr };
 
+allow virtqemud_t qemu_var_run_t:dir relabelfrom;
+
 allow virtqemud_t svirt_t:process { getattr setsched signal signull transition 
};
 allow virtqemud_t svirt_t:unix_stream_socket { connectto 
create_stream_socket_perms };
 allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;
-
-allow virtqemud_t qemu_var_run_t:dir relabelfrom;
+allow virtqemud_t svirt_tcg_t: process { setsched signal signull transition };
+allow virtqemud_t svirt_tcg_t: unix_stream_socket { connectto 
create_stream_socket_perms };
+allow virtqemud_t svirt_tmpfs_t:file { map write };
 
 allow virtqemud_t virt_cache_t:file { relabelfrom relabelto };
 
@@ -2126,12 +2150,15 @@
 manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
 filetrans_pattern(virtqemud_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
 
+read_chr_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+setattr_chr_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 manage_fifo_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 read_files_pattern(virtqemud_t, svirt_t, svirt_t)
 read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
+read_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)
 
 manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t)
 
@@ -2149,6 +2176,7 @@
 read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t)
 
 kernel_io_uring_use(virtqemud_t)
+kernel_mount_proc(virtqemud_t)
 kernel_read_all_proc(virtqemud_t)
 kernel_read_network_state_symlinks(virtqemud_t)
 kernel_read_vm_sysctls(virtqemud_t)
@@ -2170,6 +2198,8 @@
 dev_rw_kvm(virtqemud_t)
 dev_rw_lvm_control(virtqemud_t)
 dev_rw_vhost(virtqemud_t)
+dev_setattr_urand(virtqemud_t)
+dev_unmount_fs(virtqemud_t)
 
 files_mounton_non_security(virtqemud_t)
 files_read_all_symlinks(virtqemud_t)
@@ -2198,13 +2228,11 @@
 init_stream_connect(virtqemud_t)
 init_stream_connect_script(virtqemud_t)
 
+selinux_compute_create_context(virtqemud_t)
+
 sysnet_exec_ifconfig(virtqemud_t)
 sysnet_manage_config(virtqemud_t)
 
-userdom_read_all_users_state(virtqemud_t)
-userdom_read_user_home_content_files(virtqemud_t)
-userdom_relabel_user_home_files(virtqemud_t)
-
 tunable_policy(`virtqemud_use_execmem',`
        allow virtqemud_t self:process { execmem execstack };
 ')
@@ -2226,6 +2254,10 @@
 ')
 
 optional_policy(`
+       passt_domtrans(virtqemud_t)
+')
+
+optional_policy(`
        policykit_dbus_chat(virtqemud_t)
 ')
 
@@ -2245,7 +2277,14 @@
 
 optional_policy(`
        systemd_dbus_chat_machined(virtqemud_t)
-       systemd_userdbd_stream_connect(virtqemud_t)
+')
+
+optional_policy(`
+       userdom_manage_tmp_files(virtqemud_t)
+       userdom_manage_tmp_sockets(virtqemud_t)
+       userdom_read_all_users_state(virtqemud_t)
+       userdom_read_user_home_content_files(virtqemud_t)
+       userdom_relabel_user_home_files(virtqemud_t)
 ')
 
 #######################################
@@ -2499,6 +2538,7 @@
 allow virt_dbus_t virtproxyd_t:unix_stream_socket connectto;
 allow virt_dbus_t virtqemud_t:unix_stream_socket connectto;
 allow virt_dbus_t virtqemud_var_run_t:sock_file write;
+virt_stream_connect_lxc(virt_dbus_t)
 
 kernel_read_proc_files(virt_dbus_t)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/kernel/corenetwork.te.in 
new/selinux-policy-20240814/policy/modules/kernel/corenetwork.te.in
--- old/selinux-policy-20240809/policy/modules/kernel/corenetwork.te.in 
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/kernel/corenetwork.te.in 
2024-08-14 14:05:47.000000000 +0200
@@ -193,7 +193,7 @@
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, 
tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, 
tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, 
tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, udp,80,s0, tcp,81,s0, tcp,443,s0, udp,443,s0, 
tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,9000,s0) #8443 is 
mod_nss default port
 network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, 
tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0)
 network_port(intermapper, tcp,8181,s0)
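Review bot: Adding `udp,80` and `udp,443` to `http` means every domain that already holds UDP permissions on `http_port_t` silently gains these two ports, and the only comment on the line still explains just the 8443/mod_nss case. Extend it so the reason survives, e.g. `#8443 is mod_nss default port; udp 80/443 for HTTP/3 (QUIC)`, assuming QUIC is indeed the motivation (the changelog entry does not say). The line also fixes the stray `tcp,9000, s0` spacing from the old version, which is a welcome side effect worth mentioning in the commit message.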
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/kernel/devices.if 
new/selinux-policy-20240814/policy/modules/kernel/devices.if
--- old/selinux-policy-20240809/policy/modules/kernel/devices.if        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/kernel/devices.if        
2024-08-14 14:05:47.000000000 +0200
@@ -110,6 +110,24 @@
 
 ########################################
 ## <summary>
+##     Unmount the device filesystems.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_unmount_fs',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:filesystem unmount;
+')
+
+########################################
+## <summary>
 ##     Mount a filesystem on /dev
 ## </summary>
 ## <param name="domain">
@@ -5426,6 +5444,24 @@
 ')
 
 ########################################
+## <summary>
+##      Allow set attributes of dev/urandom.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_setattr_urand',`
+        gen_require(`
+                type urandom_device_t;
+        ')
+
+       setattr_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
 ## <summary>
 ##     Getattr generic the USB devices.
 ## </summary>
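Review bot: `dev_setattr_urand` uses `device_t` as the directory type in `setattr_chr_files_pattern($1, device_t, urandom_device_t)`, but its gen_require declares only `urandom_device_t`; when the interface is expanded in another module the expansion references a type that module has not required, and only works if some other dev_ interface in that module happens to require `device_t`. The require block should read `type device_t, urandom_device_t;` as the other urandom interfaces in this file do. The new block is also indented with spaces where the surrounding lines use tabs (`##      Allow set`, `        gen_require(`), and the summary's `dev/urandom` is missing its leading slash.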
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/kernel/filesystem.if 
new/selinux-policy-20240814/policy/modules/kernel/filesystem.if
--- old/selinux-policy-20240809/policy/modules/kernel/filesystem.if     
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/kernel/filesystem.if     
2024-08-14 14:05:47.000000000 +0200
@@ -601,6 +601,26 @@
 
 ########################################
 ## <summary>
+##     List bpf directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_list_bpf_dirs',`
+       gen_require(`
+               type bpf_t;
+       ')
+
+       list_dirs_pattern($1, bpf_t, bpf_t)
+       fs_search_tmpfs($1)
+       dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##     Manage bpf directories.
 ## </summary>
 ## <param name="domain">
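Review bot: `fs_list_bpf_dirs` grants more than its summary states: besides `list_dirs_pattern($1, bpf_t, bpf_t)` it calls `fs_search_tmpfs($1)` and `dev_search_sysfs($1)`, so a caller also receives search on tmpfs and sysfs directories, presumably so the bpf mount under /sys/fs/bpf is reachable. The summary should say so, e.g. `## List bpf directories (also grants search on tmpfs and sysfs so the bpf mount is reachable).`, so that a reader choosing between this and `fs_manage_bpf_dirs` knows what the call implies.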
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/ipsec.if 
new/selinux-policy-20240814/policy/modules/system/ipsec.if
--- old/selinux-policy-20240809/policy/modules/system/ipsec.if  2024-08-09 
14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/ipsec.if  2024-08-14 
14:05:47.000000000 +0200
@@ -170,6 +170,25 @@
 
 ########################################
 ## <summary>
+##     Allow the specified domain to write to ipsec's log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ipsec_write_log',`
+       gen_require(`
+               type ipsec_log_t;
+       ')
+
+       logging_search_logs($1)
+       write_files_pattern($1, ipsec_log_t, ipsec_log_t)
+')
+
+########################################
+## <summary>
 ##     Execute the IPSEC management program in the caller domain.
 ## </summary>
 ## <param name="domain">
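Review bot: `ipsec_write_log` hands out `write` on `ipsec_log_t` files, which also lets the caller truncate or overwrite existing log content rather than only append to it; the consumer added in the sysnetwork.te hunk (`ipsec_write_log(ifconfig_t)`) is the ip command, for which append is most likely all that is needed. If the underlying denial was for `append`, an interface built on `append_files_pattern($1, ipsec_log_t, ipsec_log_t)` (named `ipsec_append_log`) would be the least-privilege form; if the tool really opens the log for write, a comment saying so on the rule would save the next reviewer the same question.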
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/logging.if 
new/selinux-policy-20240814/policy/modules/system/logging.if
--- old/selinux-policy-20240809/policy/modules/system/logging.if        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/logging.if        
2024-08-14 14:05:47.000000000 +0200
@@ -1809,6 +1809,24 @@
 
 #######################################
 ## <summary>
+##     Write to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_write_journal_files',`
+       gen_require(`
+               type syslogd_var_run_t;
+       ')
+
+       allow $1 syslogd_var_run_t:file { setattr write };
+')
+
+#######################################
+## <summary>
 ##     Watch the /run/log/journal directory.
 ## </summary>
 ## <param name="domain">
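Review bot: `logging_write_journal_files` grants `{ setattr write }` on `syslogd_var_run_t:file`, but its summary mentions only writing; `setattr` (changing mode, owner or timestamps of journal files) is a separate capability a caller may not expect from the name. Either document it, `## Write to and set attributes of files in /run/log/journal/ directory.`, or drop `setattr` if the consumer (`systemd_pcrextend_t` in the systemd.te hunk) only needs `write`. As a bare `allow` it also grants no search on the containing directory, unlike a `write_files_pattern`; worth confirming the consumer already reaches /run/log/journal by another rule.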
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/logging.te 
new/selinux-policy-20240814/policy/modules/system/logging.te
--- old/selinux-policy-20240809/policy/modules/system/logging.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/logging.te        
2024-08-14 14:05:47.000000000 +0200
@@ -777,6 +777,7 @@
        systemd_map_bootchart_tmpfs_files(syslogd_t)
        systemd_list_conf_dirs(syslogd_t)
        systemd_read_conf_files(syslogd_t)
+       systemd_read_logind_sessions_files(syslogd_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/sysnetwork.te 
new/selinux-policy-20240814/policy/modules/system/sysnetwork.te
--- old/selinux-policy-20240809/policy/modules/system/sysnetwork.te     
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/sysnetwork.te     
2024-08-14 14:05:47.000000000 +0200
@@ -479,6 +479,7 @@
 ')
 
 optional_policy(`
+       ipsec_write_log(ifconfig_t)
        ipsec_write_pid(ifconfig_t)
        ipsec_setcontext_default_spd(ifconfig_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/systemd.fc 
new/selinux-policy-20240814/policy/modules/system/systemd.fc
--- old/selinux-policy-20240809/policy/modules/system/systemd.fc        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/systemd.fc        
2024-08-14 14:05:47.000000000 +0200
@@ -59,6 +59,8 @@
 /usr/lib/systemd/systemd-mountwork     --      
gen_context(system_u:object_r:systemd_mountfsd_exec_t,s0)
 /usr/lib/systemd/systemd-nsresourced           --      
gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
 /usr/lib/systemd/systemd-nsresourcework                --      
gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-pcrextend             --      
gen_context(system_u:object_r:systemd_pcrextend_exec_t,s0)
+/usr/lib/systemd/systemd-pcrlock               --      
gen_context(system_u:object_r:systemd_pcrlock_exec_t,s0)
 /usr/lib/systemd/systemd-pstore                --      
gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill     --  
gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
 /usr/lib/systemd/systemd-socket-proxyd --      
gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
@@ -104,6 +106,7 @@
 /var/lib/systemd/pstore(/.*)?         
gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)?         
gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?                  
gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
+/var/lib/systemd/sleep(/.*)?           
gen_context(system_u:object_r:systemd_sleep_var_lib_t,s0)
 /var/lib/systemd/timesync(/.*)?                
gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0)
 /var/lib/private/systemd/journal-upload(/.*)?          
gen_context(system_u:object_r:systemd_journal_upload_var_lib_t,s0)
 /var/lib/private/systemd/timesync(/.*)?                
gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0)
@@ -119,7 +122,6 @@
 /run/systemd/default-hostname  --      
gen_context(system_u:object_r:hostname_etc_t,s0)
 
 /run/systemd/generator         -d      
gen_context(system_u:object_r:systemd_unit_file_t,s0)
-/run/systemd/generator/systemd-zram-setup@zram0\.service\.d(/.*)?      
gen_context(system_u:object_r:systemd_zram_generator_unit_file_t,s0)
 /run/systemd/generator/.+      <<none>>
 
 /run/systemd/io\.systemd\.NamespaceResource    -s      
gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
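Review bot: Removing the `/run/systemd/generator/systemd-zram-setup@zram0\.service\.d(/.*)?` entry leaves that path under the `<<none>>` rule on the next line, so a relabel will no longer assign `systemd_zram_generator_unit_file_t` there and the label depends entirely on a file transition at creation time, which is not visible in this diff. If such a transition exists the change is consistent; if the fc entry was what gave the drop-in its label, it will now inherit the generator directory's label. A line in the changelog saying why the entry was dropped would make this easier to audit later.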
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/systemd.te 
new/selinux-policy-20240814/policy/modules/system/systemd.te
--- old/selinux-policy-20240809/policy/modules/system/systemd.te        
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/systemd.te        
2024-08-14 14:05:47.000000000 +0200
@@ -268,6 +268,8 @@
 files_pid_file(systemd_userdbd_runtime_t)
 
 systemd_domain_template(systemd_sleep)
+type systemd_sleep_var_lib_t;
+files_type(systemd_sleep_var_lib_t)
 
 systemd_domain_template(systemd_pstore)
 type systemd_pstore_var_lib_t;
@@ -280,6 +282,9 @@
 
 systemd_domain_template(systemd_mountfsd)
 
+systemd_domain_template(systemd_pcrextend)
+systemd_domain_template(systemd_pcrlock)
+
 #######################################
 #
 # Systemd_logind local policy
@@ -1298,7 +1303,7 @@
 dev_write_kmsg(systemd_generator)
 
 dev_write_kmsg(systemd_generator)
-files_map_etc_files(systemd_generator)
+files_map_read_etc_files(systemd_generator)
 fs_getattr_all_fs(systemd_generator)
 fs_search_cgroup_dirs(systemd_generator)
 init_read_state(systemd_generator)
@@ -1333,10 +1338,14 @@
 ')
 
 ### getty generator
+dontaudit systemd_getty_generator_t self:capability dac_override;
 dev_read_sysfs(systemd_getty_generator_t)
-init_read_state(systemd_getty_generator_t)
 term_use_unallocated_ttys(systemd_getty_generator_t)
 
+optional_policy(`
+       userdom_use_user_ttys(systemd_getty_generator_t)
+')
+
 ### gpt generator
 allow systemd_gpt_generator_t self:capability sys_rawio;
 dontaudit systemd_gpt_generator_t self:capability sys_admin;
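Review bot: The new `dontaudit systemd_getty_generator_t self:capability dac_override;` silences a capability denial that is normally worth seeing, and nothing on the line says why the generator trips it; a short reason comment above it, e.g. `# probes ttys as root; dac_override is not needed, only noisy` with the bug reference if this is the bsc#1229127 change, would keep it from being copied elsewhere without thought. `userdom_use_user_ttys` also broadens the generator's tty access from unallocated ttys to user-owned ttys; confirm that read/write on user ttys was the denied access rather than a getattr that a narrower interface would cover.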
@@ -1781,6 +1790,8 @@
 
 allow systemd_sleep_t systemd_unit_file_t:service { start stop };
 
+manage_files_pattern(systemd_sleep_t, systemd_sleep_var_lib_t, 
systemd_sleep_var_lib_t)
+
 kernel_dgram_send(systemd_sleep_t)
 
 corecmd_exec_bin(systemd_sleep_t)
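Review bot: `manage_files_pattern(systemd_sleep_t, systemd_sleep_var_lib_t, systemd_sleep_var_lib_t)` covers files only; if systemd-sleep creates the `/var/lib/systemd/sleep` directory itself rather than relying on the new fc entry plus a relabel, a `manage_dirs_pattern` and a named file transition on the parent directory are needed as well, or the directory and its files will be created with the parent's label. Whether that happens cannot be told from the diff, so it is worth checking against the denial that motivated the new type.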
@@ -1884,3 +1895,16 @@
 
 init_named_pid_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, 
dir, "nsresource")
 init_named_pid_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, 
file, "io.systemd.NamespaceResource")
+
+########################################
+#
+# systemd_pcrextend and systemd_pcrlock local policy
+#
+
+permissive systemd_pcrextend_t;
+
+optional_policy(`
+       logging_write_journal_files(systemd_pcrextend_t)
+')
+
+permissive systemd_pcrlock_t;
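Review bot: Both new domains are declared permissive (`permissive systemd_pcrextend_t;`, `permissive systemd_pcrlock_t;`), so denials in them are only logged, and these are the tools that extend TPM PCRs and manage the pcrlock policy, a place where an unintended access going unenforced is easy to miss. A tracking comment next to each, e.g. `# TODO: drop permissive once the pcrextend/pcrlock policy is complete`, keeps the temporary state visible to whoever next touches the file. `logging_write_journal_files` is the only rule given to pcrextend here, so the permissive bit is presumably there to collect the rest of the access pattern first.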
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240809/policy/modules/system/userdomain.te 
new/selinux-policy-20240814/policy/modules/system/userdomain.te
--- old/selinux-policy-20240809/policy/modules/system/userdomain.te     
2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/userdomain.te     
2024-08-14 14:05:47.000000000 +0200
@@ -403,6 +403,7 @@
 files_map_read_var_files(login_userdomain)
 files_map_var_lib_files(login_userdomain)
 files_read_var_lib_symlinks(login_userdomain)
+files_read_all_pids(login_userdomain)
 files_watch_etc_dirs(login_userdomain)
 files_watch_etc_files(login_userdomain)
 files_watch_home(login_userdomain)
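Review bot: `files_read_all_pids(login_userdomain)` is a broad grant: it gives every login user domain read access to every pidfile-attributed runtime type under /run, not only the one whatever triggered this change needed. If the denial was for a specific daemon's runtime files, that daemon's own read-pid interface would be the least-privilege fix; if the broad grant is intended, a comment on the line naming the motivating access (`# needed for <reason>`) would help whoever later tries to tighten it.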
@@ -451,6 +452,10 @@
 ')
 
 optional_policy(`
+       ipsec_read_config(login_userdomain)
+')
+
+optional_policy(`
        gnome_exec_atspi(login_userdomain)
        gnome_watch_generic_data_home_dirs(login_userdomain)
        gnome_watch_home_config_dirs(login_userdomain)
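Review bot: `ipsec_read_config(login_userdomain)` lets every login user domain read the IPsec configuration, which is acceptable only if secrets are kept under a separate key-file type rather than the configuration type this interface exposes. Worth confirming against the interface definition in ipsec.if (outside this diff) that it does not also cover the key or secrets type before granting it to all users.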
@@ -463,6 +468,10 @@
 ')
 
 optional_policy(`
+       mta_read_aliases(login_userdomain)
+')
+
+optional_policy(`
        pkcs_tmpfs_named_filetrans(login_userdomain)
 ')
 
