Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-09-12 16:54:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.17570 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Sep 12 16:54:06 2024 rev:79 rq:1200261 version:20240912

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-09-10 21:12:23.883949470 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.17570/selinux-policy.changes 
2024-09-12 16:54:16.791668002 +0200
@@ -1,0 +2,16 @@
+Thu Sep 12 07:34:20 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240912:
+  * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs 
(bsc#1230011)
+  * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
+  * Initial policy for udev-trigger-generator (bsc#1230315)
+
+-------------------------------------------------------------------
+Tue Sep 10 13:33:53 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240910:
+  * Allow init_t mount syslog socket (bsc#1230134)
+  * Allow init_t create syslog files (bsc#1230134)
+  * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20240905.tar.xz

New:
----
  selinux-policy-20240912.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.VrvO9j/_old  2024-09-12 16:54:17.623702616 +0200
+++ /var/tmp/diff_new_pack.VrvO9j/_new  2024-09-12 16:54:17.623702616 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240905
+Version:        20240912
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.VrvO9j/_old  2024-09-12 16:54:17.699705778 +0200
+++ /var/tmp/diff_new_pack.VrvO9j/_new  2024-09-12 16:54:17.703705945 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">48af429a1e0c001269e8f1e0cf4f677e74cfce46</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">f8d70ad2b8a5d2628cd1ee881ccedbcebf189d3d</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>


++++++ selinux-policy-20240905.tar.xz -> selinux-policy-20240912.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240905/policy/modules/system/init.te 
new/selinux-policy-20240912/policy/modules/system/init.te
--- old/selinux-policy-20240905/policy/modules/system/init.te   2024-09-05 
16:10:07.000000000 +0200
+++ new/selinux-policy-20240912/policy/modules/system/init.te   2024-09-12 
09:33:00.000000000 +0200
@@ -397,6 +397,7 @@
 libs_rw_ld_so_cache(init_t)
 
 logging_create_devlog_dev(init_t)
+logging_create_journal_files(init_t)
 logging_send_syslog_msg(init_t)
 logging_send_audit_msgs(init_t)
 logging_manage_generic_logs(init_t)
@@ -404,6 +405,7 @@
 logging_relabel_devlog_dev(init_t)
 logging_manage_audit_config(init_t)
 logging_create_syslog_netlink_audit_socket(init_t)
+logging_mounton_syslog_pid_socket(init_t)
 logging_write_var_log_dirs(init_t)
 logging_manage_var_log_symlinks(init_t)
 logging_dgram_accept(init_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240905/policy/modules/system/logging.if 
new/selinux-policy-20240912/policy/modules/system/logging.if
--- old/selinux-policy-20240905/policy/modules/system/logging.if        
2024-09-05 16:10:07.000000000 +0200
+++ new/selinux-policy-20240912/policy/modules/system/logging.if        
2024-09-12 09:33:00.000000000 +0200
@@ -739,6 +739,24 @@
 
 ########################################
 ## <summary>
+##     Use the syslog pid sock_file as mount point.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_mounton_syslog_pid_socket',`
+       gen_require(`
+               type syslogd_var_run_t;
+       ')
+
+       allow $1 syslogd_var_run_t:sock_file mounton;
+')
+
+########################################
+## <summary>
 ##     Relabel the syslog pid sock_file.
 ## </summary>
 ## <param name="domain">
@@ -1790,6 +1808,24 @@
 ')
 
 #######################################
+## <summary>
+##     Create files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_create_journal_files',`
+       gen_require(`
+               type syslogd_var_run_t;
+       ')
+
+       allow $1 syslogd_var_run_t:file { create };
+')
+
+#######################################
 ## <summary>
 ##     Map files in /run/log/journal/ directory.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240905/policy/modules/system/systemd.fc 
new/selinux-policy-20240912/policy/modules/system/systemd.fc
--- old/selinux-policy-20240905/policy/modules/system/systemd.fc        
2024-09-05 16:10:07.000000000 +0200
+++ new/selinux-policy-20240912/policy/modules/system/systemd.fc        
2024-09-12 09:33:00.000000000 +0200
@@ -78,6 +78,7 @@
 /usr/lib/systemd/systemd-modules-load  --      
gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator     --      
gen_context(system_u:object_r:systemd_network_generator_exec_t,s0)
 
+/usr/lib/systemd/system-generators/btrfs-soft-reboot-generator --      
gen_context(system_u:object_r:systemd_btrfs_soft_reboot_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/growpart-generator.sh       --      
gen_context(system_u:object_r:systemd_growpart_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/ibft-rule-generator --      
gen_context(system_u:object_r:systemd_ibft_rule_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-bless-boot-generator        --      
gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
@@ -91,6 +92,7 @@
 /usr/lib/systemd/system-generators/status-mail-generator.sh    --      
gen_context(system_u:object_r:systemd_status_mail_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator      --      
gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-tpm2-generator      --      
gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/udev-trigger-generator      --      
gen_context(system_u:object_r:systemd_udev_trigger_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/zram-generator      --      
gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.+  --      
gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
 /usr/lib/systemd/zram-generator.conf   --      
gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240905/policy/modules/system/systemd.te 
new/selinux-policy-20240912/policy/modules/system/systemd.te
--- old/selinux-policy-20240905/policy/modules/system/systemd.te        
2024-09-05 16:10:07.000000000 +0200
+++ new/selinux-policy-20240912/policy/modules/system/systemd.te        
2024-09-12 09:33:00.000000000 +0200
@@ -195,6 +195,8 @@
 ### domains and file types for systemd generators
 # bless-boot-generator
 systemd_generator_template(systemd_bless_boot_generator)
+# btrfs-soft-reboot-generator
+systemd_generator_template(systemd_btrfs_soft_reboot_generator)
 # cryptsetup-generator
 systemd_generator_template(systemd_cryptsetup_generator)
 # debug-generator
@@ -219,6 +221,8 @@
 systemd_generator_template(systemd_sysv_generator)
 # tpm2-generator
 systemd_generator_template(systemd_tpm2_generator)
+# udev-trigger-generator
+systemd_generator_template(systemd_udev_trigger_generator)
 # zram-generator
 systemd_generator_template(systemd_zram_generator)
 type systemd_zram_generator_conf_t;
@@ -1319,6 +1323,11 @@
 ### bless-boot generator
 fs_read_efivarfs_files(systemd_bless_boot_generator_t)
 
+### systemd-btrfs-soft-reboot generator
+mount_read_pid_files(systemd_btrfs_soft_reboot_generator_t)
+
+permissive systemd_btrfs_soft_reboot_generator_t;
+
 ### cryptsetup generator
 manage_dirs_pattern(systemd_cryptsetup_generator_t, 
systemd_fstab_generator_unit_file_t, systemd_fstab_generator_unit_file_t)
 manage_files_pattern(systemd_cryptsetup_generator_t, 
systemd_fstab_generator_unit_file_t, systemd_fstab_generator_unit_file_t)
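Review bot: `permissive systemd_btrfs_soft_reboot_generator_t;` carries no comment saying why the new domain starts in permissive mode or when it is expected to leave it; the same applies to `permissive systemd_udev_trigger_generator_t;` in the later @@ -1448 hunk. The file already does this for systemd_zram_generator_t, so it is evidently the accepted pattern for an initial policy, but a one-line marker keeps the exception from becoming permanent, e.g. `# TODO(bsc#1230134): initial policy, drop permissive once denials have been collected`. While the domain is permissive, denials are still recorded as AVC audit events, which is what should drive the follow-up rules.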
@@ -1406,7 +1415,9 @@
 
 ### ibft-rule-generator (from open-iscsi package)
 corecmd_exec_bin(systemd_ibft_rule_generator_t)
+udev_create_rules_dir(systemd_ibft_rule_generator_t)
 udev_manage_rules_files(systemd_ibft_rule_generator_t)
+udev_named_filetrans_runtime_generated_rules(systemd_ibft_rule_generator_t)
 
 optional_policy(`
         # ignore #!/bin/bash reading passwd file
@@ -1448,6 +1459,19 @@
 ### tpm2 generator
 dev_list_sysfs(systemd_tpm2_generator_t)
 
+### udev trigger generator
+corecmd_exec_bin(systemd_udev_trigger_generator_t)
+
+dev_list_sysfs(systemd_udev_trigger_generator_t)
+dev_read_sysfs(systemd_udev_trigger_generator_t)
+
+optional_policy(`
+        # ignore #!/bin/bash reading passwd file
+        auth_dontaudit_read_passwd_file(systemd_udev_trigger_generator_t)
+')
+
+permissive systemd_udev_trigger_generator_t;
+
 ### zram generator
 allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file 
write_file_perms;
 permissive systemd_zram_generator_t;
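Review bot: The udev trigger generator rules grant sysfs access (`dev_list_sysfs` / `dev_read_sysfs`), whereas the changelog entry for bsc#1230315 in this submission says the generator is allowed to "list and read sysctls". sysfs (/sys) and sysctl (/proc/sys) are labelled and gated by different interfaces in this policy, so either the changelog wording is off or the domain is still missing its sysctl rules; if it is the latter, the `kernel_*_sysctls` family of interfaces is where to look, and if the former, the changelog line should say sysfs. A comment on the `dev_read_sysfs` line naming what the generator reads (presumably device attributes used to decide what to trigger) would make the intent verifiable from the policy alone.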
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240905/policy/modules/system/udev.if 
new/selinux-policy-20240912/policy/modules/system/udev.if
--- old/selinux-policy-20240905/policy/modules/system/udev.if   2024-09-05 
16:10:07.000000000 +0200
+++ new/selinux-policy-20240912/policy/modules/system/udev.if   2024-09-12 
09:33:00.000000000 +0200
@@ -172,6 +172,42 @@
 
 ########################################
 ## <summary>
+##     Create udev rules directory
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`udev_create_rules_dir',`
+       gen_require(`
+               type udev_rules_t;
+       ')
+
+       allow $1 udev_rules_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##     named filetrans from udev_var_run_t to udev_rules_t
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+interface(`udev_named_filetrans_runtime_generated_rules',`
+       gen_require(`
+               type udev_rules_t;
+               type udev_var_run_t;
+       ')
+
+       filetrans_pattern($1, udev_var_run_t, udev_rules_t, dir, "rules.d")
+')
+
+########################################
+## <summary>
 ##     Do not audit search of udev database directories.
 ## </summary>
 ## <param name="domain">
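Review bot: The doc block of `udev_named_filetrans_runtime_generated_rules` ends at `## </param>` and goes straight into `interface(`, while `udev_create_rules_dir` in the same hunk and the other interfaces in this file close the block with a bare `#` line first; add `#` after `## </param>` so the two new interfaces are documented the same way. Its `<summary>` also reads as a note to self — `named filetrans from udev_var_run_t to udev_rules_t` — rather than a description; something like `Create the "rules.d" directory under the udev runtime directory as udev_rules_t (named file transition).` matches the surrounding summaries. Separately, `udev_create_rules_dir` grants `create_dir_perms` on every udev_rules_t directory, not only the runtime one the filetrans targets; that may be intended, but the summary could say so.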
