Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-07-17 17:17:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.8875 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Jul 17 17:17:46 2025 rev:120 rq:1293635 version:20250716

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-07-09 17:26:03.605685190 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.8875/selinux-policy.changes  
2025-07-17 17:18:23.438816883 +0200
@@ -1,0 +2,13 @@
+Wed Jul 16 08:17:57 UTC 2025 - Cathy Hu <cathy...@suse.com>
+
+- Update to version 20250716:
+  * Allow virtqemud_t use its private tmpfs files (bsc#1242998)
+  * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
+  * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
+  * Extend virtqemud_t tcp_socket permissions (bsc#1242998)
+  * Mark configfs_t as mountpoint (bsc#1246080)
+  * healthchecker: add proper optional_policy() guards
+  * Allow virtqemud_t to read and write generic pty (bsc#1242998)
+  * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250703.tar.xz

New:
----
  selinux-policy-20250716.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.geQhUN/_old  2025-07-17 17:18:24.270851486 +0200
+++ /var/tmp/diff_new_pack.geQhUN/_new  2025-07-17 17:18:24.274851651 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250703
+Version:        20250716
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.geQhUN/_old  2025-07-17 17:18:24.342854479 +0200
+++ /var/tmp/diff_new_pack.geQhUN/_new  2025-07-17 17:18:24.346854646 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">e6cb43eff1dbcc1c2327f6dcb680984ad0a88465</param></service></servicedata>
+              <param 
name="changesrevision">68c4038281d54812db3c49ccc4a84b84172a82c1</param></service></servicedata>
 (No newline at EOF)
 


++++++ selinux-policy-20250703.tar.xz -> selinux-policy-20250716.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/contrib/health-checker.te 
new/selinux-policy-20250716/policy/modules/contrib/health-checker.te
--- old/selinux-policy-20250703/policy/modules/contrib/health-checker.te        
2025-07-03 11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/contrib/health-checker.te        
2025-07-16 10:15:50.000000000 +0200
@@ -59,17 +59,26 @@
 dev_read_sysfs(health_checker_t)
 
 # permissions for health checker: rollback()
-## to execute 'mount'
-mount_exec(health_checker_t)
-mount_manage_pid_files(health_checker_t)
 ## mount accessing block device information 
 storage_getattr_fixed_disk_dev(health_checker_t)
 ## mount able to remount
 fs_remount_xattr_fs(health_checker_t)
+
+## to execute 'mount'
+optional_policy(`
+    mount_exec(health_checker_t)
+    mount_manage_pid_files(health_checker_t)
+')
+
 ## for 'systemctl reboot'
-dbus_connect_system_bus(health_checker_t)
-dbus_system_bus_client(health_checker_t)
-systemd_dbus_chat_logind(health_checker_t)
+optional_policy(`
+    dbus_connect_system_bus(health_checker_t)
+    dbus_system_bus_client(health_checker_t)
+    optional_policy(`
+        systemd_dbus_chat_logind(health_checker_t)
+    ')
+')
+
 ## for 'btrfs subvolume set-default ${LAST_WORKING_BTRFS_ID} /.snapshots'
 optional_policy(`
        snapper_select_boot_snapshot(health_checker_t)
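Review bot: The bodies of the two new optional_policy() blocks (`mount_exec`/`mount_manage_pid_files` and the dbus/logind group) appear to be indented with four spaces, whereas the existing optional_policy() block at the bottom of the hunk (`snapper_select_boot_snapshot`) uses the tab indent the rest of the file follows; if the mail rendering is faithful, those added lines should be re-indented with a tab. The inner optional_policy() around `systemd_dbus_chat_logind` is only needed if systemd is built as a loadable module in this policy; if it is part of base, the nested block is redundant and can be flattened into the dbus block. Leaving `storage_getattr_fixed_disk_dev` and `fs_remount_xattr_fs` unguarded is consistent, since kernel-layer modules are always in base. The final optional_policy() block continues past the end of the hunk.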
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/contrib/plymouthd.te 
new/selinux-policy-20250716/policy/modules/contrib/plymouthd.te
--- old/selinux-policy-20250703/policy/modules/contrib/plymouthd.te     
2025-07-03 11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/contrib/plymouthd.te     
2025-07-16 10:15:50.000000000 +0200
@@ -100,6 +100,10 @@
 term_use_unallocated_ttys(plymouthd_t)
 
 optional_policy(`
+       systemd_passwd_agent_read_proc_state(plymouthd_t)
+')
+
+optional_policy(`
        gnome_read_config(plymouthd_t)
 ')
 
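Review bot: The new `systemd_passwd_agent_read_proc_state(plymouthd_t)` optional_policy() block is inserted ahead of the existing gnome block, while refpolicy style keeps optional_policy() blocks sorted alphabetically by module prefix; moving it below the `gnome_read_config` block keeps that order and also makes the diff read as a plain addition instead of re-wrapping the gnome block. A short why-comment above the block would help the next reader, e.g. `# read process state of systemd_passwd_agent_t (bsc#1245470)`, since the reason is currently only in the changelog.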
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/contrib/virt.te 
new/selinux-policy-20250716/policy/modules/contrib/virt.te
--- old/selinux-policy-20250703/policy/modules/contrib/virt.te  2025-07-03 
11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/contrib/virt.te  2025-07-16 
10:15:50.000000000 +0200
@@ -403,6 +403,9 @@
 type virtqemud_tmp_t;
 files_tmp_file(virtqemud_tmp_t)
 
+type virtqemud_tmpfs_t;
+files_tmpfs_file(virtqemud_tmpfs_t)
+
 type virtqemud_var_run_t, virt_driver_var_run;
 files_pid_file(virtqemud_var_run_t)
 
@@ -2176,7 +2179,7 @@
 allow virtqemud_t self:cap_userns kill;
 allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
 allow virtqemud_t self:process { getpgid setcap setexec setrlimit setsched 
setsockcreate };
-allow virtqemud_t self:tcp_socket create_socket_perms;
+allow virtqemud_t self:tcp_socket create_stream_socket_perms;
 allow virtqemud_t self:tun_socket { create relabelfrom relabelto };
 allow virtqemud_t self:udp_socket { connect create_socket_perms };
 
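Review bot: Changing the line to `allow virtqemud_t self:tcp_socket create_stream_socket_perms;` widens the grant from the previous create/connect set to also include listen and accept, so virtqemud_t may now serve inbound TCP connections; that is a different exposure than the outbound-only rule it replaces and deserves a why-comment naming the use case, e.g. `# listen/accept on tcp sockets (bsc#1242998)`. Whether the daemon can actually bind a specific port depends on corenet_* rules outside this hunk, so the denial that motivated the change should be re-verified after this widening rather than assumed fixed. The `allow virtqemud_t self:process` context line above is wrapped by the mail and is not part of the change.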
@@ -2232,6 +2235,9 @@
 manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t)
 files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file})
 
+manage_files_pattern(virtqemud_t, virtqemud_tmpfs_t, virtqemud_tmpfs_t)
+fs_tmpfs_filetrans(virtqemud_t, virtqemud_tmpfs_t, file)
+
 manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
 manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
 manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
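Review bot: The new tmpfs rules cover regular files only (`manage_files_pattern` plus a `file`-only `fs_tmpfs_filetrans`), unlike the virtqemud_tmp_t rules right above, which also handle dirs and sock_files; if virtqemud ever creates a directory or socket on tmpfs it would keep the default tmpfs label instead of virtqemud_tmpfs_t, and the matching denials would look unrelated to this change. If files are all that is intended, a one-line comment such as `# private tmpfs files only (bsc#1242998)` would keep this from being read as an omission later.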
@@ -2296,6 +2302,7 @@
 dev_setattr_input_dev(virtqemud_t)
 dev_setattr_sev(virtqemud_t)
 dev_setattr_urand(virtqemud_t)
+dev_setattr_userfaultfd(virtqemud_t)
 dev_unmount_fs(virtqemud_t)
 
 files_mounton_non_security(virtqemud_t)
@@ -2341,6 +2348,9 @@
 sysnet_exec_ifconfig(virtqemud_t)
 sysnet_manage_config(virtqemud_t)
 
+term_use_generic_ptys(virtqemud_t)
+term_use_ptmx(virtqemud_t)
+
 tunable_policy(`virtqemud_use_execmem',`
        allow virtqemud_t self:process { execmem execstack };
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/kernel/devices.if 
new/selinux-policy-20250716/policy/modules/kernel/devices.if
--- old/selinux-policy-20250703/policy/modules/kernel/devices.if        
2025-07-03 11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/kernel/devices.if        
2025-07-16 10:15:50.000000000 +0200
@@ -5886,6 +5886,24 @@
        read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
 
+########################################
+## <summary>
+##     Setattr userfaultfd device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_setattr_userfaultfd',`
+       gen_require(`
+               type device_t, userfaultfd_device_t;
+       ')
+
+       setattr_chr_files_pattern($1, device_t, userfaultfd_device_t)
+')
+
 ######################################
 ## <summary>
 ##     Read and write userio device.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/kernel/filesystem.te 
new/selinux-policy-20250716/policy/modules/kernel/filesystem.te
--- old/selinux-policy-20250703/policy/modules/kernel/filesystem.te     
2025-07-03 11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/kernel/filesystem.te     
2025-07-16 10:15:50.000000000 +0200
@@ -113,6 +113,7 @@
 
 type configfs_t;
 fs_type(configfs_t)
+files_mountpoint(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
 type cpusetfs_t;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250703/policy/modules/system/systemd.if 
new/selinux-policy-20250716/policy/modules/system/systemd.if
--- old/selinux-policy-20250703/policy/modules/system/systemd.if        
2025-07-03 11:26:04.000000000 +0200
+++ new/selinux-policy-20250716/policy/modules/system/systemd.if        
2025-07-16 10:15:50.000000000 +0200
@@ -1261,6 +1261,24 @@
 
 ########################################
 ## <summary>
+##     Read the process state (/proc/pid) of systemd_passwd_agent_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_read_proc_state',`
+       gen_require(`
+              type systemd_passwd_agent_t;
+       ')
+
+       ps_process_pattern($1, systemd_passwd_agent_t)
+')
+
+########################################
+## <summary>
 ##     Send generic signals to systemd_passwd_agent processes.
 ## </summary>
 ## <param name="domain">
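Review bot: The summary `Read the process state (/proc/pid) of systemd_passwd_agent_t.` understates what `ps_process_pattern` grants: besides reading the /proc/<pid> files it also allows process-class permissions (getattr and similar) on the target domain, so the doc should say so, e.g. `##     Read the process state (/proc/pid) and get process attributes of systemd_passwd_agent_t.`. The `type systemd_passwd_agent_t;` line inside gen_require appears to be indented with spaces while the surrounding added lines (and the `gen_require` in the devices.if hunk of this same patch) use tabs; worth normalising before merge.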
