Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-10-23 16:35:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Thu Oct 23 16:35:29 2025 rev:133 rq:1312810 version:20251021 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-10-18 14:36:41.131584551 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1980/selinux-policy.changes 2025-10-23 16:35:51.950398206 +0200 
@@ -1,0 +2,28 @@ +Tue Oct 21 09:07:33 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251021: + * Allow snapper sdbootutil plugin read emmc devices (bsc#1231354) + * Allow pcrlock to delete pid entries + * Allow systemd_pcrlock_t to manage its pid files + * Mark snapper_sdbootutil_plugin_t as permissive + * Drop unnamed filetrans, should be done upstream (bsc#1241964) + * Label pcrlock pid file correctly (bsc#1241964) + * Allow snapper sdbootutil plugin send msg to system bus (bsc#1241964) + * snapper takes output from stdout/err, allow pcrlock to write + * Add tpm2_getcap permissions to snapper sdbootutil (bsc#1244573) + * Allow snapper sdbootutil plugin to read snapper data and conf + * Allow snapper sdbootutil plugin to grep /proc/stat (bsc#1241964) + * Replace snapper tmp file access for pcrlock (bsc#1241964) + * Allow snapper sdbootutil read kernel module dirs (bsc#1241964) + * Allow snapper sdbootutil plugin use bootctl (bsc#1241964) + * Allow snapper sdbootutil plugin to list and read sysfs (bsc#1241964) + * Allow snapper sdbootutil sys_admin (bsc#1241964) + * Allow snapper sdbootutils plugin to findmnt (bsc#1241964) + * Allow snapper sdbootutil plugin rw tpm (bsc#1233358) + * Move manage dos permissions and dontaudit execmem to snapper sdbootutils plugin (bsc#1241964) + * Move snapper domtrans to sdbootutil to plugin (bsc#1241964) + * Revert snapper access to keys, move to sdbootutils plugin policy (bsc#1241964) + * Add initial seperate policy for sdbootutil called by snapper (bsc#1233358) + * Allow sort in snapper_grub_plugin_t read cpu.max (bsc#1252095) + +------------------------------------------------------------------- Old: ---- selinux-policy-20251016.tar.xz New: ---- selinux-policy-20251021.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.BW8O4q/_old 2025-10-23 16:35:52.618426398 +0200 +++ 
/var/tmp/diff_new_pack.BW8O4q/_new 2025-10-23 16:35:52.618426398 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20251016 +Version: 20251021 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.BW8O4q/_old 2025-10-23 16:35:52.706430111 +0200 +++ /var/tmp/diff_new_pack.BW8O4q/_new 2025-10-23 16:35:52.714430449 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">fcbf2d50912529c066398d15c9cf4fb5b53bb57a</param></service></servicedata> + <param name="changesrevision">d6c73e869d97cca1ef6c45c3e888339d57c887c5</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20251016.tar.xz -> selinux-policy-20251021.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/contrib/snapper.fc new/selinux-policy-20251021/policy/modules/contrib/snapper.fc --- old/selinux-policy-20251016/policy/modules/contrib/snapper.fc 2025-10-16 12:06:34.000000000 +0200 +++ new/selinux-policy-20251021/policy/modules/contrib/snapper.fc 2025-10-21 11:05:47.000000000 +0200 
@@ -3,6 +3,7 @@
 /usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0)
 /usr/lib/snapper/plugins/50-etc -- gen_context(system_u:object_r:snapper_tu_etc_plugin_exec_t,s0)
 /usr/lib/snapper/plugins/(00-)?grub -- gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0)
+/usr/lib/snapper/plugins/10-sdbootutil.snapper -- gen_context(system_u:object_r:snapper_sdbootutil_plugin_exec_t,s0)
 /etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
 /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/contrib/snapper.if new/selinux-policy-20251021/policy/modules/contrib/snapper.if
--- old/selinux-policy-20251016/policy/modules/contrib/snapper.if 2025-10-16 12:06:34.000000000 +0200
+++ new/selinux-policy-20251021/policy/modules/contrib/snapper.if 2025-10-21 11:05:47.000000000 +0200
@@ -97,6 +97,24 @@
 ########################################
 ## <summary>
+## Allow a domain to write to snapper pipe
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_write_inherited_pipe',`
+ gen_require(`
+ type snapperd_t;
+ ')
+
+ allow $1 snapperd_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ## Allow a domain to select the boot snapshot
 ##
 ## Warning: should only be used for direct btrfs invocation
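Review bot: The single rule in `snapper_write_inherited_pipe` grants `write_fifo_file_perms` on every fifo_file labelled `snapperd_t`, not only on a pipe inherited across the exec, so the "inherited" in the name describes the intended use rather than anything the rule enforces. That is the usual shape for such an interface, but the summary should say so, and a caller that really does inherit the pipe from snapperd may also need `allow $1 snapperd_t:fd use;` unless the transition it arrives through already provides that — worth checking against the denial that motivated the interface. Suggested summary line: `## Allow a domain to write to a fifo owned by snapperd, typically one inherited on exec`.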
@@ -180,3 +198,40 @@ dontaudit snapperd_t snapper_$1_plugin_t:process { noatsecure rlimitinh siginh };
 ')
+#######################################
+## <summary>
+## Allow domain to manage snapper
+## sdbootutil plugin temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_sdbootutil_plugin_manage_tmp_files',`
+ gen_require(`
+ type snapper_sdbootutil_plugin_tmp_t;
+ ')
+
+ allow $1 snapper_sdbootutil_plugin_tmp_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to manage snapper
+## sdbootutil plugin temporary directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_sdbootutil_plugin_manage_tmp_dirs',`
+ gen_require(`
+ type snapper_sdbootutil_plugin_tmp_t;
+ ')
+
+ allow $1 snapper_sdbootutil_plugin_tmp_t:dir manage_dir_perms;
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/contrib/snapper.te new/selinux-policy-20251021/policy/modules/contrib/snapper.te
--- old/selinux-policy-20251016/policy/modules/contrib/snapper.te 2025-10-16 12:06:34.000000000 +0200
+++ new/selinux-policy-20251021/policy/modules/contrib/snapper.te 2025-10-21 11:05:47.000000000 +0200
@@ -32,9 +32,6 @@ allow snapperd_t self:fifo_file rw_fifo_file_perms;
 allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
-# PCRE JIT, not needed, has a fallback if it's denied
-dontaudit snapperd_t self: process { execmem };
-
 manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
 logging_log_filetrans(snapperd_t, snapperd_log_t, file)
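Review bot: `snapper_sdbootutil_plugin_manage_tmp_files` grants permissions on the `file` class only, so a caller that uses it without the sibling `_manage_tmp_dirs` interface cannot traverse a `snapper_sdbootutil_plugin_tmp_t` directory to reach the files inside it, and neither interface lets the caller search /tmp to get there. The pattern macros give that for free: `manage_files_pattern($1, snapper_sdbootutil_plugin_tmp_t, snapper_sdbootutil_plugin_tmp_t)` and `manage_dirs_pattern($1, snapper_sdbootutil_plugin_tmp_t, snapper_sdbootutil_plugin_tmp_t)`, each followed by `files_search_tmp($1)`. The only caller visible in this commit (systemd_pcrlock_t) invokes both interfaces, so this is a completeness point for future callers rather than a breakage today.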
@@ -57,12 +54,8 @@ kernel_setsched(snapperd_t)
 kernel_stream_connect(snapperd_t)
-kernel_view_key(snapperd_t)
 domain_read_all_domains_state(snapperd_t)
-domain_read_view_all_domains_keyrings(snapperd_t)
-
-userdom_view_all_users_keys(snapperd_t)
 corecmd_exec_shell(snapperd_t)
 corecmd_exec_bin(snapperd_t)
@@ -86,17 +79,11 @@ fs_mount_xattr_fs(snapperd_t)
 fs_unmount_xattr_fs(snapperd_t)
-fstools_domtrans(snapperd_t)
-
 storage_raw_read_fixed_disk(snapperd_t)
 auth_use_nsswitch(snapperd_t)
 optional_policy(`
- init_view_key(snapperd_t)
-')
-
-optional_policy(`
 packagekit_dbus_chat(snapperd_t)
 ')
@@ -128,8 +115,6 @@ optional_policy(`
 systemd_exec_systemctl(snapperd_t)
- systemd_domtrans_pcrlock(snapperd_t)
- systemd_manage_pcrlock_files(snapperd_t)
 ')
 ########################################
@@ -141,12 +126,18 @@ snapper_plugin_template(grub);
 snapper_plugin_template(tu_etc);
+snapper_plugin_template(sdbootutil);
+
+type snapper_sdbootutil_plugin_tmp_t;
+files_tmp_file(snapper_sdbootutil_plugin_tmp_t)
 ### snapper grub plugin
 bootloader_domtrans(snapper_grub_plugin_t)
 corecmd_exec_bin(snapper_grub_plugin_t)
 files_manage_isid_type_dirs(snapper_grub_plugin_t)
 files_manage_isid_type_files(snapper_grub_plugin_t)
+# sort reads cpu.max
+fs_read_cgroup_files(snapper_grub_plugin_t)
 snapper_filetrans_named_content(snapper_grub_plugin_t)
 kernel_read_unlabeled_lnk_files(snapper_grub_plugin_t)
@@ -187,3 +178,95 @@
 # needed for systemd dynamicuser
 kernel_stream_connect(snapper_tu_etc_plugin_t)
+
+
+### snapper sdbootutil plugin
+
+# for btrfs
+allow snapper_sdbootutil_plugin_t self:capability sys_admin;
+# PCRE JIT for grep, not needed, has a fallback if it's denied
+dontaudit snapper_sdbootutil_plugin_t self:process execmem;
+
+read_files_pattern(snapper_sdbootutil_plugin_t, snapperd_conf_t, snapperd_conf_t)
+read_files_pattern(snapper_sdbootutil_plugin_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapper_sdbootutil_plugin_t, snapper_sdbootutil_plugin_tmp_t, snapper_sdbootutil_plugin_tmp_t)
+manage_files_pattern(snapper_sdbootutil_plugin_t, snapper_sdbootutil_plugin_tmp_t, snapper_sdbootutil_plugin_tmp_t)
+files_tmp_filetrans(snapper_sdbootutil_plugin_t, snapper_sdbootutil_plugin_tmp_t, { file dir })
+
+# grep /proc/stat
+kernel_read_proc_files(snapper_sdbootutil_plugin_t)
+kernel_view_key(snapper_sdbootutil_plugin_t)
+
+corecmd_exec_bin(snapper_sdbootutil_plugin_t)
+
+dev_list_sysfs(snapper_sdbootutil_plugin_t)
+dev_read_sysfs(snapper_sdbootutil_plugin_t)
+dev_rw_tpm(snapper_sdbootutil_plugin_t)
+domain_read_view_all_domains_keyrings(snapper_sdbootutil_plugin_t)
+
+# to delete /etc/systemd/tpm2-pcr-signature.json,
+# maybe this should have its own label
+files_delete_etc_dir_entry(snapper_sdbootutil_plugin_t)
+files_delete_etc_files(snapper_sdbootutil_plugin_t)
+
+files_list_kernel_modules(snapper_sdbootutil_plugin_t)
+
+# grep through /var/lib/sdbootutil, maybe label it in the future
+# and then this would be better
+files_read_var_lib_files(snapper_sdbootutil_plugin_t)
+
+files_search_all(snapper_sdbootutil_plugin_t)
+
+fs_getattr_all_fs(snapper_sdbootutil_plugin_t)
+fs_getattr_all_files(snapper_sdbootutil_plugin_t)
+fs_manage_dos_files(snapper_sdbootutil_plugin_t)
+fs_manage_efivarfs_files(snapper_sdbootutil_plugin_t)
+fstools_domtrans(snapper_sdbootutil_plugin_t)
+
+init_read_state(snapper_sdbootutil_plugin_t)
+
+seutil_read_file_contexts(snapper_sdbootutil_plugin_t)
+
+snapper_select_boot_snapshot(snapper_sdbootutil_plugin_t)
+
+storage_raw_read_fixed_disk_blk_device(snapper_sdbootutil_plugin_t)
+# for emmc devices, might be revisited though
+storage_raw_read_removable_device(snapper_sdbootutil_plugin_t)
+
+udev_read_db(snapper_sdbootutil_plugin_t)
+udev_search_pids(snapper_sdbootutil_plugin_t)
+
+userdom_view_all_users_keys(snapper_sdbootutil_plugin_t)
+
+permissive snapper_sdbootutil_plugin_t;
+
+optional_policy(`
+ auth_dontaudit_read_passwd_file(snapper_sdbootutil_plugin_t)
+')
+
+optional_policy(`
+ # to allow tpm2_getcap connect to system bus
+ dbus_send_system_bus(snapper_sdbootutil_plugin_t)
+ dbus_stream_connect_system_dbusd(snapper_sdbootutil_plugin_t)
+ dbus_write_pid_sock_files(snapper_sdbootutil_plugin_t)
+')
+
+optional_policy(`
+ init_view_key(snapper_sdbootutil_plugin_t)
+')
+
+optional_policy(`
+ # for cryptsetup
+ lvm_domtrans(snapper_sdbootutil_plugin_t)
+')
+
+optional_policy(`
+ systemd_domtrans_pcrlock(snapper_sdbootutil_plugin_t)
+ systemd_manage_pcrlock_files(snapper_sdbootutil_plugin_t)
+')
+
+optional_policy(`
+ # if tpm2.0-abrmd is installed, tpm2_getcap will use it
+ tabrmd_rw_unix_stream_sockets(snapper_sdbootutil_plugin_t)
+ tabrmd_dbus_chat(snapper_sdbootutil_plugin_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/system/systemd.fc new/selinux-policy-20251021/policy/modules/system/systemd.fc
--- old/selinux-policy-20251016/policy/modules/system/systemd.fc 2025-10-16 12:06:34.000000000 +0200
+++ new/selinux-policy-20251021/policy/modules/system/systemd.fc 2025-10-21 11:05:47.000000000 +0200
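Review bot: `permissive snapper_sdbootutil_plugin_t;` carries no comment saying why the new domain is permissive or what would let it become enforcing, whereas `permissive systemd_pcrlock_t;` in systemd.te does; while the line stands, none of the rules in this block are enforced, only logged. That matters because several grants here are wide — `files_delete_etc_files` and `files_delete_etc_dir_entry` allow deleting any `etc_t` file, not just /etc/systemd/tpm2-pcr-signature.json, and `files_read_var_lib_files`, `files_search_all`, `fs_manage_efivarfs_files` and `self:capability sys_admin` sit alongside — so the domain's real reach only becomes visible once permissive is dropped. Suggested comment above the line: `# permissive until the plugin's access pattern is settled; denials are logged, not enforced - revisit before removing`. Giving tpm2-pcr-signature.json its own type with a named file transition, as the existing comment already hints, would shrink the two etc_t delete grants to that one file.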
@@ -160,7 +160,7 @@
 /run/systemd/machine(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/systemd/machines.lock -- gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
-/run/systemd/pcrlock.json -- gen_context(system_u:object_r:systemd_pcrlock_var_lib_t,s0)
+/run/systemd/pcrlock.json -- gen_context(system_u:object_r:systemd_pcrlock_var_run_t,s0)
 /run/systemd/oom(/.*)? gen_context(system_u:object_r:systemd_oomd_var_run_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/system/systemd.if new/selinux-policy-20251021/policy/modules/system/systemd.if
--- old/selinux-policy-20251016/policy/modules/system/systemd.if 2025-10-16 12:06:34.000000000 +0200
+++ new/selinux-policy-20251021/policy/modules/system/systemd.if 2025-10-21 11:05:47.000000000 +0200
@@ -1012,12 +1012,6 @@
 ')
 can_exec($1,systemd_pcrlock_exec_t)
- systemd_pcrlock_filetrans_named_content($1)
- init_var_lib_filetrans($1, systemd_pcrlock_var_lib_t, file)
- # this should be a named file transition like
- # init_var_lib_filetrans($1, systemd_pcrlock_var_lib_t, file, "pcrlock.json")
- # but ATM system creates a temporary file like .#pcrlock.jsonabb6f6e6c7abd54f
- # the pound sign can be used, so we have to use this rule until this is changed
 ')
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251016/policy/modules/system/systemd.te new/selinux-policy-20251021/policy/modules/system/systemd.te
--- old/selinux-policy-20251016/policy/modules/system/systemd.te 2025-10-16 12:06:34.000000000 +0200
+++ new/selinux-policy-20251021/policy/modules/system/systemd.te 2025-10-21 11:05:47.000000000 +0200
@@ -332,6 +332,9 @@ type systemd_pcrlock_var_lib_t;
 files_type(systemd_pcrlock_var_lib_t);
+type systemd_pcrlock_var_run_t;
+files_pid_file(systemd_pcrlock_var_run_t)
+
 #######################################
 #
 # Systemd_logind local policy
@@ -2155,13 +2158,14 @@ systemd_manage_pcrlock_files(systemd_pcrlock_t)
-init_read_pid_files(systemd_pcrlock_t)
 init_search_var_lib_dirs(systemd_pcrlock_t)
 init_var_lib_filetrans(systemd_pcrlock_t, systemd_pcrlock_var_lib_t, { dir file })
-# These files are also created in /run and then moved to their proper location
-init_pid_filetrans(systemd_pcrlock_t, systemd_pcrlock_var_lib_t, { dir file })
 systemd_pcrlock_filetrans_named_content(systemd_pcrlock_t)
+init_delete_pid_dir_entry(systemd_pcrlock_t)
+init_read_pid_files(systemd_pcrlock_t)
+manage_files_pattern(systemd_pcrlock_t, systemd_pcrlock_var_run_t, systemd_pcrlock_var_run_t)
+
 dev_list_sysfs(systemd_pcrlock_t)
 dev_read_sysfs(systemd_pcrlock_t)
 dev_rw_tpm(systemd_pcrlock_t)
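Review bot: In the `@@ -2155` hunk, `manage_files_pattern(systemd_pcrlock_t, systemd_pcrlock_var_run_t, systemd_pcrlock_var_run_t)` is added while the `init_pid_filetrans(...)` for /run is removed and nothing else transitions newly created files to `systemd_pcrlock_var_run_t`, so a pcrlock.json that systemd_pcrlock_t creates under /run/systemd presumably gets the parent directory's type and the new rule only applies once the file is relabelled via the systemd.fc entry. Dropping the unnamed transition looks intentional (the changelog says so), but the reasoning that the removed systemd.if comment carried — the temporary `.#pcrlock.json<random>` name cannot be matched by a named transition — is lost with this change. Suggested comment above the new rule: `# no /run filetrans on purpose: the temporary .#pcrlock.json<random> name cannot be matched by a named transition; the label comes from systemd.fc / relabeling`. As a minor style point, the `@@ -332` hunk writes `files_pid_file(systemd_pcrlock_var_run_t)` without the trailing semicolon that the neighbouring `files_type(systemd_pcrlock_var_lib_t);` uses.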
@@ -2175,8 +2179,9 @@ udev_read_db(systemd_pcrlock_t)
 optional_policy(`
- snapper_manage_tmp_files(systemd_pcrlock_t)
- snapper_manage_tmp_dirs(systemd_pcrlock_t)
+ snapper_sdbootutil_plugin_manage_tmp_files(systemd_pcrlock_t)
+ snapper_sdbootutil_plugin_manage_tmp_dirs(systemd_pcrlock_t)
+ snapper_write_inherited_pipe(systemd_pcrlock_t)
 ')
 # still keep it permissive for now. Failure to run can prevent booting
 permissive systemd_pcrlock_t;
