Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-01-06 17:41:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Jan 6 17:41:50 2026 rev:144 rq:1325575 version:20260106 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-12-20 21:46:24.606985263 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1928/selinux-policy.changes 2026-01-06 17:42:21.524164734 +0100 
@@ -1,0 +2,44 @@ +Tue Jan 06 10:33:03 UTC 2026 - Robert Frohl <[email protected]> + +- Update to version 20260106: + * linuxptp: add support for dropping root privileges + * fail2ban: Tweak selinux regex for /run/fail2ban. + * Allow virtqemud setattr dri devices + * Allow irqbalance create and use netlink generic socket + * Allow thumb_t connect to XDM over a unix domain stream socket + * Allow systemd-homework to remove ~/.identity-blob + * Revert "Allow kl2tpd create and use netlink_generic_socket" + * Support cockpit privileged access for the staff user + * Update su_domain_type policy for kerberized su + * Allow sshd-session inherit limits from its parent process + * Allow systemd-machined read virtd process state + * Allow kl2tpd create and use netlink_generic_socket + * Update policy for redfish-finder + * Label the greetd login manager framework as a display manager + * Allow sshd-auth get attributes of sshd vsock socket + * Confine redfish_finder - host api discovery service + * Allow iptables read firewalld process state + * Allow tuned_t use its private tmpfs files + * The commit addresses the following AVC denials: + * Allow passwd read and write a sshd-session unnamed pipes + * Allow sshd-auth capabilities + * Allow sshd-auth read network sysctls + * Label /run/insights-client.ppid with insights_client_run_t + * fix: unbreak thumbnailing for Thunar/tumblerd + * Add files_mounton_generic_tmp_dirs() interface + * Add the rpm_signal() interface + * Allow session_bus_type get the attributes of the pidfs filesystem + * Allow pcscd get the attributes of the pidfs filesystem + * Allow sssd get the attributes of the pidfs filesystem + * Allow KDE Plasma Login Manager to function as a display manager + * Allow mdadm search filesystem_type directories + * Update policy for dhcpc_hook_t + * Label /usr/libexec/dhcpcd-run-hooks with dhcpc_hook_exec_t + * Allow staff role read/write cockpit-session unix stream sockets + * Allow stap server read virtual memory sysctls 
+- Syncing with upstream rawhide selinux-policy up to: + * 415e98f61041ebd8158063d62e750cd391841e00 +- Update embedded container-selinux version to commit: + * 3f7c37e93e172f531de233f40a58a1b8ec6ff17d (v2.245.0) + +------------------------------------------------------------------- @@ -5,0 +50,6 @@ + +------------------------------------------------------------------- +Fri Dec 19 08:41:23 UTC 2025 - Danish Prakash <[email protected]> + +- macros.selinux-policy: Introduce %selinux_requires_min macro +that requires all relevant dependencies except for *-python Old: ---- selinux-policy-20251219.tar.xz New: ---- selinux-policy-20260106.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.umywwY/_old 2026-01-06 17:42:22.304196829 +0100 +++ /var/tmp/diff_new_pack.umywwY/_new 2026-01-06 17:42:22.308196993 +0100 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20251219 +Version: 20260106 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.umywwY/_old 2026-01-06 17:42:22.380199957 +0100 +++ /var/tmp/diff_new_pack.umywwY/_new 2026-01-06 17:42:22.388200287 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">b6f226e4cd6b7896a07dfb02cd7cb6fad8fa7eb5</param></service></servicedata> + <param name="changesrevision">233d96579f268a6a082b61e3fc68cb2f08381daa</param></service></servicedata> (No newline at EOF) ++++++ container.fc ++++++ --- /var/tmp/diff_new_pack.umywwY/_old 2026-01-06 17:42:22.412201275 +0100 +++ /var/tmp/diff_new_pack.umywwY/_new 2026-01-06 17:42:22.416201439 +0100 
@@ -20,11 +20,14 @@ /usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/incus-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/incus -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/libexec/incus/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) @@ -53,6 +56,7 @@ /usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/lib/systemd/system/incus.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 
@@ -66,6 +70,7 @@ /var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/incus(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) @@ -100,6 +105,8 @@ HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay2-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0) /var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) @@ -127,6 +134,8 @@ /run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) +/var/cache/incus(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) + /var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) /opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) 
@@ -164,10 +173,15 @@ /srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/run/incus/unix.socket(.*)? -s gen_context(system_u:object_r:container_var_run_t,s0) +/run/incus(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) /var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0) + +/var/log/incus(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) + /etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0) ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.umywwY/_old 2026-01-06 17:42:22.452202921 +0100 +++ /var/tmp/diff_new_pack.umywwY/_new 2026-01-06 17:42:22.456203087 +0100 @@ -1,4 +1,4 @@ -policy_module(container, 2.244.0) +policy_module(container, 2.245.0) gen_require(` class passwd rootok; @@ -83,6 +83,22 @@ ## </desc> gen_tunable(container_use_ecryptfs, false) +## <desc> +## <p> +## Allow containers to read shared public files +## (public_content_t & public_content_rw_t) +## </p> +## </desc> +gen_tunable(container_read_public_content, false) + +## <desc> +## <p> +## Allow containers to read and write shared public +## files (public_content_rw_t) +## </p> +## </desc> +gen_tunable(container_manage_public_content, false) + attribute container_runtime_domain; container_runtime_domain_template(container_runtime) typealias container_runtime_t alias docker_t; 
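Review bot: The description of `container_manage_public_content` in the container.te hunk at @@ -83 says "read and write", but the rule it gates, `miscfiles_manage_public_files(container_domain)` in the @@ -1452 hunk, grants manage permissions, which in refpolicy include create, unlink and rename on public_content_rw_t directories, files and symlinks. An administrator judging the boolean by its description would underestimate what containers can then do to shared content. I would reword the `<desc>` to `Allow containers to create, modify and delete shared public files (public_content_rw_t)`; the read tunable's description is accurate as written.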
@@ -1452,6 +1468,14 @@ allow container_init_t self:cap_userns sys_admin; ') +tunable_policy(`container_read_public_content',` + miscfiles_read_public_files(container_domain) +') + +tunable_policy(`container_manage_public_content',` + miscfiles_manage_public_files(container_domain) +') + allow container_init_domain self:netlink_audit_socket nlmsg_relay; # container_engine_t is for running a container engine within a container ++++++ macros.selinux-policy ++++++ --- /var/tmp/diff_new_pack.umywwY/_old 2026-01-06 17:42:22.492204569 +0100 +++ /var/tmp/diff_new_pack.umywwY/_new 2026-01-06 17:42:22.496204733 +0100 @@ -33,8 +33,8 @@ %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp -# %selinux_requires -%selinux_requires \ +# %selinux_requires_min - minimal required set of packages +%selinux_requires_min \ Requires: selinux-policy >= %{_selinux_policy_version} \ BuildRequires: pkgconfig(systemd) \ BuildRequires: selinux-policy \ @@ -42,6 +42,11 @@ Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ Requires(post): libselinux-utils \ Requires(post): policycoreutils \ +%{nil} + +# %selinux_requires +%selinux_requires \ +%selinux_requires_min \ %if 0%{?fedora} || 0%{?rhel} > 7 || 0%{suse_version} > 1500\ Requires(post): policycoreutils-python-utils \ %else \ ++++++ selinux-policy-20251219.tar.xz -> selinux-policy-20260106.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/dist/targeted/modules.conf new/selinux-policy-20260106/dist/targeted/modules.conf --- old/selinux-policy-20251219/dist/targeted/modules.conf 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/dist/targeted/modules.conf 2026-01-06 11:32:43.000000000 +0100 
@@ -3097,6 +3097,14 @@ # switcheroo = module +# Layer: contrib +# Module: redfish-finder +# +# Policy for redfish-finder: Redfish host api discovery service +# +# +redfish-finder = module + # SUSE specific modules # Layer: contrib diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/admin/su.te new/selinux-policy-20260106/policy/modules/admin/su.te --- old/selinux-policy-20251219/policy/modules/admin/su.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/admin/su.te 2026-01-06 11:32:43.000000000 +0100 @@ -83,10 +83,19 @@ ') optional_policy(` + userdom_tmp_filetrans_user_tmp(su_domain_type, file) + userdom_manage_user_tmp_files(su_domain_type) +') + +optional_policy(` # used when the password has expired usermanage_read_crack_db(su_domain_type) ') +optional_policy(` + ssh_signull(su_domain_type) +') + # Modify .Xauthority file (via xauth program). optional_policy(` xserver_user_home_dir_filetrans_user_xauth(su_domain_type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/admin/sudo.if new/selinux-policy-20260106/policy/modules/admin/sudo.if --- old/selinux-policy-20251219/policy/modules/admin/sudo.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/admin/sudo.if 2026-01-06 11:32:43.000000000 +0100 @@ -59,7 +59,7 @@ allow $1_sudo_t $3:file read_file_perms;; allow $1_sudo_t $3:key search; - allow $1_sudo_t $1_t:unix_stream_socket { connectto read write }; + allow $1_sudo_t $1_t:unix_stream_socket { getattr connectto ioctl read write }; # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) 
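Review bot: The new `userdom_tmp_filetrans_user_tmp` / `userdom_manage_user_tmp_files` block in the su.te hunk has no comment saying why su now creates and manages user tmp files; the changelog line "Update su_domain_type policy for kerberized su" is the only hint, so if that is the motivation I would add `# kerberized su: the credential cache is created in the user's tmp dir` above the block. The `optional_policy` wrapper is also questionable: the neighbouring blocks guard calls into contrib modules (usermanage, ssh, xserver) that may be absent, whereas the userdom interfaces belong to the base userdomain module, so the guard adds nothing but implies the rules are optional. The unnamed file transition makes every file su_domain_type creates in tmp_t a user_tmp_t file; if only the credential cache is intended, a named transition would keep that narrower, though the cache name may not be fixed.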
@@ -115,6 +115,10 @@ ') optional_policy(` + ssh_agent_stream_connect($1_sudo_t) + ') + + optional_policy(` systemd_domtrans_systemctl($1_sudo_t, $3) systemd_logind_stream_connect($1_sudo_t) systemd_systemctl_entrypoint($3) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/admin/usermanage.te new/selinux-policy-20260106/policy/modules/admin/usermanage.te --- old/selinux-policy-20251219/policy/modules/admin/usermanage.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/admin/usermanage.te 2026-01-06 11:32:43.000000000 +0100 @@ -428,6 +428,10 @@ ') optional_policy(` + ssh_session_rw_pipes(passwd_t) +') + +optional_policy(` sssd_domtrans(passwd_t) sssd_manage_lib_files(passwd_t) sssd_manage_public_files(passwd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/cockpit.if new/selinux-policy-20260106/policy/modules/contrib/cockpit.if --- old/selinux-policy-20251219/policy/modules/contrib/cockpit.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/cockpit.if 2026-01-06 11:32:43.000000000 +0100 
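Review bot: The `ssh_agent_stream_connect($1_sudo_t)` block added in the sudo.if hunk at @@ -115 carries no comment naming the use case, and unlike the other changes in this update it has no changelog entry either. Because this template is instantiated for every user role, the rule lets each role's sudo domain connect to ssh-agent sockets; a one-line comment such as `# sudo may authenticate against the caller's ssh-agent (e.g. pam_ssh_agent_auth)` would record the intent — adjust it if the real trigger was different. The enclosing template starts outside the hunk.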
@@ -64,6 +64,26 @@ ######################################## ## <summary> +## Read and write cockpit_session_t unix stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`cockpit_session_rw_stream_sockets',` + interface(`cockpit_session_rw_stream_sockets',` + gen_require(` + type cockpit_session_t; + ') + + allow $1 cockpit_session_t:unix_stream_socket { read write }; + ') +') + +######################################## +## <summary> ## Create cockpit unix_stream_sockets. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/dbus.te new/selinux-policy-20260106/policy/modules/contrib/dbus.te --- old/selinux-policy-20251219/policy/modules/contrib/dbus.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/dbus.te 2026-01-06 11:32:43.000000000 +0100 @@ -374,6 +374,7 @@ files_watch_usr_dirs(session_bus_type) files_watch_var_lib_dirs(session_bus_type) +fs_getattr_pidfs(session_bus_type) fs_getattr_romfs(session_bus_type) fs_getattr_xattr_fs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/fail2ban.fc new/selinux-policy-20260106/policy/modules/contrib/fail2ban.fc --- old/selinux-policy-20251219/policy/modules/contrib/fail2ban.fc 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/fail2ban.fc 2026-01-06 11:32:43.000000000 +0100 
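Review bot: The new `cockpit_session_rw_stream_sockets` interface in the cockpit.if hunk is wrapped in `ifndef(`cockpit_session_rw_stream_sockets', ...)`, which no other interface in this update uses; if a definition of the same name is later picked up from another source, this copy is silently skipped and the two bodies may diverge without warning. I would either drop the guard or add a comment above it explaining which other definition it defers to, e.g. `# guarded: a same-named interface may be provided upstream`. Note also that the interface grants only `{ read write }`; a caller that needs `getattr` or `ioctl` on the socket, as the sudo.if change in this same update needed for the user socket, will still be denied.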
@@ -1,7 +1,10 @@ +#/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) + /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) /var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0) + +/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/firewalld.if new/selinux-policy-20260106/policy/modules/contrib/firewalld.if --- old/selinux-policy-20251219/policy/modules/contrib/firewalld.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/firewalld.if 2026-01-06 11:32:43.000000000 +0100 
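Review bot: The fail2ban.fc hunk adds a commented-out `#/etc/rc\.d/init\.d/fail2ban` line, which is dead content in a file-context file; if the initrc label is not wanted the line should be dropped rather than preserved as a comment. The changelog promises a tweak to the `/run/fail2ban` regex, but the removed and re-added `/run/fail2ban(/.*)?` lines are textually identical in this view apart from surrounding whitespace, so either the regex change was lost when this page was collapsed or the changelog overstates the change; worth confirming against the real file. Someone auditing labeling changes from the changelog would otherwise look for a regex difference that is not there.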
@@ -122,6 +122,26 @@ ######################################## ## <summary> +## Read firewalld process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`firewalld_read_state',` + gen_require(` + type firewalld_t; + ') + + allow $1 firewalld_t:dir { search_dir_perms read }; + allow $1 firewalld_t:file read_file_perms; + allow $1 firewalld_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Dontaudit read and write leaked firewalld file descriptors ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/insights_client.fc new/selinux-policy-20260106/policy/modules/contrib/insights_client.fc --- old/selinux-policy-20251219/policy/modules/contrib/insights_client.fc 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/insights_client.fc 2026-01-06 11:32:43.000000000 +0100 @@ -21,3 +21,4 @@ /var/log/insights-client(/.*)? gen_context(system_u:object_r:insights_client_var_log_t,s0) /run/insights-client\.pid -- gen_context(system_u:object_r:insights_client_run_t,s0) +/run/insights-client\.ppid -- gen_context(system_u:object_r:insights_client_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/insights_client.if new/selinux-policy-20260106/policy/modules/contrib/insights_client.if --- old/selinux-policy-20251219/policy/modules/contrib/insights_client.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/insights_client.if 2026-01-06 11:32:43.000000000 +0100 
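Review bot: `firewalld_read_state` in the firewalld.if hunk spells out dir/file/lnk_file rules by hand, whereas the parallel `virt_virtd_read_state` added elsewhere in this same update uses `kernel_search_proc($1)` followed by `ps_process_pattern($1, virtd_t)`. Using the same shape here, `kernel_search_proc($1)` then `ps_process_pattern($1, firewalld_t)`, keeps the two interfaces consistent and gives callers the `/proc` search they need to reach the firewalld process entries, which the current body does not grant on its own. The mixed `{ search_dir_perms read }` permission set also reads oddly next to the `read_*_perms` macros on the following lines.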
@@ -105,6 +105,7 @@ filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, "machine-id") files_pid_filetrans($1, insights_client_run_t, file, "insights-client.pid") + files_pid_filetrans($1, insights_client_run_t, file, "insights-client.ppid") files_tmp_filetrans($1, insights_client_tmp_t, dir, "insights-client") files_tmp_filetrans($1, insights_client_tmp_t, file, "insights-client.ppid") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/irqbalance.te new/selinux-policy-20260106/policy/modules/contrib/irqbalance.te --- old/selinux-policy-20251219/policy/modules/contrib/irqbalance.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/irqbalance.te 2026-01-06 11:32:43.000000000 +0100 @@ -37,6 +37,7 @@ allow irqbalance_t self:capability { setpcap net_admin }; dontaudit irqbalance_t self:capability sys_tty_config; allow irqbalance_t self:cap_userns setpcap; +allow irqbalance_t self:netlink_generic_socket create_socket_perms; allow irqbalance_t self:process { getcap getsched setcap signal_perms }; allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/kdump.te new/selinux-policy-20260106/policy/modules/contrib/kdump.te --- old/selinux-policy-20251219/policy/modules/contrib/kdump.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/kdump.te 2026-01-06 11:32:43.000000000 +0100 
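Review bot: The added `allow irqbalance_t self:netlink_generic_socket create_socket_perms;` in the irqbalance.te hunk duplicates the existing rule two lines below, `allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms;`, which already grants exactly this. The policy compiler merges identical rules so nothing breaks, but the redundant line will mislead the next person auditing what irqbalance may open; drop the new line, or if the intent was to extend the permission set (the changelog says "create and use"), change the existing rule instead. Nothing in the hunk shows which permission was actually missing.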
@@ -160,6 +160,7 @@ files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) +fs_read_dos_files(kdump_t) kernel_read_system_state(kdumpctl_t) kernel_stream_connect(kdumpctl_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/linuxptp.te new/selinux-policy-20260106/policy/modules/contrib/linuxptp.te --- old/selinux-policy-20251219/policy/modules/contrib/linuxptp.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/linuxptp.te 2026-01-06 11:32:43.000000000 +0100 @@ -108,7 +108,7 @@ # phc2sys local policy # -allow phc2sys_t self:capability sys_time; +allow phc2sys_t self:capability { chown dac_override sys_time }; allow phc2sys_t self:fifo_file rw_fifo_file_perms; allow phc2sys_t self:unix_stream_socket create_stream_socket_perms; allow phc2sys_t self:shm create_shm_perms; @@ -159,12 +159,15 @@ allow ptp4l_t self:unix_stream_socket create_stream_socket_perms; allow ptp4l_t self:shm create_shm_perms; allow ptp4l_t self:udp_socket create_socket_perms; -allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time }; +allow ptp4l_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_time }; allow ptp4l_t self:capability2 { bpf wake_alarm }; +allow ptp4l_t self:process { setcap }; allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms; allow ptp4l_t phc2sys_t:unix_dgram_socket sendto; +create_lnk_files_pattern(ptp4l_t, var_run_t, var_run_t) + manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) 
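Review bot: `fs_read_dos_files(kdump_t)` in the kdump.te hunk is inserted in the middle of a run of `kdumpctl_t` rules (`read_files_pattern(kdumpctl_t, ...)`, `kernel_read_system_state(kdumpctl_t)`), so either the domain is a slip for `kdumpctl_t` or the rule belongs in the `kdump_t` section of the file, which is outside this hunk. Please confirm which domain produced the denial; a rule for the wrong domain leaves the real denial in place while widening another domain. If `kdump_t` is correct, move the line next to the other `kdump_t` filesystem rules.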
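Review bot: `create_lnk_files_pattern(ptp4l_t, var_run_t, var_run_t)` in the linuxptp.te hunk at @@ -159 lets ptp4l create symlinks carrying the generic `var_run_t` type anywhere under `/run`, and it references a kernel-layer type directly from a contrib module instead of going through a `files_*` interface. If the link lives in a ptp-owned directory, creating it as `timemaster_var_run_t` (which this domain already manages) or via a named file transition would keep the new privilege scoped; if it genuinely must be a generic runtime symlink, a comment naming the link and why would help the next reviewer. The privilege-drop additions (`dac_override setuid setgid` plus `process setcap`) match the changelog, though `{ setcap }` does not need braces for a single permission.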
@@ -174,6 +177,8 @@ manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t) fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file }) +auth_use_nsswitch(ptp4l_t) + corenet_udp_bind_generic_node(ptp4l_t) corenet_udp_bind_ptp_event_port(ptp4l_t) corenet_udp_bind_reserved_port(ptp4l_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/pcscd.te new/selinux-policy-20260106/policy/modules/contrib/pcscd.te --- old/selinux-policy-20251219/policy/modules/contrib/pcscd.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/pcscd.te 2026-01-06 11:32:43.000000000 +0100 @@ -61,6 +61,7 @@ files_read_etc_runtime_files(pcscd_t) +fs_getattr_pidfs(pcscd_t) fs_search_cgroup_dirs(pcscd_t) term_use_unallocated_ttys(pcscd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/raid.te new/selinux-policy-20260106/policy/modules/contrib/raid.te --- old/selinux-policy-20251219/policy/modules/contrib/raid.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/raid.te 2026-01-06 11:32:43.000000000 +0100 @@ -115,6 +115,7 @@ fs_manage_cgroup_files(mdadm_t) fs_read_efivarfs_files(mdadm_t) fs_read_tmpfs_files(mdadm_t) +fs_search_all(mdadm_t) mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.fc new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.fc --- old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.fc 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.fc 2026-01-06 11:32:43.000000000 +0100 
@@ -0,0 +1 @@ +/usr/bin/redfish-finder -- gen_context(system_u:object_r:redfish_finder_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.if new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.if --- old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.if 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.if 2026-01-06 11:32:43.000000000 +0100 @@ -0,0 +1,39 @@ +## <summary>Redfish - host api discovery service</summary> + +######################################## +## <summary> +## Execute a domain transition to run redfish-finder. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`redfish_finder_domtrans',` + gen_require(` + type redfish_finder_t, redfish_finder_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, redfish_finder_exec_t, redfish_finder_t) +') + +####################################### +## <summary> +## Execute redfish-finder in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`redfish_finder_exec',` + gen_require(` + type redfish_finder_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, redfish_finder_exec_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.te new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.te --- old/selinux-policy-20251219/policy/modules/contrib/redfish-finder.te 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/redfish-finder.te 2026-01-06 11:32:43.000000000 +0100 
@@ -0,0 +1,44 @@ +policy_module(redfish-finder, 1.0) + +######################################## +# +# Declarations +# + +type redfish_finder_t; +type redfish_finder_exec_t; +init_daemon_domain(redfish_finder_t, redfish_finder_exec_t) + +######################################## +# +# redfish-finder local policy +# + +permissive redfish_finder_t; + +corecmd_exec_bin(redfish_finder_t) +dev_read_sysfs(redfish_finder_t) + +optional_policy(` + auth_read_passwd_file(redfish_finder_t) +') + +optional_policy(` + dbus_chat_session_bus(redfish_finder_t) + dbus_send_system_bus(redfish_finder_t) + dbus_stream_connect_system_dbusd(redfish_finder_t) + dbus_write_pid_sock_files(redfish_finder_t) +') + +optional_policy(` + dmidecode_domtrans(redfish_finder_t) +') + +optional_policy(` + networkmanager_dbus_chat(redfish_finder_t) +') + +optional_policy(` + sysnet_read_config(redfish_finder_t) + sysnet_write_config(redfish_finder_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/rpm.if new/selinux-policy-20260106/policy/modules/contrib/rpm.if --- old/selinux-policy-20251219/policy/modules/contrib/rpm.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/rpm.if 2026-01-06 11:32:43.000000000 +0100 
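Review bot: `permissive redfish_finder_t;` in the new redfish-finder.te makes the whole domain log-only, so none of the rules below it are enforced; that is a normal bootstrap for a new module, but the line should carry a comment stating so and when removal is expected, e.g. `# new domain: permissive until the rule set has been validated on real hardware`. While the domain is permissive, broad grants such as `sysnet_write_config` and `corecmd_exec_bin` will never surface a denial to refine against, so the rule set cannot be trimmed from AVC data alone. Separately, the matching modules.conf entry in this update has an extra empty `#` comment line compared with its neighbours.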
@@ -195,6 +195,24 @@ ######################################## ## <summary> +## Send a generic signal to rpm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_signal',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:process signal; +') + +######################################## +## <summary> ## Send a kill signal to rpm. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/sssd.te new/selinux-policy-20260106/policy/modules/contrib/sssd.te --- old/selinux-policy-20251219/policy/modules/contrib/sssd.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/sssd.te 2026-01-06 11:32:43.000000000 +0100 @@ -132,6 +132,7 @@ fs_getattr_cgroup(sssd_t) fs_search_cgroup_dirs(sssd_t) +fs_getattr_pidfs(sssd_t) fs_getattr_tmpfs(sssd_t) fs_getattr_xattr_fs(sssd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/stapserver.te new/selinux-policy-20260106/policy/modules/contrib/stapserver.te --- old/selinux-policy-20251219/policy/modules/contrib/stapserver.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/stapserver.te 2026-01-06 11:32:43.000000000 +0100 
@@ -66,6 +66,7 @@ kernel_read_system_state(stapserver_t) kernel_read_kernel_sysctls(stapserver_t) +kernel_read_vm_sysctls(stapserver_t) kernel_read_fs_sysctls(stapserver_t) files_list_kernel_modules(stapserver_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/thumb.te new/selinux-policy-20260106/policy/modules/contrib/thumb.te --- old/selinux-policy-20251219/policy/modules/contrib/thumb.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/thumb.te 2026-01-06 11:32:43.000000000 +0100 @@ -99,6 +99,7 @@ files_mounton_rootfs(thumb_t) files_watch_etc_dirs(thumb_t) files_watch_usr_dirs(thumb_t) +files_mounton_generic_tmp_dirs(thumb_t) fs_getattr_all_fs(thumb_t) fs_read_dos_files(thumb_t) @@ -108,6 +109,7 @@ fs_dontaudit_getattr_nsfs_files(thumb_t) fs_mounton_tmpfs(thumb_t) fs_all_mount_fs_perms_xattr_fs(thumb_t) +fs_all_mount_fs_perms_tmpfs(thumb_t) auth_read_passwd(thumb_t) @@ -134,6 +136,7 @@ term_dontaudit_use_unallocated_ttys(thumb_t) +term_mount_pty_fs(thumb_t) userdom_dontaudit_setattr_user_tmp(thumb_t) userdom_read_user_tmp_files(thumb_t) @@ -212,3 +215,7 @@ optional_policy(` systemd_userdbd_stream_connect(thumb_t) ') + +optional_policy(` + xserver_stream_connect_xdm(thumb_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/tuned.te new/selinux-policy-20260106/policy/modules/contrib/tuned.te --- old/selinux-policy-20251219/policy/modules/contrib/tuned.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/tuned.te 2026-01-06 11:32:43.000000000 +0100 @@ -28,6 +28,9 @@ type tuned_tmp_t; files_tmp_file(tuned_tmp_t) +type tuned_tmpfs_t; +files_tmpfs_file(tuned_tmpfs_t) + type tuned_var_run_t; files_pid_file(tuned_var_run_t) 
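Review bot: The thumb.te hunks add `files_mounton_generic_tmp_dirs`, `fs_all_mount_fs_perms_tmpfs` and `term_mount_pty_fs` to `thumb_t`, which together let the thumbnailer domain mount over `/tmp`, perform every mount-related operation on tmpfs and mount the pty filesystem; none of the four hunks carries a comment saying what needs this. The changelog line "fix: unbreak thumbnailing for Thunar/tumblerd" suggests a sandboxing helper launched by the thumbnailer, and a comment such as `# tumblerd sets up a mount-namespace sandbox for its thumbnailers` (adjusted to the real cause) would let future auditors judge whether the grants are still needed. The `xserver_stream_connect_xdm(thumb_t)` block is fine but equally unexplained.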
@@ -64,6 +67,10 @@ files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir }) can_exec(tuned_t, tuned_tmp_t) +manage_files_pattern(tuned_t, tuned_tmpfs_t, tuned_tmpfs_t) +fs_tmpfs_filetrans(tuned_t, tuned_tmpfs_t, file) +allow tuned_t tuned_tmpfs_t:file map; + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/virt.if new/selinux-policy-20260106/policy/modules/contrib/virt.if --- old/selinux-policy-20251219/policy/modules/contrib/virt.if 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/virt.if 2026-01-06 11:32:43.000000000 +0100 @@ -2259,6 +2259,25 @@ ######################################## ## <summary> +## Read the virtd process state. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_virtd_read_state',` + gen_require(` + type virtd_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> ## Read the svirt process state. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/contrib/virt.te new/selinux-policy-20260106/policy/modules/contrib/virt.te --- old/selinux-policy-20251219/policy/modules/contrib/virt.te 2025-12-19 12:10:05.000000000 +0100 +++ new/selinux-policy-20260106/policy/modules/contrib/virt.te 2026-01-06 11:32:43.000000000 +0100 
@@ -2296,7 +2296,8 @@
 dev_getattr_fs(virtqemud_t)
 dev_read_cpuid(virtqemud_t)
 dev_rw_sysfs(virtqemud_t)
-dev_rw_inherited_dri(virtqemud_t)
+dev_rw_dri(virtqemud_t)
+dev_setattr_dri_dev(virtqemud_t)
 dev_read_urand(virtqemud_t)
 dev_rw_sgx_vepc(virtqemud_t)
 dev_rw_vfio_dev(virtqemud_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/kernel/corecommands.fc new/selinux-policy-20260106/policy/modules/kernel/corecommands.fc
--- old/selinux-policy-20251219/policy/modules/kernel/corecommands.fc 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/kernel/corecommands.fc 2026-01-06 11:32:43.000000000 +0100
@@ -61,6 +61,11 @@
 /etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
 /etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
+/etc/plasmalogin/Xsession -- gen_context(system_u:object_r:bin_t,s0)
+/etc/plasmalogin/wayland-session -- gen_context(system_u:object_r:bin_t,s0)
+/etc/plasmalogin/Xsetup -- gen_context(system_u:object_r:bin_t,s0)
+/etc/plasmalogin/Xstop -- gen_context(system_u:object_r:bin_t,s0)
+
 /etc/sddm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
 /etc/sddm/wayland-session -- gen_context(system_u:object_r:bin_t,s0)
 /etc/sddm/Xsetup -- gen_context(system_u:object_r:bin_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/kernel/files.if new/selinux-policy-20260106/policy/modules/kernel/files.if
--- old/selinux-policy-20251219/policy/modules/kernel/files.if 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/kernel/files.if 2026-01-06 11:32:43.000000000 +0100
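Review bot: Replacing `dev_rw_inherited_dri` with `dev_rw_dri` lets virtqemud_t open /dev/dri nodes itself instead of only using descriptors inherited from its caller, and `dev_setattr_dri_dev` additionally lets it change their attributes; the changelog entry 'Allow virtqemud setattr dri devices' describes only the second half of that. A comment on why the daemon needs to open render nodes directly (presumably to hand a DRI device to a guest's GPU setup — confirm against the AVC) would make the widening reviewable later, e.g. `# virtqemud opens and setattrs /dev/dri render nodes for guests, not only inherited fds`.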
@@ -6924,6 +6924,24 @@
 allow $1 tmp_t:dir watch_with_perm_dir_perms;
 ')
+##########################################
+## <summary>
+## Mounton generic tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`files_mounton_generic_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ## Allow shared library text relocations in tmp files.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/roles/staff.te new/selinux-policy-20260106/policy/modules/roles/staff.te
--- old/selinux-policy-20251219/policy/modules/roles/staff.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/roles/staff.te 2026-01-06 11:32:43.000000000 +0100
@@ -127,6 +127,10 @@
 ')
 optional_policy(`
+ cockpit_session_rw_stream_sockets(staff_t)
+')
+
+optional_policy(`
 colord_dbus_chat(staff_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/services/ssh.if new/selinux-policy-20260106/policy/modules/services/ssh.if
--- old/selinux-policy-20251219/policy/modules/services/ssh.if 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/services/ssh.if 2026-01-06 11:32:43.000000000 +0100
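Review bot: The banner line above `files_mounton_generic_tmp_dirs` appears two characters longer than the `########################################` banner that follows it in the same hunk, and the parameter summary `Domain allowed access` lacks the trailing period that the other interfaces added in this commit (virt.if, ssh.if) use. `## Mounton generic tmp directories.` is also not a sentence; `## Mount a filesystem on top of generic tmp directories (tmp_t).` states what the single `mounton` permission grants. Trim the banner to the width of its neighbours and fix the two doc lines.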
@@ -812,6 +812,25 @@
 ########################################
 ## <summary>
+## Connect to ssh_agent_type over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_agent_stream_connect',`
+ gen_require(`
+ type ssh_agent_tmp_t;
+ attribute ssh_agent_type;
+ ')
+
+ stream_connect_pattern($1, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+')
+
+########################################
+## <summary>
 ## Getattr ssh home directory
 ## </summary>
 ## <param name="domain">
@@ -1317,6 +1336,24 @@
 allow $1 sshd_session_t:unix_stream_socket rw_stream_socket_perms;
 ')
+########################################
+## <summary>
+## Read and write a sshd-session unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_session_rw_pipes',`
+ gen_require(`
+ type sshd_session_t;
+ ')
+
+ allow $1 sshd_session_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 #####################################
 ## <summary>
 ## Allow sshd-session dyntransition to a specified domain.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/services/ssh.te new/selinux-policy-20260106/policy/modules/services/ssh.te
--- old/selinux-policy-20251219/policy/modules/services/ssh.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/services/ssh.te 2026-01-06 11:32:43.000000000 +0100
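Review bot: `ssh_session_rw_pipes` grants `rw_inherited_fifo_file_perms`, i.e. read/write on an already-open descriptor and not `open`, but its summary `Read and write a sshd-session unnamed pipe.` does not say so, and a caller may expect to be able to open the fifo; make it `## Read and write an inherited sshd-session unnamed pipe.` (which also fixes 'a sshd-session'). In the earlier hunk, `ssh_agent_stream_connect` is summarised as connecting to `ssh_agent_type`, while the rule it expands to also requires search and write on `ssh_agent_tmp_t` socket files; a second summary sentence naming the socket file type would help callers pick the right interface.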
@@ -85,7 +85,7 @@
 ssh_session_dyntransition_to(sshd_net_t)
 allow sshd_session_t self:capability { audit_write chown dac_read_search setgid setuid sys_resource };
-allow sshd_session_t self:process { setcurrent setexec setkeycreate setrlimit setsched };
+allow sshd_session_t self:process { rlimitinh setcurrent setexec setkeycreate setrlimit setsched };
 allow sshd_session_t self:netlink_audit_socket { create nlmsg_relay };
 allow sshd_session_t self:netlink_route_socket { bind create getattr nlmsg_read };
 allow sshd_session_t self:udp_socket { connect create getattr };
@@ -168,13 +168,17 @@
 ssh_auth_dyntransition_to(sshd_net_t)
 domtrans_pattern(sshd_session_t, sshd_auth_exec_t, sshd_auth_t)
+allow sshd_auth_t self:capability { setgid setuid sys_chroot };
 allow sshd_auth_t self:process { setcurrent setrlimit };
 allow sshd_auth_t self:unix_dgram_socket { create ioctl };
 allow sshd_auth_t sshd_t:tcp_socket { getattr read write getopt setopt };
+allow sshd_auth_t sshd_t:vsock_socket getattr;
+
 allow sshd_auth_t sshd_session_t:unix_stream_socket { read write };
 kernel_read_proc_files(sshd_auth_t)
+kernel_read_net_sysctls(sshd_auth_t)
 optional_policy(`
 auth_use_nsswitch(sshd_auth_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/services/xserver.fc new/selinux-policy-20260106/policy/modules/services/xserver.fc
--- old/selinux-policy-20251219/policy/modules/services/xserver.fc 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/services/xserver.fc 2026-01-06 11:32:43.000000000 +0100
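Review bot: `allow sshd_auth_t self:capability { setgid setuid sys_chroot };` gives the pre-authentication child the ability to change its uid/gid and chroot, with no comment, although sshd_auth_t is the process that talks to unauthenticated peers. If, as the names suggest, these are used only for privilege separation (chroot into the empty directory, then drop to the unprivileged user), that is a privilege-reducing use and worth stating so the line is not later read as a grant of root-like powers: `# privsep: sshd-auth chroots into the empty dir and drops to the unprivileged user (presumably — confirm against the AVCs)`. The `kernel_read_net_sysctls(sshd_auth_t)` line further down is likewise undocumented; a short why-comment there would help too.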
@@ -53,6 +53,7 @@
 /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
+/etc/greetd(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
 /etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
 /etc/sysconfig/displaymanager -- gen_context(system_u:object_r:xdm_etc_t,s0)
 /etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
@@ -99,11 +100,18 @@
 /usr/bin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/nodm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/plasmalogin -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/plasma-login-wallpaper -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/startplasma-login-wayland -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/libexec/plasma-login-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/libexec/plasmalogin-helper.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
 /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -156,6 +164,8 @@
 /var/lib/cosmic-greeter(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/plasmalogin(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -184,6 +194,8 @@
 /run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
+/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
+/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -192,6 +204,7 @@
 /run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/run/plasmalogin(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/system/iptables.te new/selinux-policy-20260106/policy/modules/system/iptables.te
--- old/selinux-policy-20251219/policy/modules/system/iptables.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/system/iptables.te 2026-01-06 11:32:43.000000000 +0100
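Review bot: The `@@ -184,6 +194,8 @@` hunk adds `/run/greetd[^/]*\.sock -s` and `/run/greetd\.run --` specifications, but the trailing context of the following `@@ -192,6 +204,7 @@` hunk shows the same two lines already present after `/run/sddm(/.*)?` on the old side, so the new xserver.fc labels each greetd /run path from two identical entries. Duplicate specs with the same context are normally only warned about by the file-context tools rather than rejected, but they invite drift if one copy is later changed and the other is not; keep a single copy — either the pre-existing pair after `/run/sddm(/.*)?` or the newly added pair next to `/run/gdm_socket` — and delete the other.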
@@ -146,6 +146,7 @@
 optional_policy(`
 firewalld_read_config(iptables_t)
+ firewalld_read_state(iptables_t)
 firewalld_read_pid_files(iptables_t)
 firewalld_dontaudit_write_tmp_files(iptables_t)
 firewalld_dontaudit_leaks(iptables_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/system/sysnetwork.fc new/selinux-policy-20260106/policy/modules/system/sysnetwork.fc
--- old/selinux-policy-20251219/policy/modules/system/sysnetwork.fc 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/system/sysnetwork.fc 2026-01-06 11:32:43.000000000 +0100
@@ -57,6 +57,8 @@
 /usr/bin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/bin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/libexec/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_hook_exec_t,s0)
+
 #
 # /var
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/system/sysnetwork.te new/selinux-policy-20260106/policy/modules/system/sysnetwork.te
--- old/selinux-policy-20251219/policy/modules/system/sysnetwork.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/system/sysnetwork.te 2026-01-06 11:32:43.000000000 +0100
@@ -31,6 +31,11 @@
 type dhcpc_helper_exec_t;
 init_script_file(dhcpc_helper_exec_t)
+type dhcpc_hook_t;
+type dhcpc_hook_exec_t;
+role system_r types dhcpc_hook_t;
+application_domain(dhcpc_hook_t, dhcpc_hook_exec_t)
+
 type dhcpc_state_t;
 files_type(dhcpc_state_t)
@@ -308,6 +313,46 @@
 ')
 ########################################
+#
+# DHCP client hook local policy
+#
+
+permissive dhcpc_hook_t;
+domtrans_pattern(dhcpc_t, dhcpc_hook_exec_t, dhcpc_hook_t)
+
+allow dhcpc_hook_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(dhcpc_hook_t, dhcpc_var_run_t, dhcpc_var_run_t)
+manage_files_pattern(dhcpc_hook_t, dhcpc_var_run_t, dhcpc_var_run_t)
+files_pid_filetrans(dhcpc_hook_t, dhcpc_var_run_t, { file dir sock_file })
+
+corecmd_exec_bin(dhcpc_hook_t)
+corecmd_exec_shell(dhcpc_hook_t)
+files_rw_etc_files(dhcpc_hook_t)
+
+optional_policy(`
+ auth_read_passwd_file(dhcpc_hook_t)
+')
+
+optional_policy(`
+ dbus_send_system_bus(dhcpc_hook_t)
+ dbus_stream_connect_system_dbusd(dhcpc_hook_t)
+ dbus_write_pid_sock_files(dhcpc_hook_t)
+')
+
+optional_policy(`
+ init_ioctl_stream_sockets(dhcpc_hook_t)
+')
+
+optional_policy(`
+ nscd_socket_use(dhcpc_hook_t)
+')
+
+optional_policy(`
+ sysnet_manage_config(dhcpc_hook_t)
+')
+
+########################################
 #
 # Ifconfig local policy
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/system/systemd-homed.te new/selinux-policy-20260106/policy/modules/system/systemd-homed.te
--- old/selinux-policy-20251219/policy/modules/system/systemd-homed.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/system/systemd-homed.te 2026-01-06 11:32:43.000000000 +0100
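Review bot: `permissive dhcpc_hook_t;` introduces the new domain in permissive mode with nothing marking the line as temporary, so the hook scripts — which run from dhcpcd and are granted `corecmd_exec_shell`, `files_rw_etc_files` and `sysnet_manage_config` here — are logged but not confined until someone remembers to remove it; add `# TODO: drop permissive once AVCs from the dhcpcd hook scripts have been collected in enforcing mode` directly above it. Separately, `files_rw_etc_files(dhcpc_hook_t)` allows writing every etc_t file, while the network configuration files the hooks maintain are presumably covered by `sysnet_manage_config` (net_conf_t); check whether the broad rule is really needed or whether a file the hooks write is simply missing a more specific label. The block is complete within this hunk.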
@@ -189,6 +189,7 @@
 files_delete_home_dir(systemd_homework_t)
 files_search_home(systemd_homework_t)
 files_home_filetrans(systemd_homework_t, systemd_homed_crypto_luks_t, file)
+delete_files_pattern(systemd_homework_t, systemd_homed_record_t, systemd_homed_record_t)
 # unlabeled home directories
 files_manage_isid_type_dirs(systemd_homework_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251219/policy/modules/system/systemd.te new/selinux-policy-20260106/policy/modules/system/systemd.te
--- old/selinux-policy-20251219/policy/modules/system/systemd.te 2025-12-19 12:10:05.000000000 +0100
+++ new/selinux-policy-20260106/policy/modules/system/systemd.te 2026-01-06 11:32:43.000000000 +0100
@@ -655,6 +655,7 @@
 virt_getattr_sandbox_filesystem(systemd_machined_t)
 virt_read_sandbox_files(systemd_machined_t)
 virt_svirt_read_state(systemd_machined_t)
+ virt_virtd_read_state(systemd_machined_t)
 ')
 #######################################
