Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-01-28 15:07:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Jan 28 15:07:00 2026 rev:147 rq:1329290 version:20260126 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-01-21 14:11:55.601257314 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1928/selinux-policy.changes 2026-01-28 15:07:43.463441898 +0100 
@@ -1,0 +2,31 @@ +Mon Jan 26 09:59:16 UTC 2026 - Robert Frohl <[email protected]> + +- Update to version 20260126: + * Allow thumb_t stream connect to systemd-machined + * Allow thumb_t stream connect to systemd-homed + * Allow aide get attributes of tmpfs and devtmpfs filesystems + * Allow sshd noatsecure on sshd-session execution + * Confine rhc-worker-playbook.worker and rhc-playbook-verifier + * Allow kernel_t to read/write all domains' pipes + * Allow domain read sysfs files + * allow abrt_dump_oops to write to init sockets + * Add insights_client service interfaces + * Allow plasma login manager stop login services + * Allow NM nvme dispatcher script start systemd services + * Allow sshd_net_t ioctl on unix_stream_socket of sshd_session_t + * Allow sshd-session read, write, and map ica tmpfs files + * Allow aide get attributes of a filesystem with extended attributes + * Set correct label for glycin fontconfig (bsc#1253682) + * Set correct gstreamer directory label for gnome-desktop-thumbnailer (bsc#1253682) + * Logwatch zz-runtime uses uptime (bsc#1255862) + * Add auth_login_pgm_signull interface (bsc#1255862) + * Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459) + * Allow l2tpd_t access to netlink and sysfs + * Label miscellaneous /dev/papr-* devices + * Allow qemu-ga to skip authentication + * Revert "Allow systemd-coredump signull containers" + * Allow systemd-coredump signull containers +- Syncing with upstream rawhide selinux-policy up to: + * b8928889681b041f10e511fd17accbcb2f82d5e0 + +------------------------------------------------------------------- Old: ---- selinux-policy-20260120.tar.xz New: ---- selinux-policy-20260126.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.DwCvxM/_old 2026-01-28 15:07:45.019506535 +0100 +++ /var/tmp/diff_new_pack.DwCvxM/_new 2026-01-28 15:07:45.035507200 +0100 
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260120 +Version: 20260126 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.DwCvxM/_old 2026-01-28 15:07:45.539528135 +0100 +++ /var/tmp/diff_new_pack.DwCvxM/_new 2026-01-28 15:07:45.599530627 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">d0d57a55b9c2f43ea6d3c9c25513363acdb0802c</param></service></servicedata> + <param name="changesrevision">64cbd1464f31820abcc59c8369778d5943ea46da</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20260120.tar.xz -> selinux-policy-20260126.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/abrt.te new/selinux-policy-20260126/policy/modules/contrib/abrt.te --- old/selinux-policy-20260120/policy/modules/contrib/abrt.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/abrt.te 2026-01-26 10:59:15.000000000 +0100 @@ -591,6 +591,8 @@ init_read_var_lib_files(abrt_dump_oops_t) +init_write_pid_socket(abrt_dump_oops_t) + optional_policy(` samba_stream_connect_winbind(abrt_dump_oops_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/aide.te new/selinux-policy-20260126/policy/modules/contrib/aide.te --- old/selinux-policy-20260120/policy/modules/contrib/aide.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/aide.te 2026-01-26 10:59:15.000000000 +0100 @@ -37,6 +37,7 @@ dev_getattr_all_blk_files(aide_t) dev_getattr_all_chr_files(aide_t) +dev_getattr_fs(aide_t) dev_read_rand(aide_t) dev_read_urand(aide_t) 
@@ -46,6 +47,9 @@ files_getattr_all_pipes(aide_t) files_getattr_all_sockets(aide_t) +fs_getattr_tmpfs(aide_t) +fs_getattr_xattr_fs(aide_t) + init_stream_connectto(aide_t) mls_file_read_to_clearance(aide_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/gnome.fc new/selinux-policy-20260126/policy/modules/contrib/gnome.fc --- old/selinux-policy-20260120/policy/modules/contrib/gnome.fc 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/gnome.fc 2026-01-26 10:59:15.000000000 +0100 @@ -1,5 +1,6 @@ HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.cache/gnome-desktop-thumbnailer/gstreamer-.*(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/gpg.te new/selinux-policy-20260126/policy/modules/contrib/gpg.te --- old/selinux-policy-20260120/policy/modules/contrib/gpg.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/gpg.te 2026-01-26 10:59:15.000000000 +0100 @@ -202,6 +202,13 @@ ') optional_policy(` + rhc_playbook_verifier_manage_var_lib_files(gpg_t) + + rhc_worker_playbook_ioctl_fifo_files(gpg_t) + rhc_worker_playbook_read_fifo_files(gpg_t) +') + +optional_policy(` rpm_manage_cache(gpg_t) ') 
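Review bot: `rhc_playbook_verifier_manage_var_lib_files(gpg_t)` grants create/write/delete on rhc_playbook_verifier_var_lib_t to every process running in gpg_t, not only to the gpg that rhc_playbook_verifier_t spawns, so any confined user's gpg could, subject only to DAC on /var/lib/rhc-playbook-verifier, alter what is presumably the verifier's trust store. If the verifier's gpg genuinely needs write access there (keyring lock files, trustdb updates), say so on the line, e.g. `# gpg spawned by rhc_playbook_verifier_t keeps its homedir under /var/lib/rhc-playbook-verifier`; otherwise a read-only interface is the narrower choice. The fifo rules in the same block are fine as narrow increments.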
@@ -371,6 +378,12 @@ ') optional_policy(` + rhc_playbook_verifier_manage_var_lib_files(gpg_agent_t) + rhc_playbook_verifier_manage_var_lib_dirs(gpg_agent_t) + rhc_playbook_verifier_watch_var_lib_dirs(gpg_agent_t) +') + +optional_policy(` gpm_getattr_gpmctl(gpg_agent_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/insights_client.if new/selinux-policy-20260126/policy/modules/contrib/insights_client.if --- old/selinux-policy-20260120/policy/modules/contrib/insights_client.if 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/insights_client.if 2026-01-26 10:59:15.000000000 +0100 
@@ -492,3 +492,57 @@ files_search_tmp($1) manage_sock_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t) ') + +######################################## +## <summary> +## Get insights_client service status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`insights_client_service_status',` + gen_require(` + type insights_client_unit_file_t; + ') + + allow $1 insights_client_unit_file_t:service status; +') + +######################################## +## <summary> +## Start insights_client service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`insights_client_service_start',` + gen_require(` + type insights_client_unit_file_t; + ') + + allow $1 insights_client_unit_file_t:service { status start }; +') + +######################################## +## <summary> +## Stop insights_client service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`insights_client_service_stop',` + gen_require(` + type insights_client_unit_file_t; + ') + + allow $1 insights_client_unit_file_t:service { status stop }; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/l2tp.te new/selinux-policy-20260126/policy/modules/contrib/l2tp.te --- old/selinux-policy-20260120/policy/modules/contrib/l2tp.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/l2tp.te 2026-01-26 10:59:15.000000000 +0100 
@@ -30,6 +30,7 @@ allow l2tpd_t self:process signal_perms; allow l2tpd_t self:fifo_file rw_fifo_file_perms; allow l2tpd_t self:netlink_socket create_socket_perms; +allow l2tpd_t self:netlink_generic_socket create_socket_perms; allow l2tpd_t self:rawip_socket create_socket_perms; allow l2tpd_t self:socket create_socket_perms; allow l2tpd_t self:tcp_socket { accept listen }; @@ -77,6 +78,7 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) +dev_read_sysfs(l2tpd_t) term_setattr_generic_ptys(l2tpd_t) term_use_generic_ptys(l2tpd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/logwatch.te new/selinux-policy-20260126/policy/modules/contrib/logwatch.te --- old/selinux-policy-20260120/policy/modules/contrib/logwatch.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/logwatch.te 2026-01-26 10:59:15.000000000 +0100 @@ -149,6 +149,10 @@ ') optional_policy(` + auth_login_pgm_signull(logwatch_t) +') + +optional_policy(` bind_read_config(logwatch_t) bind_read_zone(logwatch_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/networkmanager.te new/selinux-policy-20260126/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20260120/policy/modules/contrib/networkmanager.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/networkmanager.te 2026-01-26 10:59:15.000000000 +0100 
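Review bot: `dev_read_sysfs(l2tpd_t)` in the second l2tp.te hunk duplicates the `dev_read_sysfs(domain)` that this same update adds to policy/modules/kernel/domain.te, so if l2tpd_t carries the domain attribute (its declaration is outside the hunk; a daemon domain normally does) the per-domain rule is redundant. Either drop the line or, if the intent is that l2tp keeps working should the domain-wide grant later be withdrawn, keep it with a comment such as `# kept explicitly: l2tpd reads /sys even if the domain-wide sysfs read is removed`. The netlink_generic_socket rule in the first hunk needs no change.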
@@ -739,6 +739,7 @@ systemd_status_systemd_services(NetworkManager_dispatcher_ddclient_t) systemd_start_systemd_services(NetworkManager_dispatcher_sendmail_t) systemd_status_systemd_services(NetworkManager_dispatcher_sendmail_t) + systemd_start_systemd_services(NetworkManager_dispatcher_nvme_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/rhcd.fc new/selinux-policy-20260126/policy/modules/contrib/rhcd.fc --- old/selinux-policy-20260120/policy/modules/contrib/rhcd.fc 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/rhcd.fc 2026-01-26 10:59:15.000000000 +0100 @@ -1,7 +1,12 @@ /usr/bin/rhcd -- gen_context(system_u:object_r:rhcd_exec_t,s0) +/usr/libexec/rhc-playbook-verifier -- gen_context(system_u:object_r:rhc_playbook_verifier_exec_t,s0) +/usr/libexec/rhc/rhc-worker-playbook.worker -- gen_context(system_u:object_r:rhc_worker_playbook_exec_t,s0) + /usr/lib/systemd/system/rhcd.* -- gen_context(system_u:object_r:rhcd_unit_file_t,s0) -/var/log/rhc-worker-playbook(/.*)? gen_context(system_u:object_r:rhcd_var_log_t,s0) +/var/lib/rhc-playbook-verifier(/.*)? gen_context(system_u:object_r:rhc_playbook_verifier_var_lib_t,s0) + +/var/log/rhc-worker-playbook(/.*)? gen_context(system_u:object_r:rhc_worker_playbook_log_t,s0) /run/rhc(/.*)? gen_context(system_u:object_r:rhcd_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/rhcd.if new/selinux-policy-20260126/policy/modules/contrib/rhcd.if --- old/selinux-policy-20260120/policy/modules/contrib/rhcd.if 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/rhcd.if 2026-01-26 10:59:15.000000000 +0100 
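Review bot: `systemd_start_systemd_services(NetworkManager_dispatcher_nvme_t)` is added without the `systemd_status_systemd_services(NetworkManager_dispatcher_nvme_t)` that the ddclient and sendmail dispatchers in the same block pair with their start rule; unless the systemd start interface already bundles status (the insights_client interfaces added in this update grant `{ status start }`, the systemd one may not), `systemctl start` from the nvme script will still trip a status AVC. Add `systemd_status_systemd_services(NetworkManager_dispatcher_nvme_t)` beside the new line, ordered like the sibling pairs. The enclosing optional_policy block starts outside the hunk.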
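Review bot: The `/var/log/rhc-worker-playbook(/.*)?` entry changes an existing path's type from rhcd_var_log_t to rhc_worker_playbook_log_t, so directories already on disk keep the old label until a relabel runs, and nothing in this diff shows rhcd_t (which previously owned that log type) being granted access to the new one; if rhcd itself still writes or rotates these logs that needs a rule, otherwise a comment that only the worker touches them would record the intent. Also the literal dot in `/usr/libexec/rhc/rhc-worker-playbook.worker` is unescaped, unlike the `HOME_DIR/\.cache` entries elsewhere in this update; `/usr/libexec/rhc/rhc-worker-playbook\.worker` is the precise form.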
@@ -109,3 +109,96 @@ allow $1 rhcd_t:unix_dgram_socket sendto; ') + +###################################### +## <summary> +## Read rhc_worker_playbook fifo files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhc_worker_playbook_read_fifo_files',` + gen_require(` + type rhc_worker_playbook_t; + ') + + allow $1 rhc_worker_playbook_t:fifo_file read_fifo_file_perms; +') + +###################################### +## <summary> +## Ioctl rhc_worker_playbook fifo files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhc_worker_playbook_ioctl_fifo_files',` + gen_require(` + type rhc_worker_playbook_t; + ') + + allow $1 rhc_worker_playbook_t:fifo_file ioctl; +') + +###################################### +## <summary> +## Manage rhc_playbook_verifier /var/lib files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhc_playbook_verifier_manage_var_lib_files',` + gen_require(` + type rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +') + +###################################### +## <summary> +## Manage rhc_playbook_verifier /var/lib dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhc_playbook_verifier_manage_var_lib_dirs',` + gen_require(` + type rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +') + +###################################### +## <summary> +## Watch rhc_playbook_verifier /var/lib dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rhc_playbook_verifier_watch_var_lib_dirs',` + gen_require(` + type rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t; + ') + + files_search_var_lib($1) + watch_dirs_pattern($1, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/rhcd.te new/selinux-policy-20260126/policy/modules/contrib/rhcd.te --- old/selinux-policy-20260120/policy/modules/contrib/rhcd.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/rhcd.te 2026-01-26 10:59:15.000000000 +0100 @@ -9,6 +9,16 @@ type rhcd_exec_t; init_daemon_domain(rhcd_t, rhcd_exec_t) +type rhc_worker_playbook_t; +type rhc_worker_playbook_exec_t; +application_domain(rhc_worker_playbook_t, rhc_worker_playbook_exec_t) +role system_r types rhc_worker_playbook_t; + +type rhc_playbook_verifier_t; +type rhc_playbook_verifier_exec_t; +application_domain(rhc_playbook_verifier_t, rhc_playbook_verifier_exec_t) +role system_r types rhc_playbook_verifier_t; + type rhcd_unit_file_t; systemd_unit_file(rhcd_unit_file_t) @@ -24,6 +34,18 @@ type rhcd_var_run_t; files_pid_file(rhcd_var_run_t) +type rhc_playbook_verifier_var_lib_t; +files_type(rhc_playbook_verifier_var_lib_t) + +type rhc_worker_playbook_log_t; +logging_log_file(rhc_worker_playbook_log_t) + +type rhc_worker_playbook_tmp_t; +files_tmp_file(rhc_worker_playbook_tmp_t) + +type rhc_worker_playbook_tmpfs_t; +files_tmp_file(rhc_worker_playbook_tmpfs_t) + ######################################## # # rhcd local policy 
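Review bot: The gen_require blocks of `rhc_playbook_verifier_manage_var_lib_files`, `rhc_playbook_verifier_manage_var_lib_dirs` and `rhc_playbook_verifier_watch_var_lib_dirs` list `type rhc_playbook_verifier_t` although none of the three bodies uses it, which makes every caller depend on the domain type for no reason. Trim each to `type rhc_playbook_verifier_var_lib_t;`. The hunk starts on the previous line with the two fifo interfaces, which already require only the type they use.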
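Review bot: `files_tmp_file(rhc_worker_playbook_tmpfs_t)` declares the tmpfs type with the /tmp-file interface, apparently copied from the rhc_worker_playbook_tmp_t line just above it, so the type receives the tmpfile attribute and is treated as /tmp content by anything keyed on that attribute rather than as a tmpfs object. The usual declaration for a *_tmpfs_t type is `files_tmpfs_file(rhc_worker_playbook_tmpfs_t)`; confirm that interface exists in this tree and switch to it, since the local-policy hunk further down creates these files through fs_tmpfs_filetrans.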
@@ -219,3 +241,131 @@ userdom_manage_admin_files(rhcd_t) userdom_view_all_users_keys(rhcd_t) ') + +######################################## +# +# rhc_worker_playbook local policy +# +domtrans_pattern(rhcd_t, rhc_worker_playbook_exec_t, rhc_worker_playbook_t) +permissive rhc_worker_playbook_t; + +allow rhc_worker_playbook_t self:capability sys_rawio; + +allow rhc_worker_playbook_t self:netlink_generic_socket create_socket_perms; +allow rhc_worker_playbook_t self:netlink_route_socket r_netlink_socket_perms; +allow rhc_worker_playbook_t self:tcp_socket create_stream_socket_perms; +allow rhc_worker_playbook_t self:udp_socket { connect connected_socket_perms }; +allow rhc_worker_playbook_t self:unix_dgram_socket create_socket_perms; + +#allow rhc_worker_playbook_t file_type:file read_file_perms; +#allow rhc_worker_playbook_t file_type:dir list_dir_perms; +#allow rhc_worker_playbook_t file_type:lnk_file read_lnk_file_perms; + +manage_files_pattern(rhc_worker_playbook_t, rhc_worker_playbook_log_t, rhc_worker_playbook_log_t) +create_dirs_pattern(rhc_worker_playbook_t, rhc_worker_playbook_log_t, rhc_worker_playbook_log_t) + +manage_dirs_pattern(rhc_worker_playbook_t, rhc_worker_playbook_tmp_t, rhc_worker_playbook_tmp_t) +manage_files_pattern(rhc_worker_playbook_t, rhc_worker_playbook_tmp_t, rhc_worker_playbook_tmp_t) +files_tmp_filetrans(rhc_worker_playbook_t, rhc_worker_playbook_tmp_t, { dir file }) + +manage_files_pattern(rhc_worker_playbook_t, rhc_worker_playbook_tmpfs_t, rhc_worker_playbook_tmpfs_t) +fs_tmpfs_filetrans(rhc_worker_playbook_t, rhc_worker_playbook_tmpfs_t, file) +allow rhc_worker_playbook_t rhc_worker_playbook_tmpfs_t:file map; + +kernel_read_net_sysctls(rhc_worker_playbook_t) + +corecmd_exec_bin(rhc_worker_playbook_t) +corecmd_exec_shell(rhc_worker_playbook_t) + +corenet_tcp_bind_generic_node(rhc_worker_playbook_t) + +dev_getattr_all(rhc_worker_playbook_t) + +files_read_all_files(rhc_worker_playbook_t) +files_read_all_symlinks(rhc_worker_playbook_t) 
+files_list_all(rhc_worker_playbook_t) + +fs_getattr_xattr_fs(rhc_worker_playbook_t) + +#storage_raw_read_fixed_disk_blk_device(rhc_worker_playbook_t) +storage_raw_read_fixed_disk(rhc_worker_playbook_t) + +optional_policy(` + auth_can_read_shadow_passwords(rhc_worker_playbook_t) +') + +optional_policy(` + dmidecode_domtrans(rhc_worker_playbook_t) +') + +optional_policy(` + init_read_state(rhc_worker_playbook_t) +') + +optional_policy(` + logging_send_syslog_msg(rhc_worker_playbook_t) +') + +optional_policy(` + libs_domtrans_ldconfig(rhc_worker_playbook_t) +') + +optional_policy(` + lvm_domtrans(rhc_worker_playbook_t) +') + +optional_policy(` + ssh_exec(rhc_worker_playbook_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(rhc_worker_playbook_t) +') + +optional_policy(` + term_use_generic_ptys(rhc_worker_playbook_t) +') + +optional_policy(` + udev_domtrans(rhc_worker_playbook_t) +') + +# interactions with other types from this module +allow rhc_worker_playbook_t rhcd_t:unix_stream_socket connectto; +allow rhcd_t rhc_worker_playbook_t:unix_stream_socket connectto; +allow rhcd_t rhc_worker_playbook_t:process sigkill; + +######################################## +# +# rhc_playbook_verifier local policy +# +domtrans_pattern(rhc_worker_playbook_t, rhc_playbook_verifier_exec_t, rhc_playbook_verifier_t) +permissive rhc_playbook_verifier_t; + +allow rhc_playbook_verifier_t self:unix_stream_socket connectto; + +manage_files_pattern(rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +manage_dirs_pattern(rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +allow rhc_playbook_verifier_t rhc_playbook_verifier_var_lib_t:dir watch; + +corecmd_exec_bin(rhc_playbook_verifier_t) + +optional_policy(` + auth_read_passwd(rhc_playbook_verifier_t) +') + +optional_policy(` + gpg_domtrans(rhc_playbook_verifier_t) + gpg_domtrans_agent(rhc_playbook_verifier_t) + + 
gpg_agent_stream_connect(rhc_playbook_verifier_t) +') + +optional_policy(` + miscfiles_read_generic_certs(rhc_playbook_verifier_t) +') + +optional_policy(` + userdom_manage_tmp_dirs(rhc_playbook_verifier_t) + userdom_write_user_tmp_sockets(rhc_playbook_verifier_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/thumb.te new/selinux-policy-20260126/policy/modules/contrib/thumb.te --- old/selinux-policy-20260120/policy/modules/contrib/thumb.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/thumb.te 2026-01-26 10:59:15.000000000 +0100 @@ -213,9 +213,14 @@ ') optional_policy(` + systemd_machined_stream_connect(thumb_t) systemd_userdbd_stream_connect(thumb_t) ') optional_policy(` + systemd_homed_stream_connect(thumb_t) +') + +optional_policy(` xserver_stream_connect_xdm(thumb_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/contrib/virt_supplementary.te new/selinux-policy-20260126/policy/modules/contrib/virt_supplementary.te --- old/selinux-policy-20260120/policy/modules/contrib/virt_supplementary.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/contrib/virt_supplementary.te 2026-01-26 10:59:15.000000000 +0100 @@ -42,6 +42,7 @@ gen_require(` class passwd passwd; + class passwd rootok; ') type virt_qmf_t; 
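Review bot: Both new domains are declared `permissive rhc_worker_playbook_t;` and `permissive rhc_playbook_verifier_t;`, so none of the rules in this hunk are enforced; together with `files_read_all_files`, `auth_can_read_shadow_passwords`, `storage_raw_read_fixed_disk` and `self:capability sys_rawio` for the worker, the module currently yields audit records rather than confinement. Each `permissive` line should carry a tracking comment, e.g. `# TODO: drop permissive once AVCs from real playbook runs have been collected`, so the exception does not ship indefinitely. The commented-out `#allow rhc_worker_playbook_t file_type:...` rules and `#storage_raw_read_fixed_disk_blk_device(...)` are dead text; delete them or replace them with one comment saying that files_read_all_files()/files_list_all() cover those reads. The diff gives the worker only read access to rhc_playbook_verifier_var_lib_t, which looks deliberate; a comment stating that the worker must never write the verifier's state would keep that boundary from being "fixed" by a later AVC-driven rule.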
@@ -160,6 +161,7 @@ allow virt_qemu_ga_t self:capability { dac_override dac_read_search sys_admin sys_time sys_tty_config }; allow virt_qemu_ga_t self:passwd passwd; +allow virt_qemu_ga_t self:passwd rootok; allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/kernel/devices.fc new/selinux-policy-20260126/policy/modules/kernel/devices.fc --- old/selinux-policy-20260120/policy/modules/kernel/devices.fc 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/kernel/devices.fc 2026-01-26 10:59:15.000000000 +0100 @@ -109,6 +109,10 @@ /dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/papr-hvpipe -c gen_context(system_u:object_r:papr_hvpipe_device_t,s0) +/dev/papr-indices -c gen_context(system_u:object_r:papr_indices_device_t,s0) +/dev/papr-physical-attestation -c gen_context(system_u:object_r:papr_phy_attest_device_t,s0) +/dev/papr-platform-dump -c gen_context(system_u:object_r:papr_platform_dump_device_t,s0) /dev/papr-sysparm -c gen_context(system_u:object_r:papr_sysparm_device_t,s0) /dev/papr-vpd -c gen_context(system_u:object_r:papr_vpd_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/kernel/devices.te new/selinux-policy-20260126/policy/modules/kernel/devices.te --- old/selinux-policy-20260120/policy/modules/kernel/devices.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/kernel/devices.te 2026-01-26 10:59:15.000000000 +0100 
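Review bot: `allow virt_qemu_ga_t self:passwd rootok;` lets the guest agent pass the rootok check that pam_rootok performs under SELinux, i.e. run the passwd stack for any account without the current password; that is presumably what the guest-set-user-password command needs, but it is a host-driven credential override and the rule carries no explanation. Add a why-comment on the line, e.g. `# guest-set-user-password: qemu-ga (root) changes passwords via pam_rootok without the old one`, so the grant is neither removed nor widened by accident. The matching `class passwd rootok;` require is in the earlier hunk of this file.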
@@ -323,6 +323,14 @@ # # Types for /dev/papr-* devices # +type papr_hvpipe_device_t; +dev_node(papr_hvpipe_device_t) +type papr_indices_device_t; +dev_node(papr_indices_device_t) +type papr_phy_attest_device_t; +dev_node(papr_phy_attest_device_t) +type papr_platform_dump_device_t; +dev_node(papr_platform_dump_device_t) type papr_sysparm_device_t; dev_node(papr_sysparm_device_t) type papr_vpd_device_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/kernel/domain.if new/selinux-policy-20260126/policy/modules/kernel/domain.if --- old/selinux-policy-20260120/policy/modules/kernel/domain.if 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/kernel/domain.if 2026-01-26 10:59:15.000000000 +0100 @@ -1412,6 +1412,24 @@ ######################################## ## <summary> +## Read/write all domains' unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_rw_all_pipes',` + gen_require(` + attribute domain; + ') + + allow $1 domain:fifo_file rw_file_perms; +') + +######################################## +## <summary> ## Allow specified type to set context of all ## domains IPSEC associations. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/kernel/domain.te new/selinux-policy-20260126/policy/modules/kernel/domain.te --- old/selinux-policy-20260120/policy/modules/kernel/domain.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/kernel/domain.te 2026-01-26 10:59:15.000000000 +0100 
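Review bot: `domain_rw_all_pipes` uses `rw_file_perms` on the fifo_file class, whereas the fifo interfaces added to rhcd.if in this same update use the class-specific `read_fifo_file_perms`; write it as `allow $1 domain:fifo_file rw_fifo_file_perms;` so the rule reads like its siblings and tracks any future divergence between the two permission sets. The summary "Read/write all domains' unnamed pipes" holds because unnamed pipes are labelled with the creating domain's type, but stating that in the interface comment would spare the next reader the same check.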
@@ -152,6 +152,7 @@ # Use trusted objects in /dev dev_read_cpu_online(domain) +dev_read_sysfs(domain) dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/kernel/kernel.te new/selinux-policy-20260126/policy/modules/kernel/kernel.te --- old/selinux-policy-20260120/policy/modules/kernel/kernel.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/kernel/kernel.te 2026-01-26 10:59:15.000000000 +0100 @@ -393,6 +393,7 @@ domain_search_all_domains_state(kernel_t) domain_connect_all_stream_sockets(kernel_t) domain_rw_all_sockets(kernel_t) +domain_rw_all_pipes(kernel_t) # Needed for overlayfs mounter checks # (see: https://bugzilla.redhat.com/show_bug.cgi?id=2215454) domain_obj_id_change_exemption(kernel_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/services/ssh.te new/selinux-policy-20260126/policy/modules/services/ssh.te --- old/selinux-policy-20260120/policy/modules/services/ssh.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/services/ssh.te 2026-01-26 10:59:15.000000000 +0100 @@ -90,9 +90,10 @@ allow sshd_session_t self:netlink_route_socket { bind create getattr nlmsg_read }; allow sshd_session_t self:udp_socket { connect create getattr }; +allow sshd_t sshd_session_t:process noatsecure; allow sshd_net_t sshd_t:vsock_socket { read write }; allow sshd_net_t sshd_session_t:fifo_file write; -allow sshd_net_t sshd_session_t:unix_stream_socket { read write }; +allow sshd_net_t sshd_session_t:unix_stream_socket { ioctl read write }; allow sshd_session_t sshd_t:tcp_socket { getattr getopt read setopt write }; allow sshd_session_t sshd_t:unix_stream_socket { read write }; allow sshd_session_t sshd_t:vsock_socket { getattr }; 
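Review bot: `dev_read_sysfs(domain)` gives every confined domain read access to sysfs_t in one line, a policy-wide relaxation rather than a fix for one service, and it lands under the `# Use trusted objects in /dev` comment, which does not describe /sys. Give it its own comment stating the reason (presumably that common libraries probe /sys for topology and device attributes), and note that it makes per-domain dev_read_sysfs() calls, such as the one added to l2tp.te in this same update, redundant. If any sysfs content is treated as sensitive on this product, this is the rule to revisit.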
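Review bot: `domain_rw_all_pipes(kernel_t)` grants kernel_t read and write on every domain's pipes without the rationale comment that the neighbouring `domain_obj_id_change_exemption(kernel_t)` carries (`# Needed for overlayfs mounter checks (see: ...)`); the changelog only restates the permission. Add a comment in the same form naming the kernel-side path that needs it (not visible here) and a bug reference, so the rule can be retired when that consumer changes.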
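Review bot: `allow sshd_t sshd_session_t:process noatsecure;` in effect clears AT_SECURE on the sshd_t to sshd_session_t transition, so the loader in sshd-session no longer filters secure-mode environment variables (LD_PRELOAD, LD_LIBRARY_PATH and similar) inherited from sshd_t; the hunk gives no reason and the changelog only restates the permission. Add a comment naming what breaks without it (presumably an environment variable sshd-session must inherit), e.g. `# sshd hands its environment to sshd-session; AT_SECURE would strip it`, so the grant is not copied to other parents of sshd_session_t. The `ioctl` added to the sshd_net_t unix_stream_socket rule is a narrow increment and needs no change.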
@@ -130,6 +131,10 @@ ') optional_policy(` + ica_rw_map_tmpfs_files(sshd_session_t) +') + +optional_policy(` systemd_dbus_chat_hostnamed(sshd_session_t) systemd_userdbd_stream_connect(sshd_session_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/services/xserver.fc new/selinux-policy-20260126/policy/modules/services/xserver.fc --- old/selinux-policy-20260120/policy/modules/services/xserver.fc 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/services/xserver.fc 2026-01-26 10:59:15.000000000 +0100 @@ -2,6 +2,7 @@ # HOME_DIR # HOME_DIR/\.cache/fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.cache/glycin/usr/libexec/glycin-loaders/.+/glycin-svg/fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.config/fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/services/xserver.te new/selinux-policy-20260126/policy/modules/services/xserver.te --- old/selinux-policy-20260120/policy/modules/services/xserver.te 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/services/xserver.te 2026-01-26 10:59:15.000000000 +0100 
@@ -458,7 +458,7 @@ allow xdm_t x_domain:system { status reload }; -allow xdm_t xdm_unit_file_t:service { status start }; +allow xdm_t xdm_unit_file_t:service { status start stop }; allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260120/policy/modules/system/authlogin.if new/selinux-policy-20260126/policy/modules/system/authlogin.if --- old/selinux-policy-20260120/policy/modules/system/authlogin.if 2026-01-20 09:40:28.000000000 +0100 +++ new/selinux-policy-20260126/policy/modules/system/authlogin.if 2026-01-26 10:59:15.000000000 +0100 @@ -2695,6 +2695,24 @@ ######################################## ## <summary> +## Send a SIGNULL signal to login programs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_login_pgm_signull',` + gen_require(` + attribute login_pgm; + ') + + allow $1 login_pgm:process signull; +') + +######################################## +## <summary> ## Manage the keyrings of all login programs ## </summary> ## <param name="domain">
