Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2026-02-21 21:01:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Sat Feb 21 21:01:02 2026 rev:36 rq:1333998 version:2.246.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2025-12-17 17:34:10.854134591 +0100
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.1977/container-selinux.changes
    2026-02-21 21:01:28.991715699 +0100
@@ -1,0 +2,9 @@
+Thu Feb 19 15:14:17 UTC 2026 - Johannes Segitz <[email protected]>
+
+- Update to version 2.246.0:
+  * Allow containers to mount on container_var_run_t directories
+  * Allow container_runtime_domain runtime fifo_files transition
+  * Allow TUN/TAP device access for container_engine_t
+  * Add the container_signull() interface
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.245.0.tar.xz

New:
----
  container-selinux-2.246.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.6iYAWI/_old  2026-02-21 21:01:30.731787036 +0100
+++ /var/tmp/diff_new_pack.6iYAWI/_new  2026-02-21 21:01:30.731787036 +0100
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.245.0
+Version:        2.246.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.6iYAWI/_old  2026-02-21 21:01:30.787789332 +0100
+++ /var/tmp/diff_new_pack.6iYAWI/_new  2026-02-21 21:01:30.791789496 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
-              <param 
name="changesrevision">3f7c37e93e172f531de233f40a58a1b8ec6ff17d</param></service></servicedata>
+              <param 
name="changesrevision">521cf8c56e8df7cd6809571ed9e796b495ceaa71</param></service></servicedata>
 (No newline at EOF)
 

++++++ container-selinux-2.245.0.tar.xz -> container-selinux-2.246.0.tar.xz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/.packit.yaml 
new/container-selinux-2.246.0/.packit.yaml
--- old/container-selinux-2.245.0/.packit.yaml  2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/.packit.yaml  2026-02-19 13:11:16.000000000 
+0100
@@ -74,9 +74,6 @@
   - job: copr_build
     trigger: commit
     packages: [container-selinux-fedora]
-    notifications:
-      failure_comment:
-        message: "podman-next COPR build failed. @containers/packit-build 
please check."
     branch: main
     owner: rhcontainerbot
     project: podman-next
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/Makefile 
new/container-selinux-2.246.0/Makefile
--- old/container-selinux-2.245.0/Makefile      2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/Makefile      2026-02-19 13:11:16.000000000 
+0100
@@ -37,3 +37,16 @@
 install.udica-templates:
        install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
        install -pm 644 udica-templates/*.cil 
$(DESTDIR)$(SHAREDIR)/udica/templates
+
+.PHONY: validate-xml
+validate-xml:
+       @echo "Validating XML in policy files..."
+       @hash xmllint 2>/dev/null || { echo "Error: xmllint not found. Please 
install libxml2." >&2; exit 1; }
+       @test -d $(SHAREDIR)/selinux/devel/include/support || { echo "Error: 
selinux-policy-devel not properly installed." >&2; exit 1; }
+       @tmpdir=$$(mktemp -d) && \
+       echo "Generating XML from policy files..." && \
+       python3 $(SHAREDIR)/selinux/devel/include/support/segenxml.py -w -m 
./$(TARGETS) > "$$tmpdir/$(TARGETS).xml" || { echo "Error: Failed to generate 
XML." >&2; rm -rf "$$tmpdir"; exit 1; } && \
+       echo "Validating generated XML..." && \
+       xmllint --noout "$$tmpdir/$(TARGETS).xml" || { echo "Error: XML 
validation failed." >&2; rm -rf "$$tmpdir"; exit 1; } && \
+       echo "XML validation successful." && \
+       rm -rf "$$tmpdir"
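Review bot: The temporary directory in `validate-xml` is removed only on the three paths the recipe spells out, and a failing `mktemp -d` falls through to the first handler and is reported as "Failed to generate XML". Setting `trap 'rm -rf "$$tmpdir"' EXIT` right after `tmpdir=$$(mktemp -d)` would cover every exit path in one place (in bash, signal exits too) and let the repeated `rm -rf` calls go. `$(TARGETS)` is expanded unquoted into both the segenxml.py argument and the output file name, which holds only while it is a single word; its definition is outside the hunk. `xmllint --noout` checks well-formedness only, so a comment such as `# checks that the generated XML is well-formed (no DTD validation)` above the target would keep the name from overpromising.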
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/OWNERS 
new/container-selinux-2.246.0/OWNERS
--- old/container-selinux-2.245.0/OWNERS        2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/OWNERS        2026-02-19 13:11:16.000000000 
+0100
@@ -1,5 +1,6 @@
 approvers:
-  - haircommander   
+  - haircommander
+  - jankaluza
   - lsm5
   - rhatdan
   - wrabcak
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/container.if 
new/container-selinux-2.246.0/container.if
--- old/container-selinux-2.245.0/container.if  2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/container.if  2026-02-19 13:11:16.000000000 
+0100
@@ -418,6 +418,25 @@
 
 ########################################
 ## <summary>
+##     Write container PID fifo files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_write_pid_fifo_files',`
+       gen_require(`
+               type container_var_run_t;
+       ')
+
+       files_search_pids($1)
+       write_fifo_files_pattern($1, container_var_run_t, container_var_run_t)
+')
+
+########################################
+## <summary>
 ##     Execute container server in the container domain.
 ## </summary>
 ## <param name="domain">
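Review bot: The summary of `container_write_pid_fifo_files` speaks of "PID fifo files" and the body only adds `files_search_pids($1)`, yet the container.te change in this same update extends `files_tmp_filetrans` so that FIFOs created under temporary directories also receive `container_var_run_t`. If callers are meant to reach those as well, they would need tmp-directory search from elsewhere; if not, the summary could say so, e.g. `Write container runtime fifo files under /run (container_var_run_t).`. No caller of the interface is visible in this diff, so the intended user is worth naming in the header comment.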
@@ -1066,3 +1085,21 @@
        files_type($1)
        files_mountpoint($1)
 ')
+
+#######################################
+## <summary>
+##      Send null signals to container.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+#
+interface(`container_signull',`
+        gen_require(`
+                type container_t;
+        ')
+
+        allow $1 container_t:process signull;
+')
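Review bot: The header of `container_signull` departs from the file's conventions in small ways: the parameter summary `Domain allowed access` lacks the trailing period used by the interface added earlier in this file, and the separator line looks one `#` shorter than the others. The block also appears to be indented with spaces where the earlier hunk uses tabs, although the mail rendering may have altered whitespace. A more explicit summary, for example `Send null signals to container processes (existence check only, no signal is delivered).`, would make the limited scope of the `signull` permission clear to callers.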
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/container.te 
new/container-selinux-2.246.0/container.te
--- old/container-selinux-2.245.0/container.te  2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/container.te  2026-02-19 13:11:16.000000000 
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.245.0)
+policy_module(container, 2.246.0)
 
 gen_require(`
        class passwd rootok;
@@ -86,7 +86,7 @@
 ## <desc>
 ##  <p>
 ##  Allow containers to read shared public files
-##  (public_content_t & public_content_rw_t)
+##  (public_content_t &amp; public_content_rw_t)
 ##  </p>
 ## </desc>
 gen_tunable(container_read_public_content, false)
@@ -337,7 +337,7 @@
 manage_sock_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
-files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir 
fifo_file file lnk_file sock_file })
 allow container_runtime_domain container_var_run_t:dir_file_class_set 
relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom 
rw_chr_file_perms setattr_chr_file_perms };
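Review bot: Adding `fifo_file` to `files_tmp_filetrans` only sets the label for new FIFOs; the context lines show `manage_sock_files_pattern` and `manage_lnk_files_pattern` for `container_var_run_t`, but no matching `manage_fifo_files_pattern` is visible in the hunk. If that rule is not already present above the context, the transition would give new FIFOs a label that container_runtime_domain is not allowed to create, and `manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)` should accompany it. The neighbouring `files_pid_filetrans` class list still omits `fifo_file`; if that asymmetry is intended, a brief comment saying why would help.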
@@ -1365,8 +1365,8 @@
 
 allow container_t proc_t:filesystem remount;
 
-# Allow containers to access shared runtime directories for OCI runtime 
optimizations
-allow container_t container_var_run_t:dir list_dir_perms;
+# Allow containers to access and mount on shared runtime directories for OCI 
runtime optimizations
+allow container_t container_var_run_t:dir { list_dir_perms mounton };
 
 # Container kvm - Policy for running kata containers
 container_domain_template(container_kvm, container)
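Review bot: The updated comment still justifies the rule only as "OCI runtime optimizations", which is thin for a change that lets the confined `container_t` domain use `container_var_run_t` directories as mount points. `mounton` applies to every directory carrying that type, including ones labelled through the filetrans rules earlier in this file, so the comment should name what needs it, e.g. `# mounton: required by <runtime and operation — fill in>`. If only some deployments need this, gating it behind a tunable in the style of `container_read_public_content` would keep the default tighter.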
@@ -1500,6 +1500,8 @@
 term_mount_pty_fs(container_engine_t)
 term_use_generic_ptys(container_engine_t)
 
+corenet_rw_tun_tap_dev(container_engine_t)
+
 allow container_engine_t container_file_t:chr_file mounton;
 allow container_engine_t filesystem_type:{dir file} mounton;
 allow container_engine_t proc_kcore_t:file mounton;
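Review bot: `corenet_rw_tun_tap_dev(container_engine_t)` is added without a comment and unconditionally, so every `container_engine_t` process gains read/write access to the TUN/TAP device whether or not its workload uses it. A line such as `# TUN/TAP access for <feature that needs it — fill in>` above the call would record the reason. Since the file already defines booleans with `gen_tunable(...)`, it is worth considering whether this belongs inside a `tunable_policy` block that defaults to off.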
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/plans/main.fmf 
new/container-selinux-2.246.0/plans/main.fmf
--- old/container-selinux-2.245.0/plans/main.fmf        2025-12-15 
16:33:19.000000000 +0100
+++ new/container-selinux-2.246.0/plans/main.fmf        2026-02-19 
13:11:16.000000000 +0100
@@ -21,6 +21,10 @@
     discover+:
         test: /test/basic_check
 
+/xmllint_validation:
+    discover+:
+        test: /test/xmllint_validation
+
 /podman_rootful_system:
     discover+:
         test: /test/podman_rootful_system
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.245.0/test/main.fmf 
new/container-selinux-2.246.0/test/main.fmf
--- old/container-selinux-2.245.0/test/main.fmf 2025-12-15 16:33:19.000000000 
+0100
+++ new/container-selinux-2.246.0/test/main.fmf 2026-02-19 13:11:16.000000000 
+0100
@@ -13,6 +13,13 @@
         semodule -B
         rpm -Vqf /var/lib/selinux/*/active/modules/200/container
 
+/xmllint_validation:
+    summary: Validate XML in SELinux policy files
+    require+:
+        - libxml2
+        - selinux-policy-devel
+    test: make -C .. validate-xml
+
 /podman_rootful_system:
     summary: Run SELinux specific Podman system tests
     test: bash ./podman-rootful-tests.sh
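Review bot: The new `/xmllint_validation` test lists `libxml2` and `selinux-policy-devel` under `require+`, but the `validate-xml` recipe it calls also runs `python3` and `make`, and neither is declared here. Unless they are pulled in by a plan-level requirement outside this hunk, adding `- python3` and `- make` keeps the test from failing on a minimal image for reasons unrelated to the policy. The Makefile target checks for `xmllint` and the support directory up front but has no equivalent check for `python3`.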
