Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-03-11 20:49:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Mar 11 20:49:59 2026 rev:154 rq:1338232 version:20260311 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-03-10 20:37:08.456048244 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.8177/selinux-policy.changes 2026-03-11 20:50:15.809471636 +0100
@@ -1,0 +2,10 @@
+Wed Mar 11 08:20:07 UTC 2026 - Cathy Hu <[email protected]>
+
+- Update to version 20260311:
+ * Allow redis_t to create netlink_rdma_socket
+ * Allow systemd create symlinks in /run/varlink/registry
+ * Support hooks in /run/systemd/resolve.hook
+ * Allow virtlogd_t dac_override for virtlock (bsc#1253389)
+ * Allow mdadm use modprobe (bsc#1257793)
+
+-------------------------------------------------------------------
Old: ---- selinux-policy-20260310.tar.xz New: ---- selinux-policy-20260311.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.Uwd0oy/_old 2026-03-11 20:50:17.325533100 +0100
+++ /var/tmp/diff_new_pack.Uwd0oy/_new 2026-03-11 20:50:17.329533263 +0100
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20260310
+Version: 20260311
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Uwd0oy/_old 2026-03-11 20:50:17.421536993 +0100
+++ /var/tmp/diff_new_pack.Uwd0oy/_new 2026-03-11 20:50:17.429537317 +0100
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">0378402079a8c5e42936ef9e8f079c531088a936</param></service></servicedata> + <param name="changesrevision">98ea6e7f0280ea85501ca008907550c2cd221946</param></service></servicedata> (No newline at EOF)
++++++ selinux-policy-20260310.tar.xz -> selinux-policy-20260311.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/contrib/raid.te new/selinux-policy-20260311/policy/modules/contrib/raid.te
--- old/selinux-policy-20260310/policy/modules/contrib/raid.te 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/contrib/raid.te 2026-03-11 09:19:42.000000000 +0100
@@ -121,6 +121,8 @@
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
+modutils_domtrans_kmod(mdadm_t)
+
 storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/contrib/redis.te new/selinux-policy-20260311/policy/modules/contrib/redis.te
--- old/selinux-policy-20260310/policy/modules/contrib/redis.te 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/contrib/redis.te 2026-03-11 09:19:42.000000000 +0100
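Review bot: The added `modutils_domtrans_kmod(mdadm_t)` in raid.te has no comment explaining why mdadm needs it, and it is one of the stronger grants in this module: it lets mdadm_t run modprobe in the kmod domain and so load kernel modules. The changelog ties it to bsc#1257793, so I would record that next to the rule, for example `# mdadm executes modprobe (bsc#1257793)`. Which module mdadm asks for is not visible on this page. If the denials in the bug show only a kernel autoload request rather than an exec of modprobe, `kernel_request_load_module(mdadm_t)` would be the narrower grant.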
@@ -49,6 +49,9 @@
 allow redis_t self:unix_stream_socket create_stream_socket_perms;
 allow redis_t self:tcp_socket create_stream_socket_perms;
+# RDMA
+allow redis_t self:netlink_rdma_socket create_socket_perms;
+
 manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)
 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/system/init.te new/selinux-policy-20260311/policy/modules/system/init.te
--- old/selinux-policy-20260310/policy/modules/system/init.te 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/system/init.te 2026-03-11 09:19:42.000000000 +0100
@@ -595,8 +595,10 @@
 systemd_hostnamed_delete_config(init_t)
 systemd_manage_conf_files(init_t)
 systemd_rw_networkd_tmpfs_files(init_t)
+ systemd_machined_create_pid_lnk_files(init_t)
 systemd_machined_watch_user_ptys(init_t)
 systemd_machined_watch_reads_user_ptys(init_t)
+ systemd_varlink_registry_create_lnk_files(init_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/system/systemd.fc new/selinux-policy-20260311/policy/modules/system/systemd.fc
--- old/selinux-policy-20260310/policy/modules/system/systemd.fc 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/system/systemd.fc 2026-03-11 09:19:42.000000000 +0100
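Review bot: The two calls added to init.te, `systemd_machined_create_pid_lnk_files(init_t)` and `systemd_varlink_registry_create_lnk_files(init_t)`, grant symlink creation only. Both interfaces in systemd.if wrap `create_lnk_files_pattern`, which covers neither read nor unlink. If systemd replaces or removes a stale entry on restart it would also need `delete_lnk_files_pattern` on the same types, unless init_t already holds that through a broader pid-file rule outside this diff; a restart test with AVC logging would confirm. A short comment naming the systemd feature that creates these links would help the next reader. The enclosing `optional_policy` block starts before the hunk.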
@@ -171,11 +171,17 @@
 /run/systemd/pcrlock.json -- gen_context(system_u:object_r:systemd_pcrlock_var_run_t,s0)
 /run/systemd/oom(/.*)? gen_context(system_u:object_r:systemd_oomd_var_run_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
+/run/systemd/resolve\.hook/io\.systemd\.Machine -s gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/resolve\.hook/io\.systemd\.Network -s gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 /run/systemd/import(/.*)? gen_context(system_u:object_r:systemd_importd_var_run_t,s0)
 /run/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_run_t,s0)
 /run/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
+/run/varlink -d gen_context(system_u:object_r:systemd_varlink_t,s0)
+/run/varlink/registry -d gen_context(system_u:object_r:systemd_varlink_registry_t,s0)
+/run/varlink/registry/.+ -l gen_context(system_u:object_r:systemd_varlink_registry_t,s0)
+
 /run/log/bootchart.* -- gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0)
 /run/log/systemd/tpm2-measure.log -- gen_context(system_u:object_r:systemd_pcrlock_var_lib_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/system/systemd.if new/selinux-policy-20260311/policy/modules/system/systemd.if
--- old/selinux-policy-20260310/policy/modules/system/systemd.if 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/system/systemd.if 2026-03-11 09:19:42.000000000 +0100
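Review bot: The directory `/run/systemd/resolve.hook` itself gets no entry in systemd.fc, and the existing `/run/systemd/resolve(/.*)?` pattern does not match it. Only the two named sockets are typed, so the directory takes whatever a more general `/run/systemd` rule outside this hunk assigns. That looks intended, since systemd.te pairs these entries with `init_create_pid_dirs` and `init_named_pid_filetrans`, but nothing says so. I would add a comment such as `# resolve.hook/ keeps the init runtime type; only the per-service hook sockets are typed`. A hook socket with any other name will inherit the directory's type rather than a service-specific one, which is worth stating in the same comment.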
@@ -2497,6 +2497,25 @@
 manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
 ')
+########################################
+## <summary>
+## Create systemd-machined PID symlinks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_machined_create_pid_lnk_files',`
+ gen_require(`
+ type systemd_machined_var_run_t;
+ ')
+
+ files_search_pids($1)
+ create_lnk_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
+')
+
 ######################################
 ## <summary>
 ## List systemd-machined PID files.
@@ -3431,3 +3450,22 @@
 allow $1 systemd_oomd_var_run_t:sock_file write;
 files_search_pids($1)
 ')
+
+########################################
+## <summary>
+## Create /run/varlink/registry symlinks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_varlink_registry_create_lnk_files',`
+ gen_require(`
+ type systemd_varlink_registry_t;
+ ')
+
+ files_search_pids($1)
+ create_lnk_files_pattern($1, systemd_varlink_registry_t, systemd_varlink_registry_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260310/policy/modules/system/systemd.te new/selinux-policy-20260311/policy/modules/system/systemd.te
--- old/selinux-policy-20260310/policy/modules/system/systemd.te 2026-03-10 18:22:30.000000000 +0100
+++ new/selinux-policy-20260311/policy/modules/system/systemd.te 2026-03-11 09:19:42.000000000 +0100
@@ -351,6 +351,12 @@
 type systemd_pcrlock_var_run_t;
 files_pid_file(systemd_pcrlock_var_run_t)
+# /run/varlink{,/registry}
+type systemd_varlink_t;
+files_pid_file(systemd_varlink_t)
+type systemd_varlink_registry_t;
+files_pid_file(systemd_varlink_registry_t)
+
 #######################################
 #
 # Systemd_logind local policy
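Review bot: `systemd_varlink_registry_create_lnk_files` in the `@@ -3431,3 +3450,22 @@` hunk does not let the caller traverse the parent directory `/run/varlink`, which systemd.fc labels `systemd_varlink_t`. It grants only `files_search_pids($1)` and add access under `systemd_varlink_registry_t`. init_t presumably gets through via a broader pid-file rule not shown here, but any other caller of the interface would be denied at the parent. I would add `type systemd_varlink_t;` to the `gen_require` and `allow $1 systemd_varlink_t:dir search_dir_perms;` before the pattern call. As the diff stands, `systemd_varlink_t` is declared in systemd.te (the `@@ -351,6 +351,12 @@` hunk) and labelled in systemd.fc, yet no rule in this diff references it.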
@@ -624,7 +630,9 @@
 init_start(systemd_machined_t)
 init_stop(systemd_machined_t)
 init_manage_config_transient_files(systemd_machined_t)
+init_create_pid_dirs(systemd_machined_t)
 init_named_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, file, "machines.lock")
+init_named_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, sock_file, "io.systemd.Machine")
 logging_dgram_send(systemd_machined_t)
@@ -731,6 +739,8 @@
 dev_read_sysfs(systemd_networkd_t)
 dev_write_kmsg(systemd_networkd_t)
+init_create_pid_dirs(systemd_networkd_t)
+init_named_pid_filetrans(systemd_networkd_t, systemd_networkd_var_run_t, sock_file, "io.systemd.Network")
 init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
 sysnet_manage_config(systemd_networkd_t)
@@ -1761,6 +1771,7 @@
 list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+allow systemd_resolved_t systemd_networkd_var_run_t:sock_file write;
 allow systemd_resolved_t systemd_networkd_var_run_t:dir watch_dir_perms;
 kernel_dgram_send(systemd_resolved_t)
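Review bot: `init_create_pid_dirs(systemd_machined_t)` reads, going by its name, as a general grant to create directories of init's runtime type, while the changelog only asks for `/run/systemd/resolve.hook`. The same call is added for systemd_networkd_t in the `@@ -731,6 +739,8 @@` hunk. A dedicated type for the hook directory, entered through a named transition on `"resolve.hook"`, would keep both daemons from creating other directories under `/run/systemd`. If that is too heavy for this update, a comment such as `# creates /run/systemd/resolve.hook` next to each call would at least record the intent. The interface body is not on this page, so its exact scope should be checked against init.if.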
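Review bot: The context line directly below the networkd additions, `init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")`, names systemd_logind_t although every neighbouring rule in this hunk is for systemd_networkd_t. It predates this commit, but the new `"io.systemd.Network"` transition right above it makes the mismatch easy to see. If it is a copy-paste slip, the `netif` directory transition is granted to the wrong domain and the first argument should be `systemd_networkd_t`; worth confirming and fixing in a follow-up.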
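Review bot: The added `allow systemd_resolved_t systemd_networkd_var_run_t:sock_file write;` covers only the socket file. Connecting to a unix stream socket also needs `connectto` on the peer domain's `unix_stream_socket`, which this hunk does not add. Unless that is already granted elsewhere in systemd.te, `stream_connect_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t, systemd_networkd_t)` expresses both halves in one line. The hook directory also holds `io.systemd.Machine`, labelled `systemd_machined_var_run_t`, and no matching resolved-to-machined rule is visible in this diff, so that hook may still be denied unless an existing machined connect interface already covers it.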
