Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2026-03-17 19:02:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Tue Mar 17 19:02:42 2026 rev:37 rq:1339329 version:2.247.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2026-02-21 21:01:28.991715699 +0100
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.8177/container-selinux.changes
2026-03-17 19:03:57.811343855 +0100
@@ -0,0 +1,9 @@
+Mon Mar 16 09:20:21 UTC 2026 - Johannes Segitz <[email protected]>
+
+- Update to version 2.247.0:
+ * Allow user_u users to run podman containers
+ * Allow staff_t and user_t to start podman.socket via systemd
+ * Add missing type transitions for overlay-containers directories
+ * container_t: allow listen on smc_socket
+ * Condition ptrace permission on deny_ptrace boolean
+
Old:
----
container-selinux-2.246.0.tar.xz
New:
----
container-selinux-2.247.0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.Z8aUMb/_old 2026-03-17 19:03:58.287363581 +0100
+++ /var/tmp/diff_new_pack.Z8aUMb/_new 2026-03-17 19:03:58.287363581 +0100
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.246.0
+Version: 2.247.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Z8aUMb/_old 2026-03-17 19:03:58.347366068 +0100
+++ /var/tmp/diff_new_pack.Z8aUMb/_new 2026-03-17 19:03:58.351366234 +0100
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/containers/container-selinux.git</param>
- <param
name="changesrevision">521cf8c56e8df7cd6809571ed9e796b495ceaa71</param></service></servicedata>
+ <param
name="changesrevision">f336064bb5a086cab121c02acf285a68fa4b8352</param></service></servicedata>
(No newline at EOF)
++++++ container-selinux-2.246.0.tar.xz -> container-selinux-2.247.0.tar.xz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.246.0/SECURITY.md
new/container-selinux-2.247.0/SECURITY.md
--- old/container-selinux-2.246.0/SECURITY.md 2026-02-19 13:11:16.000000000
+0100
+++ new/container-selinux-2.247.0/SECURITY.md 2026-03-13 14:58:55.000000000
+0100
@@ -1,4 +1,3 @@
## Security and Disclosure Information Policy for the container-selinux Project
-The container-selinux Project follows the [Security and Disclosure Information
Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the
Containers Projects.
-
+The container-selinux Project follows the [Security and Disclosure Information
Policy](https://github.com/containers/container-libs/blob/main/SECURITY.md) for
the Containers Projects.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.246.0/container.if
new/container-selinux-2.247.0/container.if
--- old/container-selinux-2.246.0/container.if 2026-02-19 13:11:16.000000000
+0100
+++ new/container-selinux-2.247.0/container.if 2026-03-13 14:58:55.000000000
+0100
@@ -607,9 +607,11 @@
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay-images")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay-containers")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay2-images")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay2-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir,
"overlay2-containers")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir,
"atomic")
userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
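Review bot: The two new `overlay-containers` / `overlay2-containers` transitions label the directory `container_ro_file_t`, the same type as the neighbouring `overlay-images` and `overlay-layers` rules; a type transition only affects directories created after the policy is loaded, so the file_contexts entry for the same path should carry the same type, otherwise a later restorecon relabels what the transition produced. Only the `data_home_t` rules are in this hunk; if the `container_var_lib_t` counterpart is also missing the `overlay-containers` entries, that is presumably handled elsewhere or still open. The enclosing interface starts and ends outside the hunk.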
@@ -681,7 +683,10 @@
type container_file_t;
')
- allow $1 container_runtime_t:process { ptrace signal_perms };
+ allow $1 container_runtime_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 container_runtime_t:process ptrace;
+ ')
ps_process_pattern($1, container_runtime_t)
admin_pattern($1, container_config_t)
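Review bot: The new `tunable_policy(`deny_ptrace',`',` ... ')` block references a boolean this module does not declare, so it must already be in scope through a `gen_require` that is not visible in the hunk; on a base policy that does not define `deny_ptrace` the module will fail to link. The same pattern is introduced in container.te around `domain_ptrace_all_domains(spc_t)`, where the interface call is placed inside the conditional and therefore has to expand to rules that are permitted in conditional blocks. Since the interface now grants ptrace on `container_runtime_t` only while `deny_ptrace` is off, its documentation comment above the hunk should say so, e.g. `## ptrace of container_runtime_t is granted only while the deny_ptrace boolean is off`. The enclosing interface starts outside the hunk.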
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.246.0/container.te
new/container-selinux-2.247.0/container.te
--- old/container-selinux-2.246.0/container.te 2026-02-19 13:11:16.000000000
+0100
+++ new/container-selinux-2.247.0/container.te 2026-03-13 14:58:55.000000000
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.246.0)
+policy_module(container, 2.247.0)
gen_require(`
class passwd rootok;
@@ -99,6 +99,15 @@
## </desc>
gen_tunable(container_manage_public_content, false)
+## <desc>
+## <p>
+## Allow user_t confined users to run podman containers.
+## Disabled by default since user_t is the most restricted
+## confined user type.
+## </p>
+## </desc>
+gen_tunable(user_t_run_containers, false)
+
attribute container_runtime_domain;
container_runtime_domain_template(container_runtime)
typealias container_runtime_t alias docker_t;
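Review bot: The description of `user_t_run_containers` states what it enables but not its scope: in the later hunk of this file only `container_runtime_domtrans(user_t)` and the signal permissions are inside the tunable, while the role authorization and the `unix_stream_socket` rules for user_t are granted unconditionally. Consider extending the desc so an administrator knows what toggling the boolean does and does not change, e.g. `## Only the domain transition into container_runtime_t and signal permissions are controlled by this boolean.`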
@@ -838,7 +847,9 @@
optional_policy(`
unconfined_domain_noaudit(spc_t)
- domain_ptrace_all_domains(spc_t)
+ tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(spc_t)
+ ')
# This should eventually be in upstream policy.
# https://github.com/fedora-selinux/selinux-policy/pull/806
allow spc_t domain:bpf { map_create map_read map_write prog_load
prog_run };
@@ -1135,6 +1146,7 @@
allow container_net_domain self:sctp_socket listen;
allow container_net_domain self:packet_socket create_socket_perms;
allow container_net_domain self:socket create_socket_perms;
+allow container_net_domain self:smc_socket listen;
allow container_net_domain self:rawip_socket create_stream_socket_perms;
allow container_net_domain self:netlink_kobject_uevent_socket
create_socket_perms;
allow container_net_domain self:netlink_tcpdiag_socket nlmsg_read;
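Review bot: `allow container_net_domain self:smc_socket listen;` requires the `smc_socket` object class to be declared in the base policy the module links against; older policies without that class reject the module at install time, so this is worth a note in the packaging changelog or a build-time check. The rule grants only `listen`, mirroring the `sctp_socket` line above it, so create/bind are presumably covered by a broader rule elsewhere in the module; if they are not, `listen` alone is unreachable.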
@@ -1333,13 +1345,26 @@
allow userdomain self:cap_userns ~{ sys_module };
container_read_state(userdomain)
allow userdomain container_runtime_t:process { noatsecure rlimitinh
siginh };
- container_runtime_run(user_t, user_r)
+ role user_r types container_runtime_t;
role user_r types container_user_domain;
staff_role_change_to(system_r)
+ unprivuser_role_change_to(system_r)
allow staff_t container_runtime_t:process signal_perms;
allow staff_t container_domain:process signal_perms;
+
+ # Allow confined user systemd instances to create and manage sockets
+ # for podman.socket activation (user-level systemd pre-labels the
+ # socket as container_runtime_t via setsockcreatecon)
+ allow { staff_t user_t } container_runtime_t:unix_stream_socket {
create bind listen getattr setopt };
+
+ tunable_policy(`user_t_run_containers',`
+ container_runtime_domtrans(user_t)
+ allow user_t container_runtime_t:process signal_perms;
+ allow user_t container_domain:process signal_perms;
+ ')
+
allow container_domain userdomain:socket_class_set { accept ioctl read
getattr lock write append getopt shutdown setopt };
')
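Review bot: The `allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt }` rule is unconditional, so a user_t session may create and bind sockets labeled `container_runtime_t` even while `user_t_run_containers` is off and it cannot transition into that domain. If the rule exists only for podman.socket activation, the user_t half belongs inside the `tunable_policy(`user_t_run_containers',` ... ')` block: keep `allow staff_t container_runtime_t:unix_stream_socket { create bind listen getattr setopt };` unconditional and move `allow user_t container_runtime_t:unix_stream_socket { create bind listen getattr setopt };` into the block (allow rules are permitted in conditionals, unlike the `role user_r types container_runtime_t;` line, which has to stay outside). The removed `container_runtime_run(user_t, user_r)` appears to have granted user_t the transition unconditionally, so with the boolean defaulting to false this is a tightening for existing user_t sessions that the changelog entry does not mention. The enclosing block closes at the `')` on the last hunk line but starts outside it.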
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.246.0/plans/main.fmf
new/container-selinux-2.247.0/plans/main.fmf
--- old/container-selinux-2.246.0/plans/main.fmf 2026-02-19
13:11:16.000000000 +0100
+++ new/container-selinux-2.247.0/plans/main.fmf 2026-03-13
14:58:55.000000000 +0100
@@ -22,6 +22,10 @@
test: /test/basic_check
/xmllint_validation:
+ enabled: false
+ adjust:
+ - when: initiator == packit
+ enabled: true
discover+:
test: /test/xmllint_validation