Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2021-09-02 23:20:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Thu Sep 2 23:20:08 2021 rev:17 rq:915717 version:20210716 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2021-08-19 13:39:10.097414033 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1899/selinux-policy.changes 2021-09-02 23:20:15.676549478 +0200 @@ -1,0 +2,24 @@ +Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Modified fix_systemd.patch to allow systemd gpt generator access to + udev files (bsc#1189280) + +------------------------------------------------------------------- +Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedrou...@suse.com> + +- fix rebootmgr does not trigger the reboot properly (boo#1189878) + * fix managing /etc/rebootmgr.conf + * allow rebootmgr_t to cope with systemd and dbus messaging + +------------------------------------------------------------------- +Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Properly label cockpit files +- Allow wicked to communicate with network manager on DBUS (bsc#1188331) + +------------------------------------------------------------------- +Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedrou...@suse.com> + +- Added policy module for rebootmgr (jsc#SMO-28) + +------------------------------------------------------------------- New: ---- rebootmgr.fc rebootmgr.if rebootmgr.te ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:16.916551023 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:16.920551028 +0200 @@ -81,6 +81,9 @@ Source126: wicked.te Source127: wicked.if Source128: wicked.fc +Source129: rebootmgr.te +Source130: rebootmgr.if +Source131: rebootmgr.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch 
@@ -422,7 +425,7 @@ cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do cp $i policy/modules/contrib done ++++++ fix_cockpit.patch ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:17.064551208 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:17.064551208 +0200 @@ -9,10 +9,10 @@ policy/modules/contrib/cockpit.te | 2 ++ 1 file changed, 2 insertions(+) -Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te -+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.te @@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex dev_read_urand(cockpit_ws_t) # for authkey dev_read_rand(cockpit_ws_t) # for libssh 
@@ -23,3 +23,25 @@ # cockpit-ws can connect to other hosts via ssh corenet_tcp_connect_ssh_port(cockpit_ws_t) +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc +=================================================================== +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc +@@ -3,12 +3,12 @@ + /usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + +-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) +-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + + /usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + ++++++ fix_systemd.patch ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:17.152551318 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:17.156551322 +0200 
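Review bot: The cockpit.fc entries added to fix_cockpit.patch turn five literal paths into regular expressions (`/usr/lib(exec)?/cockpit-ws` and its siblings), which may change how they rank against broader patterns covering /usr/lib and /usr/libexec once the file contexts are sorted. If a generic entry wins, cockpit-ws or cockpit-session would keep a generic label and presumably never transition into its confined domain. It is worth confirming on a built policy with `matchpathcon /usr/libexec/cockpit-session /usr/lib/cockpit-session` that both paths resolve to cockpit_session_exec_t, and likewise for the cockpit_ws_exec_t entries. The patch's own header still reads `policy/modules/contrib/cockpit.te | 2 ++` and `1 file changed`, which is stale now that cockpit.fc is patched as well.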
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/system/systemd.te +Index: fedora-policy-20210716/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210628/policy/modules/system/systemd.te -@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20210716.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210716/policy/modules/system/systemd.te +@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,7 +13,7 @@ apache_read_tmp_files(systemd_logind_t) ') -@@ -854,6 +858,10 @@ optional_policy(` +@@ -859,6 +863,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') @@ -24,3 +24,12 @@ ####################################### # # rfkill policy +@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_ + systemd_create_unit_file_dirs(systemd_gpt_generator_t) + systemd_create_unit_file_lnk(systemd_gpt_generator_t) + ++udev_read_pid_files(systemd_gpt_generator_t) ++ + ####################################### + # + # systemd_resolved domain ++++++ modules-minimum-base.conf ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:17.212551392 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:17.212551392 +0200 @@ -412,4 +412,3 @@ # Name service cache daemon # nscd = module - ++++++ modules-targeted-base.conf ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:17.304551507 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:17.304551507 +0200 
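Review bot: The new `udev_read_pid_files(systemd_gpt_generator_t)` line in the last hunk of fix_systemd.patch is called unconditionally, while the hunk just before it shows the same interface for systemd_hostnamed_t inside an optional_policy block. Wrapping the new call the same way would keep the two consistent and avoid a hard dependency on the udev module. The line also carries no explanation; a comment such as `# systemd gpt generator needs to read udev files (bsc#1189280)` above it would record why the access was granted. The surrounding systemd_gpt_generator_t section starts outside the hunk.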
@@ -412,3 +412,10 @@ # Policy for wicked # wicked = module + +# Layer: system +# Module: rebootmgr +# +# Policy for rebootmgr +# +rebootmgr = module ++++++ rebootmgr.fc ++++++ /usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0) ++++++ rebootmgr.if ++++++ ## <summary>policy for rebootmgr</summary> ######################################## ## <summary> ## Execute rebootmgr_exec_t in the rebootmgr domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`rebootmgr_domtrans',` gen_require(` type rebootmgr_t, rebootmgr_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t) ') ###################################### ## <summary> ## Execute rebootmgr in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rebootmgr_exec',` gen_require(` type rebootmgr_exec_t; ') corecmd_search_bin($1) can_exec($1, rebootmgr_exec_t) ') ######################################## ## <summary> ## Send and receive messages from ## rebootmgr over dbus. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. 
## </summary> ## </param> # interface(`rebootmgr_dbus_chat',` gen_require(` type rebootmgr_t; class dbus send_msg; ') allow $1 rebootmgr_t:dbus send_msg; allow rebootmgr_t $1:dbus send_msg; ') ++++++ rebootmgr.te ++++++ policy_module(rebootmgr, 1.0.0) ######################################## # # Declarations # type rebootmgr_t; type rebootmgr_exec_t; init_daemon_domain(rebootmgr_t, rebootmgr_exec_t) ######################################## # # rebootmgr local policy # allow rebootmgr_t self:process { fork }; allow rebootmgr_t self:fifo_file rw_fifo_file_perms; allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms; domain_use_interactive_fds(rebootmgr_t) files_manage_etc_files(rebootmgr_t) logging_send_syslog_msg(rebootmgr_t) miscfiles_read_localization(rebootmgr_t) systemd_start_power_services(rebootmgr_t) systemd_dbus_chat_logind(rebootmgr_t) unconfined_dbus_chat(rebootmgr_t) optional_policy(` dbus_system_bus_client(rebootmgr_t) dbus_connect_system_bus(rebootmgr_t) ') ++++++ wicked.te ++++++ --- /var/tmp/diff_new_pack.jG0Dge/_old 2021-09-02 23:20:17.616551896 +0200 +++ /var/tmp/diff_new_pack.jG0Dge/_new 2021-09-02 23:20:17.616551896 +0200 @@ -494,6 +494,10 @@ virt_dbus_chat(wicked_t) ') +optional_policy(` + networkmanager_dbus_chat(wicked_t) +') + #tunable_policy(`use_ecryptfs_home_dirs',` #fs_manage_ecryptfs_files(wicked_t) #')
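Review bot: `files_manage_etc_files(rebootmgr_t)` in rebootmgr.te lets the daemon create, modify and delete every file labelled etc_t, while the changelog gives managing /etc/rebootmgr.conf as the only reason for it. A dedicated type for that one file, plus read-only access to the rest of /etc, would keep a compromised rebootmgrd from rewriting unrelated configuration. The type would be labelled by an entry such as `/etc/rebootmgr\.conf -- gen_context(system_u:object_r:rebootmgr_conf_t,s0)` in rebootmgr.fc; the type name is only a suggestion. `unconfined_dbus_chat(rebootmgr_t)` also sits outside any optional_policy block although the dbus interfaces right below it are optional, so the module depends on the unconfined module being present. The sketch below needs checking against AVC denials, in particular whether rebootmgrd replaces the file via a temporary name, which the named transition would not cover.

```selinux
# … unchanged: policy_module, rebootmgr_t / rebootmgr_exec_t declarations …
type rebootmgr_conf_t;	# suggested name for /etc/rebootmgr.conf
files_config_file(rebootmgr_conf_t)

# … unchanged: self rules, domain_use_interactive_fds …
# replaces files_manage_etc_files(rebootmgr_t)
files_read_etc_files(rebootmgr_t)
manage_files_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)
files_etc_filetrans(rebootmgr_t, rebootmgr_conf_t, file, "rebootmgr.conf")

# … unchanged: logging, localization, systemd interfaces …
optional_policy(`
	unconfined_dbus_chat(rebootmgr_t)
')
```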