Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-03-14 17:42:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Thu Mar 14 17:42:42 2024 rev:58 rq:1157662 version:20240313 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-02-09 23:51:39.049517287 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1905/selinux-policy.changes 2024-03-14 17:42:54.396641243 +0100 @@ -1,0 +2,29 @@ +Wed Mar 13 11:02:43 UTC 2024 - cathy...@suse.com + +- Update to version 20240313: + * Assign alts_exec_t to files_type + +------------------------------------------------------------------- +Fri Mar 08 09:05:08 UTC 2024 - cathy...@suse.com + +- Update to version 20240308: + * Support /bin/alts in the policy (bsc#1217530) + * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)" + +------------------------------------------------------------------- +Wed Mar 06 15:41:20 UTC 2024 - cathy...@suse.com + +- Update to version 20240306: + * Replace init domtrans rule for confined users to allow exec init + * Update dbus_role_template() to allow user service status + * Allow polkit status all systemd services + * Allow setroubleshootd create and use inherited io_uring + * Allow load_policy read and write generic ptys + +------------------------------------------------------------------- +Mon Mar 04 16:19:28 UTC 2024 - cathy...@suse.com + +- Update to version 20240304: + * Allow ssh-keygen to use the libica crypto module (bsc#1220373) + +------------------------------------------------------------------- Old: ---- selinux-policy-20240205.tar.xz New: ---- selinux-policy-20240313.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.ZspeGM/_old 2024-03-14 17:42:55.312674828 +0100 +++ /var/tmp/diff_new_pack.ZspeGM/_new 2024-03-14 17:42:55.316674975 +0100 
@@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240205 +Version: 20240313 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ZspeGM/_old 2024-03-14 17:42:55.388677615 +0100 +++ /var/tmp/diff_new_pack.ZspeGM/_new 2024-03-14 17:42:55.392677762 +0100 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">e17843ad685ede6b0ba9a2571bf3199e56408f83</param></service><service name="tar_scm"> + <param name="changesrevision">45f14b8b76e738bbd167b44362388814a95c498e</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm"> <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param> ++++++ modules-targeted-contrib.conf ++++++ --- /var/tmp/diff_new_pack.ZspeGM/_old 2024-03-14 17:42:55.636686708 +0100 +++ /var/tmp/diff_new_pack.ZspeGM/_new 2024-03-14 17:42:55.640686855 +0100 @@ -2762,3 +2762,10 @@ # coreos_installer = module +## Layer: contrib +## Module: libalternatives +## +## libalternatives +## +libalternatives = module + ++++++ selinux-policy-20240205.tar.xz -> selinux-policy-20240313.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/.copr/.gitignore new/selinux-policy-20240313/.copr/.gitignore --- old/selinux-policy-20240205/.copr/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20240313/.copr/.gitignore 2024-03-13 12:02:05.000000000 +0100 
@@ -0,0 +1 @@
+*.src.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/.gitignore new/selinux-policy-20240313/.gitignore
--- old/selinux-policy-20240205/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20240313/.gitignore 2024-03-13 12:02:05.000000000 +0100
@@ -0,0 +1,6 @@
+/base.conf
+/base.fc
+/policy/modules/kernel/corenetwork.te
+/policy/modules/kernel/corenetwork.if
+/*.pp
+/tmp/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/dbus.if new/selinux-policy-20240313/policy/modules/contrib/dbus.if
--- old/selinux-policy-20240205/policy/modules/contrib/dbus.if 2024-02-05 16:48:02.010622949 +0100
+++ new/selinux-policy-20240313/policy/modules/contrib/dbus.if 2024-03-13 12:02:05.000000000 +0100
@@ -97,7 +97,7 @@
 allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
 allow $1_dbusd_t $3:dbus send_msg;
 allow $3 $1_dbusd_t:dbus send_msg;
- allow $1_dbusd_t $3:system { start reload };
+ allow $1_dbusd_t $3:system { reload start status };
 allow $1_dbusd_t session_dbusd_tmp_t:service { start stop };
 allow $3 session_dbusd_tmp_t:dir manage_dir_perms;
 allow $3 session_dbusd_tmp_t:file manage_file_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/libalternatives.fc new/selinux-policy-20240313/policy/modules/contrib/libalternatives.fc
--- old/selinux-policy-20240205/policy/modules/contrib/libalternatives.fc 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20240313/policy/modules/contrib/libalternatives.fc 2024-03-13 12:02:05.000000000 +0100
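Review bot: The new `status` permission in `allow $1_dbusd_t $3:system { reload start status };` is undocumented in the hunk, and the dbus_role_template() header that describes what the session bus may do to the user domain lies outside it. Since `$3` is the user domain passed into the template, a one-line comment on the rule would record why the session bus now needs to query unit status there, e.g. `# session bus may start, reload and query status of units in the user domain`; I am inferring a per-user systemd relationship from the `system` class rules, so confirm the wording against the denial that motivated it.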
@@ -0,0 +1 @@
+/usr/bin/alts -- gen_context(system_u:object_r:alts_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/libalternatives.if new/selinux-policy-20240313/policy/modules/contrib/libalternatives.if
--- old/selinux-policy-20240205/policy/modules/contrib/libalternatives.if 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20240313/policy/modules/contrib/libalternatives.if 2024-03-13 12:02:05.000000000 +0100
@@ -0,0 +1 @@
+## <summary>policy for alts</summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/libalternatives.te new/selinux-policy-20240313/policy/modules/contrib/libalternatives.te
--- old/selinux-policy-20240205/policy/modules/contrib/libalternatives.te 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20240313/policy/modules/contrib/libalternatives.te 2024-03-13 12:02:05.000000000 +0100
@@ -0,0 +1,6 @@
+policy_module(libalternatives, 0.0.1)
+
+# All processes should be able to execute libalternatives /bin/alts in the caller domain
+type alts_exec_t;
+files_type(alts_exec_t)
+domain_can_exec(alts_exec_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/policykit.te new/selinux-policy-20240313/policy/modules/contrib/policykit.te
--- old/selinux-policy-20240205/policy/modules/contrib/policykit.te 2024-02-05 16:48:02.023956465 +0100
+++ new/selinux-policy-20240313/policy/modules/contrib/policykit.te 2024-03-13 12:02:05.000000000 +0100
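Review bot: The comment in libalternatives.te says processes execute `/bin/alts`, but the file context in libalternatives.fc labels only `/usr/bin/alts`; on a usr-merged system the two resolve to the same file, yet the comment should name the path that is actually labelled, e.g. `# Every domain may execute libalternatives' /usr/bin/alts (alts_exec_t) without a domain transition`. Because `domain_can_exec(alts_exec_t)` grants execute to the whole `domain` attribute and the caller keeps its own label, the protection against a confined domain running something unexpected rests entirely on the labels of the targets alts dispatches to — the caller still needs execute on the target's type — and that is worth stating in the same comment so nobody later answers a denial on a target by widening alts_exec_t. libalternatives.if carries only a summary; if a per-domain grant is ever preferred over the global one, an exec interface in that file would be the usual refpolicy shape.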
@@ -152,7 +152,7 @@ systemd_read_logind_sessions_files(policykit_t) systemd_login_list_pid_dirs(policykit_t) systemd_login_read_pid_files(policykit_t) - systemd_status_systemd_services(policykit_t) + systemd_status_all_unit_files(policykit_t) ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/setroubleshoot.te new/selinux-policy-20240313/policy/modules/contrib/setroubleshoot.te --- old/selinux-policy-20240205/policy/modules/contrib/setroubleshoot.te 2024-02-05 16:48:02.027289844 +0100 +++ new/selinux-policy-20240313/policy/modules/contrib/setroubleshoot.te 2024-03-13 12:02:05.000000000 +0100 @@ -90,7 +90,7 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) - +kernel_io_uring_use(setroubleshootd_t) kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) kernel_read_net_sysctls(setroubleshootd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/contrib/virt.te new/selinux-policy-20240313/policy/modules/contrib/virt.te --- old/selinux-policy-20240205/policy/modules/contrib/virt.te 2024-02-05 16:48:02.030623222 +0100 +++ new/selinux-policy-20240313/policy/modules/contrib/virt.te 2024-03-13 12:02:05.000000000 +0100 
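Review bot: `systemd_status_all_unit_files(policykit_t)` is broader than the `systemd_status_systemd_services(policykit_t)` it replaces, and neither the hunk nor the changelog entry ("Allow polkit status all systemd services") says which non-service unit polkit needed to query. A comment on the rule naming the unit type or the denial that motivated the widening would let a later reviewer judge whether the narrower interface could be restored, e.g. `# polkit queries status of all unit types, not only services (see <bug id>)` with the bug id filled in. The enclosing optional_policy block starts outside the hunk.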
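Review bot: `kernel_io_uring_use(setroubleshootd_t)` is added without a comment saying which part of setroubleshootd issues io_uring calls, and io_uring access is something hardened deployments commonly disable or audit, so the reason belongs next to the rule. I would put `# setroubleshootd creates and uses inherited io_uring instances` above it, taken from the changelog wording, and confirm whether the daemon itself or one of its libraries is the user before committing to that text. The hunk replaces a blank line with the rule, so the two groups of rules it separated are now joined; the surrounding setroubleshootd_t block starts outside the hunk.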
@@ -1886,8 +1886,6 @@ corenet_rw_tun_tap_dev(virtnetworkd_t) -corecmd_exec_bin(virtnetworkd_t) - dev_rw_sysfs(virtnetworkd_t) sysnet_domtrans_ifconfig(virtnetworkd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/kernel/domain.if new/selinux-policy-20240313/policy/modules/kernel/domain.if --- old/selinux-policy-20240205/policy/modules/kernel/domain.if 2024-02-05 16:48:02.033956601 +0100 +++ new/selinux-policy-20240313/policy/modules/kernel/domain.if 2024-03-13 12:02:05.000000000 +0100 @@ -1925,3 +1925,21 @@ allow $1 domain:perf_event rw_inherited_perf_event_perms; ') + +######################################## +## <summary> +## Allow all domains to execute type without domain transition +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_can_exec',` + gen_require(` + attribute domain; + ') + + can_exec(domain, $1) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/services/ssh.te new/selinux-policy-20240313/policy/modules/services/ssh.te --- old/selinux-policy-20240205/policy/modules/services/ssh.te 2024-02-05 16:48:02.037289981 +0100 +++ new/selinux-policy-20240313/policy/modules/services/ssh.te 2024-03-13 12:02:05.000000000 +0100 @@ -391,6 +391,7 @@ optional_policy(` ica_rw_map_tmpfs_files(sshd_t) + ica_rw_map_tmpfs_files(ssh_keygen_t) ') optional_policy(` 
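Review bot: The parameter documentation of the new domain_can_exec() interface is wrong: `<param name="domain">` / `Domain allowed access.` describes `$1` as a domain, but the body `can_exec(domain, $1)` uses `$1` as the executable file type, and the libalternatives hunk on this page calls it as `domain_can_exec(alts_exec_t)`. Change the block to `## <param name="type">` / `## Type of the executable file.` and make the summary `## Allow all domains to execute files of the given type without a domain transition`. Since the grant goes to the whole `domain` attribute, the summary should also say that the interface is meant for dispatcher-style binaries that must run in every caller's domain, so it is not picked up as a convenient way to silence execute denials.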
@@ -639,6 +640,7 @@ allow sshd_net_t self:process setrlimit; dev_rw_crypto(sshd_net_t) +dev_rw_crypto(ssh_keygen_t) init_ioctl_stream_sockets(sshd_net_t) init_rw_tcp_sockets(sshd_net_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/system/selinuxutil.te new/selinux-policy-20240313/policy/modules/system/selinuxutil.te --- old/selinux-policy-20240205/policy/modules/system/selinuxutil.te 2024-02-05 16:48:02.037289981 +0100 +++ new/selinux-policy-20240313/policy/modules/system/selinuxutil.te 2024-03-13 12:02:05.000000000 +0100 @@ -208,6 +208,7 @@ selinux_set_all_booleans(load_policy_t) term_use_console(load_policy_t) +term_use_generic_ptys(load_policy_t) term_list_ptys(load_policy_t) term_write_unallocated_ttys(load_policy_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240205/policy/modules/system/userdomain.if new/selinux-policy-20240313/policy/modules/system/userdomain.if --- old/selinux-policy-20240205/policy/modules/system/userdomain.if 2024-02-05 16:48:02.037289981 +0100 +++ new/selinux-policy-20240313/policy/modules/system/userdomain.if 2024-03-13 12:02:05.000000000 +0100 @@ -1520,7 +1520,7 @@ corenet_tcp_bind_xserver_port($1_t) corenet_tcp_bind_generic_node($1_usertype) - init_domtrans($1_t) + init_exec($1_t) init_rw_stream_sockets($1_t) storage_rw_fuse($1_t)
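Review bot: `dev_rw_crypto(ssh_keygen_t)` is inserted between `dev_rw_crypto(sshd_net_t)` and `init_ioctl_stream_sockets(sshd_net_t)`, i.e. inside the sshd_net_t rule group rather than in the ssh_keygen_t section, and `ica_rw_map_tmpfs_files(ssh_keygen_t)` in the earlier hunk likewise lands in an optional_policy block that otherwise only covers sshd_t. Both lines belong to the same change (libica support for ssh-keygen, bsc#1220373 per the changelog), so moving them into the ssh_keygen_t section under one comment, `# ssh-keygen uses the libica crypto module (bsc#1220373)`, keeps the per-domain grouping the surrounding sshd_net_t rules show. The enclosing rule groups start and end outside the hunk.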
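Review bot: `init_exec($1_t)` replaces `init_domtrans($1_t)`, so a confined user now runs init_exec_t binaries inside its own `$1_t` domain instead of transitioning into the init domain; that closes a route from the user domain into init_t, but the hunk records no reason, and the template this sits in starts and ends outside the hunk. I would add `# run init_exec_t binaries in the user domain, no transition to init_t` above the rule and, if the motivation is a per-user systemd instance as the dbus.if change on this page suggests, name it there. Confirm that nothing else in the template still assumes the transition (a role allow on init_t for the user role, for instance); I cannot see the rest of the template here, and `init_rw_stream_sockets($1_t)` just below is unaffected either way.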