Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-06-18 22:51:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.19518 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Jun 18 22:51:01 2024 rev:62 rq:1181332 version:20240617 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-06-14 18:57:11.968953030 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.19518/selinux-policy.changes 2024-06-18 22:51:48.506667509 +0200
@@ -1,0 +2,7 @@
+Mon Jun 17 14:36:01 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240617:
+ * Allow gnome control center to set autologin (bsc#1222978)
+ * Dontaudit xdm_t to getattr on root_t (bsc#1223145)
+
+-------------------------------------------------------------------
Old: ---- selinux-policy-20240613.tar.xz New: ---- selinux-policy-20240617.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.b4Q6TJ/_old 2024-06-18 22:51:49.562706445 +0200
+++ /var/tmp/diff_new_pack.b4Q6TJ/_new 2024-06-18 22:51:49.562706445 +0200
@@ -33,7 +33,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240613
+Version: 20240617
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.b4Q6TJ/_old 2024-06-18 22:51:49.666710279 +0200
+++ /var/tmp/diff_new_pack.b4Q6TJ/_new 2024-06-18 22:51:49.674710574 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">2cc0ac20c300647eefb1dc0a3c0856277c16af0d</param></service><service name="tar_scm">
+ <param name="changesrevision">1de27a0d8c5938ce63f0a9f6add5f6e4ffa00565</param></service><service name="tar_scm">
 <param name="url">https://github.com/containers/container-selinux.git</param>
 <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
++++++ selinux-policy-20240613.tar.xz -> selinux-policy-20240617.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240613/policy/modules/contrib/accountsd.te new/selinux-policy-20240617/policy/modules/contrib/accountsd.te
--- old/selinux-policy-20240613/policy/modules/contrib/accountsd.te 2024-06-13 10:10:05.000000000 +0200
+++ new/selinux-policy-20240617/policy/modules/contrib/accountsd.te 2024-06-17 16:35:25.000000000 +0200
@@ -107,3 +107,11 @@
 xserver_manage_xdm_etc_files(accountsd_t)
 xserver_watch_xdm_etc_dirs(accountsd_t)
 ')
+
+# Handle /etc/sysconfig/displaymanager together with GDM (xdm_t) (bsc#1222978)
+optional_policy(`
+ # Label all files created by accountsd_t under /run called "displaymanager.new" as xdm_etc_t
+ xserver_var_run_etc_filetrans_named_content(accountsd_t, "displaymanager.new")
+ # Write /etc/sysconfig/displaymanager
+ xserver_etc_filetrans_named_content(accountsd_t, "displaymanager")
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240613/policy/modules/kernel/files.if new/selinux-policy-20240617/policy/modules/kernel/files.if
--- old/selinux-policy-20240613/policy/modules/kernel/files.if 2024-06-13 10:10:05.000000000 +0200
+++ new/selinux-policy-20240617/policy/modules/kernel/files.if 2024-06-17 16:35:25.000000000 +0200
@@ -2910,6 +2910,25 @@
 ########################################
 ## <summary>
+## Do not audit attempts to getattr files in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:file { getattr };
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to read files in
 ## the root directory.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240613/policy/modules/services/xserver.fc new/selinux-policy-20240617/policy/modules/services/xserver.fc
--- old/selinux-policy-20240613/policy/modules/services/xserver.fc 2024-06-13 10:10:05.000000000 +0200
+++ new/selinux-policy-20240617/policy/modules/services/xserver.fc 2024-06-17 16:35:25.000000000 +0200
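Review bot: The two comments inside the new `optional_policy` block in accountsd.te describe less than the calls grant. Going by the interface bodies added in xserver.if, the "displaymanager.new" transition only fires inside directories already labelled xdm_var_run_t, and the same call also labels every directory accountsd_t creates in a var_run_t directory as xdm_var_run_t; the second call additionally grants directory management on etc_t and relabel on xdm_etc_t files. I would reword them along the lines of `# "displaymanager.new" created in xdm_var_run_t dirs becomes xdm_etc_t; dirs created in /run become xdm_var_run_t` and `# Create /etc/sysconfig/displaymanager as xdm_etc_t (also grants etc_t dir management and xdm_etc_t relabel)`. The same pair of comments appears in the second xserver.te hunk for xdm_t.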
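Review bot: In `files_dontaudit_getattr_root_files` (files.if) the rule is written with a literal one-element set, `dontaudit $1 root_t:file { getattr };`. If this tree's permission-set macros include `getattr_file_perms`, as reference policy does, using it here (`dontaudit $1 root_t:file getattr_file_perms;`) would match the macro style of the neighbouring root-file interfaces; otherwise the braces can simply be dropped. The rule itself is narrowly scoped to getattr on regular files, which is good for a dontaudit.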
@@ -54,6 +54,7 @@
 /etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
 /etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
+/etc/sysconfig/displaymanager -- gen_context(system_u:object_r:xdm_etc_t,s0)
 /etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
 /etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
 /etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240613/policy/modules/services/xserver.if new/selinux-policy-20240617/policy/modules/services/xserver.if
--- old/selinux-policy-20240613/policy/modules/services/xserver.if 2024-06-13 10:10:05.000000000 +0200
+++ new/selinux-policy-20240617/policy/modules/services/xserver.if 2024-06-17 16:35:25.000000000 +0200
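Review bot: Labelling `/etc/sysconfig/displaymanager` as xdm_etc_t in xserver.fc changes who may modify a file that, per the changelog, controls autologin: every domain that already holds write access to xdm_etc_t files gains it on this path as well. The commit does not show that set, so it is worth listing it before merging, for example with `sesearch -A -t xdm_etc_t -c file -p write` against the built policy, and confirming each writer is expected. A dedicated type for this one file would keep the grant limited to xdm_t and accountsd_t if the list turns out to be wider than intended.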
@@ -2510,3 +2510,56 @@
 files_pid_filetrans($1, xdm_var_run_t, dir, "gdm")
 ')
+
+######################################
+## <summary>
+## Transition to xdm named content in /run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Only transition for files with this name.
+## </summary>
+## </param>
+#
+interface(`xserver_var_run_etc_filetrans_named_content',`
+ gen_require(`
+ type var_run_t;
+ type xdm_var_run_t;
+ type xdm_etc_t;
+ ')
+
+ filetrans_pattern($1, var_run_t, xdm_var_run_t, dir)
+ manage_dirs_pattern($1, xdm_var_run_t, xdm_var_run_t)
+ filetrans_pattern($1, xdm_var_run_t, xdm_etc_t, file, $2)
+')
+
+######################################
+## <summary>
+## Transition to xdm named content in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Only transition for files with this name.
+## </summary>
+## </param>
+#
+interface(`xserver_etc_filetrans_named_content',`
+ gen_require(`
+ type etc_t;
+ type xdm_etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
+ filetrans_pattern($1, etc_t, xdm_etc_t, file, $2)
+ relabel_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240613/policy/modules/services/xserver.te new/selinux-policy-20240617/policy/modules/services/xserver.te
--- old/selinux-policy-20240613/policy/modules/services/xserver.te 2024-06-13 10:10:05.000000000 +0200
+++ new/selinux-policy-20240617/policy/modules/services/xserver.te 2024-06-17 16:35:25.000000000 +0200
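Review bot: `xserver_etc_filetrans_named_content` grants more than its name and summary say: `manage_dirs_pattern($1, etc_t, etc_t)` lets the caller create, rename and remove etc_t directories, and `relabel_files_pattern($1, xdm_etc_t, xdm_etc_t)` adds relabel rights, while the summary only mentions a transition. As far as the stock `filetrans_pattern` macro goes, it already gives the caller the directory access needed to add the named entry, so the `manage_dirs_pattern` line looks removable; if it is required, the summary should state it. In `xserver_var_run_etc_filetrans_named_content` the first rule, `filetrans_pattern($1, var_run_t, xdm_var_run_t, dir)`, carries no name argument, so every directory the caller creates in a var_run_t directory becomes xdm_var_run_t; taking the directory name as a further parameter would keep it as narrow as the file rule. Neither interface grants create or write on xdm_etc_t files, so callers presumably get those elsewhere, and a sentence in each summary would make that dependency explicit.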
@@ -659,6 +659,7 @@
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
 files_dontaudit_getattr_boot_dirs(xdm_t)
+files_dontaudit_getattr_root_files(xdm_t)
 files_dontaudit_write_usr_files(xdm_t)
 files_dontaudit_access_check_etc(xdm_t)
 files_dontaudit_getattr_all_dirs(xdm_t)
@@ -1866,3 +1867,11 @@
 ',`
 dev_dontaudit_rw_dri(dridomain)
 ')
+
+# Handle /etc/sysconfig/displaymanager together with accountsservice (accountsd_t) (bsc#1222978)
+optional_policy(`
+ # Label all files created by xdm_t under /run called "displaymanager.new" as xdm_etc_t
+ xserver_var_run_etc_filetrans_named_content(xdm_t, "displaymanager.new")
+ # Write /etc/sysconfig/displaymanager
+ xserver_etc_filetrans_named_content(xdm_t, "displaymanager")
+')
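Review bot: The added `files_dontaudit_getattr_root_files(xdm_t)` line in the first xserver.te hunk carries no comment, unlike the `files_create_boot_flag(xdm_t)` line two above it. A dontaudit rule removes the AVC record for the denied access, so anyone later investigating xdm_t will only see these getattr attempts after disabling dontaudit rules (`semodule -DB`); a pointer to the reason helps that triage. I would add `# Silence getattr denials on root_t files (bsc#1223145)` directly above the call. The surrounding block of xdm_t rules starts and ends outside the hunk.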