Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-07-14 08:48:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.17339 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sun Jul 14 08:48:58 2024 rev:64 rq:1186820 version:20240710 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-07-03 20:29:43.283793827 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.17339/selinux-policy.changes 2024-07-14 08:49:37.966537312 +0200
@@ -1,0 +2,67 @@
+Wed Jul 10 07:45:13 UTC 2024 - cathy...@suse.com
+
+- Enable sap module
+- Add equivalency in file_contexts.subs_dist
+ * /bin /usr/bin
+ * /sbin /usr/bin
+ * /usr/sbin /usr/bin
+- Update to version 20240710:
+ * Change fc in rebootmgr module for /sbin -> /usr/bin
+ * Change fc in rpm module for /sbin -> /usr/bin
+ * Change fc in rsync module for /sbin -> /usr/bin
+ * Change fc in wicked module for /sbin -> /usr/bin
+ * Confine libvirt-dbus
+ * Allow virtqemud the kill capability in user namespace
+ * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
+ * Allow dhcpcd the kill capability
+ * Allow systemd-networkd list /var/lib/systemd/network
+ * Allow sysadm_t run systemd-nsresourced bpf programs
+ * Update policy for systemd generators interactions
+ * Allow create memory.pressure files with cgroup_memory_pressure_t
+ * Add support for libvirt hooks
+ * Allow certmonger read and write tpm devices
+ * Allow all domains to connect to systemd-nsresourced over a unix socket
+ * Allow systemd-machined read the vsock device
+ * Update policy for systemd generators
+ * Allow ptp4l_t request that the kernel load a kernel module
+ * Allow sbd to trace processes in user namespace
+ * Allow request-key execute scripts
+ * Update policy for haproxyd
+ * Update policy for systemd-nsresourced
+ * Correct sbin-related file context entries
+ * Allow login_userdomain execute systemd-tmpfiles in the caller domain
+ * Allow virt_driver_domain read files labeled unconfined_t
+ * Allow virt_driver_domain dbus chat with policykit
+ * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
+ * Add rules for interactions between generators
+ * Label memory.pressure files with cgroup_memory_pressure_t
+ * Revert "Allow some systemd services write to cgroup files"
+ * Update policy for systemd-nsresourced
+ * Label /usr/bin/ntfsck with fsadm_exec_t
+ * Allow systemd_fstab_generator_t read tmpfs files
+ * Update policy for systemd-nsresourced
+ * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
+ * Remove a few lines duplicated between {dkim,milter}.fc
+ * Alias /bin â /usr/bin and remove redundant paths
+ * Drop duplicate line for /usr/sbin/unix_chkpwd
+ * Drop duplicate paths for /usr/sbin
+ * Update systemd-generator policy
+ * Remove permissive domain for bootupd_t
+ * Remove permissive domain for coreos_installer_t
+ * Remove permissive domain for afterburn_t
+ * Add the sap module to modules.conf
+ * Move unconfined_domain(sap_unconfined_t) to an optional block
+ * Create the sap module
+ * Allow systemd-coredumpd sys_admin and sys_resource capabilities
+ * Allow systemd-coredump read nsfs files
+ * Allow generators auto file transition only for plain files
+ * Allow systemd-hwdb write to the kernel messages device
+ * Escape "interface" as a file name in a virt filetrans pattern
+ * Allow gnome-software work for login_userdomain
+ * Allow systemd-machined manage runtime sockets
+ * Revert "Allow systemd-machined manage runtime sockets"
+ * Allow postfix_domain connect to postgresql over a unix socket
+ * Dontaudit systemd-coredump sys_admin capability
+- Update container-selinux
+
+-------------------------------------------------------------------
Old: ---- selinux-policy-20240702.tar.xz New: ---- selinux-policy-20240710.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.mfMWq0/_old 2024-07-14 08:49:40.238620319 +0200
+++ /var/tmp/diff_new_pack.mfMWq0/_new 2024-07-14 08:49:40.242620465 +0200
@@ -33,7 +33,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240702
+Version: 20240710
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.mfMWq0/_old 2024-07-14 08:49:40.314623096 +0200
+++ /var/tmp/diff_new_pack.mfMWq0/_new 2024-07-14 08:49:40.318623242 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">174046c04175d806c0ea28d37f7b5ff8ac5afc8e</param></service><service name="tar_scm">
+ <param name="changesrevision">aa9c35290108fc65d5bf3d39813b1ce19e24ae4a</param></service><service name="tar_scm">
 <param name="url">https://github.com/containers/container-selinux.git</param>
 <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
++++++ container.te ++++++
--- /var/tmp/diff_new_pack.mfMWq0/_old 2024-07-14 08:49:40.422627041 +0200
+++ /var/tmp/diff_new_pack.mfMWq0/_new 2024-07-14 08:49:40.426627188 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.230.0)
+policy_module(container, 2.232.1)
 gen_require(`
 class passwd rootok;
@@ -40,6 +40,13 @@
 ## <desc>
 ## <p>
+## Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+## </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
+## <desc>
+## <p>
 ## Allow containers to use any dri device volume mounted into container
 ## </p>
 ## </desc>
@@ -777,6 +784,8 @@
 optional_policy(`
 systemd_dbus_chat_machined(spc_t)
 systemd_dbus_chat_logind(spc_t)
+ systemd_dbus_chat_timedated(spc_t)
+ systemd_dbus_chat_localed(spc_t)
 ')
 domain_transition_all(spc_t)
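Review bot: The tunable container_use_xserver_devices declared in the @@ -40,6 hunk is applied, in the @@ -1394,6 hunk of this file, to container_t only, while the neighbouring container_use_dri_devices block grants dev_rw_dri to container_domain, and nothing in either hunk says whether the narrower scope is intended. If it is, the description should state it, e.g. `## Allow container_t (not every container_domain) to use any xserver device volume mounted into container, mostly used for GPU acceleration`; if not, the two interface calls should be aligned with the dri block. container.te appears to be pulled from upstream container-selinux (see the _servicedata hunk), so the wording change probably belongs there.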
@@ -1087,6 +1096,7 @@
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1394,6 +1404,11 @@
 allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')
+tunable_policy(`container_use_xserver_devices',`
+ dev_getattr_xserver_misc_dev(container_t)
+ dev_rw_xserver_misc(container_t)
+')
+
 tunable_policy(`container_use_dri_devices',`
 dev_rw_dri(container_domain)
 ')
@@ -1432,6 +1447,23 @@
 allow container_engine_t proc_kcore_t:file mounton;
 allow container_engine_t proc_t:filesystem remount;
 allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+ gen_require(`
+ type devtty_t;
+ ')
+ allow container_engine_t devtty_t:chr_file mounton;
+')
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@@ -1444,6 +1476,7 @@
 unconfined_domain(kubelet_t)
 ')
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
++++++ file_contexts.subs_dist ++++++
--- /var/tmp/diff_new_pack.mfMWq0/_old 2024-07-14 08:49:40.470628795 +0200
+++ /var/tmp/diff_new_pack.mfMWq0/_new 2024-07-14 08:49:40.474628942 +0200
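Review bot: `allow container_domain spc_t:unix_stream_socket { read write };` in the @@ -1087,6 hunk is placed between the container_net_domain netlink rules and the container_runtime_domain/spc_t block with no comment saying which interaction it serves, so the next reader cannot tell whether it may be narrowed or must stay. Only read and write are granted, not connectto, so the rule covers I/O on an already-open socket rather than connecting to an spc_t listener; presumably a socket fd handed to the container by a super-privileged container (inferred, not visible here). A one-line comment such as `# containers may use (read/write only, no connectto) unix stream sockets inherited from or passed by spc_t` would pin that down, and moving the line next to the other spc_t rules would keep related rules together.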
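Review bot: `manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)` is added twice, once in the @@ -1432,6 hunk and again in the @@ -1444,6 hunk after the kubelet unconfined_domain block; the policy compiler merges identical rules so nothing breaks, but the duplicate is noise for anyone auditing what container_engine_t may do on fusefs_t, and the second copy should be dropped. In the @@ -1432,6 hunk, `allow container_engine_t kernel_t:system module_request;` is a raw rule against kernel_t where the surrounding code uses interfaces; `kernel_request_load_module(container_engine_t)` grants the same permission and does not rely on kernel_t being in a gen_require block, which I cannot see in this hunk. Both hunks are in container.te, which appears to track upstream container-selinux (see _servicedata), so the cleanup probably belongs upstream.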
@@ -17,4 +17,7 @@
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
 /usr/etc /etc
+/bin /usr/bin
+/sbin /usr/bin
+/usr/sbin /usr/bin
++++++ modules-targeted-contrib.conf ++++++
--- /var/tmp/diff_new_pack.mfMWq0/_old 2024-07-14 08:49:40.598633471 +0200
+++ /var/tmp/diff_new_pack.mfMWq0/_new 2024-07-14 08:49:40.602633618 +0200
@@ -2776,3 +2776,10 @@
 ## kiwi = module
+# Layer: contrib
+# Module: sap
+#
+# sap
+#
+sap = module
+
++++++ selinux-policy-20240702.tar.xz -> selinux-policy-20240710.tar.xz ++++++
++++ 6539 lines of diff (skipped)
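Review bot: The three substitutions added in the @@ -17,4 hunk make every /bin, /sbin and /usr/sbin path resolve its file context through the /usr/bin entries, which is right for a usr-merged system where those directories are symlinks to /usr/bin, but the file gives no hint of that assumption. As I read subs_dist semantics, this also means a file-context entry that still names /usr/sbin/<something> (in a module outside this package, say) will no longer match, because lookups are rewritten before matching; the changelog says this package's own /usr/sbin entries were moved to /usr/bin, so only third-party modules are affected. A comment above the new lines, e.g. `# usr-merge: /bin, /sbin and /usr/sbin are symlinks to /usr/bin; lookups are rewritten to the /usr/bin entries`, would record the assumption (the subs loader skips `#` lines).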
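Review bot: The description block of the new sap entry in the @@ -2776,3 hunk just repeats the module name (`# sap`) between the `# Layer:`/`# Module:` header and `sap = module`, so it tells a reader nothing about what the module confines. Replace it with a one-line description; the changelog mentions sap_unconfined_t, so something like `# Policy for SAP workloads (sap_unconfined_t)` seems right, to be confirmed against the module's .te file, which is not in this diff.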