Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-07-30 11:53:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Tue Jul 30 11:53:15 2024 rev:66 rq:1189796 version:20240726

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-07-15 19:46:36.473792324 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1882/selinux-policy.changes  
2024-07-30 11:53:21.542848730 +0200
@@ -1,0 +2,20 @@
+Fri Jul 26 13:38:26 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240726:
+  * Allow snapper grub plugin to manage unlabeled_t and read link files
+
+-------------------------------------------------------------------
+Thu Jul 25 07:43:52 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240725:
+  * Initial policy for grub2 snapper plugin (bsc#1228205)
+
+-------------------------------------------------------------------
+Tue Jul 16 10:57:07 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240716:
+  * Set microos autorelabel script to systemd_autorelabel_generator_t
+  * Allow systemd_generator to write kmsg
+  * Initial policy for systemd growpart-generator (bsc#1226824)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20240715.tar.xz

New:
----
  selinux-policy-20240726.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.XxjC1L/_old  2024-07-30 11:53:25.290999799 +0200
+++ /var/tmp/diff_new_pack.XxjC1L/_new  2024-07-30 11:53:25.315000767 +0200
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240715
+Version:        20240726
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.XxjC1L/_old  2024-07-30 11:53:25.763018824 +0200
+++ /var/tmp/diff_new_pack.XxjC1L/_new  2024-07-30 11:53:25.775019308 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">a43a23eeaaacb1d90707bb00384efb94dc268b9e</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">00a1eee94f80469b4b233f87194d42b3ea5de181</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>


++++++ selinux-policy-20240715.tar.xz -> selinux-policy-20240726.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/contrib/snapper.fc 
new/selinux-policy-20240726/policy/modules/contrib/snapper.fc
--- old/selinux-policy-20240715/policy/modules/contrib/snapper.fc       
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/contrib/snapper.fc       
2024-07-26 15:34:21.000000000 +0200
@@ -1,6 +1,7 @@
 /usr/bin/snapperd              --      
gen_context(system_u:object_r:snapperd_exec_t,s0)
 
 /usr/lib/snapper/systemd-helper                --      
gen_context(system_u:object_r:snapperd_exec_t,s0)
+/usr/lib/snapper/plugins/grub          --      
gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0)
 
 /etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
 /etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/contrib/snapper.if 
new/selinux-policy-20240726/policy/modules/contrib/snapper.if
--- old/selinux-policy-20240715/policy/modules/contrib/snapper.if       
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/contrib/snapper.if       
2024-07-26 15:34:21.000000000 +0200
@@ -97,3 +97,30 @@
     files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
 ')
 
+########################################
+## <summary>
+##     Create a set of derived types for various
+##     snapper plugins
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     The name to be used for deriving type names.
+##     </summary>
+## </param>
+#
+template(`snapper_plugin_template',`
+       gen_require(`
+               attribute snapper_plugin;
+               type snapperd_t;
+       ')
+
+       type snapper_$1_plugin_t, snapper_plugin;
+       type snapper_$1_plugin_exec_t;
+       domain_type(snapper_$1_plugin_t)
+       domain_entry_file(snapper_$1_plugin_t, snapper_$1_plugin_exec_t)
+
+       role system_r types snapper_$1_plugin_t;
+       domtrans_pattern(snapperd_t, snapper_$1_plugin_exec_t, 
snapper_$1_plugin_t)
+       dontaudit snapperd_t snapper_$1_plugin_t:process { noatsecure rlimitinh 
siginh };
+')
+
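Review bot: The template's summary (L124-L127) does not say what the derived domain is actually wired to, and that is the part a caller needs: the body makes snapperd_t transition into snapper_$1_plugin_t when it executes snapper_$1_plugin_exec_t (L146-L147), tags the domain with the snapper_plugin attribute (L140), and grants nothing else, so every permission the plugin needs has to be added by the caller in snapper.te. Suggest extending the summary with `## The derived domain is entered by a domain transition from snapperd_t and carries the snapper_plugin attribute; it receives no permissions beyond the transition itself.` The snapper_plugin attribute is required here but no rule in this diff uses it yet; a one-line comment on its intended use (shared plugin rules, presumably) would stop it from looking like dead code.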
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/contrib/snapper.te 
new/selinux-policy-20240726/policy/modules/contrib/snapper.te
--- old/selinux-policy-20240715/policy/modules/contrib/snapper.te       
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/contrib/snapper.te       
2024-07-26 15:34:21.000000000 +0200
@@ -111,3 +111,28 @@
 optional_policy(`
     snapper_relabel_snapshots(snapperd_t)
 ')
+
+########################################
+#
+# snapper plugins policy
+#
+
+attribute snapper_plugin;
+
+snapper_plugin_template(grub);
+
+### snapper grub plugin
+bootloader_exec(snapper_grub_plugin_t)
+corecmd_exec_bin(snapper_grub_plugin_t)
+files_manage_isid_type_dirs(snapper_grub_plugin_t)
+files_manage_isid_type_files(snapper_grub_plugin_t)
+snapper_filetrans_named_content(snapper_grub_plugin_t)
+kernel_read_unlabeled_lnk_files(snapper_grub_plugin_t)
+
+allow snapper_grub_plugin_t snapperd_data_t:dir manage_dir_perms;
+allow snapper_grub_plugin_t snapperd_data_t:file manage_file_perms;
+dontaudit snapper_grub_plugin_t self:capability { sys_admin };
+
+optional_policy(`
+       auth_dontaudit_read_passwd_file(snapper_grub_plugin_t)
+')
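Review bot: `files_manage_isid_type_dirs`/`files_manage_isid_type_files` (L177-L178) let the grub plugin create, write and delete any directory or file still carrying the initial SID (unlabeled_t), wherever on the system it lives, which is far wider than the snapshot data the plugin presumably edits; the changelog only says it needs to "manage unlabeled_t". Add a why-comment naming what actually shows up unlabeled, e.g. `# files inside snapshots can carry unlabeled_t — TODO confirm the paths and narrow this`, and consider labeling those paths (a filetrans or a dedicated type) instead of granting manage on all of unlabeled_t. Likewise `dontaudit snapper_grub_plugin_t self:capability { sys_admin }` (L184) silences a denial whose trigger is not recorded; a comment on which operation raises it would let a later reviewer decide whether the dontaudit can go.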
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/system/selinuxutil.fc 
new/selinux-policy-20240726/policy/modules/system/selinuxutil.fc
--- old/selinux-policy-20240715/policy/modules/system/selinuxutil.fc    
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/system/selinuxutil.fc    
2024-07-26 15:34:21.000000000 +0200
@@ -29,7 +29,7 @@
 
 /usr/lib/selinux(/.*)?                 
gen_context(system_u:object_r:policy_src_t,s0)
 
-/usr/lib/systemd/system-generators/selinux-autorelabel-generator\.sh   --      
gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/selinux-autorelabel-generator(\.sh)?        
--      gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0)
 
 /usr/libexec/selinux/selinux-autorelabel       --      
gen_context(system_u:object_r:semanage_exec_t,s0)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/system/selinuxutil.te 
new/selinux-policy-20240726/policy/modules/system/selinuxutil.te
--- old/selinux-policy-20240715/policy/modules/system/selinuxutil.te    
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/system/selinuxutil.te    
2024-07-26 15:34:21.000000000 +0200
@@ -854,6 +854,9 @@
        # src:mkdir -p "$earlydir/selinux-autorelabel.service.d"
        systemd_unit_file_filetrans(selinux_autorelabel_generator_t, 
selinux_autorelabel_generator_unit_file_t, dir)
 
+       # (opensuse microos only) filetrans unit files: 
/run/systemd/generator/.*-relabel.service
+       systemd_unit_file_filetrans(selinux_autorelabel_generator_t, 
selinux_autorelabel_generator_unit_file_t, file)
+
        # src:ln -sf "$unitdir/selinux-autorelabel.target" 
"$earlydir/default.target"
        systemd_manage_unit_symlinks(selinux_autorelabel_generator_t)
        systemd_getattr_generic_unit_files(selinux_autorelabel_generator_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/system/systemd.fc 
new/selinux-policy-20240726/policy/modules/system/systemd.fc
--- old/selinux-policy-20240715/policy/modules/system/systemd.fc        
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/system/systemd.fc        
2024-07-26 15:34:21.000000000 +0200
@@ -76,6 +76,7 @@
 /usr/lib/systemd/systemd-modules-load  --      
gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator     --      
gen_context(system_u:object_r:systemd_network_generator_exec_t,s0)
 
+/usr/lib/systemd/system-generators/growpart-generator.sh       --      
gen_context(system_u:object_r:systemd_growpart_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-bless-boot-generator        --      
gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-cryptsetup-generator        --      
gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-debug-generator     --      
gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240715/policy/modules/system/systemd.te 
new/selinux-policy-20240726/policy/modules/system/systemd.te
--- old/selinux-policy-20240715/policy/modules/system/systemd.te        
2024-07-15 13:55:08.000000000 +0200
+++ new/selinux-policy-20240726/policy/modules/system/systemd.te        
2024-07-26 15:34:21.000000000 +0200
@@ -205,6 +205,8 @@
 systemd_generator_template(systemd_getty_generator)
 # gpt-generator
 systemd_generator_template(systemd_gpt_generator)
+# growpart-generator
+systemd_generator_template(systemd_growpart_generator)
 # rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
 # ssh-generator
@@ -1283,6 +1285,7 @@
 fs_getattr_cgroup(systemd_generator)
 fs_search_cgroup_dirs(systemd_generator)
 kernel_read_proc_files(systemd_generator)
+dev_write_kmsg(systemd_generator)
 
 ### Rules for individual systemd generator domains
 
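Review bot: `dev_write_kmsg(systemd_generator)` (L275) grants write access to /dev/kmsg to every domain carrying the systemd_generator attribute, whereas before only the fstab, gpt and zram generator domains had it (the removals later in this diff). That is a deliberate widening and plausible for generators, but nothing in the hunk records the reasoning; a one-line comment would help: `# all generator domains may log to /dev/kmsg (was granted to fstab, gpt and zram individually)`.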
@@ -1297,7 +1300,6 @@
 
 create_lnk_files_pattern(systemd_fstab_generator_t, systemd_unit_file_type, 
systemd_unit_file_type)
 
-dev_write_kmsg(systemd_fstab_generator_t)
 dev_write_sysfs_dirs(systemd_fstab_generator_t)
 
 files_getattr_all_dirs(systemd_fstab_generator_t)
@@ -1322,7 +1324,6 @@
 allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket 
create_socket_perms;
 
 dev_read_sysfs(systemd_gpt_generator_t)
-dev_write_kmsg(systemd_gpt_generator_t)
 dev_read_rand(systemd_gpt_generator_t)
 
 files_list_boot(systemd_gpt_generator_t)
@@ -1352,6 +1353,23 @@
        udev_read_pid_files(systemd_gpt_generator_t)
 ')
 
+### growpart generator
+
+# needed for cat, ln
+corecmd_exec_bin(systemd_growpart_generator_t)
+
+# needed for lsblk
+dev_list_sysfs(systemd_growpart_generator_t)
+dev_read_sysfs(systemd_growpart_generator_t)
+storage_getattr_fixed_disk_dev(systemd_growpart_generator_t)
+
+optional_policy(`
+        # ignore #!/bin/bash reading passwd file
+        auth_dontaudit_read_passwd_file(systemd_growpart_generator_t)
+')
+
+permissive systemd_growpart_generator_t;
+
 ### systemd rc_local generator
 init_exec_script_files(systemd_rc_local_generator_t)
 
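Review bot: `permissive systemd_growpart_generator_t;` (L316) means the new domain is declared but not enforced: every denial is logged and allowed, so the rules above it are not yet what confines growpart-generator.sh. If this is intentional while AVC data is collected, say so next to the line with the tracking reference the changelog gives, e.g. `# TODO(bsc#1226824): permissive until denials are collected; remove before the domain counts as confined`, so the removal is not forgotten; otherwise drop the line. Note also that `corecmd_exec_bin` (L304) runs cat, ln and lsblk inside the generator domain rather than transitioning, so any permission later added for those helpers is granted to the script as a whole.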
@@ -1380,7 +1398,6 @@
 
 dev_create_sysfs_files(systemd_zram_generator_t)
 dev_rw_sysfs(systemd_zram_generator_t)
-dev_write_kmsg(systemd_zram_generator_t)
 
 # for systemd-detect-virt - needs to be confined
 corecmd_exec_bin(systemd_zram_generator_t)
