Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2021-03-02 12:27:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.2378 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Tue Mar 2 12:27:48 2021 rev:6 rq:874863 version:2.158.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2021-01-15 19:44:32.625870191 +0100
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.2378/container-selinux.changes
2021-03-02 12:30:57.055602691 +0100
@@ -1,0 +2,8 @@
+Tue Feb 23 13:21:19 UTC 2021 - Thorsten Kukuk <[email protected]>
+
+- Update to version 2.158.0
+ - Add nfs remount support
+ - Allow containers to execmod on nfs, samba and cephs remote shares
+ - Allow confined users to send dbus messages to container_runtime
+
+-------------------------------------------------------------------
Old:
----
container-selinux-2.154.0.tar.gz
New:
----
container-selinux-2.158.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.vhVaIM/_old 2021-03-02 12:30:57.655603107 +0100
+++ /var/tmp/diff_new_pack.vhVaIM/_new 2021-03-02 12:30:57.659603110 +0100
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.154.0
+Version: 2.158.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ container-selinux-2.154.0.tar.gz -> container-selinux-2.158.0.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.154.0/container.if
new/container-selinux-2.158.0/container.if
--- old/container-selinux-2.154.0/container.if 2020-12-30 18:20:50.000000000
+0100
+++ new/container-selinux-2.158.0/container.if 2021-02-11 22:35:06.000000000
+0100
@@ -44,6 +44,7 @@
container_runtime_domtrans($1)
role $2 types container_runtime_t;
+ allow $1 container_runtime_t:dbus send_msg;
')
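Review bot: The added `allow $1 container_runtime_t:dbus send_msg;` is one-directional: the caller's domain may send D-Bus messages to the runtime, but any reply or signal the runtime sends back is still denied unless `allow container_runtime_t $1:dbus send_msg;` is granted as well, so if the intended traffic is request/response (the changelog says confined users talk to container_runtime) the reverse rule belongs here too. The rule names the userspace `dbus` class directly, so the interface's gen_require block, which is outside this hunk, needs `class dbus send_msg;` next to `type container_runtime_t;` if it does not already list it. The interface's summary comment above the hunk should also say that the role now gets D-Bus send rights to the runtime, since that is not implied by the domtrans/role rules it previously granted. The interface definition starts outside the hunk.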
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.154.0/container.te
new/container-selinux-2.158.0/container.te
--- old/container-selinux-2.154.0/container.te 2020-12-30 18:20:50.000000000
+0100
+++ new/container-selinux-2.158.0/container.te 2021-02-11 22:35:06.000000000
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.154.0)
+policy_module(container, 2.158.0)
gen_require(`
class passwd rootok;
')
@@ -468,10 +468,12 @@
fs_manage_nfs_files(container_runtime_domain)
fs_manage_nfs_named_sockets(container_runtime_domain)
fs_manage_nfs_symlinks(container_runtime_domain)
+ fs_remount_nfs(container_runtime_domain)
fs_mount_nfs(container_runtime_domain)
fs_unmount_nfs(container_runtime_domain)
fs_exec_nfs_files(container_runtime_domain)
kernel_rw_fs_sysctls(container_runtime_domain)
+ allow container_runtime_domain nfs_t:file execmod;
')
tunable_policy(`virt_use_samba',`
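Review bot: The new `allow container_runtime_domain nfs_t:file execmod;` (and the matching `execmod` rules in the hunks ending at L100, L107 and L114) lets the domain modify a mapped file from a remote share and then execute it, which is the text-relocation case the execmod permission was split out to control, yet none of the rules carries a comment saying which workload needs it. A one-line comment above each rule, such as `# execmod: libraries with text relocations on network shares (see <ticket-placeholder>)`, would let the next reviewer tell a deliberate grant from a leftover. The rules also name `nfs_t`, `cifs_t` and `cephfs_t` directly instead of going through an `fs_*` interface, so each type must be declared in a `gen_require` block (`type nfs_t;` and so on); the only gen_require visible in this series is at L100 and its contents are outside the diff, so this is worth confirming. The enclosing `tunable_policy` block starts before this hunk.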
@@ -480,6 +482,14 @@
fs_manage_cifs_named_sockets(container_runtime_domain)
fs_manage_cifs_symlinks(container_runtime_domain)
fs_exec_cifs_files(container_runtime_domain)
+ allow container_runtime_domain cifs_t:file execmod;
+
+ fs_manage_cifs_files(container_domain)
+ fs_manage_cifs_dirs(container_domain)
+ fs_manage_cifs_named_sockets(container_domain)
+ fs_manage_cifs_symlinks(container_domain)
+ fs_exec_cifs_files(container_domain)
+ allow container_domain cifs_t:file execmod;
')
gen_require(`
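Review bot: The changelog does not cover the new `fs_manage_cifs_*` and `fs_exec_cifs_files` grants to `container_domain` at the end of this hunk: every container process, not only `container_runtime_domain`, now gets manage and exec on cifs_t when virt_use_samba is on, while the entry at L23 mentions only execmod. Unless container_domain already receives cifs access elsewhere in the file, the changelog entry should name this, and a comment above the new lines such as `# containers get the same cifs access as the runtime under virt_use_samba` would make the intent explicit. The `tunable_policy` block begins outside this hunk.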
@@ -494,6 +504,7 @@
fs_mount_nfs(container_domain)
fs_unmount_nfs(container_domain)
fs_exec_nfs_files(container_domain)
+ allow container_domain nfs_t:file execmod;
')
tunable_policy(`container_use_cephfs',`
@@ -501,6 +512,7 @@
manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
exec_files_pattern(container_domain, cephfs_t, cephfs_t)
+ allow container_domain cephfs_t:file execmod;
')
fs_manage_fusefs_named_sockets(container_runtime_domain)
@@ -733,6 +745,7 @@
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms
map };
allow container_domain container_runtime_t:unix_dgram_socket sendto;
+allow container_domain container_runtime_domain:tun_socket relabelfrom;
allow container_domain container_runtime_domain:fd use;
allow container_runtime_domain container_domain:fd use;
allow container_domain self:socket_class_set { create_socket_perms map accept
};
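Review bot: The new unconditional `allow container_domain container_runtime_domain:tun_socket relabelfrom;` is not mentioned in the changelog and carries no comment, although combined with a `relabelto` on the container's own type it lets any container process take over TUN/TAP sockets the runtime created. It is worth stating which runtime flow hands tun devices into containers and confirming that the corresponding relabelto rule exists elsewhere in the file; a comment such as `# containers relabel tun devices created for them by the runtime` plus a changelog line would document it. Unlike the nfs/cifs/cephfs grants, this one sits outside any tunable, which may be intended but should be confirmed.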
@@ -1197,6 +1210,8 @@
fs_manage_cgroup_dirs(container_init_t)
fs_manage_cgroup_files(container_init_t)
+logging_send_syslog_msg(container_init_t)
+
allow container_init_t proc_t:filesystem remount;
optional_policy(`