Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2025-07-30 11:41:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.13279 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux" Wed Jul 30 11:41:40 2025 rev:29 rq:1296255 version:2.239.0 Changes: -------- --- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2025-07-08 15:28:42.993435907 +0200 +++ /work/SRC/openSUSE:Factory/.container-selinux.new.13279/container-selinux.changes 2025-07-30 11:42:07.986657327 +0200 @@ -1,0 +2,6 @@ +Thu Jul 24 12:22:54 UTC 2025 - Robert Frohl <[email protected]> + +- Add workaround for rootless docker iptables AVCs (bsc#1246348) + adding rootless-docker_iptables.patch + +------------------------------------------------------------------- New: ---- rootless-docker_iptables.patch ----------(New B)---------- New:- Add workaround for rootless docker iptables AVCs (bsc#1246348) adding rootless-docker_iptables.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++ --- /var/tmp/diff_new_pack.bPPzhz/_old 2025-07-30 11:42:10.406757607 +0200 +++ /var/tmp/diff_new_pack.bPPzhz/_new 2025-07-30 11:42:10.434758767 +0200 @@ -32,6 +32,8 @@ License: GPL-2.0-only URL: https://github.com/containers/container-selinux Source0: container-selinux-%{version}.tar.xz +# PATCH-FIX-UPSTREAM rootless-docker_iptables.patch https://github.com/containers/container-selinux/pull/388 +Patch01: rootless-docker_iptables.patch BuildRequires: selinux-policy BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-%{selinuxtype} 
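Review bot: the `# PATCH-FIX-UPSTREAM` comment on the new `Patch01:` line links the upstream PR (https://github.com/containers/container-selinux/pull/388) but not the bug it works around; carrying `bsc#1246348` on that same comment line, as the changelog entry does, makes it easier to spot when the patch can be dropped once a container-selinux release that contains PR 388 is packaged. The `Patch01` number matches the `%patch -P 1 -p1` added in the following `%prep` hunk, so application is consistent.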
@@ -48,6 +50,7 @@ %prep %setup -q +%patch -P 1 -p1 %build %make_build ++++++ rootless-docker_iptables.patch ++++++ commit 10cc7ecacd631368e23691a77dbfe63ac6ca855f Author: Robert Frohl <[email protected]> Date: Wed Jul 16 14:35:45 2025 +0200 Dontaudit dac_override for iptables_t There are AVCs observed during rootless docker 'systemctl --user restart docker.service', but no functional impact. Minimal steps to reproduce: > sudo modprobe ip_tables > # creates /proc/net/ip_tables_names > systemctl --user restart docker.service > # reproduces the AVCs ---- type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(..) : cwd=/home/user3 type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(..) : avc: denied { dac_override } for pid=4979 comm=iptables capability=dac_override scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0 ---- Fixes: bsc#1246348 Signed-off-by: Robert Frohl <[email protected]> diff --git a/container.te b/container.te index 9e20607..271efa8 100644 --- a/container.te +++ b/container.te 
@@ -465,6 +465,7 @@ optional_policy(` container_append_file(iptables_t) allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms; allow iptables_t container_file_type:dir list_dir_perms; + dontaudit iptables_t self:cap_userns dac_override; ') optional_policy(`
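Review bot: `dontaudit` rather than `allow` is the right choice for the new rule, given the commit message reports no functional impact: it only silences the denial and grants nothing, and it matches the quoted AVC exactly (tclass=cap_userns, scontext and tcontext both iptables_t, hence `self`). Two suggestions: add a one-line comment above the rule recording the reason (rootless docker's iptables opening /proc/net/ip_tables_names inside a user namespace, bsc#1246348), so a later reader does not mistake it for an accidental suppression; and note in the patch description that, because this removes the denial from the audit log entirely, anyone debugging a genuine iptables_t failure later will need to temporarily disable dontaudit rules with `semodule -DB` to see it.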
