Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-09-03 21:06:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Sep 3 21:06:56 2025 rev:123 rq:1302415 version:20250902 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-08-13 16:28:25.667198177 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1977/selinux-policy.changes 2025-09-03 21:07:09.479943564 +0200 
@@ -1,0 +2,28 @@ +Tue Sep 02 11:18:02 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20250902: + * Label /usr/lib/systemd/systemd-ssh-issue with systemd_ssh_issue_exec_t + * Allow stalld map sysfs files + * Allow NetworkManager-dispatcher-winbind get pidfs attributes + * Allow openvpn create and use generic netlink socket + * policy_capabilities: remove estimated from released versions + * policy_capabilities: add stub for userspace_initial_context + * add netlink_xperm policy capability and nlmsg permission definitions + * policy_capabilities: add ioctl_skip_cloexec + * selinux-policy: add allow rule for tuned_ppd_t + * selinux-policy: add allow rule for switcheroo_control_t + * Label /run/audit with auditd_var_run_t + * Allow virtqemud start a vm which uses nbdkit + * Add nbdkit_signal() and nbdkit_signull() interfaces + * Fix insights_client interfaces names + * Add insights_core and insights_client interfaces + * dist/targeted/modules.conf: enable slrnpull module + * Allow bootupd delete symlinks in the /boot directory + * Allow systemd-coredumpd capabilities in the user namespace + * Allow openvswitch read virtqemud process state +- Syncing with upstream rawhide selinux-policy up to: + * 17956d28c011c35560e75a7293ac5924df57a1ee +- Update embedded container-selinux version to commit: + * 5997aa524734886d35e187f52de2546f25c9f500 (version 2.241.0) + +------------------------------------------------------------------- Old: ---- selinux-policy-20250812.tar.xz New: ---- selinux-policy-20250902.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.VQ02gM/_old 2025-09-03 21:07:10.367981090 +0200 +++ /var/tmp/diff_new_pack.VQ02gM/_new 2025-09-03 21:07:10.371981258 +0200 
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20250812 +Version: 20250902 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.VQ02gM/_old 2025-09-03 21:07:10.435983963 +0200 +++ /var/tmp/diff_new_pack.VQ02gM/_new 2025-09-03 21:07:10.439984132 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">23289c57c31a08f3e9ba3e0ea8cc5c735e50c08d</param></service></servicedata> + <param name="changesrevision">a4461ceddfa0519a7c3b9ea8e8f9c6f96f1a33b9</param></service></servicedata> (No newline at EOF) ++++++ container.if ++++++ --- /var/tmp/diff_new_pack.VQ02gM/_old 2025-09-03 21:07:10.467985316 +0200 +++ /var/tmp/diff_new_pack.VQ02gM/_new 2025-09-03 21:07:10.471985484 +0200 @@ -19,6 +19,7 @@ corecmd_search_bin($1) domtrans_pattern($1, container_runtime_exec_t, container_runtime_t) allow container_runtime_t $1:fifo_file setattr; + allow $1 container_runtime_t:bpf prog_run; ') ######################################## ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.VQ02gM/_old 2025-09-03 21:07:10.499986668 +0200 +++ /var/tmp/diff_new_pack.VQ02gM/_new 2025-09-03 21:07:10.499986668 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.240.0) +policy_module(container, 2.241.0) gen_require(` class passwd rootok; @@ -743,7 +743,7 @@ allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint; fs_fusefs_entrypoint(unconfined_domain_type) - domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t) + container_runtime_domtrans(unconfined_domain_type) ') optional_policy(` 
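Review bot: The `allow $1 container_runtime_t:bpf prog_run;` added to `container_runtime_domtrans` in container.if widens an interface whose name and `<summary>` (outside the hunk) describe only a domain transition; the summary should gain a line such as `## Also allows the caller to run BPF programs created by the container runtime.` so readers of the .if file are not surprised. Because the container.te hunk on this line swaps `domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)` for `container_runtime_domtrans(unconfined_domain_type)`, that hunk also grants the new bpf permission even though it reads as a pure refactor. The direct `allow init_t container_runtime_t:bpf prog_run;` in the following container.te hunk carries no comment either; a one-line comment naming the operation that needs `prog_run` would help at both sites.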
@@ -1335,6 +1335,7 @@ container_manage_share_dirs(init_t) container_filetrans_named_content(init_t) container_runtime_read_tmpfs_files(init_t) +allow init_t container_runtime_t:bpf prog_run; gen_require(` attribute device_node; ++++++ selinux-policy-20250812.tar.xz -> selinux-policy-20250902.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/dist/targeted/modules.conf new/selinux-policy-20250902/dist/targeted/modules.conf --- old/selinux-policy-20250812/dist/targeted/modules.conf 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/dist/targeted/modules.conf 2025-09-02 13:17:37.000000000 +0200 @@ -2138,7 +2138,7 @@ # # Service for downloading news feeds the slrn newsreader. # -slrnpull = on +slrnpull = module # Layer: services # Module: smartmon @@ -2316,11 +2316,12 @@ tmpreaper = module # Layer: contrib -# Module: glusterd +# Module: tomcat # # policy for tomcat service # tomcat = module + # Layer: services # Module: tor # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/flask/access_vectors new/selinux-policy-20250902/policy/flask/access_vectors --- old/selinux-policy-20250812/policy/flask/access_vectors 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/flask/access_vectors 2025-09-02 13:17:37.000000000 +0200 @@ -636,6 +636,7 @@ { nlmsg_read nlmsg_write + nlmsg } class netlink_firewall_socket @@ -650,6 +651,7 @@ { nlmsg_read nlmsg_write + nlmsg } class netlink_nflog_socket @@ -660,6 +662,7 @@ { nlmsg_read nlmsg_write + nlmsg } class netlink_selinux_socket 
@@ -673,6 +676,7 @@ nlmsg_relay nlmsg_readpriv nlmsg_tty_audit + nlmsg } class netlink_ip6fw_socket diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/bootupd.te new/selinux-policy-20250902/policy/modules/contrib/bootupd.te --- old/selinux-policy-20250812/policy/modules/contrib/bootupd.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/bootupd.te 2025-09-02 13:17:37.000000000 +0200 @@ -45,6 +45,7 @@ domain_use_interactive_fds(bootupd_t) files_create_boot_dirs(bootupd_t) +files_delete_boot_symlinks(bootupd_t) files_read_etc_files(bootupd_t) files_manage_boot_files(bootupd_t) files_read_root_files(bootupd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/insights_client.if new/selinux-policy-20250902/policy/modules/contrib/insights_client.if --- old/selinux-policy-20250812/policy/modules/contrib/insights_client.if 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/insights_client.if 2025-09-02 13:17:37.000000000 +0200 
@@ -323,6 +323,63 @@ ######################################## ## <summary> +## Create insights_client lib socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_client_create_lib_sock_files',` + gen_require(` + type insights_client_var_lib_t; + ') + + files_search_var_lib($1) + create_sock_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t) +') + +######################################## +## <summary> +## Write insights_client lib socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_client_write_lib_sock_files',` + gen_require(` + type insights_client_var_lib_t; + ') + + files_search_var_lib($1) + write_sock_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t) +') + +######################################## +## <summary> +## Setattr insights_client lib socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_client_setattr_lib_sock_files',` + gen_require(` + type insights_client_var_lib_t; + ') + + files_search_var_lib($1) + setattr_sock_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t) +') + +######################################## +## <summary> ## Append insights_client log files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/insights_core.if new/selinux-policy-20250902/policy/modules/contrib/insights_core.if --- old/selinux-policy-20250812/policy/modules/contrib/insights_core.if 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/insights_core.if 2025-09-02 13:17:37.000000000 +0200 
@@ -42,7 +42,7 @@ ######################################## ## <summary> -## Read insights_client lib files. +## Read insights_core lib files. ## </summary> ## <param name="domain"> ## <summary> @@ -61,6 +61,25 @@ ') ######################################## +## <summary> +## Read insights_core tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_core_read_tmp_files',` + gen_require(` + type insights_core_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, insights_core_tmp_t, insights_core_tmp_t) +') + +######################################## ## <summary> ## Allow the specified domain to read insights-core state files in /proc. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/nbdkit.if new/selinux-policy-20250902/policy/modules/contrib/nbdkit.if --- old/selinux-policy-20250812/policy/modules/contrib/nbdkit.if 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/nbdkit.if 2025-09-02 13:17:37.000000000 +0200 
@@ -103,6 +103,46 @@ ######################################## ## <summary> +## Send a generic signal to nbdkit +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +ifndef(`nbdkit_signal',` + interface(`nbdkit_signal',` + gen_require(` + type nbdkit_t; + ') + + allow $1 nbdkit_t:process signal; + ') +') + +######################################## +## <summary> +## Send signull to nbdkit +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +ifndef(`nbdkit_signull',` + interface(`nbdkit_signull',` + gen_require(` + type nbdkit_t; + ') + + allow $1 nbdkit_t:process signull; + ') +') + +######################################## +## <summary> ## Allow attempts to connect to nbdkit ## with a unix stream socket. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/networkmanager.te new/selinux-policy-20250902/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20250812/policy/modules/contrib/networkmanager.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/networkmanager.te 2025-09-02 13:17:37.000000000 +0200 @@ -639,6 +639,8 @@ files_manage_etc_files(NetworkManager_dispatcher_console_t) +fs_getattr_pidfs(NetworkManager_dispatcher_winbind_t) + init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) init_status(NetworkManager_dispatcher_custom_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/openvpn.te new/selinux-policy-20250902/policy/modules/contrib/openvpn.te --- old/selinux-policy-20250812/policy/modules/contrib/openvpn.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/openvpn.te 2025-09-02 13:17:37.000000000 +0200 
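Review bot: Both new interfaces document their parameter as `Domain to not audit.` although their bodies are `allow` rules, not `dontaudit`; the `<param>` summary should read `Domain allowed access.` as in the other interfaces added by this commit (insights_client.if, virt.if, files.if). The `ifndef` guards around `nbdkit_signal` and `nbdkit_signull` are unusual in a .if file; a one-line comment stating which other module may already define these interfaces would explain why they are conditional.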
@@ -79,6 +79,7 @@ allow openvpn_t self:unix_stream_socket { accept connectto listen }; allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow openvpn_t self:netlink_generic_socket create_socket_perms; allow openvpn_t self:netlink_route_socket nlmsg_write; dontaudit openvpn_t self:capability2 block_suspend ; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/openvswitch.te new/selinux-policy-20250902/policy/modules/contrib/openvswitch.te --- old/selinux-policy-20250812/policy/modules/contrib/openvswitch.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/openvswitch.te 2025-09-02 13:17:37.000000000 +0200 @@ -169,6 +169,7 @@ virt_rw_svirt_image(openvswitch_t) virt_stream_connect_svirt(openvswitch_t) virt_rw_stream_sockets_svirt(openvswitch_t) + virt_virtqemud_read_state(openvswitch_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/stalld.te new/selinux-policy-20250902/policy/modules/contrib/stalld.te --- old/selinux-policy-20250812/policy/modules/contrib/stalld.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/stalld.te 2025-09-02 13:17:37.000000000 +0200 
@@ -38,6 +38,7 @@ kernel_setsched(stalld_t) dev_read_sysfs(stalld_t) +dev_map_sysfs(stalld_t) domain_getsched_all_domains(stalld_t) domain_read_all_domains_state(stalld_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/switcheroo.te new/selinux-policy-20250902/policy/modules/contrib/switcheroo.te --- old/selinux-policy-20250812/policy/modules/contrib/switcheroo.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/switcheroo.te 2025-09-02 13:17:37.000000000 +0200 @@ -21,6 +21,8 @@ dev_list_sysfs(switcheroo_control_t) dev_read_sysfs(switcheroo_control_t) +fs_getattr_tmpfs(switcheroo_control_t) + optional_policy(` dbus_connect_system_bus(switcheroo_control_t) dbus_system_bus_client(switcheroo_control_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/tuned.te new/selinux-policy-20250902/policy/modules/contrib/tuned.te --- old/selinux-policy-20250812/policy/modules/contrib/tuned.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/tuned.te 2025-09-02 13:17:37.000000000 +0200 @@ -186,6 +186,8 @@ dev_watch_sysfs_dirs(tuned_ppd_t) dev_watch_reads_sysfs_dirs(tuned_ppd_t) +fs_getattr_xattr_fs(tuned_ppd_t) + optional_policy(` auth_read_passwd_file(tuned_ppd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/virt.if new/selinux-policy-20250902/policy/modules/contrib/virt.if --- old/selinux-policy-20250812/policy/modules/contrib/virt.if 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/virt.if 2025-09-02 13:17:37.000000000 +0200 
@@ -2241,6 +2241,24 @@ ######################################## ## <summary> +## Read the virtqemud process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_virtqemud_read_state',` + gen_require(` + type virtqemud_t; + ') + + ps_process_pattern($1, virtqemud_t) +') + +######################################## +## <summary> ## Execute virsh in the caller domain. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/contrib/virt.te new/selinux-policy-20250902/policy/modules/contrib/virt.te --- old/selinux-policy-20250812/policy/modules/contrib/virt.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/contrib/virt.te 2025-09-02 13:17:37.000000000 +0200 @@ -2387,6 +2387,9 @@ optional_policy(` nbdkit_domtrans(virtqemud_t) + nbdkit_signal(virtqemud_t) + nbdkit_signull(virtqemud_t) + nbdkit_stream_connect(virtqemud_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/kernel/files.if new/selinux-policy-20250902/policy/modules/kernel/files.if --- old/selinux-policy-20250812/policy/modules/kernel/files.if 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/kernel/files.if 2025-09-02 13:17:37.000000000 +0200 
@@ -3623,6 +3623,24 @@ ######################################## ## <summary> +## Delete symlinks in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_boot_symlinks',` + gen_require(` + type boot_t; + ') + + delete_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> ## Create, read, write, and delete symbolic links ## in the /boot directory. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/system/logging.fc new/selinux-policy-20250902/policy/modules/system/logging.fc --- old/selinux-policy-20250812/policy/modules/system/logging.fc 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/system/logging.fc 2025-09-02 13:17:37.000000000 +0200 @@ -66,6 +66,7 @@ /var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') +/run/audit(/.*)? gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) /run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/system/logging.te new/selinux-policy-20250902/policy/modules/system/logging.te --- old/selinux-policy-20250812/policy/modules/system/logging.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/system/logging.te 2025-09-02 13:17:37.000000000 +0200 
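Review bot: `files_delete_boot_symlinks` is summarised as "Delete symlinks in the /boot directory" but its body is `delete_files_pattern($1, boot_t, boot_t)`, which in refpolicy expands to the `file` class rather than `lnk_file`, so the interface grants deletion of regular files and nothing for symlinks. The caller added in bootupd.te earlier in this commit already has `files_manage_boot_files(bootupd_t)`, so the new call adds no permission there and a symlink-unlink denial would remain. The body should be `delete_lnk_files_pattern($1, boot_t, boot_t)`, matching the lnk_file scope of the manage interface that follows this hunk (its body is outside the hunk).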
@@ -225,7 +225,7 @@ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) +files_pid_filetrans(auditd_t, auditd_var_run_t, { dir file sock_file }) manage_files_pattern(auditd_t, auditd_tmp_t, auditd_tmp_t) manage_dirs_pattern(auditd_t, auditd_tmp_t, auditd_tmp_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/system/systemd.fc new/selinux-policy-20250902/policy/modules/system/systemd.fc --- old/selinux-policy-20250812/policy/modules/system/systemd.fc 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/system/systemd.fc 2025-09-02 13:17:37.000000000 +0200 @@ -66,6 +66,7 @@ /usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0) /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) /usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0) +/usr/lib/systemd/systemd-ssh-issue -- gen_context(system_u:object_r:systemd_ssh_issue_exec_t,s0) /usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) /usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/modules/system/systemd.te new/selinux-policy-20250902/policy/modules/system/systemd.te --- old/selinux-policy-20250812/policy/modules/system/systemd.te 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/modules/system/systemd.te 2025-09-02 13:17:37.000000000 +0200 
@@ -183,6 +183,8 @@ type systemd_socket_proxyd_unit_file_t; systemd_unit_file(systemd_socket_proxyd_unit_file_t) +systemd_domain_template(systemd_ssh_issue) + systemd_domain_template(systemd_timedated) typeattribute systemd_timedated_t systemd_domain; typealias systemd_timedated_t alias gnomeclock_t; @@ -1160,6 +1162,20 @@ ####################################### # +# systemd-ssh-issue local policy +# + +permissive systemd_ssh_issue_t; + +allow systemd_ssh_issue_t self:vsock_socket create_socket_perms; + +kernel_dgram_send(systemd_ssh_issue_t) + +dev_read_sysfs(systemd_ssh_issue_t) +dev_read_vsock(systemd_ssh_issue_t); + +####################################### +# # Timedated policy # @@ -1311,7 +1327,7 @@ # setpcap - to drop capabilities allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_admin sys_chroot sys_ptrace }; dontaudit systemd_coredump_t self:capability sys_resource; -allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace }; +allow systemd_coredump_t self:cap_userns { dac_read_search dac_override setgid setuid sys_admin sys_chroot sys_ptrace }; # To set its capability set allow systemd_coredump_t self:process setcap; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250812/policy/policy_capabilities new/selinux-policy-20250902/policy/policy_capabilities --- old/selinux-policy-20250812/policy/policy_capabilities 2025-08-12 12:33:43.000000000 +0200 +++ new/selinux-policy-20250902/policy/policy_capabilities 2025-09-02 13:17:37.000000000 +0200 
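Review bot: `dev_read_vsock(systemd_ssh_issue_t);` carries a trailing semicolon that no other interface call in the new local-policy block has; m4 passes the stray `;` through into the generated policy, so the line should be `dev_read_vsock(systemd_ssh_issue_t)`. `permissive systemd_ssh_issue_t;` ships the new domain unenforced; a comment such as `# TODO: drop permissive once the domain has run in enforcing mode` would record that this is intended to be temporary. The widened `cap_userns` set for systemd_coredump_t in the last hunk (setgid, setuid, sys_chroot) is a real grant; a comment naming the denial that motivated each capability, as the block already does for `setpcap`, would make later review easier.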
@@ -100,9 +100,41 @@ policycap nnp_nosuid_transition; # Enable extended genfscon labeling for symlinks. -# Requires libsepol 3.1 (estimated) and kernel 5.7 (estimated). +# Requires libsepol 3.1 and kernel 5.7. # # Added checks: # (none) # policycap genfs_seclabel_symlinks; + +# Always allow FIOCLEX and FIONCLEX ioctl. +# Requires libsepol 3.4 and kernel 5.18. +# +# Removed checks: +# common file/socket: ioctl { 0x5450 0x5451 } +# +#policycap ioctl_skip_cloexec; + +# Enable separate user space context for processes started before first +# policy load. +# Requires libsepol 3.7 and kernel 6.8. +# +# Added checks: +# (none) +#policycap userspace_initial_context; + +# Enable netlink xperms support. Requires libsepol 3.8+ +# and kernel 6.13. +# +# Checks enabled: +# netlink_route_socket: nlmsg { nlmsg_type } +# netlink_tcpdiag_socket: nlmsg { nlmsg_type } +# netlink_xfrm_socket: nlmsg { nlmsg_type } +# netlink_audit_socket: nlmsg { nlmsg_type } +# +# Checks disabled: +# netlink_route_socket: nlmsg_read nlmsg_write +# netlink_tcpdiag_socket: nlmsg_read nlmsg_write +# netlink_xfrm_socket: nlmsg_read nlmsg_write +# netlink_audit_socket: nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit +#policycap netlink_xperm;
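Review bot: The netlink_xperm stanza uses `# Checks enabled:` / `# Checks disabled:` headings while every other stanza in this file, including the ioctl_skip_cloexec stanza added just above it, uses `# Added checks:` / `# Removed checks:`; the new text should use the established headings. The userspace_initial_context stanza also omits the bare `#` separator line before its `#policycap` line that the neighbouring stanzas keep. All three new capabilities are added commented out; a short comment stating why they stay disabled (presumably the required libsepol/kernel versions are not yet the distribution minimum) would make the intent explicit.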
