Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-12-15 11:35:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1939 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Mon Dec 15 11:35:14 2025 rev:141 rq:1322558 version:20251211
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-12-11 18:32:23.150912821 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1939/selinux-policy.changes 2025-12-15 11:35:29.209662067 +0100
@@ -1,0 +2,11 @@
+Thu Dec 11 10:38:53 UTC 2025 - Cathy Hu <[email protected]>
+
+- Update to version 20251211:
+ * Create seperate type for /run/account (bsc#1253469)
+ * Make newidmapd_t, pwaccessd_t, pwupdd_t permissive until testing is complete (bsc#1253469)
+ * Allow polkit access pwaccessd varlink socket (bsc#1253469)
+ * Allow account-utils use userdbd varlink socket (bsc#1253469)
+ * Initial policy for account-utils (bsc#1253469)
+ * Allow virtlogd_t dac_override (bsc#1253389)
+
+-------------------------------------------------------------------
Old: ---- selinux-policy-20251208.tar.xz New: ---- selinux-policy-20251211.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.3fBP7e/_old 2025-12-15 11:35:32.177787278 +0100
+++ /var/tmp/diff_new_pack.3fBP7e/_new 2025-12-15 11:35:32.197788121 +0100
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20251208
+Version: 20251211
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.3fBP7e/_old 2025-12-15 11:35:32.817814277 +0100
+++ /var/tmp/diff_new_pack.3fBP7e/_new 2025-12-15 11:35:32.833814952 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">88ac5853a00190c20d1bb9fd61e8b86bf7fa177c</param></service></servicedata>
+ <param name="changesrevision">4e60e1a9c9346a246c9a2a3afe1da10ab97afcbd</param></service></servicedata>
(No newline at EOF)
++++++ selinux-policy-20251208.tar.xz -> selinux-policy-20251211.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/dist/targeted/modules.conf new/selinux-policy-20251211/dist/targeted/modules.conf
--- old/selinux-policy-20251208/dist/targeted/modules.conf 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/dist/targeted/modules.conf 2025-12-11 11:24:54.000000000 +0100
@@ -3100,6 +3100,13 @@
 # SUSE specific modules
 # Layer: contrib
+# Module: account-utils
+#
+# account-utils module
+#
+account-utils = module
+
+# Layer: contrib
 # Module: kanidm_unixd
 #
 # Kanidm Unix Integration Daemons and Tools
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/admin/usermanage.te new/selinux-policy-20251211/policy/modules/admin/usermanage.te
--- old/selinux-policy-20251208/policy/modules/admin/usermanage.te 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/admin/usermanage.te 2025-12-11 11:24:54.000000000 +0100
@@ -412,6 +412,11 @@
 userdom_manage_user_tmp_dirs(passwd_t)
 optional_policy(`
+ accountutils_pwaccessd_varlink_socket_connect(passwd_t)
+ accountutils_pwupdd_varlink_socket_connect(passwd_t)
+')
+
+optional_policy(`
 gnome_exec_keyringd(passwd_t)
 gnome_manage_cache_home_dir(passwd_t)
 gnome_manage_generic_cache_sockets(passwd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/contrib/account-utils.fc new/selinux-policy-20251211/policy/modules/contrib/account-utils.fc
--- old/selinux-policy-20251208/policy/modules/contrib/account-utils.fc 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/contrib/account-utils.fc 2025-12-11 11:24:54.000000000 +0100
@@ -0,0 +1,10 @@
+/usr/libexec/newidmapd -- gen_context(system_u:object_r:newidmapd_exec_t,s0)
+/usr/libexec/pwaccessd -- gen_context(system_u:object_r:pwaccessd_exec_t,s0)
+/usr/libexec/pwupdd -- gen_context(system_u:object_r:pwupdd_exec_t,s0)
+
+/run/account(/.*)? gen_context(system_u:object_r:accountutils_var_run_t,s0)
+
+# account-utils varlink sockets
+/run/account/pwaccess-socket -s gen_context(system_u:object_r:pwaccessd_var_run_t,s0)
+/run/account/pwupd-socket -s gen_context(system_u:object_r:pwupd_var_run_t,s0)
+/run/account/newidmapd-socket -s gen_context(system_u:object_r:newidmapd_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/contrib/account-utils.if new/selinux-policy-20251211/policy/modules/contrib/account-utils.if
--- old/selinux-policy-20251208/policy/modules/contrib/account-utils.if 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/contrib/account-utils.if 2025-12-11 11:24:54.000000000 +0100
@@ -0,0 +1,41 @@
+## <summary>Policy for account-utils.</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## pwaccessd_t varlink socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountutils_pwaccessd_varlink_socket_connect',`
+ gen_require(`
+ type pwaccessd_t;
+ type pwaccessd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, pwaccessd_var_run_t, pwaccessd_var_run_t, pwaccessd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## pwupdd_t varlink socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountutils_pwupdd_varlink_socket_connect',`
+ gen_require(`
+ type pwupdd_t;
+ type pwupd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, pwupd_var_run_t, pwupd_var_run_t, pwupdd_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/contrib/account-utils.te new/selinux-policy-20251211/policy/modules/contrib/account-utils.te
--- old/selinux-policy-20251208/policy/modules/contrib/account-utils.te 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/contrib/account-utils.te 2025-12-11 11:24:54.000000000 +0100
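Review bot: Both stream_connect_pattern calls pass the socket's own type as the directory to search, but account-utils.fc labels the parent directory /run/account as accountutils_var_run_t, so a caller of accountutils_pwaccessd_varlink_socket_connect is granted write on the sock_file and connectto on pwaccessd_t yet no search on the directory that actually holds the socket; with the daemons permissive the client side would still be denied once the callers run enforcing. I'd add `type accountutils_var_run_t;` to each gen_require, call `files_search_pids($1)` and use `stream_connect_pattern($1, accountutils_var_run_t, pwaccessd_var_run_t, pwaccessd_t)` (the pwupdd interface the same way with pwupd_var_run_t/pwupdd_t). This affects every caller this commit adds: usermanage.te, policykit.te, authlogin.if and init.te. As a point of style, the type is named pwupd_var_run_t while its daemon is pwupdd_t, whereas the other two are newidmapd_var_run_t/pwaccessd_var_run_t; pwupdd_var_run_t would keep the convention.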
@@ -0,0 +1,134 @@
+policy_module(account-utils, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type newidmapd_t;
+type newidmapd_exec_t;
+init_daemon_domain(newidmapd_t, newidmapd_exec_t)
+init_nnp_daemon_domain(newidmapd_t)
+
+type pwaccessd_t;
+type pwaccessd_exec_t;
+init_daemon_domain(pwaccessd_t, pwaccessd_exec_t)
+init_nnp_daemon_domain(pwaccessd_t)
+
+type pwupdd_t;
+type pwupdd_exec_t;
+init_daemon_domain(pwupdd_t, pwupdd_exec_t)
+init_nnp_daemon_domain(pwupdd_t)
+
+type accountutils_var_run_t;
+files_pid_file(accountutils_var_run_t)
+
+type newidmapd_var_run_t;
+files_pid_file(newidmapd_var_run_t)
+
+type pwaccessd_var_run_t;
+files_pid_file(pwaccessd_var_run_t)
+
+type pwupd_var_run_t;
+files_pid_file(pwupd_var_run_t)
+
+########################################
+#
+# newidmap local policy
+#
+
+# https://github.com/thkukuk/account-utils/blob/bf57c14f254570b4e5ad24925d8e481bff2ab828/src/newidmapd.c#L216
+allow newidmapd_t self:capability { dac_override setgid setuid };
+allow newidmapd_t self:cap_userns sys_admin;
+
+allow newidmapd_t self:unix_dgram_socket { create getopt setopt write };
+
+kernel_dgram_send(newidmapd_t)
+
+auth_read_passwd_file(newidmapd_t)
+
+create_dirs_pattern(newidmapd_t, accountutils_var_run_t, accountutils_var_run_t)
+rw_dirs_pattern(newidmapd_t, accountutils_var_run_t, accountutils_var_run_t)
+files_pid_filetrans(newidmapd_t, accountutils_var_run_t, { dir file fifo_file sock_file })
+filetrans_pattern(newidmapd_t, accountutils_var_run_t, newidmapd_var_run_t, file, "newidmapd-socket")
+
+fs_getattr_pidfs(newidmapd_t)
+
+logging_read_syslog_pid(newidmapd_t)
+logging_write_syslog_pid_socket(newidmapd_t)
+
+optional_policy(`
+ container_write_proc_files(newidmapd_t)
+ container_read_state(newidmapd_t)
+')
+
+permissive newidmapd_t;
+
+########################################
+#
+# pwaccessd local policy
+#
+
+allow pwaccessd_t self:unix_dgram_socket { create getopt setopt write };
+
+kernel_dgram_send(pwaccessd_t)
+
+auth_read_passwd_file(pwaccessd_t)
+auth_read_shadow(pwaccessd_t)
+
+create_dirs_pattern(pwaccessd_t, accountutils_var_run_t, accountutils_var_run_t)
+rw_dirs_pattern(pwaccessd_t, accountutils_var_run_t, accountutils_var_run_t)
+files_pid_filetrans(pwaccessd_t, accountutils_var_run_t, { dir file fifo_file sock_file })
+filetrans_pattern(pwaccessd_t, accountutils_var_run_t, pwaccessd_var_run_t, file, "pwaccess-socket")
+
+fs_getattr_pidfs(pwaccessd_t)
+
+logging_read_syslog_pid(pwaccessd_t)
+logging_write_syslog_pid_socket(pwaccessd_t)
+
+
+optional_policy(`
+ systemd_userdbd_stream_connect(pwaccessd_t)
+')
+
+permissive pwaccessd_t;
+
+########################################
+#
+# pwupd local policy
+#
+
+allow pwupdd_t self:capability chown;
+
+# https://github.com/thkukuk/account-utils/pull/13#discussion_r2557314252
+allow pwupdd_t self:capability setuid;
+
+allow pwupdd_t self:process setfscreate;
+allow pwupdd_t self:unix_dgram_socket { create connect getopt setopt write };
+
+kernel_dgram_send(pwupdd_t)
+
+auth_etc_filetrans_shadow(pwupdd_t)
+auth_manage_passwd(pwupdd_t)
+auth_manage_shadow(pwupdd_t)
+
+corecmd_check_exec_shell(pwupdd_t)
+
+create_dirs_pattern(pwupdd_t, accountutils_var_run_t, accountutils_var_run_t)
+rw_dirs_pattern(pwupdd_t, accountutils_var_run_t, accountutils_var_run_t)
+files_pid_filetrans(pwupdd_t, accountutils_var_run_t, { dir file fifo_file sock_file })
+filetrans_pattern(pwupdd_t, accountutils_var_run_t, pwupd_var_run_t, file, "pwupd-socket")
+
+fs_getattr_pidfs(pwupdd_t)
+
+logging_create_devlog_dev(pwupdd_t)
+logging_read_syslog_pid(pwupdd_t)
+logging_write_syslog_pid_socket(pwupdd_t)
+
+selinux_compute_access_vector(pwupdd_t)
+selinux_read_security_files(pwupdd_t)
+selinux_set_enforce_mode(pwupdd_t)
+
+accountutils_pwaccessd_varlink_socket_connect(pwupdd_t)
+
+permissive pwupdd_t;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore'
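Review bot: None of the three daemon domains is allowed to create a sock_file for its varlink socket: the only rules on accountutils_var_run_t are create_dirs_pattern/rw_dirs_pattern, and the named transitions are declared with class `file` (`filetrans_pattern(newidmapd_t, accountutils_var_run_t, newidmapd_var_run_t, file, "newidmapd-socket")`, likewise for pwaccess-socket and pwupd-socket) while account-utils.fc labels those same paths with `-s`, so a socket the daemon binds itself would keep the directory's label and never match the transition. If the daemons bind their sockets themselves rather than inheriting them from systemd socket activation (not visible in the hunk), I'd add `manage_sock_files_pattern(newidmapd_t, accountutils_var_run_t, newidmapd_var_run_t)` and change the transition class to `sock_file` for each domain; `permissive` on all three domains currently turns these denials into audit-only messages, so they are easy to miss during the testing the changelog mentions. Separately, `selinux_set_enforce_mode(pwupdd_t)` lets a daemon that already manages /etc/passwd and /etc/shadow switch the whole system to permissive, which is hard to justify for a password-update service; if the rule only silences a libselinux probe, a dontaudit of the same permission is the right shape, otherwise a comment naming the code path (as done for the capability rules above) would document why it is needed.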
old/selinux-policy-20251208/policy/modules/contrib/policykit.te new/selinux-policy-20251211/policy/modules/contrib/policykit.te
--- old/selinux-policy-20251208/policy/modules/contrib/policykit.te 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/contrib/policykit.te 2025-12-11 11:24:54.000000000 +0100
@@ -223,6 +223,10 @@
 userdom_read_admin_home_files(policykit_auth_t)
 optional_policy(`
+ accountutils_pwaccessd_varlink_socket_connect(policykit_auth_t)
+')
+
+optional_policy(`
 dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
 dbus_session_bus_client(policykit_auth_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/contrib/virt.te new/selinux-policy-20251211/policy/modules/contrib/virt.te
--- old/selinux-policy-20251208/policy/modules/contrib/virt.te 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/contrib/virt.te 2025-12-11 11:24:54.000000000 +0100
@@ -989,7 +989,7 @@
 #
 # virtlogd local policy
 #
-allow virtlogd_t self:capability kill;
+allow virtlogd_t self:capability { dac_override kill };
 allow virtlogd_t virt_image_t:dir search_dir_perms;
 allow virtlogd_t svirt_t:process signal;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/system/authlogin.if new/selinux-policy-20251211/policy/modules/system/authlogin.if
--- old/selinux-policy-20251208/policy/modules/system/authlogin.if 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/system/authlogin.if 2025-12-11 11:24:54.000000000 +0100
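Review bot: `dac_override` in the virt.te hunk is the widest DAC-bypass capability; if the access behind bsc#1253389 is virtlogd reading or traversing files it does not own, `dac_read_search` is the narrower grant and `allow virtlogd_t self:capability { dac_read_search kill };` would cover it. The changelog entry does not say which operation was denied, so this needs confirming against the original denial rather than assumed; a one-line comment with the bug reference above the rule would also help the next reader.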
@@ -75,6 +75,10 @@
 userdom_search_user_tmp_dirs($1)
 optional_policy(`
+ accountutils_pwaccessd_varlink_socket_connect($1)
+ ')
+
+ optional_policy(`
 dbus_system_bus_client($1)
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251208/policy/modules/system/init.te new/selinux-policy-20251211/policy/modules/system/init.te
--- old/selinux-policy-20251208/policy/modules/system/init.te 2025-12-08 09:29:12.000000000 +0100
+++ new/selinux-policy-20251211/policy/modules/system/init.te 2025-12-11 11:24:54.000000000 +0100
@@ -970,6 +970,10 @@
 userdom_rw_stream(init_t)
 ')
+optional_policy(`
+ accountutils_pwaccessd_varlink_socket_connect(init_t)
+')
+
 ########################################
 #
 # Init script local policy
