Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-03-04 20:59:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.561 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Mar 4 20:59:27 2026 rev:151 rq:1335972 version:20260302 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-02-27 17:02:45.622339318 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.561/selinux-policy.changes 2026-03-04 20:59:29.410237363 +0100 
@@ -1,0 +2,45 @@ +Tue Mar 3 07:05:55 UTC 2026 - Johannes Segitz <[email protected]> + +- Have the selinux-policy package own %{_sharedstatedir}/selinux + until the move to /etc + +------------------------------------------------------------------- +Mon Mar 02 10:32:54 UTC 2026 - Robert Frohl <[email protected]> + +- Update to version 20260302: + * Allow systemd-coredump the kill capability in the user namespace + * Allow NetworkManager list bpf directories + * Allow virtnodedevd the dac_read_search capability + * Allow pkcsslotd read files in /proc and /sys + * Allow pkcsslotd map its private tmpfs files + * Allow dovecoth-auth to connect to systemd-logind over a unix socket + * Allow tlshd write generic certificate dirs + * Allow mdadm to use CAP_BPF during RAID monitoring + * Allow rhsmcertd read anaconda run files + * Allow rpc.mountd setuid and setgid capabilities + * Use kernel_dgram_send() for systemd_notify_t + * Allow lttng-sessiond to use sd_notify + * Label /etc/aliases.cdb with etc_aliases_t + * Add aliases.lmdb to mta_filetrans_named_content() + * Update gpg_role() interface with unix_stream_socket permissions + * Allow systemd-hostnamed to create its Varlink socket + * Allow thumbnailer mount on fonts cache directories + * Support confined users usage of bubblewrap + * Allow vdagent get attributes of the pidfs filesystem + * Allow sshd-session inherit limits from its parent sshd process + * Revert "Allow sshd-session inherit limits from its parent process" + * Allow sshd-session read network sysctls + * Add the fs_write_tmpfs_files() interface + * Update gpg policy for interactions with rhc-playbook-verifier + * Allow rhc_playbook_verifier_t stream connect to itself + * Update policy for rhc-worker-playbook + * Allow sudodomain connect to gkeyringd over a unix stream socket + * Allow tlshd communication to unconfined_t over a tcp socket + * Allow tlshd write generic certificates + * Allow thumbnailer connect to abrt over a unix stream socket +- Syncing 
with upstream rawhide selinux-policy up to: + * 1f374c68142f647ade9fd043592ce4766803ce46 +- Update embedded container-selinux version to commit: + * 521cf8c56e8df7cd6809571ed9e796b495ceaa71 (v2.246.0) + +------------------------------------------------------------------- Old: ---- selinux-policy-20260219.tar.xz New: ---- selinux-policy-20260302.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.fhJno1/_old 2026-03-04 20:59:30.790294323 +0100 +++ /var/tmp/diff_new_pack.fhJno1/_new 2026-03-04 20:59:30.790294323 +0100 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260219 +Version: 20260302 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc @@ -274,6 +274,7 @@ %dir %{_datadir}/selinux %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux +%dir %{_sharedstatedir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fhJno1/_old 2026-03-04 20:59:30.882298120 +0100 +++ /var/tmp/diff_new_pack.fhJno1/_new 2026-03-04 20:59:30.886298285 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">901bdb1cb7753b844e764b2dbf8687db1459b735</param></service></servicedata> + <param name="changesrevision">c6e26f2bdd95f62fab05de0727965b7238ca73dc</param></service></servicedata> (No newline at EOF) ++++++ container.if ++++++ --- /var/tmp/diff_new_pack.fhJno1/_old 2026-03-04 20:59:30.938300431 +0100 +++ /var/tmp/diff_new_pack.fhJno1/_new 2026-03-04 20:59:30.942300597 +0100 
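Review bot: The new `%dir %{_sharedstatedir}/selinux` entry in the `@@ -274,6 +274,7 @@` hunk only lists the directory in `%files`; nothing in this diff creates it under the buildroot, so unless %install (outside the hunk) already does a `mkdir -p %{buildroot}%{_sharedstatedir}/selinux`, the build will fail with a missing-file error. It is also worth confirming that no other package on the target (the libsemanage/policycoreutils store lives under this path) already owns the same directory, since co-ownership with differing modes produces conflicts at install time. A short comment next to the entry stating the interim nature of the ownership, e.g. `# owned here until the module store moves to /etc (see changelog)`, would save the next maintainer a trip to the changelog.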
@@ -418,6 +418,25 @@ ######################################## ## <summary> +## Write container PID fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`container_write_pid_fifo_files',` + gen_require(` + type container_var_run_t; + ') + + files_search_pids($1) + write_fifo_files_pattern($1, container_var_run_t, container_var_run_t) +') + +######################################## +## <summary> ## Execute container server in the container domain. ## </summary> ## <param name="domain"> @@ -1067,3 +1086,21 @@ files_mountpoint($1) ') +####################################### +## <summary> +## Send null signals to container. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`container_signull',` + gen_require(` + type container_t; + ') + + allow $1 container_t:process signull; +') + ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.fhJno1/_old 2026-03-04 20:59:30.986302413 +0100 +++ /var/tmp/diff_new_pack.fhJno1/_new 2026-03-04 20:59:30.990302578 +0100 @@ -1,4 +1,4 @@ -policy_module(container, 2.245.0) +policy_module(container, 2.246.0) gen_require(` class passwd rootok; @@ -337,7 +337,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) -files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir fifo_file file lnk_file sock_file }) allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom; allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; 
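Review bot: The `container_signull` interface in the `@@ -1067,3 +1086,21 @@` hunk documents its parameter as `Domain allowed access` without the trailing period, and its separator line appears one `#` shorter than the one used by `container_write_pid_fifo_files` earlier in the same file; the added trailing `+` after `')` also leaves a blank line at end of file. Aligning the doc comment to `## Domain allowed access.` and the separator to the file's width keeps the generated interface documentation consistent. The rule itself, `allow $1 container_t:process signull;`, is as narrow as a signal interface gets.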
@@ -1365,8 +1365,8 @@ allow container_t proc_t:filesystem remount; -# Allow containers to access shared runtime directories for OCI runtime optimizations -allow container_t container_var_run_t:dir list_dir_perms; +# Allow containers to access and mount on shared runtime directories for OCI runtime optimizations +allow container_t container_var_run_t:dir { list_dir_perms mounton }; # Container kvm - Policy for running kata containers container_domain_template(container_kvm, container) @@ -1500,6 +1500,8 @@ term_mount_pty_fs(container_engine_t) term_use_generic_ptys(container_engine_t) +corenet_rw_tun_tap_dev(container_engine_t) + allow container_engine_t container_file_t:chr_file mounton; allow container_engine_t filesystem_type:{dir file} mounton; allow container_engine_t proc_kcore_t:file mounton; ++++++ selinux-policy-20260219.tar.xz -> selinux-policy-20260302.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/admin/sudo.te new/selinux-policy-20260302/policy/modules/admin/sudo.te --- old/selinux-policy-20260219/policy/modules/admin/sudo.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/admin/sudo.te 2026-03-02 11:32:36.000000000 +0100 @@ -135,6 +135,10 @@ ') optional_policy(` + gnome_stream_connect_gkeyringd(sudodomain) +') + +optional_policy(` ssh_signull(sudodomain) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/anaconda.if new/selinux-policy-20260302/policy/modules/contrib/anaconda.if --- old/selinux-policy-20260219/policy/modules/contrib/anaconda.if 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/anaconda.if 2026-03-02 11:32:36.000000000 +0100 
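Review bot: The added `corenet_rw_tun_tap_dev(container_engine_t)` in the `@@ -1500,6 +1500,8 @@` hunk carries no comment, unlike the neighbouring `mounton` change, so the reason the engine needs read/write on tun/tap devices (presumably host networking setup for containers) is not recorded; a one-liner such as `# engine configures tun/tap devices for container networking` would document it. For the `mounton` rule, note that `container_t` is the generic workload domain, so every container process is now allowed to mount over `container_var_run_t` directories; the kernel still gates this on mount capability in the process's user namespace, but the comment could say which OCI optimization relies on it so the grant can be revisited later.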
@@ -185,3 +185,21 @@ allow $1 install_t:fd use; ') + +####################################### +## <summary> +## Allow a domain read install /run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`install_read_var_run_files',` + gen_require(` + type install_var_run_t; + ') + + allow $1 install_var_run_t:file read_file_perms; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/dovecot.te new/selinux-policy-20260302/policy/modules/contrib/dovecot.te --- old/selinux-policy-20260219/policy/modules/contrib/dovecot.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/dovecot.te 2026-03-02 11:32:36.000000000 +0100 @@ -279,6 +279,7 @@ files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) +fs_getattr_pidfs(dovecot_auth_t) fs_getattr_xattr_fs(dovecot_auth_t) init_rw_utmp(dovecot_auth_t) @@ -328,6 +329,7 @@ ') optional_policy(` + systemd_logind_stream_connect(dovecot_auth_t) systemd_private_tmp(dovecot_auth_tmp_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/gpg.if new/selinux-policy-20260302/policy/modules/contrib/gpg.if --- old/selinux-policy-20260219/policy/modules/contrib/gpg.if 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/gpg.if 2026-03-02 11:32:36.000000000 +0100 
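Review bot: `install_read_var_run_files` grants only `allow $1 install_var_run_t:file read_file_perms;`, with no search permission on the directories leading to the files, so a caller like `rhsmcertd_t` will still be denied unless it already has `/run` search and `install_var_run_t` dir search from elsewhere. The other new pid-file interface on this page (`container_write_pid_fifo_files`) pairs its rule with `files_search_pids($1)`; doing the same here, and using `read_files_pattern($1, install_var_run_t, install_var_run_t)` if the type also labels directories, would make the interface self-sufficient. The summary `Allow a domain read install /run files.` should read `Read install /run files.` to match the module's other summaries, and its separator appears one `#` shorter than the file's standard width.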
@@ -64,7 +64,9 @@ gpg_pinentry_dbus_chat($2) ') - allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; + allow $2 gpg_agent_t:unix_stream_socket { connectto create_stream_socket_perms }; + allow gpg_agent_t $2:unix_stream_socket { getattr ioctl }; + ifdef(`hide_broken_symptoms',` #Leaked File Descriptors dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/gpg.te new/selinux-policy-20260302/policy/modules/contrib/gpg.te --- old/selinux-policy-20260219/policy/modules/contrib/gpg.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/gpg.te 2026-03-02 11:32:36.000000000 +0100 @@ -203,6 +203,7 @@ optional_policy(` rhc_playbook_verifier_manage_var_lib_files(gpg_t) + rhc_playbook_verifier_manage_var_lib_sock_files(gpg_t) rhc_worker_playbook_ioctl_fifo_files(gpg_t) rhc_worker_playbook_read_fifo_files(gpg_t) @@ -379,6 +380,7 @@ optional_policy(` rhc_playbook_verifier_manage_var_lib_files(gpg_agent_t) + rhc_playbook_verifier_manage_var_lib_sock_files(gpg_agent_t) rhc_playbook_verifier_manage_var_lib_dirs(gpg_agent_t) rhc_playbook_verifier_watch_var_lib_dirs(gpg_agent_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/ktls.te new/selinux-policy-20260302/policy/modules/contrib/ktls.te --- old/selinux-policy-20260219/policy/modules/contrib/ktls.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/ktls.te 2026-03-02 11:32:36.000000000 +0100 
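Review bot: Replacing `rw_socket_perms` with `create_stream_socket_perms` on `gpg_agent_t:unix_stream_socket` widens the role's access from talking to an existing agent socket to `create`, `bind`, `listen` and `accept` on sockets labelled `gpg_agent_t`, which is more than a client of the agent needs. If the motivating denial was only on the client side (connectto plus read/write/getattr/ioctl), `allow $2 gpg_agent_t:unix_stream_socket { connectto rw_socket_perms };` is the narrower form; if the wider set is genuinely required, a comment naming the denial would justify it. The new reverse rule `allow gpg_agent_t $2:unix_stream_socket { getattr ioctl };` is reasonable for a server inspecting an accepted connection. `gpg_role` begins outside this hunk.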
@@ -36,8 +36,14 @@ optional_policy(` miscfiles_read_generic_certs(ktlshd_t) miscfiles_map_generic_certs(ktlshd_t) + miscfiles_write_generic_certs(ktlshd_t) + miscfiles_write_generic_cert_dirs(ktlshd_t) ') optional_policy(` sysnet_read_config(ktlshd_t) ') + +optional_policy(` + unconfined_connected_tcp_sockets(ktlshd_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/lttng-tools.te new/selinux-policy-20260302/policy/modules/contrib/lttng-tools.te --- old/selinux-policy-20260219/policy/modules/contrib/lttng-tools.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/lttng-tools.te 2026-03-02 11:32:36.000000000 +0100 
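Review bot: `miscfiles_write_generic_certs(ktlshd_t)` and `miscfiles_write_generic_cert_dirs(ktlshd_t)` let the kernel TLS handshake daemon modify existing files in the system certificate store (`cert_t`), so a compromised or misbehaving tlshd could alter trust anchors that every other TLS user on the host relies on. Which files tlshd actually needs to write is not visible here; if it is a cache or a daemon-specific state file, a dedicated type with a file transition out of `cert_t` would keep the store itself read-only for this domain. At minimum a comment stating what is written, e.g. `# tlshd updates <which file> under /etc/pki`, belongs next to these two calls.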
@@ -28,8 +28,16 @@ allow lttng_sessiond_t self:process { setrlimit signal_perms }; allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms; allow lttng_sessiond_t self:tcp_socket listen; +allow lttng_sessiond_t self:unix_dgram_socket create; allow lttng_sessiond_t self:unix_stream_socket { create_stream_socket_perms connectto }; +# FIXME: this is required because of systemd's notify socket is created while +# in the initramfs, hence as kernel_t. Once SELinux permits relabeling socket +# objects created before the policy is loaded, this should be removed and +# systemd fixed to relabel the socket appropriately. +# Tracked by [systemd PR](https://github.com/systemd/systemd/pull/31336). +kernel_dgram_send(lttng_sessiond_t) + manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/mta.fc new/selinux-policy-20260302/policy/modules/contrib/mta.fc --- old/selinux-policy-20260219/policy/modules/contrib/mta.fc 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/mta.fc 2026-03-02 11:32:36.000000000 +0100 
@@ -8,6 +8,7 @@
 /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.cdb -- gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.lmdb -- gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/mta.if new/selinux-policy-20260302/policy/modules/contrib/mta.if
--- old/selinux-policy-20260219/policy/modules/contrib/mta.if 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/contrib/mta.if 2026-03-02 11:32:36.000000000 +0100
@@ -1322,6 +1322,8 @@
 #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
 mta_etc_filetrans_aliases($1, "aliases")
 mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliases.cdb")
+ mta_etc_filetrans_aliases($1, "aliases.lmdb")
 mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
 mta_etc_filetrans_aliases($1, "__db.aliases.db")
 mta_etc_filetrans_aliases($1, "virtusertable.db")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/networkmanager.te new/selinux-policy-20260302/policy/modules/contrib/networkmanager.te
--- old/selinux-policy-20260219/policy/modules/contrib/networkmanager.te 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/contrib/networkmanager.te 2026-03-02 11:32:36.000000000 +0100
@@ -204,6 +204,7 @@
 dev_rw_wireless(NetworkManager_t)
 fs_getattr_all_fs(NetworkManager_t)
+fs_list_bpf_dirs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_read_nsfs_files(NetworkManager_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/pkcs.te new/selinux-policy-20260302/policy/modules/contrib/pkcs.te
--- old/selinux-policy-20260219/policy/modules/contrib/pkcs.te 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/contrib/pkcs.te 2026-03-02 11:32:36.000000000 +0100
@@ -80,12 +80,17 @@
 manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+allow pkcs_slotd_t pkcs_slotd_tmpfs_t:file map;
 fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
 can_exec(pkcs_slotd_t, pkcs_slotd_exec_t)
+kernel_read_proc_files(pkcs_slotd_t)
+
 auth_use_nsswitch(pkcs_slotd_t)
+dev_read_sysfs(pkcs_slotd_t)
+
 files_search_locks(pkcs_slotd_t)
 logging_send_syslog_msg(pkcs_slotd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/raid.te new/selinux-policy-20260302/policy/modules/contrib/raid.te
--- old/selinux-policy-20260219/policy/modules/contrib/raid.te 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/contrib/raid.te 2026-03-02 11:32:36.000000000 +0100
@@ -42,6 +42,7 @@ allow mdadm_t self:capability { dac_read_search dac_override ipc_lock sys_admin sys_ptrace }; dontaudit mdadm_t self:capability { sys_tty_config }; +allow mdadm_t self:capability2 { bpf }; allow mdadm_t self:cap_userns { sys_ptrace }; allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/rhcd.if new/selinux-policy-20260302/policy/modules/contrib/rhcd.if --- old/selinux-policy-20260219/policy/modules/contrib/rhcd.if 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/rhcd.if 2026-03-02 11:32:36.000000000 +0100 @@ -167,6 +167,25 @@ ###################################### ## <summary> +## Manage rhc_playbook_verifier /var/lib sock files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhc_playbook_verifier_manage_var_lib_sock_files',` + gen_require(` + type rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t; + ') + + files_search_var_lib($1) + manage_sock_files_pattern($1, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) +') + +###################################### +## <summary> ## Manage rhc_playbook_verifier /var/lib dirs ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/rhcd.te new/selinux-policy-20260302/policy/modules/contrib/rhcd.te --- old/selinux-policy-20260219/policy/modules/contrib/rhcd.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/rhcd.te 2026-03-02 11:32:36.000000000 +0100 
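Review bot: `allow mdadm_t self:capability2 { bpf };` grants CAP_BPF but no `bpf` object-class permissions appear in this hunk, so either the daemon only probes the `bpf()` syscall (in which case a `dontaudit mdadm_t self:capability2 bpf;` would silence the denial without widening the domain) or the matching `bpf` class rules are missing and the feature will still fail. CAP_BPF is a broad capability for a RAID management tool; a comment recording which monitoring path needs it, e.g. `# mdadm monitor uses bpf during RAID monitoring (see <reference>)`, would let a future reviewer check whether it is still required.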
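Review bot: The `gen_require` of `rhc_playbook_verifier_manage_var_lib_sock_files` lists `rhc_playbook_verifier_t`, but the body only references `rhc_playbook_verifier_var_lib_t`, so the first type is an unused requirement that needlessly ties the interface to the process type. Trim it to `type rhc_playbook_verifier_var_lib_t;`. The summary line `Manage rhc_playbook_verifier /var/lib sock files` also lacks the terminating period the neighbouring interfaces use.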
@@ -257,10 +257,6 @@ allow rhc_worker_playbook_t self:udp_socket { connect connected_socket_perms }; allow rhc_worker_playbook_t self:unix_dgram_socket create_socket_perms; -#allow rhc_worker_playbook_t file_type:file read_file_perms; -#allow rhc_worker_playbook_t file_type:dir list_dir_perms; -#allow rhc_worker_playbook_t file_type:lnk_file read_lnk_file_perms; - manage_files_pattern(rhc_worker_playbook_t, rhc_worker_playbook_log_t, rhc_worker_playbook_log_t) create_dirs_pattern(rhc_worker_playbook_t, rhc_worker_playbook_log_t, rhc_worker_playbook_log_t) @@ -272,7 +268,12 @@ fs_tmpfs_filetrans(rhc_worker_playbook_t, rhc_worker_playbook_tmpfs_t, file) allow rhc_worker_playbook_t rhc_worker_playbook_tmpfs_t:file map; +kernel_read_all_sysctls(rhc_worker_playbook_t) kernel_read_net_sysctls(rhc_worker_playbook_t) +kernel_read_network_state(rhc_worker_playbook_t) +kernel_read_security_state(rhc_worker_playbook_t) +kernel_read_software_raid_state(rhc_worker_playbook_t) +kernel_read_system_state(rhc_worker_playbook_t) corecmd_exec_bin(rhc_worker_playbook_t) corecmd_exec_shell(rhc_worker_playbook_t) 
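Review bot: In the `@@ -272,7 +268,12 @@` hunk the new `kernel_read_all_sysctls(rhc_worker_playbook_t)` already covers everything `kernel_read_net_sysctls(rhc_worker_playbook_t)` grants (the all-sysctls interface works on the sysctl type attribute, which the net sysctl type carries), so the retained net-only line is now redundant and can be dropped to keep the rule set readable. The four `kernel_read_*_state` additions are fine individually, but together with the `kernel_read_all_sysctls` they make this worker a broad reader of kernel state; a one-line comment above the group stating why (inventory/fact gathering by playbooks, presumably) would help.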
@@ -280,14 +281,37 @@ corenet_tcp_bind_generic_node(rhc_worker_playbook_t) dev_getattr_all(rhc_worker_playbook_t) +dev_read_cpuid(rhc_worker_playbook_t) +dev_read_kmsg(rhc_worker_playbook_t) +dev_read_netcontrol(rhc_worker_playbook_t) +dev_read_raw_memory(rhc_worker_playbook_t) +dev_read_vsock(rhc_worker_playbook_t) +dev_read_sysfs(rhc_worker_playbook_t) + +domain_connect_all_stream_sockets(rhc_worker_playbook_t) +domain_getattr_all_domains(rhc_worker_playbook_t) +domain_getattr_all_sockets(rhc_worker_playbook_t) +domain_getattr_all_pipes(rhc_worker_playbook_t) +domain_read_all_domains_state(rhc_worker_playbook_t) +domain_signal_all_domains(rhc_worker_playbook_t) +domain_signull_all_domains(rhc_worker_playbook_t) +domain_unix_read_all_semaphores(rhc_worker_playbook_t) files_read_all_files(rhc_worker_playbook_t) files_read_all_symlinks(rhc_worker_playbook_t) files_list_all(rhc_worker_playbook_t) -fs_getattr_xattr_fs(rhc_worker_playbook_t) +fs_getattr_all_fs(rhc_worker_playbook_t) +fs_getattr_all_files(rhc_worker_playbook_t) +fs_get_all_fs_quotas(rhc_worker_playbook_t) +fs_read_configfs_dirs(rhc_worker_playbook_t) + +selinux_compute_access_vector(rhc_worker_playbook_t) + +seutil_domtrans_semanage(rhc_worker_playbook_t) +seutil_read_config(rhc_worker_playbook_t) +seutil_read_module_store(rhc_worker_playbook_t) -#storage_raw_read_fixed_disk_blk_device(rhc_worker_playbook_t) storage_raw_read_fixed_disk(rhc_worker_playbook_t) optional_policy(` @@ -300,10 +324,16 @@ optional_policy(` init_read_state(rhc_worker_playbook_t) + init_stream_connect(rhc_worker_playbook_t) + init_view_key(rhc_worker_playbook_t) ') optional_policy(` - logging_send_syslog_msg(rhc_worker_playbook_t) + insights_client_domtrans(rhc_worker_playbook_t) +') + +optional_policy(` + journalctl_domtrans(rhc_worker_playbook_t) ') optional_policy(` 
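Review bot: `dev_read_raw_memory`, `domain_signal_all_domains`, `domain_connect_all_stream_sockets` and `seutil_domtrans_semanage` here, together with `logging_manage_all_logs`, `logging_domtrans_auditctl`, `modutils_domtrans_kmod`, `mount_domtrans` and `systemd_config_all_services` in the `@@ -311,7 +341,62 @@` hunk, make `rhc_worker_playbook_t` a near-unconfined domain without a single comment explaining the threat model, and the commented-out `#unconfined_domain` in a later hunk suggests that was considered. From a detection standpoint `logging_manage_all_logs` is the one to look at hardest: it lets a remotely driven playbook worker truncate or delete audit and journal logs, removing the evidence a defender would use to review what the playbook did; `logging_read_all_logs` plus a transition to the specific log writers may be enough. `dev_read_raw_memory` (access to /dev/mem) is rarely justified for fact gathering and is usually handled by a domain transition to the hardware-inventory tool instead. Consider a header comment on the domain and gating the log-management, policy-management and module-loading rules behind a boolean named per this module's conventions, so sites that do not run remediation playbooks can keep them off.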
@@ -311,7 +341,62 @@ ') optional_policy(` + logging_domtrans_auditctl(rhc_worker_playbook_t) + logging_manage_all_logs(rhc_worker_playbook_t) + logging_mmap_generic_logs(rhc_worker_playbook_t) + logging_mmap_journal(rhc_worker_playbook_t) + logging_read_audit_config(rhc_worker_playbook_t) + logging_read_audit_log(rhc_worker_playbook_t) + logging_send_syslog_msg(rhc_worker_playbook_t) +') + +optional_policy(` + lpd_domtrans_lpr(rhc_worker_playbook_t) +') + +optional_policy(` lvm_domtrans(rhc_worker_playbook_t) + lvm_manage_metadata(rhc_worker_playbook_t) +') + +optional_policy(` + miscfiles_read_all_certs(rhc_worker_playbook_t) + miscfiles_read_localization(rhc_worker_playbook_t) +') + +optional_policy(` + mount_domtrans(rhc_worker_playbook_t) +') + +optional_policy(` + mysql_stream_connect(rhc_worker_playbook_t) +') + +optional_policy(` + modutils_domtrans_kmod(rhc_worker_playbook_t) + modutils_read_module_deps_files(rhc_worker_playbook_t) +') + +optional_policy(` + networkmanager_dbus_chat(rhc_worker_playbook_t) + networkmanager_stream_connect(rhc_worker_playbook_t) +') + +optional_policy(` + openvswitch_stream_connect(rhc_worker_playbook_t) +') + +optional_policy(` + pcp_filetrans_named_content(rhc_worker_playbook_t) + pcp_write_pid_sock_file(rhc_worker_playbook_t) +') + +optional_policy(` + postgresql_stream_connect(rhc_worker_playbook_t) +') + +optional_policy(` + redis_stream_connect(rhc_worker_playbook_t) ') optional_policy(` @@ -323,6 +408,11 @@ ') optional_policy(` + systemd_read_unit_files(rhc_worker_playbook_t) + systemd_config_all_services(rhc_worker_playbook_t) +') + +optional_policy(` term_use_generic_ptys(rhc_worker_playbook_t) ') 
@@ -330,6 +420,16 @@ udev_domtrans(rhc_worker_playbook_t) ') +optional_policy(` + #unconfined_domain(rhc_worker_playbook_t) + unconfined_server_create_shm(rhc_worker_playbook_t) + unconfined_server_read_semaphores(rhc_worker_playbook_t) +') + +optional_policy(` + virt_stream_connect(rhc_worker_playbook_t) +') + # interactions with other types from this module allow rhc_worker_playbook_t rhcd_t:unix_stream_socket connectto; allow rhcd_t rhc_worker_playbook_t:unix_stream_socket connectto; @@ -342,12 +442,12 @@ domtrans_pattern(rhc_worker_playbook_t, rhc_playbook_verifier_exec_t, rhc_playbook_verifier_t) permissive rhc_playbook_verifier_t; -allow rhc_playbook_verifier_t self:unix_stream_socket connectto; - manage_files_pattern(rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) manage_dirs_pattern(rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t) allow rhc_playbook_verifier_t rhc_playbook_verifier_var_lib_t:dir watch; +stream_connect_pattern(rhc_playbook_verifier_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_var_lib_t, rhc_playbook_verifier_t) + corecmd_exec_bin(rhc_playbook_verifier_t) optional_policy(` @@ -356,8 +456,8 @@ optional_policy(` gpg_domtrans(rhc_playbook_verifier_t) - gpg_domtrans_agent(rhc_playbook_verifier_t) + gpg_domtrans_agent(rhc_playbook_verifier_t) gpg_agent_stream_connect(rhc_playbook_verifier_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/rhsmcertd.te new/selinux-policy-20260302/policy/modules/contrib/rhsmcertd.te --- old/selinux-policy-20260219/policy/modules/contrib/rhsmcertd.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/rhsmcertd.te 2026-03-02 11:32:36.000000000 +0100 
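Review bot: The new `optional_policy` block adds the commented-out line `#unconfined_domain(rhc_worker_playbook_t)` above two `unconfined_server_*` calls; commented-out policy rules should not be checked in, so either delete the line or replace it with prose recording the decision, e.g. `# deliberately not unconfined_domain(); only the shm/semaphore access is needed`. In the `@@ -342,12 +442,12 @@` hunk, the `stream_connect_pattern(...)` that replaces the self `connectto` rule is added to `rhc_playbook_verifier_t`, which the context two lines above still declares `permissive`, so denials from this rule are logged rather than enforced until that declaration is removed. The `@@ -356,8 +456,8 @@` hunk is a whitespace-only fix of `gpg_domtrans_agent` indentation.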
@@ -171,6 +171,10 @@ #') optional_policy(` + install_read_var_run_files(rhsmcertd_t) +') + +optional_policy(` kpatch_domtrans(rhsmcertd_t) kpatch_read_lib_files(rhsmcertd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/rpc.te new/selinux-policy-20260302/policy/modules/contrib/rpc.te --- old/selinux-policy-20260219/policy/modules/contrib/rpc.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/rpc.te 2026-03-02 11:32:36.000000000 +0100 @@ -237,7 +237,7 @@ # NFSD local policy # -allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_chroot sys_rawio sys_resource }; +allow nfsd_t self:capability { dac_read_search dac_override setgid setuid sys_admin sys_chroot sys_rawio sys_resource }; allow nfsd_t self:process { setcap }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/thumb.te new/selinux-policy-20260302/policy/modules/contrib/thumb.te --- old/selinux-policy-20260219/policy/modules/contrib/thumb.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/thumb.te 2026-03-02 11:32:36.000000000 +0100 @@ -157,6 +157,10 @@ xserver_use_user_fonts(thumb_t) optional_policy(` + abrt_stream_connect(thumb_t) +') + +optional_policy(` bumblebee_stream_connect(thumb_t) ') 
@@ -192,6 +196,10 @@ ') optional_policy(` + miscfiles_mounton_fonts_cache_dirs(thumb_t) +') + +optional_policy(` nscd_dontaudit_write_sock_file(thumb_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/vdagent.te new/selinux-policy-20260302/policy/modules/contrib/vdagent.te --- old/selinux-policy-20260219/policy/modules/contrib/vdagent.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/vdagent.te 2026-03-02 11:32:36.000000000 +0100 @@ -49,6 +49,7 @@ fs_getattr_cgroup(vdagent_t) fs_search_cgroup_dirs(vdagent_t) +fs_getattr_pidfs(vdagent_t) fs_getattr_tmpfs(vdagent_t) term_use_virtio_console(vdagent_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/contrib/virt.te new/selinux-policy-20260302/policy/modules/contrib/virt.te --- old/selinux-policy-20260219/policy/modules/contrib/virt.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/contrib/virt.te 2026-03-02 11:32:36.000000000 +0100 @@ -2053,7 +2053,7 @@ # # virtnodedevd local policy # -allow virtnodedevd_t self:capability { net_admin sys_admin }; +allow virtnodedevd_t self:capability { dac_read_search net_admin sys_admin }; allow virtnodedevd_t self:capability2 perfmon; allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; allow virtnodedevd_t self:process { setsched }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/kernel/filesystem.if new/selinux-policy-20260302/policy/modules/kernel/filesystem.if --- old/selinux-policy-20260219/policy/modules/kernel/filesystem.if 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/kernel/filesystem.if 2026-03-02 11:32:36.000000000 +0100 
@@ -6124,6 +6124,24 @@ ######################################## ## <summary> +## Write generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + write_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> ## Read and write generic tmpfs files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/roles/staff.te new/selinux-policy-20260302/policy/modules/roles/staff.te --- old/selinux-policy-20260219/policy/modules/roles/staff.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/roles/staff.te 2026-03-02 11:32:36.000000000 +0100 @@ -44,6 +44,10 @@ files_dontaudit_manage_boot_dirs(staff_t) fs_read_tmpfs_files(staff_t) fs_read_binfmt_misc(staff_t) +fs_mount_tmpfs(staff_t) +fs_unmount_tmpfs(staff_t) +fs_remount_xattr_fs(staff_t) +fs_unmount_xattr_fs(staff_t) dev_read_cpuid(staff_t) dev_read_kmsg(staff_t) @@ -58,6 +62,8 @@ domain_obj_id_change_exemption(staff_t) files_read_kernel_modules(staff_t) +files_mounton_rootfs(staff_t) +files_mounton_generic_tmp_dirs(staff_t) seutil_read_module_store(staff_t) seutil_run_newrole(staff_t, staff_r) @@ -67,6 +73,7 @@ storage_read_scsi_generic(staff_t) storage_write_scsi_generic(staff_t) +term_mount_pty_fs(staff_t) term_use_unallocated_ttys(staff_t) term_use_generic_ptys(staff_t) @@ -235,6 +242,10 @@ ') optional_policy(` + miscfiles_mounton_fonts_cache_dirs(staff_t) +') + +optional_policy(` mock_role(staff_r, staff_t) ') 
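Review bot: The staff.te hunks (`@@ -44,6 +44,10 @@`, `@@ -58,6 +62,8 @@`, `@@ -67,6 +73,7 @@`, `@@ -235,6 +242,10 @@`, and `@@ -313,6 +324,7 @@` on the next line) add mount, unmount and remount rules to `staff_t` unconditionally, with no comment tying them to the changelog's "Support confined users usage of bubblewrap"; `files_mounton_rootfs(staff_t)` and `fs_remount_xattr_fs(staff_t)`/`fs_unmount_xattr_fs(staff_t)` are the broadest of these. The kernel still requires mount capability in the owning user namespace, so in practice these are reachable mainly through user-namespace sandboxes, but SELinux policy readers will not know that from the rules alone. Suggest a group comment such as `# mount/umount on tmpfs, rootfs and /tmp for bubblewrap sandboxes` and wrapping the block in a `tunable_policy` boolean, following the module's existing conventions, so deployments that do not allow confined users to sandbox can leave it off.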
@@ -313,6 +324,7 @@ sysadm_role_change(staff_r) userdom_dontaudit_use_user_terminals(staff_t) userdom_dontaudit_read_admin_home_files(staff_t) + userdom_mounton_tmp_files(staff_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/roles/unconfineduser.if new/selinux-policy-20260302/policy/modules/roles/unconfineduser.if --- old/selinux-policy-20260219/policy/modules/roles/unconfineduser.if 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/roles/unconfineduser.if 2026-03-02 11:32:36.000000000 +0100 @@ -442,6 +442,25 @@ ######################################## ## <summary> +## Read/write/other permissions from connected_socket_perms +## to unconfined domain tcp sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_connected_tcp_sockets',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:tcp_socket connected_socket_perms; +') + +######################################## +## <summary> ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/services/ssh.te new/selinux-policy-20260302/policy/modules/services/ssh.te --- old/selinux-policy-20260219/policy/modules/services/ssh.te 2026-02-19 13:50:04.000000000 +0100 +++ new/selinux-policy-20260302/policy/modules/services/ssh.te 2026-03-02 11:32:36.000000000 +0100 
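Review bot: The summary of `unconfined_connected_tcp_sockets` in the `@@ -442,6 +442,25 @@` hunk, `Read/write/other permissions from connected_socket_perms to unconfined domain tcp sockets.`, reads as a list of macro names rather than a description; `Read, write and otherwise use connected unconfined domain tcp sockets.` says the same thing in the style of the surrounding summaries. Since this rule applies to every `unconfined_t` tcp socket (SELinux cannot restrict it to descriptors handed over by the caller), a sentence in the description noting that the caller should be a trusted socket helper such as the kernel TLS handshake daemon would set expectations for future users of the interface.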
@@ -85,12 +85,12 @@
 ssh_session_dyntransition_to(sshd_net_t)
 allow sshd_session_t self:capability { audit_write chown dac_read_search setgid setuid sys_resource };
-allow sshd_session_t self:process { rlimitinh setcurrent setexec setkeycreate setrlimit setsched };
+allow sshd_session_t self:process { setcurrent setexec setkeycreate setrlimit setsched };
 allow sshd_session_t self:netlink_audit_socket { create nlmsg_relay };
 allow sshd_session_t self:netlink_route_socket { bind create getattr nlmsg_read };
 allow sshd_session_t self:udp_socket { connect create getattr };
-allow sshd_t sshd_session_t:process noatsecure;
+allow sshd_t sshd_session_t:process { noatsecure rlimitinh };
 allow sshd_net_t sshd_t:vsock_socket { read write };
 allow sshd_net_t sshd_session_t:fifo_file write;
 allow sshd_net_t sshd_session_t:unix_stream_socket { ioctl read write };
@@ -104,6 +104,7 @@
 manage_files_pattern(sshd_session_t, ssh_home_t, ssh_home_t)
 kernel_stream_connect(sshd_session_t)
+kernel_read_net_sysctls(sshd_session_t)
 fs_getattr_all_fs(sshd_session_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/system/miscfiles.if new/selinux-policy-20260302/policy/modules/system/miscfiles.if
--- old/selinux-policy-20260219/policy/modules/system/miscfiles.if 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/system/miscfiles.if 2026-03-02 11:32:36.000000000 +0100
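Review bot: Moving `rlimitinh` from `sshd_session_t self:process` to `sshd_t sshd_session_t:process` is the correct direction, but nothing on the changed line records why, and the changelog shows this exact rule being added, reverted and added again. The kernel checks `rlimitinh` on the domain transition with the old domain as source and the new domain as target, so a comment on the new line, `# rlimitinh is checked on the sshd_t -> sshd_session_t transition (source = old domain), so it belongs here, not on self`, would stop the next round-trip. The removal from the self rule is consistent with that and needs no separate note.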
@@ -147,6 +147,44 @@
 ########################################
 ## <summary>
+## Write generic SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_write_generic_certs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ allow $1 cert_t:dir list_dir_perms;
+ write_files_pattern($1, cert_t, cert_t)
+')
+
+########################################
+## <summary>
+## Write generic SSL certificate dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_write_generic_cert_dirs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ allow $1 cert_t:dir write;
+')
+
+########################################
+## <summary>
 ## Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
@@ -375,6 +413,24 @@
 ')
 ########################################
+## <summary>
+## Mount on fonts cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_mounton_fonts_cache_dirs', `
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir mounton;
+')
+
+########################################
 ## <summary>
 ## Do not audit attempts to set the attributes
 ## on a fonts directory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/system/systemd.te new/selinux-policy-20260302/policy/modules/system/systemd.te
--- old/selinux-policy-20260219/policy/modules/system/systemd.te 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/system/systemd.te 2026-03-02 11:32:36.000000000 +0100
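Review bot: `miscfiles_write_generic_certs` grants write on cert_t, which labels the system certificate stores including the CA trust anchors (per miscfiles.fc, not part of this diff), and neither new interface says so; a domain given this can change what every TLS client on the host trusts, so the summary should state it, e.g. `## Write generic SSL certificates. cert_t covers the system CA trust store; grant only to domains that must update it.`. The two interfaces are also inconsistent with each other: the first carries `<rolecap/>` and the second does not, and it is not clear which is intended. In `miscfiles_write_generic_cert_dirs`, `dir write` without `add_name`/`remove_name` does not by itself allow creating or removing entries; if the narrow set is deliberate, a comment naming the operation it serves would help, otherwise `write_dir_perms` is the usual spelling.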
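Review bot: The header of `miscfiles_mounton_fonts_cache_dirs` in the `@@ -375,6 +413,24 @@` hunk has a space between the comma after the interface name and the opening m4 quote of the body, unlike every other interface header in this hunk and in the file. m4 tolerates the leading whitespace, but the pattern is what grep-based checks and policy tooling key on, so it is worth dropping the space to match the other three new interfaces. No functional change is implied.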
@@ -949,7 +949,7 @@
 # objects created before the policy is loaded, this should be removed and
 # systemd fixed to relabel the socket appropriately.
 # Tracked by [systemd PR](https://github.com/systemd/systemd/pull/31336).
-allow systemd_notify_t kernel_t:unix_dgram_socket sendto;
+kernel_dgram_send(systemd_notify_t)
 dev_write_kmsg(systemd_notify_t)
@@ -1077,6 +1077,8 @@
 init_status(systemd_hostnamed_t)
 init_stream_connect(systemd_hostnamed_t)
+init_create_pid_socket(systemd_hostnamed_t)
+
 logging_send_syslog_msg(systemd_hostnamed_t)
 systemd_read_efivarfs(systemd_hostnamed_t)
@@ -1345,7 +1347,7 @@
 # setpcap - to drop capabilities
 allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_admin sys_chroot sys_ptrace };
 dontaudit systemd_coredump_t self:capability sys_resource;
-allow systemd_coredump_t self:cap_userns { dac_read_search dac_override setgid setuid sys_admin sys_chroot sys_ptrace };
+allow systemd_coredump_t self:cap_userns { dac_read_search dac_override kill setgid setuid sys_admin sys_chroot sys_ptrace };
 # To set its capability set
 allow systemd_coredump_t self:process setcap;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260219/policy/modules/system/userdomain.if new/selinux-policy-20260302/policy/modules/system/userdomain.if
--- old/selinux-policy-20260219/policy/modules/system/userdomain.if 2026-02-19 13:50:04.000000000 +0100
+++ new/selinux-policy-20260302/policy/modules/system/userdomain.if 2026-03-02 11:32:36.000000000 +0100
@@ -461,7 +461,7 @@
 #######################################
 ## <summary>
-## Manage user temporary directories
+## Mounton user temporary directories
 ## </summary>
 ## <param name="domain">
 ## <summary>
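Review bot: In the `@@ -1345,7 +1347,7 @@` hunk, `kill` is added to the `cap_userns` set of systemd_coredump_t without an entry in the per-capability comment block above it, whose last visible line is `# setpcap - to drop capabilities`; that block is the only place a reader learns why each capability is there, and it starts outside the hunk. Add a matching line, `# kill (cap_userns) - <reason systemd-coredump must signal processes inside a user namespace>`, so the grant can be re-evaluated later rather than inherited by default. The `kernel_dgram_send` and `init_create_pid_socket` hunks are straightforward interface substitutions and need no comment.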
@@ -479,6 +479,25 @@
 ')
 #######################################
+## <summary>
+## Mounton user temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_mounton_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file mounton;
+')
+
+#######################################
 ## <summary>
 ## Mounton user temporary socket files
 ## </summary>
