Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-08-20 16:12:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.2698 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Aug 20 16:12:40 2024 rev:71 rq:1194650 version:20240816 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-08-15 09:57:42.725431423 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2698/selinux-policy.changes 2024-08-20 16:12:47.844676201 +0200
@@ -1,0 +2,6 @@
+Fri Aug 16 12:27:10 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240816:
+ * Initial policy for syslog-ng (bsc#1229153)
+
+-------------------------------------------------------------------
Old: ---- selinux-policy-20240814.tar.xz New: ---- selinux-policy-20240816.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.3J6c1r/_old 2024-08-20 16:12:48.796715747 +0200
+++ /var/tmp/diff_new_pack.3J6c1r/_new 2024-08-20 16:12:48.796715747 +0200
@@ -33,7 +33,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240814
+Version: 20240816
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.3J6c1r/_old 2024-08-20 16:12:48.868718737 +0200
+++ /var/tmp/diff_new_pack.3J6c1r/_new 2024-08-20 16:12:48.872718904 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">e9e6076cfc96d33de1645e596ab0061c755c95b2</param></service><service name="tar_scm">
+ <param name="changesrevision">84399ca46a72cf2fc4683b033fdb9c98383457f7</param></service><service name="tar_scm">
 <param name="url">https://github.com/containers/container-selinux.git</param>
 <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
++++++ selinux-policy-20240814.tar.xz -> selinux-policy-20240816.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240814/policy/modules/kernel/devices.if new/selinux-policy-20240816/policy/modules/kernel/devices.if
--- old/selinux-policy-20240814/policy/modules/kernel/devices.if 2024-08-14 14:05:47.000000000 +0200
+++ new/selinux-policy-20240816/policy/modules/kernel/devices.if 2024-08-16 14:26:42.000000000 +0200
@@ -537,6 +537,43 @@
 ########################################
 ## <summary>
+## Allow read write on generic pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ rw_fifo_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Allow setattr on generic pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ setattr_fifo_files_pattern($1, device_t, device_t)
+')
+
+
+########################################
+## <summary>
 ## Write generic socket files in /dev.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240814/policy/modules/system/logging.fc new/selinux-policy-20240816/policy/modules/system/logging.fc
--- old/selinux-policy-20240814/policy/modules/system/logging.fc 2024-08-14 14:05:47.000000000 +0200
+++ new/selinux-policy-20240816/policy/modules/system/logging.fc 2024-08-16 14:26:42.000000000 +0200
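Review bot: The parameter summary of both new interfaces in devices.if, `dev_rw_generic_pipes` and `dev_setattr_generic_pipes`, reads `Domain to not audit.`, but neither is a dontaudit interface. Both expand to allow patterns, so the text should be `Domain allowed access.`. The interface summaries could also name the object precisely, for example `Read and write named pipes labelled device_t in /dev.`, because `rw_fifo_files_pattern($1, device_t, device_t)` covers every FIFO carrying the generic label rather than one specific pipe.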
@@ -4,6 +4,7 @@
 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
 /run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog-ng(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240814/policy/modules/system/logging.te new/selinux-policy-20240816/policy/modules/system/logging.te
--- old/selinux-policy-20240814/policy/modules/system/logging.te 2024-08-14 14:05:47.000000000 +0200
+++ new/selinux-policy-20240816/policy/modules/system/logging.te 2024-08-16 14:26:42.000000000 +0200
@@ -496,6 +496,7 @@
 allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid setpcap net_raw };
 dontaudit syslogd_t self:capability sys_tty_config;
 dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+dontaudit syslogd_t self:process execmem;
 allow syslogd_t self:capability2 { syslog block_suspend };
 # setpgid for metalog
 # setrlimit for syslog-ng
@@ -639,6 +640,9 @@
 # relating to systemd-kmsg-syslogd
 dev_write_kmsg(syslogd_t)
 dev_read_kmsg(syslogd_t)
+# for syslog-ng
+dev_rw_generic_pipes(syslogd_t)
+dev_setattr_generic_pipes(syslogd_t)
 domain_read_all_domains_state(syslogd_t)
 domain_getattr_all_domains(syslogd_t)
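Review bot: The new `/etc/syslog-ng(/.*)?` entry in logging.fc labels everything below the directory as `syslog_conf_t`, which would include TLS private keys if a deployment keeps them there. syslog-ng setups commonly use subdirectories such as `key.d` for this, though nothing in this diff shows whether the package does. Any domain permitted to read `syslog_conf_t` could then read that key material. Consider a separate, more restrictive type for the key subdirectory, or a comment in logging.fc stating that keys are expected to live elsewhere.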
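Review bot: The added `dontaudit syslogd_t self:process execmem;` in the first logging.te hunk has no comment saying which daemon triggers the denial or why it is safe to hide. An execmem denial is a useful detection signal that a process tried to obtain writable-and-executable memory, and this rule silences it for every daemon running as `syslogd_t`, not only syslog-ng. Once the cause is confirmed, I would add a line above it such as `# syslog-ng requests executable memory; access stays denied, only the AVC is suppressed (bsc#1229153)`. It is also worth noting for operators that `semodule -DB` rebuilds the policy with dontaudit rules disabled when these messages are needed for troubleshooting.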
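Review bot: `dev_rw_generic_pipes(syslogd_t)` and `dev_setattr_generic_pipes(syslogd_t)` in the second logging.te hunk grant the log daemon access to any FIFO labelled `device_t`, that is, any pipe in /dev without a specific type. The `# for syslog-ng` comment does not say which pipe is actually needed. If syslog-ng only needs a single pipe, a dedicated type with a file-context entry or a `dev_filetrans` rule for that object would keep the grant to least privilege. At minimum the comment should name the path, e.g. `# syslog-ng opens <pipe path placeholder> in /dev (bsc#1229153)`.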