Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-10-20 10:08:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.26871 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Sun Oct 20 10:08:57 2024 rev:82 rq:1208868 version:20241018

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-10-01 17:11:27.828841389 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.26871/selinux-policy.changes 
2024-10-20 10:09:08.447602727 +0200
@@ -1,0 +2,8 @@
+Fri Oct 18 12:34:06 UTC 2024 - cathy...@suse.com
+
+- Update to version 20241018:
+  * Allow slpd to create TCPDIAG netlink socket (bsc#1231491)
+  * Allow slpd to use sys_chroot (bsc#1231491)
+  * Allow openvswitch-ipsec use strongswan (bsc#1231493)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20240930.tar.xz

New:
----
  selinux-policy-20241018.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.oxrTTq/_old  2024-10-20 10:09:09.547648333 +0200
+++ /var/tmp/diff_new_pack.oxrTTq/_new  2024-10-20 10:09:09.547648333 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240930
+Version:        20241018
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.oxrTTq/_old  2024-10-20 10:09:09.651652644 +0200
+++ /var/tmp/diff_new_pack.oxrTTq/_new  2024-10-20 10:09:09.655652810 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">ce2f393284de8ea7a3a76e76196b13e8b98770b2</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">0f42d9d86addd3d512c65c9a866649f2be1d3c86</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>


++++++ selinux-policy-20240930.tar.xz -> selinux-policy-20241018.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240930/policy/modules/contrib/openvswitch.te 
new/selinux-policy-20241018/policy/modules/contrib/openvswitch.te
--- old/selinux-policy-20240930/policy/modules/contrib/openvswitch.te   
2024-09-30 09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/contrib/openvswitch.te   
2024-10-18 14:33:42.000000000 +0200
@@ -141,6 +141,13 @@
 ')
 
 optional_policy(`
+    ipsec_domtrans(openvswitch_t)
+    ipsec_domtrans_mgmt(openvswitch_t)
+    ipsec_manage_conf_files(openvswitch_t)
+    ipsec_manage_key_file(openvswitch_t)
+')
+
+optional_policy(`
        iptables_domtrans(openvswitch_t)
 ')
 
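Review bot: `ipsec_manage_conf_files(openvswitch_t)` and `ipsec_manage_key_file(openvswitch_t)` give the whole openvswitch_t domain manage access to IPsec configuration and, judging by the interface name, to key files, which is broader than the changelog's stated goal of letting openvswitch-ipsec use strongswan. If only the IPsec helper needs this, a dedicated domain for it, or read-only interfaces where the denials in bsc#1231493 show only reads, would keep a compromised switch daemon away from the key material. The block also carries no comment giving the reason, unlike the slpd change in the same commit; a line such as `# openvswitch-ipsec configures and starts strongswan (bsc#1231493)` above the `optional_policy` would record it. The four added calls appear to be indented with spaces while the neighbouring `iptables_domtrans` line uses a different indent, so the whitespace is worth aligning with the file.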
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240930/policy/modules/contrib/slpd.te 
new/selinux-policy-20241018/policy/modules/contrib/slpd.te
--- old/selinux-policy-20240930/policy/modules/contrib/slpd.te  2024-09-30 
09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/contrib/slpd.te  2024-10-18 
14:33:42.000000000 +0200
@@ -24,6 +24,13 @@
 #
 
 allow slpd_t self:capability { kill net_admin setgid setuid };
+
+# SUSE specific patch "extensions.diff" in openslp needs chroot()
+allow slpd_t self:capability sys_chroot;
+
+# SUSE specific patch "openslp.netlink.diff" in openslp uses TCPDIAG_GETSOCK
+allow slpd_t self:netlink_tcpdiag_socket create;
+
 allow slpd_t self:process signal;
 allow slpd_t self:fifo_file rw_fifo_file_perms;
 allow slpd_t self:tcp_socket { accept listen };
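Review bot: `allow slpd_t self:netlink_tcpdiag_socket create;` grants only socket creation, while the comment says the patch uses TCPDIAG_GETSOCK, and sending that request and reading the reply are checked by separate permissions on the same class. Keeping the grant minimal is right, but it is worth confirming in enforcing mode that no follow-up AVC denials for slpd_t remain. If they do, add only the specific permissions the log shows rather than a broad netlink macro. The two new comments name the openslp patches but not the bug; appending `(bsc#1231491)` to each would tie the rules to their justification.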
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240930/policy/modules/system/ipsec.fc 
new/selinux-policy-20241018/policy/modules/system/ipsec.fc
--- old/selinux-policy-20240930/policy/modules/system/ipsec.fc  2024-09-30 
09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/system/ipsec.fc  2024-10-18 
14:33:42.000000000 +0200
@@ -9,6 +9,8 @@
 
 /etc/ipsec\.secrets.*          --      
gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf               --      
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/strongswan.conf           --      
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/strongswan.d(/.*)?                        
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/strongswan/ipsec\.secrets.*               --      
gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/strongswan/ipsec\.conf            --      
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/strongswan/swanctl/bliss/(/.*)?   
gen_context(system_u:object_r:ipsec_key_file_t,s0)
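Review bot: The two added path specifications leave the dot unescaped, while the neighbouring entries write `ipsec\.conf` and `ipsec\.secrets`. File-context paths are regular expressions, so `/etc/strongswan.conf` and `/etc/strongswan.d(/.*)?` also match names with any character in place of the dot. Writing them as `/etc/strongswan\.conf` and `/etc/strongswan\.d(/.*)?` keeps the ipsec_conf_file_t label on exactly the intended paths and matches the file's style. It is also worth checking whether anything under `/etc/strongswan.d` holds secrets, since the whole tree becomes ipsec_conf_file_t rather than ipsec_key_file_t.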
@@ -38,6 +40,7 @@
 
 /usr/libexec/ipsec/_plutoload  --      
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun   --      
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/charon      --      
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute      --      
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug  --      
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto       --      
gen_context(system_u:object_r:ipsec_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20240930/policy/modules/system/ipsec.if 
new/selinux-policy-20241018/policy/modules/system/ipsec.if
--- old/selinux-policy-20240930/policy/modules/system/ipsec.if  2024-09-30 
09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/system/ipsec.if  2024-10-18 
14:33:42.000000000 +0200
@@ -355,6 +355,27 @@
        allow $1 ipsec_conf_file_t:dir list_dir_perms;
 ')
 
+
+#######################################
+## <summary>
+##     Allow to manage ipsec conf files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ipsec_manage_conf_files',`
+       gen_require(`
+               type ipsec_conf_file_t;
+       ')
+
+       manage_files_pattern($1, ipsec_conf_file_t, ipsec_conf_file_t)
+       files_etc_filetrans($1, ipsec_conf_file_t, file, "ipsec.conf")
+')
+
+
 ########################################
 ## <summary>
 ##     Match the default SPD entry.
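Review bot: The named transition in `ipsec_manage_conf_files` covers only `"ipsec.conf"`, although the same commit labels `/etc/strongswan.conf` as ipsec_conf_file_t in ipsec.fc. If the calling domain creates that file, it would presumably get the default /etc label until relabelled, so consider adding `files_etc_filetrans($1, ipsec_conf_file_t, file, "strongswan.conf")`. The summary "Allow to manage ipsec conf files." should also say that the interface adds a type transition in /etc, because callers get more than file management. `manage_files_pattern` also allows deleting and rewriting every ipsec_conf_file_t file, so a sentence in the header stating which callers are expected to need write access would help later reviews. The trailing context lines belong to the next interface, which continues outside the hunk.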
