Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-12-04 15:26:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.28523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Wed Dec  4 15:26:40 2024 rev:88 rq:1228002 version:20241118

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-12-02 16:58:39.596006832 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.28523/selinux-policy.changes 
2024-12-04 15:26:42.616186301 +0100
@@ -1,0 +2,113 @@
+Tue Dec  3 14:25:28 UTC 2024 - Cathy Hu <cathy...@suse.com>
+
+- Fix minimum policy by readding snapper module (bsc#1234037) 
+
+-------------------------------------------------------------------
+Mon Nov 25 09:06:36 UTC 2024 - cathy...@suse.com
+
+- Update to version 20241118:
+  * Add workaround for /run/rpmdb lockfile (bsc#1231127)
+  * Add dedicated health-checker module (bsc#1231127)
+
+-------------------------------------------------------------------
+Thu Nov 07 12:06:01 UTC 2024 - cathy...@suse.com
+
+- Packaging rework: moving all config files to git repository
+  https://gitlab.suse.de/selinux/selinux-policy
+  - Moved booleans to dist/*/booleans.conf and dropped from package:
+    * booleans-minimum.conf
+      - user facing change: boolean settings are now the same as in upstream
+    * booleans-mls.conf
+      - user facing change: boolean settings are now the same as in upstream
+    * booleans-targeted.conf
+      - user facing change: kerberos_enabled boolean was not enabled due to a 
bug, now it is enabled
+  - Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from 
package
+  - Moved customizable_types to dist/customizable_types and dropped from 
package
+    - user facing change: using upstream version
+  - Moved file_contexts.subs_dist to config/file_contexts.subs_dist and 
dropped from package
+    - user facing change: changed systemd entries in file_contexts.subs_dist:
+      /run/systemd/system -> dropped from file
+      /run/systemd/generator.early /run/systemd/generator
+      /run/systemd/generator.late /run/systemd/generator
+  - Moved modules config to dist/<policytype>/modules.conf and dropped from 
package:
+    - user facing change: minimum policy: modules base and contrib are merged 
into modules.lst 
+      and modules-enabled.lst was added which contains the enabled modules, 
replacing modules-minimum-disable.lst
+      * modules-minimum-base.conf
+      * modules-minimum-contrib.conf
+      * modules-minimum-disable.lst
+      * Added: modules-minimum.lst
+    - user facing change: mls policy: modules base + contrib are merged into 
modules.lst
+      * modules-mls-base.conf
+      * modules-mls-contrib.conf
+    - user facing change: targeted policy: modules base + contrib are merged 
into modules.lst:
+      * modules-targeted-base.conf 
+      * modules-targeted-contrib.conf
+  - Moved securetty config to config/appconfig-<policytype>/securetty_types 
and dropped from package
+    - user facing change: using upstream version for all policy types
+      * securetty_types-minimum
+      * securetty_types-mls
+      * securetty_types-targeted
+  - Moved setrans config to dist/<policytype>/setrans.conf and dropped from 
package
+    * setrans-minimum.conf
+    * setrans-mls.conf
+    * setrans-targeted.conf
+  - Moved users config to dist/<policytype>/users and dropped from package
+    * users-minimum
+      - user facing change: added guest_u and xguest_u
+    * users-mls
+    * users-targeted
+- Fix debug-build.sh to follow symlinks when creating
+  the tarball
+- Update embedded container-selinux version to commit:
+  * 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
+- Update to version 20241107:
+  * Re-add kanidm module to dist/targeted/modules.conf
+  * Add SUSE-specific file contexts to file_contexts.subs_dist
+  * Disallow execstack in dist/minimum/booleans.conf
+  * Add SUSE-specific booleans to dist/targeted/booleans.conf
+  * Add SUSE specific modules to targeted modules.conf
+  * Label /var/cache/systemd/home with systemd_homed_cache_t
+  * Allow login_userdomain connect to systemd-homed over a unix socket
+  * Allow boothd connect to systemd-homed over a unix socket
+  * Allow systemd-homed get attributes of a tmpfs filesystem
+  * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
+  * Allow aide connect to systemd-homed over a unix socket
+  * Label /dev/hfi1_[0-9]+ devices
+  * Remove the openct module sources
+  * Remove the timidity module sources
+  * Enable the slrn module
+  * Remove i18n_input module sources
+  * Enable the distcc module
+  * Remove the ddcprobe module sources
+  * Remove the timedatex module sources
+  * Remove the djbdns module sources
+  * Confine iio-sensor-proxy
+  * Allow staff user nlmsg_write
+  * Update policy for xdm with confined users
+  * Allow virtnodedev watch mdevctl config dirs
+  * Allow ssh watch home config dirs
+  * Allow ssh map home configs files
+  * Allow ssh read network sysctls
+  * Allow chronyc sendto to chronyd-restricted
+  * Allow cups sys_ptrace capability in the user namespace
+  * Add policy for systemd-homed
+  * Remove fc entry for /usr/bin/pump
+  * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
+  * Allow accountsd read gnome-initial-setup tmp files
+  * Allow xdm write to gnome-initial-setup fifo files
+  * Allow rngd read and write generic usb devices
+  * Allow qatlib search the content of the kernel debugging filesystem
+  * Allow qatlib connect to systemd-machined over a unix socket
+  * mls/modules.conf - fix typo
+  * Use dist/targeted/modules.conf in build workflow
+  * Fix default and dist config files
+  * Allow unprivileged user watch /run/systemd
+  * CI: update to actions/checkout@v4
+  * Allow boothd connect to kernel over a unix socket
+  * Clean up and sync securetty_types
+  * Bring config files from dist-git into the source repo
+  * Confine gnome-remote-desktop
+  * Allow virtstoraged execute mount programs in the mount domain
+  * Make mdevctl_conf_t member of the file_type attribute
+
+-------------------------------------------------------------------

Old:
----
  booleans-minimum.conf
  booleans-mls.conf
  booleans-targeted.conf
  booleans.subs_dist
  customizable_types
  file_contexts.subs_dist
  modules-minimum-base.conf
  modules-minimum-contrib.conf
  modules-minimum-disable.lst
  modules-mls-base.conf
  modules-mls-contrib.conf
  modules-targeted-base.conf
  modules-targeted-contrib.conf
  securetty_types-minimum
  securetty_types-mls
  securetty_types-targeted
  selinux-policy-20241105.tar.xz
  setrans-minimum.conf
  setrans-mls.conf
  setrans-targeted.conf
  users-minimum
  users-mls
  users-targeted

New:
----
  modules-minimum.lst
  selinux-policy-20241118.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.356217332 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.360217499 +0100
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20241105
+Version:        20241118
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -47,37 +47,11 @@
 Source6:        update.sh
 Source7:        debug-build.sh
 
-Source10:       modules-targeted-base.conf
-Source11:       modules-targeted-contrib.conf
-Source12:       modules-mls-base.conf
-Source13:       modules-mls-contrib.conf
-Source14:       modules-minimum-base.conf
-Source15:       modules-minimum-contrib.conf
-Source18:       modules-minimum-disable.lst
-
-Source20:       booleans-targeted.conf
-Source21:       booleans-mls.conf
-Source22:       booleans-minimum.conf
-Source23:       booleans.subs_dist
-
-Source30:       setrans-targeted.conf
-Source31:       setrans-mls.conf
-Source32:       setrans-minimum.conf
-
-Source40:       securetty_types-targeted
-Source41:       securetty_types-mls
-Source42:       securetty_types-minimum
-
-Source50:       users-targeted
-Source51:       users-mls
-Source52:       users-minimum
+Source18:       modules-minimum.lst
 
 Source60:       selinux-policy.conf
 
 Source91:       Makefile.devel
-Source92:       customizable_types
-#Source93:       config.tgz
-Source94:       file_contexts.subs_dist
 Source95:       macros.selinux-policy
 
 URL:            https://github.com/fedora-selinux/selinux-policy.git
@@ -116,17 +90,11 @@
 %define makeCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
+install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
+install -p -m0644 ./dist/%1/users ./policy/users \
 
 %define makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
-if [ %3 == "contrib" ];then \
-        cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
-        cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-fi; \
+install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
 
 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -137,14 +105,13 @@
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p 
%{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 selinux_config/securetty_types-%1 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
-install -m0644 selinux_config/file_contexts.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 selinux_config/setrans-%1.conf 
%{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 selinux_config/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -m0644 ./config/file_contexts.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 ./dist/%1/setrans.conf 
%{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 ./dist/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local 
\
 touch 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
+install -p -m0644 ./dist/booleans.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
 %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | 
cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
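Review bot: the explicit `install -m0644 selinux_config/securetty_types-%1 ... contexts/securetty_types` line is dropped with no replacement in this hunk, so the upstream `make install` run by %installCmds must now be what provides `contexts/securetty_types`; worth confirming the file still lands in the buildroot and is still covered by %fileList, otherwise the package silently loses its securetty configuration. Minor style point: the three new `install -m0644 ./config/...` and `./dist/...` lines omit `-p` while the `booleans.subs_dist` line uses `install -p -m0644`; pick one form.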
@@ -207,8 +174,7 @@
 %dir %{_datadir}/selinux/%1 \
 %dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules-base.lst \
-%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/modules.lst \
 %{_datadir}/selinux/%1/nonbasemodules.lst \
 %dir %{_sharedstatedir}/selinux/%1 \
 %{_sharedstatedir}/selinux/%1/active/commit_num \
@@ -285,16 +251,12 @@
 fi;
 
 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' 
./policy/modules-base.conf > 
%{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' 
./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
-if [ -e ./policy/modules-contrib.conf ];then \
-        awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 
}' ./policy/modules-contrib.conf > 
%{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
-fi;
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' 
./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' 
./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
 
 %define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
-for i in $contrib_modules $base_modules; do \
+modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
+for i in $modules; do \
     if [ $i != "sandbox" ];then \
         echo "%verify(not md5 size mtime) 
%{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> 
%{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
     fi; \
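Review bot: the comment filter in both new awk lines, `$1 !~ "/^#/"`, does not do what it looks like: inside a string the slashes are literal characters of the dynamic regex, so it only rejects a first field containing a literal slash-caret-hash sequence, which never occurs, and excludes nothing. The lines work only because `$2 == "="` already rejects comment lines. Since both lines are being rewritten anyway, `$1 !~ /^#/` would make the stated intent real.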
@@ -375,15 +337,10 @@
 
 mkdir -p 
%{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
 
-mkdir selinux_config
-for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} 
%{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} 
%{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} 
%{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
- cp $i selinux_config
-done
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds targeted mcs allow
 # recreate sandbox.pp
 rm -rf 
%{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@@ -395,19 +352,19 @@
 
 %if %{BUILD_MINIMUM}
 %makeCmds minimum mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds minimum mcs allow
-install -m0644 %{SOURCE18} 
%{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
 # Sandbox is only targeted
 rm -f 
%{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
 rm -rf 
%{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -p -m 644 %{SOURCE18} 
%{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
 %modulesList minimum
 %nonBaseModulesList minimum
 %endif
 
 %if %{BUILD_MLS}
 %makeCmds mls mls deny
-%makeModulesConf mls base contrib
+%makeModulesConf mls
 %installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
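Review bot: under `%if %{BUILD_MINIMUM}` the call is `%makeModulesConf targeted`, so the minimum policy is built from `dist/targeted/modules.conf` rather than `dist/minimum/modules.conf`. This mirrors the old `%makeModulesConf targeted base contrib` and is probably deliberate (minimum is the targeted module set with most modules disabled in %post), but the changelog says module config moved to `dist/<policytype>/modules.conf`; a one-line comment stating why the targeted file is used, or a switch to `minimum`, would stop the next reader from filing a bug. Same style nit as above: `install -p -m 644 %{SOURCE18}` versus `install -m0644` elsewhere in the spec.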
@@ -420,7 +377,7 @@
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs 
DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
 mkdir %{buildroot}%{_datadir}/selinux/devel/
 mv %{buildroot}%{_datadir}/selinux/targeted/include 
%{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel 
%{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r 
%{buildroot}
@@ -579,16 +536,19 @@
 fi
 
 %post minimum
-contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
-basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
-mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
+modules=`cat %{_datadir}/selinux/minimum/modules.lst`
+basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
+enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
+if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
+    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
+fi
 if [ $1 -eq 1 ]; then
-    for p in $contribpackages; do
+for p in $modules; do
        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
-    for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
+done
+for p in $basemodules $enabledmodules; do
        rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
+done
     %{_sbindir}/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
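Review bot: the fresh-install branch (`if [ $1 -eq 1 ]`) now re-enables `$basemodules $enabledmodules` in place of the old hard-coded `$basepackages snapper dbus kerberos nscd rpm rtkit`. `snapper`, `dbus` and `kerberos` are in the new modules-minimum.lst further down in this request, but `nscd`, `rpm` and `rtkit` are not, so those three stay disabled on a new minimum install; if that is intended, the changelog should say so. The two `for` loops also lost their indentation inside the `if`; re-indent them to match the `else` branch.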
@@ -597,7 +557,7 @@
     %{_sbindir}/semodule -B -s minimum
 else
     instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
-    for p in $contribpackages; do
+    for p in $packages; do
        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
     done
     for p in $instpackages snapper dbus kerberos nscd rtkit; do
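Review bot: `for p in $packages; do` in the upgrade branch references a variable that is never assigned; the variables set above are `modules`, `basemodules`, `enabledmodules` and `instpackages`. With `$packages` empty the loop is a no-op, so on upgrade no newly shipped module gets marked disabled, the opposite of what the old `$contribpackages` loop did. This should be `$modules`. The upgrade branch also still hard-codes `snapper dbus kerberos nscd rtkit` while the install branch reads modules-enabled.lst; using `$enabledmodules` in both keeps the two paths from drifting apart.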
@@ -614,7 +574,7 @@
 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
-%{_datadir}/selinux/minimum/modules-minimum-disable.lst
+%{_datadir}/selinux/minimum/modules-enabled.lst
 %fileList minimum
 %endif
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.424220183 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.424220183 +0100
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">6e8cf2b0a771eddc3ae1bee3be0042bd3d9d8ba1</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">8fe12e2d8c9c84620be4418dab55ad2cf91b3653</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>

++++++ container.fc ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.448221189 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.452221357 +0100
@@ -131,7 +131,7 @@
 /var/lib/kubernetes/pods(/.*)? 
gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?         
gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pod-resources/kubelet.sock            
gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/pod-resources(/.*)?   
gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)?           
gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env  
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log   
gen_context(system_u:object_r:container_log_t,s0)
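Review bot: `/var/lib/kubelet/pod-resources(/.*)?` changes from container_file_t on the socket alone to kubelet_var_lib_t on the whole directory. The filetrans rules added in container.te only apply to directories created after the policy is loaded, so hosts that already have this directory keep the old label until `restorecon` is run on it, and the new stream_connect rule keyed on kubelet_var_lib_t does not apply until then; confirm the upgrade path relabels it or document that it must be done.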
@@ -162,6 +162,7 @@
 
 /run/lock/lxc(/.*)?            
gen_context(system_u:object_r:container_lock_t,s0)
 
+/var/log/kube-apiserver(/.*)?          
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?          
gen_context(system_u:object_r:kubernetes_file_t,s0)

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.472222196 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.476222363 +0100
@@ -512,6 +512,7 @@
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
 
+    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
     logging_log_filetrans($1, container_log_t, dir, "lxc")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
     files_var_lib_filetrans($1, container_file_t, dir, "origin")

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.500223370 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.504223538 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.232.1)
+policy_module(container, 2.234.0)
 
 gen_require(`
        class passwd rootok;
@@ -757,6 +757,7 @@
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
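Review bot: `dontaudit spc_t self:memprotect mmap_zero;` silences the AVC raised when a super-privileged container tries to map memory below mmap_min_addr. Suppressing rather than allowing is the conservative choice, but it also removes the only audit-side signal of such attempts from spc_t; a short comment naming the workload that triggers the denial would let a later reviewer judge whether the dontaudit is still needed.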
@@ -1450,11 +1451,14 @@
 allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
 allow container_engine_t fusefs_t:file relabelto;
 allow container_engine_t kernel_t:system module_request;
-allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t null_device_t:chr_file { mounton 
setattr_chr_file_perms };
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms 
};
+allow container_engine_t devpts_t:chr_file setattr;
 
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 
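Review bot: the new `setattr` permissions are wider than the neighbouring `mounton` rules: `setattr_chr_file_perms` on null_device_t and `setattr` on devpts_t:chr_file let container_engine_t chown/chmod /dev/null and every pty slave on the host, not merely bind-mount them. If the engine only needs to fix up device nodes inside a container's own devpts instance, say so in a comment or scope the rule accordingly. The three appended `allow container_engine_t ...` lines also break the alphabetical ordering of the block (null, random, self, urandom, zero), which makes policy diffs harder to review.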
@@ -1483,6 +1487,17 @@
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
 
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, 
"pod-resources")
+
 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - 
mcs_systemhigh)
 ')
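Review bot: `files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")` transitions a directory named `pod-resources` created directly under /var/lib (var_lib_t) to kubelet_var_lib_t, but container.fc only labels `/var/lib/kubelet/pod-resources`, so a `/var/lib/pod-resources` created that way gets a type that `restorecon` later reverts. The second rule, `filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")`, is the one that matches the fc entry, since /var/lib/kubelet is container_var_lib_t. Drop the first rule unless a real /var/lib/pod-resources path exists.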
@@ -1516,10 +1531,12 @@
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  
kubelet_var_lib_t, kubelet_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
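Review bot: `typeattribute container_device_plugin_t container_net_domain;` grants device plugins the network access carried by the container_net_domain attribute, a broader change than the kubelet socket connect added two lines below, and the hunk gives no reason for it; a comment naming the plugin that needs network sockets would help. The existing `container_kubelet_stream_connect` line and the new `stream_connect_pattern(... kubelet_var_lib_t, kubelet_t)` appear to cover the same socket before and after the relabel, so one of them may now be redundant.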

++++++ debug-build.sh ++++++
--- /var/tmp/diff_new_pack.MmJK8j/_old  2024-12-04 15:26:43.528224544 +0100
+++ /var/tmp/diff_new_pack.MmJK8j/_new  2024-12-04 15:26:43.532224712 +0100
@@ -23,7 +23,7 @@
 # Create tar file with name like selinux-policy-<current-version>.tar.xz 
 TAR_NAME=$REPO_NAME-$VERSION.tar.xz
 echo "Creating tar file: $TAR_NAME"
-tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C 
$REPO_NAME .
+tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C 
$REPO_NAME .
 
 # Some helpful prompts
 if test $? -eq 0; then 
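Review bot: `tar -cJhf` dereferences symlinks, so a symlink in the checkout that points outside `$REPO_NAME` now pulls that target into the tarball, and a dangling symlink makes tar fail. Since the changelog says the flag was added so symlinks are followed when creating the tarball, it is worth checking that the repository only contains in-tree relative symlinks; the failure case at least surfaces because `$?` is tested right below.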

++++++ modules-minimum-disable.lst -> modules-minimum.lst ++++++
--- /work/SRC/openSUSE:Factory/selinux-policy/modules-minimum-disable.lst       
2024-12-02 16:58:39.528003979 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.28523/modules-minimum.lst    
2024-12-04 15:26:42.600185630 +0100
@@ -1 +1,51 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda 
antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi 
awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla 
cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger 
certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler 
collectd colord comsat condor consolekit couchdb courier cpucontrol 
cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus 
dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode 
dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger 
firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance 
glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd 
irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd 
keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys 
lockdev log
 rotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki 
memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin 
mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd 
ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn 
openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd 
podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink 
unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail 
qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd 
remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd 
rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen 
sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon 
smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd 
stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp t
 gtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml 
updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool 
vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm 
webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote 
thin mandb pki smsd sslh obs 
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+snapper
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver
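Review bot: the new source file is named modules-minimum.lst while the spec installs it as modules-enabled.lst and the changelog mentions both names; aligning the file name with the installed name, or a comment in the spec, avoids confusion. The file also inverts the semantics of the one it replaces (enabled modules instead of disabled ones), and %post derives the disabled set as modules.lst minus this list, so any module upstream adds to dist/targeted/modules.conf is disabled on minimum until it is listed here. That is a sound fail-closed default, but it belongs in the changelog.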

++++++ selinux-policy-20241105.tar.xz -> selinux-policy-20241118.tar.xz ++++++
++++ 11137 lines of diff (skipped)
