Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-01-12 11:09:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1881 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sun Jan 12 11:09:17 2025 rev:93 rq:1236909 version:20250109 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-01-09 15:05:26.983342085 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1881/selinux-policy.changes 2025-01-12 11:09:25.434754205 +0100
@@ -1,0 +2,26 @@
+Fri Jan 10 10:04:01 UTC 2025 - rfr...@suse.com
+
+- Update to version 20250109:
+ * Update virtqemud policy regarding the svirt_tcg_t domain
+ * Allow virtqemud domain transition on numad execution
+ * Support virt live migration using ssh
+ * Allow virtqemud permissions needed for live migration
+ * Allow virtqemud the getpgid process permission
+ * Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
+ * Allow virtqemud relabelfrom virt_log_t files
+ * Allow virtqemud relabel tun_socket
+ * Add policy for systemd-import-generator
+ * Confine vsftpd systemd system generator
+ * Allow virtqemud read and write sgx_vepc devices
+ * Allow systemd-networkd list cgroup directories
+ * Allow xdm dbus chat with power-profiles-daemon
+ * Allow ssh_t read systemd config files
+ * Add Valkey rules to Redis module
+ * Update ktlsh policy
+ * Allow request-key to read /etc/passwd
+ * Allow request-key to manage all domains' keys
+ * Add support for the KVM guest memfd anon inodes
+- Update embedded container-selinux version to commit:
+ * 7fdbd0e8c428c335406969878f28e14f335f2e7e
+
+-------------------------------------------------------------------
@@ -161,0 +188,5 @@
+
+-------------------------------------------------------------------
+Mon Dec 16 09:59:30 UTC 2024 - Johannes Segitz <jseg...@suse.com>
+
+- Explain third possible value in selinux config file (disabled)
Old: ---- selinux-policy-20241220.tar.xz New: ---- selinux-policy-20250109.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.3xcnzW/_old 2025-01-12 11:09:26.182784898 +0100
+++ /var/tmp/diff_new_pack.3xcnzW/_new 2025-01-12 11:09:26.186785062 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20241220
+Version: 20250109
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
@@ -402,6 +402,7 @@
 # SELINUX= can take one of these three values:
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
+# disabled - SELinux is disabled
 SELINUX=permissive
 # SELINUXTYPE= can take one of these three values:
 # targeted - Targeted processes are protected,
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.3xcnzW/_old 2025-01-12 11:09:26.262788180 +0100
+++ /var/tmp/diff_new_pack.3xcnzW/_new 2025-01-12 11:09:26.266788344 +0100
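Review bot: The new `# disabled - SELinux is disabled` line in the /etc/selinux/config template written by the spec understates what that value does: on kernels that have dropped runtime disabling, `SELINUX=disabled` in this file no longer fully disables SELinux by itself and `selinux=0` on the kernel command line is required, and files created while disabled are typically left unlabeled, so going back to enforcing later needs a full relabel. Suggest expanding the comment to `# disabled - No SELinux policy is loaded. On kernels without runtime disable use selinux=0 on the kernel command line; re-enabling later requires a full relabel.` The kernel version at which runtime disable went away is not shown here and should be checked against the kernels Factory ships before committing to that wording.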
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">33c703587e800be11fca3101b7caf2d4a5c77117</param></service><service name="tar_scm">
+ <param name="changesrevision">e706802b7bfd75c30c10bbe66e23019e5514dc34</param></service><service name="tar_scm">
 <param name="url">https://github.com/containers/container-selinux.git</param>
 <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
++++++ container.fc ++++++
--- /var/tmp/diff_new_pack.3xcnzW/_old 2025-01-12 11:09:26.298789657 +0100
+++ /var/tmp/diff_new_pack.3xcnzW/_new 2025-01-12 11:09:26.306789985 +0100
@@ -92,6 +92,7 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/ramalama(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
++++++ container.if ++++++
--- /var/tmp/diff_new_pack.3xcnzW/_old 2025-01-12 11:09:26.326790806 +0100
+++ /var/tmp/diff_new_pack.3xcnzW/_new 2025-01-12 11:09:26.330790971 +0100
@@ -562,6 +562,7 @@
 # Third-party snapshotters
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
++++++ container.te ++++++
--- /var/tmp/diff_new_pack.3xcnzW/_old 2025-01-12 11:09:26.362792283 +0100
+++ /var/tmp/diff_new_pack.3xcnzW/_new 2025-01-12 11:09:26.366792448 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.234.0)
+policy_module(container, 2.234.2)
 gen_require(`
 class passwd rootok;
++++++ selinux-policy-20241220.tar.xz -> selinux-policy-20250109.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/keyutils.te new/selinux-policy-20250109/policy/modules/contrib/keyutils.te
--- old/selinux-policy-20241220/policy/modules/contrib/keyutils.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/keyutils.te 2025-01-09 17:58:38.000000000 +0100
@@ -22,9 +22,11 @@
 corecmd_exec_bin(keyutils_request_t)
-domain_read_view_all_domains_keyrings(keyutils_request_t)
+domain_manage_all_domains_keyrings(keyutils_request_t)
-init_write_key(keyutils_request_t)
+optional_policy(`
+ auth_read_passwd(keyutils_request_t)
+')
 optional_policy(`
 init_search_pid_dirs(keyutils_request_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/ktls.te new/selinux-policy-20250109/policy/modules/contrib/ktls.te
--- old/selinux-policy-20241220/policy/modules/contrib/ktls.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/ktls.te 2025-01-09 17:58:38.000000000 +0100
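Review bot: `domain_manage_all_domains_keyrings(keyutils_request_t)` widens request-key from read/view on every domain's keys to full management of every domain's keyrings, and the keyutils.te hunk carries no comment saying which key operation needs that. The widening is plausible — request-key is the kernel's upcall helper and presumably has to instantiate and link keys into the requesting process's keyring, which is why the narrower `init_write_key` could be dropped — but a one-line justification would stop the next reviewer from narrowing it back: `# request-key is the kernel upcall helper: it must instantiate/link keys into whichever domain requested them (also covers the former init_write_key)`. If the only write actually needed is the instantiation into the requester's keyring, a narrower interface than manage-all should be considered, with the AVC that motivated the change recorded in the comment.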
@@ -11,3 +11,9 @@
 permissive ktlshd_t;
+allow ktlshd_t self:netlink_generic_socket create_socket_perms;
+allow ktlshd_t self:unix_dgram_socket create_socket_perms;
+
+optional_policy(`
+ logging_send_syslog_msg(ktlshd_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/powerprofiles.te new/selinux-policy-20250109/policy/modules/contrib/powerprofiles.te
--- old/selinux-policy-20241220/policy/modules/contrib/powerprofiles.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/powerprofiles.te 2025-01-09 17:58:38.000000000 +0100
@@ -30,6 +30,10 @@
 optional_policy(`
 policykit_dbus_chat(powerprofiles_t)
 ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(powerprofiles_t)
+ ')
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/redis.fc new/selinux-policy-20250109/policy/modules/contrib/redis.fc
--- old/selinux-policy-20241220/policy/modules/contrib/redis.fc 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/redis.fc 2025-01-09 17:58:38.000000000 +0100
@@ -1,18 +1,25 @@
 /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 /etc/redis\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+/etc/valkey\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
 /etc/redis(/.*)? gen_context(system_u:object_r:redis_conf_t,s0)
+/etc/valkey(/.*)? gen_context(system_u:object_r:redis_conf_t,s0)
 /etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)
 /usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+/usr/lib/systemd/system/valkey.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
 /usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/usr/bin/valkey-server -- gen_context(system_u:object_r:redis_exec_t,s0)
 /var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/var/lib/valkey(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
 /var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+/var/log/valkey(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
 /run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/run/valkey(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
 /var/opt/rh/rh-redis32/redis(/.*)? -- gen_context(system_u:object_r:redis_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/virt.if new/selinux-policy-20250109/policy/modules/contrib/virt.if
--- old/selinux-policy-20241220/policy/modules/contrib/virt.if 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/virt.if 2025-01-09 17:58:38.000000000 +0100
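Review bot: The Valkey entries mirror the Redis config, unit, binary, state, log and runtime paths, but there is no Valkey counterpart to the `/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)` line, so a Valkey sentinel configuration, if the openSUSE valkey package ships one, would stay at the default /etc label instead of `redis_conf_t` and a sentinel started from it would be denied its config once redis_t is enforcing. Whether valkey installs a sentinel config or a separate sentinel binary is not visible here; if it does, add `/etc/valkey-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)` next to the redis line and label the binary `redis_exec_t` as well.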
@@ -2200,3 +2200,22 @@
 list_dirs_pattern($1, virtqemud_var_run_t, virtqemud_var_run_t)
 read_files_pattern($1, virtqemud_var_run_t, virtqemud_var_run_t)
 ')
+
+########################################
+ ## <summary>
+ ## Allow the specified domain to ioctl
+ ## virtqemud over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+ interface(`virt_virtqemud_ioctl_stream_sockets',`
+ gen_require(`
+ type virtqemud_t;
+ ')
+
+ allow $1 virtqemud_t:unix_stream_socket ioctl;
+ ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/contrib/virt.te new/selinux-policy-20250109/policy/modules/contrib/virt.te
--- old/selinux-policy-20241220/policy/modules/contrib/virt.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/contrib/virt.te 2025-01-09 17:58:38.000000000 +0100
@@ -1086,6 +1086,7 @@
 # qemu uses userfaultfd to implement live post-copy migration
 # https://wiki.qemu.org/Features/PostCopyLiveMigration
 kernel_userfaultfd_use(virt_domain)
+kernel_kvm_gmem_use(virt_domain)
 userdom_search_user_home_content(virt_domain)
 userdom_read_user_home_content_symlinks(virt_domain)
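Review bot: `virt_virtqemud_ioctl_stream_sockets` grants the unrestricted `ioctl` permission on virtqemud's unix stream sockets, and its documentation does not say which ioctl the caller (ssh_t, per the ssh.te hunk in this commit) actually issues. If it is a single request, an extended-permission rule such as `allowxperm $1 virtqemud_t:unix_stream_socket ioctl { <request> };` after the allow would narrow it to that one ioctl; the request number is not visible here and should be taken from the AVC that motivated the rule. At minimum the summary should record the use case so the grant is not widened by accident later, e.g. `## Used by ssh when virtqemud spawns it as the live-migration transport.`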
@@ -2137,20 +2138,22 @@
 allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setpcap setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio sys_resource };
 allow virtqemud_t self:capability2 { bpf perfmon };
 allow virtqemud_t self:cap_userns kill;
- allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
-allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
+allow virtqemud_t self:process { getpgid setcap setexec setrlimit setsched setsockcreate };
 allow virtqemud_t self:tcp_socket create_socket_perms;
-allow virtqemud_t self:tun_socket create;
+allow virtqemud_t self:tun_socket { create relabelfrom relabelto };
 allow virtqemud_t self:udp_socket { connect create getattr };
 allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom;
-allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
+allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms;
+allow virtqemud_t svirt_t:process { getattr getrlimit setsched signal signull transition };
+allow virtqemud_t svirt_t:tcp_socket create_stream_socket_perms;
+allow virtqemud_t svirt_t:udp_socket create_socket_perms;
 allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
 allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;
-allow virtqemud_t svirt_tcg_t: process { setsched signal signull transition };
-allow virtqemud_t svirt_tcg_t: unix_stream_socket { connectto create_stream_socket_perms };
+allow virtqemud_t svirt_tcg_t:process { getrlimit getsched setsched signal signull transition };
+allow virtqemud_t svirt_tcg_t:unix_stream_socket { connectto create_stream_socket_perms };
 allow virtqemud_t svirt_devpts_t:chr_file open;
 allow virtqemud_t svirt_tmpfs_t:file { map write };
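Review bot: The new `svirt_t:netlink_route_socket`, `svirt_t:tcp_socket` and `svirt_t:udp_socket` rules only make sense together with the `setsockcreate` process permission a few lines above — virtqemud presumably switches its socket-create context to `svirt_t` so that the sockets it opens for migration already carry the guest label when they are handed to qemu — but nothing in the hunk says so, and without that link the rules read as virtqemud being given a second, guest-labelled network identity for no stated reason. A comment such as `# migration sockets are created under the svirt_t socket-create context (setsockcreate) and passed to qemu` would tie them together. Note also that `svirt_tcg_t` receives only the process and unix_stream_socket updates and not the netlink/tcp/udp socket rules; if live migration is meant to work for TCG guests as well, the same socket rules are needed for `svirt_tcg_t`, otherwise a comment should say the feature is KVM-only.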
@@ -2179,7 +2182,7 @@
 allow virtqemud_t virtqemud_var_run_t:dir relabelfrom;
 allow virtqemud_t virtqemud_var_run_t:sock_file relabelfrom;
-allow virtqemud_t virt_log_t:file relabelfrom;
+allow virtqemud_t virt_log_t:file relabel_file_perms;
 manage_dirs_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t)
 manage_dirs_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t)
@@ -2207,6 +2210,7 @@
 read_files_pattern(virtqemud_t, svirt_t, svirt_t)
 read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
 read_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)
+read_lnk_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)
 manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t)
@@ -2239,9 +2243,9 @@
 dev_delete_urand(virtqemud_t)
 dev_read_cpuid(virtqemud_t)
-dev_read_sgx_vepc(virtqemud_t)
 dev_read_sysfs(virtqemud_t)
 dev_read_urand(virtqemud_t)
+dev_rw_sgx_vepc(virtqemud_t)
 dev_rw_vfio_dev(virtqemud_t)
 dev_relabel_all_dev_nodes(virtqemud_t)
 dev_rw_kvm(virtqemud_t)
@@ -2295,7 +2299,10 @@
 ')
 tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtqemud_t)
 fs_manage_nfs_files(virtqemud_t)
+ fs_read_nfs_symlinks(virtqemud_t)
+ fs_mmap_nfs_files(virtqemud_t)
 ')
 optional_policy(`
@@ -2307,6 +2314,10 @@
 ')
 optional_policy(`
+ numad_domtrans(virtqemud_t)
+')
+
+optional_policy(`
 qemu_exec(virtqemud_t)
 ')
@@ -2326,6 +2337,7 @@
 optional_policy(`
 ssh_domtrans_ssh(virtqemud_t)
+ ssh_signal(virtqemud_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/kernel/devices.if new/selinux-policy-20250109/policy/modules/kernel/devices.if
--- old/selinux-policy-20241220/policy/modules/kernel/devices.if 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/kernel/devices.if 2025-01-09 17:58:38.000000000 +0100
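Review bot: `ssh_signal(virtqemud_t)` lets virtqemud send any signal to every `ssh_t` process on the host, not just the ssh client it spawns through `ssh_domtrans_ssh` on the line above — SELinux cannot scope `signal` to a domain's own children — so the rule is broader than the migration transport needs; that is probably unavoidable, but the hunk should say so, e.g. `# virtqemud signals the ssh transport it spawned for migration; SELinux cannot restrict this to its own children`. In the same spirit, `dev_rw_sgx_vepc(virtqemud_t)` turns read-only access to the SGX vEPC device into unconditional read/write for every host, whether or not it runs SGX guests; if that is meant to stay unconditional a comment naming the SGX use case would help, otherwise a tunable in the style of `virt_use_nfs` is the established pattern in this file. The enclosing `optional_policy` and `tunable_policy` blocks start and end outside the hunks.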
@@ -6828,6 +6828,24 @@
 ########################################
 ## <summary>
+## Allow read and write the sgx_vepc devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_sgx_vepc',`
+ gen_require(`
+ type device_t, sgx_vepc_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, sgx_vepc_device_t)
+')
+
+########################################
+## <summary>
 ## Allow read the hfi1_[0-9]+ devices
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/kernel/domain.te new/selinux-policy-20250109/policy/modules/kernel/domain.te
--- old/selinux-policy-20241220/policy/modules/kernel/domain.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/kernel/domain.te 2025-01-09 17:58:38.000000000 +0100
@@ -132,6 +132,7 @@
 kernel_userfaultfd_domtrans(domain)
 kernel_io_uring_domtrans(domain)
 kernel_secretmem_domtrans(domain)
+kernel_kvm_gmem_domtrans(domain)
 kernel_getattr_proc(domain)
 kernel_read_proc_symlinks(domain)
@@ -315,6 +316,7 @@
 kernel_userfaultfd_use(unconfined_domain_type)
 kernel_io_uring_use(unconfined_domain_type)
 kernel_secretmem_use(unconfined_domain_type)
+kernel_kvm_gmem_use(unconfined_domain_type)
 corenet_filetrans_all_named_dev(named_filetrans_domain)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/kernel/kernel.if new/selinux-policy-20250109/policy/modules/kernel/kernel.if
--- old/selinux-policy-20241220/policy/modules/kernel/kernel.if 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/kernel/kernel.if 2025-01-09 17:58:38.000000000 +0100
@@ -4662,3 +4662,58 @@
 ')
 allow $1 secretmem_t:anon_inode create;
 ')
+
+########################################
+## <summary>
+## Set up type transition for KVM guest memfd anon inodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to receive the type transition.
+## </summary>
+## </param>
+#
+interface(`kernel_kvm_gmem_domtrans',`
+ gen_require(`
+ type kvm_gmem_t;
+ ')
+ type_transition $1 self:anon_inode kvm_gmem_t "[kvm-gmem]";
+')
+
+########################################
+## <summary>
+## Allow the domain to use the KVM guest memfd interface via an
+## inherited file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_kvm_gmem_use_inherited',`
+ gen_require(`
+ type kvm_gmem_t;
+ ')
+ # Not sure about the set of reachable permissions here -
+ # may be refined in the future to a smaller/bigger set.
+ allow $1 kvm_gmem_t:anon_inode { getattr read write map };
+')
+
+########################################
+## <summary>
+## Allow the domain to use the KVM guest memfd interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_kvm_gmem_use',`
+ gen_require(`
+ type kvm_gmem_t;
+ ')
+ kernel_kvm_gmem_use_inherited($1)
+ allow $1 kvm_gmem_t:anon_inode create;
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/kernel/kernel.te new/selinux-policy-20250109/policy/modules/kernel/kernel.te
--- old/selinux-policy-20241220/policy/modules/kernel/kernel.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/kernel/kernel.te 2025-01-09 17:58:38.000000000 +0100
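Review bot: `kernel_kvm_gmem_domtrans` is a name-based type transition keyed on the literal `"[kvm-gmem]"`, so if the running kernel names the guest_memfd anon inode differently the inode silently keeps the creating domain's label and none of the `kvm_gmem_t` rules apply; that dependency deserves a comment on the `type_transition` line, e.g. `# must match the anon inode name the kernel passes to anon_inode_getfile() for guest_memfd; verify against the target kernel`. The `kernel_kvm_gmem_use_inherited` comment already admits that `{ getattr read write map }` is a guess, which is acceptable while it is written down, but `kernel_kvm_gmem_use` should state in its summary that it adds only `create` on top of the inherited variant so callers know which of the two to pick. The three interfaces otherwise follow the existing secretmem pattern, which keeps the anon-inode handling consistent.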
@@ -238,6 +238,7 @@
 type userfaultfd_t;
 type io_uring_t;
 type secretmem_t;
+type kvm_gmem_t;
 # These initial sids are no longer used, and can be removed:
 sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/roles/sysadm.te new/selinux-policy-20250109/policy/modules/roles/sysadm.te
--- old/selinux-policy-20241220/policy/modules/roles/sysadm.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/roles/sysadm.te 2025-01-09 17:58:38.000000000 +0100
@@ -30,6 +30,7 @@
 kernel_read_fs_sysctls(sysadm_t)
 kernel_read_all_proc(sysadm_t)
 kernel_secretmem_use(sysadm_t)
+kernel_kvm_gmem_use(sysadm_t)
 kernel_unconfined(sysadm_t)
 auth_manage_shadow(sysadm_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/services/ssh.te new/selinux-policy-20250109/policy/modules/services/ssh.te
--- old/selinux-policy-20241220/policy/modules/services/ssh.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/services/ssh.te 2025-01-09 17:58:38.000000000 +0100
@@ -268,6 +268,14 @@
 ')
 optional_policy(`
+ systemd_read_conf_files(ssh_t)
+')
+
+optional_policy(`
+ virt_virtqemud_ioctl_stream_sockets(ssh_t)
+')
+
+optional_policy(`
 xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
 xserver_domtrans_xauth(ssh_t)
 xserver_map_user_fonts(ssh_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/system/systemd.fc new/selinux-policy-20250109/policy/modules/system/systemd.fc
--- old/selinux-policy-20241220/policy/modules/system/systemd.fc 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/system/systemd.fc 2025-01-09 17:58:38.000000000 +0100
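Review bot: Both new ssh.te blocks, `systemd_read_conf_files(ssh_t)` and `virt_virtqemud_ioctl_stream_sockets(ssh_t)`, are uncommented, and `ssh_t` is the domain every interactive ssh client on the host runs in, so the ioctl on virtqemud's sockets is granted to all ssh sessions rather than only the one virtqemud spawns for live migration. If that is acceptable — SELinux offers no narrower target without a dedicated transport domain — it should be recorded: `# ssh spawned by virtqemud as the live-migration transport inherits virtqemud's socket pair`. Why the ssh client needs systemd configuration files is not visible here; a comment naming the file it reads would keep the rule from looking like a leftover from debugging.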
@@ -87,12 +87,14 @@
 /usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-getty-generator -- gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-import-generator -- gen_context(system_u:object_r:systemd_import_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-rc-local-generator -- gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-ssh-generator -- gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/status-mail-generator.sh -- gen_context(system_u:object_r:systemd_status_mail_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-tpm2-generator -- gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/udev-trigger-generator -- gen_context(system_u:object_r:systemd_udev_trigger_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/vsftpd-generator -- gen_context(system_u:object_r:systemd_vsftpd_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/zram-generator -- gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.+ -- gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
 /usr/lib/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20241220/policy/modules/system/systemd.te new/selinux-policy-20250109/policy/modules/system/systemd.te
--- old/selinux-policy-20241220/policy/modules/system/systemd.te 2024-12-20 13:51:36.000000000 +0100
+++ new/selinux-policy-20250109/policy/modules/system/systemd.te 2025-01-09 17:58:38.000000000 +0100
@@ -214,6 +214,8 @@
 systemd_generator_template(systemd_growpart_generator)
 # ibft-rule-generator
 systemd_generator_template(systemd_ibft_rule_generator)
+# import-generator
+systemd_generator_template(systemd_import_generator)
 # rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
 # systemd-status-mail
@@ -226,6 +228,8 @@
 systemd_generator_template(systemd_tpm2_generator)
 # udev-trigger-generator
 systemd_generator_template(systemd_udev_trigger_generator)
+# vsftpd-generator
+systemd_generator_template(systemd_vsftpd_generator)
 # zram-generator
 systemd_generator_template(systemd_zram_generator)
 type systemd_zram_generator_conf_t;
@@ -646,6 +650,7 @@
 corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
 corenet_udp_bind_dhcpd_port(systemd_networkd_t)
+fs_list_cgroup_dirs(systemd_networkd_t)
 fs_read_xenfs_files(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
 fs_cgroup_write_memory_pressure(systemd_networkd_t)
@@ -1452,6 +1457,9 @@
 permissive systemd_status_mail_generator_t;
+### systemd import generator
+permissive systemd_import_generator_t;
+
 ### ssh generator
 allow systemd_ssh_generator_t self:vsock_socket create;
 allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms };
@@ -1485,6 +1493,16 @@
 permissive systemd_udev_trigger_generator_t;
+### vsftpd generator
+permissive systemd_vsftpd_generator_t;
+
+corecmd_exec_bin(systemd_vsftpd_generator_t)
+corecmd_exec_shell(systemd_vsftpd_generator_t)
+
+optional_policy(`
+ auth_dontaudit_read_passwd_file(systemd_vsftpd_generator_t)
+')
+
 ### zram generator
 allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms;
 permissive systemd_zram_generator_t;
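Review bot: `auth_dontaudit_read_passwd_file(systemd_vsftpd_generator_t)` suppresses the audit record for a denied /etc/passwd read, but the domain is declared `permissive` a few lines above, so today the read succeeds and leaves no AVC; the moment `permissive` is dropped the read will start failing with nothing in the log to explain it. If the generator's shell (it gets `corecmd_exec_shell`) genuinely needs the file, `auth_read_passwd` is the safer rule; if the read is spurious, say so next to the dontaudit: `# the generator's shell script triggers an NSS passwd lookup it does not need`. A TODO listing what is still missing before the new import and vsftpd generator domains can leave permissive mode would also help, since the import generator currently has no rules at all beyond the template.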