Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-01-21 21:09:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.5589 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Tue Jan 21 21:09:50 2025 rev:94 rq:1239232 version:20250121

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-01-12 11:09:25.434754205 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.5589/selinux-policy.changes  
2025-01-21 21:10:09.470192365 +0100
@@ -1,0 +2,21 @@
+Tue Jan 21 09:33:04 UTC 2025 - cathy...@suse.com
+
+- Update to version 20250121:
+  * wtmpdbd systemd service uses NoNewPrivileges (bsc#1235660)
+  * Transition samba-dcerpcd pid file from smbd_var_run_t to winbind_var_run_t 
(bsc#1235801)
+  * /run/samba/samba-dcerpcd.pid needs fc type winbind_rpcd_var_run_t 
(bsc#1235801)
+  * Adjust rpcd_lsad, samba-bgqd, samba-dcerpcd to SUSE-specific part 
(bsc#1235801)
+  * Transition nmbd pid file from smbd_var_run_t to nmbd_var_run_t 
(bsc#1235801)
+
+-------------------------------------------------------------------
+Mon Jan 20 08:43:53 UTC 2025 - cathy...@suse.com
+
+- Update to version 20250120:
+  * Allow database rotation for wtmpdbd_t
+  * Allow wtmpdbd to send messages notifications
+  * Introduce policy for wtmpdbd (bsc#1235660)
+  * Label xrdp scripts in /etc as bin_t (bsc#1233738)
+  * introduce unconfined_service_transition_to_unconfined_user boolean 
(bsc#1233738)
+  * Allow init to manage DOS files (bsc#1232527)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250109.tar.xz

New:
----
  selinux-policy-20250121.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.yGNBLR/_old  2025-01-21 21:10:10.078217463 +0100
+++ /var/tmp/diff_new_pack.yGNBLR/_new  2025-01-21 21:10:10.078217463 +0100
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250109
+Version:        20250121
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.yGNBLR/_old  2025-01-21 21:10:10.174221425 +0100
+++ /var/tmp/diff_new_pack.yGNBLR/_new  2025-01-21 21:10:10.182221756 +0100
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">e706802b7bfd75c30c10bbe66e23019e5514dc34</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">0cb2a7bb54aadca23c8fb6c94099afd1bc58946a</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>


++++++ selinux-policy-20250109.tar.xz -> selinux-policy-20250121.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250109/dist/minimum/booleans.conf 
new/selinux-policy-20250121/dist/minimum/booleans.conf
--- old/selinux-policy-20250109/dist/minimum/booleans.conf      2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/dist/minimum/booleans.conf      2025-01-21 
10:32:40.000000000 +0100
@@ -246,3 +246,6 @@
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
+
+# Allows unconfined_service_t to transition to unconfined_t
+unconfined_service_transition_to_unconfined_user = false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250109/dist/targeted/booleans.conf 
new/selinux-policy-20250121/dist/targeted/booleans.conf
--- old/selinux-policy-20250109/dist/targeted/booleans.conf     2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/dist/targeted/booleans.conf     2025-01-21 
10:32:40.000000000 +0100
@@ -57,3 +57,4 @@
 xguest_exec_content = false
 xserver_execmem = false
 zebra_write_config = false
+unconfined_service_transition_to_unconfined_user = false
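Review bot: The new `unconfined_service_transition_to_unconfined_user = false` line is appended after `zebra_write_config`, which breaks the alphabetical order this file keeps (`xguest_exec_content`, `xserver_execmem`, `zebra_write_config`). Move it up so it sits before the `x*` entries, in the same position the tunable would get in a sorted `semanage boolean -l` listing. The value itself (default off) is the right choice for a tunable that widens an unconfined service into the unconfined user domain.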
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/contrib/samba.fc 
new/selinux-policy-20250121/policy/modules/contrib/samba.fc
--- old/selinux-policy-20250109/policy/modules/contrib/samba.fc 2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/contrib/samba.fc 2025-01-21 
10:32:40.000000000 +0100
@@ -18,9 +18,9 @@
 /usr/lib/systemd/system/nmb.*   --      
gen_context(system_u:object_r:samba_unit_file_t,s0)
 /usr/lib/systemd/system/winbind.*   --  
gen_context(system_u:object_r:samba_unit_file_t,s0)
 
-/usr/libexec/samba/rpcd_lsad   --      
gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
-/usr/libexec/samba/samba-bgqd  --      
gen_context(system_u:object_r:samba_bgqd_exec_t,s0)
-/usr/libexec/samba/samba-dcerpcd --    
gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+/usr/lib/samba/rpcd_lsad       --      
gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+/usr/lib/samba/samba-bgqd      --      
gen_context(system_u:object_r:samba_bgqd_exec_t,s0)
+/usr/lib/samba/samba-dcerpcd   --      
gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
 
 /usr/bin/net                   --      
gen_context(system_u:object_r:samba_net_exec_t,s0)
 /usr/bin/ntlm_auth             --      
gen_context(system_u:object_r:winbind_helper_exec_t,s0)
@@ -66,6 +66,8 @@
 /run/samba/smbd\.pid   --      gen_context(system_u:object_r:smbd_var_run_t,s0)
 /run/samba/unexpected\.tdb     --      
gen_context(system_u:object_r:nmbd_var_run_t,s0)
 
+/run/samba/samba-dcerpcd.pid    --      
gen_context(system_u:object_r:winbind_rpcd_var_run_t,s0)
+
 /run/samba/winbindd(/.*)?              
gen_context(system_u:object_r:winbind_var_run_t,s0)
 /run/winbindd(/.*)?                    
gen_context(system_u:object_r:winbind_var_run_t,s0)
 /run/samba-bgqd.pid    --      
gen_context(system_u:object_r:samba_bgqd_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/contrib/samba.te 
new/selinux-policy-20250121/policy/modules/contrib/samba.te
--- old/selinux-policy-20250109/policy/modules/contrib/samba.te 2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/contrib/samba.te 2025-01-21 
10:32:40.000000000 +0100
@@ -731,7 +731,7 @@
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
 manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
 files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { file dir })
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
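Review bot: Widening `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { file dir })` to files is an unnamed transition, so every regular file nmbd_t creates inside an smbd_var_run_t directory becomes nmbd_var_run_t, not only the pid file the changelog mentions. That may be intended, since samba.fc also labels `/run/samba/unexpected\.tdb` as nmbd_var_run_t; if so, say it in a comment, e.g. `# nmbd creates its pid file and unexpected.tdb under /run/samba (bsc#1235801)`. If only the pid file is meant, a named transition such as `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, file, "nmbd.pid")` would keep the scope tight — confirm the file name against samba.fc, which is outside this hunk.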
@@ -1272,6 +1272,7 @@
 
 manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, 
winbind_rpcd_var_run_t)
 files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+filetrans_pattern(winbind_rpcd_t, smbd_var_run_t, winbind_rpcd_var_run_t, file)
 
 manage_files_pattern(winbind_rpcd_t, winbind_rpcd_tmp_t, winbind_rpcd_tmp_t)
 files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file)
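Review bot: The added `filetrans_pattern(winbind_rpcd_t, smbd_var_run_t, winbind_rpcd_var_run_t, file)` is unnamed, so any regular file winbind_rpcd_t creates in an smbd_var_run_t directory is relabelled, not just the pid file. Since samba.fc in this same update labels exactly `/run/samba/samba-dcerpcd.pid`, a named transition both matches the file context and limits the rule: `filetrans_pattern(winbind_rpcd_t, smbd_var_run_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")`. A one-line comment above it, `# samba-dcerpcd writes its pid file into /run/samba (bsc#1235801)`, would preserve the reason once the changelog is no longer at hand.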
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/kernel/corecommands.fc 
new/selinux-policy-20250121/policy/modules/kernel/corecommands.fc
--- old/selinux-policy-20250109/policy/modules/kernel/corecommands.fc   
2025-01-09 17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/kernel/corecommands.fc   
2025-01-21 10:32:40.000000000 +0100
@@ -122,6 +122,9 @@
 /etc/X11/xdm/Xsetup_0          --      gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xinit(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
 
+/etc/xrdp/startwm.sh           --      gen_context(system_u:object_r:bin_t,s0)
+/etc/xrdp/reconnectwm.sh       --      gen_context(system_u:object_r:bin_t,s0)
+
 /etc/xen/qemu-ifup             --      gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/scripts(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
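Review bot: `/etc/xrdp/startwm.sh` and `/etc/xrdp/reconnectwm.sh` leave the `.` unescaped, so the regex also matches e.g. `startwmXsh`; the file-context convention (cf. `smbd\.pid` in samba.fc of this package) is to escape literal dots: `/etc/xrdp/startwm\.sh` and `/etc/xrdp/reconnectwm\.sh`. Labelling admin-edited scripts under /etc as bin_t follows the xdm and xen entries around it, but these two run on the remote-login path, so a short comment is warranted: `# xrdp session scripts, executed when a remote session starts (bsc#1233738)`.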
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/services/ssh.te 
new/selinux-policy-20250121/policy/modules/services/ssh.te
--- old/selinux-policy-20250109/policy/modules/services/ssh.te  2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/services/ssh.te  2025-01-21 
10:32:40.000000000 +0100
@@ -504,6 +504,10 @@
 ')
 
 optional_policy(`
+       auth_use_wtmpdbd_varlink_sockets(sshd_t)
+')
+
+optional_policy(`
     tunable_policy(`ssh_use_tcpd',`
         tcpd_wrapped_domain(sshd_t,sshd_exec_t)
         tcpd_rw_tcp_sockets(sshd_net_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/system/authlogin.fc 
new/selinux-policy-20250121/policy/modules/system/authlogin.fc
--- old/selinux-policy-20250109/policy/modules/system/authlogin.fc      
2025-01-09 17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/system/authlogin.fc      
2025-01-21 10:32:40.000000000 +0100
@@ -71,6 +71,8 @@
 
 /var/lib/wtmpdb(/.*)?           gen_context(system_u:object_r:wtmpdb_t,s0)
 /var/lib/wtmpdb/wtmp.db-journal --      
gen_context(system_u:object_r:wtmpdb_journal_t,s0)
+/run/wtmpdb(/.*)?              
gen_context(system_u:object_r:wtmpdbd_var_run_t,s0)
+/usr/libexec/wtmpdbd   --      gen_context(system_u:object_r:wtmpdbd_exec_t,s0)
 
 /var/lib/rsa(/.*)?             gen_context(system_u:object_r:var_auth_t,s0)
 /var/rsa(/.*)?                 gen_context(system_u:object_r:var_auth_t,s0)
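Review bot: `/usr/libexec/wtmpdbd` is the only path given wtmpdbd_exec_t, and if the SUSE wtmpdb package installs the daemon elsewhere — this same update just moved the samba helpers from /usr/libexec to /usr/lib — no domain transition happens and wtmpdbd keeps running as init_t, silently bypassing the new domain and the NoNewPrivileges fix it exists for. Confirm the installed path (`rpm -ql wtmpdb | grep wtmpdbd`) and add a second entry if both layouts occur. A comment tying the two new lines together would help: `# wtmpdbd daemon and its varlink socket directory (bsc#1235660)`.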
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/system/authlogin.if 
new/selinux-policy-20250121/policy/modules/system/authlogin.if
--- old/selinux-policy-20250109/policy/modules/system/authlogin.if      
2025-01-09 17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/system/authlogin.if      
2025-01-21 10:32:40.000000000 +0100
@@ -2067,6 +2067,26 @@
 
 ########################################
 ## <summary>
+##      Use wtmpdbd varlink sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`auth_use_wtmpdbd_varlink_sockets',`
+        gen_require(`
+                type wtmpdbd_var_run_t;
+                type wtmpdbd_t;
+        ')
+
+       allow $1 wtmpdbd_var_run_t:sock_file write;
+       allow $1 wtmpdbd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##     Read access to the authlogin module.
 ## </summary>
 ## <desc>
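Review bot: `auth_use_wtmpdbd_varlink_sockets` grants `sock_file write` and `connectto` but no `search` on wtmpdbd_var_run_t (the /run/wtmpdb directory holding the socket) nor on /run itself, so a caller only reaches the socket if it already has those permissions from elsewhere. The refpolicy idiom bundles all of it; replace the two allow lines with `files_search_pids($1)` and `stream_connect_pattern($1, wtmpdbd_var_run_t, wtmpdbd_var_run_t, wtmpdbd_t)`. Refpolicy convention would also name such an interface `auth_stream_connect_wtmpdbd`, and the indentation inside the interface is inconsistent (8 spaces for gen_require, 7 for the allow lines).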
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/system/authlogin.te 
new/selinux-policy-20250121/policy/modules/system/authlogin.te
--- old/selinux-policy-20250109/policy/modules/system/authlogin.te      
2025-01-09 17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/system/authlogin.te      
2025-01-21 10:32:40.000000000 +0100
@@ -119,6 +119,14 @@
 type wtmpdb_journal_t;
 logging_log_file(wtmpdb_journal_t)
 
+type wtmpdbd_t;
+type wtmpdbd_exec_t;
+init_daemon_domain(wtmpdbd_t, wtmpdbd_exec_t)
+init_nnp_daemon_domain(wtmpdbd_t)
+
+type wtmpdbd_var_run_t;
+files_pid_file(wtmpdbd_var_run_t)
+
 ########################################
 #
 # Check password local policy
@@ -724,3 +732,19 @@
        ssh_agent_exec(login_pgm)
        ssh_read_user_home_files(login_pgm)
 ')
+
+#######################################
+#
+# wtmpdb Program local policy
+#
+
+allow wtmpdbd_t self:unix_dgram_socket { create write getopt setopt };
+allow wtmpdbd_t wtmpdbd_var_run_t:dir getattr;
+allow wtmpdbd_t wtmpdb_t:file manage_file_perms;
+
+kernel_dgram_send(wtmpdbd_t)
+
+auth_rw_wtmpdb_login_records(wtmpdbd_t)
+logging_dgram_send(wtmpdbd_t)
+logging_read_syslog_pid(wtmpdbd_t)
+logging_write_syslog_pid_socket(wtmpdbd_t)
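Review bot: The local policy gives wtmpdbd_t only `wtmpdb_t:file manage_file_perms`, but the "database rotation" the changelog cites presumably renames or creates files inside /var/lib/wtmpdb, which needs `write`/`add_name`/`remove_name` on the wtmpdb_t directory; unless auth_rw_wtmpdb_login_records already grants that (its body is not visible here), rotation will be denied. `manage_files_pattern(wtmpdbd_t, wtmpdb_t, wtmpdb_t)` covers both the files and the directory. Likewise authlogin.fc labels the sqlite journal wtmpdb_journal_t, so unless inherited from elsewhere the daemon needs manage rights on that type plus `filetrans_pattern(wtmpdbd_t, wtmpdb_t, wtmpdb_journal_t, file, "wtmp.db-journal")`, or the journal it creates ends up as wtmpdb_t. The bare `wtmpdbd_var_run_t:dir getattr` suggests the varlink socket is created by systemd socket activation rather than the daemon; a comment such as `# assumes the /run/wtmpdb varlink socket is created by systemd socket activation — confirm` would explain the absence of any sock_file rules.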
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/system/init.te 
new/selinux-policy-20250121/policy/modules/system/init.te
--- old/selinux-policy-20250109/policy/modules/system/init.te   2025-01-09 
17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/system/init.te   2025-01-21 
10:32:40.000000000 +0100
@@ -698,6 +698,7 @@
 fs_manage_cgroup_files(init_t)
 fs_manage_bpf_dirs(init_t)
 fs_manage_bpf_files(init_t)
+fs_manage_dos_files(init_t)
 fs_manage_hugetlbfs_dirs(init_t)
 fs_manage_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_blk_file(init_t)
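Review bot: `fs_manage_dos_files(init_t)` grants init_t create, delete and rename on every file of any vfat/dosfs mount, which on UEFI systems presumably includes the EFI system partition, and the surrounding `fs_manage_*` lines are all for kernel pseudo-filesystems, so this one stands out. If bsc#1232527 only needs existing files read or updated, `fs_rw_dos_files(init_t)` or `fs_read_dos_files(init_t)` is the narrower grant. Either way the line needs a why-comment, e.g. `# systemd itself needs to modify files on vfat mounts (bsc#1232527)`.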
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250109/policy/modules/system/unconfined.te 
new/selinux-policy-20250121/policy/modules/system/unconfined.te
--- old/selinux-policy-20250109/policy/modules/system/unconfined.te     
2025-01-09 17:58:38.000000000 +0100
+++ new/selinux-policy-20250121/policy/modules/system/unconfined.te     
2025-01-21 10:32:40.000000000 +0100
@@ -11,6 +11,13 @@
 #
 attribute unconfined_services;
 
+## <desc>
+## <p>
+## allow unconfined_service_t transition to the unconfined user domain
+## </p>
+## </desc>
+gen_tunable(unconfined_service_transition_to_unconfined_user, false)
+
 type unconfined_service_t;
 domain_type(unconfined_service_t)
 role system_r types unconfined_service_t;
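Review bot: The tunable description `allow unconfined_service_t transition to the unconfined user domain` says neither when an admin should enable it nor what it gives up, and it is the only text `semanage boolean -l` will show. The bug referenced in the changelog (bsc#1233738) points to xrdp, so suggest: `Allow unconfined_service_t to transition to unconfined_t (presumably on executing unconfined_exec_t), as xrdp session startup needs (bsc#1233738). Off by default; enabling it lets any unconfined service spawn the interactive unconfined user domain.` Capitalising "Allow" also matches the style of the other tunable descriptions.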
@@ -57,3 +64,9 @@
 optional_policy(`
     gpg_manage_admin_home_content(unconfined_service_t)
 ')
+
+optional_policy(`
+       tunable_policy(`unconfined_service_transition_to_unconfined_user',`
+               unconfined_domtrans(unconfined_service_t)
+       ')
+')
