Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-03-20 19:24:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.2696 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Mar 20 19:24:27 2025 rev:106 rq:1254134 version:20250318

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-03-13 15:04:50.286784107 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2696/selinux-policy.changes  
2025-03-20 19:24:43.176962112 +0100
@@ -1,0 +2,16 @@
+Tue Mar 18 13:03:40 UTC 2025 - rfr...@suse.com
+
+- Update to version 20250318:
+  * rebootmgr: Handle config under /etc/rebootmgr (bsc#1239720)
+
+-------------------------------------------------------------------
+Thu Mar 13 12:50:00 UTC 2025 - rfr...@suse.com
+
+- Update to version 20250313:
+  * health-checker-plugin: Move from dbus to varlink for rebootmgr 
communication (bsc#1237273)
+  * Introduce rebootmgr_var_run_t for files under run (bsc#1237273)
+  * Adjust to correct new binary path (bsc#1237273)
+  * health-checker: allow snapshot rollback (bsc#1235860)
+  * snapper: add interface to select the next boot snapshot
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250312.tar.xz

New:
----
  selinux-policy-20250318.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.8cbHpa/_old  2025-03-20 19:24:43.900992036 +0100
+++ /var/tmp/diff_new_pack.8cbHpa/_new  2025-03-20 19:24:43.900992036 +0100
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250312
+Version:        20250318
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.8cbHpa/_old  2025-03-20 19:24:43.996996004 +0100
+++ /var/tmp/diff_new_pack.8cbHpa/_new  2025-03-20 19:24:44.000996169 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">99cf931c4d3c525d9c63784e4674b4058d1baaaa</param></service></servicedata>
+              <param 
name="changesrevision">ea5f57baf3149d2bc58fd87fbd73e9bc59956112</param></service></servicedata>
 (No newline at EOF)
 


++++++ selinux-policy-20250312.tar.xz -> selinux-policy-20250318.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250312/policy/modules/contrib/health-checker.te 
new/selinux-policy-20250318/policy/modules/contrib/health-checker.te
--- old/selinux-policy-20250312/policy/modules/contrib/health-checker.te        
2025-03-12 11:44:12.000000000 +0100
+++ new/selinux-policy-20250318/policy/modules/contrib/health-checker.te        
2025-03-18 14:02:53.000000000 +0100
@@ -51,6 +51,23 @@
 
 fs_getattr_xattr_fs(health_checker_t)
 
+# permissions for health checker: rollback()
+## to execute 'mount'
+mount_exec(health_checker_t)
+mount_manage_pid_files(health_checker_t)
+## mount accessing block device information 
+storage_getattr_fixed_disk_dev(health_checker_t)
+## mount able to remount
+fs_remount_xattr_fs(health_checker_t)
+## for 'systemctl reboot'
+dbus_connect_system_bus(health_checker_t)
+dbus_system_bus_client(health_checker_t)
+systemd_dbus_chat_logind(health_checker_t)
+## for 'btrfs subvolume set-default ${LAST_WORKING_BTRFS_ID} /.snapshots'
+optional_policy(`
+       snapper_select_boot_snapshot(health_checker_t)
+')
+
 optional_policy(`
        # ignore #!/bin/bash reading passwd file
        auth_dontaudit_read_passwd_file(health_checker_t)
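Review bot: The three D-Bus calls added for 'systemctl reboot' (`dbus_connect_system_bus`, `dbus_system_bus_client`, `systemd_dbus_chat_logind`) are unconditional, while the snapper call right below them and the D-Bus block this same commit removes from health_checker_plugin_t are wrapped in `optional_policy`. Wrapping them the same way would keep the module consistent and buildable if the dbus module is left out. Separately, `mount_exec` runs mount inside health_checker_t without a domain transition, so `fs_remount_xattr_fs` and `storage_getattr_fixed_disk_dev` widen the health-checker domain itself rather than a confined mount domain. A comment saying why a transition into the mount domain was not used would help the next audit. The last context lines belong to an `optional_policy` block that continues outside the hunk.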
@@ -85,11 +102,9 @@
        bootloader_run(health_checker_plugin_t, health_checker_roles)
 ')
 
-# Allow health-checker plugins to talk to rebootmgr over dbus
+# Allow health-checker plugins to talk to rebootmgr over varlink
 optional_policy(`
-       dbus_connect_system_bus(health_checker_plugin_t)
-       dbus_system_bus_client(health_checker_plugin_t)
-       rebootmgr_dbus_chat(health_checker_plugin_t)
+       rebootmgr_varlink_chat(health_checker_plugin_t)
 ')
 
 manage_files_pattern(health_checker_plugin_t, health_checker_tmp_t, 
health_checker_tmp_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.fc 
new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.fc
--- old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.fc     
2025-03-12 11:44:12.000000000 +0100
+++ new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.fc     
2025-03-18 14:02:53.000000000 +0100
@@ -1 +1,3 @@
-/usr/bin/rebootmgrd            --      
gen_context(system_u:object_r:rebootmgr_exec_t,s0)
+/usr/libexec/rebootmgrd                --      
gen_context(system_u:object_r:rebootmgr_exec_t,s0)
+/etc/rebootmgr(/.*)?                   
gen_context(system_u:object_r:rebootmgr_conf_t,s0)
+/run/rebootmgr(/.*)?                   
gen_context(system_u:object_r:rebootmgr_var_run_t,s0)
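Review bot: The `/usr/bin/rebootmgrd` entry is replaced rather than kept next to the new `/usr/libexec/rebootmgrd` one, so a system that still has the daemon at the old path would give it the generic binary label and, presumably, start it outside rebootmgr_t without any visible error. If any supported rebootmgr package still installs to /usr/bin, keep the old line alongside the new one until that package is gone: `/usr/bin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)`. The two new directory entries have no file-type field, so they also match the directories themselves, which fits the directory filetrans rules added in rebootmgr.te.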
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.if 
new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.if
--- old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.if     
2025-03-12 11:44:12.000000000 +0100
+++ new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.if     
2025-03-18 14:02:53.000000000 +0100
@@ -41,21 +41,20 @@
 
 ########################################
 ## <summary>
-##     Send and receive messages from
-##     rebootmgr over dbus.
+##      Use rebootmgr varlink socket to talk to the daemon.
 ## </summary>
 ## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
+##      <summary>
+##      Domain allowed access.
+##      </summary>
 ## </param>
 #
-interface(`rebootmgr_dbus_chat',`
-       gen_require(`
-               type rebootmgr_t;
-               class dbus send_msg;
-       ')
+interface(`rebootmgr_varlink_chat',`
+        gen_require(`
+                type rebootmgr_var_run_t;
+                type rebootmgr_t;
+        ')
 
-       allow $1 rebootmgr_t:dbus send_msg;
-       allow rebootmgr_t $1:dbus send_msg;
+       allow $1 rebootmgr_var_run_t:sock_file write;
+       allow $1 rebootmgr_t:unix_stream_socket connectto;
 ')
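Review bot: `rebootmgr_varlink_chat` grants `write` on the socket file and `connectto` on the daemon but no `search` on rebootmgr_var_run_t directories, although rebootmgr.fc in this commit labels /run/rebootmgr and everything below it with that type. If the varlink socket sits inside /run/rebootmgr (its path is not shown here), a caller cannot reach it unless it gets directory search from somewhere else. The usual form covers all three permissions: `files_search_pids($1)` followed by `stream_connect_pattern($1, rebootmgr_var_run_t, rebootmgr_var_run_t, rebootmgr_t)`. The new `gen_require` lines also appear to be indented with spaces while the `allow` lines keep tabs.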
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.te 
new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.te
--- old/selinux-policy-20250312/policy/modules/contrib/rebootmgr.te     
2025-03-12 11:44:12.000000000 +0100
+++ new/selinux-policy-20250318/policy/modules/contrib/rebootmgr.te     
2025-03-18 14:02:53.000000000 +0100
@@ -9,6 +9,12 @@
 type rebootmgr_exec_t;
 init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
 
+type rebootmgr_conf_t;
+files_config_file(rebootmgr_conf_t)
+
+type rebootmgr_var_run_t;
+files_pid_file(rebootmgr_var_run_t)
+
 ########################################
 #
 # rebootmgr local policy
@@ -17,9 +23,13 @@
 allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
 allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
 
-domain_use_interactive_fds(rebootmgr_t)
+# handling files/folders in /etc/rebootmgr
+create_dirs_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)
+manage_files_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)
+read_lnk_files_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)
+files_etc_filetrans(rebootmgr_t, rebootmgr_conf_t, dir, "rebootmgr")
 
-files_manage_etc_files(rebootmgr_t)
+domain_use_interactive_fds(rebootmgr_t)
 
 logging_send_syslog_msg(rebootmgr_t)
 
@@ -37,3 +47,12 @@
        dbus_system_bus_client(rebootmgr_t)
        dbus_connect_system_bus(rebootmgr_t)
 ')
+
+# filetrans for /run/rebootmgr
+files_pid_filetrans(rebootmgr_t, rebootmgr_var_run_t, dir, "rebootmgr")
+# explicit for known files (i.e. sock_file, rest will inherit)
+files_pid_filetrans(rebootmgr_t, rebootmgr_var_run_t, sock_file)
+# allow the domain to manage rebootmgr_var_run_t
+create_dirs_pattern(rebootmgr_t, rebootmgr_var_run_t, rebootmgr_var_run_t)
+manage_files_pattern(rebootmgr_t, rebootmgr_var_run_t, rebootmgr_var_run_t)
+manage_sock_files_pattern(rebootmgr_t, rebootmgr_var_run_t, 
rebootmgr_var_run_t)
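Review bot: The unnamed `files_pid_filetrans(rebootmgr_t, rebootmgr_var_run_t, sock_file)` applies to any socket rebootmgr_t creates directly in /run, while rebootmgr.fc in this commit only labels `/run/rebootmgr(/.*)?`. A socket placed directly under /run would therefore get the type at creation but be reset to the generic pid type by a later relabel. If the varlink socket lives inside /run/rebootmgr, it inherits the directory's type and this rule can be dropped. Otherwise pass the socket's file name as the fourth argument and add a matching .fc entry, so the transition and the file contexts agree.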
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250312/policy/modules/contrib/snapper.if 
new/selinux-policy-20250318/policy/modules/contrib/snapper.if
--- old/selinux-policy-20250312/policy/modules/contrib/snapper.if       
2025-03-12 11:44:12.000000000 +0100
+++ new/selinux-policy-20250318/policy/modules/contrib/snapper.if       
2025-03-18 14:02:53.000000000 +0100
@@ -97,6 +97,26 @@
 
 ########################################
 ## <summary>
+##     Allow a domain to select the boot snapshot
+##
+##  Warning: should only be used for direct btrfs invocation
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`snapper_select_boot_snapshot',`
+       gen_require(`
+               type snapperd_data_t;
+       ')
+
+       allow $1 snapperd_data_t:dir { ioctl read };
+')
+
+########################################
+## <summary>
 ##     Allow a domain to relabel snapshots to snapperd_data_t 
 ## </summary>
 ## <param name="domain">
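Review bot: `allow $1 snapperd_data_t:dir { ioctl read };` permits every ioctl on snapshot directories, not only the one that `btrfs subvolume set-default` issues, and the summary does not say which permissions the interface hands out. Consider narrowing it with an extended-permission rule such as `allowxperm $1 snapperd_data_t:dir ioctl { <set-default ioctl number> };` (placeholder, to be taken from the btrfs headers), after checking that no other rule for this type pair relies on unfiltered ioctls. The doc block should also name the grant and the reason for the warning, for example `## Grants read and ioctl on snapperd_data_t directories to a domain that runs btrfs itself.`, if that is the intent. The trailing context lines belong to the next interface, which continues outside the hunk.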
