Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package selinux-policy for openSUSE:Factory
checked in at 2025-04-15 20:46:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
and /work/SRC/openSUSE:Factory/.selinux-policy.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy"
Tue Apr 15 20:46:42 2025 rev:110 rq:1269261 version:20250411
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes
2025-04-11 16:46:22.070187012 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1907/selinux-policy.changes
2025-04-15 20:46:43.944220351 +0200
@@ -1,0 +2,9 @@
+Fri Apr 11 16:24:01 UTC 2025 - Filippo Bonazzi <filippo.bona...@suse.com>
+
+- Update to version 20250411:
+ * Introduce unconfined mysqld_systemd_helper_t (bsc#1240949)
+ * Set mysqld_t permissive until we have tested it thorougly (bsc#1240949)
+ * Fix label of mysqld (bsc#1240949)
+ * Initial policy for snapper 50-etc plugin (bsc#1236671)
+
+-------------------------------------------------------------------
Old:
----
selinux-policy-20250410.tar.xz
New:
----
selinux-policy-20250411.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old 2025-04-15 20:46:46.604330740 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new 2025-04-15 20:46:46.612331073 +0200
@@ -36,7 +36,7 @@
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20250410
+Version: 20250411
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old 2025-04-15 20:46:47.084350661 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new 2025-04-15 20:46:47.124352321 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param
name="changesrevision">4885ef4570aad09521e8e4a4ae28fb377820eb7f</param></service></servicedata>
+ <param
name="changesrevision">e366edc39ad8370b702f680d376476413a5bfd98</param></service></servicedata>
(No newline at EOF)
++++++ selinux-policy-20250410.tar.xz -> selinux-policy-20250411.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-policy-20250410/policy/modules/contrib/mysql.fc
new/selinux-policy-20250411/policy/modules/contrib/mysql.fc
--- old/selinux-policy-20250410/policy/modules/contrib/mysql.fc 2025-04-10
15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/mysql.fc 2025-04-11
18:14:24.000000000 +0200
@@ -7,6 +7,8 @@
/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
/usr/lib/systemd/system/mysqld.* --
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+# (open)SUSE-only
+/usr/lib/systemd/system/mysql.* --
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
/usr/lib/systemd/system/mariadb.* --
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
#
@@ -21,6 +23,7 @@
#
# /usr
#
+/usr/bin/mysqld --
gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysqld_safe --
gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysqld_safe_helper --
gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -28,6 +31,8 @@
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/libexec/mysqld_safe-scl-helper --
gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+# (open)SUSE-only
+/usr/libexec/mysql/mysql-systemd-helper --
gen_context(system_u:object_r:mysqld_systemd_helper_exec_t,s0)
/usr/bin/mysqld(-max|-debug)? --
gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysqlmanager --
gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-policy-20250410/policy/modules/contrib/mysql.te
new/selinux-policy-20250411/policy/modules/contrib/mysql.te
--- old/selinux-policy-20250410/policy/modules/contrib/mysql.te 2025-04-10
15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/mysql.te 2025-04-11
18:14:24.000000000 +0200
@@ -62,6 +62,11 @@
type mysqlmanagerd_var_run_t;
files_pid_file(mysqlmanagerd_var_run_t)
+# (open)SUSE only
+type mysqld_systemd_helper_exec_t;
+type mysqld_systemd_helper_t;
+init_daemon_domain(mysqld_systemd_helper_t, mysqld_systemd_helper_exec_t)
+
########################################
#
# Local policy
@@ -198,6 +203,8 @@
rsync_exec(mysqld_t)
')
+permissive mysqld_t;
+
#######################################
#
# Local mysqld_safe policy
@@ -302,3 +309,14 @@
dev_read_urand(mysqlmanagerd_t)
userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
+########################################
+#
+# MySQL systemd helper script Policy (open)SUSE only
+#
+
+domtrans_pattern(mysqld_systemd_helper_t, mysqld_exec_t, mysqld_t)
+
+optional_policy(`
+ unconfined_domain(mysqld_systemd_helper_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-policy-20250410/policy/modules/contrib/snapper.fc
new/selinux-policy-20250411/policy/modules/contrib/snapper.fc
--- old/selinux-policy-20250410/policy/modules/contrib/snapper.fc
2025-04-10 15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/snapper.fc
2025-04-11 18:14:24.000000000 +0200
@@ -1,6 +1,7 @@
/usr/bin/snapperd --
gen_context(system_u:object_r:snapperd_exec_t,s0)
/usr/lib/snapper/systemd-helper --
gen_context(system_u:object_r:snapperd_exec_t,s0)
+/usr/lib/snapper/plugins/50-etc --
gen_context(system_u:object_r:snapper_tu_etc_plugin_exec_t,s0)
/usr/lib/snapper/plugins/grub --
gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0)
/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-policy-20250410/policy/modules/contrib/snapper.te
new/selinux-policy-20250411/policy/modules/contrib/snapper.te
--- old/selinux-policy-20250410/policy/modules/contrib/snapper.te
2025-04-10 15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/snapper.te
2025-04-11 18:14:24.000000000 +0200
@@ -140,6 +140,7 @@
attribute snapper_plugin;
snapper_plugin_template(grub);
+snapper_plugin_template(tu_etc);
### snapper grub plugin
bootloader_exec(snapper_grub_plugin_t)
@@ -157,3 +158,32 @@
auth_dontaudit_read_passwd_file(snapper_grub_plugin_t)
nscd_dontaudit_search_pid(snapper_grub_plugin_t)
')
+
+
+### snapper transactional-update 50-etc plugin
+allow snapper_tu_etc_plugin_t self:capability { chown fsetid sys_admin };
+allow snapper_tu_etc_plugin_t self:process setfscreate;
+
+# needed because its a shell script
+corecmd_exec_bin(snapper_tu_etc_plugin_t)
+optional_policy(`
+ auth_dontaudit_read_passwd_file(snapper_tu_etc_plugin_t)
+')
+
+# needed for copying different file types and setting labels correctly during
migration
+admin_pattern(snapper_tu_etc_plugin_t, file_type)
+domain_obj_id_change_exemption(snapper_tu_etc_plugin_t)
+fs_getattr_xattr_fs(snapper_tu_etc_plugin_t)
+
+# exception for neverallow rules, since we need to copy and relabel shadow_t
and semanage_conf_t as well
+auth_rw_shadow(snapper_tu_etc_plugin_t)
+auth_relabelto_shadow(snapper_tu_etc_plugin_t)
+seutil_relabelto_bin_policy(snapper_tu_etc_plugin_t)
+
+# needed for mount
+mount_domtrans(snapper_tu_etc_plugin_t)
+mount_rw_pid_files(snapper_tu_etc_plugin_t)
+files_mounton_etc(snapper_tu_etc_plugin_t)
+
+# needed for systemd dynamicuser
+kernel_stream_connect(snapper_tu_etc_plugin_t)
