Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-04-15 20:46:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1907 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy"
Tue Apr 15 20:46:42 2025 rev:110 rq:1269261 version:20250411
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-04-11 16:46:22.070187012 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1907/selinux-policy.changes 2025-04-15 20:46:43.944220351 +0200
@@ -1,0 +2,9 @@
+Fri Apr 11 16:24:01 UTC 2025 - Filippo Bonazzi <filippo.bona...@suse.com>
+
+- Update to version 20250411:
+ * Introduce unconfined mysqld_systemd_helper_t (bsc#1240949)
+ * Set mysqld_t permissive until we have tested it thorougly (bsc#1240949)
+ * Fix label of mysqld (bsc#1240949)
+ * Initial policy for snapper 50-etc plugin (bsc#1236671)
+
+-------------------------------------------------------------------
Old:
----
selinux-policy-20250410.tar.xz
New:
----
selinux-policy-20250411.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old 2025-04-15 20:46:46.604330740 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new 2025-04-15 20:46:46.612331073 +0200
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20250410
+Version: 20250411
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old 2025-04-15 20:46:47.084350661 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new 2025-04-15 20:46:47.124352321 +0200
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">4885ef4570aad09521e8e4a4ae28fb377820eb7f</param></service></servicedata> + <param name="changesrevision">e366edc39ad8370b702f680d376476413a5bfd98</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20250410.tar.xz -> selinux-policy-20250411.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250410/policy/modules/contrib/mysql.fc new/selinux-policy-20250411/policy/modules/contrib/mysql.fc --- old/selinux-policy-20250410/policy/modules/contrib/mysql.fc 2025-04-10 15:07:59.000000000 +0200 +++ new/selinux-policy-20250411/policy/modules/contrib/mysql.fc 2025-04-11 18:14:24.000000000 +0200 @@ -7,6 +7,8 @@ /root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) /usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) +# (open)SUSE-only +/usr/lib/systemd/system/mysql.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) /usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) # @@ -21,6 +23,7 @@ # # /usr # +/usr/bin/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysqld_safe_helper -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) 
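Review bot: The new pattern `/usr/lib/systemd/system/mysql.*` in the first mysql.fc hunk subsumes the existing `/usr/lib/systemd/system/mysqld.*` entry directly above it, since `.*` also matches `d.service`, so the two entries now overlap. Both resolve to mysqld_unit_file_t, so labeling is unaffected, but the entry reads as if it were meant for units named `mysql.<suffix>`. If that is the intent, `mysql\..*` expresses it without swallowing the mysqld entry; otherwise a short comment noting the deliberate overlap would save the next reader the same check.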
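Review bot: The added `/usr/bin/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)` appears to duplicate the existing `/usr/bin/mysqld(-max|-debug)?` entry visible in the next mysql.fc hunk, which already matches the bare path with the same type because the suffix group is optional. If the changelog's "Fix label of mysqld" addressed a case where that regex did not apply, a comment naming the affected path or the observed mislabel would make the reason durable. The sibling additions in this file carry a `# (open)SUSE-only` marker and this one does not; if it is also distribution-specific, the same marker keeps the file consistent.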
@@ -28,6 +31,8 @@ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) +# (open)SUSE-only +/usr/libexec/mysql/mysql-systemd-helper -- gen_context(system_u:object_r:mysqld_systemd_helper_exec_t,s0) /usr/bin/mysqld(-max|-debug)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250410/policy/modules/contrib/mysql.te new/selinux-policy-20250411/policy/modules/contrib/mysql.te --- old/selinux-policy-20250410/policy/modules/contrib/mysql.te 2025-04-10 15:07:59.000000000 +0200 +++ new/selinux-policy-20250411/policy/modules/contrib/mysql.te 2025-04-11 18:14:24.000000000 +0200 @@ -62,6 +62,11 @@ type mysqlmanagerd_var_run_t; files_pid_file(mysqlmanagerd_var_run_t) +# (open)SUSE only +type mysqld_systemd_helper_exec_t; +type mysqld_systemd_helper_t; +init_daemon_domain(mysqld_systemd_helper_t, mysqld_systemd_helper_exec_t) + ######################################## # # Local policy @@ -198,6 +203,8 @@ rsync_exec(mysqld_t) ') +permissive mysqld_t; + ####################################### # # Local mysqld_safe policy 
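Review bot: `permissive mysqld_t;` is added to mysql.te unconditionally, with nothing in the source saying why it is there or when it comes out; the changelog's "until we have tested it thoroughly" intent is not visible to anyone reading the policy. A permissive domain still has its denials audited, so the testing window will produce AVC records that can be reviewed before enforcement is turned back on, but without an in-file marker the line can easily survive past that window. Consider tying it to the bug and the removal condition, e.g. `# TEMPORARY (bsc#1240949): drop once mysqld_t has been validated in enforcing mode`. Note also that the new mysqld_systemd_helper_t in the earlier mysql.te hunk is made unconfined further down in this commit and transitions into this domain, so for now neither the helper nor the server is enforced on (open)SUSE.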
@@ -302,3 +309,14 @@ dev_read_urand(mysqlmanagerd_t) userdom_getattr_user_home_dirs(mysqlmanagerd_t) + +######################################## +# +# MySQL systemd helper script Policy (open)SUSE only +# + +domtrans_pattern(mysqld_systemd_helper_t, mysqld_exec_t, mysqld_t) + +optional_policy(` + unconfined_domain(mysqld_systemd_helper_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250410/policy/modules/contrib/snapper.fc new/selinux-policy-20250411/policy/modules/contrib/snapper.fc --- old/selinux-policy-20250410/policy/modules/contrib/snapper.fc 2025-04-10 15:07:59.000000000 +0200 +++ new/selinux-policy-20250411/policy/modules/contrib/snapper.fc 2025-04-11 18:14:24.000000000 +0200 @@ -1,6 +1,7 @@ /usr/bin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) /usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0) +/usr/lib/snapper/plugins/50-etc -- gen_context(system_u:object_r:snapper_tu_etc_plugin_exec_t,s0) /usr/lib/snapper/plugins/grub -- gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0) /etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250410/policy/modules/contrib/snapper.te new/selinux-policy-20250411/policy/modules/contrib/snapper.te --- old/selinux-policy-20250410/policy/modules/contrib/snapper.te 2025-04-10 15:07:59.000000000 +0200 +++ new/selinux-policy-20250411/policy/modules/contrib/snapper.te 2025-04-11 18:14:24.000000000 +0200 @@ -140,6 +140,7 @@ attribute snapper_plugin; snapper_plugin_template(grub); +snapper_plugin_template(tu_etc); ### snapper grub plugin bootloader_exec(snapper_grub_plugin_t) 
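Review bot: `unconfined_domain(mysqld_systemd_helper_t)` grants the helper full privileges, and the only confinement this block introduces is the `domtrans_pattern` into mysqld_t, which this same commit marks permissive, so the helper-to-server path currently has no enforced boundary at all. Because the call sits inside `optional_policy`, a build without the unconfined module would presumably leave the helper with only what `init_daemon_domain` grants (declared in the `@@ -62,6 +62,11 @@` hunk), which may not be enough for the script to run; the header should state whether that configuration is supported. The transition also fires only for binaries labelled mysqld_exec_t, so a server launched via a path not covered by mysql.fc would presumably keep the unconfined context. A sentence in the block header such as `# The helper itself is unconfined; the server is confined only through the domtrans on mysqld_exec_t` would make both limits explicit.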
@@ -157,3 +158,32 @@
 auth_dontaudit_read_passwd_file(snapper_grub_plugin_t)
 nscd_dontaudit_search_pid(snapper_grub_plugin_t)
 ')
+
+
+### snapper transactional-update 50-etc plugin
+allow snapper_tu_etc_plugin_t self:capability { chown fsetid sys_admin };
+allow snapper_tu_etc_plugin_t self:process setfscreate;
+
+# needed because its a shell script
+corecmd_exec_bin(snapper_tu_etc_plugin_t)
+optional_policy(`
+ auth_dontaudit_read_passwd_file(snapper_tu_etc_plugin_t)
+')
+
+# needed for copying different file types and setting labels correctly during migration
+admin_pattern(snapper_tu_etc_plugin_t, file_type)
+domain_obj_id_change_exemption(snapper_tu_etc_plugin_t)
+fs_getattr_xattr_fs(snapper_tu_etc_plugin_t)
+
+# exception for neverallow rules, since we need to copy and relabel shadow_t and semanage_conf_t as well
+auth_rw_shadow(snapper_tu_etc_plugin_t)
+auth_relabelto_shadow(snapper_tu_etc_plugin_t)
+seutil_relabelto_bin_policy(snapper_tu_etc_plugin_t)
+
+# needed for mount
+mount_domtrans(snapper_tu_etc_plugin_t)
+mount_rw_pid_files(snapper_tu_etc_plugin_t)
+files_mounton_etc(snapper_tu_etc_plugin_t)
+
+# needed for systemd dynamicuser
+kernel_stream_connect(snapper_tu_etc_plugin_t)
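Review bot: `admin_pattern(snapper_tu_etc_plugin_t, file_type)` combined with `sys_admin`, `domain_obj_id_change_exemption`, `auth_rw_shadow`, `auth_relabelto_shadow` and `seutil_relabelto_bin_policy` makes this plugin domain able to manage and relabel every file type on the system, including the ones neverallow rules normally fence off, so the single entry point in snapper.fc (`/usr/lib/snapper/plugins/50-etc`) is what bounds it. The block comments explain each rule individually but not that overall posture, and since shadow_t and semanage_conf_t genuinely need handling, narrowing the attribute is not straightforward; the header should say so, e.g. `### NOTE: this domain can read, write and relabel any file_type (incl. shadow_t); keep its exec entry points in snapper.fc to the 50-etc script only`. The `mount_domtrans` also sends the plugin through mount_t, which is worth naming in the `# needed for mount` comment so later readers know a second domain is involved. Minor wording: `# needed because its a shell script` should read `it's`.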