Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-04-15 20:46:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Tue Apr 15 20:46:42 2025 rev:110 rq:1269261 version:20250411

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-04-11 16:46:22.070187012 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1907/selinux-policy.changes  
2025-04-15 20:46:43.944220351 +0200
@@ -1,0 +2,9 @@
+Fri Apr 11 16:24:01 UTC 2025 - Filippo Bonazzi <filippo.bona...@suse.com>
+
+- Update to version 20250411:
+  * Introduce unconfined mysqld_systemd_helper_t (bsc#1240949)
+  * Set mysqld_t permissive until we have tested it thorougly (bsc#1240949)
+  * Fix label of mysqld (bsc#1240949)
+  * Initial policy for snapper 50-etc plugin (bsc#1236671)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250410.tar.xz

New:
----
  selinux-policy-20250411.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old  2025-04-15 20:46:46.604330740 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new  2025-04-15 20:46:46.612331073 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250410
+Version:        20250411
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.c6xxhZ/_old  2025-04-15 20:46:47.084350661 +0200
+++ /var/tmp/diff_new_pack.c6xxhZ/_new  2025-04-15 20:46:47.124352321 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">4885ef4570aad09521e8e4a4ae28fb377820eb7f</param></service></servicedata>
+              <param 
name="changesrevision">e366edc39ad8370b702f680d376476413a5bfd98</param></service></servicedata>
 (No newline at EOF)
 


++++++ selinux-policy-20250410.tar.xz -> selinux-policy-20250411.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250410/policy/modules/contrib/mysql.fc 
new/selinux-policy-20250411/policy/modules/contrib/mysql.fc
--- old/selinux-policy-20250410/policy/modules/contrib/mysql.fc 2025-04-10 
15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/mysql.fc 2025-04-11 
18:14:24.000000000 +0200
@@ -7,6 +7,8 @@
 /root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
 
 /usr/lib/systemd/system/mysqld.*       --      
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+# (open)SUSE-only
+/usr/lib/systemd/system/mysql.*        --              
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
 /usr/lib/systemd/system/mariadb.*   --  
gen_context(system_u:object_r:mysqld_unit_file_t,s0)
 
 #
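Review bot: The new `/usr/lib/systemd/system/mysql.*` spec is an unanchored regex, so it also matches any other unit whose name merely starts with `mysql` (a `mysql-…` or `mysqlrouter` unit, if one exists on the distribution) and labels it mysqld_unit_file_t, not only the `mysql.service`/`mysql@.service` files the comment presumably targets. It also overlaps the existing `mysqld.*` line, which is harmless here only because both map to the same type. If the intent is just the SUSE unit name, a tighter pattern such as `/usr/lib/systemd/system/mysql(@.*)?\.service` documents that intent and avoids surprises when new units are added; otherwise say in the comment that the broad match is deliberate.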
@@ -21,6 +23,7 @@
 #
 # /usr
 #
+/usr/bin/mysqld                --              
gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysqld_safe   --      
gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
 /usr/bin/mysqld_safe_helper    --      
gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysql_upgrade --      gen_context(system_u:object_r:mysqld_exec_t,s0)
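Review bot: The added `/usr/bin/mysqld` entry duplicates the existing `/usr/bin/mysqld(-max|-debug)?` spec a few lines further down in this file (visible in the next hunk), which already labels the plain `/usr/bin/mysqld` path mysqld_exec_t. With identical contexts this should not change labelling, but two specs for one path make the file harder to audit and invite divergence later. If the changelog's "Fix label of mysqld" means the old regex did not match on some build, note that reason in a comment; otherwise drop the new line or fold the SUSE-specific cases into the existing pattern.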
@@ -28,6 +31,8 @@
 /usr/libexec/mysqld    --      gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/libexec/mysqld_safe-scl-helper --  
gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
 
+# (open)SUSE-only
+/usr/libexec/mysql/mysql-systemd-helper        --      
gen_context(system_u:object_r:mysqld_systemd_helper_exec_t,s0)
 
 /usr/bin/mysqld(-max|-debug)?  --      
gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysqlmanager  --      
gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250410/policy/modules/contrib/mysql.te 
new/selinux-policy-20250411/policy/modules/contrib/mysql.te
--- old/selinux-policy-20250410/policy/modules/contrib/mysql.te 2025-04-10 
15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/mysql.te 2025-04-11 
18:14:24.000000000 +0200
@@ -62,6 +62,11 @@
 type mysqlmanagerd_var_run_t;
 files_pid_file(mysqlmanagerd_var_run_t)
 
+# (open)SUSE only
+type mysqld_systemd_helper_exec_t;
+type mysqld_systemd_helper_t;
+init_daemon_domain(mysqld_systemd_helper_t, mysqld_systemd_helper_exec_t)
+
 ########################################
 #
 # Local policy
@@ -198,6 +203,8 @@
        rsync_exec(mysqld_t)
 ')
 
+permissive mysqld_t;
+
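Review bot: `permissive mysqld_t;` ships the mysqld domain in permissive mode, so every denial against mysqld_t is only logged and nothing is enforced until the line is removed; the changelog calls this temporary, but the policy source gives no hint of that. Add a comment tying the line to its tracking bug and exit criterion, e.g. `# TODO(bsc#1240949): temporary while mysqld_t is tested on (open)SUSE; remove once the AVCs are resolved`, so it is not forgotten in a later release. Together with the unconfined helper that transitions into mysqld_t (later hunk), the whole mysqld start-up path currently runs without SELinux enforcement, which is worth stating explicitly so downstream users do not assume mysqld is confined. The state can presumably be confirmed on an installed system with `seinfo --permissive`.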
 #######################################
 #
 # Local mysqld_safe policy
@@ -302,3 +309,14 @@
 dev_read_urand(mysqlmanagerd_t)
 
 userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
+########################################
+#
+# MySQL systemd helper script Policy (open)SUSE only
+#
+
+domtrans_pattern(mysqld_systemd_helper_t, mysqld_exec_t, mysqld_t)
+
+optional_policy(`
+       unconfined_domain(mysqld_systemd_helper_t)
+')
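Review bot: `unconfined_domain(mysqld_systemd_helper_t)` removes essentially all SELinux restrictions from the helper, so the new domain exists to give mysqld a transition point (the `domtrans_pattern` above) rather than to confine the helper itself, and that intent should be written next to it rather than left to the changelog. Because the grant sits inside `optional_policy`, a build without the unconfined module leaves the helper with only what `init_daemon_domain` provides, which presumably breaks service start-up; either note that this policy requires the unconfined module or add the minimal rules outside the optional block. Suggested comment: `# The (open)SUSE mysql-systemd-helper is unconfined for now (bsc#1240949); this domain only ensures mysqld itself lands in mysqld_t.` Note that with mysqld_t currently permissive, nothing on this path is enforced yet.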
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250410/policy/modules/contrib/snapper.fc 
new/selinux-policy-20250411/policy/modules/contrib/snapper.fc
--- old/selinux-policy-20250410/policy/modules/contrib/snapper.fc       
2025-04-10 15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/snapper.fc       
2025-04-11 18:14:24.000000000 +0200
@@ -1,6 +1,7 @@
 /usr/bin/snapperd              --      
gen_context(system_u:object_r:snapperd_exec_t,s0)
 
 /usr/lib/snapper/systemd-helper                --      
gen_context(system_u:object_r:snapperd_exec_t,s0)
+/usr/lib/snapper/plugins/50-etc                --      
gen_context(system_u:object_r:snapper_tu_etc_plugin_exec_t,s0)
 /usr/lib/snapper/plugins/grub          --      
gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0)
 
 /etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250410/policy/modules/contrib/snapper.te 
new/selinux-policy-20250411/policy/modules/contrib/snapper.te
--- old/selinux-policy-20250410/policy/modules/contrib/snapper.te       
2025-04-10 15:07:59.000000000 +0200
+++ new/selinux-policy-20250411/policy/modules/contrib/snapper.te       
2025-04-11 18:14:24.000000000 +0200
@@ -140,6 +140,7 @@
 attribute snapper_plugin;
 
 snapper_plugin_template(grub);
+snapper_plugin_template(tu_etc);
 
 ### snapper grub plugin
 bootloader_exec(snapper_grub_plugin_t)
@@ -157,3 +158,32 @@
        auth_dontaudit_read_passwd_file(snapper_grub_plugin_t)
        nscd_dontaudit_search_pid(snapper_grub_plugin_t)
 ')
+
+
+### snapper transactional-update 50-etc plugin
+allow snapper_tu_etc_plugin_t self:capability { chown fsetid sys_admin };
+allow snapper_tu_etc_plugin_t self:process setfscreate;
+
+# needed because its a shell script
+corecmd_exec_bin(snapper_tu_etc_plugin_t)
+optional_policy(`
+       auth_dontaudit_read_passwd_file(snapper_tu_etc_plugin_t)
+')
+
+# needed for copying different file types and setting labels correctly during 
migration
+admin_pattern(snapper_tu_etc_plugin_t, file_type)
+domain_obj_id_change_exemption(snapper_tu_etc_plugin_t)
+fs_getattr_xattr_fs(snapper_tu_etc_plugin_t)
+
+# exception for neverallow rules, since we need to copy and relabel shadow_t 
and semanage_conf_t as well
+auth_rw_shadow(snapper_tu_etc_plugin_t)
+auth_relabelto_shadow(snapper_tu_etc_plugin_t)
+seutil_relabelto_bin_policy(snapper_tu_etc_plugin_t)
+
+# needed for mount
+mount_domtrans(snapper_tu_etc_plugin_t)
+mount_rw_pid_files(snapper_tu_etc_plugin_t)
+files_mounton_etc(snapper_tu_etc_plugin_t)
+
+# needed for systemd dynamicuser
+kernel_stream_connect(snapper_tu_etc_plugin_t)
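Review bot: `admin_pattern(snapper_tu_etc_plugin_t, file_type)` combined with `domain_obj_id_change_exemption`, `auth_rw_shadow`, `auth_relabelto_shadow`, `seutil_relabelto_bin_policy` and the `sys_admin` capability lets this domain create, rewrite and relabel any file on the system, including /etc/shadow and the binary policy store, so it is de facto unconfined for the filesystem and a bug in the shell script it confines has root-equivalent impact; that trust assumption deserves a header comment rather than the per-rule notes alone. Suggest adding above the rules something like `# This plugin is trusted at the level of root: it may manage and relabel any file_type (including shadow_t and the policy store) to migrate /etc between snapshots. Do not loosen its entry points.` Since `mount` is delegated via `mount_domtrans`, it is not obvious from the hunk why the plugin itself still needs `sys_admin`; if it was taken from an early audit2allow run, worth re-checking after testing and documenting the reason in the capability line's comment. Minor: the comment `# needed because its a shell script` should read `it's`.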
