Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-05-14 17:01:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Wed May 14 17:01:01 2025 rev:113 rq:1276888 version:20250512

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-05-07 19:16:36.979585074 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.30101/selinux-policy.changes 
2025-05-14 17:01:05.014932338 +0200
@@ -1,0 +2,21 @@
+Mon May 12 14:26:14 UTC 2025 - Robert Frohl <rfr...@suse.com>
+
+- Update to version 20250512:
+  * healthchecker: allow capability sys_admin (bsc#1240138)
+  * slapd needs dac_override for ldapi socket (bsc#1242252)
+  * Allow slapd_t nnp_transition for NoNewPrivileges (bsc#1242252)
+
+-------------------------------------------------------------------
+Mon May 12 07:35:48 UTC 2025 - Samuel Cabrero <scabr...@suse.de>
+
+- Move manpages to selinux-policy-doc package (bsc#1241391)
+
+-------------------------------------------------------------------
+Thu May 08 14:28:52 UTC 2025 - cathy...@suse.com
+
+- Update to version 20250508:
+  * Enable mysql_run_under_different_user for (open)SUSE (bsc#1240949)
+  * Introduce mysql_run_under_different_user boolean (bsc#1240949)
+  * Revert "Set mysqld_t permissive until we have tested it thorougly 
(bsc#1240949)"
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250507.tar.xz

New:
----
  selinux-policy-20250512.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.8jAco3/_old  2025-05-14 17:01:08.331070850 +0200
+++ /var/tmp/diff_new_pack.8jAco3/_new  2025-05-14 17:01:08.347071518 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250507
+Version:        20250512
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -475,12 +475,10 @@
 Requires:       m4
 
 %description devel
-SELinux policy development and man page package
+SELinux policy development package
 
 %files devel
 %defattr(-,root,root,-)
-%doc %{_datadir}/man/ru/man8/*
-%doc %{_datadir}/man/man8/*
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/html/
 %doc %{_datadir}/selinux/devel/html/*
@@ -496,11 +494,13 @@
 Requires:       /usr/bin/xdg-open
 
 %description doc
-SELinux policy documentation package
+SELinux policy documentation and man page package
 
 %files doc
 %defattr(-,root,root,-)
 %doc %{_datadir}/doc/%{name}
+%doc %{_datadir}/man/ru/man8/*
+%doc %{_datadir}/man/man8/*
 %{_datadir}/selinux/devel/policy.*
 
 %if %{BUILD_TARGETED}
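Review bot: Moving the `man8` entries from `%files devel` to `%files doc` without a versioned `Conflicts:` or `Requires:` between the two subpackages can cause an RPM file conflict when only one of them is updated. Whether such a constraint already exists elsewhere in the spec is not visible in these hunks. The context line `Requires:       /usr/bin/xdg-open` just above `%description doc` also suggests that installing the man pages now pulls in that dependency; confirm this is acceptable for minimal installs.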

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.8jAco3/_old  2025-05-14 17:01:08.655084383 +0200
+++ /var/tmp/diff_new_pack.8jAco3/_new  2025-05-14 17:01:08.691085887 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">9f8311c54cd72220a7d548f252d09b231df84571</param></service></servicedata>
+              <param 
name="changesrevision">0f073b4992028a118f7124e19430b2259a68efb7</param></service></servicedata>
 (No newline at EOF)
 


++++++ selinux-policy-20250507.tar.xz -> selinux-policy-20250512.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250507/dist/targeted/booleans.conf 
new/selinux-policy-20250512/dist/targeted/booleans.conf
--- old/selinux-policy-20250507/dist/targeted/booleans.conf     2025-05-07 
16:08:40.000000000 +0200
+++ new/selinux-policy-20250512/dist/targeted/booleans.conf     2025-05-12 
11:06:48.000000000 +0200
@@ -26,6 +26,7 @@
 init_upstart = true
 kerberos_enabled = true
 mount_anyfile = true
+mysql_run_under_different_user = true
 named_write_master_zones = true
 nfs_export_all_ro = true
 nfs_export_all_rw = true
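Review bot: `mysql_run_under_different_user = true` switches the new boolean on for every targeted-policy install, although `gen_tunable` in mysql.te declares it `false`. On (open)SUSE the `dac_override setgid setuid` grant is therefore active by default, and the same update removes `permissive mysqld_t`, so this is the set mysqld_t has in enforcing mode. If this tree's booleans.conf accepts `#` comments, a line such as `# enabled for (open)SUSE, see bsc#1240949` above the entry would record that the difference from the module default is deliberate.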
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250507/policy/modules/contrib/health-checker.te 
new/selinux-policy-20250512/policy/modules/contrib/health-checker.te
--- old/selinux-policy-20250507/policy/modules/contrib/health-checker.te        
2025-05-07 16:08:40.000000000 +0200
+++ new/selinux-policy-20250512/policy/modules/contrib/health-checker.te        
2025-05-12 11:06:48.000000000 +0200
@@ -32,6 +32,9 @@
 # health-checker policy
 #
 
+# needed for 'btrfs subvolume'
+allow health_checker_t self:capability sys_admin;
+
 # Allow health-checker to execute plugins under /usr/libexec/health-checker/
 domtrans_pattern(health_checker_t, health_checker_plugin_exec_t, 
health_checker_plugin_t)
 
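Review bot: `sys_admin` is one of the broadest capabilities, and it is granted here to `health_checker_t` itself with only the comment `# needed for 'btrfs subvolume'`. The comment should name the exact operation that triggers the check and carry the bug reference, for example `# btrfs subvolume <operation> requires CAP_SYS_ADMIN (bsc#1240138)`, so the rule can be re-evaluated later. If the btrfs call is made by a plugin rather than by the main process, the grant would fit better on `health_checker_plugin_t`; which process issues the call is not visible in this hunk.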
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250507/policy/modules/contrib/ldap.te 
new/selinux-policy-20250512/policy/modules/contrib/ldap.te
--- old/selinux-policy-20250507/policy/modules/contrib/ldap.te  2025-05-07 
16:08:40.000000000 +0200
+++ new/selinux-policy-20250512/policy/modules/contrib/ldap.te  2025-05-12 
11:06:48.000000000 +0200
@@ -8,6 +8,7 @@
 type slapd_t;
 type slapd_exec_t;
 init_daemon_domain(slapd_t, slapd_exec_t)
+init_nnp_daemon_domain(slapd_t)
 
 type slapd_cert_t;
 miscfiles_cert_type(slapd_cert_t)
@@ -50,7 +51,7 @@
 # Local policy
 #
 
-allow slapd_t self:capability { kill setgid setuid net_raw  dac_read_search };
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override 
dac_read_search };
 dontaudit slapd_t self:capability sys_tty_config;
 dontaudit slapd_t self:capability2 block_suspend;
 allow slapd_t self:process { setsched signal } ;
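Review bot: The `dac_override` added to the `allow slapd_t self:capability` rule has no comment, so the policy does not record why slapd may now bypass file permission checks. The capability applies to every object the type-enforcement rules already let `slapd_t` access, not only the ldapi socket named in the changelog. It is worth confirming that correcting the ownership or mode of the socket directory was not an option. I would add `# dac_override: needed for the ldapi socket (bsc#1242252)` above the rule.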
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250507/policy/modules/contrib/mysql.te 
new/selinux-policy-20250512/policy/modules/contrib/mysql.te
--- old/selinux-policy-20250507/policy/modules/contrib/mysql.te 2025-05-07 
16:08:40.000000000 +0200
+++ new/selinux-policy-20250512/policy/modules/contrib/mysql.te 2025-05-12 
11:06:48.000000000 +0200
@@ -19,6 +19,14 @@
 ## </desc>
 gen_tunable(mysql_connect_http, false)
 
+## <desc>
+## <p>
+## Allow mysqld to run under a different user
+## via --user
+## </p>
+## </desc>
+gen_tunable(mysql_run_under_different_user, false)
+
 type mysqld_t;
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -179,6 +187,12 @@
        corenet_tcp_connect_http_port(mysqld_t)
 ')
 
+tunable_policy(`mysql_run_under_different_user',`
+       # needs setuid/setgid to privilege drop from root to specified user
+       # needs dac_override to write into 700 mysql:root folders
+       allow mysqld_t self:capability { dac_override setgid setuid };
+')
+
 optional_policy(`
        daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
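Review bot: The `tunable_policy` block bundles `dac_override` with `setgid setuid`, but the `<desc>` added in the first hunk of this file only says "Allow mysqld to run under a different user via --user". An administrator toggling the boolean cannot tell from the description that it also lets `mysqld_t` override file permission checks. I would extend the description with a line such as `## Grants mysqld_t the setuid, setgid and dac_override capabilities.` The in-code comment ties `dac_override` to "700 mysql:root folders"; if those directories can be given an owner the daemon user can write to, that capability could be dropped from the block.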
@@ -203,8 +217,6 @@
        rsync_exec(mysqld_t)
 ')
 
-permissive mysqld_t;
-
 #######################################
 #
 # Local mysqld_safe policy
