Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-05-30 14:26:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.25440 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Fri May 30 14:26:17 2025 rev:115 rq:1280948 version:20250528

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-05-26 18:32:50.656636009 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.25440/selinux-policy.changes 
2025-05-30 17:27:14.580019676 +0200
@@ -1,0 +2,36 @@
+Wed May 28 14:12:57 UTC 2025 - Robert Frohl <rfr...@suse.com>
+
+- Update to version 20250528:
+  * Move 'logging_mounton_syslog_pid_socket' to end of file
+  * Revert "Allow init_t create syslog files (bsc#1230134)"
+  * Allow mdadm nosuid_transition
+  * Label plasma user service files as xdm_unit_file_t.
+  * Revert "Allow systemd-homed to start services."
+  * Allow virtstoraged write qemu runtime files
+  * Allow virtqemud read/write/setattr input event devices
+  * Allow systemd create journal pid files
+  * Allow networkmanager send a general signal to iptables
+  * Allow syslogd watch syslog_conf_t directories
+  * Allow systemd-machined work with its private tmp and tmpfs files
+  * Allow geoclue read virt lib files
+  * Fix files_dontaudit_delete_all_files()
+  * Label /run/polkit-1 with policykit_var_run_t
+  * Label /dev/diag as diagnostic_device_t
+  * Allow systemd-homed to start services.
+  * Allow named_t to read NetworkManager's runtime files
+  * Improve README* documentation
+  * Add missing permissions for ftpd_anon_write to manage NFS directories
+  * Add missing permissions for ftpd_anon_write to manage CIFS directories
+  * Allow nut-upsmon write systemd inhibit pipes
+  * Allow systemd-user-runtime-dir connect to systemd-userdbd over a unix 
socket
+  * Remove permissive domain for systemd_vsftpd_generator_t
+  * Change generator-specific rules to apply to systemd_generator
+  * Define file equivalency for /var/etc
+  * Allow tuned-ppd create ppd_base_profile with a file transition
+  * Allow lldpd connect to systemd-homed over a unix socket
+  * Allow sysadm_sudo_t signal rpm script
+  * Fix the "/var/cache/systemd/home(/.*)?" regex
+- Syncing with upstream rawhide selinux-policy up to:
+  * 45d07f4abe86d31efabdff15ed3c99645f5ccefd
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250512.tar.xz

New:
----
  selinux-policy-20250528.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.uXzB9X/_old  2025-05-30 17:27:15.552060046 +0200
+++ /var/tmp/diff_new_pack.uXzB9X/_new  2025-05-30 17:27:15.556060212 +0200
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250512
+Version:        20250528
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -54,7 +54,7 @@
 Source91:       Makefile.devel
 Source95:       macros.selinux-policy
 
-URL:            https://github.com/fedora-selinux/selinux-policy.git
+URL:            https://github.com/openSUSE/selinux-policy
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 %if 0%{?suse_version} < 1600
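Review bot: The `URL:` switch from the fedora-selinux repository to `https://github.com/openSUSE/selinux-policy` is not recorded in the accompanying .changes entry, which lists only upstream commits and the sync point. Since `URL:` is what users and tooling read to locate the source of record, a changelog line such as `- Point URL: at the openSUSE selinux-policy fork` would make the provenance change reviewable later. Note that `_servicedata` still fetches from `https://gitlab.suse.de/selinux/selinux-policy.git`, so the public URL and the actual source-fetch location now differ; worth confirming that this split is intended and, if so, saying so in the changelog.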

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.uXzB9X/_old  2025-05-30 17:27:15.640063701 +0200
+++ /var/tmp/diff_new_pack.uXzB9X/_new  2025-05-30 17:27:15.644063867 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">0f073b4992028a118f7124e19430b2259a68efb7</param></service></servicedata>
+              <param 
name="changesrevision">a40fd8bd79c04771c7747f473a4dff5dd68a54c5</param></service></servicedata>
 (No newline at EOF)
 


++++++ selinux-policy-20250512.tar.xz -> selinux-policy-20250528.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250512/INSTALL 
new/selinux-policy-20250528/INSTALL
--- old/selinux-policy-20250512/INSTALL 2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/INSTALL 2025-05-28 11:49:57.000000000 +0200
@@ -48,4 +48,4 @@
        make checklabels
        make restorelabels
 
-See the README for more information on available make targets.
+See the [README.build.md](README.build.md) for more information on available 
make targets.
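Review bot: The replaced line now points at `README.build.md`, but the file this tarball adds (see the README.build hunk further down, whose header names `new/selinux-policy-20250528/README.build`) carries no `.md` extension, so the reference appears to dangle unless a `README.build.md` is added outside the visible part of the diff. INSTALL also reads as plain text, so Markdown link syntax gains nothing here and looks odd next to the surrounding lines. Suggested line: `See the README.build file for more information on available make targets.` If a Markdown file is intended, the added file should be renamed to match the link instead.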
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250512/README 
new/selinux-policy-20250528/README
--- old/selinux-policy-20250512/README  2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/README  1970-01-01 01:00:00.000000000 +0100
@@ -1,264 +0,0 @@
-1) Reference Policy make targets:
-
-General Make targets:
-
-install-src            Install the policy sources into
-                       /etc/selinux/NAME/src/policy, where NAME is defined in
-                       the Makefile.  If not defined, the TYPE, as defined in
-                       the Makefile, is used.  The default NAME is refpolicy.
-                       A pre-existing source policy will be moved to
-                       /etc/selinux/NAME/src/policy.bak.
-
-conf                   Regenerate policy.xml, and update/create modules.conf
-                       and booleans.conf.  This should be done after adding
-                       or removing modules, or after running the bare target.
-                       If the configuration files exist, their settings will
-                       be preserved.  This must be ran on policy sources that
-                       are checked out from the CVS repository before they can
-                       be used.
-
-clean                  Delete all temporary files, compiled policies,
-                       and file_contexts.  Configuration files are left intact.
-
-bare                   Do the clean make target and also delete configuration
-                       files, web page documentation, and policy.xml.
-
-html                   Regenerate policy.xml and create web page documentation
-                       in the doc/html directory.
-
-Make targets specific to modular (loadable modules) policies:
-
-base                   Compile and package the base module.  This is the
-                       default target for modular policies.
-
-modules                        Compile and package all Reference Policy modules
-                       configured to be built as loadable modules.
-
-MODULENAME.pp          Compile and package the MODULENAME Reference Policy
-                       module.
-
-all                    Compile and package the base module and all Reference
-                       Policy modules configured to be built as loadable
-                       modules.
-
-install                        Compile, package, and install the base module 
and
-                       Reference Policy modules configured to be built as
-                       loadable modules.
-
-load                   Compile, package, and install the base module and
-                       Reference Policy modules configured to be built as
-                       loadable modules, then insert them into the module
-                       store.
-
-validate               Validate if the configured modules can successfully
-                       link and expand.
-
-install-headers                Install the policy headers into 
/usr/share/selinux/NAME.
-                       The headers are sufficient for building a policy
-                       module locally, without requiring the complete
-                       Reference Policy sources.  The build.conf settings
-                       for this policy configuration should be set before
-                       using this target.
-
-Make targets specific to monolithic policies:
-
-policy                 Compile a policy locally for development and testing.
-                       This is the default target for monolithic policies.
-
-install                        Compile and install the policy and file 
contexts.
-
-load                   Compile and install the policy and file contexts, then
-                       load the policy.
-
-enableaudit            Remove all dontaudit rules from policy.conf.
-
-relabel                        Relabel the filesystem.
-
-checklabels            Check the labels on the filesystem, and report when
-                       a file would be relabeled, but do not change its label.
-
-restorelabels          Relabel the filesystem and report each file that is
-                       relabeled.
-
-
-2) Reference Policy Build Options (build.conf)
-
-TYPE                   String.  Available options are standard, mls, and mcs.
-                       For a type enforcement only system, set standard.
-                       This optionally enables multi-level security (MLS) or
-                       multi-category security (MCS) features.  This option
-                       controls enable_mls, and enable_mcs policy blocks.
-
-NAME                   String (optional).  Sets the name of the policy; the
-                       NAME is used when installing files to e.g.,
-                       /etc/selinux/NAME and /usr/share/selinux/NAME.  If not
-                       set, the policy type (TYPE) is used.
-
-DISTRO                 String (optional).  Enable distribution-specific policy.
-                       Available options are redhat, rhel4, gentoo, debian,
-                       and suse.  This option controls distro_redhat,
-                       distro_rhel4, distro_gentoo, distro_debian, and
-                       distro_suse policy blocks.
-
-MONOLITHIC             Boolean.  If set, a monolithic policy is built,
-                       otherwise a modular policy is built.
-
-DIRECT_INITRC          Boolean.  If set, sysadm will be allowed to directly
-                       run init scripts, instead of requiring the run_init
-                       tool.  This is a build option instead of a tunable since
-                       role transitions do not work in conditional policy.
-                       This option controls direct_sysadm_daemon policy
-                       blocks.
-
-OUTPUT_POLICY          Integer.  Set the version of the policy created when
-                       building a monolithic policy.  This option has no effect
-                       on modular policy.
-
-UNK_PERMS              String.  Set the kernel behavior for handling of
-                       permissions defined in the kernel but missing from the
-                       policy.  The permissions can either be allowed, denied,
-                       or the policy loading can be rejected.
-
-UBAC                   Boolean.  If set, the SELinux user will be used
-                       additionally for approximate role separation.
-
-MLS_SENS               Integer.  Set the number of sensitivities in the MLS
-                       policy.  Ignored on standard and MCS policies.
-
-MLS_CATS               Integer.  Set the number of categories in the MLS
-                       policy.  Ignored on standard and MCS policies.
-
-MCS_CATS               Integer.  Set the number of categories in the MCS
-                       policy.  Ignored on standard and MLS policies.
-
-QUIET                  Boolean.  If set, the build system will only display
-                       status messages and error messages.  This option has no
-                       effect on policy.
-
-
-3) Reference Policy Files and Directories
-All directories relative to the root of the Reference Policy sources directory.
-
-Makefile               General rules for building the policy.
-
-Rules.modular          Makefile rules specific to building loadable module
-                       policies.
-
-Rules.monolithic       Makefile rules specific to building monolithic policies.
-
-build.conf             Options which influence the building of the policy,
-                       such as the policy type and distribution.
-
-config/appconfig-*     Application configuration files for all configurations
-                       of the Reference Policy (targeted/strict with or without
-                       MLS or MCS).  These are used by SELinux-aware programs.
-
-config/local.users     The file read by load policy for adding SELinux users
-                       to the policy on the fly.
-
-doc/html/*             This contains the contents of the in-policy XML
-                       documentation, presented in web page form.
-
-doc/policy.dtd         The doc/policy.xml file is validated against this DTD.
-
-doc/policy.xml         This file is generated/updated by the conf and html make
-                       targets.  It contains the complete XML documentation
-                       included in the policy.
-
-doc/templates/*                Templates used for documentation web pages.
-
-policy/booleans.conf   This file is generated/updated by the conf make target.
-                       It contains the booleans in the policy, and their
-                       default values.  If tunables are implemented as
-                       booleans, tunables will also be included.  This file
-                       will be installed as the /etc/selinux/NAME/booleans
-                       file.
-
-policy/constraints     This file defines additional constraints on permissions
-                       in the form of boolean expressions that must be
-                       satisfied in order for specified permissions to be
-                       granted.  These constraints are used to further refine
-                       the type enforcement rules and the role allow rules.
-                       Typically, these constraints are used to restrict
-                       changes in user identity or role to certain domains.
-
-policy/global_booleans This file defines all booleans that have a global scope,
-                       their default value, and documentation.
-
-policy/global_tunables This file defines all tunables that have a global scope,
-                       their default value, and documentation.
-
-policy/flask/initial_sids  This file has declarations for each initial SID.
-
-policy/flask/security_classes  This file has declarations for each security 
class.
-
-policy/flask/access_vectors  This file defines the access vectors.  Common
-                       prefixes for access vectors may be defined at the
-                       beginning of the file.  After the common prefixes are
-                       defined, an access vector may be defined for each
-                       security class.
-
-policy/mcs             The multi-category security (MCS) configuration.
-
-policy/mls             The multi-level security (MLS) configuration.
-
-policy/modules/*       Each directory represents a layer in Reference Policy
-                       all of the modules are contained in one of these layers.
-
-policy/modules.conf    This file contains a listing of available modules, and
-                       how they will be used when building Reference Policy. To
-                       prevent a module from  being used, set the module to
-                       "off".  For monolithic policies, modules set to "base"
-                       and "module" will be included in the policy.  For
-                       modular policies, modules set to "base" will be included
-                       in the base module; those set to "module" will be
-                       compiled as individual loadable modules.
-
-policy/support/*       Support macros.
-
-policy/users           This file defines the users included in the policy.
-
-support/*              Tools used in the build process.
-
-
-4) Building policy modules using Reference Policy headers:
-
-The system must first have the Reference Policy headers installed, typically
-by the distribution.  Otherwise, the headers can be installed using the
-install-headers target from the full Reference Policy sources.
-
-To set up a directory to build a local module, one must simply place a .te
-file in a directory.  A sample Makefile to use in the directory is the
-Makefile.example in the doc directory.  This may be installed in
-/usr/share/doc, under the directory for the distribution's policy. 
-Alternatively, the primary Makefile in the headers directory (typically
-/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
-option.
-
-Larger projects can set up a structure of layers, just as in Reference
-Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
-must have a metadata.xml file which is an XML file with a summary tag and
-optional desc (long description) tag.  This should describe the purpose of
-the layer.
-
-Metadata.xml example:
-
-<summary>ABC modules for the XYZ components.</summary>
-
-Make targets for modules built from headers:
-
-MODULENAME.pp          Compile and package the MODULENAME local module.
-
-all                    Compile and package the modules in the current
-                       directory.
-
-load                   Compile and package the modules in the current
-                       directory, then insert them into the module store.
-
-refresh                        Attempts to reinsert all modules that are 
currently
-                       in the module store from the local and system module
-                       packages.
-
-xml                    Build a policy.xml from the XML included with the
-                       base policy headers and any XML in the modules in
-                       the current directory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250512/README.build 
new/selinux-policy-20250528/README.build
--- old/selinux-policy-20250512/README.build    1970-01-01 01:00:00.000000000 
+0100
+++ new/selinux-policy-20250528/README.build    2025-05-28 11:49:57.000000000 
+0200
@@ -0,0 +1,264 @@
+1) Reference Policy make targets:
+
+General Make targets:
+
+install-src            Install the policy sources into
+                       /etc/selinux/NAME/src/policy, where NAME is defined in
+                       the Makefile.  If not defined, the TYPE, as defined in
+                       the Makefile, is used.  The default NAME is refpolicy.
+                       A pre-existing source policy will be moved to
+                       /etc/selinux/NAME/src/policy.bak.
+
+conf                   Regenerate policy.xml, and update/create modules.conf
+                       and booleans.conf.  This should be done after adding
+                       or removing modules, or after running the bare target.
+                       If the configuration files exist, their settings will
+                       be preserved.  This must be ran on policy sources that
+                       are checked out from the CVS repository before they can
+                       be used.
+
+clean                  Delete all temporary files, compiled policies,
+                       and file_contexts.  Configuration files are left intact.
+
+bare                   Do the clean make target and also delete configuration
+                       files, web page documentation, and policy.xml.
+
+html                   Regenerate policy.xml and create web page documentation
+                       in the doc/html directory.
+
+Make targets specific to modular (loadable modules) policies:
+
+base                   Compile and package the base module.  This is the
+                       default target for modular policies.
+
+modules                        Compile and package all Reference Policy modules
+                       configured to be built as loadable modules.
+
+MODULENAME.pp          Compile and package the MODULENAME Reference Policy
+                       module.
+
+all                    Compile and package the base module and all Reference
+                       Policy modules configured to be built as loadable
+                       modules.
+
+install                        Compile, package, and install the base module 
and
+                       Reference Policy modules configured to be built as
+                       loadable modules.
+
+load                   Compile, package, and install the base module and
+                       Reference Policy modules configured to be built as
+                       loadable modules, then insert them into the module
+                       store.
+
+validate               Validate if the configured modules can successfully
+                       link and expand.
+
+install-headers                Install the policy headers into 
/usr/share/selinux/NAME.
+                       The headers are sufficient for building a policy
+                       module locally, without requiring the complete
+                       Reference Policy sources.  The build.conf settings
+                       for this policy configuration should be set before
+                       using this target.
+
+Make targets specific to monolithic policies:
+
+policy                 Compile a policy locally for development and testing.
+                       This is the default target for monolithic policies.
+
+install                        Compile and install the policy and file 
contexts.
+
+load                   Compile and install the policy and file contexts, then
+                       load the policy.
+
+enableaudit            Remove all dontaudit rules from policy.conf.
+
+relabel                        Relabel the filesystem.
+
+checklabels            Check the labels on the filesystem, and report when
+                       a file would be relabeled, but do not change its label.
+
+restorelabels          Relabel the filesystem and report each file that is
+                       relabeled.
+
+
+2) Reference Policy Build Options (build.conf)
+
+TYPE                   String.  Available options are standard, mls, and mcs.
+                       For a type enforcement only system, set standard.
+                       This optionally enables multi-level security (MLS) or
+                       multi-category security (MCS) features.  This option
+                       controls enable_mls, and enable_mcs policy blocks.
+
+NAME                   String (optional).  Sets the name of the policy; the
+                       NAME is used when installing files to e.g.,
+                       /etc/selinux/NAME and /usr/share/selinux/NAME.  If not
+                       set, the policy type (TYPE) is used.
+
+DISTRO                 String (optional).  Enable distribution-specific policy.
+                       Available options are redhat, rhel4, gentoo, debian,
+                       and suse.  This option controls distro_redhat,
+                       distro_rhel4, distro_gentoo, distro_debian, and
+                       distro_suse policy blocks.
+
+MONOLITHIC             Boolean.  If set, a monolithic policy is built,
+                       otherwise a modular policy is built.
+
+DIRECT_INITRC          Boolean.  If set, sysadm will be allowed to directly
+                       run init scripts, instead of requiring the run_init
+                       tool.  This is a build option instead of a tunable since
+                       role transitions do not work in conditional policy.
+                       This option controls direct_sysadm_daemon policy
+                       blocks.
+
+OUTPUT_POLICY          Integer.  Set the version of the policy created when
+                       building a monolithic policy.  This option has no effect
+                       on modular policy.
+
+UNK_PERMS              String.  Set the kernel behavior for handling of
+                       permissions defined in the kernel but missing from the
+                       policy.  The permissions can either be allowed, denied,
+                       or the policy loading can be rejected.
+
+UBAC                   Boolean.  If set, the SELinux user will be used
+                       additionally for approximate role separation.
+
+MLS_SENS               Integer.  Set the number of sensitivities in the MLS
+                       policy.  Ignored on standard and MCS policies.
+
+MLS_CATS               Integer.  Set the number of categories in the MLS
+                       policy.  Ignored on standard and MCS policies.
+
+MCS_CATS               Integer.  Set the number of categories in the MCS
+                       policy.  Ignored on standard and MLS policies.
+
+QUIET                  Boolean.  If set, the build system will only display
+                       status messages and error messages.  This option has no
+                       effect on policy.
+
+
+3) Reference Policy Files and Directories
+All directories relative to the root of the Reference Policy sources directory.
+
+Makefile               General rules for building the policy.
+
+Rules.modular          Makefile rules specific to building loadable module
+                       policies.
+
+Rules.monolithic       Makefile rules specific to building monolithic policies.
+
+build.conf             Options which influence the building of the policy,
+                       such as the policy type and distribution.
+
+config/appconfig-*     Application configuration files for all configurations
+                       of the Reference Policy (targeted/strict with or without
+                       MLS or MCS).  These are used by SELinux-aware programs.
+
+config/local.users     The file read by load policy for adding SELinux users
+                       to the policy on the fly.
+
+doc/html/*             This contains the contents of the in-policy XML
+                       documentation, presented in web page form.
+
+doc/policy.dtd         The doc/policy.xml file is validated against this DTD.
+
+doc/policy.xml         This file is generated/updated by the conf and html make
+                       targets.  It contains the complete XML documentation
+                       included in the policy.
+
+doc/templates/*                Templates used for documentation web pages.
+
+policy/booleans.conf   This file is generated/updated by the conf make target.
+                       It contains the booleans in the policy, and their
+                       default values.  If tunables are implemented as
+                       booleans, tunables will also be included.  This file
+                       will be installed as the /etc/selinux/NAME/booleans
+                       file.
+
+policy/constraints     This file defines additional constraints on permissions
+                       in the form of boolean expressions that must be
+                       satisfied in order for specified permissions to be
+                       granted.  These constraints are used to further refine
+                       the type enforcement rules and the role allow rules.
+                       Typically, these constraints are used to restrict
+                       changes in user identity or role to certain domains.
+
+policy/global_booleans This file defines all booleans that have a global scope,
+                       their default value, and documentation.
+
+policy/global_tunables This file defines all tunables that have a global scope,
+                       their default value, and documentation.
+
+policy/flask/initial_sids  This file has declarations for each initial SID.
+
+policy/flask/security_classes  This file has declarations for each security 
class.
+
+policy/flask/access_vectors  This file defines the access vectors.  Common
+                       prefixes for access vectors may be defined at the
+                       beginning of the file.  After the common prefixes are
+                       defined, an access vector may be defined for each
+                       security class.
+
+policy/mcs             The multi-category security (MCS) configuration.
+
+policy/mls             The multi-level security (MLS) configuration.
+
+policy/modules/*       Each directory represents a layer in Reference Policy
+                       all of the modules are contained in one of these layers.
+
+policy/modules.conf    This file contains a listing of available modules, and
+                       how they will be used when building Reference Policy. To
+                       prevent a module from  being used, set the module to
+                       "off".  For monolithic policies, modules set to "base"
+                       and "module" will be included in the policy.  For
+                       modular policies, modules set to "base" will be included
+                       in the base module; those set to "module" will be
+                       compiled as individual loadable modules.
+
+policy/support/*       Support macros.
+
+policy/users           This file defines the users included in the policy.
+
+support/*              Tools used in the build process.
+
+
+4) Building policy modules using Reference Policy headers:
+
+The system must first have the Reference Policy headers installed, typically
+by the distribution.  Otherwise, the headers can be installed using the
+install-headers target from the full Reference Policy sources.
+
+To set up a directory to build a local module, one must simply place a .te
+file in a directory.  A sample Makefile to use in the directory is the
+Makefile.example in the doc directory.  This may be installed in
+/usr/share/doc, under the directory for the distribution's policy. 
+Alternatively, the primary Makefile in the headers directory (typically
+/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
+option.
+
+Larger projects can set up a structure of layers, just as in Reference
+Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
+must have a metadata.xml file which is an XML file with a summary tag and
+optional desc (long description) tag.  This should describe the purpose of
+the layer.
+
+Metadata.xml example:
+
+<summary>ABC modules for the XYZ components.</summary>
+
+Make targets for modules built from headers:
+
+MODULENAME.pp          Compile and package the MODULENAME local module.
+
+all                    Compile and package the modules in the current
+                       directory.
+
+load                   Compile and package the modules in the current
+                       directory, then insert them into the module store.
+
+refresh                        Attempts to reinsert all modules that are 
currently
+                       in the module store from the local and system module
+                       packages.
+
+xml                    Build a policy.xml from the XML included with the
+                       base policy headers and any XML in the modules in
+                       the current directory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250512/README.contrib.md 
new/selinux-policy-20250528/README.contrib.md
--- old/selinux-policy-20250512/README.contrib.md       1970-01-01 
01:00:00.000000000 +0100
+++ new/selinux-policy-20250528/README.contrib.md       2025-05-28 
11:49:57.000000000 +0200
@@ -0,0 +1,54 @@
+## Merging selinux-policy-contrib repository with selinux-policy
+
+On November 25th, 2020, the selinux-policy-contrib repository was merged with 
selinux-policy.
+
+Previously, SELinux policy packages in Fedora used 2 repositories:
+base [1] and contrib [2].
+This division into two repos was merely a historical artifact, being
+now just a source of confusion and made dealing
+with SELinux policy repos more difficult.
+
+From now on, these repos are merged into one, containing sources from both.
+All the changes affect both repos, `rawhide` branches and future branches
+`f34` and newer.
+When working in the rawhide branch, only the base repo is
+now used; the corresponding contrib branch was archived and will not be used
+any longer. The contrib repo's commit history are a part of the base repo.
+Stable branches (`f33`, `f32`, all older ones) remain unchanged.
+
+It mainly is an internal change of where the git repository is stored and
+how it is referenced. There should now be just one notable change
+inside the repo: all files previously accessible from the root directory in the
+selinux-policy-contrib repo are in the selinux-policy base repo, directory
+`policy/modules/contrib/`. No change for working in the selinux-policy base 
repo.
+
+### How users are affected?
+There is no change for users.
+
+### How custom selinux-policy developers are affected?
+No change for policy writing other than where to look for modules, previously 
found in the contrib repo.
+
+Scripts, data, specfile, etc. in the dist git were updated to use the new 
location for builds targeting rawhide or f34+.
+
+### How selinux-policy contributors are affected?
+No change other than where to look for the previous contrib modules and where 
to submit pull requests.
+
+Pull requests which have not been merged yet require the submitter to rebase 
it and open against the base repo.
+
+### Where to submit pull requests?
+Use the base selinux-policy repository [3].
+
+### How to report issues?
+Use the base selinux-policy repository [4].
+
+### Backporting commits
+Commits to policy/modules/contrib needing backport to stable branches will be 
backported to the legacy contrib repo.
+
+### References
+[1] https://github.com/fedora-selinux/selinux-policy/
+
+[2] https://github.com/fedora-selinux/selinux-policy-contrib/
+
+[3] https://github.com/fedora-selinux/selinux-policy/pulls
+
+[4] https://github.com/fedora-selinux/selinux-policy/issues
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-policy-20250512/README.md 
new/selinux-policy-20250528/README.md
--- old/selinux-policy-20250512/README.md       2025-05-12 11:06:48.000000000 
+0200
+++ new/selinux-policy-20250528/README.md       2025-05-28 11:49:57.000000000 
+0200
@@ -1,54 +1,26 @@
-## Merging selinux-policy-contrib repository with selinux-policy
+# Fedora SELinux policy
 
-On November 25th, 2020, the selinux-policy-contrib repository was merged with 
selinux-policy.
+This is SELinux policy based on 
[refpolicy](https://github.com/SELinuxProject/refpolicy) used in Fedora, Red 
Hat Enterprise Linux and CentOS Stream.
 
-Previously, SELinux policy packages in Fedora used 2 repositories:
-base [1] and contrib [2].
-This division into two repos was merely a historical artifact, being
-now just a source of confusion and made dealing
-with SELinux policy repos more difficult.
+## Installation
 
-From now on, these repos are merged into one, containing sources from both.
-All the changes affect both repos, `rawhide` branches and future branches
-`f34` and newer.
-When working in the rawhide branch, only the base repo is
-now used; the corresponding contrib branch was archived and will not be used
-any longer. The contrib repo's commit history are a part of the base repo.
-Stable branches (`f33`, `f32`, all older ones) remain unchanged.
+The installation process is described in [INSTALL](INSTALL).
 
-It mainly is an internal change of where the git repository is stored and
-how it is referenced. There should now be just one notable change
-inside the repo: all files previously accessible from the root directory in the
-selinux-policy-contrib repo are in the selinux-policy base repo, directory
-`policy/modules/contrib/`. No change for working in the selinux-policy base 
repo.
+The default policy is installed to `/etc/selinux/fedora-selinux` and 
`/var/lib/selinux/fedora-selinux`.
 
-### How users are affected?
-There is no change for users.
+The name and other options can be changed using variables like `NAME`, `TYPE`, 
... variables, for more details see [README.build](README.build).
+E.g. Fedora `targeted` policy uses the following options:
 
-### How custom selinux-policy developers are affected?
-No change for policy writing other than where to look for modules, previously 
found in the contrib repo.
+    DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=n MLS_CATS=1024 
MCS_CATS=1024 UNK_PERMS=allow NAME=targeted TYPE=mcs
 
-Scripts, data, specfile, etc. in the dist git were updated to use the new 
location for builds targeting rawhide or f34+.
+## Contributing
 
-### How selinux-policy contributors are affected?
-No change other than where to look for the previous contrib modules and where 
to submit pull requests.
+There are several ways how to contribute:
 
-Pull requests which have not been merged yet require the submitter to rebase 
it and open against the base repo.
+### Report bugs
 
-### Where to submit pull requests?
-Use the base selinux-policy repository [3].
+Either open issue in this project or file a bug in [Fedora 
Bugzilla](https://bugzilla.redhat.com)
 
-### How to report issues?
-Use the base selinux-policy repository [4].
+### Pull requests
 
-### Backporting commits
-Commits to policy/modules/contrib needing backport to stable branches will be 
backported to the legacy contrib repo.
-
-### References
-[1] https://github.com/fedora-selinux/selinux-policy/
-
-[2] https://github.com/fedora-selinux/selinux-policy-contrib/
-
-[3] https://github.com/fedora-selinux/selinux-policy/pulls
-
-[4] https://github.com/fedora-selinux/selinux-policy/issues
+You can fork this repo and open a PR. Please use  good practices and use 
descriptive commit messages.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/config/file_contexts.subs_dist 
new/selinux-policy-20250528/config/file_contexts.subs_dist
--- old/selinux-policy-20250512/config/file_contexts.subs_dist  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/config/file_contexts.subs_dist  2025-05-28 
11:49:57.000000000 +0200
@@ -28,6 +28,7 @@
 /var/roothome        /root
 /sbin                /usr/bin
 /sysroot/tmp         /tmp
+/var/etc             /etc
 /var/usrlocal        /usr/local
 /var/mnt             /mnt
 /bin                 /usr/bin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/bind.te 
new/selinux-policy-20250528/policy/modules/contrib/bind.te
--- old/selinux-policy-20250512/policy/modules/contrib/bind.te  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/bind.te  2025-05-28 
11:49:57.000000000 +0200
@@ -238,6 +238,7 @@
 ')
 
 optional_policy(`
+       networkmanager_read_pid_files(named_t)
        networkmanager_rw_udp_sockets(named_t)
        networkmanager_rw_packet_sockets(named_t)
        networkmanager_rw_routing_sockets(named_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/ftp.te 
new/selinux-policy-20250528/policy/modules/contrib/ftp.te
--- old/selinux-policy-20250512/policy/modules/contrib/ftp.te   2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/ftp.te   2025-05-28 
11:49:57.000000000 +0200
@@ -249,6 +249,7 @@
 
 tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
        fs_manage_cifs_files(ftpd_t)
+       fs_manage_cifs_dirs(ftpd_t)
 ')
 
 tunable_policy(`ftpd_use_fusefs',`
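Review bot: The description of the `ftpd_anon_write` tunable, declared earlier in ftp.te outside this hunk, should now state that together with `ftpd_use_cifs` it permits creating and removing directories on CIFS mounts, not only files, because `fs_manage_cifs_dirs(ftpd_t)` is a strictly wider grant than the `fs_manage_cifs_files(ftpd_t)` line above it. The same applies to the NFS hunk below, where `fs_manage_nfs_dirs(ftpd_t)` is added under `ftpd_use_nfs && ftpd_anon_write`. If the description already covers directories, a one-line `# anonymous uploads may also create and delete directory trees` inside each tunable block would still record that the pairing is intentional.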
@@ -266,6 +267,7 @@
 
 tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
        fs_manage_nfs_files(ftpd_t)
+       fs_manage_nfs_dirs(ftpd_t)
 ')
 
 tunable_policy(`ftpd_full_access',`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/geoclue.te 
new/selinux-policy-20250528/policy/modules/contrib/geoclue.te
--- old/selinux-policy-20250512/policy/modules/contrib/geoclue.te       
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/geoclue.te       
2025-05-28 11:49:57.000000000 +0200
@@ -88,3 +88,7 @@
 optional_policy(`
        pcscd_stream_connect(geoclue_t)
 ')
+
+optional_policy(`
+       virt_read_lib_files(geoclue_t)
+')
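Review bot: `virt_read_lib_files(geoclue_t)` gives a location service read access to libvirt's lib files with no comment recording which geoclue code path needs it, and a cross-service grant like this is exactly what a later cleanup will try to remove unless the reason is written down. Please add a comment above the `optional_policy` block, e.g. `# geoclue reads <which libvirt lib files — confirm against the AVC that motivated this>`, or cite the bug/AVC. The changelog entry "Allow geoclue read virt lib files" only restates the rule.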
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/lldpad.te 
new/selinux-policy-20250528/policy/modules/contrib/lldpad.te
--- old/selinux-policy-20250512/policy/modules/contrib/lldpad.te        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/lldpad.te        
2025-05-28 11:49:57.000000000 +0200
@@ -102,6 +102,10 @@
 ')
 
 optional_policy(`
+       systemd_homed_stream_connect(lldpad_t)
+')
+
+optional_policy(`
     unconfined_dgram_send(lldpad_t)
 ')
 
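Review bot: `systemd_homed_stream_connect(lldpad_t)` lets an LLDP agent connect to systemd-homed's socket and nothing in the hunk says why; the most plausible reason is a user or group lookup that NSS routes to the userdb sockets, but that is an inference. A comment such as `# NSS user lookups reach homed's userdb socket — confirm` above the new block would keep the grant from reading as a stray cross-service rule. The context line `unconfined_dgram_send(lldpad_t)` below it appears to be space-indented while the new lines use a tab; worth aligning while the file is touched.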
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/networkmanager.te 
new/selinux-policy-20250528/policy/modules/contrib/networkmanager.te
--- old/selinux-policy-20250512/policy/modules/contrib/networkmanager.te        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/networkmanager.te        
2025-05-28 11:49:57.000000000 +0200
@@ -415,6 +415,7 @@
 
 optional_policy(`
        iptables_domtrans(NetworkManager_t)
+       iptables_signal(NetworkManager_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/nut.te 
new/selinux-policy-20250528/policy/modules/contrib/nut.te
--- old/selinux-policy-20250512/policy/modules/contrib/nut.te   2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/nut.te   2025-05-28 
11:49:57.000000000 +0200
@@ -119,6 +119,7 @@
 optional_policy(`
        systemd_read_logind_sessions_files(nut_upsmon_t)
        systemd_start_power_services(nut_upsmon_t)
+       systemd_write_inhibit_pipes(nut_upsmon_t)
 ')
 
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/policykit.fc 
new/selinux-policy-20250528/policy/modules/contrib/policykit.fc
--- old/selinux-policy-20250512/policy/modules/contrib/policykit.fc     
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/policykit.fc     
2025-05-28 11:49:57.000000000 +0200
@@ -19,4 +19,4 @@
 /var/lib/polkit-1(/.*)?                                
gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/lib/PolicyKit-public(/.*)?                        
gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /run/PolicyKit(/.*)?                   
gen_context(system_u:object_r:policykit_var_run_t,s0)
-
+/run/polkit-1(/.*)?                    
gen_context(system_u:object_r:policykit_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/policykit.te 
new/selinux-policy-20250528/policy/modules/contrib/policykit.te
--- old/selinux-policy-20250512/policy/modules/contrib/policykit.te     
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/policykit.te     
2025-05-28 11:49:57.000000000 +0200
@@ -76,6 +76,7 @@
 manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+watch_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 
 kernel_read_system_state(policykit_t)
 kernel_read_kernel_sysctls(policykit_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/raid.te 
new/selinux-policy-20250528/policy/modules/contrib/raid.te
--- old/selinux-policy-20250512/policy/modules/contrib/raid.te  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/raid.te  2025-05-28 
11:49:57.000000000 +0200
@@ -10,6 +10,7 @@
 type mdadm_t;
 type mdadm_exec_t;
 init_daemon_domain(mdadm_t, mdadm_exec_t)
+init_nosuid_domain(mdadm_t)
 role mdadm_roles types mdadm_t;
 
 type mdadm_initrc_exec_t;
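Review bot: `init_nosuid_domain(mdadm_t)` lets init transition into mdadm_t even when the executable sits on a nosuid-mounted filesystem, deliberately bypassing the usual no-transition-from-nosuid safeguard, and neither this line nor the new interface in init.if (`allow init_t $1:process2 nosuid_transition;`) records which mount makes that necessary. Please add a comment at the call site, e.g. `# mdadm_exec_t can live on a nosuid mount (<which layout — confirm>); let init still transition`, so the exception is not copied to other domains without the same need. The interface summary in init.if is adequate; the reason belongs here.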
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/tuned.te 
new/selinux-policy-20250528/policy/modules/contrib/tuned.te
--- old/selinux-policy-20250512/policy/modules/contrib/tuned.te 2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/tuned.te 2025-05-28 
11:49:57.000000000 +0200
@@ -173,8 +173,10 @@
 
 allow tuned_ppd_t tuned_exec_t:file getattr;
 
+allow tuned_ppd_t tuned_rw_etc_t:file create;
 read_files_pattern(tuned_ppd_t, tuned_etc_t, tuned_etc_t)
 rw_files_pattern(tuned_ppd_t, tuned_etc_t, tuned_rw_etc_t)
+filetrans_pattern(tuned_ppd_t, tuned_etc_t, tuned_rw_etc_t, file, 
"ppd_base_profile")
 
 create_files_pattern(tuned_ppd_t, tuned_log_t, tuned_log_t)
 write_files_pattern(tuned_ppd_t, tuned_log_t, tuned_log_t)
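Review bot: The new `allow tuned_ppd_t tuned_rw_etc_t:file create;` and the `filetrans_pattern(tuned_ppd_t, tuned_etc_t, tuned_rw_etc_t, file, "ppd_base_profile")` work as a pair and deserve a comment saying so: the type transition fires only for the name `ppd_base_profile`, and because `create` is granted on tuned_rw_etc_t but not on tuned_etc_t, any other new file in a tuned_etc_t directory would still be denied. Suggested: `# only ppd_base_profile may be created in tuned_etc_t dirs; it is labeled tuned_rw_etc_t`. Note that `filetrans_pattern`, as I read the macro, also grants rw_dir_perms on tuned_etc_t directories, which is wider than the single file name suggests and is worth stating in the same comment.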
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/contrib/virt.te 
new/selinux-policy-20250528/policy/modules/contrib/virt.te
--- old/selinux-policy-20250512/policy/modules/contrib/virt.te  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/contrib/virt.te  2025-05-28 
11:49:57.000000000 +0200
@@ -2281,10 +2281,12 @@
 dev_rw_sgx_vepc(virtqemud_t)
 dev_rw_vfio_dev(virtqemud_t)
 dev_relabel_all_dev_nodes(virtqemud_t)
+dev_rw_input_dev(virtqemud_t)
 dev_rw_kvm(virtqemud_t)
 dev_rw_lvm_control(virtqemud_t)
 dev_rw_vhost(virtqemud_t)
 dev_rw_sev(virtqemud_t)
+dev_setattr_input_dev(virtqemud_t)
 dev_setattr_sev(virtqemud_t)
 dev_setattr_urand(virtqemud_t)
 dev_unmount_fs(virtqemud_t)
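Review bot: `dev_rw_input_dev(virtqemud_t)` together with `dev_setattr_input_dev(virtqemud_t)` opens every input event device node (keyboards, mice, touchpads) to the libvirt QEMU driver, and nothing in the hunk says which feature needs it; read/write on host input devices is a sensitive grant that should carry its justification. Presumably this is evdev input passthrough to guests, which is an inference to confirm. Please add a comment, e.g. `# evdev passthrough: virtqemud opens host input devices on behalf of guests (confirm)`, and consider gating both lines behind a boolean so hosts that never use passthrough do not carry the permission. The list of dev_* rules for virtqemud_t continues outside this hunk.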
@@ -2454,6 +2456,8 @@
 
 manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
 
+write_files_pattern(virtstoraged_t, qemu_var_run_t, qemu_var_run_t)
+
 kernel_get_sysvipc_info(virtstoraged_t)
 kernel_io_uring_use(virtstoraged_t)
 kernel_read_vm_sysctls(virtstoraged_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/kernel/devices.fc 
new/selinux-policy-20250528/policy/modules/kernel/devices.fc
--- old/selinux-policy-20250512/policy/modules/kernel/devices.fc        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/kernel/devices.fc        
2025-05-28 11:49:57.000000000 +0200
@@ -24,6 +24,7 @@
 /dev/crash             -c      
gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
 /dev/crypto/nx-gzip    -c      
gen_context(system_u:object_r:accelerator_device_t,mls_systemhigh)
 /dev/dahdi/.*          -c      gen_context(system_u:object_r:sound_device_t,s0)
+/dev/diag              -c      
gen_context(system_u:object_r:diagnostic_device_t,s0)
 /dev/dlm.*             -c      
gen_context(system_u:object_r:dlm_control_device_t,s0)
 /dev/dma_heap/.+       -c      gen_context(system_u:object_r:dma_device_t,s0)
 /dev/dmfm.*            -c      gen_context(system_u:object_r:sound_device_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/kernel/devices.te 
new/selinux-policy-20250528/policy/modules/kernel/devices.te
--- old/selinux-policy-20250512/policy/modules/kernel/devices.te        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/kernel/devices.te        
2025-05-28 11:49:57.000000000 +0200
@@ -105,6 +105,12 @@
 dev_node(accelerator_device_t)
 
 #
+# Type for the /dev/diag device
+#
+type diagnostic_device_t;
+dev_node(diagnostic_device_t)
+
+#
 # dlm_misc_device_t is the type of /dev/misc/dlm.*
 #
 type dlm_control_device_t;
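Review bot: `diagnostic_device_t` is declared with `dev_node()` only, and devices.if is not touched by this diff (it would sit between devices.fc and devices.te), so after this change no confined domain can open `/dev/diag`; that is a safe default for a newly labeled node, but the header comment should say whether it is intended. Suggest `# Type for the /dev/diag device (no access interface yet; add one in devices.if when a domain needs it)`. The devices.fc entry `/dev/diag -c ... diagnostic_device_t` is consistent with the type name.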
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/kernel/files.if 
new/selinux-policy-20250528/policy/modules/kernel/files.if
--- old/selinux-policy-20250512/policy/modules/kernel/files.if  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/kernel/files.if  2025-05-28 
11:49:57.000000000 +0200
@@ -10562,7 +10562,7 @@
                attribute file_type;
        ')
 
-       dontaudit $1 file_type:dir unlink;
+       dontaudit $1 file_type:dir { remove_name rmdir write };
        dontaudit $1 file_type:file unlink;
        dontaudit $1 file_type:lnk_file unlink;
        dontaudit $1 file_type:fifo_file unlink;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/roles/sysadm.te 
new/selinux-policy-20250528/policy/modules/roles/sysadm.te
--- old/selinux-policy-20250512/policy/modules/roles/sysadm.te  2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/roles/sysadm.te  2025-05-28 
11:49:57.000000000 +0200
@@ -614,6 +614,10 @@
        optional_policy(`
                crontab_admin_domtrans(sysadm_sudo_t)
        ')
+
+       optional_policy(`
+               rpm_script_signal(sysadm_sudo_t)
+       ')
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/services/xserver.fc 
new/selinux-policy-20250528/policy/modules/services/xserver.fc
--- old/selinux-policy-20250512/policy/modules/services/xserver.fc      
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/services/xserver.fc      
2025-05-28 11:49:57.000000000 +0200
@@ -93,6 +93,7 @@
 #
 
 /usr/lib/systemd/user/.*gnome.*\.(service|target)              --      
gen_context(system_u:object_r:xdm_unit_file_t,s0)
+/usr/lib/systemd/user/plasma-.*\.(service|target)              --      
gen_context(system_u:object_r:xdm_unit_file_t,s0)
 
 /usr/bin/mdm-binary    --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gdm(3)?       --      gen_context(system_u:object_r:xdm_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/init.if 
new/selinux-policy-20250528/policy/modules/system/init.if
--- old/selinux-policy-20250512/policy/modules/system/init.if   2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/init.if   2025-05-28 
11:49:57.000000000 +0200
@@ -157,6 +157,24 @@
 
 ########################################
 ## <summary>
+##     Allow nosuid_transition from systemd into a confined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_nosuid_domain',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow init_t $1:process2 nosuid_transition;
+')
+
+########################################
+## <summary>
 ##     Create a domain which can be started by init,
 ##     with a range transition.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/init.te 
new/selinux-policy-20250528/policy/modules/system/init.te
--- old/selinux-policy-20250512/policy/modules/system/init.te   2025-05-12 
11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/init.te   2025-05-28 
11:49:57.000000000 +0200
@@ -401,7 +401,7 @@
 libs_rw_ld_so_cache(init_t)
 
 logging_create_devlog_dev(init_t)
-logging_create_journal_files(init_t)
+logging_create_syslog_pid_file(init_t)
 logging_send_syslog_msg(init_t)
 logging_send_audit_msgs(init_t)
 logging_manage_generic_logs(init_t)
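Review bot: The changelog calls this "Allow systemd create journal pid files" while the interface now called on this line, `logging_create_syslog_pid_file(init_t)`, is documented in logging.if as creating "the syslog pid files"; both refer to syslogd_var_run_t, but a reader cannot tell from here which file init actually creates. A comment naming it would settle that, e.g. `# init creates <PID_FILE_PATH — confirm> under syslogd_var_run_t`, and the summary in logging.if could then be reworded to match. The list of init_t rules continues on both sides of this hunk.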
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/iptables.if 
new/selinux-policy-20250528/policy/modules/system/iptables.if
--- old/selinux-policy-20250512/policy/modules/system/iptables.if       
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/iptables.if       
2025-05-28 11:49:57.000000000 +0200
@@ -240,3 +240,21 @@
        allow $1 iptables_var_run_t:dir list_dir_perms;
        read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
 ')
+
+#####################################
+## <summary>
+##     Send iptables a general signal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`iptables_signal',`
+       gen_require(`
+               type iptables_t;
+       ')
+
+       allow $1 iptables_t:process signal;
+')
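Review bot: The separator line above the new `iptables_signal` block is shorter than the 40-column `########################################` used for the other interface headers in this diff (init.if, logging.if); a cosmetic nit, but the header is new, so worth aligning now. The rule `allow $1 iptables_t:process signal;` matches its summary "Send iptables a general signal": `signal` covers the generic signals and not sigkill, sigstop, sigchld or signull, which have their own permissions, so callers that only need a reload or terminate get no more than that.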
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/logging.if 
new/selinux-policy-20250528/policy/modules/system/logging.if
--- old/selinux-policy-20250512/policy/modules/system/logging.if        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/logging.if        
2025-05-28 11:49:57.000000000 +0200
@@ -739,7 +739,7 @@
 
 ########################################
 ## <summary>
-##     Use the syslog pid sock_file as mount point.
+##     Allow domain to create the syslog pid files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -747,12 +747,12 @@
 ##     </summary>
 ## </param>
 #
-interface(`logging_mounton_syslog_pid_socket',`
+interface(`logging_create_syslog_pid_file',`
        gen_require(`
                type syslogd_var_run_t;
        ')
 
-       allow $1 syslogd_var_run_t:sock_file mounton;
+       create_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 ')
 
 ########################################
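Review bot: `create_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)` grants more than the `allow $1 syslogd_var_run_t:file { create };` that the deleted `logging_create_journal_files` interface gave: as I read the pattern macro it also adds search and add_name on syslogd_var_run_t directories and getattr/open on the files, so the caller switched to it (init_t in init.te) receives a slightly wider grant. That is probably the correct set for actually creating a pid file, but the summary "Allow domain to create the syslog pid files" should say so, e.g. `## Create files in the syslog runtime directory (grants dir search/add_name and file create/getattr/open).` The relocated `logging_mounton_syslog_pid_socket` at the end of the file keeps its body unchanged.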
@@ -1809,24 +1809,6 @@
 
 #######################################
 ## <summary>
-##     Create files in /run/log/journal/ directory.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`logging_create_journal_files',`
-       gen_require(`
-               type syslogd_var_run_t;
-       ')
-
-       allow $1 syslogd_var_run_t:file { create };
-')
-
-#######################################
-## <summary>
 ##     Map files in /run/log/journal/ directory.
 ## </summary>
 ## <param name="domain">
@@ -1934,3 +1916,21 @@
 
        allow $1 syslogd_t:unix_dgram_socket accept;
 ')
+
+########################################
+## <summary>
+##     Use the syslog pid sock_file as mount point.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_mounton_syslog_pid_socket',`
+       gen_require(`
+               type syslogd_var_run_t;
+       ')
+
+       allow $1 syslogd_var_run_t:sock_file mounton;
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/logging.te 
new/selinux-policy-20250528/policy/modules/system/logging.te
--- old/selinux-policy-20250512/policy/modules/system/logging.te        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/logging.te        
2025-05-28 11:49:57.000000000 +0200
@@ -516,7 +516,7 @@
 allow syslogd_t self:vsock_socket create_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
-allow syslogd_t syslog_conf_t:dir list_dir_perms;
+allow syslogd_t syslog_conf_t:dir { list_dir_perms watch_dir_perms };
 # receive messages including a memfd
 allow syslogd_t user_tmp_t:file map;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/systemd-homed.fc 
new/selinux-policy-20250528/policy/modules/system/systemd-homed.fc
--- old/selinux-policy-20250512/policy/modules/system/systemd-homed.fc  
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/systemd-homed.fc  
2025-05-28 11:49:57.000000000 +0200
@@ -12,7 +12,7 @@
 /usr/lib/systemd/system/systemd-homed-activate\.service   --  
gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
 /usr/lib/systemd/system/systemd-homed\.service            --  
gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
 
-/var/cache/systemd/home(//.*)?         
gen_context(system_u:object_r:systemd_homed_cache_t,s0)
+/var/cache/systemd/home(/.*)?          
gen_context(system_u:object_r:systemd_homed_cache_t,s0)
 
 /var/lib/systemd/home/(.+)\.identity                      --  
gen_context(system_u:object_r:systemd_homed_record_t,s0)
 /var/lib/systemd/home/local\.private                      --  
gen_context(system_u:object_r:systemd_homed_record_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-policy-20250512/policy/modules/system/systemd.te 
new/selinux-policy-20250528/policy/modules/system/systemd.te
--- old/selinux-policy-20250512/policy/modules/system/systemd.te        
2025-05-12 11:06:48.000000000 +0200
+++ new/selinux-policy-20250528/policy/modules/system/systemd.te        
2025-05-28 11:49:57.000000000 +0200
@@ -258,6 +258,11 @@
 type systemd_machined_unit_file_t;
 systemd_unit_file(systemd_machined_unit_file_t)
 
+type systemd_machined_tmp_t;
+files_tmp_file(systemd_machined_tmp_t)
+type systemd_machined_tmpfs_t;
+files_tmpfs_file(systemd_machined_tmpfs_t)
+
 # /run/systemd/machines
 type systemd_machined_var_run_t;
 files_pid_file(systemd_machined_var_run_t)
@@ -536,11 +541,17 @@
 # systemd_machined local policy
 #
 
-allow systemd_machined_t self:capability { dac_read_search dac_override setgid 
sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t self:capability { chown dac_read_search dac_override 
fowner fsetid setgid sys_admin sys_chroot sys_ptrace kill };
 allow systemd_machined_t systemd_unit_file_t:service { status start stop };
 allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
 allow systemd_machined_t self:cap_userns { kill setgid setuid sys_admin 
sys_chroot sys_ptrace };
 
+allow systemd_machined_t systemd_machined_tmp_t:file { create setattr 
write_file_perms };
+files_tmp_filetrans(systemd_machined_t, systemd_machined_tmp_t, file)
+
+allow systemd_machined_t systemd_machined_tmpfs_t:file { create setattr 
write_file_perms };
+fs_tmpfs_filetrans(systemd_machined_t, systemd_machined_tmpfs_t, file)
+
 manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, 
systemd_machined_var_run_t)
 manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, 
systemd_machined_var_run_t)
 manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, 
systemd_machined_var_run_t)
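Review bot: The capability line for systemd_machined_t grows by `chown fowner fsetid` with no note of which operation needs them; `fsetid` in particular lets the daemon preserve setuid/setgid bits on files it writes, which is the kind of capability a later review will try to drop unless the reason is recorded. Please add a comment above the line, e.g. `# chown/fowner/fsetid: needed for <which machined operation — confirm>`. The new tmp/tmpfs rules grant `{ create setattr write_file_perms }` but no read on systemd_machined_tmp_t and systemd_machined_tmpfs_t files; if that write-only shape is deliberate, a one-line comment would stop someone "fixing" it to read/write.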
@@ -1352,8 +1363,12 @@
 allow systemd_generator systemd_unit_file_type:lnk_file getattr_lnk_file_perms;
 
 kernel_read_proc_files(systemd_generator)
+kernel_read_sysctl(systemd_generator)
+kernel_read_net_sysctls(systemd_generator)
 dev_write_kmsg(systemd_generator)
 
+corecmd_exec_bin(systemd_generator)
+dev_read_sysfs(systemd_generator)
 dev_write_kmsg(systemd_generator)
 files_map_read_etc_files(systemd_generator)
 fs_getattr_all_fs(systemd_generator)
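Review bot: `corecmd_exec_bin(systemd_generator)` and `dev_read_sysfs(systemd_generator)` now apply to every generator domain, and the comment that accompanied the per-domain versions, `# for systemd-detect-virt - needs to be confined`, is deleted in the zram hunk further down (along with the vsftpd and gpt per-domain lines) rather than moved. The reminder still holds and matters more at attribute scope, so please carry it over as `# for systemd-detect-virt - needs to be confined` above the attribute-level `corecmd_exec_bin` line. Separately, `dev_write_kmsg(systemd_generator)` appears twice in the surrounding context, before and after the new lines; one copy can go.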
@@ -1362,9 +1377,17 @@
 init_read_state(systemd_generator)
 
 optional_policy(`
+       auth_dontaudit_read_passwd_file(systemd_generator)
+')
+
+optional_policy(`
        logging_stream_connect_syslog(systemd_generator)
 ')
 
+optional_policy(`
+       sssd_dontaudit_search_lib(systemd_generator)
+')
+
 ### Rules for individual systemd generator domains
 
 ### bless-boot generator
@@ -1435,7 +1458,6 @@
 dontaudit systemd_gpt_generator_t self:capability sys_admin;
 allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket 
create_socket_perms;
 
-dev_read_sysfs(systemd_gpt_generator_t)
 dev_read_rand(systemd_gpt_generator_t)
 
 files_list_boot(systemd_gpt_generator_t)
@@ -1529,7 +1551,7 @@
 init_read_script_files(systemd_sysv_generator_t)
 
 ### tpm2 generator
-dev_read_sysfs(systemd_tpm2_generator_t)
+permissive systemd_tpm2_generator_t;
 
 ### udev trigger generator
 corecmd_exec_bin(systemd_udev_trigger_generator_t)
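Review bot: `permissive systemd_tpm2_generator_t;` replaces the domain's only visible access rule, so denials for this generator are now logged but not enforced, and nothing in the hunk says why or when enforcement is expected back. A permissive domain in shipped policy should carry a pointer, e.g. `# TODO(<tracker id>): permissive until the tpm2 generator's accesses are collected; remove once confined`. The vsftpd generator below loses its `permissive` line in the same commit, which shows the intended life-cycle; recording it for tpm2 keeps the two consistent.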
@@ -1545,15 +1567,8 @@
 permissive systemd_udev_trigger_generator_t;
 
 ### vsftpd generator
-permissive systemd_vsftpd_generator_t;
-
-corecmd_exec_bin(systemd_vsftpd_generator_t)
 corecmd_exec_shell(systemd_vsftpd_generator_t)
 
-optional_policy(`
-       auth_dontaudit_read_passwd_file(systemd_vsftpd_generator_t)
-')
-
 ### zram generator
 allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file 
write_file_perms;
 permissive systemd_zram_generator_t;
@@ -1563,9 +1578,6 @@
 dev_create_sysfs_files(systemd_zram_generator_t)
 dev_rw_sysfs(systemd_zram_generator_t)
 
-# for systemd-detect-virt - needs to be confined
-corecmd_exec_bin(systemd_zram_generator_t)
-dev_read_sysfs(systemd_zram_generator_t)
 storage_getattr_fixed_disk_dev(systemd_zram_generator_t)
 
 optional_policy(`
@@ -2085,6 +2097,7 @@
 systemd_dbus_chat_logind(systemd_user_runtimedir_t)
 
 kernel_dgram_send(systemd_user_runtimedir_t)
+kernel_stream_connect(systemd_user_runtimedir_t)
 
 domain_obj_id_change_exemption(systemd_user_runtimedir_t)
 
