Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2025-08-13 16:23:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1085 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Wed Aug 13 16:23:09 2025 rev:122 rq:1299076 version:20250812

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2025-07-31 17:45:43.286959282 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1085/selinux-policy.changes  
2025-08-13 16:28:25.667198177 +0200
@@ -1,0 +2,95 @@
+Tue Aug 12 10:34:11 UTC 2025 - Cathy Hu <cathy...@suse.com>
+
+- Update to version 20250812 (bsc#1247772):
+  * Fix selinux-autorelabel-generator label after upstream changes
+  * Revert "Remove the mysql module sources"
+  * Revert "Allow rasdaemon write access to sysfs (bsc#1229587)"
+  * Reset postfix.fc to upstream, add alias instead
+  * Allow systemd-networkd to create leases directory
+  * Apply generator template to selinux-autorelabel generator
+  * Support virtqemud handle hotplug hostdev devices
+  * Allow virtstoraged create qemu /var/run files
+  * Allow unconfined_domain_type cap2_userns capabilities
+  * Label /usr/libexec/postfix/tlsproxy with postfix_smtp_exec_t
+  * Remove the mysql module sources
+  * dist/targeted/modules.conf: Enable kmscon module (bsc#1238137)
+  * Update kmscon policy module to kmscon version 9 (bsc#1238137)
+  * Allow login to getattr pidfs
+  * Allow systemd to map files under /sys
+  * systemd: drop duplicate init_nnp_daemon_domain lines
+  * Fix typo
+  * Allow logwatch stream connect to opensmtpd
+  * Allow geoclue read NetworkManager pid files
+  * Allow unconfined user a file transition for creating sudo log directory
+  * Allow virtqemud read/write inherited dri devices
+  * Allow xdm_t create user namespaces
+  * Update policy for login_userdomain
+  * Add ppd_base_profile to file transition to get tuned_rw_etc_t type
+  * Update policy for bootupd
+  * Allow logwatch work with opensmtpd
+  * Update dovecot policy for dovecot 2.4.1
+  * Allow ras-mc-ctl write to sysfs files
+
+-------------------------------------------------------------------
+Tue Aug  5 14:25:13 UTC 2025 - Cathy Hu <cathy...@suse.com>
+
+- Update embedded container-selinux version to commit:
+  * 10cc7ecacd631368e23691a77dbfe63ac6ca855f (version 2.240.0)
+  The 2.239.0 was tagged incorrectly by upstream, syncing again
+  with new tag
+
+-------------------------------------------------------------------
+Mon Aug 04 08:26:43 UTC 2025 - Cathy Hu <cathy...@suse.com>
+
+- Update to version 20250804:
+  * Allow anaconda-generator get attributes of all filesystems
+  * Add the rhcd_rw_fifo_files() interface
+  * Allow systemd-coredump the sys_chroot capability
+  * Allow hostapd write to socket files in /tmp
+  * Recognize /var/home as an alternate path for /home
+  * Label /var/lib/lastlog with lastlog_t
+  * Allow virtqemud write to sysfs files
+  * Allow irqbalance search sssd lib directories
+  * Allow samba-dcerpcd send sigkills to passwd
+  * Allow systemd-oomd watch dbus pid sock files
+  * Allow some confined users read and map generic log files
+  * Allow login_userdomain watch the /run/log/journal directory
+  * Allow login_userdomain dbus chat with tuned-ppd
+  * Allow login_userdomain dbus chat with switcheroo-control
+  * Allow userdomain to connect to systemd-oomd over a unix socket
+  * Add insights_client_delete_lib_dirs() interface
+  * Allow virtqemud_t use its private tmpfs files (bsc#1242998)
+  * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
+  * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
+  * Extend virtqemud_t tcp_socket permissions (bsc#1242998)
+  * Allow virtqemud_t to read and write generic pty (bsc#1242998)
+  * Allow systemd-importd create and unlink init pid socket
+  * Allow virtqemud handle virt_content_t chr files
+  * Allow svirt read virtqemud fifo files
+  * All sblim-sfcbd the dac_read_search capability
+  * Allow sblim domain read systemd session files
+  * Allow sblim-sfcbd execute dnsdomainname
+  * Confine nfs-server generator
+  * Allow systemd-timedated start/stop timemaster services
+  * Allow "hostapd_cli ping" run as a systemd service
+  * Allow power-profiles-daemon get attributes of filesystems with extended 
attributes
+  * Allow 'oomctl dump' to interact with systemd-oomd
+  * Basic functionality for systemd-oomd
+  * Basic enablement for systemd-oomd
+  * Allow samba-bgqd send to smbd over a unix datagram socket
+  * Update kernel_secretmem_use()
+  * Add the file/watch_mountns permission
+  * Update systemd-generators policy
+  * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
+  * Allow insights-client file transition for files in /var/tmp
+  * Allow tuned-ppd manage tuned log files
+  * Allow systemd-coredump mount on tmpfs filesystems
+  * Update sssd_dontaudit_read_public_files()
+  * Allow zram-generator raw read fixed disk device
+  * Add fs_write_cgroup_dirs() and fs_setattr_cgroup_dirs() interfaces
+- Syncing with upstream rawhide selinux-policy up to:
+  * 1de2b642cba24f493578d4c944ea8db5535e8956
+- Update embedded container-selinux version to commit:
+  * 9693071320e1f931ff825ea376926f816380873d (version 2.239.0)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20250730.tar.xz

New:
----
  selinux-policy-20250812.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.LQwMQi/_old  2025-08-13 16:28:32.315474807 +0200
+++ /var/tmp/diff_new_pack.LQwMQi/_new  2025-08-13 16:28:32.315474807 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20250730
+Version:        20250812
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.LQwMQi/_old  2025-08-13 16:28:32.383477637 +0200
+++ /var/tmp/diff_new_pack.LQwMQi/_new  2025-08-13 16:28:32.387477803 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">15675827ab60cadbfa09c9c74505ad34032ffe33</param></service></servicedata>
+              <param 
name="changesrevision">23289c57c31a08f3e9ba3e0ea8cc5c735e50c08d</param></service></servicedata>
 (No newline at EOF)
 


++++++ container.te ++++++
--- /var/tmp/diff_new_pack.LQwMQi/_old  2025-08-13 16:28:32.435479801 +0200
+++ /var/tmp/diff_new_pack.LQwMQi/_new  2025-08-13 16:28:32.439479967 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.238.0)
+policy_module(container, 2.240.0)
 
 gen_require(`
        class passwd rootok;
@@ -61,6 +61,13 @@
 gen_tunable(container_manage_cgroup, false)
 
 ## <desc>
+## <p>
+## Allow containers to manipulate SELinux labels
+## </p>
+## </desc>
+gen_tunable(container_modify_selinux_labels, false)
+
+## <desc>
 ##  <p>
 ##  Determine whether container can
 ##  use ceph file system
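Review bot: The new `container_modify_selinux_labels` description at the top of this hunk says only "manipulate SELinux labels" and does not tell an administrator what enabling it grants or what it costs. Later in this commit the boolean gates `allow container_domain self:process { setexec setfscreate};`, so a container process could choose the label of its next exec and of files it creates, which is the isolation the default of false now preserves. Suggest a more specific paragraph such as `## Allow container processes to set their own exec context and file-creation context (setexec/setfscreate). Enabling this lets a container place itself or its files under a different label, so keep it off unless a workload needs it.` The neighbouring `<desc>` blocks indent with `##  <p>` (two spaces) while the new one uses `## <p>`; matching them would keep the file uniform.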
@@ -458,6 +465,7 @@
        container_append_file(iptables_t)
        allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
        allow iptables_t container_file_type:dir list_dir_perms;
+       dontaudit iptables_t self:cap_userns dac_override;
 ')
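Review bot: `dontaudit iptables_t self:cap_userns dac_override;` has no comment saying why this denial is treated as noise rather than as something to fix, and a dontaudit rule removes exactly the audit evidence an operator would otherwise use to notice the access attempt. A one-line rationale above it that names the iptables operation which triggers the probe and states that the capability is not actually needed (e.g. `# <operation> probes dac_override in the user namespace; not required, so the denial is hidden`, with the placeholder filled in) would let a later reader judge whether the rule is still warranted. The optional_policy block this line belongs to begins before the hunk.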
 
 optional_policy(`
@@ -577,6 +585,10 @@
 userdom_connectto_stream(container_runtime_domain)
 allow container_domain init_t:socket_class_set { accept ioctl read getattr 
lock write append getopt };
 
+tunable_policy(`container_modify_selinux_labels',`
+       allow container_domain self:process { setexec setfscreate};
+')
+
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(container_runtime_domain)
        fs_manage_nfs_files(container_runtime_domain)
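Review bot: Moving `setexec setfscreate` behind `container_modify_selinux_labels` (declared with default false at the new tunable) is a behaviour change for every domain carrying container_domain: the unconditional grant dropped in the hunk at `@@ -928,7 +948,7 @@` will now be denied unless the boolean is set, and nothing in the commit surfaces that. Suggest a short comment on the new tunable_policy block, e.g. `# setexec/setfscreate were unconditional before this version; workloads that relabel must now enable container_modify_selinux_labels`, and a mention of the new boolean in the .changes entry for the container-selinux bump so operators know which denials to expect. Presumably the runtime's own transitions use a separate domain and are unaffected, but that is outside the hunk and worth confirming.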
@@ -708,6 +720,14 @@
 ')
 
 optional_policy(`
+       require {
+               type hsa_device_t;
+       }
+
+       allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
+')
+
+optional_policy(`
        gen_require(`
                role unconfined_r;
        ')
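Review bot: The new optional_policy block uses a raw `require { type hsa_device_t; }` while every other block visible in this diff uses the file's `gen_require` wrapper (the `class passwd rootok` and `role unconfined_r` blocks); using `gen_require` here too would keep the file consistent. Separately, `allow container_domain hsa_device_t:chr_file rw_chr_file_perms;` grants read/write on the device to every domain with the container_domain attribute unconditionally, whereas the label-change permission added in this same commit is gated by a tunable; either a boolean or a comment stating why an unconditional grant is intended would make the two decisions consistent.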
@@ -928,7 +948,7 @@
 allow container_domain self:packet_socket create_socket_perms;
 allow container_domain self:passwd rootok;
 allow container_domain self:peer recv;
-allow container_domain self:process { execmem execstack fork getattr getcap 
getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill 
signal signull sigstop setexec setfscreate};
+allow container_domain self:process { execmem execstack fork getattr getcap 
getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill 
signal signull sigstop};
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;

++++++ selinux-policy-20250730.tar.xz -> selinux-policy-20250812.tar.xz ++++++
++++ 1655 lines of diff (skipped)
