Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-10-15 12:45:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.18484 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Oct 15 12:45:06 2025 rev:131 rq:1311365 version:20251014 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-10-13 15:36:17.531627173 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.18484/selinux-policy.changes 2025-10-15 12:45:26.965070500 +0200 
@@ -1,0 +2,32 @@ +Tue Oct 14 11:51:42 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251014: + * Make wicked script backwards compatible (bsc#1251923) + * Allow snapper grub plugin to domtrans to bootloader_t (bsc#1251862) + * Allow salt_t transition to rpm_script_t (bsc#1250696) + +------------------------------------------------------------------- +Thu Oct 09 09:14:57 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251009: + * grub snapper plugin is now named 00-grub (bsc#1251793) + +------------------------------------------------------------------- +Wed Oct 08 09:43:33 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251008: + * Assign alts_exec_t exec_file attribute (bsc#1250974) + * Introduce unconfined wicked_script_t (bsc#1205770, bsc#1250661) + +------------------------------------------------------------------- +Tue Oct 07 13:00:09 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251007: + * Add equivalency between /srv/tomcat and /var/lib/tomcat (bsc#1251227) + +------------------------------------------------------------------- +Tue Oct 7 08:43:14 UTC 2025 - Johannes Segitz <[email protected]> + +- Fixed typo in /etc/selinux/config + +------------------------------------------------------------------- Old: ---- selinux-policy-20251006.tar.xz New: ---- selinux-policy-20251014.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.7Koxct/_old 2025-10-15 12:45:30.133202997 +0200 +++ /var/tmp/diff_new_pack.7Koxct/_new 2025-10-15 12:45:30.145203499 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20251006 +Version: 20251014 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc 
@@ -405,7 +405,7 @@ # permissive - SELinux prints warnings instead of enforcing. # Previously SELinux could be disabled by changing the value to # 'disabled'. This is deprecated and should not be used anymore. -# If you want to disable linux add 'selinux=0' to the kernel +# If you want to disable SELinux add 'selinux=0' to the kernel # command line. For details see # https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable SELINUX=enforcing ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.7Koxct/_old 2025-10-15 12:45:30.701226753 +0200 +++ /var/tmp/diff_new_pack.7Koxct/_new 2025-10-15 12:45:30.737228259 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">c16609aa4486bfb14529bae9b85ad378999d0ed6</param></service></servicedata> + <param name="changesrevision">106498ef5e0035f6d9be932fc5b465d73e4bac56</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20251006.tar.xz -> selinux-policy-20251014.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/config/file_contexts.subs_dist new/selinux-policy-20251014/config/file_contexts.subs_dist --- old/selinux-policy-20251006/config/file_contexts.subs_dist 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/config/file_contexts.subs_dist 2025-10-14 13:51:09.000000000 +0200 
@@ -46,6 +46,9 @@ ## for apache /srv/www /var/www +## for tomcat +/srv/tomcat /var/lib/tomcat + ## for netconfig /var/run/netconfig /etc /var/adm/netconfig/md5/etc /etc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/libalternatives.te new/selinux-policy-20251014/policy/modules/contrib/libalternatives.te --- old/selinux-policy-20251006/policy/modules/contrib/libalternatives.te 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/libalternatives.te 2025-10-14 13:51:09.000000000 +0200 @@ -2,5 +2,5 @@ # All processes should be able to execute libalternatives /bin/alts in the caller domain type alts_exec_t; -files_type(alts_exec_t) +corecmd_executable_file(alts_exec_t) domain_can_exec(alts_exec_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/salt.te new/selinux-policy-20251014/policy/modules/contrib/salt.te --- old/selinux-policy-20251006/policy/modules/contrib/salt.te 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/salt.te 2025-10-14 13:51:09.000000000 +0200 @@ -18,3 +18,6 @@ # unconfined_domain(salt_t) + +# Allow the Salt to execute scripts +rpm_domtrans_script(salt_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/snapper.fc new/selinux-policy-20251014/policy/modules/contrib/snapper.fc --- old/selinux-policy-20251006/policy/modules/contrib/snapper.fc 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/snapper.fc 2025-10-14 13:51:09.000000000 +0200 
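Review bot: In the salt.te hunk the new comment `# Allow the Salt to execute scripts` understates what `rpm_domtrans_script(salt_t)` grants: it is a domain transition into rpm_script_t, not an execute permission. The interface is defined outside this diff; as I recall, the upstream reference policy keys that transition on the shell entrypoint, so if that holds here every shell salt_t spawns would run as rpm_script_t, not only package scriptlets, which is worth confirming as intended. I would reword the comment along the lines of `# Shells started by salt_t transition to rpm_script_t so package scriptlets run in the expected domain (bsc#1250696)`. The call also sits outside an `optional_policy` block, unlike the `unconfined_domain(wicked_custom_t)` added in wicked.te, so salt.te presumably hard-depends on the rpm module.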
@@ -2,7 +2,7 @@ /usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0) /usr/lib/snapper/plugins/50-etc -- gen_context(system_u:object_r:snapper_tu_etc_plugin_exec_t,s0) -/usr/lib/snapper/plugins/grub -- gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0) +/usr/lib/snapper/plugins/(00-)?grub -- gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0) /etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/snapper.te new/selinux-policy-20251014/policy/modules/contrib/snapper.te --- old/selinux-policy-20251006/policy/modules/contrib/snapper.te 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/snapper.te 2025-10-14 13:51:09.000000000 +0200 @@ -143,7 +143,7 @@ snapper_plugin_template(tu_etc); ### snapper grub plugin -bootloader_exec(snapper_grub_plugin_t) +bootloader_domtrans(snapper_grub_plugin_t) corecmd_exec_bin(snapper_grub_plugin_t) files_manage_isid_type_dirs(snapper_grub_plugin_t) files_manage_isid_type_files(snapper_grub_plugin_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/wicked.fc new/selinux-policy-20251014/policy/modules/contrib/wicked.fc --- old/selinux-policy-20251006/policy/modules/contrib/wicked.fc 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/wicked.fc 2025-10-14 13:51:09.000000000 +0200 
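Review bot: In the snapper.te hunk, the context lines right below the new `bootloader_domtrans(snapper_grub_plugin_t)` still give the plugin domain `files_manage_isid_type_dirs` and `files_manage_isid_type_files`, although the bootloader tooling now runs in bootloader_t. If those rules were only needed because the bootloader binaries used to run inside the plugin domain, they are now unused privilege and could be dropped or narrowed after checking the audit log; this is an inference, since the rest of the plugin's rules lie outside the hunk. A short comment above the call would record the intent, e.g. `# grub tooling runs in bootloader_t; the plugin only launches it (bsc#1251862)`.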
@@ -28,6 +28,7 @@ #/usr/share/wicked/schema/wireless.xml /var/lib/wicked(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) #/etc/sysconfig/network/ifcfg-lo +/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:wicked_script_t,s0) #/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) #/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:wicked_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/contrib/wicked.te new/selinux-policy-20251014/policy/modules/contrib/wicked.te --- old/selinux-policy-20251006/policy/modules/contrib/wicked.te 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/contrib/wicked.te 2025-10-14 13:51:09.000000000 +0200 @@ -24,6 +24,12 @@ #type wicked_log_t; #logging_log_file(wicked_log_t) +type wicked_script_t; +type wicked_custom_t; +application_domain(wicked_custom_t, wicked_script_t) +role system_r types wicked_custom_t; +domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t) + type wicked_tmp_t; files_tmp_file(wicked_tmp_t) @@ -110,6 +116,10 @@ #setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t) #logging_log_filetrans(wicked_t, wicked_log_t, file) +list_dirs_pattern(wicked_t, wicked_script_t, wicked_script_t) +read_files_pattern(wicked_t, wicked_script_t, wicked_script_t) +read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script_t) + can_exec(wicked_t, wicked_tmp_t) manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t) manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t) 
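Review bot: In the wicked.fc hunk the new pattern `/etc/sysconfig/network/scripts/.*` has no file-type field and does not match the `scripts` directory itself, only what lies below it. The `/var/lib/wicked(/.*)?` entry in the same hunk uses the other form, and wicked.te in this commit adds `list_dirs_pattern(wicked_t, wicked_script_t, wicked_script_t)`, so it is unclear whether the directory was meant to carry wicked_script_t as well. If leaving the directory on its default label is deliberate, a comment such as `# directory keeps its default label; only its contents are wicked_script_t` would say so. The same path prefix is also labelled in the sysnetwork.fc hunk of this commit (`functions.netconfig` as net_conf_t), so the two entries overlap.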
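Review bot: Nothing in the first wicked.te hunk records that wicked_script_t is the entrypoint type for wicked_custom_t, which the last hunk of this file turns into an unconfined domain. Together with the wicked.fc pattern, any file labelled wicked_script_t under /etc/sysconfig/network/scripts/ runs unconfined when wicked_t executes it, so write or relabel access to that type amounts to unconfined code execution. I would add a comment above the declarations, e.g. `# wicked_script_t: entrypoint files for wicked_custom_t (unconfined); keep write/relabelto access to this type minimal`, and check which domains can modify it, for instance with `sesearch -A -t wicked_script_t -c file -p write`. The type name also reads like a domain (compare rpm_script_t in salt.te); an `_exec_t` suffix would follow the usual convention if renaming is still possible.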
@@ -513,6 +523,10 @@ #fs_manage_ecryptfs_files(wicked_t) #') +optional_policy(` + unconfined_domain(wicked_custom_t) +') + ######################################## # # wpa_cli local policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251006/policy/modules/system/sysnetwork.fc new/selinux-policy-20251014/policy/modules/system/sysnetwork.fc --- old/selinux-policy-20251006/policy/modules/system/sysnetwork.fc 2025-10-06 17:22:16.000000000 +0200 +++ new/selinux-policy-20251014/policy/modules/system/sysnetwork.fc 2025-10-14 13:51:09.000000000 +0200 @@ -34,6 +34,7 @@ /run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) /run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0) ') +/etc/sysconfig/network/scripts/functions.netconfig gen_context(system_u:object_r:net_conf_t,s0) /run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /run/NetworkManager/no-stub-resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
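Review bot: In the sysnetwork.fc hunk the dot in `functions.netconfig` is unescaped, while the neighbouring entries write `resolv\.conf`. Unescaped, the entry is a regular expression that overlaps the `/etc/sysconfig/network/scripts/.*` pattern added in wicked.fc, and which label wins then depends on file-context ordering; if wicked_script_t won, this file would become an entrypoint into the unconfined wicked_custom_t domain. Escaping it, `/etc/sysconfig/network/scripts/functions\.netconfig`, makes it a literal path, which as far as I know is matched ahead of pattern entries. Adding the `--` file-type field used on the `/run/systemd/resolve/resolv\.conf` line would also restrict the entry to regular files.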
