Hello community,

here is the log from the commit of package drbd-utils for openSUSE:Factory checked in at 2025-11-17 12:20:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/drbd-utils (Old)
 and      /work/SRC/openSUSE:Factory/.drbd-utils.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "drbd-utils" Mon Nov 17 12:20:12 2025 rev:68 rq:1318206 version:9.29.0 Changes: -------- --- /work/SRC/openSUSE:Factory/drbd-utils/drbd-utils.changes 2025-08-19 16:49:27.371199167 +0200 +++ /work/SRC/openSUSE:Factory/.drbd-utils.new.2061/drbd-utils.changes 2025-11-17 12:25:57.520299258 +0100 @@ -1,0 +2,7 @@ +Fri Nov 14 11:10:58 UTC 2025 - Cathy Hu <[email protected]> + +- Allow domtrans from kernel_t to drbd_t (bsc#1252991) + * add patch + - 1252991-selinux-domtrans-from-kernel.patch + +------------------------------------------------------------------- New: ---- 1252991-selinux-domtrans-from-kernel.patch ----------(New B)---------- New: * add patch - 1252991-selinux-domtrans-from-kernel.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ drbd-utils.spec ++++++ --- /var/tmp/diff_new_pack.upJkyc/_old 2025-11-17 12:26:01.396463334 +0100 +++ /var/tmp/diff_new_pack.upJkyc/_new 2025-11-17 12:26:01.408463842 +0100 @@ -1,7 +1,7 @@ # # spec file for package drbd-utils # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -74,6 +74,7 @@ Patch1007: bsc-1233273_drbd.ocf-update-for-OCF-1.1.patch Patch1008: rpmlint-build-error.patch Patch1009: bsc-1247534_drbd-didnt-start-due-to-drbd_rules-returning-err.patch +Patch1010: 1252991-selinux-domtrans-from-kernel.patch ############################################# Provides: drbd-bash-completion = %{version} ++++++ 1252991-selinux-domtrans-from-kernel.patch ++++++ >From c2a3e3ea3de7eb7b9e0a8cf78cdb3bb7f56d52f3 Mon Sep 17 00:00:00 2001 
From: Cathy Hu <[email protected]> Date: Fri, 14 Nov 2025 11:38:23 +0100 Subject: [PATCH] selinux: Allow domtrans from kernel_t to drbd_t /usr/lib/drbd/crm-fence-peer.9.sh is labelled drbd_exec_t, however the domain lands in kernel_generic_helper_t as it is not allowed to transition from kernel_t to drbd_t. Additionally, when the domtrans succeeds, crm-fence-peer.9.sh will create entries in /proc with drbd_t label, so allowing that. --- selinux/drbd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/selinux/drbd.te b/selinux/drbd.te index 8aa2c573..5b2e9861 100644 --- a/selinux/drbd.te +++ b/selinux/drbd.te @@ -50,6 +50,7 @@ require { #============= drbd_t ============== allow drbd_t self:capability { dac_read_search kill net_admin sys_admin }; dontaudit drbd_t self:capability sys_tty_config; +allow drbd_t self:dir rw_dir_perms; allow drbd_t self:fifo_file rw_fifo_file_perms; allow drbd_t self:unix_stream_socket create_stream_socket_perms; allow drbd_t self:netlink_socket create_socket_perms; @@ -72,6 +73,7 @@ manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir}) +kernel_domtrans_to(drbd_t, drbd_exec_t) kernel_read_system_state(drbd_t) kernel_load_module(drbd_t) @@ -91,6 +93,7 @@ files_read_kernel_modules(drbd_t) logging_send_syslog_msg(drbd_t) +fs_associate_proc(drbd_t) fs_getattr_xattr_fs(drbd_t) modutils_read_module_config(drbd_t) -- 2.51.1
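Review bot: In the drbd-utils.spec hunk at @@ -74,6 +74,7 @@, the new Patch1010 file name breaks the pattern of its neighbours. Patch1007 and Patch1009 use a `bsc-<number>_` prefix, while this one is `1252991-selinux-domtrans-from-kernel.patch`. Using the same prefix here (and in the .changes entry) would keep the patch list greppable by bug reference. The visible context shows only the PatchNNNN declaration, so also confirm that %prep picks it up if the spec applies patches individually.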
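Review bot: `allow drbd_t self:dir rw_dir_perms;` in the selinux/drbd.te hunk at @@ -50,6 +50,7 @@ carries no comment, and the commit message justifies it only with "will create entries in /proc with drbd_t label". The rule applies to every directory labelled drbd_t, not just the /proc entries, so please quote the AVC denial it resolves in the commit message and grant only the directory permissions that denial shows if that is less than rw_dir_perms.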
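Review bot: `kernel_domtrans_to(drbd_t, drbd_exec_t)` in the selinux/drbd.te hunk at @@ -72,6 +73,7 @@ is keyed on the entrypoint type, not on the one script the commit message names. Any file labelled drbd_exec_t that kernel_t executes will now enter drbd_t, which per the context line `allow drbd_t self:capability { dac_read_search kill net_admin sys_admin };` is a privileged domain. The file contexts are not part of this diff, so the commit message should list which paths carry drbd_exec_t, and a comment above the new line should name crm-fence-peer.9.sh as the helper it is meant for.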
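Review bot: `fs_associate_proc(drbd_t)` in the selinux/drbd.te hunk at @@ -91,6 +93,7 @@ is undocumented and sits far from the `allow drbd_t self:dir rw_dir_perms;` rule it belongs with, so a later reader cannot tell the two lines are one fix. Add a short comment on both lines that ties them to the /proc entries created by crm-fence-peer.9.sh after the transition, and note in the commit message whether this line came from an observed denial or was added pre-emptively.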
