Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-12-01 11:11:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.14147 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Mon Dec 1 11:11:26 2025 rev:138 rq:1320434 version:20251128 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-11-11 19:18:32.936458963 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.14147/selinux-policy.changes 2025-12-01 11:11:36.070140949 +0100
@@ -1,0 +2,40 @@
+Fri Nov 28 09:55:32 UTC 2025 - Robert Frohl <[email protected]>
+
+- Update to version 20251128:
+ * update support for polkit agent helper (bsc#1251931)
+ * Allow system_mail_t read apache system content conditionally
+ * Allow login_userdomain read lastlog
+ * Allow sshd-net read and write to sshd vsock socket
+ * Update ktls policy
+ * Add comprehensive SELinux policy module for bwrap thumbnail generation
+ * Revert "Allow thumb_t create permission in the user namespace"
+ * Allow systemd-machined read svirt process state
+ * Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992)
+ * Allow sysadm access to TPM
+ * Allow tlp get the attributes of the pidfs filesystem
+ * Allow kmscon to read netlink_kobject_uevent_socket
+ * Allow systemd-ssh-issue read kernel sysctls
+ * fix: bz2279215 Allow speech-dispatcher access to user home/cache files
+ * Allow create kerberos files in postgresql db home
+ * Fix files_delete_boot_symlinks() to contain delete_lnk_files_pattern
+ * Allow shell comamnds in locate systemd service (bsc#1246559)
+ * Introduce initrc_nnp_daemon_domain interface
+ * Label /var/lib/cosmic-greeter with xdm_var_lib_t
+ * Allow setroubleshoot-fixit get attributes of xattr fs
+ * Allow insights-client manage /etc symlinks
+ * Allow insights-client get attributes of the rpm executable
+ * Allow nfsidmapd search virt lib directories
+ * Allow iotop stream connect to systemd-userdbd
+ * Allow gnome-remote-desktop read sssd public files
+ * Allow thumb_t stream connect to systemd-userdbd
+ * Add auth_nnp_domtrans_chkpwd()
+ * Allow bluez dbus API passing unix domain sockets
+ * Allow bluez dbus api pass sockets over dbus
+ * Dontaudit systemd-generator connect to sssd over a unix stream socket
+ * Allow init watch/watch_reads systemd-machined user ptys
+- Syncing with upstream rawhide selinux-policy up to:
+ * 874e36c884fc9e31ae12428338a38b14db65f554
+- Update embedded container-selinux version to commit:
+ * 
efdee4df4e98b5f5fe826b83db5ff4a9239e54bb (version 2.243.0)
+
+-------------------------------------------------------------------
Old:
----
selinux-policy-20251111.tar.xz
New:
----
selinux-policy-20251128.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.aLWht6/_old 2025-12-01 11:11:37.338194588 +0100
+++ /var/tmp/diff_new_pack.aLWht6/_new 2025-12-01 11:11:37.338194588 +0100
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20251111
+Version: 20251128
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.aLWht6/_old 2025-12-01 11:11:37.410197634 +0100
+++ /var/tmp/diff_new_pack.aLWht6/_new 2025-12-01 11:11:37.414197803 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">5bcc6c387ee56dd5097142633c211a35b1409e24</param></service></servicedata>
+ <param name="changesrevision">a823f1191db2371700f18dff914d43ce49f577c0</param></service></servicedata>
(No newline at EOF)
++++++ container.te ++++++
--- /var/tmp/diff_new_pack.aLWht6/_old 2025-12-01 11:11:37.462199834 +0100
+++ /var/tmp/diff_new_pack.aLWht6/_new 2025-12-01 11:11:37.470200172 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.242.0)
+policy_module(container, 2.243.0)
 gen_require(`
 class passwd rootok;
@@ -1487,6 +1487,7 @@
 allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t self:netlink_audit_socket nlmsg_relay;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
 allow container_engine_t container_file_t:sock_file mounton;
++++++ selinux-policy-20251111.tar.xz -> selinux-policy-20251128.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/bluetooth.if new/selinux-policy-20251128/policy/modules/contrib/bluetooth.if
--- old/selinux-policy-20251111/policy/modules/contrib/bluetooth.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/bluetooth.if 2025-11-28 10:54:24.000000000 +0100
@@ -86,6 +86,26 @@
 ########################################
 ## <summary>
+## Allow read and write bluetooth domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_rw_stream',`
+ gen_require(`
+ type bluetooth_t;
+ ')
+
+ tunable_policy(`deny_bluetooth',`',`
+ allow $1 bluetooth_t:unix_stream_socket { read write };
+ ')
+')
+
+########################################
+## <summary>
 ## Execute bluetooth in the bluetooth domain.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/bluetooth.te new/selinux-policy-20251128/policy/modules/contrib/bluetooth.te
--- old/selinux-policy-20251111/policy/modules/contrib/bluetooth.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/bluetooth.te 2025-11-28 10:54:24.000000000 +0100
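Review bot: The new `nlmsg_relay` grant on `self:netlink_audit_socket` has no comment saying which engine operation submits user-space audit records, so a later AVC-driven change could widen it to `nlmsg_write`, which would let the engine reconfigure auditing rather than just emit records. The permission chosen here is the narrow one and fits the neighbouring self-socket rules, so no code change is needed. Suggested comment above the rule: `# emit user-space audit records only; nlmsg_write (audit configuration) is intentionally not granted`.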
@@ -194,6 +194,10 @@
 ')
 optional_policy(`
+ unconfined_rw_stream(bluetooth_t)
+')
+
+optional_policy(`
 ppp_domtrans(bluetooth_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/dbus.te new/selinux-policy-20251128/policy/modules/contrib/dbus.te
--- old/selinux-policy-20251111/policy/modules/contrib/dbus.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/dbus.te 2025-11-28 10:54:24.000000000 +0100
@@ -186,6 +186,10 @@
 ')
 optional_policy(`
+ bluetooth_rw_stream(system_dbusd_t)
+')
+
+optional_policy(`
 boltd_write_var_run_pipes(system_dbusd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/gnome_remote_desktop.te new/selinux-policy-20251128/policy/modules/contrib/gnome_remote_desktop.te
--- old/selinux-policy-20251111/policy/modules/contrib/gnome_remote_desktop.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/gnome_remote_desktop.te 2025-11-28 10:54:24.000000000 +0100
@@ -70,6 +70,10 @@
 ')
 optional_policy(`
+ sssd_read_public_files(gnome_remote_desktop_t)
+')
+
+optional_policy(`
 sysnet_read_config(gnome_remote_desktop_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/insights_client.te new/selinux-policy-20251128/policy/modules/contrib/insights_client.te
--- old/selinux-policy-20251111/policy/modules/contrib/insights_client.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/insights_client.te 2025-11-28 10:54:24.000000000 +0100
@@ -161,7 +161,7 @@
 #files_getattr_all_file_type_fs(insights_client_t)
 #files_getattr_all_pipes(insights_client_t)
 #files_getattr_all_sockets(insights_client_t)
-#files_manage_etc_symlinks(insights_client_t)
+files_manage_etc_symlinks(insights_client_t)
 #files_manage_generic_locks(insights_client_t)
 #files_map_non_security_files(insights_client_t)
 #files_map_read_etc_files(insights_client_t)
@@ -379,15 +379,10 @@
 # rhsmcertd_manage_log(insights_client_t)
 ')
-#optional_policy(`
-# rpm_domtrans(insights_client_t)
-# rpm_manage_db(insights_client_t)
-# rpm_manage_cache(insights_client_t)
-# rpm_named_filetrans(insights_client_t)
-# rpm_read_db(insights_client_t)
-# rpm_signull(insights_client_t)
-#')
-#
+optional_policy(`
+ rpm_getattr_exec(insights_client_t)
+')
+
 #optional_policy(`
 # rtas_errd_dontaudit_write_lock(insights_client_t)
 #')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/iotop.te new/selinux-policy-20251128/policy/modules/contrib/iotop.te
--- old/selinux-policy-20251111/policy/modules/contrib/iotop.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/iotop.te 2025-11-28 10:54:24.000000000 +0100
@@ -36,6 +36,8 @@
 corecmd_exec_bin(iotop_t)
+init_stream_connectto(iotop_t)
+
 miscfiles_read_localization(iotop_t)
 userdom_use_user_terminals(iotop_t)
@@ -44,3 +46,6 @@
 libs_exec_ldconfig(iotop_t)
 ')
+optional_policy(`
+ systemd_userdbd_stream_connect(iotop_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/kerberos.if new/selinux-policy-20251128/policy/modules/contrib/kerberos.if
--- old/selinux-policy-20251111/policy/modules/contrib/kerberos.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/kerberos.if 2025-11-28 10:54:24.000000000 +0100
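Review bot: Enabling `files_manage_etc_symlinks(insights_client_t)` gives the client create, unlink and rename on every `etc_t` symlink under /etc, which is enough to repoint configuration that other services resolve through a symlink; the hunk does not show which single symlink motivated it. If the client only ever needs one known link, a named file transition to a private type (or a read-only interface plus that one transition) keeps the blast radius small; otherwise record the reason next to the rule, e.g. `# insights-client recreates symlinks in /etc; manage needed for unlink+create`. I am inferring the need for a narrower rule from the interface name, not from a denial visible here.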
@@ -635,6 +635,10 @@
 kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
 kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
 kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+
+ postgresql_db_filetrans($1, krb5_home_t, file, ".k5identity")
+ postgresql_db_filetrans($1, krb5_home_t, file, ".k5login")
+ postgresql_db_filetrans($1, krb5_home_t, file, ".k5users")
 ')
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/kmscon.te new/selinux-policy-20251128/policy/modules/contrib/kmscon.te
--- old/selinux-policy-20251111/policy/modules/contrib/kmscon.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/kmscon.te 2025-11-28 10:54:24.000000000 +0100
@@ -37,7 +37,7 @@
 domain_dontaudit_read_all_domains_state(kmscon_t)
 # Create an udev monitor
-allow kmscon_t self:netlink_kobject_uevent_socket { bind create getopt setopt getattr };
+allow kmscon_t self:netlink_kobject_uevent_socket { bind create getopt read setopt getattr };
 allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(kmscon_t, kmscon_devpts_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/ktls.te new/selinux-policy-20251128/policy/modules/contrib/ktls.te
--- old/selinux-policy-20251111/policy/modules/contrib/ktls.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/ktls.te 2025-11-28 10:54:24.000000000 +0100
@@ -11,6 +11,7 @@
 permissive ktlshd_t;
+allow ktlshd_t self:capability net_admin;
 allow ktlshd_t self:key write;
 allow ktlshd_t self:netlink_generic_socket create_socket_perms;
 allow ktlshd_t self:netlink_route_socket r_netlink_socket_perms;
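Review bot: The three `postgresql_db_filetrans(...)` calls are added unconditionally inside a kerberos interface, so any caller of it now needs the postgresql module's interface file present at policy build time, whereas the rest of this patch wraps cross-module calls in ``optional_policy(` ... ')`` blocks. Unless the enclosing interface is itself only invoked from guarded call sites, wrap the three lines in such a block. The enclosing interface starts before the hunk, so I cannot confirm from here whether it is already guarded.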
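Review bot: `allow ktlshd_t self:capability net_admin;` is a broad capability and neither it nor the `kernel_rw_key(ktlshd_t)` added in the next hunk says which ktlshd operation needs it; the domain is still `permissive ktlshd_t;` (visible just above), so these rules are silent now and become the enforced contract only once permissive is dropped, which is exactly when an unexplained grant is hardest to revisit. Add a why-comment on each, e.g. `# net_admin: TODO name the ktlshd syscall that needs it (from the motivating AVC)`, and check whether the key access can stay at read/view rather than write. Which syscall triggered the denials is not visible in the hunk.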
@@ -18,7 +19,9 @@
 allow ktlshd_t self:unix_dgram_socket create_socket_perms;
 kernel_read_net_sysctls(ktlshd_t)
+kernel_read_network_state_symlinks(ktlshd_t)
 kernel_read_proc_files(ktlshd_t)
+kernel_rw_key(ktlshd_t)
 domain_read_view_all_domains_keyrings(ktlshd_t)
@@ -32,6 +35,7 @@
 optional_policy(`
 miscfiles_read_generic_certs(ktlshd_t)
+ miscfiles_map_generic_certs(ktlshd_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/mta.te new/selinux-policy-20251128/policy/modules/contrib/mta.te
--- old/selinux-policy-20251111/policy/modules/contrib/mta.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/mta.te 2025-11-28 10:54:24.000000000 +0100
@@ -225,6 +225,7 @@
 optional_policy(`
 tunable_policy(`httpd_can_sendmail',`
+ apache_read_sys_content(system_mail_t)
 apache_read_inherited_sys_content_rw_files(system_mail_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/policykit.fc new/selinux-policy-20251128/policy/modules/contrib/policykit.fc
--- old/selinux-policy-20251111/policy/modules/contrib/policykit.fc 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/policykit.fc 2025-11-28 10:54:24.000000000 +0100
@@ -20,3 +20,4 @@
 /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
 /run/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+/run/polkit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/policykit.te new/selinux-policy-20251128/policy/modules/contrib/policykit.te
--- old/selinux-policy-20251111/policy/modules/contrib/policykit.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/policykit.te 2025-11-28 10:54:24.000000000 +0100
@@ -15,6 +15,7 @@
 type policykit_auth_t, policykit_domain;
 type policykit_auth_exec_t;
 init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+init_nnp_daemon_domain(policykit_auth_t)
 type policykit_grant_t, policykit_domain;
 type policykit_grant_exec_t;
@@ -209,6 +210,7 @@
 auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
+auth_nnp_domtrans_chkpwd(policykit_auth_t)
 logging_send_syslog_msg(policykit_auth_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/rpc.te new/selinux-policy-20251128/policy/modules/contrib/rpc.te
--- old/selinux-policy-20251111/policy/modules/contrib/rpc.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/rpc.te 2025-11-28 10:54:24.000000000 +0100
@@ -478,3 +478,7 @@
 optional_policy(`
 systemd_homed_stream_connect(nfsidmap_t)
 ')
+
+optional_policy(`
+ virt_search_lib(nfsidmap_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/rpm.if new/selinux-policy-20251128/policy/modules/contrib/rpm.if
--- old/selinux-policy-20251111/policy/modules/contrib/rpm.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/rpm.if 2025-11-28 10:54:24.000000000 +0100
@@ -177,6 +177,24 @@
 ########################################
 ## <summary>
+## Get attributes of the rpm executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_getattr_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ allow $1 rpm_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ## Send a kill signal to rpm.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/setroubleshoot.te new/selinux-policy-20251128/policy/modules/contrib/setroubleshoot.te
--- old/selinux-policy-20251111/policy/modules/contrib/setroubleshoot.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/setroubleshoot.te 2025-11-28 10:54:24.000000000 +0100
@@ -226,6 +226,8 @@
 dev_read_sysfs(setroubleshoot_fixit_t)
 dev_read_urand(setroubleshoot_fixit_t)
+fs_getattr_xattr_fs(setroubleshoot_fixit_t)
+
 selinux_read_policy(setroubleshoot_fixit_t)
 seutil_domtrans_setfiles(setroubleshoot_fixit_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/slocate.te new/selinux-policy-20251128/policy/modules/contrib/slocate.te
--- old/selinux-policy-20251111/policy/modules/contrib/slocate.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/slocate.te 2025-11-28 10:54:24.000000000 +0100
@@ -9,6 +9,7 @@
 type locate_exec_t;
 init_system_domain(locate_t, locate_exec_t)
 init_nnp_daemon_domain(locate_t)
+initrc_nnp_daemon_domain(locate_t)
 type locate_var_lib_t;
 files_type(locate_var_lib_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/speech-dispatcher.te new/selinux-policy-20251128/policy/modules/contrib/speech-dispatcher.te
--- old/selinux-policy-20251111/policy/modules/contrib/speech-dispatcher.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/speech-dispatcher.te 2025-11-28 10:54:24.000000000 +0100
@@ -43,6 +43,7 @@
 allow speech_dispatcher_t self:unix_stream_socket create_stream_socket_perms;
 allow speech_dispatcher_t self:tcp_socket create_socket_perms;
+
 manage_dirs_pattern(speech_dispatcher_t, speech_dispatcher_log_t, speech_dispatcher_log_t)
 manage_files_pattern(speech_dispatcher_t, speech_dispatcher_log_t, speech_dispatcher_log_t)
 logging_log_filetrans(speech_dispatcher_t, speech_dispatcher_log_t, { dir })
@@ -52,6 +53,7 @@
 manage_files_pattern(speech_dispatcher_t, speech_dispatcher_tmpfs_t, speech_dispatcher_tmpfs_t)
 fs_tmpfs_filetrans(speech_dispatcher_t, speech_dispatcher_tmpfs_t, { file })
+allow speech_dispatcher_t speech_dispatcher_tmpfs_t:file map;
 manage_files_pattern(speech_dispatcher_t, speech_dispatcher_home_t, speech_dispatcher_home_t)
 manage_dirs_pattern(speech_dispatcher_t, speech_dispatcher_home_t, speech_dispatcher_home_t)
@@ -66,3 +68,19 @@
 dev_read_urand(speech_dispatcher_t)
+
+files_manage_generic_tmp_dirs(speech_dispatcher_t)
+
+libs_exec_lib_files(speech_dispatcher_t)
+
+optional_policy(`
+ gnome_create_home_config_dirs(speech_dispatcher_t)
+ gnome_create_generic_cache_dir(speech_dispatcher_t)
+ gnome_manage_generic_cache_files(speech_dispatcher_t)
+ gnome_manage_generic_cache_sockets(speech_dispatcher_t)
+')
+
+optional_policy(`
+ pulseaudio_manage_home_dirs(speech_dispatcher_t)
+ pulseaudio_manage_home_symlinks(speech_dispatcher_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/thumb.te new/selinux-policy-20251128/policy/modules/contrib/thumb.te
--- old/selinux-policy-20251111/policy/modules/contrib/thumb.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/thumb.te 2025-11-28 10:54:24.000000000 +0100
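Review bot: `files_manage_generic_tmp_dirs(speech_dispatcher_t)` lets the daemon create and remove directories of the shared `tmp_t` type, so whatever it creates in /tmp is reachable by every other domain with generic tmp access, and it can in turn delete other domains' `tmp_t` directories. The usual shape is a private tmp type plus a `files_tmp_filetrans(...)` so its objects land under a domain-specific label, which this module already does for tmpfs via `speech_dispatcher_tmpfs_t`. If a private tmp type is not wanted, leave a comment saying why, e.g. `# speech-dispatcher creates per-user dirs directly in /tmp; no private tmp type yet`. I cannot see from the hunk whether a speech_dispatcher_tmp_t already exists elsewhere in the module.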
@@ -37,12 +37,14 @@
 allow thumb_t self:fifo_file manage_fifo_file_perms;
 allow thumb_t self:unix_stream_socket create_stream_socket_perms;
 allow thumb_t self:unix_dgram_socket create_socket_perms;
-allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:netlink_route_socket rw_netlink_socket_perms;
 allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow thumb_t self:udp_socket create_socket_perms;
 allow thumb_t self:tcp_socket create_socket_perms;
 allow thumb_t self:shm create_shm_perms;
 allow thumb_t self:sem create_sem_perms;
+allow thumb_t self:cap_userns { net_admin setpcap sys_admin sys_ptrace };
+allow thumb_t self:process setcap;
 allow thumb_t self:user_namespace create;
 manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
@@ -63,7 +65,9 @@
 manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
 manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
-fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
+create_lnk_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file lnk_file })
+allow thumb_t thumb_tmpfs_t:dir mounton;
 allow thumb_t thumb_tmpfs_t:file { execute mounton };
 can_exec(thumb_t, thumb_exec_t)
@@ -92,6 +96,7 @@
 files_read_non_security_files(thumb_t)
 files_map_non_security_files(thumb_t)
+files_mounton_rootfs(thumb_t)
 files_watch_etc_dirs(thumb_t)
 files_watch_usr_dirs(thumb_t)
@@ -101,6 +106,8 @@
 fs_map_dos_files(thumb_t)
 fs_mmap_removable_files(thumb_t)
 fs_dontaudit_getattr_nsfs_files(thumb_t)
+fs_mounton_tmpfs(thumb_t)
+fs_all_mount_fs_perms_xattr_fs(thumb_t)
 auth_read_passwd(thumb_t)
@@ -109,6 +116,7 @@
 ')
 init_append_stream_sockets(thumb_t)
+init_stream_connectto(thumb_t)
 libs_dontaudit_setattr_lib_dirs(thumb_t)
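Review bot: The self `netlink_route_socket` permission widens from `r_netlink_socket_perms` to `rw_netlink_socket_perms`, and together with the new `cap_userns { net_admin ... }` this lets thumb_t issue netlink route writes inside its user namespace; if that is only to bring up loopback in the sandbox's network namespace, say so next to the rule, e.g. `# bwrap sandbox: lo setup in the child netns needs route nlmsg_write + userns net_admin`. `sys_ptrace` in `cap_userns` also deserves a justification, because the thumbnailer handles untrusted input and ptrace inside the userns lets a compromised helper inspect its siblings. I am inferring the bwrap motivation from the changelog entry, not from the hunk itself.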
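Review bot: `fs_all_mount_fs_perms_xattr_fs(thumb_t)` grants the full `filesystem` permission set (mount, remount, unmount, relabelfrom/relabelto, quota operations) on every xattr-labelled filesystem, well beyond the tmpfs and rootfs bind-mount targets that the neighbouring `fs_mounton_tmpfs`/`files_mounton_rootfs` lines are about; the kernel's userns checks limit what bwrap can actually do, but the SELinux rule itself is not scoped to the namespace. Prefer the specific interfaces, `fs_mount_xattr_fs(thumb_t)`, `fs_remount_xattr_fs(thumb_t)` and `fs_unmount_xattr_fs(thumb_t)`, if those cover the denials, or add a comment recording that the whole set was deliberately chosen for bwrap. Which permissions were actually required is not visible in the hunk.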
@@ -200,3 +208,7 @@
 optional_policy(`
 storage_getattr_fixed_disk_dev(thumb_t)
 ')
+
+optional_policy(`
+ systemd_userdbd_stream_connect(thumb_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/tlp.te new/selinux-policy-20251128/policy/modules/contrib/tlp.te
--- old/selinux-policy-20251111/policy/modules/contrib/tlp.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/tlp.te 2025-11-28 10:54:24.000000000 +0100
@@ -64,6 +64,8 @@
 files_map_kernel_modules(tlp_t)
 files_load_kernel_modules(tlp_t)
+fs_getattr_pidfs(tlp_t)
+
 init_status(tlp_t)
 init_stream_connectto(tlp_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/contrib/virt.if new/selinux-policy-20251128/policy/modules/contrib/virt.if
--- old/selinux-policy-20251111/policy/modules/contrib/virt.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/contrib/virt.if 2025-11-28 10:54:24.000000000 +0100
@@ -2259,6 +2259,25 @@
 ########################################
 ## <summary>
+## Read the svirt process state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_svirt_read_state',`
+ gen_require(`
+ type svirt_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, svirt_t)
+')
+
+########################################
+## <summary>
 ## Execute virsh in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/kernel/files.if new/selinux-policy-20251128/policy/modules/kernel/files.if
--- old/selinux-policy-20251111/policy/modules/kernel/files.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/kernel/files.if 2025-11-28 10:54:24.000000000 +0100
@@ -3637,7 +3637,7 @@
 type boot_t;
 ')
- delete_files_pattern($1, boot_t, boot_t)
+ delete_lnk_files_pattern($1, boot_t, boot_t)
 ')
 ########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/roles/sysadm.te new/selinux-policy-20251128/policy/modules/roles/sysadm.te
--- old/selinux-policy-20251111/policy/modules/roles/sysadm.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/roles/sysadm.te 2025-11-28 10:54:24.000000000 +0100
@@ -29,6 +29,7 @@
 kernel_prog_run_bpf(sysadm_t)
 kernel_read_fs_sysctls(sysadm_t)
 kernel_read_all_proc(sysadm_t)
+kernel_rw_key(sysadm_t)
 kernel_secretmem_use(sysadm_t)
 kernel_kvm_gmem_use(sysadm_t)
 kernel_unconfined(sysadm_t)
@@ -38,6 +39,7 @@
 corecmd_exec_shell(sysadm_t)
 dev_filetrans_all_named_dev(sysadm_t)
+dev_read_tpm(sysadm_t)
 dev_rw_ipmi_dev(sysadm_t)
 dev_rw_autofs(sysadm_t)
 dev_rw_lvm_control(sysadm_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/roles/unconfineduser.if new/selinux-policy-20251128/policy/modules/roles/unconfineduser.if
--- old/selinux-policy-20251111/policy/modules/roles/unconfineduser.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/roles/unconfineduser.if 2025-11-28 10:54:24.000000000 +0100
@@ -386,6 +386,24 @@
 ########################################
 ## <summary>
+## Allow read and write unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to read and write
 ## unconfined domain stream.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/services/postgresql.fc new/selinux-policy-20251128/policy/modules/services/postgresql.fc
--- old/selinux-policy-20251111/policy/modules/services/postgresql.fc 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/services/postgresql.fc 2025-11-28 10:54:24.000000000 +0100
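Review bot: The `domain` parameter of the new `unconfined_rw_stream` interface is documented as `Domain to not audit.`, text copied from the dontaudit variant that follows it; this interface emits an `allow`, so the line should read `## Domain allowed access.`, matching `bluetooth_rw_stream` elsewhere in this patch. It is also worth stating in the summary that the grant is unconditional, since the bluetooth-side wrapper gates its rule on the `deny_bluetooth` tunable and a reader may assume the same here.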
@@ -35,6 +35,10 @@
 /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/\.k5identity gen_context(system_u:object_r:krb5_home_t,s0)
+/var/lib/pgsql/\.k5login gen_context(system_u:object_r:krb5_home_t,s0)
+/var/lib/pgsql/\.k5users gen_context(system_u:object_r:krb5_home_t,s0)
+
 /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
 /var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
 /var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/services/postgresql.if new/selinux-policy-20251128/policy/modules/services/postgresql.if
--- old/selinux-policy-20251111/policy/modules/services/postgresql.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/services/postgresql.if 2025-11-28 10:54:24.000000000 +0100
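Review bot: The three new `krb5_home_t` entries are anchored only under `/var/lib/pgsql/`, while the line just above also treats `/var/lib/postgres(ql)?` as the database home; on an install using one of those paths the `.k5*` files keep the `postgresql_db_t` label and the kerberos file transitions added in this patch will not apply. If that layout is still supported, add matching entries such as `/var/lib/postgres(ql)?/\.k5(identity|login|users) gen_context(system_u:object_r:krb5_home_t,s0)`. Because `.k5login` decides which principals may act as the postgres account, a short comment that these files are authentication-relevant and intentionally carry the kerberos home type would help the next reader.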
@@ -490,6 +490,39 @@
 ########################################
 ## <summary>
+## Create private objects at postgresql db directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`postgresql_db_filetrans',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+ filetrans_pattern($1, postgresql_db_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
 ## All of the rules required to administrate an postgresql environment
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/services/ssh.te new/selinux-policy-20251128/policy/modules/services/ssh.te
--- old/selinux-policy-20251111/policy/modules/services/ssh.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/services/ssh.te 2025-11-28 10:54:24.000000000 +0100
@@ -90,6 +90,7 @@
 allow sshd_session_t self:netlink_route_socket { bind create getattr nlmsg_read };
 allow sshd_session_t self:udp_socket { connect create getattr };
+allow sshd_net_t sshd_t:vsock_socket { read write };
 allow sshd_net_t sshd_session_t:fifo_file write;
 allow sshd_net_t sshd_session_t:unix_stream_socket { read write };
 allow sshd_session_t sshd_t:tcp_socket { getattr getopt read setopt write };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/services/xserver.fc new/selinux-policy-20251128/policy/modules/services/xserver.fc
--- old/selinux-policy-20251111/policy/modules/services/xserver.fc 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/services/xserver.fc 2025-11-28 10:54:24.000000000 +0100
@@ -154,6 +154,7 @@
 /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/lib/cosmic-greeter(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/authlogin.if new/selinux-policy-20251128/policy/modules/system/authlogin.if
--- old/selinux-policy-20251111/policy/modules/system/authlogin.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/authlogin.if 2025-11-28 10:54:24.000000000 +0100
@@ -493,6 +493,23 @@
 ########################################
 ## <summary>
+## Allow caller to transition to chkpwd_t with NoNewPrivileges
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_nnp_domtrans_chkpwd',`
+ gen_require(`
+ type chkpwd_t;
+ ')
+ allow $1 chkpwd_t:process2 nnp_transition;
+')
+
+########################################
+## <summary>
 ## Execute chkpwd in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/init.if new/selinux-policy-20251128/policy/modules/system/init.if
--- old/selinux-policy-20251111/policy/modules/system/init.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/init.if 2025-11-28 10:54:24.000000000 +0100
@@ -135,9 +135,10 @@
 ')
 ')
 ')
+
 ########################################
 ## <summary>
-## Allow SELinux Domain trasition from sytemd
+## Allow SELinux Domain trasition from sytemd
 ## into confined domain with NoNewPrivileges
 ## Systemd Security feature.
 ## </summary>
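Review bot: `auth_nnp_domtrans_chkpwd` only adds `process2 nnp_transition`; it does not perform the domain transition itself, so a caller must still pair it with `auth_domtrans_chk_passwd` (as policykit.te does in this patch), and the summary should say so to prevent it being used alone. Suggested summary: `## Allow the caller's NoNewPrivileges transition into chkpwd_t. Use together with auth_domtrans_chk_passwd(), which supplies the transition itself.` For consistency with the other interfaces in this file, also put a blank line between the `gen_require` block and the `allow` rule.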
@@ -156,6 +157,28 @@
 ')
 ########################################
+## <summary>
+## Allow SELinux Domain trasition from sytemd
+## into confined domain with NoNewPrivileges
+## Systemd Security feature.
+## Useful if you have shell scripting in your
+## ExecStart statement
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`initrc_nnp_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow initrc_t $1:process2 { nnp_transition nosuid_transition };
+')
+
+########################################
 ## <summary>
 ## Allow nosuid_transition from systemd into a confined domain.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/init.te new/selinux-policy-20251128/policy/modules/system/init.te
--- old/selinux-policy-20251111/policy/modules/system/init.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/init.te 2025-11-28 10:54:24.000000000 +0100
@@ -595,6 +595,8 @@
 systemd_hostnamed_delete_config(init_t)
 systemd_manage_conf_files(init_t)
 systemd_rw_networkd_tmpfs_files(init_t)
+ systemd_machined_watch_user_ptys(init_t)
+ systemd_machined_watch_reads_user_ptys(init_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/systemd.if new/selinux-policy-20251128/policy/modules/system/systemd.if
--- old/selinux-policy-20251111/policy/modules/system/systemd.if 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/systemd.if 2025-11-28 10:54:24.000000000 +0100
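Review bot: The summary of the new `initrc_nnp_daemon_domain` carries the typos `trasition`/`sytemd` over from the interface above it and mentions only NoNewPrivileges, while the rule it adds grants both `nnp_transition` and `nosuid_transition` from `initrc_t`; the doc should match the rule so a reader does not underestimate what the caller receives. Suggested first lines: `## Allow a domain transition from initrc_t (shell wrappers in ExecStart) into a confined domain under NoNewPrivileges or from a nosuid mount.` The existing note about shell scripting in ExecStart can stay as the motivation.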
@@ -2632,6 +2632,42 @@
 ########################################
 ## <summary>
+## Watch systemd-machined user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_machined_watch_user_ptys',`
+ gen_require(`
+ type systemd_machined_devpts_t;
+ ')
+
+ allow $1 systemd_machined_devpts_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Watch_reads systemd-machined user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_machined_watch_reads_user_ptys',`
+ gen_require(`
+ type systemd_machined_devpts_t;
+ ')
+
+ allow $1 systemd_machined_devpts_t:chr_file watch_reads_chr_file_perms;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to connect to
 ## systemd_machined with a unix socket.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/systemd.te new/selinux-policy-20251128/policy/modules/system/systemd.te
--- old/selinux-policy-20251111/policy/modules/system/systemd.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/systemd.te 2025-11-28 10:54:24.000000000 +0100
@@ -654,6 +654,7 @@
 virt_rw_svirt_dev(systemd_machined_t)
 virt_getattr_sandbox_filesystem(systemd_machined_t)
 virt_read_sandbox_files(systemd_machined_t)
+ virt_svirt_read_state(systemd_machined_t)
 ')
 #######################################
@@ -1182,6 +1183,7 @@
 files_pid_filetrans(systemd_ssh_issue_t, systemd_ssh_issue_var_run_t, dir)
 kernel_dgram_send(systemd_ssh_issue_t)
+kernel_read_sysctl(systemd_ssh_issue_t)
 dev_read_sysfs(systemd_ssh_issue_t)
 dev_read_vsock(systemd_ssh_issue_t);
@@ -1444,8 +1446,7 @@
 ')
 optional_policy(`
- sssd_dontaudit_read_public_files(systemd_generator)
- sssd_dontaudit_search_lib(systemd_generator)
+ sssd_dontaudit_stream_connect(systemd_generator)
 ')
 ### Rules for individual systemd generator domains
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251111/policy/modules/system/userdomain.te new/selinux-policy-20251128/policy/modules/system/userdomain.te
--- old/selinux-policy-20251111/policy/modules/system/userdomain.te 2025-11-11 15:19:00.000000000 +0100
+++ new/selinux-policy-20251128/policy/modules/system/userdomain.te 2025-11-28 10:54:24.000000000 +0100
@@ -383,8 +383,6 @@
 kernel_watch_unlabeled_dirs(login_userdomain)
 kernel_read_psi(login_userdomain)
-auth_watch_passwd(login_userdomain)
-
 corecmd_watch_bin_dirs(login_userdomain)
 dev_watch_generic_dirs(login_userdomain)
@@ -423,6 +421,11 @@
 mount_watch_reads_pid_files(login_userdomain)
 optional_policy(`
+ auth_read_lastlog(login_userdomain)
+ auth_watch_passwd(login_userdomain)
+')
+
+optional_policy(`
 init_mmap_read_var_lib_files(login_userdomain)
 init_read_pid_files(login_userdomain)
 ')
