Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-12-09 12:45:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1939 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Dec 9 12:45:42 2025 rev:139 rq:1321532 version:20251208 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-12-01 11:11:36.070140949 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1939/selinux-policy.changes 2025-12-09 12:45:56.784766770 +0100 @@ -1,0 +2,16 @@ +Mon Dec 08 08:29:51 UTC 2025 - Cathy Hu <[email protected]> + +- Update to version 20251208: + * Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459) + * Allow virtqemud_t to read/write device_t (bsc#1251789) + * Introduce sap_service_transition_to_unconfined_user boolean + * allow init to read sap symlinks + * Allow SAP domain to relocation text in all files + +------------------------------------------------------------------- +Mon Dec 8 08:21:59 UTC 2025 - Cathy Hu <[email protected]> + +- Update embedded container-selinux version to commit: + - 9017e1f8074db9b7ae026670b0e0216cf53f18d9 (version 2.244.0) + +------------------------------------------------------------------- Old: ---- selinux-policy-20251128.tar.xz New: ---- selinux-policy-20251208.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.CHtfxG/_old 2025-12-09 12:46:14.613520279 +0100 +++ /var/tmp/diff_new_pack.CHtfxG/_new 2025-12-09 12:46:14.629520956 +0100 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20251128 +Version: 20251208 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.CHtfxG/_old 2025-12-09 12:46:14.957534819 +0100 +++ /var/tmp/diff_new_pack.CHtfxG/_new 2025-12-09 12:46:14.977535664 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">a823f1191db2371700f18dff914d43ce49f577c0</param></service></servicedata> + <param name="changesrevision">88ac5853a00190c20d1bb9fd61e8b86bf7fa177c</param></service></servicedata> (No newline at EOF) ++++++ container.if ++++++ --- /var/tmp/diff_new_pack.CHtfxG/_old 2025-12-09 12:46:15.113541412 +0100 +++ /var/tmp/diff_new_pack.CHtfxG/_new 2025-12-09 12:46:15.141542596 +0100 @@ -89,6 +89,25 @@ ######################################## ## <summary> +## Write to /proc/PID of container runtime. +## This is needed e.g. to set uid_map or gid_map +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`container_write_proc_files',` + gen_require(` + type container_runtime_t; + ') + + allow $1 container_runtime_t:file { open write }; +') + +######################################## +## <summary> ## Search container lib directories. ## </summary> ## <param name="domain"> ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.CHtfxG/_old 2025-12-09 12:46:15.273548175 +0100 +++ /var/tmp/diff_new_pack.CHtfxG/_new 2025-12-09 12:46:15.297549189 +0100 @@ -1,4 +1,4 @@ -policy_module(container, 2.243.0) +policy_module(container, 2.244.0) gen_require(` class passwd rootok; ++++++ selinux-policy-20251128.tar.xz -> selinux-policy-20251208.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/dist/minimum/booleans.conf new/selinux-policy-20251208/dist/minimum/booleans.conf --- old/selinux-policy-20251128/dist/minimum/booleans.conf 2025-11-28 10:54:24.000000000 +0100 +++ new/selinux-policy-20251208/dist/minimum/booleans.conf 2025-12-08 09:29:12.000000000 +0100 
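Review bot: `container_write_proc_files` grants `open write` on every `file` labeled `container_runtime_t`, not only `/proc/PID/uid_map` and `gid_map`; because the entries under /proc/PID carry the process's domain label, SELinux cannot narrow this to specific names, so the same rule also lets the caller write e.g. `/proc/PID/setgroups`, `oom_score_adj` or `comm` of the runtime. That breadth is inherent to the mechanism, but the summary should say so instead of reading like a targeted grant — e.g. `## Note: this covers every file under /proc/PID of the runtime (all labeled container_runtime_t), not just uid_map/gid_map; grant it only to domains that set up the runtime's user namespace.` Reaching those entries also needs `search` on the /proc/PID directory, which is likewise labeled `container_runtime_t`; if this interface is meant to be self-contained, add `allow $1 container_runtime_t:dir search;` (callers may already have it from other rules — worth confirming with the first domain that uses this). The new interface is complete within the hunk; the following `container_search_lib` definition is cut at the hunk edge.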
@@ -249,3 +249,6 @@
 # Allows unconfined_service_t to transition to unconfined_t
 unconfined_service_transition_to_unconfined_user = false
+
+# Allows sap_unconfined_t to transition to unconfined_t
+sap_service_transition_to_unconfined_user = false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/dist/targeted/booleans.conf new/selinux-policy-20251208/dist/targeted/booleans.conf
--- old/selinux-policy-20251128/dist/targeted/booleans.conf 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/dist/targeted/booleans.conf 2025-12-08 09:29:12.000000000 +0100
@@ -59,3 +59,4 @@
 zebra_write_config = false
 unconfined_service_transition_to_unconfined_user = false
 xenstored_use_store_type_domain = true
+sap_service_transition_to_unconfined_user = false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/policy/modules/contrib/sap.if new/selinux-policy-20251208/policy/modules/contrib/sap.if
--- old/selinux-policy-20251128/policy/modules/contrib/sap.if 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/policy/modules/contrib/sap.if 2025-12-08 09:29:12.000000000 +0100
@@ -37,3 +37,21 @@
 corecmd_search_bin($1)
 domtrans_pattern($1, sap_exec_t, sap_unconfined_t)
 ')
+
+#######################################
+## <summary>
+## Read SAP lnk_files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sap_read_lnk_files',`
+ gen_require(`
+ type sap_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, sap_exec_t, sap_exec_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/policy/modules/contrib/sap.te new/selinux-policy-20251208/policy/modules/contrib/sap.te
--- old/selinux-policy-20251128/policy/modules/contrib/sap.te 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/policy/modules/contrib/sap.te 2025-12-08 09:29:12.000000000 +0100
@@ -1,5 +1,12 @@
 policy_module(sap, 1.0)
+## <desc>
+## <p>
+## allow unconfined_service_t transition to the unconfined user domain
+## </p>
+## </desc>
+gen_tunable(sap_service_transition_to_unconfined_user, false)
+
 type sap_unconfined_t;
 type sap_exec_t;
 files_type(sap_exec_t);
@@ -11,8 +18,16 @@
 #manage_files_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
 #files_tmp_filetrans(sap_unconfined_t, sap_tmp_t, { dir file })
+files_execmod_all_files(sap_unconfined_t)
+
 libs_legacy_use_shared_libs(sap_unconfined_t)
 optional_policy(`
 unconfined_domain(sap_unconfined_t)
 ')
+
+optional_policy(`
+ tunable_policy(`sap_service_transition_to_unconfined_user',`
+ unconfined_domtrans(sap_unconfined_t)
+ ')
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/policy/modules/contrib/virt.te new/selinux-policy-20251208/policy/modules/contrib/virt.te
--- old/selinux-policy-20251128/policy/modules/contrib/virt.te 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/policy/modules/contrib/virt.te 2025-12-08 09:29:12.000000000 +0100
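Review bot: The `<desc>` text for the new `sap_service_transition_to_unconfined_user` tunable names the wrong domain — it reads `allow unconfined_service_t transition to the unconfined user domain`, evidently copied from `unconfined_service_transition_to_unconfined_user`, while the `tunable_policy` block below transitions `sap_unconfined_t`; the `booleans.conf` comment in this same commit already has it right. Change it to `## allow sap_unconfined_t to transition to the unconfined user domain` so that `semanage boolean -l` describes the boolean correctly. Separately, `files_execmod_all_files(sap_unconfined_t)` is unconditional while `unconfined_domain(sap_unconfined_t)` sits inside an `optional_policy`, so on a build without the unconfined module the domain would still keep execmod on every file type; a one-line comment stating why text relocation on arbitrary files is required (the changelog only says "relocation text in all files") would help the next reviewer decide whether execmod on the SAP binary/library types alone would do.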
@@ -2301,6 +2301,7 @@
 dev_rw_sgx_vepc(virtqemud_t)
 dev_rw_vfio_dev(virtqemud_t)
 dev_relabel_all_dev_nodes(virtqemud_t)
+dev_rw_generic_chr_files(virtqemud_t)
 dev_rw_input_dev(virtqemud_t)
 dev_rw_kvm(virtqemud_t)
 dev_rw_lvm_control(virtqemud_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/policy/modules/system/init.te new/selinux-policy-20251208/policy/modules/system/init.te
--- old/selinux-policy-20251128/policy/modules/system/init.te 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/policy/modules/system/init.te 2025-12-08 09:29:12.000000000 +0100
@@ -915,6 +915,10 @@
 ')
 optional_policy(`
+ sap_read_lnk_files(init_t)
+')
+
+optional_policy(`
 stratisd_data_read_lnk_files(init_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251128/policy/modules/system/systemd.te new/selinux-policy-20251208/policy/modules/system/systemd.te
--- old/selinux-policy-20251128/policy/modules/system/systemd.te 2025-11-28 10:54:24.000000000 +0100
+++ new/selinux-policy-20251208/policy/modules/system/systemd.te 2025-12-08 09:29:12.000000000 +0100
@@ -1479,6 +1479,15 @@
 #manage_files_pattern(systemd_cryptsetup_generator_t, systemd_fstab_generator_unit_file_t, systemd_fstab_generator_unit_file_t)
+type systemd_cryptsetup_generator_var_run_t;
+files_type(systemd_cryptsetup_generator_var_run_t)
+
+init_pid_filetrans(systemd_cryptsetup_generator_t, systemd_cryptsetup_generator_var_run_t, dir, "cryptsetup")
+
+allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:dir manage_dir_perms;
+allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:file manage_file_perms;
+allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:lnk_file manage_lnk_file_perms;
+
 ### debug generator
 fs_read_tmpfs_files(systemd_debug_generator_t)
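Review bot: `dev_rw_generic_chr_files(virtqemud_t)` grants read/write on every character device labeled `device_t`, which is the fallback type for device nodes that match no file-context entry, so the rule is far broader than the single device that presumably triggered bsc#1251789 and will silently cover any future unlabeled node as well. If the bug is about one specific node, a dedicated type plus a file-context entry (or the existing `dev_rw_*` interface for that device class, if one exists) would confine the grant to that device. If the generic rule has to stay, put the justification on the line, e.g. `# bsc#1251789: <device> has no specific label and stays device_t`, so the next reviewer can tell whether it is still needed. The virtqemud_t rule block continues on both sides of the hunk.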
