Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2025-12-17 17:30:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.1939 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Wed Dec 17 17:30:46 2025 rev:35 rq:1322982 version:2.245.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2025-12-09 12:45:42.600167278 +0100
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.1939/container-selinux.changes
    2025-12-17 17:34:10.854134591 +0100
@@ -1,0 +2,11 @@
+Mon Dec 15 15:58:25 UTC 2025 - Cathy Hu <[email protected]>
+
+- Update to version 2.245.0:
+  * bump to v2.245.0
+  * Fix typo in container_selinux(8) man page
+  * Add new booleans to container_selinux(8) man page
+  * Allow containers to access shared public content
+  * Add support for Incus
+  * Add ~/.local/share/containers/storage/overlay-containers to .fc 
(bsc#1253682)
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.244.0.tar.xz

New:
----
  container-selinux-2.245.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.Ync3cO/_old  2025-12-17 17:34:12.406199773 +0100
+++ /var/tmp/diff_new_pack.Ync3cO/_new  2025-12-17 17:34:12.418200277 +0100
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.244.0
+Version:        2.245.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Ync3cO/_old  2025-12-17 17:34:12.722213044 +0100
+++ /var/tmp/diff_new_pack.Ync3cO/_new  2025-12-17 17:34:12.770215060 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
-              <param 
name="changesrevision">9017e1f8074db9b7ae026670b0e0216cf53f18d9</param></service></servicedata>
+              <param 
name="changesrevision">3f7c37e93e172f531de233f40a58a1b8ec6ff17d</param></service></servicedata>
 (No newline at EOF)
 

++++++ container-selinux-2.244.0.tar.xz -> container-selinux-2.245.0.tar.xz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.244.0/container.fc 
new/container-selinux-2.245.0/container.fc
--- old/container-selinux-2.244.0/container.fc  2025-12-01 15:54:18.000000000 
+0100
+++ new/container-selinux-2.245.0/container.fc  2025-12-15 16:33:19.000000000 
+0100
@@ -20,11 +20,14 @@
 /usr/s?bin/buildkitd.*         --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/buildkitd.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
+/usr/s?bin/incus-.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/incus               --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc-.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd-.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/incus/.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/lxc/.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/libexec/lxd/.*            --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/podman                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -53,6 +56,7 @@
 /usr/local/lib/docker/[^/]*plugin      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
 /usr/lib/systemd/system/docker.*               --      
gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/incus.*                        --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/lxd.*          --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/containerd.*           --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/buildkit.*             --      
gen_context(system_u:object_r:container_unit_file_t,s0)
@@ -66,6 +70,7 @@
 
 /var/lib/shared(/.*)?  gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?        
gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/incus(/.*)?   gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?     gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?     gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker(/.*)?  gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -100,6 +105,8 @@
 HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?         
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?  
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?         
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-containers(/.*)?      
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-containers(/.*)?     
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*     
gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/containers(/.*)?      
gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -127,6 +134,8 @@
 
 /run/kata-containers(/.*)?     
gen_context(system_u:object_r:container_kvm_var_run_t,s0)
 
+/var/cache/incus(/.*)?         
gen_context(system_u:object_r:container_var_lib_t,s0)
+
 /var/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
 /opt/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
 
@@ -164,9 +173,14 @@
 /srv/containers(/.*)?          
gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?      
gen_context(system_u:object_r:container_file_t,s0)
 
+/run/incus/unix.socket(.*)?     -s     
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/incus(/.*)?               
gen_context(system_u:object_r:container_var_run_t,s0)
 /run/lock/lxc(/.*)?            
gen_context(system_u:object_r:container_lock_t,s0)
 
 /var/log/kube-apiserver(/.*)?          
gen_context(system_u:object_r:container_log_t,s0)
+
+/var/log/incus(/.*)?           
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
+
 /etc/kubernetes(/.*)?          
gen_context(system_u:object_r:kubernetes_file_t,s0)
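Review bot: The new socket entry `/run/incus/unix.socket(.*)? -s` leaves the dot unescaped and ends in an open `(.*)?`, so it matches more paths than the daemon socket it appears to target. It also assigns the same `container_var_run_t` as the `/run/incus(/.*)?` line right after it, so as written it changes no label. If the intent is to pin the control socket's type explicitly, `/run/incus/unix\.socket -s gen_context(system_u:object_r:container_var_run_t,s0)` states that. If the suffix is meant to catch sibling sockets, a short comment naming them would help the next reader. Access to this socket presumably amounts to control of the Incus daemon, so it is worth checking which domains may connect to `container_var_run_t` sockets.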
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.244.0/container.te 
new/container-selinux-2.245.0/container.te
--- old/container-selinux-2.244.0/container.te  2025-12-01 15:54:18.000000000 
+0100
+++ new/container-selinux-2.245.0/container.te  2025-12-15 16:33:19.000000000 
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.244.0)
+policy_module(container, 2.245.0)
 
 gen_require(`
        class passwd rootok;
@@ -83,6 +83,22 @@
 ## </desc>
 gen_tunable(container_use_ecryptfs, false)
 
+## <desc>
+##  <p>
+##  Allow containers to read shared public files
+##  (public_content_t & public_content_rw_t)
+##  </p>
+## </desc>
+gen_tunable(container_read_public_content, false)
+
+## <desc>
+##  <p>
+##  Allow containers to read and write shared public
+##  files (public_content_rw_t)
+##  </p>
+## </desc>
+gen_tunable(container_manage_public_content, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
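Review bot: The description of `container_manage_public_content` says "read and write", but the boolean gates `miscfiles_manage_public_files` (later hunk in this file), and a manage interface normally also covers creating, renaming and deleting files and directories. Suggested wording: `##  Allow containers to manage (create, modify, delete) shared public files (public_content_rw_t)`. The description of `container_read_public_content` has a bare `&` inside an XML-style `<desc>` block; writing `and` avoids trouble if these comments are ever run through an XML documentation generator. The man page text added in this commit repeats the "read and write" wording and would need the same correction.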
@@ -1452,6 +1468,14 @@
        allow container_init_t self:cap_userns sys_admin;
 ')
 
+tunable_policy(`container_read_public_content',`
+       miscfiles_read_public_files(container_domain)
+')
+
+tunable_policy(`container_manage_public_content',`
+       miscfiles_manage_public_files(container_domain)
+')
+
 allow container_init_domain self:netlink_audit_socket nlmsg_relay;
 
 # container_engine_t is for running a container engine within a container
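Review bot: Both new `tunable_policy` blocks grant access to the whole `container_domain` attribute, so enabling either boolean applies to every container type carrying that attribute, not to selected workloads. `public_content_rw_t` is the type that file-sharing services are commonly allowed to write through their own booleans, so with `container_manage_public_content` on, a compromised container could alter content that those services publish. This is type-level access; if the shared content is labeled at plain `s0`, MCS categories presumably will not separate one container from another there. A comment above the blocks would record this, e.g. `# Applies to all of container_domain; public content is shared with other services and is not isolated per container.`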
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.244.0/container_selinux.8 
new/container-selinux-2.245.0/container_selinux.8
--- old/container-selinux-2.244.0/container_selinux.8   2025-12-01 
15:54:18.000000000 +0100
+++ new/container-selinux-2.245.0/container_selinux.8   2025-12-15 
16:33:19.000000000 +0100
@@ -87,6 +87,22 @@
 
 .EE
 
+.PP
+If you want to allow containers to read shared public files (public_content_t 
and public_content_rw_t), set the container_read_public_content boolean. 
Disabled by default.
+
+.EX
+.B setsebool -P container_read_public_content 1
+
+.EE
+
+.PP
+If you want to allow containers to read and write shared public files 
(public_content_rw_t), set the container_manage_public_content boolean. 
Disabled by default.
+
+.EX
+.B setsebool -P container_manage_public_content 1
+
+.EE
+
 .SH PORT TYPES
 SELinux defines port types to represent TCP and UDP ports.
 .PP
@@ -461,4 +477,4 @@
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), 
setsebool(8), container_auth_selinux(8), container_auth_selinux(8), 
container_device_selinux(8), container_device_selinux(8), 
container_device_plugin_selinux(8), container_device_plugin_selinux(8), 
container_device_plugin_init_selinux(8), 
container_device_plugin_init_selinux(8), container_engine_selinux(8), 
container_engine_selinux(8), container_init_selinux(8), 
container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), 
container_logreader_selinux(8), container_logreader_selinux(8), 
container_logwriter_selinux(8), container_logwriter_selinux(8), 
container_runtime_selinux(8), container_runtime_selinux(8), 
container_user_selinux(8), container_user_selinux(8), 
container_userns_selinux(8), container_userns_selinux(8)
\ No newline at end of file
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), 
setsebool(8), container_auth_selinux(8), container_auth_selinux(8), 
container_device_selinux(8), container_device_selinux(8), 
container_device_plugin_selinux(8), container_device_plugin_selinux(8), 
container_device_plugin_init_selinux(8), 
container_device_plugin_init_selinux(8), container_engine_selinux(8), 
container_engine_selinux(8), container_init_selinux(8), 
container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), 
container_logreader_selinux(8), container_logreader_selinux(8), 
container_logwriter_selinux(8), container_logwriter_selinux(8), 
container_runtime_selinux(8), container_runtime_selinux(8), 
container_user_selinux(8), container_user_selinux(8), 
container_userns_selinux(8), container_userns_selinux(8)
