Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-03-06 18:16:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.561 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Fri Mar 6 18:16:13 2026 rev:152 rq:1336792 version:20260303 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-03-04 20:59:29.410237363 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.561/selinux-policy.changes 2026-03-06 18:16:18.774472145 +0100 @@ -1,0 +2,8 @@ +Tue Mar 03 15:50:01 UTC 2026 - Cathy Hu <[email protected]> + +- Update to version 20260303: + * Enable init_server_no_new_privs during build (bsc#1253047) + * Add init_server_no_new_privs where no domtrans pattern was used (bsc#1253047) + * Allow nnp_transition in domtrans pattern (bsc#1253047) + +------------------------------------------------------------------- Old: ---- selinux-policy-20260302.tar.xz New: ---- selinux-policy-20260303.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.YEHlvH/_old 2026-03-06 18:16:19.738512345 +0100 +++ /var/tmp/diff_new_pack.YEHlvH/_new 2026-03-06 18:16:19.742512512 +0100 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260302 +Version: 20260303 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.YEHlvH/_old 2026-03-06 18:16:19.826516014 +0100 +++ /var/tmp/diff_new_pack.YEHlvH/_new 2026-03-06 18:16:19.834516348 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">c6e26f2bdd95f62fab05de0727965b7238ca73dc</param></service></servicedata> + <param name="changesrevision">58ead04f5dca1f1de85000f74b95d8bfda9881b5</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20260302.tar.xz -> selinux-policy-20260303.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/build.conf new/selinux-policy-20260303/build.conf --- old/selinux-policy-20260302/build.conf 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/build.conf 2026-03-03 14:32:40.000000000 +0100 @@ -56,7 +56,7 @@ # build options. Putting foo here will enable # build option blocks named foo. Options should be # separated by spaces. -CUSTOM_BUILDOPT = +CUSTOM_BUILDOPT = init_server_no_new_privs # Number of MLS Sensitivities # The sensitivities will be s0 to s(MLS_SENS-1). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/cron.if new/selinux-policy-20260303/policy/modules/contrib/cron.if --- old/selinux-policy-20260302/policy/modules/contrib/cron.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/cron.if 2026-03-03 14:32:40.000000000 +0100 @@ -101,6 +101,9 @@ tunable_policy(`cron_userdomain_transition',` allow crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + allow crond_t $2_t:process2 nnp_transition; + ') allow crond_t $2_t:fd use; allow crond_t $2_t:key manage_key_perms; @@ -113,6 +116,9 @@ ps_process_pattern($2_t, cronjob_t) ',` dontaudit crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + dontaudit crond_t $2_t:process2 nnp_transition; + ') dontaudit crond_t $2_t:fd use; dontaudit crond_t $2_t:key manage_key_perms; @@ -191,6 +197,9 @@ tunable_policy(`cron_userdomain_transition',` allow crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + allow crond_t $2_t:process2 nnp_transition; + ') allow crond_t $2_t:fd use; allow crond_t $2_t:key manage_key_perms; @@ -199,6 +208,9 @@ allow $2_t crond_t:fifo_file rw_fifo_file_perms; ',` dontaudit crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + dontaudit crond_t $2_t:process2 nnp_transition; + ') dontaudit crond_t $2_t:fd use; dontaudit crond_t $2_t:key manage_key_perms; @@ -282,6 +294,9 @@ tunable_policy(`cron_userdomain_transition',` allow crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + allow crond_t $2_t:process2 nnp_transition; + ') allow crond_t $2_t:fd use; allow crond_t $2_t:key manage_key_perms; @@ -293,6 +308,9 @@ ps_process_pattern($2_t, cronjob_t) ',` dontaudit crond_t $2_t:process transition; + ifdef(`init_server_no_new_privs',` + dontaudit crond_t $2_t:process2 nnp_transition; + ') dontaudit crond_t $2_t:fd use; dontaudit crond_t $2_t:key manage_key_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/cron.te new/selinux-policy-20260303/policy/modules/contrib/cron.te --- old/selinux-policy-20260302/policy/modules/contrib/cron.te 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/cron.te 2026-03-03 14:32:40.000000000 +0100 @@ -432,6 +432,9 @@ # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. allow crond_t system_cronjob_t:process transition; +ifdef(`init_server_no_new_privs',` + allow crond_t system_cronjob_t:process2 nnp_transition; +') dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; @@ -730,6 +733,9 @@ # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. allow crond_t cronjob_t:process transition; +ifdef(`init_server_no_new_privs',` + allow crond_t cronjob_t:process2 nnp_transition; +') dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; allow crond_t cronjob_t:fd use; allow cronjob_t crond_t:fd use; @@ -900,10 +906,16 @@ tunable_policy(`cron_userdomain_transition',` dontaudit crond_t unconfined_cronjob_t:process transition; + ifdef(`init_server_no_new_privs',` + dontaudit crond_t unconfined_cronjob_t:process2 nnp_transition; + ') dontaudit crond_t unconfined_cronjob_t:fd use; dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; ',` allow crond_t unconfined_cronjob_t:process transition; + ifdef(`init_server_no_new_privs',` + allow crond_t unconfined_cronjob_t:process2 nnp_transition; + ') allow crond_t unconfined_cronjob_t:fd use; allow crond_t unconfined_cronjob_t:key manage_key_perms; ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/gnome.if new/selinux-policy-20260303/policy/modules/contrib/gnome.if --- old/selinux-policy-20260302/policy/modules/contrib/gnome.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/gnome.if 2026-03-03 14:32:40.000000000 +0100 @@ -1841,6 +1841,9 @@ ') allow $1 gkeyringd_domain:process transition; + ifdef(`init_server_no_new_privs',` + allow $1 gkeyringd_domain:process2 nnp_transition; + ') dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; allow gkeyringd_domain $1:process { sigchld signull }; allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/rpm.if new/selinux-policy-20260303/policy/modules/contrib/rpm.if --- old/selinux-policy-20260302/policy/modules/contrib/rpm.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/rpm.if 2026-03-03 14:32:40.000000000 +0100 @@ -1006,6 +1006,9 @@ typeattribute $1 rpm_transition_domain; allow $1 rpm_script_t:process transition; + ifdef(`init_server_no_new_privs',` + allow $1 rpm_script_t:process2 nnp_transition; + ') roleattribute $2 rpm_script_roles; allow $1 rpm_script_t:fd use; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/virt.if new/selinux-policy-20260303/policy/modules/contrib/virt.if --- old/selinux-policy-20260302/policy/modules/contrib/virt.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/virt.if 2026-03-03 14:32:40.000000000 +0100 @@ -1331,6 +1331,9 @@ ') allow $1 virt_domain:process transition; + ifdef(`init_server_no_new_privs',` + allow $1 virt_domain:process2 nnp_transition; + ') role $2 types virt_domain; role $2 types svirt_socket_t; optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/contrib/virt.te new/selinux-policy-20260303/policy/modules/contrib/virt.te --- old/selinux-policy-20260302/policy/modules/contrib/virt.te 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/contrib/virt.te 2026-03-03 14:32:40.000000000 +0100 @@ -2613,6 +2613,10 @@ tunable_policy(`virt_transition_userdomain',` userdom_transition(virtd_t) userdom_transition(virtd_lxc_t) + ifdef(`init_server_no_new_privs',` + userdom_nnp_transition(virtd_t) + userdom_nnp_transition(virtd_lxc_t) + ') ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/kernel/domain.if new/selinux-policy-20260303/policy/modules/kernel/domain.if --- old/selinux-policy-20260302/policy/modules/kernel/domain.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/kernel/domain.if 2026-03-03 14:32:40.000000000 +0100 @@ -1836,6 +1836,24 @@ ######################################## ## <summary> +## Allow caller to nnp_transition to any domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_nnp_transition_all',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process2 nnp_transition; +') + +######################################## +## <summary> ## Do not audit attempts to access check /proc ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/roles/unconfineduser.te new/selinux-policy-20260303/policy/modules/roles/unconfineduser.te --- old/selinux-policy-20260302/policy/modules/roles/unconfineduser.te 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/roles/unconfineduser.te 2026-03-03 14:32:40.000000000 +0100 @@ -94,6 +94,9 @@ unconfined_domain_noaudit(unconfined_t) domain_named_filetrans(unconfined_t) domain_transition_all(unconfined_t) +ifdef(`init_server_no_new_privs',` + domain_nnp_transition_all(unconfined_t) +') usermanage_run_passwd(unconfined_t, unconfined_r) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/services/postgresql.te new/selinux-policy-20260303/policy/modules/services/postgresql.te --- old/selinux-policy-20260302/policy/modules/services/postgresql.te 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/services/postgresql.te 2026-03-03 14:32:40.000000000 +0100 @@ -534,10 +534,16 @@ type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t; allow sepgsql_client_type sepgsql_ranged_proc_t:process transition; +ifdef(`init_server_no_new_privs',` + allow sepgsql_client_type sepgsql_ranged_proc_t:process2 nnp_transition; +') type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition; allow sepgsql_client_type sepgsql_trusted_proc_t:process transition; +ifdef(`init_server_no_new_privs',` + allow sepgsql_client_type sepgsql_trusted_proc_t:process2 nnp_transition; +') type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; tunable_policy(`postgresql_selinux_users_ddl',` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/system/init.te new/selinux-policy-20260303/policy/modules/system/init.te --- old/selinux-policy-20260302/policy/modules/system/init.te 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/system/init.te 2026-03-03 14:32:40.000000000 +0100 @@ -2025,6 +2025,9 @@ #') allow initrc_domain daemon:process transition; +ifdef(`init_server_no_new_privs',` + allow initrc_domain daemon:process2 nnp_transition; +') allow daemon initrc_domain:fd use; allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms; allow daemon initrc_domain:process sigchld; @@ -2035,6 +2038,9 @@ allow systemprocess initrc_domain:process sigchld; allow initrc_domain systemprocess_entry:file { getattr open read execute map }; allow initrc_domain systemprocess:process transition; +ifdef(`init_server_no_new_privs',` + allow initrc_domain systemprocess:process2 nnp_transition; +') optional_policy(` systemd_getattr_unit_dirs(daemon) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/modules/system/userdomain.if new/selinux-policy-20260303/policy/modules/system/userdomain.if --- old/selinux-policy-20260302/policy/modules/system/userdomain.if 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/modules/system/userdomain.if 2026-03-03 14:32:40.000000000 +0100 @@ -6798,6 +6798,24 @@ ######################################## ## <summary> +## Allow caller to nnp_transition to any userdomain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_nnp_transition',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process2 nnp_transition; +') + +######################################## +## <summary> ## Allow caller to nnp_transition to login userdomain. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260302/policy/support/misc_patterns.spt new/selinux-policy-20260303/policy/support/misc_patterns.spt --- old/selinux-policy-20260302/policy/support/misc_patterns.spt 2026-03-02 11:32:36.000000000 +0100 +++ new/selinux-policy-20260303/policy/support/misc_patterns.spt 2026-03-03 14:32:40.000000000 +0100 @@ -4,6 +4,9 @@ define(`domain_transition_pattern',` allow $1 $2:file mmap_exec_file_perms; allow $1 $3:process transition; + ifdef(`init_server_no_new_privs',` + allow $1 $3:process2 nnp_transition; + ') # dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ')
