Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-03-10 20:35:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Mar 10 20:35:13 2026 rev:153 rq:1338077 version:20260310 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-03-06 18:16:18.774472145 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.8177/selinux-policy.changes 2026-03-10 20:37:08.456048244 +0100 @@ -1,0 +2,20 @@ +Tue Mar 10 17:22:53 UTC 2026 - Robert Frohl <[email protected]> + +- Update to version 20260310: + * Allow wtmpdbd to read pidfs (bsc#1259444) + * Allow systemd-mountfsd the perfmon capability + * Allow lttng tracing in default configuration + * Allow rtkit-daemon write systemd inhibit pipes + * Apply the systemd system generator template to the kdump-dep generator + * Apply the systemd system generator template to the anaconda generator + * Dontaudit ps permissions that tlp_t does not need (bsc#1257527) + * TLP uses ps aux to check for different services (bsc#1257527) + * Introduce separate types for generic systemd generators. + * Confine system generator nm-initrd-generator.sh (bsc#1257754) + * Allow rtkit-daemon dbus chat with systemd-logind + * ecryptfs uses /home/.ecryptfs for full homedir encryption (bsc#1258350) + * Dontaudit tlshd write generic certificate dirs +- Syncing with upstream rawhide selinux-policy up to: + * 8507a66c816a382439d4933cfff14c8ee8a83d1e + +------------------------------------------------------------------- Old: ---- selinux-policy-20260303.tar.xz New: ---- selinux-policy-20260310.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.tYtWzd/_old 2026-03-10 20:37:09.356085831 +0100 +++ /var/tmp/diff_new_pack.tYtWzd/_new 2026-03-10 20:37:09.356085831 +0100 
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260303 +Version: 20260310 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.tYtWzd/_old 2026-03-10 20:37:09.436089172 +0100 +++ /var/tmp/diff_new_pack.tYtWzd/_new 2026-03-10 20:37:09.444089506 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">58ead04f5dca1f1de85000f74b95d8bfda9881b5</param></service></servicedata> + <param name="changesrevision">0378402079a8c5e42936ef9e8f079c531088a936</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20260303.tar.xz -> selinux-policy-20260310.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/anaconda.fc new/selinux-policy-20260310/policy/modules/contrib/anaconda.fc --- old/selinux-policy-20260303/policy/modules/contrib/anaconda.fc 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/anaconda.fc 2026-03-10 18:22:30.000000000 +0100 
@@ -9,8 +9,6 @@ /usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0) /usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0) -/usr/lib/systemd/system-generators/anaconda-generator -- gen_context(system_u:object_r:anaconda_generator_exec_t,s0) - /usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0) /var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) /var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/anaconda.te new/selinux-policy-20260310/policy/modules/contrib/anaconda.te --- old/selinux-policy-20260303/policy/modules/contrib/anaconda.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/anaconda.te 2026-03-10 18:22:30.000000000 +0100 @@ -20,12 +20,6 @@ domain_obj_id_change_exemption(anaconda_t) role system_r types anaconda_t; -type anaconda_generator_t; -type anaconda_generator_exec_t; -init_system_domain(anaconda_generator_t, anaconda_generator_exec_t) -type anaconda_generator_unit_file_t; -files_type(anaconda_generator_unit_file_t) - attribute_role install_roles; roleattribute system_r install_roles; 
@@ -86,36 +80,6 @@ ######################################## # -# anaconda-generator local policy -# - -corecmd_exec_bin(anaconda_generator_t) -corecmd_exec_shell(anaconda_generator_t) -permissive anaconda_generator_t; - -kernel_read_proc_files(anaconda_generator_t) - -fs_getattr_all_fs(anaconda_generator_t) - -optional_policy(` - auth_dontaudit_read_passwd_file(anaconda_generator_t) -') - -optional_policy(` - type anaconda_unit_file_t; - systemd_unit_file(anaconda_unit_file_t) - - allow anaconda_generator_t anaconda_unit_file_t:dir manage_dir_perms; - allow anaconda_generator_t anaconda_unit_file_t:file manage_file_perms; - allow anaconda_generator_t anaconda_unit_file_t:lnk_file manage_lnk_file_perms; - systemd_read_generic_unit_lnk_files(anaconda_generator_t) - systemd_unit_file_filetrans(anaconda_generator_t, anaconda_unit_file_t, { dir file lnk_file }) -') - - - -######################################## -# # Local policy # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/kdump.fc new/selinux-policy-20260310/policy/modules/contrib/kdump.fc --- old/selinux-policy-20260303/policy/modules/contrib/kdump.fc 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/kdump.fc 2026-03-10 18:22:30.000000000 +0100 
@@ -1,8 +1,6 @@ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) /etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - -/usr/lib/systemd/system-generators/kdump-dep-generator\.sh -- gen_context(system_u:object_r:kdump_dep_generator_exec_t,s0) /usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0) /usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/kdump.te new/selinux-policy-20260310/policy/modules/contrib/kdump.te --- old/selinux-policy-20260303/policy/modules/contrib/kdump.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/kdump.te 2026-03-10 18:22:30.000000000 +0100 @@ -25,12 +25,6 @@ type kdump_unit_file_t alias kdumpctl_unit_file_t; systemd_unit_file(kdump_unit_file_t) -type kdump_dep_generator_t; -type kdump_dep_generator_exec_t; -init_system_domain(kdump_dep_generator_t, kdump_dep_generator_exec_t) -type kdump_dep_generator_unit_file_t; -files_type(kdump_dep_generator_unit_file_t) - type kdump_lock_t; files_lock_file(kdump_lock_t) 
@@ -100,30 +94,6 @@ term_use_console(kdump_t) -##################################### -# -# kdump-dep-generator local policy -# - -allow kdump_dep_generator_t kdump_etc_t:file read_file_perms; - -corecmd_exec_bin(kdump_dep_generator_t) -corecmd_exec_shell(kdump_dep_generator_t) - -optional_policy(` - auth_dontaudit_read_passwd_file(kdump_dep_generator_t) -') - -optional_policy(` - type kdump_dep_unit_file_t; - systemd_unit_file(kdump_dep_unit_file_t) - - allow kdump_dep_generator_t kdump_dep_unit_file_t:dir manage_dir_perms; - allow kdump_dep_generator_t kdump_dep_unit_file_t:file manage_file_perms; - allow kdump_dep_generator_t kdump_dep_unit_file_t:lnk_file manage_lnk_file_perms; - systemd_unit_file_filetrans(kdump_dep_generator_t, kdump_dep_unit_file_t, { dir file lnk_file }) -') - ####################################### # # kdumpctl local policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/ktls.te new/selinux-policy-20260310/policy/modules/contrib/ktls.te --- old/selinux-policy-20260303/policy/modules/contrib/ktls.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/ktls.te 2026-03-10 18:22:30.000000000 +0100 @@ -37,7 +37,7 @@ miscfiles_read_generic_certs(ktlshd_t) miscfiles_map_generic_certs(ktlshd_t) miscfiles_write_generic_certs(ktlshd_t) - miscfiles_write_generic_cert_dirs(ktlshd_t) + miscfiles_dontaudit_write_generic_cert_dirs(ktlshd_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/lttng-tools.fc new/selinux-policy-20260310/policy/modules/contrib/lttng-tools.fc --- old/selinux-policy-20260303/policy/modules/contrib/lttng-tools.fc 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/lttng-tools.fc 2026-03-10 18:22:30.000000000 +0100 
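Review bot: Replacing `miscfiles_write_generic_cert_dirs(ktlshd_t)` with `miscfiles_dontaudit_write_generic_cert_dirs(ktlshd_t)` turns an allowed directory write into a silently denied one, and nothing in the hunk records why hiding that denial is safe. A dontaudit on an access the daemon genuinely needs would make the failure invisible in the audit log, so the line should carry a comment stating what triggers the attempt and why it is not needed, e.g. `# tlshd presumably only probes cert dirs for write access; deny quietly` adjusted to what the bug analysis actually established. The optional_policy block this line sits in begins outside the hunk; note that the context line `miscfiles_write_generic_certs(ktlshd_t)` still allows writing the certificate files themselves, so the effect is a tightening on directories only, which is worth stating next to the change.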
@@ -1,4 +1,12 @@ +HOME_DIR/\.lttng(/.*)? gen_context(system_u:object_r:lttng_home_t,s0) +HOME_DIR/lttng-traces(/.*)? gen_context(system_u:object_r:lttng_home_t,s0) +/root/\.lttng(/.*)? gen_context(system_u:object_r:lttng_home_t,s0) +/root/lttng-traces(/.*)? gen_context(system_u:object_r:lttng_home_t,s0) + +/etc/lttng/(/.*)? gen_context(system_u:object_r:lttng_conf_t,s0) + /usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0) +/usr/lib/lttng/libexec/lttng-consumerd -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0) /usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/lttng-tools.te new/selinux-policy-20260310/policy/modules/contrib/lttng-tools.te --- old/selinux-policy-20260303/policy/modules/contrib/lttng-tools.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/lttng-tools.te 2026-03-10 18:22:30.000000000 +0100 @@ -18,6 +18,12 @@ type lttng_sessiond_unit_file_t; systemd_unit_file(lttng_sessiond_unit_file_t) +type lttng_home_t; +userdom_user_home_content(lttng_home_t) + +type lttng_conf_t; +files_config_file(lttng_conf_t) + ######################################## # # lttng_sessiond local policy @@ -30,6 +36,8 @@ allow lttng_sessiond_t self:tcp_socket listen; allow lttng_sessiond_t self:unix_dgram_socket create; allow lttng_sessiond_t self:unix_stream_socket { create_stream_socket_perms connectto }; +# Allow lttng-sessiond to exec lttng-consumerd +allow lttng_sessiond_t lttng_sessiond_exec_t:file execute_no_trans; # FIXME: this is required because of systemd's notify socket is created while # in the initramfs, hence as kernel_t. Once SELinux permits relabeling socket 
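Review bot: The new `/etc/lttng/(/.*)?` entry in lttng-tools.fc has a slash before the optional group, so as a file-context regex it matches only `/etc/lttng/` and `/etc/lttng//…` and never the directory `/etc/lttng` itself or `/etc/lttng/foo`; those paths would keep the default etc_t label, and the `lttng_conf_t` list/read rules added to lttng-tools.te in this commit would never apply. Use the form the other entries in the hunk use: `/etc/lttng(/.*)? gen_context(system_u:object_r:lttng_conf_t,s0)`. Separately, `/usr/lib/lttng/libexec/lttng-consumerd` is given the sessiond exec type, and together with the new `execute_no_trans` rule in lttng-tools.te this runs the consumer daemon inside lttng_sessiond_t rather than in a domain of its own; a one-line comment in the .fc saying the shared label is deliberate would spare the next reader from treating it as a mislabel.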
@@ -38,17 +46,31 @@ # Tracked by [systemd PR](https://github.com/systemd/systemd/pull/31336). kernel_dgram_send(lttng_sessiond_t) +# Allow lttng-sessiond to manage the app sockets, lock files and pid files in /run/lttng manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir }) +# Allow lttng-sessiond to manage and map the tracing buffers in shared memory allow lttng_sessiond_t lttng_sessiond_tmpfs_t:file map; manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file }) +# Allow lttng-sessiond to manage the config and traces in the user home dir +userdom_user_home_dir_filetrans(lttng_sessiond_t, lttng_home_t, dir, ".lttng") +userdom_user_home_dir_filetrans(lttng_sessiond_t, lttng_home_t, dir, "lttng-traces") +manage_dirs_pattern(lttng_sessiond_t, lttng_home_t, lttng_home_t) +manage_files_pattern(lttng_sessiond_t, lttng_home_t, lttng_home_t) +manage_lnk_files_pattern(lttng_sessiond_t, lttng_home_t, lttng_home_t) + +# Allow lttng-sessiond to read the system config in /etc/lttng +list_dirs_pattern(lttng_sessiond_t, lttng_conf_t, lttng_conf_t) +read_files_pattern(lttng_sessiond_t, lttng_conf_t, lttng_conf_t) +read_lnk_files_pattern(lttng_sessiond_t, lttng_conf_t, lttng_conf_t) + kernel_read_system_state(lttng_sessiond_t) kernel_read_net_sysctls(lttng_sessiond_t) kernel_read_fs_sysctls(lttng_sessiond_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
old/selinux-policy-20260303/policy/modules/contrib/powerprofiles.if new/selinux-policy-20260310/policy/modules/contrib/powerprofiles.if --- old/selinux-policy-20260303/policy/modules/contrib/powerprofiles.if 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/powerprofiles.if 2026-03-10 18:22:30.000000000 +0100 @@ -1 +1,19 @@ ## <summary>Power profiles handling over D-Bus</summary> + +######################################## +## <summary> +## Allow the domain to read powerprofiles state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`powerprofiles_read_state',` + gen_require(` + type powerprofiles_t; + ') + + ps_process_pattern($1, powerprofiles_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/rtkit.te new/selinux-policy-20260310/policy/modules/contrib/rtkit.te --- old/selinux-policy-20260303/policy/modules/contrib/rtkit.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/rtkit.te 2026-03-10 18:22:30.000000000 +0100 @@ -36,4 +36,11 @@ optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') + optional_policy(` + systemd_dbus_chat_logind(rtkit_daemon_t) + ') +') + +optional_policy(` + systemd_write_inhibit_pipes(rtkit_daemon_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/tlp.te new/selinux-policy-20260310/policy/modules/contrib/tlp.te --- old/selinux-policy-20260303/policy/modules/contrib/tlp.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/tlp.te 2026-03-10 18:22:30.000000000 +0100 
@@ -29,6 +29,12 @@ allow tlp_t self:unix_dgram_socket create_socket_perms; allow tlp_t self:netlink_generic_socket create_socket_perms; +# tlp uses ps aux to check the process list and then +# greps for only tuned-ppd, power-profiles-daemon and +# tlp-pd. ps does not need those two necessarily to work: +dontaudit tlp_t self:cap_userns sys_ptrace; +dontaudit tlp_t self:capability2 perfmon; + allow tlp_t tlp_unit_file_t:file read_file_perms; manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) @@ -60,6 +66,11 @@ dev_rw_cpu_microcode(tlp_t) dev_rw_wireless(tlp_t) +# tlp uses ps aux to check the process list and then +# greps for only tuned-ppd, power-profiles-daemon and +# tlp-pd. Dontauditing the rest. +domain_dontaudit_search_all_domains_state(tlp_t) + files_read_kernel_modules(tlp_t) files_map_kernel_modules(tlp_t) files_load_kernel_modules(tlp_t) @@ -106,6 +117,10 @@ ') optional_policy(` + powerprofiles_read_state(tlp_t) +') + +optional_policy(` sssd_read_public_files(tlp_t) sssd_stream_connect(tlp_t) ') @@ -119,5 +134,14 @@ ') optional_policy(` + tuned_ppd_read_state(tlp_t) +') + +optional_policy(` udev_domtrans(tlp_t) ') + +optional_policy(` + # tlp-pd is not confined ATM + unconfined_server_read_state(tlp_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/contrib/tuned.if new/selinux-policy-20260310/policy/modules/contrib/tuned.if --- old/selinux-policy-20260303/policy/modules/contrib/tuned.if 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/contrib/tuned.if 2026-03-10 18:22:30.000000000 +0100 
@@ -199,3 +199,21 @@ allow $1 tuned_ppd_t:dbus send_msg; allow tuned_ppd_t $1:dbus send_msg; ') + +######################################## +## <summary> +## Allow the domain to read tuned state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tuned_ppd_read_state',` + gen_require(` + type tuned_ppd_t; + ') + + ps_process_pattern($1, tuned_ppd_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/kernel/filesystem.fc new/selinux-policy-20260310/policy/modules/kernel/filesystem.fc --- old/selinux-policy-20260303/policy/modules/kernel/filesystem.fc 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/kernel/filesystem.fc 2026-03-10 18:22:30.000000000 +0100 @@ -1,6 +1,7 @@ # ecryptfs does not support xattr HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_ROOT/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) /dev/hugepages(/.*)? <<none>> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/system/authlogin.te new/selinux-policy-20260310/policy/modules/system/authlogin.te --- old/selinux-policy-20260303/policy/modules/system/authlogin.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/system/authlogin.te 2026-03-10 18:22:30.000000000 +0100 
@@ -764,6 +764,7 @@ kernel_dgram_send(wtmpdbd_t) auth_rw_wtmpdb_login_records(wtmpdbd_t) +fs_getattr_pidfs(wtmpdbd_t) logging_dgram_send(wtmpdbd_t) logging_read_syslog_pid(wtmpdbd_t) logging_write_syslog_pid_socket(wtmpdbd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/system/miscfiles.if new/selinux-policy-20260310/policy/modules/system/miscfiles.if --- old/selinux-policy-20260303/policy/modules/system/miscfiles.if 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/system/miscfiles.if 2026-03-10 18:22:30.000000000 +0100 @@ -185,6 +185,24 @@ ######################################## ## <summary> +## Do not audit attempts to write generic SSL certificate dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_dontaudit_write_generic_cert_dirs',` + gen_require(` + type cert_t; + ') + + dontaudit $1 cert_t:dir write; +') + +######################################## +## <summary> ## Manage generic SSL certificates. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/system/systemd.fc new/selinux-policy-20260310/policy/modules/system/systemd.fc --- old/selinux-policy-20260303/policy/modules/system/systemd.fc 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/system/systemd.fc 2026-03-10 18:22:30.000000000 +0100 
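Review bot: The parameter summary of the new `miscfiles_dontaudit_write_generic_cert_dirs` interface reads `Domain allowed access.`, but the interface grants nothing — it only suppresses audit of `cert_t:dir write` denials. The usual wording for dontaudit interfaces is `## Domain to not audit.`, which also keeps the generated interface documentation from suggesting that callers gain write access to certificate directories. The rest of the interface (gen_require of cert_t, single dontaudit on dir write) is consistent with its neighbours in miscfiles.if.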
@@ -81,12 +81,15 @@ /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_network_generator_exec_t,s0) +/usr/lib/systemd/system-generators/anaconda-generator -- gen_context(system_u:object_r:systemd_anaconda_generator_exec_t,s0) /usr/lib/systemd/system-generators/btrfs-soft-reboot-generator -- gen_context(system_u:object_r:systemd_btrfs_soft_reboot_generator_exec_t,s0) /usr/lib/systemd/system-generators/growpart-generator.sh -- gen_context(system_u:object_r:systemd_growpart_generator_exec_t,s0) /usr/lib/systemd/system-generators/ibft-rule-generator -- gen_context(system_u:object_r:systemd_ibft_rule_generator_exec_t,s0) /usr/lib/systemd/system-generators/bootc-systemd-generator -- gen_context(system_u:object_r:systemd_bootc_generator_exec_t,s0) +/usr/lib/systemd/system-generators/kdump-dep-generator\.sh -- gen_context(system_u:object_r:systemd_kdump_dep_generator_exec_t,s0) /usr/lib/systemd/system-generators/nfsroot-generator -- gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0) /usr/lib/systemd/system-generators/nfs-server-generator -- gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0) +/usr/lib/systemd/system-generators/nm-initrd-generator.sh -- gen_context(system_u:object_r:systemd_nm_initrd_generator_exec_t,s0) /usr/lib/systemd/system-generators/rpc-pipefs-generator -- gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0) /usr/lib/systemd/system-generators/selinux-autorelabel-generator(\.sh)? -- gen_context(system_u:object_r:systemd_selinux_autorelabel_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-bless-boot-generator -- gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0) 
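Review bot: The new `nm-initrd-generator.sh` entry leaves the dot unescaped while `kdump-dep-generator\.sh` in the same hunk escapes it; file-context paths are regular expressions, so the unescaped dot also matches any single character in that position. The difference is harmless in practice but inconsistent within one hunk; prefer `/usr/lib/systemd/system-generators/nm-initrd-generator\.sh -- gen_context(system_u:object_r:systemd_nm_initrd_generator_exec_t,s0)`. The pre-existing `growpart-generator.sh` and `status-mail-generator.sh` context lines have the same unescaped form, so a follow-up could align them as well.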
@@ -96,14 +99,19 @@ /usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-getty-generator -- gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-hibernate-resume-generator -- gen_context(system_u:object_r:systemd_hibernate_resume_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-import-generator -- gen_context(system_u:object_r:systemd_import_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-integritysetup-generator -- gen_context(system_u:object_r:systemd_integritysetup_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-rc-local-generator -- gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-run-generator -- gen_context(system_u:object_r:systemd_run_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-ssh-generator -- gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0) -/usr/lib/systemd/system-generators/status-mail-generator.sh -- gen_context(system_u:object_r:systemd_status_mail_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-system-update-generator -- gen_context(system_u:object_r:systemd_system_update_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-veritysetup-generator -- gen_context(system_u:object_r:systemd_veritysetup_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-tpm2-generator -- gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0) -/usr/lib/systemd/system-generators/udev-trigger-generator -- 
gen_context(system_u:object_r:systemd_udev_trigger_generator_exec_t,s0) /usr/lib/systemd/system-generators/vsftpd-generator -- gen_context(system_u:object_r:systemd_vsftpd_generator_exec_t,s0) +/usr/lib/systemd/system-generators/status-mail-generator.sh -- gen_context(system_u:object_r:systemd_status_mail_generator_exec_t,s0) +/usr/lib/systemd/system-generators/udev-trigger-generator -- gen_context(system_u:object_r:systemd_udev_trigger_generator_exec_t,s0) /usr/lib/systemd/system-generators/zram-generator -- gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0) /usr/lib/systemd/system-generators/.+ -- gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0) /usr/lib/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260303/policy/modules/system/systemd.te new/selinux-policy-20260310/policy/modules/system/systemd.te --- old/selinux-policy-20260303/policy/modules/system/systemd.te 2026-03-03 14:32:40.000000000 +0100 +++ new/selinux-policy-20260310/policy/modules/system/systemd.te 2026-03-10 18:22:30.000000000 +0100 @@ -202,6 +202,8 @@ ### domains and file types for systemd generators +# anaconda-generator +systemd_generator_template(systemd_anaconda_generator) # bless-boot-generator systemd_generator_template(systemd_bless_boot_generator) # bootc-generator 
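Review bot: The second systemd.fc hunk places `systemd-system-update-generator` and `systemd-veritysetup-generator` before `systemd-sysv-generator` and `systemd-tpm2-generator`, and moves `status-mail-generator.sh` and `udev-trigger-generator` after `vsftpd-generator`, so the block is no longer in the alphabetical order the surrounding lines keep; the same reordering is mirrored in the systemd.te template list. If the intent is to group non-upstream generators at the end (which the diff suggests but does not state), a marker comment such as `# distribution-specific generators` before `status-mail-generator.sh` in both files would make the ordering rule visible; otherwise sort `veritysetup` after `tpm2`.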
@@ -222,28 +224,42 @@ systemd_generator_template(systemd_gpt_generator) # growpart-generator systemd_generator_template(systemd_growpart_generator) +# hibernate-resume-generator +systemd_generator_template(systemd_hibernate_resume_generator) # ibft-rule-generator systemd_generator_template(systemd_ibft_rule_generator) # import-generator systemd_generator_template(systemd_import_generator) +# integritysetup-generator +systemd_generator_template(systemd_integritysetup_generator) +# kdump-dep generator +systemd_generator_template(systemd_kdump_dep_generator) # nfs generator systemd_generator_template(systemd_nfs_generator) +# nm-initrd-generator +systemd_generator_template(systemd_nm_initrd_generator) # rc-local-generator systemd_generator_template(systemd_rc_local_generator) -# systemd-status-mail -systemd_generator_template(systemd_status_mail_generator) +# systemd-run-generator +systemd_generator_template(systemd_run_generator) # selinux_autorelabel generator systemd_generator_template(systemd_selinux_autorelabel_generator) # ssh-generator systemd_generator_template(systemd_ssh_generator) +# system-update-generator +systemd_generator_template(systemd_system_update_generator) # sysv-generator systemd_generator_template(systemd_sysv_generator) # tpm2-generator systemd_generator_template(systemd_tpm2_generator) -# udev-trigger-generator -systemd_generator_template(systemd_udev_trigger_generator) +# veritysetup-generator +systemd_generator_template(systemd_veritysetup_generator) # vsftpd-generator systemd_generator_template(systemd_vsftpd_generator) +# systemd-status-mail +systemd_generator_template(systemd_status_mail_generator) +# udev-trigger-generator +systemd_generator_template(systemd_udev_trigger_generator) # zram-generator systemd_generator_template(systemd_zram_generator) type systemd_zram_generator_conf_t; 
@@ -1454,6 +1470,10 @@ ### Rules for individual systemd generator domains +### anaconda generator +corecmd_exec_shell(systemd_anaconda_generator_t) +kernel_read_proc_files(systemd_anaconda_generator_t) + ### bless-boot generator fs_read_efivarfs_files(systemd_bless_boot_generator_t) @@ -1590,32 +1610,39 @@ permissive systemd_ibft_rule_generator_t; +### kdump-dep generator +corecmd_exec_shell(systemd_kdump_dep_generator_t) + ### nfs generator permissive systemd_nfs_generator_t; allow systemd_nfs_generator_t self:udp_socket create_socket_perms; allow systemd_nfs_generator_t self:netlink_route_socket { create_netlink_socket_perms }; -### systemd rc_local generator -init_exec_script_files(systemd_rc_local_generator_t) +### nm-initrd-generator +allow systemd_nm_initrd_generator_t self:capability sys_resource; -### status-mail generator (from os-update package) -corecmd_exec_bin(systemd_status_mail_generator_t) +permissive systemd_nm_initrd_generator_t; -optional_policy(` - # ignore #!/bin/bash reading passwd file - auth_dontaudit_read_passwd_file(systemd_status_mail_generator_t) -') +### systemd rc_local generator +init_exec_script_files(systemd_rc_local_generator_t) -permissive systemd_status_mail_generator_t; +### run generator +permissive systemd_run_generator_t; ### selinux_autorelabel generator optional_policy(` seutil_read_config(systemd_selinux_autorelabel_generator_t) ') +### hibernate-resume-generator +permissive systemd_hibernate_resume_generator_t; + ### systemd import generator permissive systemd_import_generator_t; +### integritysetup-generator +permissive systemd_integritysetup_generator_t; + ### ssh generator allow systemd_ssh_generator_t self:vsock_socket create; allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms }; 
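Review bot: `systemd_anaconda_generator_t` starts out enforcing with only `corecmd_exec_shell` and `kernel_read_proc_files`, whereas the `anaconda_generator_t` it replaces (removed from anaconda.te in this commit) was `permissive` and additionally had `corecmd_exec_bin`, `fs_getattr_all_fs` and `auth_dontaudit_read_passwd_file`. Unless `systemd_generator_template` supplies those accesses (its definition is not in the diff), the installer generator can now be denied with no permissive safety net, while the other domains introduced in the next hunk (nm-initrd, run, hibernate-resume, integritysetup) are all marked permissive. Either confirm the template covers the dropped rules, or add `permissive systemd_anaconda_generator_t;` beside the two rules until the domain has been exercised in enforcing mode, and note the decision in the section comment.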
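Review bot: The new `### kdump-dep generator` section keeps only `corecmd_exec_shell`, but the `kdump_dep_generator_t` policy removed from kdump.te in this commit also had `allow kdump_dep_generator_t kdump_etc_t:file read_file_perms;` together with `corecmd_exec_bin` and the passwd-file dontaudit, and no replacement for the `kdump_etc_t` read appears here; /etc/kdump.conf is labelled kdump_etc_t per the kdump.fc context lines, so unless the template grants it the generator will be denied reading its configuration. Because kdump_etc_t belongs to the kdump module, the access should go in an `optional_policy(` … `)` block calling the kdump config-read interface from kdump.if (that file is outside this diff). Separately, `systemd_nm_initrd_generator_t` is declared `permissive`, so the changelog entry "Confine system generator nm-initrd-generator.sh" currently means audit-only coverage; a comment such as `# permissive until AVCs from real boots have been reviewed` on that line would keep the expectation honest.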
@@ -1630,12 +1657,31 @@ ssh_getattr_unit_file(systemd_ssh_generator_t) ') +### system-update-generator +permissive systemd_system_update_generator_t; + ### sysv generator init_read_script_files(systemd_sysv_generator_t) ### tpm2 generator permissive systemd_tpm2_generator_t; +### veritysetup generator +permissive systemd_veritysetup_generator_t; + +### vsftpd generator +corecmd_exec_shell(systemd_vsftpd_generator_t) + +### status-mail generator (from os-update package) +corecmd_exec_bin(systemd_status_mail_generator_t) + +optional_policy(` + # ignore #!/bin/bash reading passwd file + auth_dontaudit_read_passwd_file(systemd_status_mail_generator_t) +') + +permissive systemd_status_mail_generator_t; + ### udev trigger generator allow systemd_udev_trigger_generator_t self:capability sys_resource; @@ -1651,9 +1697,6 @@ permissive systemd_udev_trigger_generator_t; -### vsftpd generator -corecmd_exec_shell(systemd_vsftpd_generator_t) - ### zram generator #allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms; permissive systemd_zram_generator_t; @@ -2090,6 +2133,7 @@ # allow systemd_mountfsd_t self:capability { sys_ptrace sys_resource }; +allow systemd_mountfsd_t self:capability2 { perfmon }; allow systemd_mountfsd_t systemd_mountfsd_exec_t:file execute_no_trans; permissive systemd_mountfsd_t;
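Review bot: `allow systemd_mountfsd_t self:capability2 { perfmon };` grants CAP_PERFMON outright with no comment on which operation in systemd-mountfsd needs it, and the domain is still `permissive` two lines below, so the AVC that prompted this may have been a capability probe rather than a real requirement. The same commit treats perfmon for tlp_t with a dontaudit because ps merely probes for it; before widening a privileged service with a broad capability, confirm the triggering operation (the changelog only says the capability is allowed) and either keep the allow with a comment naming that use, or narrow it to `dontaudit systemd_mountfsd_t self:capability2 perfmon;` if it is only a probe.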
