Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-04-14 17:48:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Apr 14 17:48:44 2026 rev:155 rq:1345818 version:20260410 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-03-11 20:50:15.809471636 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.21863/selinux-policy.changes 2026-04-14 17:49:03.149357470 +0200 
@@ -1,0 +2,56 @@ +Fri Apr 10 12:02:19 UTC 2026 - Cathy Hu <[email protected]> + +- Update to version 20260410: + * Add missing Nextcloud file contexts (bsc#1261535) + * openSUSE uses /var/lib/php8 (bsc#1239177) + * /srv/www/htdocs is DocumentRoot of apache (bsc#1261535) + * Allow cloud init to domtrans into ssh keygen (bsc#1249964) + * Allow accountsd dbus chat with systemd-homed + * Allow accountsd read accountsd_share_t files + * Fix file context specification for /usr/share/accountsservice + * Allow xdm_exec_t be an entrypoint of login_userdomain + * Allow sshd-session send a generic signal to sshd-auth + * Allow virtnetworkd get attributes of filesystems with extended attributes + * Allow Polkit to get attributes of user terminals + * Allow nfsidmap connect to xdm over a unix stream socket + * Label /usr/share/accountsservice with accountsd_share_t + * Allow systemd-resolved write to systemd-networkd socket + * Dontaudit setroubleshootd read root's home files like .rpmmacros + * Support sandboxing features for sysadm_t + * Allow unconfined_t mounton on itself (bsc#1261035) + * update support for polkit agent helper (bsc#1251931) + * Add auth_nnp_domtrans_chkpwd() + * Allow staff_sudo_t read PID1's process state + * Allow staff_sudo_t read logind sessions files + * Allow nfs-server system generator the dac_read_search capability + * Allow snmpd create and use netlink tcpdiag socket + * Allow systemd-coredump signull containers + * Allow named_filetrans_domain filetrans flatpak homedir (bsc#1253682) + * Dontaudit logrotate perfmon and sys_admin capabilities + * Allow samba-bgqd sendto over a unix dgram socket + * Allow snapper sdbootutil plugin read kernel modules (bsc#1259867) + * Move interfaces from other modules to optional block + * Allow fedoratp_exec_t be an entrypoint of unconfined_t + * Allow rasdaemon_t to list pstore (bsc#1259742) + * Allow virtqemud_t send kill signal to svirt_tcg_t + * Allow virtqemud_t get priority of a svirt_t process + * Allow 
sysadm user connect to lvm over a unix stream socket + * Allow staff user delete thump_tmp_t files + * Allow staff user connect to systemd-logind over a unix stream socket + * Allow staff user mount /proc + * Allow virtqemud map vhost net device + * Dontaudit ps to read proc (bsc#1257527) + * Revert "Define file equivalency for /var/opt" (bsc#1259704) + * Allow dovecot_deliver_t map its private tmp files + * Allow rpcbind get attributes of the pidfs filesystem + * Fix names in mysql.if + * Allow create kerberos files in mysql db home + * Allow systemd-resolved connect to systemd-networkd over a unix stream socket + * Introduce local_login_allow_accountutils_fallback_mode boolean (bsc#1259119) + * Make stalld stalld_var_run_t labeling rules more generic (bsc#1259438) +- Syncing with upstream rawhide selinux-policy up to: + * d3068ffe2a211a7e959bb1d0ad9dd434c2d7da5b +- Update embedded container-selinux version to commit: + * f336064bb5a086cab121c02acf285a68fa4b8352 (v2.247.0) + +------------------------------------------------------------------- Old: ---- selinux-policy-20260311.tar.xz New: ---- selinux-policy-20260410.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.BxFFBF/_old 2026-04-14 17:49:04.421410049 +0200 +++ /var/tmp/diff_new_pack.BxFFBF/_new 2026-04-14 17:49:04.421410049 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260311 +Version: 20260410 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.BxFFBF/_old 2026-04-14 17:49:04.513413853 +0200 +++ /var/tmp/diff_new_pack.BxFFBF/_new 2026-04-14 17:49:04.517414017 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">98ea6e7f0280ea85501ca008907550c2cd221946</param></service></servicedata>
+ <param name="changesrevision">252e324412345c586a2ce66d38fa88979dc91c56</param></service></servicedata>
(No newline at EOF)
++++++ container.if ++++++
--- /var/tmp/diff_new_pack.BxFFBF/_old 2026-04-14 17:49:04.557415671 +0200
+++ /var/tmp/diff_new_pack.BxFFBF/_new 2026-04-14 17:49:04.561415836 +0200
@@ -607,9 +607,11 @@
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-containers")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-containers")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
 userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
@@ -681,7 +683,10 @@
 type container_file_t;
 ')
- allow $1 container_runtime_t:process { ptrace signal_perms };
+ allow $1 container_runtime_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 container_runtime_t:process ptrace;
+ ')
 ps_process_pattern($1, container_runtime_t)
 admin_pattern($1, container_config_t)
++++++ container.te ++++++
--- /var/tmp/diff_new_pack.BxFFBF/_old 2026-04-14 17:49:04.593417159 +0200
+++ /var/tmp/diff_new_pack.BxFFBF/_new 2026-04-14 17:49:04.597417325 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.246.0)
+policy_module(container, 2.247.0)
 gen_require(`
 class passwd rootok;
@@ -99,6 +99,15 @@
 ## </desc>
 gen_tunable(container_manage_public_content, false)
+## <desc>
+## <p>
+## Allow user_t confined users to run podman containers.
+## Disabled by default since user_t is the most restricted
+## confined user type.
+## </p>
+## </desc>
+gen_tunable(user_t_run_containers, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
@@ -838,7 +847,9 @@
 optional_policy(`
 unconfined_domain_noaudit(spc_t)
- domain_ptrace_all_domains(spc_t)
+ tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(spc_t)
+ ')
 # This should eventually be in upstream policy.
 # https://github.com/fedora-selinux/selinux-policy/pull/806
 allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
@@ -1135,6 +1146,7 @@
 allow container_net_domain self:sctp_socket listen;
 allow container_net_domain self:packet_socket create_socket_perms;
 allow container_net_domain self:socket create_socket_perms;
+allow container_net_domain self:smc_socket listen;
 allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_tcpdiag_socket nlmsg_read;
@@ -1333,13 +1345,26 @@
 allow userdomain self:cap_userns ~{ sys_module };
 container_read_state(userdomain)
 allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
- container_runtime_run(user_t, user_r)
+ role user_r types container_runtime_t;
 role user_r types container_user_domain;
 staff_role_change_to(system_r)
+ unprivuser_role_change_to(system_r)
 allow staff_t container_runtime_t:process signal_perms;
 allow staff_t container_domain:process signal_perms;
+
+ # Allow confined user systemd instances to create and manage sockets
+ # for podman.socket activation (user-level systemd pre-labels the
+ # socket as container_runtime_t via setsockcreatecon)
+ allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };
+
+ tunable_policy(`user_t_run_containers',`
+ container_runtime_domtrans(user_t)
+ allow user_t container_runtime_t:process signal_perms;
+ allow user_t container_domain:process signal_perms;
+ ')
+
 allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
 ')
++++++ selinux-policy-20260311.tar.xz -> selinux-policy-20260410.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/config/file_contexts.subs_dist new/selinux-policy-20260410/config/file_contexts.subs_dist
--- old/selinux-policy-20260311/config/file_contexts.subs_dist 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/config/file_contexts.subs_dist 2026-04-10 10:20:33.000000000 +0200
@@ -35,7 +35,6 @@
 /bin /usr/bin
 /usr/etc /etc
 /usr/sbin /usr/bin
-/var/opt /opt
 # SUSE-specific section
 /var/run/lock /var/lock
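Review bot: The rule `allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };` sits outside the new `user_t_run_containers` block, so user_t can create and listen on a container_runtime_t-labelled socket even when the boolean is off and no domain transition into container_runtime_t exists; if it is only there for podman.socket activation it should move inside the tunable, or carry a comment stating that it is intentionally unconditional. Labelling the socket via setsockcreatecon also needs `self:process setsockcreate` for the user's systemd instance, which this hunk does not add — presumably already granted to userdomain, but worth confirming with `systemctl --user start podman.socket` under user_t before relying on it. The enclosing optional_policy block starts outside the hunk.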
@@ -46,6 +45,7 @@
 ## for apache
 /srv/www /var/www
+/srv/www/htdocs /var/www/html
 ## for tomcat
 /srv/tomcat /var/lib/tomcat
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/accountsd.fc new/selinux-policy-20260410/policy/modules/contrib/accountsd.fc
--- old/selinux-policy-20260311/policy/modules/contrib/accountsd.fc 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/accountsd.fc 2026-04-10 10:20:33.000000000 +0200
@@ -5,4 +5,6 @@
 /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+/usr/share/accountsservice(/.*)? gen_context(system_u:object_r:accountsd_share_t,s0)
+
 /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/accountsd.te new/selinux-policy-20260410/policy/modules/contrib/accountsd.te
--- old/selinux-policy-20260311/policy/modules/contrib/accountsd.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/accountsd.te 2026-04-10 10:20:33.000000000 +0200
@@ -18,6 +18,9 @@
 init_daemon_domain(accountsd_t, accountsd_exec_t)
 role system_r types accountsd_t;
+type accountsd_share_t;
+files_type(accountsd_share_t)
+
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
@@ -34,6 +37,9 @@
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
+read_files_pattern(accountsd_t, accountsd_share_t, accountsd_share_t)
+watch_dirs_pattern(accountsd_t, accountsd_share_t, accountsd_share_t)
+
 manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
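Review bot: The new `/srv/www/htdocs /var/www/html` substitution only has the intended effect if it is matched before the `/srv/www /var/www` line above it; as far as I recall libselinux prepends subs_dist entries as it reads the file and returns on the first prefix match, so later (longer) lines win, which makes this correct but order-dependent. Add a comment, `# keep below /srv/www: later, more specific prefixes are matched first`, so a future reordering does not silently turn `/srv/www/htdocs/...` back into `/var/www/htdocs/...`. Verify with `matchpathcon /srv/www/htdocs/index.html` that the path now resolves through the `/var/www/html(/.*)?` rules.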
@@ -102,6 +108,10 @@ ') optional_policy(` + systemd_homed_dbus_chat(accountsd_t) +') + +optional_policy(` xserver_read_xdm_tmp_files(accountsd_t) xserver_read_state_xdm(accountsd_t) xserver_dbus_chat_xdm(accountsd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/antivirus.fc new/selinux-policy-20260410/policy/modules/contrib/antivirus.fc --- old/selinux-policy-20260311/policy/modules/contrib/antivirus.fc 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/antivirus.fc 2026-04-10 10:20:33.000000000 +0200 @@ -27,6 +27,7 @@ /var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0) +/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/spool/amavisd?(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/apache.fc new/selinux-policy-20260410/policy/modules/contrib/apache.fc --- old/selinux-policy-20260311/policy/modules/contrib/apache.fc 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/apache.fc 2026-04-10 10:20:33.000000000 +0200 
@@ -121,7 +121,7 @@
 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php[0-9]*(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -133,6 +133,7 @@
 /var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -161,7 +162,7 @@
 /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-
+/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/php-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
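Review bot: The widened `/var/lib/php[0-9]*(/.*)?` entry labels the whole openSUSE `/var/lib/php8` tree httpd_var_lib_t, but the more specific `/var/lib/php/session(/.*)?` and `/var/lib/php/wsdlcache(/.*)?` entries in the next hunk are still hard-coded to the Fedora path, so php8 session and wsdlcache data on openSUSE gets only the generic httpd_var_lib_t label rather than httpd_var_run_t as on Fedora. If that split is intended, a comment above the php line saying so would stop the next reader from "fixing" it; otherwise widen those two the same way, `/var/lib/php[0-9]*/session(/.*)?` and `/var/lib/php[0-9]*/wsdlcache(/.*)?`. Where openSUSE's php.ini actually points session.save_path should decide this, and I cannot tell from the hunk.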
@@ -182,6 +183,7 @@ /run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) /run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) /run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -203,6 +205,8 @@ /var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/cloudform.te new/selinux-policy-20260410/policy/modules/contrib/cloudform.te --- old/selinux-policy-20260311/policy/modules/contrib/cloudform.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/cloudform.te 2026-04-10 10:20:33.000000000 +0200 
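Review bot: `/var/www/html/nextcloud/apps(/.*)?` as httpd_sys_rw_content_t lets httpd_t write into a directory whose PHP it then loads, so a compromised PHP worker can persist code there; that is what Nextcloud's web-based app store needs, but it should be stated next to the rule, `# nextcloud installs/updates apps from the web UI (app store); needs rw`. With `/srv/www/htdocs` substituted to `/var/www/html` in the same update these entries presumably now cover the openSUSE DocumentRoot too, which looks like the point of bsc#1261535 — worth saying in the comment as well. Administrators who disable the app store can relabel apps/ back to httpd_sys_content_t; a sentence to that effect in the module documentation would make the trade-off visible.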
@@ -161,8 +161,9 @@
 ')
 optional_policy(`
- ssh_exec_keygen(cloud_init_t)
 ssh_read_user_home_files(cloud_init_t)
+ ssh_domtrans_keygen(cloud_init_t)
+
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/dovecot.te new/selinux-policy-20260410/policy/modules/contrib/dovecot.te
--- old/selinux-policy-20260311/policy/modules/contrib/dovecot.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/dovecot.te 2026-04-10 10:20:33.000000000 +0200
@@ -362,6 +362,7 @@
 manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+allow dovecot_deliver_t dovecot_deliver_tmp_t:file map;
 allow dovecot_deliver_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/fedoratp.if new/selinux-policy-20260410/policy/modules/contrib/fedoratp.if
--- old/selinux-policy-20260311/policy/modules/contrib/fedoratp.if 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/fedoratp.if 2026-04-10 10:20:33.000000000 +0200
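Review bot: The blank line added between `ssh_domtrans_keygen(cloud_init_t)` and the closing `')` is stray — the other optional_policy blocks visible in this hunk close directly after their last rule; drop it. Switching from ssh_exec_keygen to ssh_domtrans_keygen means cloud-init's ssh-keygen run now executes in ssh_keygen_t instead of cloud_init_t, so the generated host keys are written under ssh_keygen_t's rules rather than cloud_init_t's; a one-line why-comment such as `# run ssh-keygen in its own domain so generated host keys are labelled as sshd expects (bsc#1249964)` would keep that intent visible, if that is indeed the reason behind the bug.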
@@ -18,3 +18,21 @@ corecmd_search_bin($1) domtrans_pattern($1, fedoratp_exec_t, fedoratp_t) ') + +######################################## +## <summary> +## Allow fedoratp_exec_t be an entrypoint of the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fedoratp_entrypoint',` + gen_require(` + type fedoratp_exec_t; + ') + + allow $1 fedoratp_exec_t:file entrypoint; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/flatpak.if new/selinux-policy-20260410/policy/modules/contrib/flatpak.if --- old/selinux-policy-20260311/policy/modules/contrib/flatpak.if 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/flatpak.if 2026-04-10 10:20:33.000000000 +0200 @@ -0,0 +1,23 @@ +## <summary></summary> + +######################################### +## <summary> +## Transition to flatpak named content in user home +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`flatpak_named_filetrans_home_content',` + interface(`flatpak_named_filetrans_home_content',` + gen_require(` + type flatpak_home_t; + ') + + optional_policy(` + gnome_data_filetrans($1, flatpak_home_t, dir, "flatpak") + ') + ') +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/kerberos.if new/selinux-policy-20260410/policy/modules/contrib/kerberos.if --- old/selinux-policy-20260311/policy/modules/contrib/kerberos.if 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/kerberos.if 2026-04-10 10:20:33.000000000 +0200 
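Review bot: The module summary on the first line of flatpak.if is empty (`## <summary></summary>`) and the interface is wrapped in an `ifndef` guard with no comment saying which other definition it is protecting against, so a reader cannot tell whether this copy or another one is the live one. Fill the summary, e.g. `## <summary>Flatpak application deployment and sandboxing</summary>`, and add a line above the guard naming the other definer, e.g. `# guarded: another module in this build may already define this interface` with the actual module name — I cannot tell from the hunk which one it is. The gnome_data_filetrans call inside is itself under optional_policy, so the interface is a no-op when gnome is absent; saying that in the interface summary would save the next reader from chasing a missing transition.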
@@ -636,9 +636,17 @@ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") kerberos_tmp_filetrans_host_rcache($1, "ldap_55") - postgresql_db_filetrans($1, krb5_home_t, file, ".k5identity") - postgresql_db_filetrans($1, krb5_home_t, file, ".k5login") - postgresql_db_filetrans($1, krb5_home_t, file, ".k5users") + optional_policy(` + mysql_db_filetrans($1, krb5_home_t, file, ".k5identity") + mysql_db_filetrans($1, krb5_home_t, file, ".k5login") + mysql_db_filetrans($1, krb5_home_t, file, ".k5users") + ') + + optional_policy(` + postgresql_db_filetrans($1, krb5_home_t, file, ".k5identity") + postgresql_db_filetrans($1, krb5_home_t, file, ".k5login") + postgresql_db_filetrans($1, krb5_home_t, file, ".k5users") + ') ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/logrotate.te new/selinux-policy-20260410/policy/modules/contrib/logrotate.te --- old/selinux-policy-20260311/policy/modules/contrib/logrotate.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/logrotate.te 2026-04-10 10:20:33.000000000 +0200 
@@ -64,7 +64,8 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_read_search dac_override kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -dontaudit logrotate_t self:capability { sys_resource net_admin }; +dontaudit logrotate_t self:capability { sys_admin sys_resource net_admin }; +dontaudit logrotate_t self:capability2 { perfmon }; dontaudit logrotate_t self:cap_userns { sys_ptrace }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/mysql.if new/selinux-policy-20260410/policy/modules/contrib/mysql.if --- old/selinux-policy-20260311/policy/modules/contrib/mysql.if 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/mysql.if 2026-04-10 10:20:33.000000000 +0200 @@ -74,7 +74,7 @@ ######################################## ## <summary> -## Allow the specified domain to connect to postgresql with a tcp socket. +## Allow the specified domain to connect to mysql with a tcp socket. ## </summary> ## <param name="domain"> ## <summary> 
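Review bot: The new `dontaudit logrotate_t self:capability { sys_admin ... }` and `capability2 { perfmon }` lines silence denials without saying what triggers them, and CAP_SYS_ADMIN denials are exactly the signal an operator may want to keep from a daemon that runs postrotate scripts. Add a why-comment above them naming the trigger, e.g. `# logrotate probes sys_admin/perfmon at startup; not needed for rotation, silence rather than grant`, with the real cause if the bug report gives one. If the trigger is a site-specific postrotate hook rather than logrotate itself, a local module is the better place for the dontaudit than the distribution policy.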
@@ -588,6 +588,39 @@ ') ######################################## +## <summary> +## Create private objects at mysql db directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`mysql_db_filetrans',` + gen_require(` + type mysqld_db_t; + ') + + filetrans_pattern($1, mysqld_db_t, $2, $3, $4) +') + +######################################## ## <summary> ## All of the rules required to administrate an mysql environment ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/policykit.te new/selinux-policy-20260410/policy/modules/contrib/policykit.te --- old/selinux-policy-20260311/policy/modules/contrib/policykit.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/policykit.te 2026-04-10 10:20:33.000000000 +0200 @@ -105,6 +105,7 @@ systemd_read_logind_sessions_files(policykit_t) userdom_getattr_all_users(policykit_t) +userdom_getattr_user_terminals(policykit_t) userdom_read_all_users_state(policykit_t) userdom_dontaudit_search_admin_dir(policykit_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/rasdaemon.te new/selinux-policy-20260410/policy/modules/contrib/rasdaemon.te --- old/selinux-policy-20260311/policy/modules/contrib/rasdaemon.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/rasdaemon.te 2026-04-10 10:20:33.000000000 +0200 
@@ -37,6 +37,7 @@
 corecmd_exec_bin(rasdaemon_t)
+fs_list_pstore(rasdaemon_t)
 fs_rw_tracefs_files(rasdaemon_t)
 fs_manage_tracefs_dirs(rasdaemon_t)
 fs_mount_tracefs(rasdaemon_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/redis.fc new/selinux-policy-20260410/policy/modules/contrib/redis.fc
--- old/selinux-policy-20260311/policy/modules/contrib/redis.fc 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/redis.fc 2026-04-10 10:20:33.000000000 +0200
@@ -20,3 +20,6 @@
 /run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
 /run/valkey(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+
+
+/var/opt/rh/rh-redis32/redis(/.*)? -- gen_context(system_u:object_r:redis_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/rpc.te new/selinux-policy-20260410/policy/modules/contrib/rpc.te
--- old/selinux-policy-20260311/policy/modules/contrib/rpc.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/rpc.te 2026-04-10 10:20:33.000000000 +0200
@@ -482,3 +482,7 @@
 optional_policy(`
 virt_search_lib(nfsidmap_t)
 ')
+
+optional_policy(`
+ xserver_stream_connect_xdm(nfsidmap_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/rpcbind.te new/selinux-policy-20260410/policy/modules/contrib/rpcbind.te
--- old/selinux-policy-20260311/policy/modules/contrib/rpcbind.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/rpcbind.te 2026-04-10 10:20:33.000000000 +0200
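Review bot: `/var/opt/rh/rh-redis32/redis(/.*)? -- gen_context(system_u:object_r:redis_exec_t,s0)` gives every regular file under a `/var/opt` data path the executable type, which makes anything written there a valid entrypoint for redis_t; the two neighbouring `/run/...` entries use data types, and an SCL daemon binary would normally live under `/opt/rh/.../usr/bin`, not `/var/opt`. Unless that directory really holds only the redis-server binary, it should carry a data type, e.g. `/var/opt/rh/rh-redis32/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)` (or the _log_t/_var_run_t variant matching what is actually stored there). Two blank lines were also added where one would do.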
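Review bot: `xserver_stream_connect_xdm(nfsidmap_t)` lets a kernel key-upcall helper connect to any unix stream socket the display manager owns, which is surprising enough that the block needs a why-comment, e.g. `# nfsidmap's name-service lookup reaches a socket labelled xdm_t; connect only`, with the real trigger filled in — I am inferring the cause from the changes entry, not from the hunk. If the actual target is one specific socket (for example under /run/user), a narrower rule or a dontaudit is preferable to granting connectto on everything xdm_t creates.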
@@ -75,6 +75,8 @@ files_read_etc_runtime_files(rpcbind_t) +fs_getattr_pidfs(rpcbind_t) + auth_use_nsswitch(rpcbind_t) logging_send_syslog_msg(rpcbind_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/samba.te new/selinux-policy-20260410/policy/modules/contrib/samba.te --- old/selinux-policy-20260311/policy/modules/contrib/samba.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/samba.te 2026-04-10 10:20:33.000000000 +0200 @@ -321,7 +321,7 @@ allow samba_bgqd_t self:netlink_route_socket r_netlink_socket_perms; allow samba_bgqd_t self:tcp_socket create_stream_socket_perms; allow samba_bgqd_t self:udp_socket create_socket_perms; -allow samba_bgqd_t self:unix_dgram_socket create_socket_perms; +allow samba_bgqd_t self:unix_dgram_socket { create_socket_perms sendto }; read_files_pattern(samba_bgqd_t, samba_etc_t, samba_etc_t) allow samba_bgqd_t samba_log_t:dir create_dir_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/setroubleshoot.te new/selinux-policy-20260410/policy/modules/contrib/setroubleshoot.te --- old/selinux-policy-20260311/policy/modules/contrib/setroubleshoot.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/setroubleshoot.te 2026-04-10 10:20:33.000000000 +0200 
@@ -165,6 +165,7 @@ seutil_read_default_contexts(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) +userdom_dontaudit_read_admin_home_files(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/snapper.te new/selinux-policy-20260410/policy/modules/contrib/snapper.te --- old/selinux-policy-20260311/policy/modules/contrib/snapper.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/snapper.te 2026-04-10 10:20:33.000000000 +0200 @@ -219,6 +219,7 @@ files_delete_etc_files(snapper_sdbootutil_plugin_t) files_list_kernel_modules(snapper_sdbootutil_plugin_t) +files_read_kernel_modules(snapper_sdbootutil_plugin_t) # grep through /var/lib/sdbootutil, maybe label it in the future # and then this would be better diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/snmp.te new/selinux-policy-20260410/policy/modules/contrib/snmp.te --- old/selinux-policy-20260311/policy/modules/contrib/snmp.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/snmp.te 2026-04-10 10:20:33.000000000 +0200 
@@ -34,6 +34,8 @@
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow snmpd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+
 allow snmpd_t self:tcp_socket create_stream_socket_perms;
 allow snmpd_t self:udp_socket connected_stream_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/stalld.fc new/selinux-policy-20260410/policy/modules/contrib/stalld.fc
--- old/selinux-policy-20260311/policy/modules/contrib/stalld.fc 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/stalld.fc 2026-04-10 10:20:33.000000000 +0200
@@ -2,4 +2,4 @@
 /usr/lib/systemd/system/stalld.* -- gen_context(system_u:object_r:stalld_unit_file_t,s0)
-/run/stalld.pid -- gen_context(system_u:object_r:stalld_var_run_t,s0)
+/run/stalld(/.*)? gen_context(system_u:object_r:stalld_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/thumb.if new/selinux-policy-20260410/policy/modules/contrib/thumb.if
--- old/selinux-policy-20260311/policy/modules/contrib/thumb.if 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/contrib/thumb.if 2026-04-10 10:20:33.000000000 +0200
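Review bot: `create_netlink_socket_perms` on `netlink_tcpdiag_socket` grants `nlmsg_write` as well as `nlmsg_read`; the sock_diag queries behind the TCP/UDP connection tables only need read, while write is the permission SOCK_DESTROY requires to tear down other processes' connections. Unless snmpd is known to issue destroy requests, tighten to `allow snmpd_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };`, in line with the `nlmsg_read`-only grant container_net_domain receives elsewhere in this update. The blank line added after the rule splits the run of self-socket rules for no reason.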
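Review bot: `/run/stalld(/.*)?` does not match `/run/stalld.pid`, which the removed line labelled, because the optional group requires a `/` immediately after `stalld`; a daemon build that still writes that pid file now falls back to the generic var_run_t label. Either keep the pid entry next to the new directory entry or cover both with one pattern, `/run/stalld(\.pid|/.*)? gen_context(system_u:object_r:stalld_var_run_t,s0)`. If stalld.te gained a filetrans for the pid file this is moot, but that is not visible here.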
@@ -172,3 +172,22 @@ files_search_tmp($1) allow $1 thumb_tmp_t:file read_file_perms; ') + +######################################## +## <summary> +## Allow the specified domain to delete thumb tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`thumb_delete_tmp_files',` + gen_require(` + type thumb_tmp_t; + ') + + files_search_tmp($1) + allow $1 thumb_tmp_t:file delete_file_perms; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/tlp.te new/selinux-policy-20260410/policy/modules/contrib/tlp.te --- old/selinux-policy-20260311/policy/modules/contrib/tlp.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/tlp.te 2026-04-10 10:20:33.000000000 +0200 @@ -69,7 +69,7 @@ # tlp uses ps aux to check the process list and then # greps for only tuned-ppd, power-profiles-daemon and # tlp-pd. Dontauditing the rest. -domain_dontaudit_search_all_domains_state(tlp_t) +domain_dontaudit_read_all_domains_state(tlp_t) files_read_kernel_modules(tlp_t) files_map_kernel_modules(tlp_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/contrib/virt.te new/selinux-policy-20260410/policy/modules/contrib/virt.te --- old/selinux-policy-20260311/policy/modules/contrib/virt.te 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/contrib/virt.te 2026-04-10 10:20:33.000000000 +0200 @@ -2022,6 +2022,8 @@ dev_rw_sysfs(virtnetworkd_t) +fs_getattr_xattr_fs(virtnetworkd_t) + sysnet_domtrans_ifconfig(virtnetworkd_t) sysnet_read_config(virtnetworkd_t) 
@@ -2189,12 +2191,12 @@ allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom; allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms; -allow virtqemud_t svirt_t:process { getattr getrlimit setrlimit setsched signal signull transition }; +allow virtqemud_t svirt_t:process { getattr getrlimit getsched setrlimit setsched signal signull transition }; allow virtqemud_t svirt_t:tcp_socket create_stream_socket_perms; allow virtqemud_t svirt_t:udp_socket create_socket_perms; allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; -allow virtqemud_t svirt_tcg_t:process { getrlimit getsched setsched signal signull transition }; +allow virtqemud_t svirt_tcg_t:process { getrlimit getsched setsched sigkill signal signull transition }; allow virtqemud_t svirt_tcg_t:unix_stream_socket { connectto create_stream_socket_perms }; allow virtqemud_t svirt_devpts_t:chr_file open; @@ -2306,7 +2308,7 @@ dev_rw_input_dev(virtqemud_t) dev_rw_kvm(virtqemud_t) dev_rw_lvm_control(virtqemud_t) -dev_rw_vhost(virtqemud_t) +dev_rw_map_vhost(virtqemud_t) dev_rw_sev(virtqemud_t) dev_setattr_input_dev(virtqemud_t) dev_setattr_sev(virtqemud_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/kernel/devices.if new/selinux-policy-20260410/policy/modules/kernel/devices.if --- old/selinux-policy-20260311/policy/modules/kernel/devices.if 2026-03-11 09:19:42.000000000 +0100 +++ new/selinux-policy-20260410/policy/modules/kernel/devices.if 2026-04-10 10:20:33.000000000 +0200 
@@ -6253,6 +6253,25 @@
 ########################################
 ## <summary>
+## Allow read/write/map the vhost net device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_map_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ allow $1 vhost_device_t:chr_file map;
+')
+
+########################################
+## <summary>
 ## Allow read/write inheretid the vhost net device
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/kernel/domain.te new/selinux-policy-20260410/policy/modules/kernel/domain.te
--- old/selinux-policy-20260311/policy/modules/kernel/domain.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/kernel/domain.te 2026-04-10 10:20:33.000000000 +0200
@@ -354,6 +354,10 @@
 ')
 optional_policy(`
+ flatpak_named_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
 ipa_filetrans_named_content(named_filetrans_domain)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/kernel/files.if new/selinux-policy-20260410/policy/modules/kernel/files.if
--- old/selinux-policy-20260311/policy/modules/kernel/files.if 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/kernel/files.if 2026-04-10 10:20:33.000000000 +0200
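Review bot: `dev_rw_map_vhost` re-implements the body of the existing `dev_rw_vhost` (the `rw_chr_files_pattern` call on `device_t`/`vhost_device_t`, which virt.te was calling until this changeset) instead of calling it, so the two permission sets can drift apart. Writing the body as `dev_rw_vhost($1)` followed by `allow $1 vhost_device_t:chr_file map;` keeps the read/write part defined in one place and shrinks the `gen_require` to `vhost_device_t` only. `map` additionally lets the caller mmap the vhost device node, which is the extra right virtqemud picks up when it moves from `dev_rw_vhost` to `dev_rw_map_vhost`; the summary could say so in one clause, e.g. `## Allow read/write and mmap of the vhost net device`.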
@@ -10152,7 +10152,7 @@
 # namespace.init
 files_search_tmp($1)
 files_search_home($1)
- corecmd_exec_bin($1)
+ #corecmd_exec_bin($1)
 seutil_domtrans_setfiles($1)
 ')
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/roles/staff.te new/selinux-policy-20260410/policy/modules/roles/staff.te
--- old/selinux-policy-20260311/policy/modules/roles/staff.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/roles/staff.te 2026-04-10 10:20:33.000000000 +0200
@@ -34,6 +34,7 @@
 kernel_read_ring_buffer(staff_t)
 kernel_getattr_core_if(staff_t)
 kernel_getattr_message_if(staff_t)
+kernel_mount_proc(staff_t)
 kernel_read_software_raid_state(staff_t)
 kernel_read_fs_sysctls(staff_t)
 kernel_read_numa_state(staff_t)
@@ -334,6 +335,8 @@
 systemd_hwdb_mmap_config(staff_t)
 systemd_manage_all_unit_files(staff_t)
 systemd_manage_unit_dirs(staff_t)
+
+ systemd_logind_stream_connect(staff_t)
 ')
 optional_policy(`
@@ -352,9 +355,19 @@
 optional_policy(`
 sudo_role_template(staff, staff_r, staff_t)
+
+ init_read_state(staff_sudo_t)
+
 optional_policy(`
 crontab_domtrans(staff_sudo_t)
 ')
+ optional_policy(`
+ systemd_read_logind_sessions_files(staff_sudo_t)
+ ')
+')
+
+optional_policy(`
+ thumb_delete_tmp_files(staff_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/roles/sysadm.te new/selinux-policy-20260410/policy/modules/roles/sysadm.te
--- old/selinux-policy-20260311/policy/modules/roles/sysadm.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/roles/sysadm.te 2026-04-10 10:20:33.000000000 +0200
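Review bot: `#corecmd_exec_bin($1)` is left behind as commented-out code with no note on why it was dropped, so a later reader cannot tell whether it is dead or pending re-enablement. Either delete the line or replace it with a comment naming where the permission now comes from, e.g. `# corecmd_exec_bin() is granted by the login-program interface in authlogin.if`; the authlogin.if hunk in this same changeset adds `corecmd_exec_bin($1)` there, which looks like the intended replacement. The enclosing interface and the nested block this line sits in both start outside the hunk.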
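Review bot: `kernel_mount_proc(staff_t)` and `systemd_logind_stream_connect(staff_t)` are new grants to the interactive staff user domain with no comment explaining what triggered them, and letting a user domain mount procfs is a noticeable widening compared with the read-only kernel_* calls around it. A one-line comment above each naming the feature, e.g. `# mount proc inside user namespaces (sandboxing) — fill in actual trigger`, keeps the privilege audit trail for staff_t usable. The staff_sudo_t additions (`init_read_state`, `systemd_read_logind_sessions_files`) are narrow reads and look fine; `thumb_delete_tmp_files(staff_t)` depends on the thumb.if interface also covering the parent directory, which it currently does not.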
@@ -9,6 +9,7 @@
 userdom_admin_user_template(sysadm)
 allow sysadm_t self:socket { accept listen };
+allow sysadm_t self:netlink_route_socket nlmsg_write;
 allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 allow sysadm_t self:netlink_selinux_socket create_socket_perms;
 allow sysadm_t self:netlink_generic_socket create_socket_perms;
@@ -40,6 +41,7 @@
 dev_filetrans_all_named_dev(sysadm_t)
 dev_read_tpm(sysadm_t)
+dev_rw_dma_dev(sysadm_t)
 dev_rw_ipmi_dev(sysadm_t)
 dev_rw_autofs(sysadm_t)
 dev_rw_lvm_control(sysadm_t)
@@ -63,6 +65,8 @@
 fs_rw_tracefs_files(sysadm_t)
 fs_mount_tracefs(sysadm_t)
 fs_read_nsfs_files(sysadm_t)
+fs_remount_xattr_fs(sysadm_t)
+fs_unmount_xattr_fs(sysadm_t)
 storage_filetrans_all_named_dev(sysadm_t)
 storage_read_scsi_generic(sysadm_t)
@@ -101,6 +105,7 @@
 init_ioctl_stream_sockets(sysadm_t)
 init_prog_run_bpf(sysadm_t)
 init_run_script(sysadm_t, sysadm_r)
+init_rw_stream_sockets(sysadm_t)
 logging_filetrans_named_content(sysadm_t)
 logging_map_audit_config(sysadm_t)
@@ -408,6 +413,7 @@
 optional_policy(`
 lvm_run(sysadm_t, sysadm_r)
+ lvm_stream_connect(sysadm_t)
 ')
 optional_policy(`
@@ -549,6 +555,7 @@
 optional_policy(`
 rtkit_daemon_dbus_chat(sysadm_t)
+ rtkit_scheduled(sysadm_t)
 ')
 optional_policy(`
@@ -725,6 +732,7 @@
 optional_policy(`
 xserver_role(sysadm_r, sysadm_t)
+ xserver_rw_xdm_stream_sockets(sysadm_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/roles/unconfineduser.te new/selinux-policy-20260410/policy/modules/roles/unconfineduser.te
--- old/selinux-policy-20260311/policy/modules/roles/unconfineduser.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/roles/unconfineduser.te 2026-04-10 10:20:33.000000000 +0200
@@ -62,6 +62,7 @@
 # Local policy
 #
+allow unconfined_t self:{dir file} mounton;
 dontaudit unconfined_t self:dir write;
 dontaudit unconfined_t self:file setattr;
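Review bot: The additions to sysadm_t across these hunks (`nlmsg_write` on the route socket, `dev_rw_dma_dev`, `fs_remount_xattr_fs`/`fs_unmount_xattr_fs`, `init_rw_stream_sockets`, `lvm_stream_connect`, `rtkit_scheduled`, `xserver_rw_xdm_stream_sockets`) carry no comments, and several of them — DMA device access, remount/unmount of every xattr-labelled filesystem, writing routing messages — are privilege-relevant enough that a later audit of sysadm_t will want to know which feature each serves. A short comment above each group, e.g. `# <feature name>: remount/unmount needed for …` with the feature taken from the commit, makes that tractable. Placement is consistent: the lvm, rtkit and xserver calls sit in their modules' `optional_policy` blocks while the dev/fs/init calls are unconditional, matching where those interfaces live.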
@@ -158,6 +159,10 @@
 ')
 optional_policy(`
+ fedoratp_entrypoint(unconfined_t)
+ ')
+
+ optional_policy(`
 gpg_filetrans_admin_home_content(unconfined_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/services/ssh.te new/selinux-policy-20260410/policy/modules/services/ssh.te
--- old/selinux-policy-20260311/policy/modules/services/ssh.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/services/ssh.te 2026-04-10 10:20:33.000000000 +0200
@@ -98,6 +98,8 @@
 allow sshd_session_t sshd_t:unix_stream_socket { read write };
 allow sshd_session_t sshd_t:vsock_socket { getattr };
+allow sshd_session_t sshd_auth_t:process signal;
+
 allow sshd_session_t ssh_home_t:dir relabelto;
 allow sshd_session_t ssh_home_t:file relabelto;
 manage_dirs_pattern(sshd_session_t, ssh_home_t, ssh_home_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/services/xserver.if new/selinux-policy-20260410/policy/modules/services/xserver.if
--- old/selinux-policy-20260311/policy/modules/services/xserver.if 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/services/xserver.if 2026-04-10 10:20:33.000000000 +0200
@@ -940,6 +940,24 @@
 ########################################
 ## <summary>
+## Allow xdm_exec_t be an entrypoint of the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_entrypoint_xdm',`
+ gen_require(`
+ type xdm_exec_t;
+ ')
+
+ allow $1 xdm_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
 ## Read xserver configuration files.
 ## </summary>
 ## <param name="domain">
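Review bot: The summary of `xserver_entrypoint_xdm` reads `## Allow xdm_exec_t be an entrypoint of the specified domain.` and should be `## Allow xdm_exec_t to be an entrypoint of the specified domain.`; it would also help to state that `entrypoint` alone does not let the caller run anything — the executing domain still needs `execute` on xdm_exec_t and a transition rule (or setexeccon) before $1 can be entered through that binary. The interface is applied to every `login_userdomain` in the userdomain.te hunk at the end of this changeset, so that caveat is exactly what a reader of that call will be looking for.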
@@ -1698,6 +1716,24 @@
 ')
 ########################################
+## <summary>
+## Read and write xdm unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_stream_sockets',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:unix_stream_socket { read write };
+')
+
+########################################
 ## <summary>
 ## Do not audit attempts to read and write xdm
 ## unix domain stream sockets.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/system/authlogin.fc new/selinux-policy-20260410/policy/modules/system/authlogin.fc
--- old/selinux-policy-20260311/policy/modules/system/authlogin.fc 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/system/authlogin.fc 2026-04-10 10:20:33.000000000 +0200
@@ -48,6 +48,8 @@
 /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
 /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/system/authlogin.if new/selinux-policy-20260410/policy/modules/system/authlogin.if
--- old/selinux-policy-20260311/policy/modules/system/authlogin.if 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/system/authlogin.if 2026-04-10 10:20:33.000000000 +0200
@@ -132,6 +132,8 @@
 typeattribute $1 polydomain;
 typeattribute $1 login_pgm;
+ corecmd_exec_bin($1)
+
 domain_subj_id_change_exemption($1)
 domain_role_change_exemption($1)
 domain_obj_id_change_exemption($1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/system/locallogin.te new/selinux-policy-20260410/policy/modules/system/locallogin.te
--- old/selinux-policy-20260311/policy/modules/system/locallogin.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/system/locallogin.te 2026-04-10 10:20:33.000000000 +0200
@@ -6,6 +6,16 @@
 #
 ## <desc>
+## <p>
+## Allow accountutils fallback to be able to directly access /etc/shadow.
+## This will cause older pam_unix to fail the login as they are checking
+## if an caller's domain is confined by checking the access to /etc/shadow.
+## See also: https://github.com/linux-pam/linux-pam/blob/d74c4294d32cffcf5dbc7a4491142877471b98a0/modules/pam_unix/passverify.c#L557
+## </p>
+## </desc>
+gen_tunable(local_login_allow_accountutils_fallback_mode, true)
+
+## <desc>
 ## <p>
 ## Allow login console run podman
 ## </p>
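Review bot: Adding `corecmd_exec_bin($1)` here hands every domain that goes through this interface permission to execute all `bin_t`/`sbin_t` binaries, a wider grant than the nested block it is removed from in the files.if hunk above, and nothing records which login helper needed it. A one-line `# login programs exec helpers from bin_t (moved here from files.if)` above the call would preserve that history. The enclosing interface starts outside the hunk, so its name cannot be confirmed from here; `typeattribute $1 login_pgm` on the context line suggests it is the login-program template, which is what makes the widening worth a comment.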
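Review bot: The description of `local_login_allow_accountutils_fallback_mode` has a grammar slip and a tangled second sentence: `## if an caller's domain is confined by checking the access to /etc/shadow.` should read `## if a caller's domain is confined by testing its access to /etc/shadow.`. Splitting the sentence also reads better: `## This will cause older pam_unix versions to fail the login, because they` / `## decide whether the caller's domain is confined by testing its access to /etc/shadow.`. Since the tunable defaults to `true`, that drawback applies out of the box, which the description could state explicitly.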
@@ -171,6 +181,13 @@
 userdom_manage_tmp_files(local_login_t)
 userdom_tmp_filetrans_user_tmp(local_login_t, file)
+# This needs to be outside the "local_login_allow_accountutils_fallback_mode"
+# tunable as we can not assign attributes to domains in a tunable
+auth_can_read_shadow_passwords(local_login_t)
+tunable_policy(`local_login_allow_accountutils_fallback_mode',`
+ auth_tunable_read_shadow(local_login_t)
+')
+
 tunable_policy(`login_console_enabled',`
 term_use_console(local_login_t)
 # Able to relabel /dev/console to user tty types.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/system/systemd.te new/selinux-policy-20260410/policy/modules/system/systemd.te
--- old/selinux-policy-20260311/policy/modules/system/systemd.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/system/systemd.te 2026-04-10 10:20:33.000000000 +0200
@@ -1408,6 +1408,10 @@
 fs_mounton_tmpfs(systemd_coredump_t)
 optional_policy(`
+ container_signull(systemd_coredump_t)
+')
+
+optional_policy(`
 logging_send_syslog_msg(systemd_coredump_t)
 ')
@@ -1625,6 +1629,7 @@
 ### nfs generator
 permissive systemd_nfs_generator_t;
+allow systemd_nfs_generator_t self:capability dac_read_search;
 allow systemd_nfs_generator_t self:udp_socket create_socket_perms;
 allow systemd_nfs_generator_t self:netlink_route_socket { create_netlink_socket_perms };
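Review bot: `auth_can_read_shadow_passwords(local_login_t)` is applied unconditionally, and the comment only says why it cannot sit inside the `tunable_policy` block (it assigns an attribute), not what that implies: local_login_t carries the attribute even when `local_login_allow_accountutils_fallback_mode` is off, so any rule or neverallow elsewhere keyed on that attribute treats local_login_t as a shadow reader regardless of the tunable, while only the file access from `auth_tunable_read_shadow` is gated. Extending the comment, e.g. `# NOTE: the attribute is therefore present regardless of the tunable; only the actual /etc/shadow access below is gated`, would stop someone later "fixing" the placement. What the attribute grants on its own depends on authlogin.te, not visible here.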
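Review bot: `allow systemd_nfs_generator_t self:capability dac_read_search;` is added without a comment on which root-only path the generator needs to bypass DAC for, and because the domain is still declared `permissive` on the line above, the rule is not exercised in enforcing mode, so a wrong or stale reason will not be caught by denials. A comment such as `# dac_read_search: <path the generator reads, from the original AVC>` with the placeholder filled in would make it verifiable when the domain is eventually switched to enforcing.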
@@ -1769,9 +1774,12 @@
 manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+allow systemd_resolved_t systemd_machined_var_run_t:sock_file write;
+
 list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 allow systemd_resolved_t systemd_networkd_var_run_t:sock_file write;
+allow systemd_resolved_t systemd_networkd_t:unix_stream_socket connectto;
 allow systemd_resolved_t systemd_networkd_var_run_t:dir watch_dir_perms;
 kernel_dgram_send(systemd_resolved_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260311/policy/modules/system/userdomain.te new/selinux-policy-20260410/policy/modules/system/userdomain.te
--- old/selinux-policy-20260311/policy/modules/system/userdomain.te 2026-03-11 09:19:42.000000000 +0100
+++ new/selinux-policy-20260410/policy/modules/system/userdomain.te 2026-04-10 10:20:33.000000000 +0200
@@ -515,6 +515,7 @@
 ')
 optional_policy(`
+ xserver_entrypoint_xdm(login_userdomain)
 xserver_stream_accept_xdm(login_userdomain)
 ')
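Review bot: `allow systemd_resolved_t systemd_machined_var_run_t:sock_file write;` has no companion rule toward the machined daemon, whereas the networkd case in the same hunk pairs its `sock_file write` with `systemd_networkd_t:unix_stream_socket connectto`. Writing the socket inode is only half of a connect(): if machined's socket is a stream socket, resolved also needs `connectto` on the machined domain's `unix_stream_socket` (or `sendto` on its `unix_dgram_socket` if it is a datagram socket), so either that rule already exists elsewhere in systemd.te or this will surface as a second denial. If it is the former, a short comment pointing at the existing rule would make the pair obvious.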
