Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-04-16 18:45:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and /work/SRC/openSUSE:Factory/.selinux-policy.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy" Thu Apr 16 18:45:21 2026 rev:156 rq:1347140 version:20260414 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-04-14 17:49:03.149357470 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.11940/selinux-policy.changes 2026-04-16 18:46:30.508226404 +0200 @@ -1,0 +2,7 @@ +Wed Apr 15 15:18:29 UTC 2026 - Cathy Hu <[email protected]> + +- Update to version 20260414: + * Allow snapper_sdbootutil_plugin_t linux_immutable (bsc#1261945) + * allow unconfined services to read VM state (bsc#1251789) + +------------------------------------------------------------------- Old: ---- selinux-policy-20260410.tar.xz New: ---- selinux-policy-20260414.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.ssRq75/_old 2026-04-16 18:46:31.672273869 +0200 +++ /var/tmp/diff_new_pack.ssRq75/_new 2026-04-16 18:46:31.676274032 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260410 +Version: 20260414 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ssRq75/_old 2026-04-16 18:46:31.764277620 +0200 +++ /var/tmp/diff_new_pack.ssRq75/_new 2026-04-16 18:46:31.768277783 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">252e324412345c586a2ce66d38fa88979dc91c56</param></service></servicedata> + <param name="changesrevision">8ccf71e134fe4abf3548618c2cf9355af242c5d6</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20260410.tar.xz -> selinux-policy-20260414.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260410/policy/modules/contrib/snapper.te new/selinux-policy-20260414/policy/modules/contrib/snapper.te --- old/selinux-policy-20260410/policy/modules/contrib/snapper.te 2026-04-10 10:20:33.000000000 +0200 +++ new/selinux-policy-20260414/policy/modules/contrib/snapper.te 2026-04-14 10:05:26.000000000 +0200 @@ -187,8 +187,9 @@ ### snapper sdbootutil plugin # for btrfs -allow snapper_sdbootutil_plugin_t self:capability sys_admin; +allow snapper_sdbootutil_plugin_t self:capability { linux_immutable sys_admin }; allow snapper_sdbootutil_plugin_t self:process { setfscreate }; + # PCRE JIT for grep, not needed, has a fallback if it's denied dontaudit snapper_sdbootutil_plugin_t self:process execmem; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260410/policy/modules/contrib/virt.te new/selinux-policy-20260414/policy/modules/contrib/virt.te --- old/selinux-policy-20260410/policy/modules/contrib/virt.te 2026-04-10 10:20:33.000000000 +0200 +++ new/selinux-policy-20260414/policy/modules/contrib/virt.te 2026-04-14 10:05:26.000000000 +0200 @@ -2447,6 +2447,10 @@ ') optional_policy(` + unconfined_server_read_state(virtqemud_t) +') + +optional_policy(` userdom_manage_tmp_files(virtqemud_t) userdom_manage_tmp_sockets(virtqemud_t) userdom_read_all_users_state(virtqemud_t)
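Review bot: In the snapper.te hunk, the widened rule `allow snapper_sdbootutil_plugin_t self:capability { linux_immutable sys_admin };` still sits under the comment `# for btrfs`, which does not say why linux_immutable is needed. CAP_LINUX_IMMUTABLE lets the domain set and clear the immutable and append-only inode flags, and a self:capability rule is domain-wide rather than tied to a file type, so a one-line comment naming the operation that needs it and the bug (bsc#1261945 per the changelog) would let a later reader judge whether the permission can be dropped again. The hunk also adds a blank line after the setfscreate rule, which is unrelated to the permission change.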
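Review bot: In the virt.te hunk, `unconfined_server_read_state(virtqemud_t)` is added without a comment, and its direction does not obviously match the changelog line "allow unconfined services to read VM state". Read the same way as `userdom_read_all_users_state(virtqemud_t)` a few lines below it, the call gives virtqemud_t read access to the state of unconfined services, not the reverse. Please confirm which direction bsc#1251789 needs, then either reword the changelog entry or add a short comment above the new optional_policy block stating what virtqemud_t reads and why.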
