Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2026-05-16 19:23:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Sat May 16 19:23:52 2026 rev:38 rq:1353353 version:2.248.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2026-03-17 19:03:57.811343855 +0100
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.1966/container-selinux.changes
2026-05-16 19:24:17.065446090 +0200
@@ -0,0 +1,6 @@
+-------------------------------------------------------------------
+Fri May 15 09:19:15 UTC 2026 - Johannes Segitz <[email protected]>
+
+- Update to version 2.248.0:
+ * Condition ptrace permission on deny_ptrace boolean
+
Old:
----
container-selinux-2.247.0.tar.xz
New:
----
container-selinux-2.248.0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.IbtVVf/_old 2026-05-16 19:24:17.909480633 +0200
+++ /var/tmp/diff_new_pack.IbtVVf/_new 2026-05-16 19:24:17.913480797 +0200
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.247.0
+Version: 2.248.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.IbtVVf/_old 2026-05-16 19:24:17.961482761 +0200
+++ /var/tmp/diff_new_pack.IbtVVf/_new 2026-05-16 19:24:17.965482924 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/containers/container-selinux.git</param>
- <param
name="changesrevision">f336064bb5a086cab121c02acf285a68fa4b8352</param></service></servicedata>
+ <param
name="changesrevision">e659fc8858d2e34781cc1640ac1658ba484cb3f5</param></service></servicedata>
(No newline at EOF)
++++++ container-selinux-2.247.0.tar.xz -> container-selinux-2.248.0.tar.xz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.247.0/NOTICE
new/container-selinux-2.248.0/NOTICE
--- old/container-selinux-2.247.0/NOTICE 2026-03-13 14:58:55.000000000
+0100
+++ new/container-selinux-2.248.0/NOTICE 1970-01-01 01:00:00.000000000
+0100
@@ -1,15 +0,0 @@
-Copyright (c) 2015, 2020, Free Software Foundation, Inc.
-
-This program is free software; you can redistribute it and/or
-modify it under the terms of the GNU General Public License
-as published by the Free Software Foundation; either version 2
-of the License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.247.0/SECURITY.md
new/container-selinux-2.248.0/SECURITY.md
--- old/container-selinux-2.247.0/SECURITY.md 2026-03-13 14:58:55.000000000
+0100
+++ new/container-selinux-2.248.0/SECURITY.md 2026-05-14 17:04:49.000000000
+0200
@@ -1,3 +1,27 @@
## Security and Disclosure Information Policy for the container-selinux Project
-The container-selinux Project follows the [Security and Disclosure Information
Policy](https://github.com/containers/container-libs/blob/main/SECURITY.md) for
the Containers Projects.
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in container-selinux, please report
it through GitHub's Security Advisory system. This allows us to coordinate a
fix and disclosure process that protects users.
+
+Please DO NOT report the issue publicly via the GitHub issue tracker,
+mailing list, or Matrix.
+
+### How to Report
+
+1. Go to [our security advisory
page](https://github.com/containers/container-selinux/security/advisories/new)
to privately report the vulnerability.
+2. Provide detailed information about the vulnerability, including:
+ - Description of the issue
+ - Steps to reproduce
+ - Potential impact
+ - Suggested fix (if available)
+
+Your report will be reviewed by the maintainers, and we will work with you to
understand and address the issue promptly.
+
+### What to Expect
+
+- **Acknowledgment**: We will acknowledge receipt of your vulnerability report
within 48 hours.
+- **Updates**: We will keep you informed about our progress in addressing the
vulnerability.
+- **Credit**: We will credit you for the discovery when we publish the fix
(unless you prefer to remain anonymous).
+
+Thank you for helping keep container-selinux and its users secure!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.247.0/container.te
new/container-selinux-2.248.0/container.te
--- old/container-selinux-2.247.0/container.te 2026-03-13 14:58:55.000000000
+0100
+++ new/container-selinux-2.248.0/container.te 2026-05-14 17:04:49.000000000
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.247.0)
+policy_module(container, 2.248.0)
gen_require(`
class passwd rootok;
@@ -207,7 +207,7 @@
#
allow container_runtime_domain self:capability { chown kill fowner fsetid
mknod net_admin net_bind_service net_raw setfcap sys_resource };
allow container_runtime_domain self:tun_socket { create_socket_perms relabelto
};
-allow container_runtime_domain self:process ~setcurrent;
+allow container_runtime_domain self:process ~{ ptrace setcurrent };
allow container_runtime_domain self:passwd rootok;
allow container_runtime_domain self:fd use;
allow container_runtime_domain self:dir mounton;
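Review bot: The rewritten rule `allow container_runtime_domain self:process ~{ ptrace setcurrent };` drops ptrace from the blanket self:process grant without saying where it went, so someone auditing this line will conclude the runtime can no longer trace itself; a pointer would save that detour: `# ptrace is granted under the deny_ptrace tunable further down, together with container_domain and spc_t`. Whether the effective default changes depends on the default value of the deny_ptrace boolean in the base policy, which is not visible here; if it defaults to off, as the name suggests, this is a no-op on stock installs and only bites hosts that have set the boolean, which deserves a line in the changes entry. Note that a `self:process` rule only covers tracing a target in the same domain, so tracing of container processes by the runtime is governed by rules outside this hunk either way.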
@@ -1046,6 +1046,10 @@
kernel_read_irq_sysctls(container_domain)
kernel_get_sysvipc_info(container_domain)
+ifdef(`kernel_userfaultfd_use',`
+ kernel_userfaultfd_use(container_domain)
+')
+
fs_dontaudit_getattr_all_dirs(container_domain)
fs_dontaudit_getattr_all_files(container_domain)
fs_dontaudit_remount_tmpfs(container_domain)
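Review bot: The changes entry at the top of this mail credits the release only with conditioning ptrace on deny_ptrace, but this hunk also grants every container_domain `kernel_userfaultfd_use`, which is a separate and security-relevant widening that should be called out in the changelog and in a comment on the rule. userfaultfd is a well-known primitive for widening kernel race windows in container-escape exploits, so anyone hardening a host will want to know the policy now permits it; I would write `# allows userfaultfd(2) inside containers; unprivileged use is still gated by the kernel's vm.unprivileged_userfaultfd sysctl, verify on the target kernels`, and since the consumer that needs it is not visible in this diff the reason should be confirmed before it is written down. The `ifdef` guard means the rule silently compiles to nothing on base policies that lack the interface, which is fine for portability but worth knowing when a test for this permission passes on one distribution and fails on another.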
@@ -1702,6 +1706,7 @@
tunable_policy(`deny_ptrace',`',`
allow container_domain self:process ptrace;
+ allow container_runtime_domain self:process ptrace;
allow spc_t self:process ptrace;
')
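Review bot: The added `allow container_runtime_domain self:process ptrace;` keeps the runtime in step with container_domain and spc_t under the tunable, but none of the three rules say that `self:process` only reaches a tracee in the same domain, which is the first question an operator toggling deny_ptrace will ask; a comment at the top of the block would settle it: `# self-domain ptrace only; tracing a process in another domain needs its own allow rule`. Whether such cross-domain rules (runtime to container) exist is outside this hunk, so I have not assumed either way.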
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.247.0/plans/main.fmf
new/container-selinux-2.248.0/plans/main.fmf
--- old/container-selinux-2.247.0/plans/main.fmf 2026-03-13
14:58:55.000000000 +0100
+++ new/container-selinux-2.248.0/plans/main.fmf 2026-05-14
17:04:49.000000000 +0200
@@ -15,6 +15,7 @@
COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
if compgen -G $COPR_REPO_FILE > /dev/null; then
sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+ dnf upgrade -y --exclude=container-selinux || true
fi
/basic_check:
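Review bot: The `|| true` on the new `dnf upgrade -y --exclude=container-selinux || true` line turns a failed upgrade into a silent pass, so the basic checks can run against stale podman-next packages and report a green result that tested the wrong bits. If the step is deliberately best-effort, at least make the failure visible: `dnf upgrade -y --exclude=container-selinux || echo "WARNING: podman-next upgrade failed, testing with installed packages" >&2`. The enclosing prepare script starts before this hunk.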