Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-05-24 19:34:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sun May 24 19:34:57 2026 rev:159 rq:1354709 version:20260522 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-05-16 19:24:10.117161725 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2084/selinux-policy.changes 2026-05-24 19:35:56.219972674 +0200 
@@ -1,0 +2,30 @@ +Fri May 22 11:01:00 UTC 2026 - Robert Frohl <[email protected]> + +- Update to version 20260522: + * Fix build by switching to corecmd_exec_bin_noattr() + * Split using dirsrv_ and dirsrvadmin_ interfaces into separate blocks + * Allow virtqemud execute kmod in the kmod domain + * Allow qatlib map kernel modules + * Allow sys_resource on execution of generic executables conditionally + * Label bootloader-migrate-generator with coreos_bootloader_migrate_generator_exec_t + * Label /run/coreos with coreos_installer_var_run_t + * Add systemd_create_generator_unit_file() and systemd_write_generator_unit_file() + * Allow virtnwfilterd_t r/w on packet_socket (bsc#1264273) + * Update fstools swap interfaces with dir search + * Allow go-fdo-server to read system information + * Change README to openSUSE specific README + * Add missing fc rule for org.gnome.DisplayManager (bsc#1264182) + * config: make /etc/systemd/user same as /usr/lib/systemd/user + * Do not audit iptables attempts to read other process state + * Policy for go-fdo-server + * Allow setroubleshoot_fixit_t to touch /.autorelabel and reboot + * Allow init nnp domain transition do dirsrv_t and dirsrv_snmp_t + * Allow NetworkManager_dispatcher_nvme_t check status of systemd services + * Allow iptables_t read state of some processes + * Label /dev/HID-SENSOR-.* with hid_sensor_device_t +- Syncing with upstream rawhide selinux-policy up to: + * 190ed3591e0004c395409dd62acea41c8a684fc1 +- Update embedded container-selinux version to commit: + * e659fc8858d2e34781cc1640ac1658ba484cb3f5 (v2.248.0) + +------------------------------------------------------------------- Old: ---- selinux-policy-20260508.tar.xz New: ---- selinux-policy-20260522.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.OSIe8s/_old 2026-05-24 19:35:57.180011955 +0200 +++ 
/var/tmp/diff_new_pack.OSIe8s/_new 2026-05-24 19:35:57.180011955 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260508 +Version: 20260522 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.OSIe8s/_old 2026-05-24 19:35:57.252014901 +0200 +++ /var/tmp/diff_new_pack.OSIe8s/_new 2026-05-24 19:35:57.256015065 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">fe697f497b48735dcd1335b50baf1aa5c2b009ff</param></service></servicedata> + <param name="changesrevision">301440cf688535bae18eec52504568535a7b10e8</param></service></servicedata> (No newline at EOF) ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.OSIe8s/_old 2026-05-24 19:35:57.332018175 +0200 +++ /var/tmp/diff_new_pack.OSIe8s/_new 2026-05-24 19:35:57.336018338 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.247.0) +policy_module(container, 2.248.0) gen_require(` class passwd rootok; @@ -207,7 +207,7 @@ # allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource }; allow container_runtime_domain self:tun_socket { create_socket_perms relabelto }; -allow container_runtime_domain self:process ~setcurrent; +allow container_runtime_domain self:process ~{ ptrace setcurrent }; allow container_runtime_domain self:passwd rootok; allow container_runtime_domain self:fd use; allow container_runtime_domain self:dir mounton; @@ -1046,6 +1046,10 @@ kernel_read_irq_sysctls(container_domain) kernel_get_sysvipc_info(container_domain) +ifdef(`kernel_userfaultfd_use',` + kernel_userfaultfd_use(container_domain) +') + fs_dontaudit_getattr_all_dirs(container_domain) fs_dontaudit_getattr_all_files(container_domain) fs_dontaudit_remount_tmpfs(container_domain) 
@@ -1702,6 +1706,7 @@ tunable_policy(`deny_ptrace',`',` allow container_domain self:process ptrace; + allow container_runtime_domain self:process ptrace; allow spc_t self:process ptrace; ') ++++++ selinux-policy-20260508.tar.xz -> selinux-policy-20260522.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/README.md new/selinux-policy-20260522/README.md --- old/selinux-policy-20260508/README.md 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/README.md 2026-05-22 13:00:19.000000000 +0200 
@@ -1,26 +1,54 @@ -# Fedora SELinux policy +# openSUSE SELinux policy -This is SELinux policy based on [refpolicy](https://github.com/SELinuxProject/refpolicy) used in Fedora, Red Hat Enterprise Linux and CentOS Stream. +This repository contains the openSUSE SELinux policy. -## Installation +The openSUSE SELinux policy is a downstream of the [Fedora SELinux policy](https://github.com/fedora-selinux/selinux-policy) with additional openSUSE specific changes. -The installation process is described in [INSTALL](INSTALL). +## How this is developed -The default policy is installed to `/etc/selinux/fedora-selinux` and `/var/lib/selinux/fedora-selinux`. +- Monthly policy update: Every month the openSUSE SELinux group fetches the new updates in the Fedora `rawhide` branch into the openSUSE `factory` branch of this repository. Those changes will be submitted then to openSUSE Tumbleweed. + Please check the changelog in OBS for details of those updates. +- Additionally, openSUSE only policies and fixes are added to this repository during the month and submitted by the team. -The name and other options can be changed using variables like `NAME`, `TYPE`, ... variables, for more details see [README.build](README.build). -E.g. Fedora `targeted` policy uses the following options: +Branches: +- `factory`: Development branch for all openSUSE rolling release distros (openSUSE Tumbleweed, openSUSE MicroOS, Aeon, SLFO:Main,...) 
+- `slfo-1.2`: Maintenance branch SLE 16.0 and SL Micro 6.2 +- `slfo-1.1`: Maintenance branch SL Micro 6.1 +- `alp-1.0`: Maintenance branch SL Micro 6.0 +- `sle-micro-5.x`: Maintenance branch for respective SLE Micro 5.x - DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=n MLS_CATS=1024 MCS_CATS=1024 UNK_PERMS=allow NAME=targeted TYPE=mcs +For selinux-policy package build related docs: https://src.opensuse.org/pool/selinux-policy -## Contributing +## Development + +Add devel project: +``` +zypper addrepo https://download.opensuse.org/repositories/security:SELinux/openSUSE_Tumbleweed/security:SELinux.repo +zypper refresh +``` + +Install dependencies: +``` +zypper si selinux-policy selinux-policy-targeted +``` + +Then follow the [INSTALL](INSTALL) documentation. -There are several ways how to contribute: +## Documentation -### Report bugs +A comprehensive documentation regarding the processes and differences to the fedora policy can be found in the openSUSE Wiki: +https://en.opensuse.org/Portal:SELinux -Either open issue in this project or file a bug in [Fedora Bugzilla](https://bugzilla.redhat.com) -### Pull requests +## Reporting Bugs + +Please report bugs in the openSUSE Bugzilla. A guide on gathering all required information can be found here: +https://en.opensuse.org/openSUSE:Bugreport_SELinux + +## Contributing + +Please contribute general fixes to the [Fedora SELinux policy](https://github.com/fedora-selinux/selinux-policy). -You can fork this repo and open a PR. Please use good practices and use descriptive commit messages. 
+If you have a openSUSE specific fixes you can either: +- open a PR on GitHub: https://github.com/openSUSE/selinux-policy/pulls +- or: send patches via email to: https://lists.opensuse.org/archives/list/[email protected]/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/config/file_contexts.subs_dist new/selinux-policy-20260522/config/file_contexts.subs_dist --- old/selinux-policy-20260508/config/file_contexts.subs_dist 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/config/file_contexts.subs_dist 2026-05-22 13:00:19.000000000 +0200 @@ -19,6 +19,7 @@ /usr/local/lib64 /usr/lib /usr/local/lib32 /usr/lib /etc/systemd/system /usr/lib/systemd/system +/etc/systemd/user /usr/lib/systemd/user /var/lib/xguest/home /home /var/named/chroot/usr/lib64 /usr/lib /var/named/chroot/lib64 /usr/lib diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/dist/targeted/modules.conf new/selinux-policy-20260522/dist/targeted/modules.conf --- old/selinux-policy-20260508/dist/targeted/modules.conf 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/dist/targeted/modules.conf 2026-05-22 13:00:19.000000000 +0200 @@ -3105,6 +3105,13 @@ # redfish-finder = module +# Layer: contrib +# Module: go_fdo_server +# +# Policy for go_fdo_server: Run an FDO Manufacturing, Rendezvous, or Owner server. +# +go_fdo_server = module + # SUSE specific modules # Layer: contrib diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/global_tunables new/selinux-policy-20260522/policy/global_tunables --- old/selinux-policy-20260508/policy/global_tunables 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/global_tunables 2026-05-22 13:00:19.000000000 +0200 
@@ -153,3 +153,10 @@ ## </p> ## </desc> gen_tunable(deny_bluetooth,false) + +## <desc> +## <p> +## Allow the sys_resource capability to all domains allowed to execute bin_t +## </p> +## </desc> +gen_tunable(corecmd_bin_sys_resource, false) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/apache.te new/selinux-policy-20260522/policy/modules/contrib/apache.te --- old/selinux-policy-20260508/policy/modules/contrib/apache.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/apache.te 2026-05-22 13:00:19.000000000 +0200 @@ -986,11 +986,6 @@ ') optional_policy(` - #needed by FreeIPA - dirsrv_stream_connect(httpd_t) -') - -optional_policy(` dirsrv_getattr_unit_files(httpd_t) dirsrv_manage_config(httpd_t) dirsrv_manage_log(httpd_t) @@ -998,6 +993,12 @@ dirsrv_read_share(httpd_t) dirsrv_signal(httpd_t) dirsrv_signull(httpd_t) + + #needed by FreeIPA + dirsrv_stream_connect(httpd_t) +') + +optional_policy(` dirsrvadmin_manage_config(httpd_t) dirsrvadmin_manage_tmp(httpd_t) dirsrvadmin_domtrans_unconfined_script_t(httpd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/conntrackd.if new/selinux-policy-20260522/policy/modules/contrib/conntrackd.if --- old/selinux-policy-20260508/policy/modules/contrib/conntrackd.if 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/conntrackd.if 2026-05-22 13:00:19.000000000 +0200 
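Review bot: The description of the new corecmd_bin_sys_resource tunable does not say what the capability permits or that it is off by default, and unlike the neighbouring per-service booleans it affects every domain that carries sys_resource_type, so an administrator reading `semanage boolean -l` needs that context before flipping it. Proposed desc text: `Allow the sys_resource capability (overriding resource limits) to all domains that execute generic programs in bin directories via corecmd_exec_bin(). Disabled by default.`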
@@ -24,6 +24,26 @@ ######################################## ## <summary> +## Read conntrackd process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`conntrackd_read_state',` + gen_require(` + type conntrackd_t; + ') + + allow $1 conntrackd_t:dir { search_dir_perms read }; + allow $1 conntrackd_t:file read_file_perms; + allow $1 conntrackd_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Connect to conntrackd over an unix stream socket. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/coreos_installer.fc new/selinux-policy-20260522/policy/modules/contrib/coreos_installer.fc --- old/selinux-policy-20260508/policy/modules/contrib/coreos_installer.fc 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/coreos_installer.fc 2026-05-22 13:00:19.000000000 +0200 
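Review bot: `allow $1 conntrackd_t:dir { search_dir_perms read };` spells out by hand what the `list_dir_perms` macro already names, and the usual shape of a `*_read_state` interface is the macro form; `allow $1 conntrackd_t:dir list_dir_perms;` keeps the new interface consistent with its siblings and easier to audit. The file and lnk_file rules that follow it are the standard read-only set, so no further change is needed there.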
@@ -3,11 +3,13 @@ /usr/libexec/coreos-installer-disable-device-auto-activation -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) /usr/libexec/coreos-installer-service -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/lib/systemd/system-generators/bootloader-migrate-generator -- gen_context(system_u:object_r:coreos_bootloader_migrate_generator_exec_t,s0) /usr/lib/systemd/system-generators/coreos-boot-mount-generator -- gen_context(system_u:object_r:coreos_boot_mount_generator_exec_t,s0) /usr/lib/systemd/system-generators/coreos-installer-generator -- gen_context(system_u:object_r:coreos_installer_generator_exec_t,s0) /usr/lib/systemd/system-generators/coreos-liveiso-autologin-generator -- gen_context(system_u:object_r:coreos_liveiso_autologin_generator_exec_t,s0) /usr/lib/systemd/system-generators/coreos-sulogin-force-generator -- gen_context(system_u:object_r:coreos_sulogin_force_generator_exec_t,s0) /usr/lib/systemd/system/coreos-installer.* -- gen_context(system_u:object_r:coreos_installer_unit_file_t,s0) +/run/coreos(/.*) gen_context(system_u:object_r:coreos_installer_var_run_t,s0) /run/coreos-installer-reboot -- gen_context(system_u:object_r:coreos_installer_var_run_t,s0) /run/ostree-live -- gen_context(system_u:object_r:coreos_installer_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/coreos_installer.te new/selinux-policy-20260522/policy/modules/contrib/coreos_installer.te --- old/selinux-policy-20260508/policy/modules/contrib/coreos_installer.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/coreos_installer.te 2026-05-22 13:00:19.000000000 +0200 
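Review bot: `/run/coreos(/.*) gen_context(...)` lacks the `?` that every other directory entry in this file uses, so the pattern matches only paths below /run/coreos and never the directory itself; a relabel (restorecon/fixfiles) would leave /run/coreos with its parent's label, while the commit's own `files_pid_filetrans(coreos_installer_t, coreos_installer_var_run_t, { dir file })` change in coreos_installer.te expects the directory to be coreos_installer_var_run_t. Change the line to `/run/coreos(/.*)?	gen_context(system_u:object_r:coreos_installer_var_run_t,s0)`.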
@@ -12,6 +12,12 @@ type coreos_installer_unit_file_t; systemd_unit_file(coreos_installer_unit_file_t) +type coreos_bootloader_migrate_generator_t; +type coreos_bootloader_migrate_generator_exec_t; +init_system_domain(coreos_bootloader_migrate_generator_t, coreos_bootloader_migrate_generator_exec_t) +type coreos_bootloader_migrate_generator_unit_file_t; +files_type(coreos_bootloader_migrate_generator_unit_file_t) + type coreos_boot_mount_generator_t; type coreos_boot_mount_generator_exec_t; init_system_domain(coreos_boot_mount_generator_t, coreos_boot_mount_generator_exec_t) @@ -49,7 +55,7 @@ allow coreos_installer_t self:unix_stream_socket create_stream_socket_perms; allow coreos_installer_t coreos_installer_var_run_t:file manage_file_perms; -files_pid_filetrans(coreos_installer_t, coreos_installer_var_run_t, file) +files_pid_filetrans(coreos_installer_t, coreos_installer_var_run_t, { dir file }) kernel_read_proc_files(coreos_installer_t) @@ -84,20 +90,29 @@ ######################################## # +# coreos_bootloader_migrate_generator # coreos_boot_mount_generator # coreos_installer_generator # coreos_liveiso_autologin_generator # coreos_sulogin_force_generator local policy # +permissive coreos_bootloader_migrate_generator_t; + +optional_policy(` + anaconda_domtrans_install(coreos_bootloader_migrate_generator_t) +') + +permissive coreos_boot_mount_generator_t; + +read_files_pattern(coreos_boot_mount_generator_t, coreos_installer_var_run_t, coreos_installer_var_run_t) + kernel_read_proc_files(coreos_boot_mount_generator_t) corecmd_exec_bin(coreos_boot_mount_generator_t) corecmd_exec_shell(coreos_boot_mount_generator_t) dev_write_kmsg(coreos_boot_mount_generator_t) -permissive coreos_boot_mount_generator_t; - optional_policy(` auth_dontaudit_read_passwd_file(coreos_boot_mount_generator_t) ') 
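Review bot: `permissive coreos_bootloader_migrate_generator_t;` introduces a domain that is never enforced, with no comment saying why or when it is expected to be removed; generators run from init at boot, so denials in this domain are only logged. Add a comment above it such as `# TODO(<tracking reference>): permissive until the domain's rules are complete; drop before enforcing`, and the same applies to `permissive go_fdo_server_t;` in the new go_fdo_server.te. Separately, coreos_bootloader_migrate_generator_unit_file_t is declared in the earlier hunk but no rule in this diff references it — presumably a filetrans like the one coreos_boot_mount_generator_t gets is still to follow; worth confirming so the type does not stay dead.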
@@ -105,6 +120,9 @@ optional_policy(` systemd_unit_file(coreos_boot_mount_generator_unit_file_t) + systemd_create_generator_unit_file(coreos_boot_mount_generator_t) + systemd_write_generator_unit_file(coreos_boot_mount_generator_t) + systemd_unit_file_filetrans(coreos_boot_mount_generator_t, coreos_boot_mount_generator_unit_file_t, file, "boot.mount") manage_files_pattern(coreos_boot_mount_generator_t, coreos_boot_mount_generator_unit_file_t, coreos_boot_mount_generator_unit_file_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/dirsrv.te new/selinux-policy-20260522/policy/modules/contrib/dirsrv.te --- old/selinux-policy-20260508/policy/modules/contrib/dirsrv.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/dirsrv.te 2026-05-22 13:00:19.000000000 +0200 @@ -14,11 +14,13 @@ domain_type(dirsrv_t) init_daemon_domain(dirsrv_t, dirsrv_exec_t) +init_nnp_daemon_domain(dirsrv_t) type dirsrv_snmp_t; type dirsrv_snmp_exec_t; domain_type(dirsrv_snmp_t) init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) +init_nnp_daemon_domain(dirsrv_snmp_t) type dirsrv_var_lib_t; files_type(dirsrv_var_lib_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.fc new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.fc --- old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.fc 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.fc 2026-05-22 13:00:19.000000000 +0200 
@@ -0,0 +1,18 @@ +/usr/bin/go-fdo-server -- gen_context(system_u:object_r:go_fdo_server_exec_t,s0) + +# Helper scripts +/usr/libexec/go-fdo-server(/.*)? gen_context(system_u:object_r:go_fdo_server_exec_t,s0) + +# Configuration directories +/etc/go-fdo-server(/.*)? gen_context(system_u:object_r:go_fdo_server_etc_t,s0) + +# PKI/Certificates +/etc/pki/go-fdo-server(/.*)? gen_context(system_u:object_r:go_fdo_server_cert_t,s0) + +# Database and state files (created at runtime) +/var/lib/go-fdo-server-manufacturer(/.*)? gen_context(system_u:object_r:go_fdo_server_var_lib_t,s0) +/var/lib/go-fdo-server-rendezvous(/.*)? gen_context(system_u:object_r:go_fdo_server_var_lib_t,s0) +/var/lib/go-fdo-server-owner(/.*)? gen_context(system_u:object_r:go_fdo_server_var_lib_t,s0) + +# Systemd unit files +/usr/lib/systemd/system/go-fdo-server-.*\.service gen_context(system_u:object_r:go_fdo_server_unit_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.if new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.if --- old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.if 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.if 2026-05-22 13:00:19.000000000 +0200 
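Review bot: `/usr/libexec/go-fdo-server(/.*)?` and `/usr/lib/systemd/system/go-fdo-server-.*\.service` have no file-type column, so the libexec directory itself (and any non-executable data placed under it) is labeled with an exec type, whereas coreos_installer.fc in this same diff marks such entries `--`. Restricting both to regular files, `/usr/libexec/go-fdo-server(/.*)?	--	gen_context(system_u:object_r:go_fdo_server_exec_t,s0)` and `/usr/lib/systemd/system/go-fdo-server-.*\.service	--	gen_context(system_u:object_r:go_fdo_server_unit_t,s0)`, lets the directory inherit the generic label for /usr/libexec instead.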
@@ -0,0 +1,39 @@ +## <summary>policy for go_fdo_server</summary> + +######################################## +## <summary> +## Execute go_fdo_server_exec_t in the go_fdo_server domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`go_fdo_server_domtrans',` + gen_require(` + type go_fdo_server_t, go_fdo_server_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, go_fdo_server_exec_t, go_fdo_server_t) +') + +###################################### +## <summary> +## Execute go_fdo_server in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`go_fdo_server_exec',` + gen_require(` + type go_fdo_server_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, go_fdo_server_exec_t) +') \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.te new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.te --- old/selinux-policy-20260508/policy/modules/contrib/go_fdo_server.te 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20260522/policy/modules/contrib/go_fdo_server.te 2026-05-22 13:00:19.000000000 +0200 
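Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), and go_fdo_server.te in the next section has the same issue; both should end with a newline so a later append does not fuse onto the last `')` in future diffs. The two interfaces themselves follow the standard domtrans/can_exec shape and need no change.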
@@ -0,0 +1,62 @@ +policy_module(go_fdo_server, 1.0.0) + +######################################## +# +# Declarations +# + +type go_fdo_server_t; +type go_fdo_server_exec_t; +init_daemon_domain(go_fdo_server_t, go_fdo_server_exec_t) + +type go_fdo_server_cert_t; +miscfiles_cert_type(go_fdo_server_cert_t) + +type go_fdo_server_etc_t; +files_config_file(go_fdo_server_etc_t) + +type go_fdo_server_var_lib_t; +files_type(go_fdo_server_var_lib_t) + +type go_fdo_server_unit_t; +systemd_unit_file(go_fdo_server_unit_t) + +permissive go_fdo_server_t; + +######################################## +# +# go_fdo_server local policy +# +allow go_fdo_server_t self:capability { setgid setuid }; +allow go_fdo_server_t self:fifo_file rw_fifo_file_perms; +allow go_fdo_server_t self:tcp_socket create_stream_socket_perms; +allow go_fdo_server_t self:udp_socket create_socket_perms; +allow go_fdo_server_t self:unix_stream_socket create_stream_socket_perms; + +# Patterns +manage_dirs_pattern(go_fdo_server_t, go_fdo_server_var_lib_t, go_fdo_server_var_lib_t) +manage_files_pattern(go_fdo_server_t, go_fdo_server_var_lib_t, go_fdo_server_var_lib_t) +read_files_pattern(go_fdo_server_t, go_fdo_server_cert_t, go_fdo_server_cert_t) +read_files_pattern(go_fdo_server_t, go_fdo_server_etc_t, go_fdo_server_etc_t) + +#Kernel +kernel_read_net_sysctls(go_fdo_server_t) + +# Base system interfaces +corenet_tcp_bind_generic_port(go_fdo_server_t) +dev_read_sysfs(go_fdo_server_t) +domain_use_interactive_fds(go_fdo_server_t) +files_read_etc_files(go_fdo_server_t) + +# Module interfaces +optional_policy(` + auth_use_nsswitch(go_fdo_server_t) +') + +optional_policy(` + miscfiles_read_localization(go_fdo_server_t) +') + +optional_policy(` + sysnet_dns_name_resolve(go_fdo_server_t) +') \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/mcelog.te 
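Review bot: `corenet_tcp_bind_generic_port(go_fdo_server_t)` lets the daemon listen on any port labeled as generic, which is wider than a service with known fixed ports needs; if the manufacturing, rendezvous and owner servers use fixed defaults, declaring a dedicated port type in corenetwork and binding only to it (the `corenet_tcp_bind_<name>_port` pattern) confines the listener — confirm the service's defaults before choosing. `allow go_fdo_server_t self:capability { setgid setuid };` reads as a privilege-drop grant; a one-line comment saying so, `# setuid/setgid: drop privileges after start`, would save the next reader from wondering whether the daemon escalates, and should be confirmed against the daemon's behaviour.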
new/selinux-policy-20260522/policy/modules/contrib/mcelog.te --- old/selinux-policy-20260508/policy/modules/contrib/mcelog.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/mcelog.te 2026-05-22 13:00:19.000000000 +0200 @@ -77,9 +77,6 @@ kernel_read_system_state(mcelog_t) -corecmd_exec_shell(mcelog_t) -corecmd_exec_bin(mcelog_t) - dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) dev_rw_sysfs(mcelog_t) @@ -99,10 +96,14 @@ tunable_policy(`mcelog_exec_scripts',` allow mcelog_t self:fifo_file rw_fifo_file_perms; - corecmd_exec_bin(mcelog_t) + corecmd_exec_bin_noattr(mcelog_t) corecmd_exec_shell(mcelog_t) ') +tunable_policy(`mcelog_exec_scripts && corecmd_bin_sys_resource',` + allow mcelog_t self:capability sys_resource; +') + tunable_policy(`mcelog_foreground',` userdom_use_user_terminals(mcelog_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/networkmanager.te new/selinux-policy-20260522/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20260508/policy/modules/contrib/networkmanager.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/networkmanager.te 2026-05-22 13:00:19.000000000 +0200 
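Review bot: mcelog_t here and redis_t in redis.te each get a matching `tunable_policy(\`<bool> && corecmd_bin_sys_resource'` block alongside the switch to corecmd_exec_bin_noattr(), but the same switch in rsync.te (rsync_exec_commands) and rtorrent.te (rtorrent_exec_scripts) adds no such block, so those two domains never receive sys_resource even with the boolean on. If that difference is intended, a short comment in those two files would keep the next person from "fixing" it; if not, the same conditional allow is missing there. The reason for _noattr — presumably that typeattribute is not permitted inside tunable_policy(), which the new corecmd_exec_bin() body now requires — is recorded only in corecommands.if, so a comment above each call, `# _noattr: corecmd_exec_bin() assigns an attribute and cannot be used in a conditional block`, would help.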
@@ -741,6 +741,7 @@ systemd_start_systemd_services(NetworkManager_dispatcher_sendmail_t) systemd_status_systemd_services(NetworkManager_dispatcher_sendmail_t) systemd_start_systemd_services(NetworkManager_dispatcher_nvme_t) + systemd_status_systemd_services(NetworkManager_dispatcher_nvme_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/qatlib.te new/selinux-policy-20260522/policy/modules/contrib/qatlib.te --- old/selinux-policy-20260508/policy/modules/contrib/qatlib.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/qatlib.te 2026-05-22 13:00:19.000000000 +0200 @@ -56,6 +56,7 @@ domain_use_interactive_fds(qatlib_t) +files_map_kernel_modules(qatlib_t) files_read_kernel_modules(qatlib_t) optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/redis.te new/selinux-policy-20260522/policy/modules/contrib/redis.te --- old/selinux-policy-20260508/policy/modules/contrib/redis.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/redis.te 2026-05-22 13:00:19.000000000 +0200 
@@ -100,13 +100,17 @@ corenet_tcp_connect_pop_port(redis_t) corenet_sendrecv_pop_client_packets(redis_t) - corecmd_exec_bin(redis_t) + corecmd_exec_bin_noattr(redis_t) corecmd_exec_shell(redis_t) fs_getattr_tmpfs(redis_t) fs_getattr_xattr_fs(redis_t) ') +tunable_policy(`redis_enable_notify && corecmd_bin_sys_resource',` + allow redis_t self:capability sys_resource; +') + optional_policy(` tunable_policy(`redis_enable_notify',` auth_read_passwd_file(redis_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/rsync.te new/selinux-policy-20260522/policy/modules/contrib/rsync.te --- old/selinux-policy-20260508/policy/modules/contrib/rsync.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/rsync.te 2026-05-22 13:00:19.000000000 +0200 @@ -209,5 +209,5 @@ tunable_policy(`rsync_exec_commands',` corecmd_exec_shell(rsync_t) - corecmd_exec_bin(rsync_t) + corecmd_exec_bin_noattr(rsync_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/rtorrent.te new/selinux-policy-20260522/policy/modules/contrib/rtorrent.te --- old/selinux-policy-20260508/policy/modules/contrib/rtorrent.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/rtorrent.te 2026-05-22 13:00:19.000000000 +0200 
@@ -96,6 +96,6 @@ tunable_policy(`rtorrent_exec_scripts',` # execute helper scripts - corecmd_exec_bin(rtorrent_t) + corecmd_exec_bin_noattr(rtorrent_t) userdom_exec_user_bin_files(rtorrent_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/setroubleshoot.te new/selinux-policy-20260522/policy/modules/contrib/setroubleshoot.te --- old/selinux-policy-20260508/policy/modules/contrib/setroubleshoot.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/setroubleshoot.te 2026-05-22 13:00:19.000000000 +0200 @@ -205,7 +205,8 @@ # setroubleshoot_fixit local policy # -allow setroubleshoot_fixit_t self:capability sys_nice; +# dac_override is needed for "touch /.autorelabel" / "fixfiles onboot" +allow setroubleshoot_fixit_t self:capability { sys_nice dac_override}; allow setroubleshoot_fixit_t self:process { setsched getsched }; dontaudit setroubleshoot_fixit_t self:process execmem; allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; @@ -227,6 +228,10 @@ dev_read_sysfs(setroubleshoot_fixit_t) dev_read_urand(setroubleshoot_fixit_t) +files_list_tmp(setroubleshoot_fixit_t) +# needed for "touch /.autorelabel" / "fixfiles onboot" +files_manage_root_files(setroubleshoot_fixit_t) + fs_getattr_xattr_fs(setroubleshoot_fixit_t) selinux_read_policy(setroubleshoot_fixit_t) 
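Review bot: `files_manage_root_files(setroubleshoot_fixit_t)` grants create, write and delete on every file in the root directory to satisfy `touch /.autorelabel`, which is broader than the one flag file the comment names; if this tree still carries refpolicy's `files_create_boot_flag()` interface (it exists for exactly that file), that plus the dac_override grant would be the narrower choice — worth checking before settling on manage_root_files. In the earlier hunk, `allow setroubleshoot_fixit_t self:capability { sys_nice dac_override};` is missing the space before `}`; write `allow setroubleshoot_fixit_t self:capability { sys_nice dac_override };` to match the rest of the file.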
@@ -235,7 +240,10 @@ seutil_domtrans_setsebool(setroubleshoot_fixit_t) seutil_read_module_store(setroubleshoot_fixit_t) -files_list_tmp(setroubleshoot_fixit_t) +# needed for reboot +optional_policy(` + systemd_exec_systemctl(setroubleshoot_fixit_t) +') auth_use_nsswitch(setroubleshoot_fixit_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/contrib/virt.te new/selinux-policy-20260522/policy/modules/contrib/virt.te --- old/selinux-policy-20260508/policy/modules/contrib/virt.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/contrib/virt.te 2026-05-22 13:00:19.000000000 +0200 @@ -2106,7 +2106,7 @@ allow virtnwfilterd_t self:netlink_generic_socket create_socket_perms; allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; -allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:packet_socket create_socket_perms; allow virtnwfilterd_t self:rawip_socket create_socket_perms; manage_dirs_pattern(virtnwfilterd_t, virt_var_run_t, virt_var_run_t) @@ -2392,6 +2392,10 @@ ') optional_policy(` + modutils_domtrans_kmod(virtqemud_t) +') + +optional_policy(` nbdkit_domtrans(virtqemud_t) nbdkit_signal(virtqemud_t) nbdkit_signull(virtqemud_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/kernel/corecommands.if new/selinux-policy-20260522/policy/modules/kernel/corecommands.if --- old/selinux-policy-20260508/policy/modules/kernel/corecommands.if 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/kernel/corecommands.if 2026-05-22 13:00:19.000000000 +0200 
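Review bot: Replacing the explicit `{ bind create getopt ioctl map setopt }` set on virtnwfilterd_t's packet_socket with create_socket_perms also grants read, write, append and connect on AF_PACKET sockets, i.e. raw frame receive and send, and the rule carries no explanation; the changelog ties it to bsc#1264273. A comment above the rule, `# read/write needed for nwfilter packet handling, see bsc#1264273`, records why the narrower set was insufficient. The `modutils_domtrans_kmod(virtqemud_t)` hunk is the right shape, a transition into the kmod domain rather than running modprobe in virtqemud_t.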
@@ -398,6 +398,46 @@ # interface(`corecmd_exec_bin',` gen_require(` + attribute sys_resource_type; + type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + list_dirs_pattern($1, bin_t, bin_t) + can_exec($1, bin_t) + + ifdef(`enable_mls',`',` + files_exec_all_base_ro_files($1) + ') + + typeattribute $1 sys_resource_type; +') + +######################################## +## <summary> +## Execute generic programs in bin directories in the caller domain. +## </summary> +## <desc> +## <p> +## Allow the specified domain to execute generic programs +## in system bin directories without a domain transition. +## Unlike in corecmd_exec_bin(), do not assign the sys_resource_type attribute. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corecmd_exec_bin()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_bin_noattr',` + gen_require(` type bin_t; ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/kernel/corecommands.te new/selinux-policy-20260522/policy/modules/kernel/corecommands.te --- old/selinux-policy-20260508/policy/modules/kernel/corecommands.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/kernel/corecommands.te 2026-05-22 13:00:19.000000000 +0200 @@ -6,6 +6,11 @@ # # +# Types with the sys_resource_type attribute are allowed the sys_resource capability. +# +attribute sys_resource_type; + +# # Types with the exec_type attribute are executable files. # attribute exec_type; 
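Review bot: `typeattribute $1 sys_resource_type;` inside corecmd_exec_bin() means the interface can no longer be called from a tunable_policy() or other conditional block, which is why corecmd_exec_bin_noattr() now exists, but only the _noattr description says so; the <desc> of corecmd_exec_bin() sits above this hunk and should gain a sentence such as `This interface assigns the sys_resource_type attribute to the domain and therefore must not be called inside tunable_policy() or other conditional blocks; use corecmd_exec_bin_noattr() there.` The body of corecmd_exec_bin_noattr() continues past the end of the hunk.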
@@ -27,3 +32,8 @@ type chroot_exec_t; corecmd_executable_file(chroot_exec_t) + +dontaudit sys_resource_type self:capability sys_resource; +tunable_policy(`corecmd_bin_sys_resource',` + allow sys_resource_type self:capability sys_resource; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/kernel/devices.fc new/selinux-policy-20260522/policy/modules/kernel/devices.fc --- old/selinux-policy-20260508/policy/modules/kernel/devices.fc 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/kernel/devices.fc 2026-05-22 13:00:19.000000000 +0200 @@ -50,6 +50,7 @@ /dev/hfi1_[0-9]+ -c gen_context(system_u:object_r:hfi1_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/HID-SENSOR-.* -c gen_context(system_u:object_r:hid_sensor_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/kernel/devices.te new/selinux-policy-20260522/policy/modules/kernel/devices.te --- old/selinux-policy-20260508/policy/modules/kernel/devices.te 2026-05-08 10:15:50.000000000 +0200 +++ new/selinux-policy-20260522/policy/modules/kernel/devices.te 2026-05-22 13:00:19.000000000 +0200 
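Review bot: `dontaudit sys_resource_type self:capability sys_resource;` is unconditional, so with corecmd_bin_sys_resource at its default of false the denials that would tell an administrator a domain actually needs the capability are silenced, and audit-driven triage will not see them unless dontaudit rules are disabled with `semodule -DB`. That is a defensible noise-reduction choice, but it should be stated next to the rule: `# Domains that exec bin_t presumably trip sys_resource checks they do not need; silenced by default. To diagnose a real need, enable corecmd_bin_sys_resource or disable dontaudit rules (semodule -DB).`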
@@ -125,6 +125,10 @@
 type dri_device_t;
 dev_node(dri_device_t)
+# Type for /dev/HID-SENSOR-%s-%s and /dev/HID-SENSOR-%x devices
+type hid_sensor_device_t;
+dev_node(hid_sensor_device_t)
+
 type hsa_device_t;
 dev_node(hsa_device_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/services/xserver.fc new/selinux-policy-20260522/policy/modules/services/xserver.fc
--- old/selinux-policy-20260508/policy/modules/services/xserver.fc 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/services/xserver.fc 2026-05-22 13:00:19.000000000 +0200
@@ -213,6 +213,7 @@
 /run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
 /run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
 /run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/run/systemd/userdb/org\.gnome\.DisplayManager -s gen_context(system_u:object_r:xdm_var_run_t,s0)
 ifdef(`distro_redhat',`
 /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/system/fstools.if new/selinux-policy-20260522/policy/modules/system/fstools.if
--- old/selinux-policy-20260508/policy/modules/system/fstools.if 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/system/fstools.if 2026-05-22 13:00:19.000000000 +0200
@@ -170,6 +170,7 @@
 type swapfile_t;
 ')
+ allow $1 swapfile_t:dir search;
 allow $1 swapfile_t:file getattr;
 ')
@@ -188,6 +189,7 @@
 type swapfile_t;
 ')
+ allow $1 swapfile_t:dir search;
 allow $1 swapfile_t:file read_file_perms;
 ')
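Review bot: Each of the three swapfile_t interfaces now carries a hand-written `allow $1 swapfile_t:dir search;` beside its file rule (this hunk at 170 and the ones at 188 and 206); the refpolicy idiom for "search the directory, then act on the file" is the pattern macro, so the two lines here would become `getattr_files_pattern($1, swapfile_t, swapfile_t)`, with `read_files_pattern` and `rw_files_pattern` in the other two. The patterns grant search_dir_perms rather than bare search, i.e. { getattr search open } on the directory, so the access is marginally broader; if the bare `search` is deliberate, a one-line comment saying so would stop a later cleanup from "fixing" it. The name and summary of the enclosing interface start outside the hunk.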
@@ -206,6 +208,7 @@
 type swapfile_t;
 ')
+ allow $1 swapfile_t:dir search;
 allow $1 swapfile_t:file rw_file_perms;
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/system/init.te new/selinux-policy-20260522/policy/modules/system/init.te
--- old/selinux-policy-20260508/policy/modules/system/init.te 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/system/init.te 2026-05-22 13:00:19.000000000 +0200
@@ -1352,11 +1352,14 @@
 ')
 optional_policy(`
- dirsrvadmin_read_config(initrc_t)
 dirsrv_manage_var_run(initrc_t)
 ')
 optional_policy(`
+ dirsrvadmin_read_config(initrc_t)
+ ')
+
+ optional_policy(`
 gnome_manage_gconf_config(initrc_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/system/iptables.te new/selinux-policy-20260522/policy/modules/system/iptables.te
--- old/selinux-policy-20260508/policy/modules/system/iptables.te 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/system/iptables.te 2026-05-22 13:00:19.000000000 +0200
@@ -92,6 +92,8 @@
 dev_read_urand(iptables_t)
 dev_read_rand(iptables_t)
+domain_dontaudit_read_all_domains_state(iptables_t)
+
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
 fs_read_nsfs_files(iptables_t)
@@ -129,6 +131,10 @@
 ')
 optional_policy(`
+ conntrackd_read_state(iptables_t)
+')
+
+optional_policy(`
 container_read_state(iptables_t)
 ')
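Review bot: `domain_dontaudit_read_all_domains_state(iptables_t)` silences iptables_t reads of every domain's process state, while the hunk at 129 (conntrackd) and the one at 214 (virtd) add explicit read_state allows for the cases that were actually seen; once the blanket dontaudit is in, the next daemon iptables legitimately needs to read will only show up with dontaudit rules disabled (`semodule -DB`), so the trade-off deserves a comment at the new line, e.g. `# iptables probes other processes' state; allow the known cases below, silence the rest (use semodule -DB to surface new ones)`. The allow rules still take precedence over the dontaudit for the same permission, so the ordering is fine. The iptables_t rule block continues outside the hunk in both directions.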
@@ -214,6 +220,9 @@
 ')
 optional_policy(`
- wireguard_read_fifo_files(iptables_t)
+ virt_virtd_read_state(iptables_t)
 ')
+optional_policy(`
+ wireguard_read_fifo_files(iptables_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/system/systemd.if new/selinux-policy-20260522/policy/modules/system/systemd.if
--- old/selinux-policy-20260508/policy/modules/system/systemd.if 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/system/systemd.if 2026-05-22 13:00:19.000000000 +0200
@@ -1924,6 +1924,43 @@
 #######################################
 ## <summary>
+## Create a file in a generators directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_generator_unit_file',`
+ gen_require(`
+ type systemd_generator_unit_file_t;
+ ')
+
+ create_files_pattern($1, systemd_generator_unit_file_t, systemd_generator_unit_file_t)
+ create_lnk_files_pattern($1, systemd_generator_unit_file_t, systemd_generator_unit_file_t)
+')
+
+#######################################
+## <summary>
+## Write to a generator unit file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_generator_unit_file',`
+ gen_require(`
+ type systemd_generator_unit_file_t;
+ ')
+
+ write_files_pattern($1, systemd_generator_unit_file_t, systemd_generator_unit_file_t)
+')
+
+#######################################
+## <summary>
 ## Create a directory in the /usr/lib/systemd/system directory.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260508/policy/modules/system/systemd.te new/selinux-policy-20260522/policy/modules/system/systemd.te
--- old/selinux-policy-20260508/policy/modules/system/systemd.te 2026-05-08 10:15:50.000000000 +0200
+++ new/selinux-policy-20260522/policy/modules/system/systemd.te 2026-05-22 13:00:19.000000000 +0200
@@ -564,6 +564,11 @@
 ')
 optional_policy(`
+ # needed for "reboot" in "fix" command of setroubleshoot
+ setroubleshoot_dbus_chat_fixit(systemd_logind_t)
+')
+
+optional_policy(`
 sosreport_dbus_chat(systemd_logind_t)
 ')
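Review bot: The summary `## Create a file in a generators directory.` undersells the body of systemd_create_generator_unit_file(), which also grants create_lnk_files_pattern(); `## Create files and symbolic links in a generators directory.` tells the reader the symlink permission is included. Since systemd loads whatever the generator output directories contain (which is presumably what systemd_generator_unit_file_t labels), both new interfaces effectively let the caller define units that init will run; a <desc> on each stating `## <p>Unit files placed here are loaded by systemd, so grant this only to generator domains.</p>` would make that cost visible to module authors choosing between them. Neither interface carries a <desc> at all, unlike the corecmd interfaces elsewhere in this patch.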
