Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-06-08 14:05:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Mon Jun 8 14:05:13 2026 rev:161 rq:1357545 version:20260605 Changes: --------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-05-28 23:08:46.847607010 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2375/selinux-policy.changes 2026-06-08 14:05:31.375807519 +0200
@@ -1,0 +2,25 @@
+Fri Jun 05 13:22:02 UTC 2026 - Cathy Hu <[email protected]>
+
+- Update to version 20260605:
+ * Update dbus_role_template() with communication over unix dgram socket
+ * Allow staff user read nsfs files
+ * Allow staff user additional sandboxing permissions
+ * Dontaudit sa-update perfmon and sys_admin capabilities
+ * packit: Stop notifying martinpitt for Cockpit test failures
+ * Allow the kernel to execute also special files
+ * Bring back execmem permission for svirt_tcg_t
+ * Dontaudit tlp_t requesting dac_read_search (bsc#1265386)
+ * Leave content of virtqemud_use_execmem empty
+ * Dontaudit libvirt-daemons execmem
+ * Allow virtstoraged to setattr fixed disk devices
+ * Dontaudit ksmtuned dac_read_search and dac_override capabilities
+ * Remove unused hypervkvp_unit_file_t
+ * Allow mock create and use its private tmpfs files
+ * Allow samba-bgqd send to nmbd over a unix datagram socket
+ * Vibecode Gitlab CI smoke test for Leap 16.0+
+- Syncing with upstream rawhide selinux-policy up to:
+ * 443befa43872b63a5c1d7773fca159fda2abf772
+- Update embedded container-selinux version to commit:
+ * d3e0ce57e97c38e1403c0eb5a29b10d5d6dd82c6 (v2.249.0)
+
+------------------------------------------------------------------- Old: ---- selinux-policy-20260526.tar.xz New: ---- selinux-policy-20260605.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.gLBPLv/_old 2026-06-08 14:05:32.611858766 +0200
+++ /var/tmp/diff_new_pack.gLBPLv/_new 2026-06-08 14:05:32.611858766 +0200
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260526 +Version: 20260605 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.gLBPLv/_old 2026-06-08 14:05:32.719863244 +0200 +++ /var/tmp/diff_new_pack.gLBPLv/_new 2026-06-08 14:05:32.723863410 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">d498294bada924dabc106aed9b3463e2d93be002</param></service></servicedata> + <param name="changesrevision">5aaf83f76fe73ede585eb034261da37b8b25dd11</param></service></servicedata> (No newline at EOF) ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.gLBPLv/_old 2026-06-08 14:05:32.815867225 +0200 +++ /var/tmp/diff_new_pack.gLBPLv/_new 2026-06-08 14:05:32.819867390 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.248.0) +policy_module(container, 2.249.0) gen_require(` class passwd rootok; @@ -1181,6 +1181,18 @@ ') optional_policy(` + gen_require(` + type rpmdb_t, container_file_t; + ') + domain_obj_id_change_exemption(rpmdb_t) + container_search_lib(rpmdb_t) + container_read_share_files(rpmdb_t) + container_manage_files(rpmdb_t) + container_manage_dirs(rpmdb_t) + allow rpmdb_t container_file_t:file map; +') + +optional_policy(` sssd_stream_connect(container_domain) ') ++++++ selinux-policy-20260526.tar.xz -> selinux-policy-20260605.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/.gitlab-ci.yml new/selinux-policy-20260605/.gitlab-ci.yml --- old/selinux-policy-20260526/.gitlab-ci.yml 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/.gitlab-ci.yml 2026-06-05 15:21:53.000000000 +0200 
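Review bot: The new rpmdb_t block in the container.te @@ -1181 hunk grants `domain_obj_id_change_exemption(rpmdb_t)` together with manage rights over container_file_t dirs and files and `allow rpmdb_t container_file_t:file map;`, with no comment saying which workflow needs it, so a reader cannot judge whether the manage and map rights could be narrower. domain_obj_id_change_exemption lets rpmdb_t create objects carrying a different SELinux user or role identity, which is a notable widening for a type whose job is the RPM database and deserves its rationale in-line. Suggest a comment on the optional_policy such as `# rpmdb_t operating on container storage (presumably rpm/dnf with --root into a container rootfs) — TODO confirm the use case and whether manage rights are needed beyond read/map`.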
@@ -1,20 +1,62 @@ workflow: rules: - # Only trigger for merge requests to factory. As the pipeline is currently only setup for factory. + # Trigger for merge requests to factory or any slfo-* maintenance branch. - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'factory' + ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'factory' || + $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^slfo-/) # Or trigger manually in the web client under 'Build > Pipelines'. - if: $CI_PIPELINE_SOURCE == 'web' -image: registry.opensuse.org/opensuse/tumbleweed:latest - stages: - build - rpmbuild - test +# ============================================================================ +# Codestream config templates +# ---------------------------------------------------------------------------- +# One template per codestream. Each defines: +# - rules: which MR target branch / web ref triggers it +# - SLFO_BRANCH: packaging branch on src.opensuse.org/pool/selinux-policy +# - LEAP_VERSION: Leap container tag to build/rpmbuild in +# - VM_IMAGE_URL: minimal-VM image to boot in the test stage +# +# To add a new codestream (e.g. SLE 16.1 / slfo-1.3): +# 1. Copy the .slfo-1.2 block, swap "1.2" -> "1.3" and "16.0" -> "16.1". +# 2. Copy the three slfo-1.2 concrete-job stubs at the bottom and do the same. +# Nothing else in this file needs to change. +# ============================================================================ +.factory: + image: registry.opensuse.org/opensuse/tumbleweed:latest + variables: + VM_IMAGE_URL: https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen.qcow2 + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && + $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'factory' + # Web triggers on anything that isn't an slfo-* branch fall through to factory. 
+ - if: $CI_PIPELINE_SOURCE == 'web' && + $CI_COMMIT_REF_NAME !~ /^slfo-/ + +.slfo-1.2: + variables: + SLFO_BRANCH: slfo-1.2 + LEAP_VERSION: "16.0" + VM_IMAGE_URL: https://download.opensuse.org/distribution/leap/16.0/appliances/Leap-16.0-Minimal-VM.x86_64-kvm-and-xen.qcow2 + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && + $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'slfo-1.2' + - if: $CI_PIPELINE_SOURCE == 'web' && + $CI_COMMIT_REF_NAME == 'slfo-1.2' + +# ============================================================================ +# Stage templates — codestream-agnostic; reference $SLFO_BRANCH / $LEAP_VERSION. +# ============================================================================ + +# ---- Factory (Tumbleweed) ---- +# Pulls the spec from the security:SELinux/openSUSE_Factory src.rpm and +# container.* straight from upstream container-selinux. # Based on https://github.com/fedora-selinux/selinux-policy/blob/6063934d9591589ad25b58adf8a54e97dbcded3f/.github/workflows/build.yml -build: +.factory-build: stage: build script: - zypper install -y git-core checkpolicy policycoreutils-devel make m4 findutils @@ -25,7 +67,7 @@ - make -j $(nproc) validate - make -j $(nproc) container.pp -rpmbuild: +.factory-rpmbuild: stage: rpmbuild script: - zypper ar -p 98 https://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/ selinux 
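Review bot: The widened workflow rule `$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^slfo-/` lets a merge request against any slfo-* branch start a pipeline, but only the `.slfo-1.2` template defines jobs for a codestream, so an MR targeting another slfo-* branch presumably ends up with no matching job, which GitLab reports as a pipeline creation error rather than silently skipping. The header comment says "Nothing else in this file needs to change" when adding a codestream, which is true, but it should also warn that slfo-* branches without a template produce that error until their block is added, e.g. `# slfo-* branches without a matching .slfo-X.Y template yield a pipeline with no jobs.` Alternatively keep the workflow rule in step with the defined templates (`$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'slfo-1.2'`) so the failure mode cannot occur.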
@@ -53,8 +95,59 @@ paths: - artifacts/ -test: +# ---- Leap / slfo-* ---- +# Pulls the spec + container.* from src.opensuse.org/pool/selinux-policy on +# the matching $SLFO_BRANCH, builds inside registry.opensuse.org/opensuse/leap:$LEAP_VERSION. +.leap-build: + stage: build + image: registry.opensuse.org/opensuse/leap:$LEAP_VERSION + script: + - zypper install -y git-core checkpolicy policycoreutils-devel make m4 findutils python3 + - git clone --depth=1 --branch="$SLFO_BRANCH" https://src.opensuse.org/pool/selinux-policy.git /tmp/selinux-policy + - cp /tmp/selinux-policy/container.* policy/modules/contrib + - cp dist/targeted/modules.conf policy + - make -j $(nproc) policy + - make -j $(nproc) validate + - make -j $(nproc) container.pp + +.leap-rpmbuild: + stage: rpmbuild + image: registry.opensuse.org/opensuse/leap:$LEAP_VERSION + script: + - zypper --non-interactive dup + # Install build helpers. + - zypper --non-interactive install git-core wget rpm-build python-rpm-macros + # Fetch packaging sources (spec + container.* + macros + ...) from the SLFO pool repo. + - cd .. + - git clone --depth=1 --branch="$SLFO_BRANCH" https://src.opensuse.org/pool/selinux-policy /tmp/pool-selinux-policy + # Lay out an rpmbuild tree. + - echo "%_topdir %(pwd)/rpmbuild" > ~/.rpmmacros + - mkdir -p rpmbuild/SOURCES rpmbuild/SPECS + - cp /tmp/pool-selinux-policy/selinux-policy.spec rpmbuild/SPECS/ + # Copy every Source* except the upstream tarball, which we'll replace with the current git state. + - find /tmp/pool-selinux-policy -maxdepth 1 -type f ! -name "*.tar.*" ! -name "*.spec" ! -name "_service*" ! -name ".*" -exec cp {} rpmbuild/SOURCES/ \; + # Make %setup happy: spec extracts %{name}-%{version}, we want the unversioned dir. + - sed -i 's/%{name}-%{version}/%{name}/g' rpmbuild/SPECS/selinux-policy.spec + # Replace the source tarball with the current git state. 
+ - tar -cJf rpmbuild/SOURCES/selinux-policy.tar.xz selinux-policy + # Generate a src.rpm so zypper can resolve BuildRequires (the spec uses + # %{python_module ...} which zypper can't grok straight from rpmspec). + - rpmbuild -bs rpmbuild/SPECS/selinux-policy.spec + - zypper -n source-install -d rpmbuild/SRPMS/selinux-policy-*.src.rpm + # Build binary RPMs and move them into the artifacts dir. + - rpmbuild -bb rpmbuild/SPECS/selinux-policy.spec + - mkdir selinux-policy/artifacts + - mv rpmbuild/RPMS/noarch/* selinux-policy/artifacts + artifacts: + paths: + - artifacts/ + +# ---- Test (shared across all codestreams) ---- +# qemu/combustion boots whatever VM_IMAGE_URL the codestream points at; the +# container runtime itself doesn't have to match the guest, so Tumbleweed is fine. +.test-vm: stage: test + image: registry.opensuse.org/opensuse/tumbleweed:latest script: - set +e - zypper --non-interactive --quiet install qemu-img qemu-x86 rpm-devel wget diffutils @@ -62,3 +155,27 @@ allow_failure: exit_codes: - 100 + +# ============================================================================ +# Concrete jobs — each = (codestream template) + (stage template). +# ============================================================================ + +# ---- Tumbleweed / factory ---- +build: + extends: [.factory, .factory-build] + +rpmbuild: + extends: [.factory, .factory-rpmbuild] + +test: + extends: [.factory, .test-vm] + +# ---- Leap 16.0 / slfo-1.2 (SLE 16.0 / SLFO 1.2) ---- +build-leap16.0: + extends: [.slfo-1.2, .leap-build] + +rpmbuild-leap16.0: + extends: [.slfo-1.2, .leap-rpmbuild] + +test-leap16.0: + extends: [.slfo-1.2, .test-vm] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/packit.yaml new/selinux-policy-20260605/packit.yaml --- old/selinux-policy-20260526/packit.yaml 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/packit.yaml 2026-06-05 15:21:53.000000000 +0200 
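Review bot: `.leap-rpmbuild` hard-codes the checkout directory name after `cd ..`: `tar -cJf rpmbuild/SOURCES/selinux-policy.tar.xz selinux-policy`, `mkdir selinux-policy/artifacts` and `mv rpmbuild/RPMS/noarch/* selinux-policy/artifacts` all assume the repository is cloned into a directory literally named selinux-policy, which holds only while the GitLab project keeps that name (a fork or rename fails at the tar step). Using `"$CI_PROJECT_DIR"` (or `"$(basename "$CI_PROJECT_DIR")"` for the tar argument) in those three lines removes the assumption. Separately, `git clone --depth=1 --branch="$SLFO_BRANCH" https://src.opensuse.org/pool/selinux-policy /tmp/pool-selinux-policy` fetches whatever the packaging branch holds at that moment, so two runs of the same commit can build against different spec files; logging the fetched revision with `git -C /tmp/pool-selinux-policy rev-parse HEAD` right after the clone would make a failing job attributable to a specific packaging state.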
@@ -22,7 +22,7 @@ trigger: pull_request notifications: failure_comment: - message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check." + message: "Cockpit tests failed for commit {commit_sha}. @jelly, @mvollmer please check." targets: - fedora-development tf_extra_params: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/plans/cockpit.fmf new/selinux-policy-20260605/plans/cockpit.fmf --- old/selinux-policy-20260526/plans/cockpit.fmf 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/plans/cockpit.fmf 2026-06-05 15:21:53.000000000 +0200 @@ -1,6 +1,6 @@ # reverse dependency test for https://github.com/cockpit-project/cockpit # packit should automatically notify the cockpit maintainers on failures. -# For questions, please contact @martinpitt, @jelly, @mvollmer +# For questions, please contact @jelly or @mvollmer enabled: false adjust+: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/dbus.if new/selinux-policy-20260605/policy/modules/contrib/dbus.if --- old/selinux-policy-20260526/policy/modules/contrib/dbus.if 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/dbus.if 2026-06-05 15:21:53.000000000 +0200 
@@ -87,7 +87,8 @@ # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket { accept connectto listen rw_socket_perms create }; allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write }; - allow $1_dbusd_t $3:unix_dgram_socket sendto; + allow $3 $1_dbusd_t:unix_dgram_socket ioctl; + allow $1_dbusd_t $3:unix_dgram_socket sendto; # SE-DBus specific permissions allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/hypervkvp.if new/selinux-policy-20260605/policy/modules/contrib/hypervkvp.if --- old/selinux-policy-20260526/policy/modules/contrib/hypervkvp.if 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/hypervkvp.if 2026-06-05 15:21:53.000000000 +0200 @@ -81,7 +81,7 @@ ####################################### ## <summary> -## Execute hypervkvp server in the hypervkvp domain. +## Execute hypervkvp server in the hypervkvp domain. (Deprecated) ## </summary> ## <param name="domain"> ## <summary> @@ -90,18 +90,8 @@ ## </param> # interface(`hypervkvp_systemctl',` - gen_require(` - type hypervkvp_t; - type hypervkvp_unit_file_t; - ') - - systemd_exec_systemctl($1) - init_reload_services($1) - allow $1 hypervkvp_unit_file_t:file read_file_perms; - allow $1 hypervkvp_unit_file_t:service manage_service_perms; - - ps_process_pattern($1, hypervkvp_t) - ') + refpolicywarn(`$0($*) has been deprecated.') +') ######################################## ## <summary> @@ -117,7 +107,6 @@ interface(`hypervkvp_admin',` gen_require(` type hypervkvp_t; - type hypervkvp_unit_file_t; ') allow $1 hypervkvp_t:process signal_perms; 
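Review bot: The added `allow $3 $1_dbusd_t:unix_dgram_socket ioctl;` in dbus_role_template is the only rule in this block without a comment, and unlike the stream-socket rules above it (headed by `# For connecting to the bus`) nothing says which ioctl the user domain issues on the bus daemon's datagram socket. Suggest a heading in the same style, e.g. `# For datagram communication with the bus — TODO name the ioctl the client issues`; whether the grant could be narrowed with an allowxperm rule depends on the actual ioctl numbers, which the hunk does not show. The enclosing dbus_role_template interface starts outside the hunk.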
@@ -128,8 +117,4 @@ ') hypervkvp_manage_lib_files($1) - - hypervkvp_systemctl($1) - admin_pattern($1, hypervkvp_unit_file_t) - allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/hypervkvp.te new/selinux-policy-20260605/policy/modules/contrib/hypervkvp.te --- old/selinux-policy-20260526/policy/modules/contrib/hypervkvp.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/hypervkvp.te 2026-06-05 15:21:53.000000000 +0200 @@ -14,9 +14,6 @@ type hypervkvp_initrc_exec_t; init_script_file(hypervkvp_initrc_exec_t) -type hypervkvp_unit_file_t; -systemd_unit_file(hypervkvp_unit_file_t) - type hypervkvp_var_lib_t; files_type(hypervkvp_var_lib_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/ksmtuned.te new/selinux-policy-20260605/policy/modules/contrib/ksmtuned.te --- old/selinux-policy-20260526/policy/modules/contrib/ksmtuned.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/ksmtuned.te 2026-06-05 15:21:53.000000000 +0200 @@ -48,6 +48,7 @@ # allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +dontaudit ksmtuned_t self:capability { dac_override dac_read_search }; allow ksmtuned_t self:cap_userns { sys_ptrace }; allow ksmtuned_t self:fifo_file rw_fifo_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/mock.te new/selinux-policy-20260605/policy/modules/contrib/mock.te --- old/selinux-policy-20260526/policy/modules/contrib/mock.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/mock.te 2026-06-05 15:21:53.000000000 +0200 
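Review bot: `dontaudit ksmtuned_t self:capability { dac_override dac_read_search };` is added without a comment saying which operation triggers the denial, so a later reader cannot tell whether the capability is genuinely unneeded or whether a real function is being silenced. The same applies to the spamassassin.te hunk (`dontaudit spamd_update_t self:capability sys_admin;` and `dontaudit spamd_update_t self:capability2 perfmon;`) and to the virt.te hunks adding `dontaudit virtd_t self:process execmem;` and `dontaudit virtstoraged_t self:process execmem;`; the tlp.te hunk is the exception and already carries an explanation above it. Suggest one short comment per dontaudit in the tlp.te style, of the form `# <operation from the motivating AVC> probes this capability but does not need it`, with the placeholder filled in from the denial that prompted the change.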
@@ -30,6 +30,9 @@ type mock_tmp_t; files_tmp_file(mock_tmp_t) +type mock_tmpfs_t; +files_tmpfs_file(mock_tmpfs_t) + type mock_var_lib_t; files_type(mock_var_lib_t) @@ -69,6 +72,9 @@ manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file }) +allow mock_t mock_tmpfs_t:file { manage_file_perms map }; +fs_tmpfs_filetrans(mock_t, mock_tmpfs_t, file) + manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/samba.te new/selinux-policy-20260605/policy/modules/contrib/samba.te --- old/selinux-policy-20260526/policy/modules/contrib/samba.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/samba.te 2026-06-05 15:21:53.000000000 +0200 @@ -1389,6 +1389,7 @@ allow smbd_t samba_dcerpcd_t:process noatsecure; allow smbd_t samba_dcerpcd_t:unix_stream_socket connectto; allow winbind_t samba_dcerpcd_t:unix_stream_socket connectto; +allow samba_bgqd_t nmbd_t: unix_dgram_socket sendto; allow samba_bgqd_t smbd_t: unix_dgram_socket sendto; allow samba_dcerpcd_t samba_bgqd_t:unix_dgram_socket sendto; allow samba_dcerpcd_t nmbd_t:unix_dgram_socket sendto; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/spamassassin.te new/selinux-policy-20260605/policy/modules/contrib/spamassassin.te --- old/selinux-policy-20260526/policy/modules/contrib/spamassassin.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/spamassassin.te 2026-06-05 15:21:53.000000000 +0200 
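Review bot: The new `allow samba_bgqd_t nmbd_t: unix_dgram_socket sendto;` copies the stray space after the colon from the existing samba_bgqd_t/smbd_t line, whereas every other rule in the hunk (`allow samba_dcerpcd_t nmbd_t:unix_dgram_socket sendto;`) writes `type:class` without a space. checkpolicy accepts both, but the mixed spelling means a search for `nmbd_t:unix_dgram_socket` misses the new rule; suggest `allow samba_bgqd_t nmbd_t:unix_dgram_socket sendto;` and fixing the neighbouring smbd_t line while here.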
@@ -614,6 +614,8 @@ allow spamd_update_t self:unix_dgram_socket create_socket_perms; allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; allow spamd_update_t self:capability { dac_read_search dac_override }; +dontaudit spamd_update_t self:capability sys_admin; +dontaudit spamd_update_t self:capability2 perfmon; allow spamd_update_t self:cap_userns sys_ptrace; manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/tlp.te new/selinux-policy-20260605/policy/modules/contrib/tlp.te --- old/selinux-policy-20260526/policy/modules/contrib/tlp.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/tlp.te 2026-06-05 15:21:53.000000000 +0200 @@ -33,6 +33,7 @@ # greps for only tuned-ppd, power-profiles-daemon and # tlp-pd. ps does not need those two necessarily to work: dontaudit tlp_t self:cap_userns sys_ptrace; +dontaudit tlp_t self:capability dac_read_search; dontaudit tlp_t self:capability2 perfmon; allow tlp_t tlp_unit_file_t:file read_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/contrib/virt.te new/selinux-policy-20260605/policy/modules/contrib/virt.te --- old/selinux-policy-20260526/policy/modules/contrib/virt.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/contrib/virt.te 2026-06-05 15:21:53.000000000 +0200 @@ -28,7 +28,7 @@ ## <desc> ## <p> -## Allow virtqemu driver to use executable memory and executable stack +## [Obsolete]Allow virtqemu driver to use executable memory and executable stack ## </p> ## </desc> gen_tunable(virtqemud_use_execmem, true) 
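Review bot: The description of `virtqemud_use_execmem` now reads `[Obsolete]Allow virtqemu driver ...`, missing a space after the bracket, and it does not tell an administrator who still has the boolean set what "obsolete" means for them. Since the only `tunable_policy(`virtqemud_use_execmem',` block is removed in the @@ -2366 hunk, the boolean appears to be a no-op retained for compatibility, though the hunk does not say why it was kept. Suggest `## [Obsolete] Allow virtqemu driver to use executable memory and executable stack.` followed by `## No longer has any effect; kept so existing setsebool settings and local policy referencing it still load.` if that is indeed the intent.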
@@ -610,7 +610,8 @@ # fsetid - for chmod'ing its runtime files allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; #allow virtd_t self:capability2 compromise_kernel; -allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +allow virtd_t self:process { getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +dontaudit virtd_t self:process execmem; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code dontaudit virtd_t self:capability { sys_module }; @@ -2365,10 +2366,6 @@ udev_domtrans(virtqemud_t) -tunable_policy(`virtqemud_use_execmem',` - allow virtqemud_t self:process { execmem execstack }; -') - tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtqemud_t) fs_manage_nfs_files(virtqemud_t) @@ -2493,6 +2490,8 @@ allow virtstoraged_t self:process { setsched }; +dontaudit virtstoraged_t self:process execmem; + files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) manage_dirs_pattern(virtstoraged_t, virt_var_run_t, virt_var_run_t) @@ -2531,6 +2530,7 @@ storage_raw_read_fixed_disk(virtstoraged_t) storage_raw_write_fixed_disk(virtstoraged_t) +storage_setattr_fixed_disk_dev(virtstoraged_t) userdom_read_user_home_content_files(virtstoraged_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/kernel/files.if new/selinux-policy-20260605/policy/modules/kernel/files.if --- old/selinux-policy-20260526/policy/modules/kernel/files.if 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/kernel/files.if 2026-06-05 15:21:53.000000000 +0200 
@@ -1921,6 +1921,12 @@ ') mmap_exec_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # possible to reach these via access(2) + allow $1 { file_type $2 }:lnk_file execute; + allow $1 { file_type $2 }:chr_file execute; + allow $1 { file_type $2 }:blk_file execute; + allow $1 { file_type $2 }:fifo_file execute; ') ######################################## @@ -9293,6 +9299,24 @@ files_watch_var_run_dirs($1) ') +####################################### +## <summary> +## Mounton a /run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_var_run_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir mounton; +') + ######################################## ## <summary> ## List the contents of the runtime process diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/policy/modules/roles/staff.te new/selinux-policy-20260605/policy/modules/roles/staff.te --- old/selinux-policy-20260526/policy/modules/roles/staff.te 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/policy/modules/roles/staff.te 2026-06-05 15:21:53.000000000 +0200 @@ -35,6 +35,7 @@ kernel_getattr_core_if(staff_t) kernel_getattr_message_if(staff_t) kernel_mount_proc(staff_t) +kernel_mounton_proc(staff_t) kernel_read_software_raid_state(staff_t) kernel_read_fs_sysctls(staff_t) kernel_read_numa_state(staff_t) @@ -45,11 +46,13 @@ files_dontaudit_manage_boot_dirs(staff_t) fs_read_tmpfs_files(staff_t) fs_read_binfmt_misc(staff_t) +fs_read_nsfs_files(staff_t) fs_mount_tmpfs(staff_t) fs_unmount_tmpfs(staff_t) -fs_remount_xattr_fs(staff_t) +fs_remount_all_fs(staff_t) fs_unmount_xattr_fs(staff_t) +dev_mounton(staff_t) dev_read_cpuid(staff_t) dev_read_kmsg(staff_t) dev_map_video_dev(staff_t) 
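Review bot: The comment `# possible to reach these via access(2)` above the four new `execute` rules is too terse to explain why a file-executing interface now grants execute on symlinks, device nodes and fifos, and the enclosing interface's name and header lie outside the hunk, so the reader gets no help from context. As far as the hunk shows, the rationale is presumably that access(2) with X_OK performs an execute permission check on whatever object the path resolves to, so a caller probing paths gets denials on non-regular files even though nothing is executed; if so, say that: `# access(2) with X_OK performs an execute check on the resolved object, so callers probing paths also need execute on non-regular files; no such object is actually executed — confirm`. It is also worth stating that `lnk_file execute` is not execute on the link target, to pre-empt the obvious objection.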
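Review bot: The staff.te hunks replace `fs_remount_xattr_fs(staff_t)` with `fs_remount_all_fs(staff_t)` and add `kernel_mounton_proc(staff_t)`, `dev_mounton(staff_t)` and `files_mounton_var_run_dirs(staff_t)` without any comment, while the changelog only says "additional sandboxing permissions". Mount-on and remount rights for an interactive user role are exactly the grants a later audit will question, so the block should name the sandboxing tool whose mount-namespace setup needs them (the hunk does not identify it) and why remount had to widen from xattr filesystems to all filesystems. Suggest a comment above the group, e.g. `# mount/remount rights used by user-namespace sandboxes when they build their private mount namespace — TODO name the tool and the denial that motivated fs_remount_all_fs`.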
@@ -64,6 +67,7 @@ files_read_kernel_modules(staff_t) files_mounton_rootfs(staff_t) +files_mounton_var_run_dirs(staff_t) files_mounton_generic_tmp_dirs(staff_t) seutil_read_module_store(staff_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260526/test/test.sh new/selinux-policy-20260605/test/test.sh --- old/selinux-policy-20260526/test/test.sh 2026-05-26 10:29:38.000000000 +0200 +++ new/selinux-policy-20260605/test/test.sh 2026-06-05 15:21:53.000000000 +0200 @@ -12,18 +12,22 @@ tmpdir="$(mktemp -d)" trap "rm -rf '$tmpdir'" EXIT -QEMU_BASEARGS=(-accel kvm -accel tcg -nographic -m 1024 -smp 4 -virtfs "local,path=${tmpdir},mount_tag=tmpdir,security_model=mapped-xattr") +QEMU_BASEARGS=(-cpu host -accel kvm -accel tcg -nographic -m 1024 -smp 4 -virtfs "local,path=${tmpdir},mount_tag=tmpdir,security_model=mapped-xattr") + +# Which VM image to boot. Overridden by the CI job to point at the correct download link. +VM_IMAGE_URL="${VM_IMAGE_URL}" +IMAGE_FILE="$(basename "${VM_IMAGE_URL}")" # Prepare the temporary dir cp -r "test/testscript" "artifacts" "${tmpdir}" ls -la "${tmpdir}/artifacts" cd "$tmpdir" -print 32 "# Downloading the latest Tumbleweed Minimal image..." -wget --no-verbose --progress=bar:force:noscroll https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen.qcow2 +print 32 "# Downloading the VM image (${VM_IMAGE_URL})..." +wget --no-verbose --progress=bar:force:noscroll "${VM_IMAGE_URL}" print 32 "# Starting the VM and runnig the testscript..." -timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive if=virtio,file=openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen.qcow2 \ +timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive if=virtio,file="${IMAGE_FILE}" \ -fw_cfg name=opt/org.opensuse.combustion/script,file=testscript | sed 's/\x1b\[0;30;47m//g' # sed 's/\x1b\[[0-9;]*m//g' # Exit if testscript fails to complete
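Review bot: `VM_IMAGE_URL="${VM_IMAGE_URL}"` is a self-assignment that does nothing; when the variable is not exported (running test/test.sh outside the CI job that sets it) `IMAGE_FILE` becomes empty, wget is invoked with no URL and qemu later receives `file=`, neither of which names the actual problem. Replace that line with `: "${VM_IMAGE_URL:?VM_IMAGE_URL must point at the qcow2 image to boot}"` so the script stops at the first line with a clear message, or default it to the Tumbleweed URL the script used before. Separately, `-cpu host` added to QEMU_BASEARGS is only valid with KVM; on a runner without /dev/kvm where qemu falls through to the `-accel tcg` fallback it refuses to start, so either drop the fallback or pick the CPU model conditionally. The script continues outside the hunk.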
