Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-06-19 16:30:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy"
Fri Jun 19 16:30:53 2026 rev:163 rq:1360264 version:20260618
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-06-11 17:25:56.290746456 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1956/selinux-policy.changes 2026-06-19 17:22:49.881078348 +0200
@@ -1,0 +2,7 @@
+Thu Jun 18 11:34:41 UTC 2026 - Robert Frohl <[email protected]>
+
+- Update to version 20260618:
+ * Allow wireguard to setup DNS using dns_hatchet (bsc#1243148)
+ * Add sysnet_mount_file() interface
+
+-------------------------------------------------------------------
Old:
----
selinux-policy-20260605.tar.xz
New:
----
selinux-policy-20260618.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.tI7G0F/_old 2026-06-19 17:22:52.033152523 +0200
+++ /var/tmp/diff_new_pack.tI7G0F/_new 2026-06-19 17:22:52.037152661 +0200
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20260605
+Version: 20260618
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.tI7G0F/_old 2026-06-19 17:22:52.161156934 +0200
+++ /var/tmp/diff_new_pack.tI7G0F/_new 2026-06-19 17:22:52.165157072 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">5aaf83f76fe73ede585eb034261da37b8b25dd11</param></service></servicedata>
+ <param name="changesrevision">556a7845509b348bcc7d401b14e99f64bfb78681</param></service></servicedata>
 (No newline at EOF)
++++++ selinux-policy-20260605.tar.xz -> selinux-policy-20260618.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260605/policy/modules/contrib/wireguard.te new/selinux-policy-20260618/policy/modules/contrib/wireguard.te
--- old/selinux-policy-20260605/policy/modules/contrib/wireguard.te 2026-06-05 15:21:53.000000000 +0200
+++ new/selinux-policy-20260618/policy/modules/contrib/wireguard.te 2026-06-18 13:23:09.000000000 +0200
@@ -41,6 +41,33 @@
 files_read_etc_files(wireguard_t)
+# openSUSE only >>
+## DNS hatchet part
+allow wireguard_t self:capability sys_admin;
+
+sysnet_create_config(wireguard_t)
+sysnet_mount_file(wireguard_t)
+sysnet_write_config(wireguard_t)
+
+# DNS hatchet is creating a modified /dev/shm/resolv.conf and remounting to
+# /etc/resolv.conf, labels need to be corrected
+fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")
+
+files_mounton_rootfs(wireguard_t)
+
+fs_all_mount_fs_perms_tmpfs(wireguard_t)
+fs_mounton_tmpfs(wireguard_t)
+fs_manage_tmpfs_files(wireguard_t)
+fs_search_cgroup_dirs(wireguard_t)
+storage_rw_fixed_disk_blk_dev(wireguard_t)
+
+optional_policy(`
+ mount_exec(wireguard_t)
+ mount_manage_pid_files(wireguard_t)
+')
+
+# openSUSE only <<
+
 optional_policy(`
 auth_read_passwd(wireguard_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260605/policy/modules/system/sysnetwork.if new/selinux-policy-20260618/policy/modules/system/sysnetwork.if
--- old/selinux-policy-20260605/policy/modules/system/sysnetwork.if 2026-06-05 15:21:53.000000000 +0200
+++ new/selinux-policy-20260618/policy/modules/system/sysnetwork.if 2026-06-18 13:23:09.000000000 +0200
@@ -1318,3 +1318,21 @@
 files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
 ')
+
+#######################################
+## <summary>
+## Mount network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_mount_file',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file mounton;
+')
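Review bot: `storage_rw_fixed_disk_blk_dev(wireguard_t)` in the openSUSE-only block of wireguard.te gives the WireGuard domain read/write access to fixed-disk block devices, which goes well beyond the stated job of building a resolv.conf on tmpfs and mounting it over /etc/resolv.conf. Raw block-device access is not mediated by per-file labels, and it arrives together with `self:capability sys_admin` and in-domain `mount_exec`, so a fault in the DNS hatchet path would no longer be contained by the policy. If the rule only answers a denial raised while mount probes devices (an assumption, since no AVC is shown), prefer something narrower such as `storage_getattr_fixed_disk_dev(wireguard_t)` or a dontaudit rule. If write access really is required, say why next to the rule, e.g. `# needed because <operation and AVC reference>`.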
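Review bot: The name `sysnet_mount_file` and the summary "Mount network config files." in the sysnetwork.if hunk describe a different operation from the one granted, because `allow $1 net_conf_t:file mounton;` lets the domain use a net_conf_t file as a mount point. The interfaces called from wireguard.te in this same commit use the `mounton` naming (`files_mounton_rootfs`, `fs_mounton_tmpfs`), so a name such as `sysnet_mounton_config` with the summary `## Allow the domain to mount filesystems on network config files.` would match them and make the grant easier to audit. The call in wireguard.te would change with it, and renaming while the interface is new avoids carrying a compatibility alias later.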
