Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2026-07-02 20:06:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Thu Jul  2 20:06:35 2026 rev:40 rq:1363479 version:2.250.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2026-06-08 14:05:36.372014664 +0200
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.1982/container-selinux.changes
    2026-07-02 20:07:36.781554221 +0200
@@ -1,0 +2,20 @@
+Thu Jul  2 11:07:51 UTC 2026 - Robert Frohl <[email protected]>
+
+- Update to version 2.250.0:
+  * Allow rpmdb to manage files on mounted container filesystems
+  * Add the container_runtime_signull() interface
+  * give container_domain perms on container_file_t fifo_files
+  * Suppress mmap_zero denials for container_runtime_t
+  * rpm: Require policycoreutils >= 3.10 for policydb version 24 support
+  * Add the container_spc_signull() interface
+  * Allow spc_t execstack and execmem (bsc#1268490)
+- Drop allow-spc_t-execstack-via-boolean-and-execmem-bsc-1268490.patch: 
included upstream
+
+-------------------------------------------------------------------
+Mon Jun 29 15:05:01 UTC 2026 - Cathy Hu <[email protected]>
+
+- Introduce container_can_execstack boolean for older Java applications
+  and allow execmem (bsc#1268490) 
+  - Add patch: allow-spc_t-execstack-via-boolean-and-execmem-bsc-1268490.patch
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.249.0.tar.xz

New:
----
  container-selinux-2.250.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.FVEgcC/_old  2026-07-02 20:07:37.697585883 +0200
+++ /var/tmp/diff_new_pack.FVEgcC/_new  2026-07-02 20:07:37.697585883 +0200
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.249.0
+Version:        2.250.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only
@@ -36,7 +36,7 @@
 BuildRequires:  selinux-policy-devel
 BuildRequires:  selinux-policy-%{selinuxtype}
 Requires:       selinux-policy >= %(rpm -q selinux-policy --qf 
'%%{version}-%%{release}')
-Requires(posttrans): policycoreutils
+Requires(posttrans): policycoreutils => 3.10
 Requires(posttrans): /usr/bin/sed
 Requires(posttrans): selinux-policy-base >= %{selinux_policyver}
 Requires(posttrans): selinux-policy-targeted >= %{selinux_policyver}
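Review bot: The new dependency line spells the operator as `=>`, while every other version constraint on this page, including the upstream rpm/container-selinux.spec hunk further down, writes `>=`; change it to `Requires(posttrans): policycoreutils >= 3.10`. As far as I recall rpmbuild accepts `=>` as a synonym for `>=`, so this is a readability and consistency point rather than a build break, but someone auditing the minimum policycoreutils version will easily misread the reversed form. The changelog entry above states the intent as "Require policycoreutils >= 3.10", so the spelled-out form also matches the stated reason.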
@@ -48,6 +48,7 @@
 
 %prep
 %setup -q
+%autopatch -p1
 
 %build
 %make_build
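Review bot: `%autopatch -p1` is added to %prep in the same submission whose changelog drops the only patch it mentions, so unless a `Patch:` tag exists outside this hunk the directive currently applies nothing. That is harmless, but the reason for keeping it is not visible, and the next maintainer may either remove it or go looking for a missing patch file. A one-line comment such as `# %autopatch stays so a future Patch: tag is applied without further %prep edits` would settle that.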

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.FVEgcC/_old  2026-07-02 20:07:37.793589201 +0200
+++ /var/tmp/diff_new_pack.FVEgcC/_new  2026-07-02 20:07:37.805589616 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
-              <param 
name="changesrevision">d3e0ce57e97c38e1403c0eb5a29b10d5d6dd82c6</param></service></servicedata>
+              <param 
name="changesrevision">9715eb09108e9fabb0fbaeee9044636b349370eb</param></service></servicedata>
 (No newline at EOF)
 

++++++ container-selinux-2.249.0.tar.xz -> container-selinux-2.250.0.tar.xz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.249.0/container.if 
new/container-selinux-2.250.0/container.if
--- old/container-selinux-2.249.0/container.if  2026-05-27 19:26:48.000000000 
+0200
+++ new/container-selinux-2.250.0/container.if  2026-07-02 12:09:09.000000000 
+0200
@@ -855,6 +855,24 @@
 
 ########################################
 ## <summary>
+##     Send null signals to container-runtime.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`container_runtime_signull',`
+       gen_require(`
+               type container_runtime_t;
+       ')
+
+       allow $1 container_runtime_t:process signull;
+')
+
+########################################
+## <summary>
 ##     Read the process state of spc containers
 ## </summary>
 ## <param name="domain">
@@ -982,6 +1000,7 @@
        allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
        manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
        manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+       allow $1_t $2_file_t:fifo_file watch;
        manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
        allow $1_t $2_file_t:{file dir} mounton;
        allow $1_t $2_file_t:filesystem { mount remount unmount };
@@ -1009,6 +1028,24 @@
 ')
 
 ########################################
+## <summary>
+##     Send null signals to spc container.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`container_spc_signull',`
+       gen_require(`
+               type spc_t;
+       ')
+
+       allow $1 spc_t:process signull;
+')
+
+########################################
 ## <summary>
 ##     Execute container in the container domain.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.249.0/container.te 
new/container-selinux-2.250.0/container.te
--- old/container-selinux-2.249.0/container.te  2026-05-27 19:26:48.000000000 
+0200
+++ new/container-selinux-2.250.0/container.te  2026-07-02 12:09:09.000000000 
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.249.0)
+policy_module(container, 2.250.0)
 
 gen_require(`
        class passwd rootok;
@@ -12,6 +12,13 @@
 
 ## <desc>
 ##  <p>
+##  Allow container to make its stack executable
+##  </p>
+## </desc>
+gen_tunable(container_can_execstack, false)
+
+## <desc>
+##  <p>
 ##  Determine whether container can
 ##  connect to all TCP ports.
 ##  </p>
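Review bot: The description of `container_can_execstack` reads "Allow container to make its stack executable", but the only rule gated by it on this page is `allow spc_t self:process execstack;` in the spc local policy, so the boolean affects super-privileged containers rather than the generic container domains. Administrators see this text in `semanage boolean -l` when deciding whether to turn it on, so it should name the scope: `##  Allow super privileged containers (spc_t) to make their stack executable`. If other tunable_policy blocks outside this diff also use the boolean, the wording should say which domains they cover instead.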
@@ -213,6 +220,9 @@
 allow container_runtime_domain self:dir mounton;
 allow container_runtime_domain self:file mounton;
 
+# Suppress mmap_zero denials for docker-ce's check utility
+dontaudit container_runtime_t self:memprotect mmap_zero;
+
 allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
 allow container_runtime_domain self:fifo_file manage_file_perms;
 allow container_runtime_domain self:msg all_msg_perms;
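Review bot: The new `dontaudit container_runtime_t self:memprotect mmap_zero;` silences, rather than permits, a request to map the zero page, and that denial is also the event a defender would look for when investigating a NULL-page mapping attempt in the runtime; the comment should record that the trade-off is deliberate and how to restore the event. Suggested wording: `# Suppress mmap_zero denials for docker-ce's check utility (the mapping is still denied; semodule -DB re-enables the audit record while debugging)`. The rule is on container_runtime_t alone while the neighbouring rules target container_runtime_domain; if the check utility only ever runs as container_runtime_t that is the right scope, and the same pattern already exists for spc_t later in this file.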
@@ -802,6 +812,10 @@
 # spc local policy
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
+allow spc_t self:process execmem;
+tunable_policy(`container_can_execstack',`
+       allow spc_t self:process execstack;
+')
 role system_r types spc_t;
 dontaudit spc_t self:memprotect mmap_zero;
 
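Review bot: `allow spc_t self:process execmem;` is granted unconditionally while `execstack` two lines later is placed behind `container_can_execstack`, and nothing in the hunk explains the asymmetry, so a later change is likely to "fix" it in one direction or the other. Both permissions relax the W^X posture of spc_t, which is why the justification belongs next to the rules rather than only in the changelog; a comment such as `# execmem is needed unconditionally by spc_t workloads; execstack is rarer and stays behind container_can_execstack (see bsc#1268490)` would carry it. Whether execmem is required by every spc_t workload is inferred from the changelog wording on this page, so adjust the comment to whatever the bug actually documents.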
@@ -967,6 +981,7 @@
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
 allow container_domain self:fifo_file watch;
+allow container_domain container_file_t:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.249.0/rpm/container-selinux.spec 
new/container-selinux-2.250.0/rpm/container-selinux.spec
--- old/container-selinux-2.249.0/rpm/container-selinux.spec    2026-05-27 
19:26:48.000000000 +0200
+++ new/container-selinux-2.250.0/rpm/container-selinux.spec    2026-07-02 
12:09:09.000000000 +0200
@@ -20,6 +20,12 @@
 %define no_user_namespace 1
 %endif
 
+# https://redhat.atlassian.net/browse/RHEL-151636
+# RHEL <= 9 and Fedora <= 43 have older policydb versions
+%if (%{defined rhel} && 0%{?rhel} <= 9) || (%{defined fedora} && 0%{?fedora} 
<= 43)
+%define old_policydb 1
+%endif
+
 # set copr_build is more intuitive than copr_username
 %if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && 
"%{copr_projectname}" == "podman-next"
 %define next_build 1
@@ -52,7 +58,11 @@
 Requires(post): selinux-policy-base >= %_selinux_policy_version
 Requires(post): selinux-policy-any >= %_selinux_policy_version
 Recommends: selinux-policy-targeted >= %_selinux_policy_version
+%if %{defined old_policydb}
 Requires(post): policycoreutils
+%else
+Requires(post): policycoreutils >= 3.10
+%endif
 Requires(post): libselinux-utils
 Requires(post): sed
 Obsoletes: %{name} <= 2:1.12.5-13
