Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2026-07-02 20:06:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Thu Jul 2 20:06:35 2026 rev:40 rq:1363479 version:2.250.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2026-06-08 14:05:36.372014664 +0200
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.1982/container-selinux.changes
2026-07-02 20:07:36.781554221 +0200
@@ -1,0 +2,20 @@
+Thu Jul 2 11:07:51 UTC 2026 - Robert Frohl <[email protected]>
+
+- Update to version 2.250.0:
+ * Allow rpmdb to manage files on mounted container filesystems
+ * Add the container_runtime_signull() interface
+ * give container_domain perms on container_file_t fifo_files
+ * Suppress mmap_zero denials for container_runtime_t
+ * rpm: Require policycoreutils >= 3.10 for policydb version 24 support
+ * Add the container_spc_signull() interface
+ * Allow spc_t execstack and execmem (bsc#1268490)
+- Drop allow-spc_t-execstack-via-boolean-and-execmem-bsc-1268490.patch:
included upstream
+
+-------------------------------------------------------------------
+Mon Jun 29 15:05:01 UTC 2026 - Cathy Hu <[email protected]>
+
+- Introduce container_can_execstack boolean for older Java applications
+ and allow execmem (bsc#1268490)
+ - Add patch: allow-spc_t-execstack-via-boolean-and-execmem-bsc-1268490.patch
+
+-------------------------------------------------------------------
Old:
----
container-selinux-2.249.0.tar.xz
New:
----
container-selinux-2.250.0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.FVEgcC/_old 2026-07-02 20:07:37.697585883 +0200
+++ /var/tmp/diff_new_pack.FVEgcC/_new 2026-07-02 20:07:37.697585883 +0200
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.249.0
+Version: 2.250.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
@@ -36,7 +36,7 @@
BuildRequires: selinux-policy-devel
BuildRequires: selinux-policy-%{selinuxtype}
Requires: selinux-policy >= %(rpm -q selinux-policy --qf
'%%{version}-%%{release}')
-Requires(posttrans): policycoreutils
+Requires(posttrans): policycoreutils => 3.10
Requires(posttrans): /usr/bin/sed
Requires(posttrans): selinux-policy-base >= %{selinux_policyver}
Requires(posttrans): selinux-policy-targeted >= %{selinux_policyver}
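Review bot: The new version constraint on the `Requires(posttrans)` line is spelled `policycoreutils => 3.10`, while every other versioned dependency in this spec and the upstream rpm/container-selinux.spec in the same diff use `>=`; as far as I recall rpm's spec parser tolerates `=>` as a synonym, but it is an unusual spelling that other tooling reading the spec may not treat as a version comparison at all. Write it as `Requires(posttrans): policycoreutils >= 3.10` to match the rest of the file and the upstream `Requires(post): policycoreutils >= 3.10`. The changelog says the bump is for policydb version 24 support, which is worth recording next to the line, `# policycoreutils >= 3.10 is needed for policydb version 24`.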
@@ -48,6 +48,7 @@
%prep
%setup -q
+%autopatch -p1
%build
%make_build
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.FVEgcC/_old 2026-07-02 20:07:37.793589201 +0200
+++ /var/tmp/diff_new_pack.FVEgcC/_new 2026-07-02 20:07:37.805589616 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/containers/container-selinux.git</param>
- <param
name="changesrevision">d3e0ce57e97c38e1403c0eb5a29b10d5d6dd82c6</param></service></servicedata>
+ <param
name="changesrevision">9715eb09108e9fabb0fbaeee9044636b349370eb</param></service></servicedata>
(No newline at EOF)
++++++ container-selinux-2.249.0.tar.xz -> container-selinux-2.250.0.tar.xz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.249.0/container.if
new/container-selinux-2.250.0/container.if
--- old/container-selinux-2.249.0/container.if 2026-05-27 19:26:48.000000000
+0200
+++ new/container-selinux-2.250.0/container.if 2026-07-02 12:09:09.000000000
+0200
@@ -855,6 +855,24 @@
########################################
## <summary>
+## Send null signals to container-runtime.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`container_runtime_signull',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ allow $1 container_runtime_t:process signull;
+')
+
+########################################
+## <summary>
## Read the process state of spc containers
## </summary>
## <param name="domain">
@@ -982,6 +1000,7 @@
allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+ allow $1_t $2_file_t:fifo_file watch;
manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
allow $1_t $2_file_t:{file dir} mounton;
allow $1_t $2_file_t:filesystem { mount remount unmount };
@@ -1009,6 +1028,24 @@
')
########################################
+## <summary>
+## Send null signals to spc container.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`container_spc_signull',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ allow $1 spc_t:process signull;
+')
+
+########################################
## <summary>
## Execute container in the container domain.
## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.249.0/container.te
new/container-selinux-2.250.0/container.te
--- old/container-selinux-2.249.0/container.te 2026-05-27 19:26:48.000000000
+0200
+++ new/container-selinux-2.250.0/container.te 2026-07-02 12:09:09.000000000
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.249.0)
+policy_module(container, 2.250.0)
gen_require(`
class passwd rootok;
@@ -12,6 +12,13 @@
## <desc>
## <p>
+## Allow container to make its stack executable
+## </p>
+## </desc>
+gen_tunable(container_can_execstack, false)
+
+## <desc>
+## <p>
## Determine whether container can
## connect to all TCP ports.
## </p>
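Review bot: The tunable's `<desc>` says "Allow container to make its stack executable", but the only rule the boolean gates (in the spc local policy hunk of this same file) is `allow spc_t self:process execstack;`, so processes in the generic container_domain get nothing from it. The description is what administrators see when listing booleans, so it should state the real scope: `## Allow super privileged containers (spc_t) to make their stack executable`. The name `container_can_execstack` suggests the broader scope as well; renaming it would be an interface change, so correcting the description is the minimal fix.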
@@ -213,6 +220,9 @@
allow container_runtime_domain self:dir mounton;
allow container_runtime_domain self:file mounton;
+# Suppress mmap_zero denials for docker-ce's check utility
+dontaudit container_runtime_t self:memprotect mmap_zero;
+
allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
allow container_runtime_domain self:fifo_file manage_file_perms;
allow container_runtime_domain self:msg all_msg_perms;
@@ -802,6 +812,10 @@
# spc local policy
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t
container_runtime_tmpfs_t}:file entrypoint;
+allow spc_t self:process execmem;
+tunable_policy(`container_can_execstack',`
+ allow spc_t self:process execstack;
+')
role system_r types spc_t;
dontaudit spc_t self:memprotect mmap_zero;
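Review bot: `allow spc_t self:process execmem;` is granted unconditionally while the adjacent `execstack` is gated behind `container_can_execstack`, and nothing in the hunk records why the two W^X-relevant permissions are treated differently; a reader auditing spc_t has to go to the changelog (bsc#1268490, older Java applications) to find the reason. Add a comment above the two rules, e.g. `# JIT runtimes such as Java need execmem; execstack stays opt-in via container_can_execstack (bsc#1268490)`. The spc_t local policy block starts and ends outside this hunk.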
@@ -967,6 +981,7 @@
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
allow container_domain self:fifo_file watch;
+allow container_domain container_file_t:fifo_file watch;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.249.0/rpm/container-selinux.spec
new/container-selinux-2.250.0/rpm/container-selinux.spec
--- old/container-selinux-2.249.0/rpm/container-selinux.spec 2026-05-27
19:26:48.000000000 +0200
+++ new/container-selinux-2.250.0/rpm/container-selinux.spec 2026-07-02
12:09:09.000000000 +0200
@@ -20,6 +20,12 @@
%define no_user_namespace 1
%endif
+# https://redhat.atlassian.net/browse/RHEL-151636
+# RHEL <= 9 and Fedora <= 43 have older policydb versions
+%if (%{defined rhel} && 0%{?rhel} <= 9) || (%{defined fedora} && 0%{?fedora}
<= 43)
+%define old_policydb 1
+%endif
+
# set copr_build is more intuitive than copr_username
%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" &&
"%{copr_projectname}" == "podman-next"
%define next_build 1
@@ -52,7 +58,11 @@
Requires(post): selinux-policy-base >= %_selinux_policy_version
Requires(post): selinux-policy-any >= %_selinux_policy_version
Recommends: selinux-policy-targeted >= %_selinux_policy_version
+%if %{defined old_policydb}
Requires(post): policycoreutils
+%else
+Requires(post): policycoreutils >= 3.10
+%endif
Requires(post): libselinux-utils
Requires(post): sed
Obsoletes: %{name} <= 2:1.12.5-13