Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2026-07-06 13:11:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Mon Jul  6 13:11:36 2026 rev:165 rq:1363480 version:20260702

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2026-06-25 10:52:12.130981936 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1982/selinux-policy.changes  
2026-07-06 13:11:38.829341094 +0200
@@ -1,0 +2,53 @@
+Thu Jul 02 11:24:41 UTC 2026 - Robert Frohl <[email protected]>
+
+- Update to version 20260702:
+  * Include key_socket in socket_class_set
+  * Remove 14 permissive domains
+  * ci: Run cockpit-machines tests in PRs
+  * Remove the lockdown class from the policy
+  * Allow systemd-logind the sys_ptrace capability in the user namespace
+  * Allow systemd-sleep the perfmon capability
+  * Allow sshd_session_t dyntransition to sftpd_t
+  * Allow lttng kernel tracing
+  * Allow loadkeys create and use its private tmpfs files
+  * Allow journald create and use netlink_tcpdiag_socket
+  * Fix typo in the comment of build.conf
+  * Allow gpg_pinentry_t to write session dbus socket files
+  * Allow systemd-hostnamed read hwdb files
+  * Allow systemd-machined to manage nspawn runtime directory
+  * Allow pcm-sensor-server the sys_admin capability
+  * Allow nut/upsmon read nut_conf_t symlinks
+  * Support new sanlock features - using libdm and SG_IO
+  * Allow thumb_t mount proc filesystem
+  * Allow aide connect to the GDM userdb provider socket
+  * Allow postfix_postdrop_t/system_mail_t append to init unix domain stream 
sockets
+  * Allow nfsd_t to create netlink_generic_socket (bsc#1267826)
+  * Add anaconda_ioctl_fifo_files_install() and 
anaconda_write_fifo_files_install()
+  * Allow install_t domain transition to insights_client_t
+  * Allow staff user mounton /var/lib dirs
+  * Allow systemd-coredump signull container runtime
+  * Allow blueman get the attributes of a tmpfs filesystem
+  * portage_compile_domain: Require xdm_xserver_tmp_t type
+  * Add missing interface requirements
+  * Dontaudit virt_driver_domain execmem
+  * fixed file after comment from zpytela.
+  * added caddy related paths.
+  * Remove extra parameters from interface headers
+  * Update bootupd policy for running lsblk
+  * Allow pcscd_t to search cgroup
+- Syncing with upstream rawhide selinux-policy up to:
+  * 3cf2aa66a844ba5e87fb2a8f04be08c62cf5538a
+- Update embedded container-selinux version to commit:
+  * 9715eb09108e9fabb0fbaeee9044636b349370eb (v2.250.0)
+
+-------------------------------------------------------------------
+Tue Jun 30 14:28:49 UTC 2026 - Cathy Hu <[email protected]>
+
+- Update to version 20260630:
+  * Allow snapper_sdbootutil_plugin_t create transient units (bsc#1267377)
+  * Allow bootctl access unconfined_t pid (bsc#1267377)
+  * Refactor sdbootutil into seperate module (bsc#1267377)
+  * Allow pcrlock to send kernel dgram (bsc#1267377)
+  * Add tiny sdbootutil module for sdbootutil snapper plugin changes 
(bsc#1267377)
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20260618.tar.xz

New:
----
  selinux-policy-20260702.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.MY3o7C/_old  2026-07-06 13:11:39.941379512 +0200
+++ /var/tmp/diff_new_pack.MY3o7C/_new  2026-07-06 13:11:39.941379512 +0200
@@ -37,7 +37,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20260618
+Version:        20260702
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.MY3o7C/_old  2026-07-06 13:11:40.029382552 +0200
+++ /var/tmp/diff_new_pack.MY3o7C/_new  2026-07-06 13:11:40.037382828 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">556a7845509b348bcc7d401b14e99f64bfb78681</param></service></servicedata>
+              <param 
name="changesrevision">6a1f6d5c2888c270101ee891b104b0004d2efce6</param></service></servicedata>
 (No newline at EOF)
 

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.MY3o7C/_old  2026-07-06 13:11:40.105385178 +0200
+++ /var/tmp/diff_new_pack.MY3o7C/_new  2026-07-06 13:11:40.113385454 +0200
@@ -855,6 +855,24 @@
 
 ########################################
 ## <summary>
+##     Send null signals to container-runtime.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`container_runtime_signull',`
+       gen_require(`
+               type container_runtime_t;
+       ')
+
+       allow $1 container_runtime_t:process signull;
+')
+
+########################################
+## <summary>
 ##     Read the process state of spc containers
 ## </summary>
 ## <param name="domain">
@@ -982,6 +1000,7 @@
        allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
        manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
        manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+       allow $1_t $2_file_t:fifo_file watch;
        manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
        allow $1_t $2_file_t:{file dir} mounton;
        allow $1_t $2_file_t:filesystem { mount remount unmount };
@@ -1009,6 +1028,24 @@
 ')
 
 ########################################
+## <summary>
+##     Send null signals to spc container.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`container_spc_signull',`
+       gen_require(`
+               type spc_t;
+       ')
+
+       allow $1 spc_t:process signull;
+')
+
+########################################
 ## <summary>
 ##     Execute container in the container domain.
 ## </summary>

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.MY3o7C/_old  2026-07-06 13:11:40.141386421 +0200
+++ /var/tmp/diff_new_pack.MY3o7C/_new  2026-07-06 13:11:40.145386560 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.249.0)
+policy_module(container, 2.250.0)
 
 gen_require(`
        class passwd rootok;
@@ -12,6 +12,13 @@
 
 ## <desc>
 ##  <p>
+##  Allow container to make its stack executable
+##  </p>
+## </desc>
+gen_tunable(container_can_execstack, false)
+
+## <desc>
+##  <p>
 ##  Determine whether container can
 ##  connect to all TCP ports.
 ##  </p>
@@ -213,6 +220,9 @@
 allow container_runtime_domain self:dir mounton;
 allow container_runtime_domain self:file mounton;
 
+# Suppress mmap_zero denials for docker-ce's check utility
+dontaudit container_runtime_t self:memprotect mmap_zero;
+
 allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
 allow container_runtime_domain self:fifo_file manage_file_perms;
 allow container_runtime_domain self:msg all_msg_perms;
@@ -802,6 +812,10 @@
 # spc local policy
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
+allow spc_t self:process execmem;
+tunable_policy(`container_can_execstack',`
+       allow spc_t self:process execstack;
+')
 role system_r types spc_t;
 dontaudit spc_t self:memprotect mmap_zero;
 
@@ -967,6 +981,7 @@
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
 allow container_domain self:fifo_file watch;
+allow container_domain container_file_t:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;

++++++ selinux-policy-20260618.tar.xz -> selinux-policy-20260702.tar.xz ++++++
++++ 2005 lines of diff (skipped)

Reply via email to