Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2026-07-07 09:00:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Tue Jul  7 09:00:27 2026 rev:166 rq:1364176 version:20260618

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2026-07-06 13:11:38.829341094 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1982/selinux-policy.changes  
2026-07-07 09:00:30.286526173 +0200
@@ -2,53 +1,0 @@
-Thu Jul 02 11:24:41 UTC 2026 - Robert Frohl <[email protected]>
-
-- Update to version 20260702:
-  * Include key_socket in socket_class_set
-  * Remove 14 permissive domains
-  * ci: Run cockpit-machines tests in PRs
-  * Remove the lockdown class from the policy
-  * Allow systemd-logind the sys_ptrace capability in the user namespace
-  * Allow systemd-sleep the perfmon capability
-  * Allow sshd_session_t dyntransition to sftpd_t
-  * Allow lttng kernel tracing
-  * Allow loadkeys create and use its private tmpfs files
-  * Allow journald create and use netlink_tcpdiag_socket
-  * Fix typo in the comment of build.conf
-  * Allow gpg_pinentry_t to write session dbus socket files
-  * Allow systemd-hostnamed read hwdb files
-  * Allow systemd-machined to manage nspawn runtime directory
-  * Allow pcm-sensor-server the sys_admin capability
-  * Allow nut/upsmon read nut_conf_t symlinks
-  * Support new sanlock features - using libdm and SG_IO
-  * Allow thumb_t mount proc filesystem
-  * Allow aide connect to the GDM userdb provider socket
-  * Allow postfix_postdrop_t/system_mail_t append to init unix domain stream 
sockets
-  * Allow nfsd_t to create netlink_generic_socket (bsc#1267826)
-  * Add anaconda_ioctl_fifo_files_install() and 
anaconda_write_fifo_files_install()
-  * Allow install_t domain transition to insights_client_t
-  * Allow staff user mounton /var/lib dirs
-  * Allow systemd-coredump signull container runtime
-  * Allow blueman get the attributes of a tmpfs filesystem
-  * portage_compile_domain: Require xdm_xserver_tmp_t type
-  * Add missing interface requirements
-  * Dontaudit virt_driver_domain execmem
-  * fixed file after comment from zpytela.
-  * added caddy related paths.
-  * Remove extra parameters from interface headers
-  * Update bootupd policy for running lsblk
-  * Allow pcscd_t to search cgroup
-- Syncing with upstream rawhide selinux-policy up to:
-  * 3cf2aa66a844ba5e87fb2a8f04be08c62cf5538a
-- Update embedded container-selinux version to commit:
-  * 9715eb09108e9fabb0fbaeee9044636b349370eb (v2.250.0)
-
--------------------------------------------------------------------
-Tue Jun 30 14:28:49 UTC 2026 - Cathy Hu <[email protected]>
-
-- Update to version 20260630:
-  * Allow snapper_sdbootutil_plugin_t create transient units (bsc#1267377)
-  * Allow bootctl access unconfined_t pid (bsc#1267377)
-  * Refactor sdbootutil into seperate module (bsc#1267377)
-  * Allow pcrlock to send kernel dgram (bsc#1267377)
-  * Add tiny sdbootutil module for sdbootutil snapper plugin changes 
(bsc#1267377)
-
--------------------------------------------------------------------

Old:
----
  selinux-policy-20260702.tar.xz

New:
----
  selinux-policy-20260618.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.cHwvUY/_old  2026-07-07 09:00:31.178556644 +0200
+++ /var/tmp/diff_new_pack.cHwvUY/_new  2026-07-07 09:00:31.186556917 +0200
@@ -37,7 +37,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20260702
+Version:        20260618
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.cHwvUY/_old  2026-07-07 09:00:31.274559924 +0200
+++ /var/tmp/diff_new_pack.cHwvUY/_new  2026-07-07 09:00:31.278560060 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">6a1f6d5c2888c270101ee891b104b0004d2efce6</param></service></servicedata>
+              <param 
name="changesrevision">556a7845509b348bcc7d401b14e99f64bfb78681</param></service></servicedata>
 (No newline at EOF)
 

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.cHwvUY/_old  2026-07-07 09:00:31.338562110 +0200
+++ /var/tmp/diff_new_pack.cHwvUY/_new  2026-07-07 09:00:31.342562246 +0200
@@ -855,24 +855,6 @@
 
 ########################################
 ## <summary>
-##     Send null signals to container-runtime.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access
-##     </summary>
-## </param>
-#
-interface(`container_runtime_signull',`
-       gen_require(`
-               type container_runtime_t;
-       ')
-
-       allow $1 container_runtime_t:process signull;
-')
-
-########################################
-## <summary>
 ##     Read the process state of spc containers
 ## </summary>
 ## <param name="domain">
@@ -1000,7 +982,6 @@
        allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
        manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
        manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
-       allow $1_t $2_file_t:fifo_file watch;
        manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
        allow $1_t $2_file_t:{file dir} mounton;
        allow $1_t $2_file_t:filesystem { mount remount unmount };
@@ -1028,24 +1009,6 @@
 ')
 
 ########################################
-## <summary>
-##     Send null signals to spc container.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access
-##     </summary>
-## </param>
-#
-interface(`container_spc_signull',`
-       gen_require(`
-               type spc_t;
-       ')
-
-       allow $1 spc_t:process signull;
-')
-
-########################################
 ## <summary>
 ##     Execute container in the container domain.
 ## </summary>

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.cHwvUY/_old  2026-07-07 09:00:31.374563339 +0200
+++ /var/tmp/diff_new_pack.cHwvUY/_new  2026-07-07 09:00:31.378563476 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.250.0)
+policy_module(container, 2.249.0)
 
 gen_require(`
        class passwd rootok;
@@ -12,13 +12,6 @@
 
 ## <desc>
 ##  <p>
-##  Allow container to make its stack executable
-##  </p>
-## </desc>
-gen_tunable(container_can_execstack, false)
-
-## <desc>
-##  <p>
 ##  Determine whether container can
 ##  connect to all TCP ports.
 ##  </p>
@@ -220,9 +213,6 @@
 allow container_runtime_domain self:dir mounton;
 allow container_runtime_domain self:file mounton;
 
-# Suppress mmap_zero denials for docker-ce's check utility
-dontaudit container_runtime_t self:memprotect mmap_zero;
-
 allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
 allow container_runtime_domain self:fifo_file manage_file_perms;
 allow container_runtime_domain self:msg all_msg_perms;
@@ -812,10 +802,6 @@
 # spc local policy
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
-allow spc_t self:process execmem;
-tunable_policy(`container_can_execstack',`
-       allow spc_t self:process execstack;
-')
 role system_r types spc_t;
 dontaudit spc_t self:memprotect mmap_zero;
 
@@ -981,7 +967,6 @@
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
 allow container_domain self:fifo_file watch;
-allow container_domain container_file_t:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;

++++++ selinux-policy-20260702.tar.xz -> selinux-policy-20260618.tar.xz ++++++
++++ 2005 lines of diff (skipped)

Reply via email to