Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-07-07 09:00:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Tue Jul 7 09:00:27 2026 rev:166 rq:1364176 version:20260618 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-07-06 13:11:38.829341094 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1982/selinux-policy.changes 2026-07-07 09:00:30.286526173 +0200 @@ -2,53 +1,0 @@ -Thu Jul 02 11:24:41 UTC 2026 - Robert Frohl <[email protected]> - -- Update to version 20260702: - * Include key_socket in socket_class_set - * Remove 14 permissive domains - * ci: Run cockpit-machines tests in PRs - * Remove the lockdown class from the policy - * Allow systemd-logind the sys_ptrace capability in the user namespace - * Allow systemd-sleep the perfmon capability - * Allow sshd_session_t dyntransition to sftpd_t - * Allow lttng kernel tracing - * Allow loadkeys create and use its private tmpfs files - * Allow journald create and use netlink_tcpdiag_socket - * Fix typo in the comment of build.conf - * Allow gpg_pinentry_t to write session dbus socket files - * Allow systemd-hostnamed read hwdb files - * Allow systemd-machined to manage nspawn runtime directory - * Allow pcm-sensor-server the sys_admin capability - * Allow nut/upsmon read nut_conf_t symlinks - * Support new sanlock features - using libdm and SG_IO - * Allow thumb_t mount proc filesystem - * Allow aide connect to the GDM userdb provider socket - * Allow postfix_postdrop_t/system_mail_t append to init unix domain stream sockets - * Allow nfsd_t to create netlink_generic_socket (bsc#1267826) - * Add anaconda_ioctl_fifo_files_install() and anaconda_write_fifo_files_install() - * Allow install_t domain transition to insights_client_t - * Allow staff user mounton /var/lib dirs - * Allow systemd-coredump signull container runtime - * Allow blueman get the attributes of a tmpfs filesystem - * portage_compile_domain: Require xdm_xserver_tmp_t type - * Add missing interface requirements - * Dontaudit virt_driver_domain execmem - * fixed file after comment from zpytela. - * added caddy related paths. - * Remove extra parameters from interface headers - * Update bootupd policy for running lsblk - * Allow pcscd_t to search cgroup -- Syncing with upstream rawhide selinux-policy up to: - * 3cf2aa66a844ba5e87fb2a8f04be08c62cf5538a -- Update embedded container-selinux version to commit: - * 9715eb09108e9fabb0fbaeee9044636b349370eb (v2.250.0) - -------------------------------------------------------------------- -Tue Jun 30 14:28:49 UTC 2026 - Cathy Hu <[email protected]> - -- Update to version 20260630: - * Allow snapper_sdbootutil_plugin_t create transient units (bsc#1267377) - * Allow bootctl access unconfined_t pid (bsc#1267377) - * Refactor sdbootutil into seperate module (bsc#1267377) - * Allow pcrlock to send kernel dgram (bsc#1267377) - * Add tiny sdbootutil module for sdbootutil snapper plugin changes (bsc#1267377) - -------------------------------------------------------------------- Old: ---- selinux-policy-20260702.tar.xz New: ---- selinux-policy-20260618.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.cHwvUY/_old 2026-07-07 09:00:31.178556644 +0200 +++ /var/tmp/diff_new_pack.cHwvUY/_new 2026-07-07 09:00:31.186556917 +0200 @@ -37,7 +37,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260702 +Version: 20260618 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.cHwvUY/_old 2026-07-07 09:00:31.274559924 +0200 +++ /var/tmp/diff_new_pack.cHwvUY/_new 2026-07-07 09:00:31.278560060 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">6a1f6d5c2888c270101ee891b104b0004d2efce6</param></service></servicedata> + <param name="changesrevision">556a7845509b348bcc7d401b14e99f64bfb78681</param></service></servicedata> (No newline at EOF) ++++++ container.if ++++++ --- /var/tmp/diff_new_pack.cHwvUY/_old 2026-07-07 09:00:31.338562110 +0200 +++ /var/tmp/diff_new_pack.cHwvUY/_new 2026-07-07 09:00:31.342562246 +0200 @@ -855,24 +855,6 @@ ######################################## ## <summary> -## Send null signals to container-runtime. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`container_runtime_signull',` - gen_require(` - type container_runtime_t; - ') - - allow $1 container_runtime_t:process signull; -') - -######################################## -## <summary> ## Read the process state of spc containers ## </summary> ## <param name="domain"> @@ -1000,7 +982,6 @@ allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads }; manage_blk_files_pattern($1_t, $2_file_t, $2_file_t) manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t) - allow $1_t $2_file_t:fifo_file watch; manage_sock_files_pattern($1_t, $2_file_t, $2_file_t) allow $1_t $2_file_t:{file dir} mounton; allow $1_t $2_file_t:filesystem { mount remount unmount }; @@ -1028,24 +1009,6 @@ ') ######################################## -## <summary> -## Send null signals to spc container. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`container_spc_signull',` - gen_require(` - type spc_t; - ') - - allow $1 spc_t:process signull; -') - -######################################## ## <summary> ## Execute container in the container domain. ## </summary> ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.cHwvUY/_old 2026-07-07 09:00:31.374563339 +0200 +++ /var/tmp/diff_new_pack.cHwvUY/_new 2026-07-07 09:00:31.378563476 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.250.0) +policy_module(container, 2.249.0) gen_require(` class passwd rootok; @@ -12,13 +12,6 @@ ## <desc> ## <p> -## Allow container to make its stack executable -## </p> -## </desc> -gen_tunable(container_can_execstack, false) - -## <desc> -## <p> ## Determine whether container can ## connect to all TCP ports. ## </p> @@ -220,9 +213,6 @@ allow container_runtime_domain self:dir mounton; allow container_runtime_domain self:file mounton; -# Suppress mmap_zero denials for docker-ce's check utility -dontaudit container_runtime_t self:memprotect mmap_zero; - allow container_runtime_domain self:fifo_file rw_fifo_file_perms; allow container_runtime_domain self:fifo_file manage_file_perms; allow container_runtime_domain self:msg all_msg_perms; @@ -812,10 +802,6 @@ # spc local policy # allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; -allow spc_t self:process execmem; -tunable_policy(`container_can_execstack',` - allow spc_t self:process execstack; -') role system_r types spc_t; dontaudit spc_t self:memprotect mmap_zero; @@ -981,7 +967,6 @@ allow container_domain self:lnk_file read_file_perms; allow container_domain self:fifo_file create_fifo_file_perms; allow container_domain self:fifo_file watch; -allow container_domain container_file_t:fifo_file watch; allow container_domain self:filesystem associate; allow container_domain self:key manage_key_perms; allow container_domain self:netlink_route_socket r_netlink_socket_perms; ++++++ selinux-policy-20260702.tar.xz -> selinux-policy-20260618.tar.xz ++++++ ++++ 2005 lines of diff (skipped)
