Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2023-06-24 20:13:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Sat Jun 24 20:13:34 2023 rev:47 rq:1094793 version:20230622

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2023-04-26 17:25:06.149532608 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.15902/selinux-policy.changes 
2023-06-24 20:13:46.136082496 +0200
@@ -1,0 +2,14 @@
+Thu Jun 22 12:14:15 UTC 2023 - jseg...@suse.com
+
+- Update to version 20230622:
+  * Allow keyutils_dns_resolver_exec_t be an entrypoint
+  * Allow collectd_t read network state symlinks
+  * Revert "Allow collectd_t read proc_net link files"
+  * Allow nfsd_t to list exports_t dirs
+  * Allow cupsd dbus chat with xdm
+  * Allow haproxy read hardware state information
+  * Label /dev/userfaultfd with userfaultfd_t
+  * Allow blueman send general signals to unprivileged user domains
+  * Allow dkim-milter domain transition to sendmail
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20230425.tar.xz

New:
----
  selinux-policy-20230622.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.5DbHuj/_old  2023-06-24 20:13:46.916087101 +0200
+++ /var/tmp/diff_new_pack.5DbHuj/_new  2023-06-24 20:13:46.920087125 +0200
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230425
+Version:        20230622
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.5DbHuj/_old  2023-06-24 20:13:46.996087574 +0200
+++ /var/tmp/diff_new_pack.5DbHuj/_new  2023-06-24 20:13:47.000087597 +0200
@@ -1,8 +1,10 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">41d70255c98105f4be875cbdd3f62383971dc7dd</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
-              <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
+              <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
+                <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
+              <param 
name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service></servicedata>
 (No newline at EOF)
 

++++++ container.fc ++++++
--- /var/tmp/diff_new_pack.5DbHuj/_old  2023-06-24 20:13:47.076088047 +0200
+++ /var/tmp/diff_new_pack.5DbHuj/_new  2023-06-24 20:13:47.080088070 +0200
@@ -59,6 +59,7 @@
 /etc/crio(/.*)?                
gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?         gen_context(system_u:object_r:container_var_lib_t,s0)
 
+/var/lib/shared(/.*)?  gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?        
gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?     gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?     gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -111,11 +112,16 @@
 /var/lib/containers/storage/overlay2-images(/.*)?      
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?    gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?  
gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/cache/containers(/.*)?    
gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?       
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/run/kata-containers(/.*)? 
gen_context(system_u:object_r:container_kvm_var_run_t,s0)
 
+/var/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
+/opt/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
+
 /var/lib/origin(/.*)?  gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)? 
gen_context(system_u:object_r:container_file_t,s0)
 

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.5DbHuj/_old  2023-06-24 20:13:47.096088164 +0200
+++ /var/tmp/diff_new_pack.5DbHuj/_new  2023-06-24 20:13:47.100088188 +0200
@@ -522,6 +522,7 @@
     files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
+    files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")
 
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, 
"config.env")
@@ -997,7 +998,6 @@
 interface(`container_kubelet_run',`
        gen_require(`
                type kubelet_t;
-               class dbus send_msg;
        ')
 
        container_kubelet_domtrans($1)

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.5DbHuj/_old  2023-06-24 20:13:47.128088353 +0200
+++ /var/tmp/diff_new_pack.5DbHuj/_new  2023-06-24 20:13:47.132088377 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.210.0)
+policy_module(container, 2.219.0)
 
 gen_require(`
        class passwd rootok;
@@ -19,6 +19,13 @@
 
 ## <desc>
 ##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
+## <desc>
+##  <p>
 ##  Determine whether sshd can launch container engines
 ##  </p>
 ## </desc>
@@ -81,7 +88,7 @@
        range_transition container_runtime_t conmon_exec_t:process s0;
 ')
 
-type spc_t, container_domain;
+type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;
 
@@ -169,6 +176,7 @@
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@@ -205,19 +213,24 @@
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, 
container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, 
dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)
 
 manage_dirs_pattern(container_runtime_domain, container_config_t, 
container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, 
container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, 
"container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, 
"containers")
 
 manage_dirs_pattern(container_runtime_domain, container_lock_t, 
container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, 
container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, 
"lxc")
+files_manage_generic_locks(container_runtime_domain)
 
 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, 
container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, 
container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file 
lnk_file })
+
 allow container_runtime_domain container_log_t:dir_file_class_set { 
relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, 
container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t 
}:file entrypoint;
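Review bot: `userdom_map_user_home_files(container_runtime_t)` is added in this hunk and again in the hunk at -458,33, so the new file states the same rule twice. The same repetition shows up in the hunk at -243,8, where the added `manage_files_pattern`, `manage_lnk_files_pattern` and `manage_blk_files_pattern` lines for `container_ro_file_t` repeat the context lines just above them. It also affects `fs_getattr_all_fs(container_runtime_domain)` (hunks at -270,17 and -458,33) and `fs_fusefs_entrypoint(spc_t)` (hunks at -700,17 and -857,7). Duplicates compile to the same policy, but they make it harder to see which line grants an access and easy to leave one copy behind when a permission is later withdrawn. Keeping a single occurrence of each would make the module easier to audit.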
@@ -243,8 +256,23 @@
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { 
relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
+
 filetrans_pattern(container_runtime_domain, container_var_lib_t, 
container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, 
container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, 
container_ro_file_t, dir, "overlay2")
@@ -262,6 +290,7 @@
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, 
container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { 
relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir 
file lnk_file })
+files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, 
"containers")
 
 manage_dirs_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
@@ -270,17 +299,30 @@
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
+allow container_runtime_domain container_var_run_t:dir_file_class_set 
relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom 
rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)
 
+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
 
 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@@ -390,7 +432,10 @@
 ')
 
 optional_policy(`
-       iptables_domtrans(container_runtime_domain)
+       gen_require(`
+               role unconfined_r;
+       ')
+       iptables_run(container_runtime_domain, unconfined_r)
 
        container_read_pid_files(iptables_t)
        container_read_state(iptables_t)
@@ -458,33 +503,38 @@
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)
 
+userdom_map_user_home_files(container_runtime_t)
+
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)
 
-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
 fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
-fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
 
 
 term_use_generic_ptys(container_runtime_domain)
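Review bot: `files_manage_etc_dirs(container_runtime_domain)` and `files_manage_etc_files(container_runtime_domain)` let every domain with the container_runtime_domain attribute create, modify and delete generically labelled /etc content, and nothing in the hunk says which path needs it. The hunk at -205,19 already types the runtime's own configuration as `container_config_t` with a `files_etc_filetrans(..., "containers")` transition, so the broader pair may be unnecessary if the goal is only to create that directory; this cannot be confirmed from the diff. If the two calls stay, a comment above them such as `# runtime rewrites <path> under /etc (etc_t)` would let a later reviewer narrow the grant. The remainder of the hunk re-sorts the fs_* calls, and `fs_read_tmpfs_symlinks(container_runtime_domain)` is still listed twice.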
@@ -563,6 +613,10 @@
        allow container_domain cephfs_t:file execmod;
 ')
 
+tunable_policy(`container_read_certs',`
+       miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
        type ecryptfs_t;
 ')
@@ -648,12 +702,12 @@
                role unconfined_r;
        ')
        role unconfined_r types container_user_domain;
+       role unconfined_r types spc_t;
        unconfined_domain(container_runtime_t)
        unconfined_run_to(container_runtime_t, container_runtime_exec_t)
-       role_transition unconfined_r container_runtime_exec_t system_r;
        allow container_domain unconfined_domain_type:fifo_file { 
rw_fifo_file_perms map };
        allow container_runtime_domain unconfined_t:fifo_file setattr;
-       allow unconfined_domain_type container_domain:process {transition 
dyntransition };
+       allow unconfined_domain_type container_domain:process {transition 
dyntransition};
        allow unconfined_t unlabeled_t:key manage_key_perms;
        allow container_runtime_t unconfined_t:process transition;
        allow unconfined_domain_type { container_var_lib_t container_ro_file_t 
}:file entrypoint;
@@ -692,7 +746,7 @@
 #
 # spc local policy
 #
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file 
entrypoint;
 role system_r types spc_t;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -700,17 +754,20 @@
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 
-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition 
nosuid_transition };
+
 admin_pattern(spc_t, kubernetes_file_t)
 
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
 
-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched 
signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom 
};
 allow spc_t unlabeled_t:key manage_key_perms;
 allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+fs_fusefs_entrypoint(spc_t)
+corecmd_entrypoint_all_executables(spc_t)
 
 init_dbus_chat(spc_t)
 
@@ -731,6 +788,7 @@
        # This should eventually be in upstream policy.
        # https://github.com/fedora-selinux/selinux-policy/pull/806
        allow spc_t domain:bpf { map_create map_read map_write prog_load 
prog_run };
+       allow daemon spc_t:dbus send_msg;
 ')
 
 optional_policy(`
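Review bot: `allow daemon spc_t:dbus send_msg;` sits directly under the comment about the BPF rule and its upstream pull request, so it reads as part of that workaround although it concerns D-Bus. The rule covers every domain carrying the `daemon` attribute rather than a named service, and a separate comment such as `# allow system daemons to send D-Bus messages to spc_t` (wording for the author to confirm) would make the intent and scope explicit. The enclosing block opens above this hunk, so whether its gen_require lists `attribute daemon` and `class dbus send_msg` cannot be checked here.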
@@ -744,7 +802,10 @@
        gen_require(`
                attribute virt_domain;
                type virtd_t;
+               role unconfined_r;
        ')
+       role unconfined_r types virt_domain;
+       role unconfined_r types virtd_t;
        container_spc_read_state(virt_domain)
        container_spc_rw_pipes(virt_domain)
        allow container_runtime_t virtd_t:process transition;
@@ -857,7 +918,7 @@
 allow container_domain self:unix_stream_socket { sendto 
create_stream_socket_perms };
 fs_rw_onload_sockets(container_domain)
 fs_fusefs_entrypoint(container_domain)
-
+fs_fusefs_entrypoint(spc_t)
 
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
@@ -999,7 +1060,6 @@
 allow container_net_domain self:netlink_kobject_uevent_socket 
create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket 
create_netlink_socket_perms;
 
-
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1188,6 +1248,8 @@
                attribute userdomain;
        ')
 
+       allow userdomain container_domain:process transition;
+
        can_exec(userdomain, container_runtime_exec_t)
        container_manage_files(userdomain)
        container_manage_share_dirs(userdomain)
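Review bot: `allow userdomain container_domain:process transition;` is attribute-to-attribute, so every user domain, confined ones included, may transition into any container domain wherever entrypoint and execute permissions also exist. The last hunk of this file adds `container_file_t`, `container_var_lib_t` and `fusefs_t` as entrypoints for container_domain, which widens the set of files that can satisfy that condition. A comment naming the launch path that needs this would help; if it is meant for the `container_user_t` domain added at the end of the file, naming that type instead of `userdomain` would be narrower. The enclosing block starts above the hunk, so any tunable or optional wrapper around the rule is not visible.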
@@ -1280,6 +1342,7 @@
 optional_policy(`
        qemu_entry_type(container_kvm_t)
        qemu_exec(container_kvm_t)
+       allow container_kvm_t qemu_exec_t:file { entrypoint execute 
execute_no_trans getattr ioctl lock map open read };
 ')
 
 manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
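Review bot: The added `allow container_kvm_t qemu_exec_t:file { entrypoint execute ... read };` appears to restate what `qemu_entry_type(container_kvm_t)` and `qemu_exec(container_kvm_t)` on the two lines above already grant. It also names `qemu_exec_t` directly, although the optional block shows no gen_require for that type. If one permission (perhaps `map`) was missing from the interfaces, an allow rule listing only that permission, with a comment saying so, would make the real delta visible. Adding `type qemu_exec_t;` to a gen_require at the top of the block would stop the rule from relying on the requires pulled in by the interface calls.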
@@ -1316,8 +1379,8 @@
 ')
 
 tunable_policy(`container_use_devices',`
-       allow container_domain device_node:chr_file rw_chr_file_perms;
-       allow container_domain device_node:blk_file rw_blk_file_perms;
+       allow container_domain device_node:chr_file {rw_chr_file_perms map};
+       allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')
 
 tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -1384,7 +1447,6 @@
        gen_require(`
                type sysadm_t;
                role sysadm_r;
-               attribute userdomain;
                role unconfined_r;
        ')
 
@@ -1403,6 +1465,7 @@
 container_domain_template(container_device_plugin, container)
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
+kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
 
 # Standard container which needs to be allowed to use any device and
@@ -1442,3 +1505,32 @@
        dontaudit systemd_logind_t iptables_var_run_t:dir read;
 ')
 
+role container_user_r;
+userdom_restricted_user_template(container_user)
+userdom_manage_home_role(container_user_r, container_user_t)
+
+allow container_user_t container_domain:process { getattr getcap getsched 
sigchld sigkill signal signull sigstop };
+
+role container_user_r types container_domain;
+role container_user_r types container_user_domain;
+role container_user_r types container_net_domain;
+role container_user_r types container_file_type;
+container_runtime_run(container_user_t, container_user_r)
+
+fs_manage_cgroup_dirs(container_user_t)
+fs_manage_cgroup_files(container_user_t)
+
+selinux_compute_access_vector(container_user_t)
+systemd_dbus_chat_hostnamed(container_user_t)
+systemd_start_systemd_services(container_user_t)
+
+
+allow container_domain container_file_t:file entrypoint;
+allow container_domain container_ro_file_t:file { entrypoint execmod execute 
execute_no_trans getattr ioctl lock map open read };
+allow container_domain container_var_lib_t:file entrypoint;
+allow container_domain fusefs_t:file { append create entrypoint execmod 
execute execute_no_trans getattr ioctl link lock map mounton open read rename 
setattr unlink watch watch_reads write };
+
+corecmd_entrypoint_all_executables(container_kvm_t)
+allow svirt_sandbox_domain exec_type:file { entrypoint execute 
execute_no_trans getattr ioctl lock map open read };
+allow svirt_sandbox_domain mountpoint:file entrypoint;
+
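Review bot: The four `allow container_domain ...:file` rules at the end of this hunk are unconditional and uncommented. The `fusefs_t` rule combines `write`, `create` and `setattr` with `entrypoint`, `execute` and `execmod`, so any container domain may both modify files on a FUSE mount and enter through them. `allow svirt_sandbox_domain exec_type:file { entrypoint ... }` and `allow svirt_sandbox_domain mountpoint:file entrypoint;` are similarly wide. Elsewhere this file gates broad grants behind booleans (`container_use_devices`, and `container_read_certs` added by this same commit); doing the same here, or at least adding a comment that names the runtime feature each rule serves, would keep the default policy tighter. `corecmd_entrypoint_all_executables(container_kvm_t)` would also read better next to the other container_kvm_t rules than at the end of the file.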

++++++ selinux-policy-20230425.tar.xz -> selinux-policy-20230622.tar.xz ++++++
++++ 1902 lines of diff (skipped)
