Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-06-06 12:30:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Jun  6 12:30:52 2024 rev:60 rq:1178674 version:20240411

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-03-22 15:28:25.598159722 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.24587/selinux-policy.changes 
2024-06-06 12:30:58.876891299 +0200
@@ -1,0 +2,104 @@
+Mon Jun  3 13:42:13 UTC 2024 - Johannes Segitz <jseg...@suse.com>
+
+- Remove "Reference" from the package description. It's not the
+  reference policy, but the Fedora branch of the policy
+
+-------------------------------------------------------------------
+Tue May 28 11:12:57 UTC 2024 - Cathy Hu <cathy...@suse.com>
+
+- Use python311 tools in 15.4 and 15.5 when building selinux-policy to 
deprecate
+  python36 tooling
+
+-------------------------------------------------------------------
+Wed May  8 11:06:43 UTC 2024 - Johannes Segitz <jseg...@suse.com>
+
+- Fixed varrun-convert.sh script to not break because of duplicate
+  entries
+
+-------------------------------------------------------------------
+Mon May  6 07:44:20 UTC 2024 - Johannes Segitz <jseg...@suse.com>
+
+- Move to %posttrans to ensure selinux-policy got updated before
+  the commands run (bsc#1221720)
+
+-------------------------------------------------------------------
+Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu <cathy...@suse.com>
+
+- Add file contexts "forwarding" to file_contexts.sub_dist
+  to fix systemd-gpt-auto-generator and systemd-fstab-generator
+  (bsc#1222736):
+  * /run/systemd/generator.early /usr/lib/systemd/system
+  * /run/systemd/generator.late /usr/lib/systemd/system
+
+-------------------------------------------------------------------
+Thu Apr 11 15:13:31 UTC 2024 - cathy...@suse.com
+
+- Update to version 20240411:
+  * Remove duplicate in sysnetwork.fc
+  * Rename /var/run/wicked* to /run/wicked*
+  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
+  * policy: support pidfs
+  * Confine selinux-autorelabel-generator.sh
+  * Allow logwatch_mail_t read/write to init over a unix stream socket
+  * Allow logwatch read logind sessions files
+  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't 
dontaudit it
+  * files_dontaudit_mounton_modules_object allowed the access and didn't 
dontaudit it
+  * Allow NetworkManager the sys_ptrace capability in user namespace
+  * dontaudit execmem for modemmanager
+  * Allow dhcpcd use unix_stream_socket
+  * Allow dhcpc read /run/netns files
+  * Update mmap_rw_file_perms to include the lock permission
+  * Allow plymouthd log during shutdown
+  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
+  * Allow journalctl_t read filesystem sysctls
+  * Allow cgred_t to get attributes of cgroup filesystems
+  * Allow wdmd read hardware state information
+  * Allow wdmd list the contents of the sysfs directories
+  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+  * Allow sulogin relabel tty1
+  * Dontaudit sulogin the checkpoint_restore capability
+  * Modify sudo_role_template() to allow getpgid
+  * Allow userdomain get attributes of files on an nsfs filesystem
+  * Allow opafm create NFS files and directories
+  * Allow virtqemud create and unlink files in /etc/libvirt/
+  * Allow virtqemud domain transition on swtpm execution
+  * Add the swtpm.if interface file for interactions with other domains
+  * Allow samba to have dac_override capability
+  * systemd: allow sys_admin capability for systemd_notify_t
+  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
+  * Allow thumb_t to watch and watch_reads mount_var_run_t
+  * Allow krb5kdc_t map krb5kdc_principal_t files
+  * Allow unprivileged confined user dbus chat with setroubleshoot
+  * Allow login_userdomain map files in /var
+  * Allow wireguard work with firewall-cmd
+  * Differentiate between staff and sysadm when executing crontab with sudo
+  * Add crontab_admin_domtrans interface
+  * Allow abrt_t nnp domain transition to abrt_handle_event_t
+  * Allow xdm_t to watch and watch_reads mount_var_run_t
+  * Dontaudit subscription manager setfscreate and read file contexts
+  * Don't audit crontab_domain write attempts to user home
+  * Transition from sudodomains to crontab_t when executing crontab_exec_t
+  * Add crontab_domtrans interface
+  * Fix label of pseudoterminals created from sudodomain
+  * Allow utempter_t use ptmx
+  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
+  * Allow admin user read/write on fixed_disk_device_t
+  * Only allow confined user domains to login locally without unconfined_login
+  * Add userdom_spec_domtrans_confined_admin_users interface
+  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
+  * Add userdom_spec_domtrans_admin_users interface
+  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
+  * Update ssh_role_template() for user ssh-agent type
+  * Allow init to inherit system DBus file descriptors
+  * Allow init to inherit fds from syslogd
+  * Allow any domain to inherit fds from rpm-ostree
+  * Update afterburn policy
+  * Allow init_t nnp domain transition to abrtd_t
+  * Rename all /var/lock file context entries to /run/lock
+  * Rename all /var/run file context entries to /run
+- Add script varrun-convert.sh for locally existing modules
+  to be able to cope with the /var/run -> /run change
+- Update embedded container-selinux to commit
+  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
+
+-------------------------------------------------------------------

Old:
----
  selinux-policy-20240321.tar.xz

New:
----
  selinux-policy-20240411.tar.xz
  varrun-convert.sh

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.072934981 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.076935127 +0200
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240321
+Version:        20240411
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -61,6 +61,9 @@
 Source31:       setrans-mls.conf
 Source32:       setrans-minimum.conf
 
+# Script to convert /var/run file context entries to /run
+Source37:       varrun-convert.sh
+
 Source40:       securetty_types-targeted
 Source41:       securetty_types-mls
 Source42:       securetty_types-minimum
@@ -80,20 +83,26 @@
 URL:            https://github.com/fedora-selinux/selinux-policy.git
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
+%if 0%{?suse_version} < 1600
+%define python_for_executables python311
+BuildRequires:  %{python_for_executables}
+BuildRequires:  %{python_for_executables}-policycoreutils
+%else
+BuildRequires:  %primary_python
+BuildRequires:  %{python_module policycoreutils}
+%endif
 BuildRequires:  checkpolicy
 BuildRequires:  gawk
 BuildRequires:  libxml2-tools
 BuildRequires:  m4
 BuildRequires:  policycoreutils
 BuildRequires:  policycoreutils-devel
-BuildRequires:  python3
-BuildRequires:  python3-policycoreutils
 # we need selinuxenabled
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  pam-config
-Requires(post): pam-config
-Requires(post): selinux-tools
-Requires(post): /usr/bin/sha512sum
+Requires(posttrans): pam-config
+Requires(posttrans): selinux-tools
+Requires(posttrans): /usr/bin/sha512sum
 Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
@@ -212,6 +221,7 @@
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
 %verify(not md5 size mtime) 
%{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil
 
@@ -248,6 +258,7 @@
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
+%{_libexecdir}/selinux/varrun-convert.sh %2; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
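Review bot: The new `%{_libexecdir}/selinux/varrun-convert.sh %2; \` line in %postInstall drops the script's exit status, so a failed conversion is silent and the scriptlet simply carries on into the `.rebuild` check. The targeted %posttrans further down ends in `exit 0`, so the transaction cannot be failed here anyway; a diagnostic is the practical option, e.g. `%{_libexecdir}/selinux/varrun-convert.sh %2 || echo "varrun-convert.sh failed for policy %2" >&2; \`. The macro body continues outside the hunk.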
@@ -292,9 +303,8 @@
 done;
 
 %description
-SELinux Reference Policy. A complete SELinux policy that can be used
-as the system policy for a variety of systems and used as the basis for
-creating other policies.
+A complete SELinux policy that can be used as the system policy for a variety
+of systems and used as the basis for creating other policies.
 
 %files
 %defattr(-,root,root,-)
@@ -305,6 +315,7 @@
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_libexecdir}/selinux/varrun-convert.sh
 
 %package sandbox
 Summary:        SELinux policy sandbox
@@ -372,6 +383,9 @@
  cp $i selinux_config
 done
 
+mkdir -p %{buildroot}%{_libexecdir}/selinux
+install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
+
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
@@ -527,12 +541,12 @@
 Requires:       selinux-policy = %{version}-%{release}
 
 %description targeted
-SELinux Reference policy targeted base module.
+SELinux policy targeted base module.
 
 %pre targeted
 %preInstall targeted
 
-%post targeted
+%posttrans targeted
 %postInstall $1 targeted
 exit 0
 
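Review bot: `%posttrans targeted` now expands `%postInstall $1 targeted`, but `$1` in a %posttrans scriptlet is not the per-package install count that `%post` received (rpm passes a fixed 0 to transaction-level scriptlets, as far as I recall), so any install-vs-upgrade branching on `%1` inside %postInstall would silently change behaviour. The macro body is outside this hunk, so it is worth checking how `%1` is used there; the same applies to the `%posttrans mls` hunk further down. If `%1` is unused, a comment such as `# $1 is not meaningful in %posttrans; %postInstall only needs the policy name` would make that explicit.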
@@ -562,7 +576,7 @@
 Requires:       selinux-policy = %{version}-%{release}
 
 %description minimum
-SELinux Reference policy minimum base module.
+SELinux policy minimum base module.
 
 %pre minimum
 %preInstall minimum
@@ -623,12 +637,12 @@
 Requires:       selinux-policy = %{version}-%{release}
 
 %description mls
-SELinux Reference policy mls base module.
+SELinux policy mls base module.
 
 %pre mls
 %preInstall mls
 
-%post mls
+%posttrans mls
 %postInstall $1 mls
 
 %postun mls

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.144937610 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.148937757 +0200
@@ -1,10 +1,12 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">98a8f37af8bfa88f85287f21a38c10abb925c7f3</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">7eb64de2191880e9d2207fa60c9605268d6fc8ce</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
-              <param 
name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service></servicedata>
+              <param 
name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service
 name="tar_scm">
+                <param 
name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param>
+              <param 
name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata>
 (No newline at EOF)
 

++++++ container.fc ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.228940678 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.232940825 +0200
@@ -9,14 +9,19 @@
 /usr/local/s?bin/kubelet.*             --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/hyperkube.*         --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/hyperkube.*           --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubenswrapper.*             --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubenswrapper.*       --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubensenter.*               --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubensenter.* --      
gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildah             --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*         --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*   --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
-/usr/s?bin/lxc-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -117,7 +122,7 @@
 /var/cache/kata-containers(/.*)?       
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0)
 
-/var/run/kata-containers(/.*)? 
gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?     
gen_context(system_u:object_r:container_kvm_var_run_t,s0)
 
 /var/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
 /opt/local-path-provisioner(/.*)?              
gen_context(system_u:object_r:container_file_t,s0)
@@ -126,6 +131,7 @@
 /var/lib/kubernetes/pods(/.*)? 
gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?         
gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pod-resources/kubelet.sock            
gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/docker-latest(/.*)?           
gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env  
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log   
gen_context(system_u:object_r:container_log_t,s0)
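Review bot: The new `/var/lib/kubelet/pod-resources/kubelet.sock` entry has no file-type field, so it applies to any object at that path, whereas the socket entries elsewhere in this file use `-s` (e.g. `/run/docker\.sock -s`). If it is meant for the kubelet pod-resources socket, `/var/lib/kubelet/pod-resources/kubelet\.sock -s gen_context(system_u:object_r:container_file_t,s0)` keeps the label from applying to a regular file created under that name. The `.` is also unescaped, unlike `docker\.sock` and `docker\.pid`, so it currently matches any character in that position.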
@@ -136,26 +142,25 @@
 /var/lib/docker-latest/overlay2(/.*)?  
gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/lib/cni(/.*)?                                                             
gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?                                                         
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/lib/kubelet/pods(/.*)?                                                    
gen_context(system_u:object_r:container_file_t,s0)
+/run/flannel(/.*)?                                                             
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/log/containers(/.*)?                                                      
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?                                                            
gen_context(system_u:object_r:container_log_t,s0)
 
-/var/run/containers(/.*)?              
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?            
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?          
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?      
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?            
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?        
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid           --      
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock          -s      
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?           
gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?          
gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/containers(/.*)?          
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?                
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?              
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?  gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?                
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/buildkit(/.*)?    gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid               --      
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock              -s      
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?               
gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker/plugins(/.*)?              
gen_context(system_u:object_r:container_plugin_var_run_t,s0)
 
 /srv/containers(/.*)?          
gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?      
gen_context(system_u:object_r:container_file_t,s0)
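Review bot: `-/var/lib/kubelet/pods(/.*)?` is removed without a replacement entry, unlike every other deletion in this hunk, so that subtree presumably falls back to the broader `/var/lib/kubelet(/.*)?` entry and flips from container_file_t to container_var_lib_t on the next relabel. That is a label change on live pod data rather than a path rename, so if it is intended it deserves its own line in the changelog next to the /var/run rename; if not, the entry should be kept as `/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)`.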
 
-/var/lock/lxc(/.*)?            
gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?            
gen_context(system_u:object_r:container_lock_t,s0)
 
 /var/log/lxc(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.248941409 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.252941555 +0200
@@ -573,7 +573,7 @@
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"kata-containers")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, 
"kata-containers")
     filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, 
"shm")
-    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+    files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
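Review bot: `files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")` is replaced rather than supplemented by `files_etc_filetrans(...)`, so a `kubernetes` directory created under /run by a caller of this interface no longer transitions to kubernetes_file_t and will take the generic pid type. If both locations are still created at runtime, keep both calls; either way the interface's documentation header, which is outside this hunk, should state which parent directories the transition covers. The interface body starts before this hunk.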
 
 ########################################

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.284942724 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.288942870 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.219.0)
+policy_module(container, 2.230.0)
 
 gen_require(`
        class passwd rootok;
@@ -39,6 +39,13 @@
 gen_tunable(container_use_devices, false)
 
 ## <desc>
+##  <p>
+##  Allow containers to use any dri device volume mounted into container
+##  </p>
+## </desc>
+gen_tunable(container_use_dri_devices, true)
+
+## <desc>
 ## <p>
 ## Allow sandbox containers to manage cgroup (systemd)
 ## </p>
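Review bot: `gen_tunable(container_use_dri_devices, true)` defaults to on, so the `dev_rw_dri(container_domain)` granted in the later `tunable_policy` hunk is active out of the box, whereas the neighbouring `container_use_devices` tunable in the context above defaults to false. If the intent is opt-in like the other device tunable, the default should be `false`; if opt-out is deliberate, the `<desc>` text should say so, e.g. `##  Allow containers to use any dri device volume mounted into container (enabled by default)`.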
@@ -136,6 +143,7 @@
 term_pty(container_devpts_t)
 
 typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
 userdom_user_home_content(container_ro_file_t)
 
@@ -568,7 +576,6 @@
        fs_manage_nfs_symlinks(container_runtime_domain)
        fs_remount_nfs(container_runtime_domain)
        fs_mount_nfs(container_runtime_domain)
-       fs_unmount_nfs(container_runtime_domain)
        fs_exec_nfs_files(container_runtime_domain)
        kernel_rw_fs_sysctls(container_runtime_domain)
        allow container_runtime_domain nfs_t:file execmod;
@@ -634,21 +641,16 @@
 fs_manage_fusefs_files(container_runtime_domain)
 fs_manage_fusefs_symlinks(container_runtime_domain)
 fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
 
-optional_policy(`
-    files_search_all(container_domain)
-    container_read_share_files(container_domain)
-    container_exec_share_files(container_domain)
-    allow container_domain container_ro_file_t:file execmod;
-    container_lib_filetrans(container_domain,container_file_t, sock_file)
-    container_use_ptys(container_domain)
-    container_spc_stream_connect(container_domain)
-    fs_dontaudit_remount_tmpfs(container_domain)
-    dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
 
 optional_policy(`
        apache_exec_modules(container_runtime_domain)
@@ -746,7 +748,7 @@
 #
 # spc local policy
 #
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file 
entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
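Review bot: Adding `container_runtime_tmpfs_t` to the spc_t `:file entrypoint` set means an executable staged on runtime tmpfs can now be the entry point into the super-privileged container domain, where previously only the three persistent container file types qualified; the container_domain entrypoint set and a `can_exec(container_domain, container_runtime_tmpfs_t)` further down make the same extension. Because tmpfs content is created at runtime rather than shipped and labelled by the package, a why-comment above the allow line naming the runtime that places executables there would help the next reader judge the exposure, e.g. `# <runtime name> stages its container init binary on its tmpfs — confirm`. If only one runtime needs this, a dedicated type for that file would keep the entry set smaller.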
@@ -755,6 +757,7 @@
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 
 allow container_runtime_domain spc_t:process2 { nnp_transition 
nosuid_transition };
+allow spc_t container_file_type:file execmod;
 
 admin_pattern(spc_t, kubernetes_file_t)
 
@@ -776,6 +779,10 @@
        systemd_dbus_chat_logind(spc_t)
 ')
 
+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
 optional_policy(`
        dbus_chat_system_bus(spc_t)
        dbus_chat_session_bus(spc_t)
@@ -878,7 +885,7 @@
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, 
container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t 
container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t 
container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms 
map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -897,6 +904,7 @@
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -916,28 +924,33 @@
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
 dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto 
create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
 fs_fusefs_entrypoint(spc_t)
 
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
 container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
+dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
-
-dontaudit container_domain container_runtime_tmpfs_t:dir read;
-allow container_domain container_runtime_tmpfs_t:dir mounton;
-
 dev_getattr_mtrr_dev(container_domain)
 dev_list_sysfs(container_domain)
-allow container_domain sysfs_t:dir watch;
-
+dev_mounton_sysfs(container_t)
+dev_read_mtrr(container_domain)
+dev_read_rand(container_domain)
+dev_read_sysfs(container_domain)
+dev_read_urand(container_domain)
+dev_rw_inherited_dri(container_domain)
 dev_rw_kvm(container_domain)
 dev_rwx_zero(container_domain)
+dev_write_rand(container_domain)
+dev_write_urand(container_domain)
+allow container_domain sysfs_t:dir watch;
+
+dontaudit container_domain container_runtime_tmpfs_t:dir read;
+allow container_domain container_runtime_tmpfs_t:dir mounton;
+can_exec(container_domain, container_runtime_tmpfs_t)
 
 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
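Review bot: `dev_dontaudit_mounton_sysfs(container_domain)` now appears three times in a row after the reshuffle, and the later hunk that regroups the fs_* calls lists `fs_dontaudit_remount_tmpfs(container_domain)`, `fs_unmount_fusefs(container_domain)` and `fs_unmount_xattr_fs(container_domain)` twice each. The hunk that unwraps the former optional_policy block also adds `container_read_share_files(container_domain)`, `container_exec_share_files`, `container_use_ptys` and `container_spc_stream_connect` unconditionally while this hunk's context still carries the same four calls. Duplicate rules compile to the same policy, but they make the sorted lists harder to audit and suggest the merge was not checked; dropping the repeats keeps the intended alphabetical grouping intact.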
@@ -953,7 +966,7 @@
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept 
ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept 
append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto 
setopt shutdown write };
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
@@ -970,16 +983,42 @@
 kernel_read_irq_sysctls(container_domain)
 kernel_get_sysvipc_info(container_domain)
 
+fs_dontaudit_getattr_all_dirs(container_domain)
+fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
 fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
+fs_list_cgroup_dirs(container_domain)
 fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
 fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
-fs_dontaudit_getattr_all_dirs(container_domain)
-fs_dontaudit_getattr_all_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
 fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)
 
 term_use_all_inherited_terms(container_domain)
 
@@ -1003,18 +1042,6 @@
        type cgroup_t;
 ')
 
-dev_read_sysfs(container_domain)
-dev_read_mtrr(container_domain)
-dev_mounton_sysfs(container_t)
-
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
-dev_read_rand(container_domain)
-dev_write_rand(container_domain)
-dev_read_urand(container_domain)
-dev_write_urand(container_domain)
-
 files_read_kernel_modules(container_domain)
 
 allow container_file_t cgroup_t:filesystem associate;
@@ -1069,9 +1096,6 @@
 ')
 dontaudit container_domain usermodehelper_t:file write;
 
-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
 sysnet_read_config(container_domain)
 
 allow container_domain self:cap_userns { chown dac_override fowner kill setgid 
setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1099,20 +1123,6 @@
        fs_manage_cgroup_files(container_domain)
 ')
 
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
 allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
@@ -1187,6 +1197,7 @@
 dev_mounton_sysfs(container_userns_t)
 
 fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)
 
@@ -1383,6 +1394,10 @@
        allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')
 
+tunable_policy(`container_use_dri_devices',`
+       dev_rw_dri(container_domain)
+')
+
 tunable_policy(`virt_sandbox_use_sys_admin',`
        allow container_init_t self:capability sys_admin;
        allow container_init_t self:cap_userns sys_admin;
@@ -1399,19 +1414,24 @@
 fs_unmount_cgroup(container_engine_t)
 fs_manage_cgroup_dirs(container_engine_t)
 fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
 fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
 kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
 term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+allow container_engine_t proc_t:filesystem remount;
+allow container_engine_t sysctl_t:{dir file} mounton;
 
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
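Review bot: `fs_mount_all_fs(container_engine_t)`, `fs_remount_all_fs`, `fs_unmount_all_fs` and `allow container_engine_t filesystem_type:{dir file} mounton;` replace a handful of specific rules (proc_t and sysctl_t mounton, sysfs_t remount) with blanket mount, remount, unmount and mount-over rights across every filesystem type. That is a substantial widening for the engine domain, and nothing in the hunk records the runtime need that drives it; a comment above the block such as `# <engine> needs to (re)mount arbitrary filesystems for <reason> — confirm` would at least document the decision. If only a few additional filesystem types are actually required, enumerating them as the removed lines did keeps the domain closer to least privilege.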
@@ -1516,6 +1536,9 @@
 role container_user_r types container_net_domain;
 role container_user_r types container_file_type;
 container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
 
 fs_manage_cgroup_dirs(container_user_t)
 fs_manage_cgroup_files(container_user_t)
@@ -1524,6 +1547,12 @@
 systemd_dbus_chat_hostnamed(container_user_t)
 systemd_start_systemd_services(container_user_t)
 
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
 
 allow container_domain container_file_t:file entrypoint;
 allow container_domain container_ro_file_t:file { entrypoint execmod execute 
execute_no_trans getattr ioctl lock map open read };
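Review bot: The new `allow container_user_t container_file_t:file entrypoint;` sits two lines above the existing `allow container_domain container_file_t:file entrypoint;`; if container_user_t carries the container_domain attribute the new line is redundant and can be dropped, and if it does not, a comment such as `# container_user_t is not a container_domain, so it needs its own entrypoint rule` would save the next reader the same lookup (the attribute membership is not visible in this hunk). The accompanying `manage_chr_file_perms` on `container_file_t:chr_file` lets the user domain create and remove device nodes under that label, which also deserves a why-comment.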
@@ -1534,3 +1563,8 @@
 allow svirt_sandbox_domain exec_type:file { entrypoint execute 
execute_no_trans getattr ioctl lock map open read };
 allow svirt_sandbox_domain mountpoint:file entrypoint;
 
+tunable_policy(`deny_ptrace',`',`
+       allow container_domain self:process ptrace;
+       allow spc_t self:process ptrace;
+')
+
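Review bot: `tunable_policy(`deny_ptrace',`',` … ')` places the two self-ptrace grants in the else branch, so they apply only while deny_ptrace is false, but the empty second argument reads at first glance as if the rules were enabled by deny_ptrace. A comment above the block, `# self ptrace for container domains and spc_t unless deny_ptrace is set`, would make the direction explicit.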

++++++ file_contexts.subs_dist ++++++
--- /var/tmp/diff_new_pack.BkNF2X/_old  2024-06-06 12:31:00.328944331 +0200
+++ /var/tmp/diff_new_pack.BkNF2X/_new  2024-06-06 12:31:00.332944477 +0200
@@ -1,5 +1,5 @@
-/run /var/run
-/run/lock /var/lock
+/var/run /run
+/var/lock /run/lock
 /var/run/lock /var/lock
 /lib /usr/lib
 /lib64 /usr/lib
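Review bot: Reversing the first two substitutions to `/var/run /run` and `/var/lock /run/lock` while keeping `/var/run/lock /var/lock` leaves two overlapping prefixes for paths below /var/run/lock, and as far as I can tell libselinux applies one substitution per lookup, so whether `/var/run/lock/x` is matched as `/var/lock/x` or `/run/lock/x` now depends on the order in which the lines are tried. It is worth confirming with `matchpathcon` that `/var/run/lock/x`, `/var/lock/x` and `/run/lock/x` all resolve to the same label after this change, and recording the intended precedence in a comment if the file format allows one.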
@@ -10,6 +10,8 @@
 /etc/systemd/system /usr/lib/systemd/system
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.early /usr/lib/systemd/system
+/run/systemd/generator.late /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/run/netconfig /etc
 /var/adm/netconfig/md5/etc /etc

++++++ selinux-policy-20240321.tar.xz -> selinux-policy-20240411.tar.xz ++++++
++++ 5562 lines of diff (skipped)

++++++ varrun-convert.sh ++++++
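#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument
###
### Usage: varrun-convert.sh <policy>        (e.g. targeted)
### Artifacts, all below OUTPUTDIR:
###   log                          - error lines (always), info lines (DEBUG=yes)
###   file_contexts_unified        - file_contexts with whitespace runs collapsed
###   extra_varrun_entries_dup.txt - raw /var/run entries taken from file_contexts
###   extra_varrun_entries.txt     - deduplicated entries, rewritten as CIL
###   extra_varrun.cil             - the module handed to semodule
### Exit status: 1 when the argument or file_contexts is missing, otherwise
### semodule's status (0 when there was nothing to load).

# Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then
  set -x
fi

# Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
# Everything below writes into OUTPUTDIR, so give up early if it is unusable
mkdir -p "${OUTPUTDIR}" || exit 1

# log_error MESSAGE...: append an error line to $LOG. Errors are recorded
# regardless of DEBUG so that an early exit can still be diagnosed.
log_error() {
  printf 'Error: %s\n' "$*" >> "${LOG}"
}

# log_info MESSAGE...: append an info line to $LOG, only when DEBUG=yes.
log_info() {
  if [ "${DEBUG}" = "yes" ]; then
    printf 'Info: %s\n' "$*" >> "${LOG}"
  fi
}

if [ -z "${1}" ]; then
  log_error "Policy name required as an argument (e.g. targeted)"
  exit 1
fi
POLICY="${1}"

# semodule options are kept in an array so every flag stays its own word
SEMODULEOPT=(-s "${POLICY}")
if [ "${DEBUG}" = "yes" ]; then
  SEMODULEOPT=(-v "${SEMODULEOPT[@]}")
fi

# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${POLICY}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
if [ ! -f "${FILE_CONTEXTS}" ]; then
  log_error "File context database file does not exist"
  exit 1
fi

if ! grep -q '^/var/run' "${FILE_CONTEXTS}"; then
  log_info "No entries containing /var/run"
  exit 0
fi

EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"

# Print only /var/run entries
grep '^/var/run' "${FILE_CONTEXTS}" > "${EXTRA_VARRUN_ENTRIES_WITHDUP}"

# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' "${EXTRA_VARRUN_ENTRIES_WITHDUP}"
sed 's/[ \t]\+/ /g' "${FILE_CONTEXTS}" > "${FILE_CONTEXTS_UNIFIED}"

# Deduplicate:
#  - drop entries whose /run twin (same path spec, type and context) is
#    already present in file_contexts;
#  - drop entries that repeat a path spec + type field already accepted,
#    since the generated CIL would otherwise declare the same filecon twice.
# Path specs are regular expressions and may contain backslashes, so lines
# are read with 'IFS= read -r' (no backslash processing) and compared as
# fixed strings (grep -F -x / exact key lookup) instead of being reused as
# grep patterns, where their metacharacters would change the match.
declare -A seen_spec=()
while IFS= read -r line || [ -n "${line}" ]; do
  subline="${line#/var}"
  if grep -qFx -- "${subline}" "${FILE_CONTEXTS_UNIFIED}"; then
    continue
  fi
  # path spec plus the optional type flag: the line minus its last field
  spec="${line% *}"
  if [ -n "${seen_spec["${spec}"]+x}" ]; then
    printf 'DUP: %s\n' "${line}" >&2
    continue
  fi
  seen_spec["${spec}"]=1
  printf '%s\n' "${line}"
done < "${EXTRA_VARRUN_ENTRIES_WITHDUP}" > "${EXTRA_VARRUN_ENTRIES}"

# Change /var/run to /run
sed -i 's|^/var/run|/run|' "${EXTRA_VARRUN_ENTRIES}"

# Exception handling: packages with already duplicate entries
sed -i \
  -e '/^\/run\/snapd/d' \
  -e '/^\/run\/vfrnav/d' \
  -e '/^\/run\/waydroid/d' \
  "${EXTRA_VARRUN_ENTRIES}"

# Change format to cil. The expressions run per line in this order: insert
# "any" when no type flag is present, spell out the type flags, open the
# filecon statement, then expand the security context.
sed -i \
  -e 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' \
  -e 's/^\([^ ]\+\) -- /\1 file /' \
  -e 's/^\([^ ]\+\) -b /\1 block /' \
  -e 's/^\([^ ]\+\) -c /\1 char /' \
  -e 's/^\([^ ]\+\) -d /\1 dir /' \
  -e 's/^\([^ ]\+\) -l /\1 symlink /' \
  -e 's/^\([^ ]\+\) -p /\1 pipe /' \
  -e 's/^\([^ ]\+\) -s /\1 socket /' \
  -e 's/^\([^ ]\+\) /(filecon "\1" /' \
  -e 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' \
  "${EXTRA_VARRUN_ENTRIES}"

# Handle entries with <<none>> which do not match previous regexps
sed -i 's/ <<none>>$/ ())/' "${EXTRA_VARRUN_ENTRIES}"

# Wrap each line with an optional block (presumably so that a single
# unresolvable entry disables only its own block rather than the module)
i=1
while IFS= read -r line || [ -n "${line}" ]; do
  printf '(optional extra_var_run_%d\n  %s\n)\n' "${i}" "${line}"
  i=$((i + 1))
done < "${EXTRA_VARRUN_ENTRIES}" > "${EXTRA_VARRUN_CIL}"

# Load module, only when something was generated. The script's exit status
# is semodule's, or 0 when there was nothing to load.
if [ -s "${EXTRA_VARRUN_CIL}" ]; then
  /usr/sbin/semodule "${SEMODULEOPT[@]}" -i "${EXTRA_VARRUN_CIL}"
fi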
