Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2020-11-02 14:04:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Mon Nov 2 14:04:02 2020 rev:4 rq:844986 version:20201029 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2020-10-23 12:20:39.572611671 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.3463/selinux-policy.changes 2020-11-02 14:04:16.436676002 +0100 @@ -1,0 +2,7 @@ +Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- wicked.fc: add libexec directories +- Update to version 20201029 + - update container policy + +------------------------------------------------------------------- Old: ---- fedora-policy.20201016.tar.bz2 New: ---- fedora-policy.20201029.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.QK6SZM/_old 2020-11-02 14:04:18.684677710 +0100 +++ /var/tmp/diff_new_pack.QK6SZM/_new 2020-11-02 14:04:18.688677713 +0100 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20201016 +Version: 20201029 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc ++++++ fedora-policy.20201016.tar.bz2 -> fedora-policy.20201029.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/container.te new/fedora-policy/policy/modules/contrib/container.te --- old/fedora-policy/policy/modules/contrib/container.te 2020-10-16 10:49:09.821324878 +0200 +++ new/fedora-policy/policy/modules/contrib/container.te 2020-10-29 09:07:49.792815272 +0100 @@ -1,4 +1,4 @@ -policy_module(container, 2.148.0) +policy_module(container, 2.150.0) gen_require(` class passwd rootok; ') 
@@ -754,7 +754,7 @@ allow container_domain self:shm create_shm_perms; allow container_domain self:socket create_socket_perms; allow container_domain self:tcp_socket create_socket_perms; -allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue }; allow container_domain self:udp_socket create_socket_perms; allow container_domain self:unix_dgram_socket create_socket_perms; allow container_domain self:unix_stream_socket create_stream_socket_perms; @@ -1149,6 +1149,7 @@ container_stream_connect(container_kvm_t) dev_rw_inherited_vhost(container_kvm_t) +dev_rw_vfio_dev(container_kvm_t) corenet_rw_inherited_tun_tap_dev(container_kvm_t) corecmd_exec_shell(container_kvm_t) @@ -1158,9 +1159,12 @@ # virtiofs causes these AVC messages. kernel_mount_proc(container_kvm_t) kernel_mounton_proc(container_kvm_t) +kernel_unmount_proc(container_kvm_t) +kernel_dgram_send(container_kvm_t) files_mounton_rootfs(container_kvm_t) auth_read_passwd(container_kvm_t) +logging_send_syslog_msg(container_kvm_t) optional_policy(` qemu_entry_type(container_kvm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/keepalived.te new/fedora-policy/policy/modules/contrib/keepalived.te --- old/fedora-policy/policy/modules/contrib/keepalived.te 2020-10-16 10:49:08.473324807 +0200 +++ new/fedora-policy/policy/modules/contrib/keepalived.te 2020-10-29 09:07:48.496812045 +0100 
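Review bot: In the container.te hunk at -754, `attach_queue` is added to the rule on the `container_domain` attribute, so every type carrying that attribute gains it, not only the VM-backed `container_kvm_t` that the later hunks in this file target. If the denial that motivated this came only from the KVM/tap path, a narrower rule such as `allow container_kvm_t self:tun_socket attach_queue;` would leave ordinary container types unchanged. If the broad grant is intended, a comment above the rule such as `# attach_queue: needed for multi-queue tun/tap devices` would record why.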
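Review bot: `dev_rw_vfio_dev(container_kvm_t)` in the -1149 hunk is granted unconditionally, while the neighbouring vhost and tun/tap lines use interfaces that are, by name, the `_inherited` variants limited to descriptors handed in by the runtime. Read/write access to VFIO device nodes gives the domain a passthrough device whose containment depends on IOMMU grouping rather than on this policy. It should either sit behind a tunable, e.g. `tunable_policy(`<BOOLEAN_NAME_PLACEHOLDER>',` dev_rw_vfio_dev(container_kvm_t) ')`, or carry a comment such as `# VFIO passthrough for VM-based runtimes; device isolation relies on the IOMMU`. Whether an inherited-only VFIO interface exists cannot be told from this hunk.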
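Review bot: In the -1158 hunk, `kernel_dgram_send(container_kvm_t)` is inserted under the existing comment `# virtiofs causes these AVC messages.`, but it reads like part of log delivery, together with `logging_send_syslog_msg(container_kvm_t)` added a few lines below, rather than /proc mount handling. Grouping the two and adding a comment such as `# allow the VM runtime to log to syslog (datagram socket may be kernel_t-labelled)` would stop the virtiofs comment from being read as covering it. `kernel_unmount_proc` fits the existing comment and needs no change.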
@@ -62,6 +62,7 @@ corecmd_exec_bin(keepalived_t) corecmd_exec_shell(keepalived_t) +corenet_raw_bind_generic_node(keepalived_t) corenet_tcp_connect_connlcli_port(keepalived_t) corenet_tcp_connect_http_port(keepalived_t) corenet_tcp_connect_mysqld_port(keepalived_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/pcp.fc new/fedora-policy/policy/modules/contrib/pcp.fc --- old/fedora-policy/policy/modules/contrib/pcp.fc 2020-10-16 10:49:08.489324808 +0200 +++ new/fedora-policy/policy/modules/contrib/pcp.fc 2020-10-29 09:07:48.512812084 +0100 @@ -20,6 +20,11 @@ /usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) /usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) +/usr/libexec/pcp/lib/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) +/usr/libexec/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) +/usr/libexec/pcp/lib/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) +/usr/libexec/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) + /usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) /usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/rpc.fc new/fedora-policy/policy/modules/contrib/rpc.fc --- old/fedora-policy/policy/modules/contrib/rpc.fc 2020-10-16 10:49:08.509324809 +0200 +++ new/fedora-policy/policy/modules/contrib/rpc.fc 2020-10-29 09:07:48.524812114 +0100 
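Review bot: `corenet_raw_bind_generic_node(keepalived_t)` in the keepalived.te hunk lets the domain bind raw IP sockets to any node address, and nothing in the hunk says which feature needs it. It is presumably for VRRP advertisements sent from an explicit source address; a comment above it such as `# VRRP: bind raw sockets to the configured source address` would keep the rule reviewable. The hunk does not show whether `keepalived_t` already holds the matching `rawip_socket` and `net_raw` permissions, so that is worth confirming against the full module.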
@@ -4,6 +4,7 @@ # /etc # /etc/exports -- gen_context(system_u:object_r:exports_t,s0) +/etc/exports\.d(/.*)? gen_context(system_u:object_r:exports_t,s0) /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/squid.te new/fedora-policy/policy/modules/contrib/squid.te --- old/fedora-policy/policy/modules/contrib/squid.te 2020-10-16 10:49:08.521324809 +0200 +++ new/fedora-policy/policy/modules/contrib/squid.te 2020-10-29 09:07:48.528812125 +0100 @@ -200,7 +200,7 @@ ') tunable_policy(`squid_use_tproxy',` - allow squid_t self:capability net_admin; + allow squid_t self:capability { net_admin net_raw }; corenet_sendrecv_netport_server_packets(squid_t) corenet_tcp_bind_netport_port(squid_t) corenet_tcp_sendrecv_netport_port(squid_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/authlogin.fc new/fedora-policy/policy/modules/system/authlogin.fc --- old/fedora-policy/policy/modules/system/authlogin.fc 2020-10-16 10:49:06.605324708 +0200 +++ new/fedora-policy/policy/modules/system/authlogin.fc 2020-10-29 09:07:46.688807542 +0100 
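Review bot: `net_raw` in the squid.te hunk may be more than TPROXY needs. The domain already has `net_admin` under `squid_use_tproxy`. If the denial behind this change came from a kernel check that accepts either capability (the transparent-socket option is one such check, as far as I recall), the operation succeeds on `net_admin` alone and only an AVC for the first-tested capability is logged. In that case `dontaudit squid_t self:capability net_raw;` inside the tunable silences the message without granting a capability that raw and packet sockets depend on. If squid does need `net_raw` here, a comment naming the operation would make that clear.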
@@ -85,7 +85,3 @@ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) - -# Allow services not running as root to write MOTD messages via symlink -# out of /run/motd.d/. https://github.com/coreos/zincati/pull/276 -/var/run/zincati/public/motd\.d(/.*)? gen_context(system_u:object_r:motd_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/userdomain.if new/fedora-policy/policy/modules/system/userdomain.if --- old/fedora-policy/policy/modules/system/userdomain.if 2020-10-16 10:49:06.617324708 +0200 +++ new/fedora-policy/policy/modules/system/userdomain.if 2020-10-29 09:07:46.692807551 +0100 @@ -4827,6 +4827,7 @@ gen_require(` attribute unpriv_userdomain, userdomain; ') + typeattribute $1 unpriv_userdomain; typeattribute $1 userdomain; auth_use_nsswitch($1) ++++++ wicked.fc ++++++ --- /var/tmp/diff_new_pack.QK6SZM/_old 2020-11-02 14:04:20.420679028 +0100 +++ /var/tmp/diff_new_pack.QK6SZM/_new 2020-11-02 14:04:20.420679028 +0100 @@ -19,6 +19,7 @@ /usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) /usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) +/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) #/usr/lib64/libwicked-0.6.63.so