Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2021-05-23 23:30:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Sun May 23 23:30:29 2021 rev:13 rq:894727 version:20210419 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2021-05-20 19:24:38.902043876 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2988/selinux-policy.changes 2021-05-23 23:30:31.508757088 +0200 @@ -1,0 +2,10 @@ +Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de> + +- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units + that trigger on changes in those. + Added fix_systemd_watch.patch +- own /usr/share/selinux/packages/$SELINUXTYPE/ and + /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install + files there + +------------------------------------------------------------------- New: ---- fix_systemd_watch.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.2ZdfcR/_old 2021-05-23 23:30:32.500752972 +0200 +++ /var/tmp/diff_new_pack.2ZdfcR/_new 2021-05-23 23:30:32.500752972 +0200 @@ -131,6 +131,7 @@ Patch051: fix_dovecot.patch # https://github.com/cockpit-project/cockpit/pull/15758 Patch052: fix_cockpit.patch +Patch053: fix_systemd_watch.patch Patch100: sedoctool.patch 
@@ -183,6 +184,7 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ @@ -210,6 +212,8 @@ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \ %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \ @@ -250,6 +254,7 @@ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %dir %{_datadir}/selinux/%1 \ +%dir %{_datadir}/selinux/packages/%1 \ %{_datadir}/selinux/%1/base.lst \ %{_datadir}/selinux/%1/modules-base.lst \ %{_datadir}/selinux/%1/modules-contrib.lst \ 
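Review bot: The new `%dir` entries for `active/modules/200` and `active/modules/400`, and the `mkdir -p …/active/modules/{1,2,4}00` that creates them, carry no explicit mode, while the parent `active/modules` is pinned with `%attr(700,root,root)`. The parent's 0700 already keeps non-root users out, but these directories are part of the policy module store, and their packaged mode should not depend on the build environment's umask. Consider `%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules/200 \` and the same for `400`; the existing `100` entry has the same gap. All of these lines sit inside macro bodies that start and end outside the hunks.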
@@ -409,7 +414,7 @@ mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ -mkdir -p %{buildroot}%{_datadir}/selinux/packages +mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/ mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do ++++++ fix_systemd_watch.patch ++++++ Index: fedora-policy-20210419/policy/modules/system/systemd.te =================================================================== --- fedora-policy-20210419.orig/policy/modules/system/systemd.te +++ fedora-policy-20210419/policy/modules/system/systemd.te @@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t) # systemd-sleep needs to getattr swap partitions storage_getattr_fixed_disk_dev(systemd_sleep_t) + + +####################################### +# +# Allow systemd to watch certificate dir for ca-certificates +# +watch_dirs_pattern(init_t,cert_t,cert_t) Index: fedora-policy-20210419/policy/modules/system/init.te =================================================================== --- fedora-policy-20210419.orig/policy/modules/system/init.te +++ fedora-policy-20210419/policy/modules/system/init.te @@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t, # Run /etc/X11/prefdm: files_exec_etc_files(init_t) files_watch_etc_dirs(init_t) +files_watch_etc_files(init_t) files_read_usr_files(init_t) +files_watch_usr_dirs(init_t) +files_watch_usr_files(init_t) files_watch_root_dirs(init_t) files_write_root_dirs(init_t) files_watch_var_dirs(init_t) 
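Review bot: The brace list in `mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/` also creates `packages/modules`, but the only ownership line this commit adds is `%dir %{_datadir}/selinux/packages/%1`, which is expanded once per policy type. Unless `modules` is passed as `%1` somewhere outside the visible hunks, that directory is created in the buildroot and never packaged, which looks like a copy of the brace list from the two lines above. If it is not needed, `mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum}/` matches what the file list owns. The hunks also do not show whether the parent `%{_datadir}/selinux/packages` is still owned, which is worth confirming.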
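Review bot: `watch_dirs_pattern(init_t,cert_t,cert_t)` is appended to systemd.te right after the `systemd_sleep_t` rules, yet it grants a permission to `init_t`, whose other watch rules this same patch extends in init.te. Anyone auditing what init may watch is unlikely to look here. The rule also names `cert_t` directly, whereas the neighbouring lines (`fstools_rw_swap_files(...)`, `storage_getattr_fixed_disk_dev(...)`) go through interfaces of the owning module, and the hunk does not show how `init_t` and `cert_t` are brought into scope in this module. Moving the line next to `files_watch_etc_dirs(init_t)` in init.te, with a comment such as `# path units for ca-certificates watch the certificate directories`, would keep the init_t watch grants in one place. The second init.te hunk's `watch_dirs_pattern(init_t,lib_t,lib_t)` uses the same raw-type form and has no comment at all.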
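Review bot: Judging by the interface names, `files_watch_etc_files(init_t)` and `files_watch_usr_files(init_t)` grant watch on every file carrying the generic /etc and /usr labels. That is wider than the changelog's stated need to watch the directories /usr, /usr/lib, /etc and /etc/pki. If the path units only monitor directories, `files_watch_usr_dirs(init_t)` together with the existing `files_watch_etc_dirs(init_t)` should be enough. If a unit does point at a regular file, a comment naming it, e.g. `# <unit name>.path watches a file under /etc`, would let a later audit confirm the file-level rules are still required. The surrounding init_t block starts and ends outside the hunk.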
@@ -334,6 +337,7 @@ files_remount_rootfs(init_t) files_create_var_dirs(init_t) files_watch_home(init_t) files_watch_all_pid(init_t) +watch_dirs_pattern(init_t,lib_t,lib_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log