Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-07-30 11:53:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1882 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Tue Jul 30 11:53:15 2024 rev:66 rq:1189796 version:20240726 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-07-15 19:46:36.473792324 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1882/selinux-policy.changes 2024-07-30 11:53:21.542848730 +0200 @@ -1,0 +2,20 @@ +Fri Jul 26 13:38:26 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240726: + * Allow snapper grub plugin to manage unlabeled_t and read link files + +------------------------------------------------------------------- +Thu Jul 25 07:43:52 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240725: + * Initial policy for grub2 snapper plugin (bsc#1228205) + +------------------------------------------------------------------- +Tue Jul 16 10:57:07 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240716: + * Set microos autorelabel script to systemd_autorelabel_generator_t + * Allow systemd_generator to write kmsg + * Initial policy for systemd growpart-generator (bsc#1226824) + +------------------------------------------------------------------- Old: ---- selinux-policy-20240715.tar.xz New: ---- selinux-policy-20240726.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.XxjC1L/_old 2024-07-30 11:53:25.290999799 +0200 +++ /var/tmp/diff_new_pack.XxjC1L/_new 2024-07-30 11:53:25.315000767 +0200 
@@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240715 +Version: 20240726 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.XxjC1L/_old 2024-07-30 11:53:25.763018824 +0200 +++ /var/tmp/diff_new_pack.XxjC1L/_new 2024-07-30 11:53:25.775019308 +0200 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">a43a23eeaaacb1d90707bb00384efb94dc268b9e</param></service><service name="tar_scm"> + <param name="changesrevision">00a1eee94f80469b4b233f87194d42b3ea5de181</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm"> <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param> ++++++ selinux-policy-20240715.tar.xz -> selinux-policy-20240726.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/contrib/snapper.fc new/selinux-policy-20240726/policy/modules/contrib/snapper.fc --- old/selinux-policy-20240715/policy/modules/contrib/snapper.fc 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/contrib/snapper.fc 2024-07-26 15:34:21.000000000 +0200 
@@ -1,6 +1,7 @@ /usr/bin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) /usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0) +/usr/lib/snapper/plugins/grub -- gen_context(system_u:object_r:snapper_grub_plugin_exec_t,s0) /etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/contrib/snapper.if new/selinux-policy-20240726/policy/modules/contrib/snapper.if --- old/selinux-policy-20240715/policy/modules/contrib/snapper.if 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/contrib/snapper.if 2024-07-26 15:34:21.000000000 +0200 
@@ -97,3 +97,30 @@ files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots") ') +######################################## +## <summary> +## Create a set of derived types for various +## snapper plugins +## </summary> +## <param name="prefix"> +## <summary> +## The name to be used for deriving type names. +## </summary> +## </param> +# +template(`snapper_plugin_template',` + gen_require(` + attribute snapper_plugin; + type snapperd_t; + ') + + type snapper_$1_plugin_t, snapper_plugin; + type snapper_$1_plugin_exec_t; + domain_type(snapper_$1_plugin_t) + domain_entry_file(snapper_$1_plugin_t, snapper_$1_plugin_exec_t) + + role system_r types snapper_$1_plugin_t; + domtrans_pattern(snapperd_t, snapper_$1_plugin_exec_t, snapper_$1_plugin_t) + dontaudit snapperd_t snapper_$1_plugin_t:process { noatsecure rlimitinh siginh }; +') + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/contrib/snapper.te new/selinux-policy-20240726/policy/modules/contrib/snapper.te --- old/selinux-policy-20240715/policy/modules/contrib/snapper.te 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/contrib/snapper.te 2024-07-26 15:34:21.000000000 +0200 
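Review bot: The template's XML doc describes only the `prefix` parameter and says nothing about which types it creates or who may enter the resulting domain, which is exactly what a caller needs in order to write a matching file context (snapper.fc labels the plugin binary `snapper_grub_plugin_exec_t`). I would extend the `<summary>` with a sentence such as `Creates snapper_<prefix>_plugin_t and snapper_<prefix>_plugin_exec_t; within this template the plugin domain is entered only by domain transition from snapperd_t.` The hard-wired `role system_r` is fine for a daemon-spawned helper but is also worth stating there, since a plugin run from a user role would need extra rules.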
@@ -111,3 +111,28 @@ optional_policy(` snapper_relabel_snapshots(snapperd_t) ') + +######################################## +# +# snapper plugins policy +# + +attribute snapper_plugin; + +snapper_plugin_template(grub); + +### snapper grub plugin +bootloader_exec(snapper_grub_plugin_t) +corecmd_exec_bin(snapper_grub_plugin_t) +files_manage_isid_type_dirs(snapper_grub_plugin_t) +files_manage_isid_type_files(snapper_grub_plugin_t) +snapper_filetrans_named_content(snapper_grub_plugin_t) +kernel_read_unlabeled_lnk_files(snapper_grub_plugin_t) + +allow snapper_grub_plugin_t snapperd_data_t:dir manage_dir_perms; +allow snapper_grub_plugin_t snapperd_data_t:file manage_file_perms; +dontaudit snapper_grub_plugin_t self:capability { sys_admin }; + +optional_policy(` + auth_dontaudit_read_passwd_file(snapper_grub_plugin_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/system/selinuxutil.fc new/selinux-policy-20240726/policy/modules/system/selinuxutil.fc --- old/selinux-policy-20240715/policy/modules/system/selinuxutil.fc 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/system/selinuxutil.fc 2024-07-26 15:34:21.000000000 +0200 
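Review bot: `files_manage_isid_type_dirs(snapper_grub_plugin_t)` and `files_manage_isid_type_files(snapper_grub_plugin_t)` grant the plugin manage access to every unlabeled_t directory and file on the system, not only to snapshot content, and nothing in the hunk says why (the changelog only states "manage unlabeled_t"). Presumably snapshot trees can show up as unlabeled_t after a snapshot is created; if so, a why-comment above the two calls keeps the next maintainer from narrowing or widening the grant blindly, e.g. `# snapshot content may be unlabeled_t (TODO confirm); note this is system-wide manage on unlabeled objects`. The `dontaudit snapper_grub_plugin_t self:capability { sys_admin };` would likewise benefit from a one-line note naming the operation that trips it, so the dontaudit is not mistaken for a needed permission later.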
@@ -29,7 +29,7 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) -/usr/lib/systemd/system-generators/selinux-autorelabel-generator\.sh -- gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0) +/usr/lib/systemd/system-generators/selinux-autorelabel-generator(\.sh)? -- gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0) /usr/libexec/selinux/selinux-autorelabel -- gen_context(system_u:object_r:semanage_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/system/selinuxutil.te new/selinux-policy-20240726/policy/modules/system/selinuxutil.te --- old/selinux-policy-20240715/policy/modules/system/selinuxutil.te 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/system/selinuxutil.te 2024-07-26 15:34:21.000000000 +0200 @@ -854,6 +854,9 @@ # src:mkdir -p "$earlydir/selinux-autorelabel.service.d" systemd_unit_file_filetrans(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, dir) + # (opensuse microos only) filetrans unit files: /run/systemd/generator/.*-relabel.service + systemd_unit_file_filetrans(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, file) + # src:ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" systemd_manage_unit_symlinks(selinux_autorelabel_generator_t) systemd_getattr_generic_unit_files(selinux_autorelabel_generator_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/system/systemd.fc new/selinux-policy-20240726/policy/modules/system/systemd.fc --- old/selinux-policy-20240715/policy/modules/system/systemd.fc 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/system/systemd.fc 2024-07-26 15:34:21.000000000 +0200 
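Review bot: The new `systemd_unit_file_filetrans(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, file)` in selinuxutil.te departs from the surrounding convention, where each rule is preceded by a `# src:` line quoting the generator script statement that needs it; the added comment gives the distro and the resulting path pattern but not the script line. I would keep the convention, e.g. `# src: (openSUSE MicroOS only) <command writing "$earlydir/<name>-relabel.service">` with the real command filled in, so the rule can be re-checked against the script later. The selinuxutil.fc regex change to `selinux-autorelabel-generator(\.sh)?` in the same line needs no change.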
@@ -76,6 +76,7 @@ /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_network_generator_exec_t,s0) +/usr/lib/systemd/system-generators/growpart-generator.sh -- gen_context(system_u:object_r:systemd_growpart_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-bless-boot-generator -- gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-cryptsetup-generator -- gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-debug-generator -- gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240715/policy/modules/system/systemd.te new/selinux-policy-20240726/policy/modules/system/systemd.te --- old/selinux-policy-20240715/policy/modules/system/systemd.te 2024-07-15 13:55:08.000000000 +0200 +++ new/selinux-policy-20240726/policy/modules/system/systemd.te 2024-07-26 15:34:21.000000000 +0200 @@ -205,6 +205,8 @@ systemd_generator_template(systemd_getty_generator) # gpt-generator systemd_generator_template(systemd_gpt_generator) +# growpart-generator +systemd_generator_template(systemd_growpart_generator) # rc-local-generator systemd_generator_template(systemd_rc_local_generator) # ssh-generator @@ -1283,6 +1285,7 @@ fs_getattr_cgroup(systemd_generator) fs_search_cgroup_dirs(systemd_generator) kernel_read_proc_files(systemd_generator) +dev_write_kmsg(systemd_generator) ### Rules for individual systemd generator domains @@ -1297,7 +1300,6 @@ create_lnk_files_pattern(systemd_fstab_generator_t, systemd_unit_file_type, systemd_unit_file_type) -dev_write_kmsg(systemd_fstab_generator_t) dev_write_sysfs_dirs(systemd_fstab_generator_t) files_getattr_all_dirs(systemd_fstab_generator_t) 
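Review bot: `dev_write_kmsg(systemd_generator)` moves the kmsg write permission from individual generator domains (fstab here, gpt and zram in the two following hunks) to the whole `systemd_generator` attribute, so every domain created with `systemd_generator_template`, including the new growpart generator, receives it. That is a reasonable consolidation, but the hunk gives no rationale, and an attribute-level grant is easy to overlook when someone later reviews a single generator's rules. If the reason is that generators log through /dev/kmsg before the journal is available (I cannot confirm that from the diff), a comment such as `# generators run before journald; all of them may log to /dev/kmsg` above the call would record it.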
@@ -1322,7 +1324,6 @@ allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms; dev_read_sysfs(systemd_gpt_generator_t) -dev_write_kmsg(systemd_gpt_generator_t) dev_read_rand(systemd_gpt_generator_t) files_list_boot(systemd_gpt_generator_t) @@ -1352,6 +1353,23 @@ udev_read_pid_files(systemd_gpt_generator_t) ') +### growpart generator + +# needed for cat, ln +corecmd_exec_bin(systemd_growpart_generator_t) + +# needed for lsblk +dev_list_sysfs(systemd_growpart_generator_t) +dev_read_sysfs(systemd_growpart_generator_t) +storage_getattr_fixed_disk_dev(systemd_growpart_generator_t) + +optional_policy(` + # ignore #!/bin/bash reading passwd file + auth_dontaudit_read_passwd_file(systemd_growpart_generator_t) +') + +permissive systemd_growpart_generator_t; + ### systemd rc_local generator init_exec_script_files(systemd_rc_local_generator_t) @@ -1380,7 +1398,6 @@ dev_create_sysfs_files(systemd_zram_generator_t) dev_rw_sysfs(systemd_zram_generator_t) -dev_write_kmsg(systemd_zram_generator_t) # for systemd-detect-virt - needs to be confined corecmd_exec_bin(systemd_zram_generator_t)
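Review bot: `permissive systemd_growpart_generator_t;` ships the new domain in permissive mode, so any denial it hits is only audited and never enforced, and nothing in the hunk marks that as temporary or ties it to the tracking bug. If the intent is to collect denials while the ruleset matures, say so above the line, e.g. `# TODO: drop permissive once the ruleset is complete (bsc#1226824)`; otherwise the declaration should go before release. The rules above it cover only `cat`, `ln` and `lsblk` via sysfs and fixed-disk getattr; anything else the script does (its name suggests it resizes partitions, which the diff does not show) would currently be hidden by permissive mode instead of surfacing as a denial during testing.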