Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-10-20 10:08:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and /work/SRC/openSUSE:Factory/.selinux-policy.new.26871 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy"
Sun Oct 20 10:08:57 2024 rev:82 rq:1208868 version:20241018
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-10-01 17:11:27.828841389 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.26871/selinux-policy.changes 2024-10-20 10:09:08.447602727 +0200
@@ -1,0 +2,8 @@
+Fri Oct 18 12:34:06 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20241018:
+ * Allow slpd to create TCPDIAG netlink socket (bsc#1231491)
+ * Allow slpd to use sys_chroot (bsc#1231491)
+ * Allow openvswitch-ipsec use strongswan (bsc#1231493)
+
+-------------------------------------------------------------------
Old:
----
selinux-policy-20240930.tar.xz
New:
----
selinux-policy-20241018.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.oxrTTq/_old 2024-10-20 10:09:09.547648333 +0200
+++ /var/tmp/diff_new_pack.oxrTTq/_new 2024-10-20 10:09:09.547648333 +0200
@@ -36,7 +36,7 @@
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240930
+Version: 20241018
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.oxrTTq/_old 2024-10-20 10:09:09.651652644 +0200
+++ /var/tmp/diff_new_pack.oxrTTq/_new 2024-10-20 10:09:09.655652810 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
- <param name="changesrevision">ce2f393284de8ea7a3a76e76196b13e8b98770b2</param></service><service name="tar_scm">
+ <param name="changesrevision">0f42d9d86addd3d512c65c9a866649f2be1d3c86</param></service><service name="tar_scm">
 <param name="url">https://github.com/containers/container-selinux.git</param>
 <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
++++++ selinux-policy-20240930.tar.xz -> selinux-policy-20241018.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240930/policy/modules/contrib/openvswitch.te new/selinux-policy-20241018/policy/modules/contrib/openvswitch.te
--- old/selinux-policy-20240930/policy/modules/contrib/openvswitch.te 2024-09-30 09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/contrib/openvswitch.te 2024-10-18 14:33:42.000000000 +0200
@@ -141,6 +141,13 @@
 ')
 optional_policy(`
+ ipsec_domtrans(openvswitch_t)
+ ipsec_domtrans_mgmt(openvswitch_t)
+ ipsec_manage_conf_files(openvswitch_t)
+ ipsec_manage_key_file(openvswitch_t)
+')
+
+optional_policy(`
 iptables_domtrans(openvswitch_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240930/policy/modules/contrib/slpd.te new/selinux-policy-20241018/policy/modules/contrib/slpd.te
--- old/selinux-policy-20240930/policy/modules/contrib/slpd.te 2024-09-30 09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/contrib/slpd.te 2024-10-18 14:33:42.000000000 +0200
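Review bot: `ipsec_manage_key_file(openvswitch_t)` and `ipsec_manage_conf_files(openvswitch_t)` give the entire openvswitch_t domain create/write/delete access to the IPsec secrets (ipsec_key_file_t, which this package's ipsec.fc maps to ipsec.secrets and the swanctl key directories) and to strongswan's configuration, so a compromise of ovs-vswitchd now lets an attacker rewrite tunnel keys and charon's config rather than only the datapath. The changelog names openvswitch-ipsec (the ovs-monitor-ipsec helper), which is a separate program; if that helper is what actually edits these files, confining it in its own domain, or at least restricting these rules to that program, would keep the secrets out of reach of the switch daemon proper. If the grant to openvswitch_t as a whole is intended, a comment above the block saying so would help the next reviewer, e.g. `# ovs-monitor-ipsec rewrites ipsec.conf/ipsec.secrets for strongswan (bsc#1231493)`. Both `ipsec_domtrans` and `ipsec_domtrans_mgmt` are added; if the helper only ever invokes the management wrapper (ipsec/swanctl), the direct transition to ipsec_t may be unnecessary and could be dropped.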
@@ -24,6 +24,13 @@
 #
 allow slpd_t self:capability { kill net_admin setgid setuid };
+
+# SUSE specific patch "extensions.diff" in openslp needs chroot()
+allow slpd_t self:capability sys_chroot;
+
+# SUSE specific patch "openslp.netlink.diff" in openslp uses TCPDIAG_GETSOCK
+allow slpd_t self:netlink_tcpdiag_socket create;
+
 allow slpd_t self:process signal;
 allow slpd_t self:fifo_file rw_fifo_file_perms;
 allow slpd_t self:tcp_socket { accept listen };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240930/policy/modules/system/ipsec.fc new/selinux-policy-20241018/policy/modules/system/ipsec.fc
--- old/selinux-policy-20240930/policy/modules/system/ipsec.fc 2024-09-30 09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/system/ipsec.fc 2024-10-18 14:33:42.000000000 +0200
@@ -9,6 +9,8 @@
 /etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/strongswan.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/strongswan.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/strongswan/swanctl/bliss/(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
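Review bot: `allow slpd_t self:netlink_tcpdiag_socket create;` grants only socket creation; a TCPDIAG_GETSOCK query also has to be written to and read back from the socket, and the kernel additionally checks `nlmsg_read` on netlink_tcpdiag_socket for that request, so the netlink patch will presumably hit further denials on first use unless the socket is created and never used. The refpolicy idiom for this is `allow slpd_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };`, which would avoid a second round trip through bsc#1231491. The new sys_chroot capability is likewise unaccompanied by any rule on the target directory; the chroot() call also needs search on that directory's type, which may already be covered by rules outside this hunk. A short comment stating which directory the extensions patch pins the daemon to would help the next reviewer judge whether the capability is still required.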
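Review bot: The two new entries use an unescaped `.` in `/etc/strongswan.conf` and `/etc/strongswan.d(/.*)?`, whereas the neighbouring `ipsec\.conf` and `ipsec\.secrets.*` entries escape it; file-context paths are regular expressions, so the new ones also match names such as `/etc/strongswanXconf`, which is harmless in practice but inconsistent with the file's convention. Prefer `/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)` and `/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)`. Note also that labeling `/etc/strongswan.d` as ipsec_conf_file_t puts charon's plugin and loader configuration under the same type that the new `ipsec_manage_conf_files` interface in this update hands out as writable, so the scope of that type has grown beyond ipsec.conf; the commit message should say this widening is intended.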
@@ -38,6 +40,7 @@
 /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240930/policy/modules/system/ipsec.if new/selinux-policy-20241018/policy/modules/system/ipsec.if
--- old/selinux-policy-20240930/policy/modules/system/ipsec.if 2024-09-30 09:14:51.000000000 +0200
+++ new/selinux-policy-20241018/policy/modules/system/ipsec.if 2024-10-18 14:33:42.000000000 +0200
@@ -355,6 +355,27 @@
 allow $1 ipsec_conf_file_t:dir list_dir_perms;
 ')
+
+#######################################
+## <summary>
+## Allow to manage ipsec conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_manage_conf_files',`
+ gen_require(`
+ type ipsec_conf_file_t;
+ ')
+
+ manage_files_pattern($1, ipsec_conf_file_t, ipsec_conf_file_t)
+ files_etc_filetrans($1, ipsec_conf_file_t, file, "ipsec.conf")
+')
+
+
 ########################################
 ## <summary>
 ## Match the default SPD entry.
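Review bot: The new `ipsec_manage_conf_files` only adds a name transition for `ipsec.conf`, while the ipsec.fc change in this same update labels `/etc/strongswan.conf` and `/etc/strongswan.d` as ipsec_conf_file_t; a caller that creates either of those afresh (rather than editing an existing file) will get etc_t and then fail its own subsequent write, so if that is a path the openvswitch helper takes, add `files_etc_filetrans($1, ipsec_conf_file_t, file, "strongswan.conf")` and `files_etc_filetrans($1, ipsec_conf_file_t, dir, "strongswan.d")` next to the existing one. The summary `Allow to manage ipsec conf files.` is ungrammatical and understates what is granted; since this type is the configuration charon loads, I would write it as `Create, read, write and delete IPsec configuration files (ipsec_conf_file_t), including strongswan's. This grants write access to the configuration charon loads; use only for domains that legitimately generate it.`. The interface itself is complete within the hunk; the preceding interface's closing `')` is the only context shown.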