Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-09-12 16:54:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.17570 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Thu Sep 12 16:54:06 2024 rev:79 rq:1200261 version:20240912 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-09-10 21:12:23.883949470 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.17570/selinux-policy.changes 2024-09-12 16:54:16.791668002 +0200 @@ -1,0 +2,16 @@ +Thu Sep 12 07:34:20 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240912: + * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011) + * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315) + * Initial policy for udev-trigger-generator (bsc#1230315) + +------------------------------------------------------------------- +Tue Sep 10 13:33:53 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240910: + * Allow init_t mount syslog socket (bsc#1230134) + * Allow init_t create syslog files (bsc#1230134) + * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134) + +------------------------------------------------------------------- Old: ---- selinux-policy-20240905.tar.xz New: ---- selinux-policy-20240912.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.VrvO9j/_old 2024-09-12 16:54:17.623702616 +0200 +++ /var/tmp/diff_new_pack.VrvO9j/_new 2024-09-12 16:54:17.623702616 +0200 
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240905 +Version: 20240912 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.VrvO9j/_old 2024-09-12 16:54:17.699705778 +0200 +++ /var/tmp/diff_new_pack.VrvO9j/_new 2024-09-12 16:54:17.703705945 +0200 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">48af429a1e0c001269e8f1e0cf4f677e74cfce46</param></service><service name="tar_scm"> + <param name="changesrevision">f8d70ad2b8a5d2628cd1ee881ccedbcebf189d3d</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm"> <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param> ++++++ selinux-policy-20240905.tar.xz -> selinux-policy-20240912.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240905/policy/modules/system/init.te new/selinux-policy-20240912/policy/modules/system/init.te --- old/selinux-policy-20240905/policy/modules/system/init.te 2024-09-05 16:10:07.000000000 +0200 +++ new/selinux-policy-20240912/policy/modules/system/init.te 2024-09-12 09:33:00.000000000 +0200 @@ -397,6 +397,7 @@ libs_rw_ld_so_cache(init_t) logging_create_devlog_dev(init_t) +logging_create_journal_files(init_t) logging_send_syslog_msg(init_t) logging_send_audit_msgs(init_t) logging_manage_generic_logs(init_t) 
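Review bot: `logging_create_journal_files(init_t)` is added without a comment saying why init now needs to create files of the syslog runtime type, and the same applies to `logging_mounton_syslog_pid_socket(init_t)` in the -404 hunk. The changelog in this request ties both rules to bsc#1230134, the same bug as the new btrfs-soft-reboot-generator policy, but that link is not visible in init.te, where the next reader has to decide whether either grant can be narrowed or dropped. A one-line comment above each call, e.g. `# bsc#1230134 (presumably soft-reboot handling)`, would keep that context next to the rule.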
@@ -404,6 +405,7 @@ logging_relabel_devlog_dev(init_t) logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) +logging_mounton_syslog_pid_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) logging_dgram_accept(init_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240905/policy/modules/system/logging.if new/selinux-policy-20240912/policy/modules/system/logging.if --- old/selinux-policy-20240905/policy/modules/system/logging.if 2024-09-05 16:10:07.000000000 +0200 +++ new/selinux-policy-20240912/policy/modules/system/logging.if 2024-09-12 09:33:00.000000000 +0200 @@ -739,6 +739,24 @@ ######################################## ## <summary> +## Use the syslog pid sock_file as mount point. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_mounton_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:sock_file mounton; +') + +######################################## +## <summary> ## Relabel the syslog pid sock_file. ## </summary> ## <param name="domain"> 
@@ -1790,6 +1808,24 @@ ') ####################################### +## <summary> +## Create files in /run/log/journal/ directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_create_journal_files',` + gen_require(` + type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:file { create }; +') + +####################################### ## <summary> ## Map files in /run/log/journal/ directory. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240905/policy/modules/system/systemd.fc new/selinux-policy-20240912/policy/modules/system/systemd.fc --- old/selinux-policy-20240905/policy/modules/system/systemd.fc 2024-09-05 16:10:07.000000000 +0200 +++ new/selinux-policy-20240912/policy/modules/system/systemd.fc 2024-09-12 09:33:00.000000000 +0200 @@ -78,6 +78,7 @@ /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_network_generator_exec_t,s0) +/usr/lib/systemd/system-generators/btrfs-soft-reboot-generator -- gen_context(system_u:object_r:systemd_btrfs_soft_reboot_generator_exec_t,s0) /usr/lib/systemd/system-generators/growpart-generator.sh -- gen_context(system_u:object_r:systemd_growpart_generator_exec_t,s0) /usr/lib/systemd/system-generators/ibft-rule-generator -- gen_context(system_u:object_r:systemd_ibft_rule_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-bless-boot-generator -- gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0) 
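Review bot: `allow $1 syslogd_var_run_t:file { create };` wraps a single permission in braces, which the sibling interface added in the -739 hunk does not do (`sock_file mounton;`); `allow $1 syslogd_var_run_t:file create;` matches the rest of the file. `create` alone grants neither `open` nor `write`, so a caller that creates and then fills a journal file will need a second interface; if that split is deliberate, the summary could say `## Create (but not write) files in /run/log/journal/ directory.` so callers do not assume more than is granted. The rule is on `syslogd_var_run_t`, so it presumably covers any file of that type under the syslog runtime tree rather than only /run/log/journal/; worth confirming that is the intended scope, even if the neighbouring journal interfaces follow the same convention.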
@@ -91,6 +92,7 @@ /usr/lib/systemd/system-generators/status-mail-generator.sh -- gen_context(system_u:object_r:systemd_status_mail_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-tpm2-generator -- gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0) +/usr/lib/systemd/system-generators/udev-trigger-generator -- gen_context(system_u:object_r:systemd_udev_trigger_generator_exec_t,s0) /usr/lib/systemd/system-generators/zram-generator -- gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0) /usr/lib/systemd/system-generators/.+ -- gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0) /usr/lib/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240905/policy/modules/system/systemd.te new/selinux-policy-20240912/policy/modules/system/systemd.te --- old/selinux-policy-20240905/policy/modules/system/systemd.te 2024-09-05 16:10:07.000000000 +0200 +++ new/selinux-policy-20240912/policy/modules/system/systemd.te 2024-09-12 09:33:00.000000000 +0200 @@ -195,6 +195,8 @@ ### domains and file types for systemd generators # bless-boot-generator systemd_generator_template(systemd_bless_boot_generator) +# btrfs-soft-reboot-generator +systemd_generator_template(systemd_btrfs_soft_reboot_generator) # cryptsetup-generator systemd_generator_template(systemd_cryptsetup_generator) # debug-generator @@ -219,6 +221,8 @@ systemd_generator_template(systemd_sysv_generator) # tpm2-generator systemd_generator_template(systemd_tpm2_generator) +# udev-trigger-generator +systemd_generator_template(systemd_udev_trigger_generator) # zram-generator systemd_generator_template(systemd_zram_generator) type systemd_zram_generator_conf_t; 
@@ -1319,6 +1323,11 @@ ### bless-boot generator fs_read_efivarfs_files(systemd_bless_boot_generator_t) +### systemd-btrfs-soft-reboot generator +mount_read_pid_files(systemd_btrfs_soft_reboot_generator_t) + +permissive systemd_btrfs_soft_reboot_generator_t; + ### cryptsetup generator manage_dirs_pattern(systemd_cryptsetup_generator_t, systemd_fstab_generator_unit_file_t, systemd_fstab_generator_unit_file_t) manage_files_pattern(systemd_cryptsetup_generator_t, systemd_fstab_generator_unit_file_t, systemd_fstab_generator_unit_file_t) @@ -1406,7 +1415,9 @@ ### ibft-rule-generator (from open-iscsi package) corecmd_exec_bin(systemd_ibft_rule_generator_t) +udev_create_rules_dir(systemd_ibft_rule_generator_t) udev_manage_rules_files(systemd_ibft_rule_generator_t) +udev_named_filetrans_runtime_generated_rules(systemd_ibft_rule_generator_t) optional_policy(` # ignore #!/bin/bash reading passwd file @@ -1448,6 +1459,19 @@ ### tpm2 generator dev_list_sysfs(systemd_tpm2_generator_t) +### udev trigger generator +corecmd_exec_bin(systemd_udev_trigger_generator_t) + +dev_list_sysfs(systemd_udev_trigger_generator_t) +dev_read_sysfs(systemd_udev_trigger_generator_t) + +optional_policy(` + # ignore #!/bin/bash reading passwd file + auth_dontaudit_read_passwd_file(systemd_udev_trigger_generator_t) +') + +permissive systemd_udev_trigger_generator_t; + ### zram generator allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms; permissive systemd_zram_generator_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240905/policy/modules/system/udev.if new/selinux-policy-20240912/policy/modules/system/udev.if --- old/selinux-policy-20240905/policy/modules/system/udev.if 2024-09-05 16:10:07.000000000 +0200 +++ new/selinux-policy-20240912/policy/modules/system/udev.if 2024-09-12 09:33:00.000000000 +0200 
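Review bot: `permissive systemd_btrfs_soft_reboot_generator_t;` puts the new domain in permissive mode, so denials for it are only audited and never enforced; the same is done for `systemd_udev_trigger_generator_t` in the -1448 hunk. The file already does this for the zram generator, so it looks like the project's convention for initial policies, but nothing in either hunk records that the line is temporary or what has to land before it goes. A comment such as `# TODO: drop once the domain's rules are complete (bsc#1230134)` above each permissive line (bsc#1230315 for the udev-trigger one) would make the follow-up visible, and with `mount_read_pid_files` being the only grant for the btrfs domain that follow-up is probably still some way off.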
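Review bot: The rules added for `systemd_udev_trigger_generator_t` are `dev_list_sysfs` and `dev_read_sysfs`, but the changelog entry in this request describes the change as allowing the domain to "list and read sysctls"; sysfs and sysctl are different things, so one of the two should be corrected, and the interface names suggest it is the changelog wording that is off. If the generator really does read /proc/sys as well, the matching kernel sysctl interface is still missing here and the permissive line would currently hide that. A short comment above `dev_list_sysfs(systemd_udev_trigger_generator_t)` naming what under /sys the generator reads would also help a later reviewer confirm the grant is not broader than needed.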
@@ -172,6 +172,42 @@ ######################################## ## <summary> +## Create udev rules directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_create_rules_dir',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:dir create_dir_perms; +') + +######################################## +## <summary> +## named filetrans from udev_var_run_t to udev_rules_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +interface(`udev_named_filetrans_runtime_generated_rules',` + gen_require(` + type udev_rules_t; + type udev_var_run_t; + ') + + filetrans_pattern($1, udev_var_run_t, udev_rules_t, dir, "rules.d") +') + +######################################## +## <summary> ## Do not audit search of udev database directories. ## </summary> ## <param name="domain">
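Review bot: The second interface, `udev_named_filetrans_runtime_generated_rules`, is missing the `#` line between `## </param>` and `interface(` that the first interface in this hunk and the surrounding file carry; add `#` there. Both summaries also depart from the file's style: `## Create udev rules directory` lacks the trailing period, and `## named filetrans from udev_var_run_t to udev_rules_t` names the mechanism rather than the effect, so `## Create the rules.d directory in the udev runtime directory with the udev rules type.` would say what a caller gets. As far as I recall, filetrans_pattern grants directory read/write permissions on the parent type but nothing on the target type, so callers need `udev_create_rules_dir` alongside this interface, as the ibft-rule-generator hunk in systemd.te does; a sentence in the summary pointing that out would save the next caller a lookup.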