commit container-selinux for openSUSE:Factory
Hello community, here is the log from the commit of package container-selinux for openSUSE:Factory checked in at 2020-11-02 09:40:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/container-selinux (Old) and /work/SRC/openSUSE:Factory/.container-selinux.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "container-selinux" Mon Nov 2 09:40:20 2020 rev:3 rq:844834 version:2.150.0 Changes: -------- --- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes 2020-10-20 16:03:29.521813228 +0200 +++ /work/SRC/openSUSE:Factory/.container-selinux.new.3463/container-selinux.changes 2020-11-02 09:40:27.173613351 +0100 @@ -1,0 +2,7 @@ +Thu Oct 29 07:52:21 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> + +- Update to version 2.150.0 + - Add additional allow rules for kvm based containers using + virtiofsd. + +------------------------------------------------------------------- Old: ---- container-selinux-2.145.0.tar.gz New: ---- container-selinux-2.150.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ container-selinux.spec ++++++ --- /var/tmp/diff_new_pack.lpOhWS/_old 2020-11-02 09:40:28.469614595 +0100 +++ /var/tmp/diff_new_pack.lpOhWS/_new 2020-11-02 09:40:28.469614595 +0100 
@@ -26,7 +26,7 @@ # Version of SELinux we were using %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}') Name: container-selinux -Version: 2.145.0 +Version: 2.150.0 Release: 0 Summary: SELinux policies for container runtimes License: GPL-2.0-only ++++++ container-selinux-2.145.0.tar.gz -> container-selinux-2.150.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.145.0/NOTICE new/container-selinux-2.150.0/NOTICE --- old/container-selinux-2.145.0/NOTICE 1970-01-01 01:00:00.000000000 +0100 +++ new/container-selinux-2.150.0/NOTICE 2020-10-22 21:07:11.000000000 +0200 @@ -0,0 +1,15 @@ +Copyright (c) 2015, 2020, Free Software Foundation, Inc. + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/container-selinux-2.145.0/container.te new/container-selinux-2.150.0/container.te --- old/container-selinux-2.145.0/container.te 2020-09-10 17:29:43.000000000 +0200 +++ new/container-selinux-2.150.0/container.te 2020-10-22 21:07:11.000000000 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.145.0) +policy_module(container, 2.150.0) gen_require(` class passwd rootok; ') 
@@ -104,6 +104,7 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh) ') +mls_trusted_object(container_runtime_t) ######################################## @@ -115,6 +116,7 @@ allow container_runtime_domain self:process ~setcurrent; allow container_runtime_domain self:passwd rootok; allow container_runtime_domain self:fd use; +allow container_runtime_domain self:dir mounton; allow container_runtime_domain self:file mounton; allow container_runtime_domain self:fifo_file rw_fifo_file_perms; @@ -147,13 +149,17 @@ corenet_tcp_connect_all_ports(container_runtime_domain) corenet_sctp_bind_all_ports(container_net_domain) corenet_sctp_connect_all_ports(container_net_domain) +corenet_rw_tun_tap_dev(container_runtime_domain) container_auth_stream_connect(container_runtime_domain) +manage_files_pattern(container_runtime_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(container_runtime_domain, container_file_t, container_file_t) manage_blk_files_pattern(container_runtime_domain, container_file_t, container_file_t) +allow container_runtime_domain container_domain:key manage_key_perms; manage_sock_files_pattern(container_runtime_domain, container_file_t, container_file_t) -allow container_runtime_domain container_file_t:dir {relabelfrom relabelto execmod}; -allow container_runtime_domain container_file_t:chr_file mmap_file_perms; +allow container_runtime_domain container_file_t:dir_file_class_set {relabelfrom relabelto execmod}; +allow container_runtime_domain container_file_t:dir_file_class_set mmap_file_perms; manage_files_pattern(container_runtime_domain, container_home_t, container_home_t) manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t) 
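Review bot: `mls_trusted_object(container_runtime_t)` lands directly after the enable_mls ifdef block with no comment saying why objects owned by the runtime must be exempt from MLS level checks on read/write, which is what the mlstrustedobject attribute buys. A one-line why-comment tied to the AVC that motivated it, e.g. `# runtime-owned sockets/files are shared with containers running at other MLS levels (confirm)`, would let a later reviewer judge whether a narrower grant suffices. The change is also absent from the .changes entry, which only mentions KVM/virtiofsd rules.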
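Review bot: Widening the two container_file_t rules from `dir` and `chr_file` to `dir_file_class_set` grants execmod and map access on every file class of container_file_t (fifo_file, sock_file, blk_file, lnk_file included), and execmod is the permission that lets a domain make a privately modified (text-relocated) mapping executable, so handing it out on a whole class set is more than a runtime needs. I would keep only the relabel part on the class set and confine the rest to the classes that actually raise AVCs: `allow container_runtime_domain container_file_t:dir_file_class_set { relabelfrom relabelto };`, `allow container_runtime_domain container_file_t:file { execmod mmap_file_perms };` and the pre-existing `allow container_runtime_domain container_file_t:chr_file mmap_file_perms;`. The new `allow container_runtime_domain container_domain:key manage_key_perms;` line also deserves a comment naming its use (presumably populating or joining the container's session keyring; confirm), and none of this is reflected in the .changes entry.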
@@ -181,7 +187,6 @@ manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) -files_tmp_filetrans(container_runtime_domain, container_runtime_tmp_t, { dir file lnk_file }) manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) @@ -225,6 +230,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(container_runtime_domain, container_devpts_t) @@ -237,6 +243,9 @@ kernel_setsched(container_runtime_domain) kernel_rw_all_sysctls(container_runtime_domain) +domain_obj_id_change_exemption(container_runtime_t) +domain_subj_id_change_exemption(container_runtime_t) +domain_role_change_exemption(container_runtime_t) domain_use_interactive_fds(container_runtime_domain) domain_dontaudit_read_all_domains_state(container_runtime_domain) domain_sigchld_all_domains(container_runtime_domain) 
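Review bot: `files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })` makes the runtime's new objects under /tmp take the pid-file type container_var_run_t, and with the removal of the container_runtime_tmp_t filetrans in the hunk just above, nothing in the visible diff labels runtime-created /tmp content container_runtime_tmp_t any more, although the manage_* rules for that type remain and may now be dead (unless a file context still assigns it). Sharing one type between /run and world-writable /tmp means every domain that is granted access to container_var_run_t can also reach those /tmp objects, and /tmp lacks the ownership guarantees /run has. A why-comment naming the tool and path that writes there, e.g. `# the runtime falls back to /tmp for its run directory when XDG_RUNTIME_DIR is unset (confirm)`, plus the optional name argument of files_tmp_filetrans if that directory name is fixed, would narrow the transition to what is needed.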
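Review bot: The three `domain_*_change_exemption(container_runtime_t)` calls are added with no comment even though they lift container_runtime_t out of the constraints that forbid changing the SELinux user and role across a domain transition and the user identity of objects, which is what normally stops a confined process from relabelling itself or its files as another user or role. They should state what needs them, e.g. `# let the runtime start containers with a caller-chosen SELinux user/role (--security-opt label=user:/role:) (confirm against the AVCs)`, and get their own line in the .changes entry, which currently mentions only KVM/virtiofsd rules. They are also granted to the type container_runtime_t rather than the container_runtime_domain attribute used by the neighbouring rules, so other runtime domains do not inherit the exemption; if that asymmetry is intentional the comment should say so.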
@@ -244,6 +253,13 @@ domain_read_all_domains_state(container_runtime_domain) domain_getattr_all_domains(container_runtime_domain) +userdom_map_tmp_files(container_runtime_domain) + +optional_policy(` + gnome_map_generic_data_home_files(container_runtime_domain) + allow container_runtime_domain data_home_t:dir { relabelfrom relabelto }; +') + gen_require(` attribute domain; ') @@ -382,6 +398,7 @@ kernel_dontaudit_setattr_proc_dirs(container_runtime_domain) kernel_dontaudit_write_usermodehelper_state(container_runtime_domain) +dev_setattr_null_dev(container_runtime_t) dev_getattr_all(container_runtime_domain) dev_getattr_sysfs_fs(container_runtime_domain) dev_read_rand(container_runtime_domain) @@ -413,14 +430,13 @@ fs_relabelfrom_xattr_fs(container_runtime_domain) fs_relabelfrom_tmpfs(container_runtime_domain) fs_read_tmpfs_symlinks(container_runtime_domain) -fs_list_hugetlbfs(container_runtime_domain) fs_getattr_all_fs(container_runtime_domain) fs_list_inotifyfs(container_runtime_domain) fs_rw_inherited_tmpfs_files(container_runtime_domain) -fs_read_hugetlbfs_files(container_runtime_domain) fs_read_tmpfs_symlinks(container_runtime_domain) fs_search_tmpfs(container_runtime_domain) -fs_rw_hugetlbfs_files(container_runtime_domain) +fs_list_hugetlbfs(container_runtime_domain) +fs_manage_hugetlbfs_files(container_runtime_domain) term_use_generic_ptys(container_runtime_domain) @@ -444,6 +460,7 @@ userdom_relabel_user_tmp_dirs(container_runtime_domain) userdom_use_inherited_user_terminals(container_runtime_domain) userdom_use_user_ptys(container_runtime_domain) +userdom_connectto_stream(container_runtime_domain) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(container_runtime_domain) @@ -482,6 +499,8 @@ fs_mount_fusefs(container_runtime_domain) fs_unmount_fusefs(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain) +storage_rw_fuse(container_runtime_domain) + optional_policy(` files_search_all(container_domain) 
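Review bot: `allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };` is a raw rule on a type from the gnome module placed inside the optional block without its own gen_require; it compiles only because the gen_require expanded from gnome_map_generic_data_home_files() in the same block pulls data_home_t in, which is fragile and non-obvious. I would add an explicit gen_require for `type data_home_t;` to that optional block (or use a gnome relabel interface if the module offers one) and a why-comment such as `# rootless storage lives under ~/.local/share/containers and is relabelled to container_file_t (confirm)`. Because the rule is not scoped to a subdirectory, it lets the runtime relabel any data_home_t directory in the user's home, which the comment should acknowledge.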
@@ -507,6 +526,7 @@ optional_policy(` dbus_system_bus_client(container_runtime_domain) + dbus_session_bus_client(container_runtime_domain) init_dbus_chat(container_runtime_domain) init_start_transient_unit(container_runtime_domain) @@ -541,6 +561,13 @@ ') optional_policy(` + gen_require(` + role staff_r; + ') + role_transition staff_r container_runtime_exec_t system_r; +') + +optional_policy(` unconfined_stub_role() unconfined_domain(container_runtime_t) unconfined_run_to(container_runtime_t, container_runtime_exec_t) @@ -587,6 +614,8 @@ domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t) +domtrans_pattern(container_runtime_domain, fusefs_t, spc_t) + allow container_runtime_domain spc_t:process2 nnp_transition; admin_pattern(spc_t, kubernetes_file_t) @@ -725,7 +754,7 @@ allow container_domain self:shm create_shm_perms; allow container_domain self:socket create_socket_perms; allow container_domain self:tcp_socket create_socket_perms; -allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue }; allow container_domain self:udp_socket create_socket_perms; allow container_domain self:unix_dgram_socket create_socket_perms; allow container_domain self:unix_stream_socket create_stream_socket_perms; @@ -794,10 +823,10 @@ fs_getattr_all_fs(container_domain) fs_list_inotifyfs(container_domain) fs_rw_inherited_tmpfs_files(container_domain) -fs_read_hugetlbfs_files(container_domain) fs_read_tmpfs_symlinks(container_domain) fs_search_tmpfs(container_domain) -fs_rw_hugetlbfs_files(container_domain) +fs_list_hugetlbfs(container_domain) +fs_manage_hugetlbfs_files(container_domain) fs_exec_hugetlbfs_files(container_domain) fs_dontaudit_getattr_all_dirs(container_domain) fs_dontaudit_getattr_all_files(container_domain) 
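Review bot: `role_transition staff_r container_runtime_exec_t system_r;` moves a staff_r user who executes the container runtime into system_r, the role used by system services, and nothing says why the user should not stay in staff_r (for example via a `role staff_r types container_runtime_t;` authorization, which may already exist elsewhere in the module). A why-comment would help, e.g. `# runtime started by staff users must run in system_r so the system_r-only container domains are reachable (confirm)`, and the block's gen_require lists only `role staff_r;`; if system_r is not already required at module scope it needs `role system_r;` too. Together with the domain_role_change_exemption added earlier in this file, this path deserves a line in the .changes entry.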
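Review bot: `domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)` turns every executable on any FUSE mount into an entry point for spc_t when run by the runtime, because fusefs_t is the generic label carried by all FUSE file systems (sshfs, user mounts and fuse-overlayfs alike), whereas the two existing lines above it are limited to container-owned types. If the goal is rootless storage on fuse-overlayfs, say so in a comment, e.g. `# images stored on fuse-overlayfs are fusefs_t; their entrypoints must enter spc_t like container_ro_file_t ones (confirm)`, and consider moving it into the block that already holds fs_mount_fusefs/fs_exec_fusefs_files (that block's opening line is outside the hunks shown, so whether it is tunable-guarded cannot be seen here). The .changes entry does not mention this new transition.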
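Review bot: Replacing `fs_rw_hugetlbfs_files(container_domain)` with `fs_manage_hugetlbfs_files(container_domain)` lets every container create, unlink and rename files on hugetlbfs, a single host-wide mount shared by all containers and host processes, so cross-container interference is prevented only if the MCS constraints applied to container_domain cover unlink/rename on those files as well as read/write; that is worth confirming rather than assuming. A comment such as `# hugepage-backed workloads create and remove their own files on hugetlbfs (confirm)` would record what drove the broadening, and the same note applies to the parallel change for container_runtime_domain earlier in the file.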
@@ -807,6 +836,7 @@ userdom_use_user_ptys(container_domain) userdom_rw_inherited_user_pipes(container_domain) +domain_user_exemption_target(container_t) domain_dontaudit_link_all_domains_keyrings(container_domain) domain_dontaudit_search_all_domains_keyrings(container_domain) @@ -1119,6 +1149,7 @@ container_stream_connect(container_kvm_t) dev_rw_inherited_vhost(container_kvm_t) +dev_rw_vfio_dev(container_kvm_t) corenet_rw_inherited_tun_tap_dev(container_kvm_t) corecmd_exec_shell(container_kvm_t) @@ -1128,9 +1159,12 @@ # virtiofs causes these AVC messages. kernel_mount_proc(container_kvm_t) kernel_mounton_proc(container_kvm_t) +kernel_unmount_proc(container_kvm_t) +kernel_dgram_send(container_kvm_t) files_mounton_rootfs(container_kvm_t) auth_read_passwd(container_kvm_t) +logging_send_syslog_msg(container_kvm_t) optional_policy(` qemu_entry_type(container_kvm_t)
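Review bot: `domain_user_exemption_target(container_t)` is added without a comment, and as I read the refpolicy constraints it marks container_t as a permitted target for transitions that change the SELinux user, which together with the exemptions granted to container_runtime_t earlier in this file completes a path for the runtime to start a container under a non-default SELinux user. State the intent, e.g. `# allow --security-opt label=user:... to set a non-default SELinux user on container_t (confirm)`, and note that it is granted to container_t only, not to the container_domain attribute the surrounding rules use, so other container types such as container_kvm_t are not covered; that asymmetry should be deliberate and documented. This also belongs in the .changes entry.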
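Review bot: `dev_rw_vfio_dev(container_kvm_t)` grants the KVM container domain read/write on the VFIO device nodes unconditionally, and VFIO is the path through which a process takes direct control of an IOMMU-assigned, DMA-capable host device, so this is a much larger grant than the vhost and tun/tap access next to it. The file already gates risky access behind tunables (virt_use_nfs is visible above), so a boolean for device passthrough, defaulting to off, would let hosts that do not use it keep VFIO out of the container policy; at minimum add `# PCI device passthrough for VM-based containers via /dev/vfio/* (confirm)` so the grant is traceable. The .changes wording "additional allow rules for kvm based containers" covers this hunk but does not say it includes device passthrough.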