Sync from SUSE:SLFO:Main selinux-policy revision 42bfa15ee3174106c28906880b125467
@@ -1,4 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="changesrevision">1805634d61369054e3a36424c5772993fc0163d1</param></service></servicedata>
|
||||
<param name="changesrevision">68c4038281d54812db3c49ccc4a84b84172a82c1</param></service></servicedata>
|
@@ -1,7 +1,8 @@
|
||||
policy_module(container, 2.237.0)
|
||||
policy_module(container, 2.238.0)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
type system_conf_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1626,3 +1627,7 @@ tunable_policy(`deny_ptrace',`',`
|
||||
allow container_domain self:process ptrace;
|
||||
allow spc_t self:process ptrace;
|
||||
')
|
||||
|
||||
# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
|
||||
# https://issues.redhat.com/browse/RHEL-91380
|
||||
files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")
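Review bot: The named transition on the last line of the second hunk only labels `sysctl.d` when a `container_runtime_t` process creates it; a `/run/sysctl.d` that already exists, or one later relabelled by restorecon, keeps or returns to the default label unless a file-context entry matches it. No such entry is among the files shown here (container.fc is not changed on this page), so it is worth confirming one exists, for example `/run/sysctl\.d(/.*)?  gen_context(system_u:object_r:system_conf_t,s0)`. The rule also covers every process in `container_runtime_t`, not only netavark, so the comment could say so, e.g. `# Applies to all container_runtime_t processes; systemd reads the resulting files as sysctl configuration.` The `type system_conf_t;` line added to `gen_require` in the first hunk makes the module depend on the base policy defining that type.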
|
||||
|
BIN
selinux-policy-20250627+git0.1805634d.tar.xz
(Stored with Git LFS)
BIN
selinux-policy-20250627+git0.1805634d.tar.xz
(Stored with Git LFS)
Binary file not shown.
BIN
selinux-policy-20250627+git62.68c403828.tar.xz
(Stored with Git LFS)
Normal file
BIN
selinux-policy-20250627+git62.68c403828.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
@@ -1,3 +1,67 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 16 08:24:24 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
|
||||
|
||||
- Update to version 20250627+git62.68c403828:
|
||||
* Allow virtqemud_t use its private tmpfs files (bsc#1242998)
|
||||
* Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
|
||||
* Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
|
||||
* Extend virtqemud_t tcp_socket permissions (bsc#1242998)
|
||||
* Mark configfs_t as mountpoint (bsc#1246080)
|
||||
* healthchecker: add proper optional_policy() guards
|
||||
* Allow virtqemud_t to read and write generic pty (bsc#1242998)
|
||||
* Drop SUSE-specific /usr/etc = /etc equivalency
|
||||
* Allow irqbalance execute shell if irqbalance_run_unconfined is on
|
||||
* Allow openvswitch ioctl vduse devices
|
||||
* Label /dev/vduse/control and /dev/vduse/NAME devices
|
||||
* Allow virtstoraged the sys_rawio capability
|
||||
* Allow virtqemud read insights-core state files
|
||||
* Allow virtnodedev create mdevctl config dirs
|
||||
* Allow virtqemud additional permissions on scsi generic chr files
|
||||
* Allow local login execute gnome keyring daemon
|
||||
* Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
|
||||
* Allow virtqemud send a generic signal to passt
|
||||
* Allow svirt-tcg read init state
|
||||
* Allow irqbalance execute shell if irqbalance_run_unconfined is on
|
||||
* Label /run/opendkim with dkim_milter_data_t
|
||||
* Allow sa-update status systemd services
|
||||
* Introduce new cluster_service_transition_to_unconfined_user boolean (bsc#1244495)
|
||||
* Allow updpwd logging send audit messages
|
||||
* Temporary dontaudit iio-sensor-proxy sys_admin.
|
||||
* Allow iio-sensor-proxy sendto to journald over a unix datagram socket
|
||||
* Revert "Allow iio-sensor-proxy sendto to journald over a unix datagram socket"
|
||||
* virt: allow QEMU use of the qgs daemon for attestation
|
||||
* qgs: add contrib module for TDX "qgs" daemon
|
||||
* kernel: add interfaces for using SGX enclaves
|
||||
* Define file equivalency for /usr/etc
|
||||
* Allow mongod to receive pressure stall information
|
||||
* Dontaudit systemd_generator read sssd public files
|
||||
* Allow plymouthd read/write input event devices
|
||||
* Label 99-nvme-nbft-connect.sh with NetworkManager_dispatcher_nvme_script_t
|
||||
* Allow systemd-user-runtime-dir sendto to syslogd
|
||||
* Remove pcp module
|
||||
* Update irqbalance policy for using unconfined scripts
|
||||
* Allow utempter use terminal multiplexor
|
||||
* Allow virtqemud execute ovs-vsctl with a domain transition
|
||||
* Update the files_search_mnt() interface
|
||||
* Allow nmbd read network sysctls
|
||||
* Allow iio-sensor-proxy sendto to journald over a unix datagram socket
|
||||
* Allow logrotate stop all systemd services
|
||||
* systemd: rework systemd_manage_random_seed
|
||||
* Allow tuned-ppd connect to sssd over a unix stream socket
|
||||
* Drop config for /run/random-seed
|
||||
* Update file location for systemd random-seed file
|
||||
* Allow tomcat execute cracklib-check with a domain transition
|
||||
* Allow sssd watch lib dirs
|
||||
* Confine systemd-hibernate-resume
|
||||
* Allow login_userdomain create /run/tlog directory with user_tmp_t
|
||||
* Allow login_pgm read filesystem sysctls
|
||||
* Allow gconfd connect to system dbus
|
||||
* Allow NetworkManager manage NetworkManager_etc_rw_t symlinks
|
||||
- Syncing with upstream rawhide selinux-policy up to:
|
||||
* 23514206ea45e1d1d2f8a4c08288065c813fcc91
|
||||
- Update embedded container-selinux version to commit:
|
||||
* 36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c (version 2.238.0)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 27 08:40:10 UTC 2025 - cathy.hu@suse.com
|
||||
|
||||
|
@@ -36,7 +36,7 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20250627+git0.1805634d
|
||||
Version: 20250627+git62.68c403828
|
||||
Release: 0
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: container.fc
|
||||
|