Sync from SUSE:SLFO:Main selinux-policy revision 6ab2d18c2dd003faa59ed5c02f48f14f

2024-08-16 18:25:14 +02:00 · 2024-08-16 18:25:14 +02:00 · b454af874d
commit b454af874d
parent 92d963df0f
9 changed files with 125 additions and 27 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">ce3c66e63c1ce5ae2acfcbfc6996597c3ee5c951</param></service></servicedata>
+              <param name="changesrevision">0406315d7d94b88fd1fbdda30c6db42f35a7ff78</param></service></servicedata>
--- a/modules-minimum-contrib.conf
+++ b/modules-minimum-contrib.conf
@ -1465,13 +1465,6 @@ psad = module
 # 
 ptchown = module

-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
 # Layer: apps
 # Module: pulseaudio
 #
--- a/modules-minimum-disable.lst
+++ b/modules-minimum-disable.lst
@ -1 +1 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 
+abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@ -1034,13 +1034,6 @@ psad = module
 # 
 ptchown = module

-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
 # Layer: apps
 # Module: pulseaudio
 #
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -1472,13 +1472,6 @@ psad = module
 # 
 ptchown = module

-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
 # Layer: apps
 # Module: pulseaudio
 #
--- a/selinux-policy-20240604+git249.ce3c66e6.tar.xz
+++ b/selinux-policy-20240604+git249.ce3c66e6.tar.xz
--- a/selinux-policy-20240604+git376.0406315d.tar.xz
+++ b/selinux-policy-20240604+git376.0406315d.tar.xz
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,122 @@
+-------------------------------------------------------------------
+Thu Aug 15 14:24:41 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240604+git376.0406315d:
+  * Dontaudit dac_override of fstab generator (bsc#1229127)
+  * Update libvirt policy
+  * Add port 80/udp and 443/udp to http_port_t definition
+  * Additional updates stalld policy for bpf usage
+  * Label systemd-pcrextend and systemd-pcrlock properly
+  * Label /run/udev/rules.d as udev_rules_t
+  * Provide type for sysstat lock files (bsc#1228247)
+  * Allow coreos_installer_t work with partitions
+  * Revert "Allow coreos-installer-generator work with partitions"
+  * Add policy for systemd-pcrextend
+  * Update policy for systemd-getty-generator
+  * Allow snapper to delete unlabeled_t files (bsc#1228889)
+  * Allow ip command write to ipsec's logs
+  * Allow virt_driver_domain read virtd-lxc files in /proc
+  * Revert "Allow svirt read virtqemud fifo files"
+  * Update virtqemud policy for libguestfs usage
+  * Allow virtproxyd create and use its private tmp files
+  * Allow virtproxyd read network state
+  * Allow virt_driver_domain create and use log files in /var/log (bsc#1227483)
+  * Allow samba-dcerpcd work with ctdb cluster
+  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
+  * Allow setroubleshootd execute sendmail with a domain transition
+  * Allow key.dns_resolve set attributes on the kernel key ring
+  * Update qatlib policy for v24.02 with new features
+  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
+  * Allow tlp status power services
+  * Allow virtqemud domain transition on passt execution
+  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
+  * Allow boothd connect to systemd-userdbd over a unix socket
+  * Update policy for awstats scripts
+  * Allow bitlbee execute generic programs in system bin directories
+  * Allow login_userdomain read aliases file
+  * Allow login_userdomain read ipsec config files
+  * Allow login_userdomain read all pid files
+  * Allow rsyslog read systemd-logind session files
+  * Allow libvirt-dbus stream connect to virtlxcd
+  * Use new kanidm interfaces
+  * Initial module for kanidm
+  * Update bootupd policy
+  * Allow rhsmcertd read/write access to /dev/papr-sysparm
+  * Label /dev/papr-sysparm and /dev/papr-vpd
+  * Allow abrt-dump-journal-core connect to winbindd
+  * Allow systemd-hostnamed shut down nscd
+  * Allow systemd-pstore send a message to syslogd over a unix domain
+  * Allow postfix_domain map postfix_etc_t files
+  * Allow microcode create /sys/devices/system/cpu/microcode/reload
+  * Allow rhsmcertd read, write, and map ica tmpfs files
+  * Support SGX devices
+  * Allow initrc_t transition to passwd_t
+  * Update fstab and cryptsetup generators policy
+  * Allow xdm_t read and write the dma device
+  * Update stalld policy for bpf usage
+  * Allow systemd_gpt_generator to getattr on DOS directories
+  * Make cgroup_memory_pressure_t a part of the file_type attribute
+  * Allow ssh_t to change role to system_r
+  * Update policy for coreos generators
+  * Allow init_t nnp domain transition to firewalld_t
+  * Label /run/modprobe.d with modules_conf_t
+  * Allow virtnodedevd run udev with a domain transition
+  * Allow virtnodedev_t create and use virtnodedev_lock_t
+  * Allow virtstoraged manage files with virt_content_t type
+  * Allow virtqemud unmount a filesystem with extended attributes
+  * Allow svirt_t connect to unconfined_t over a unix domain socket
+  * Update afterburn file transition policy
+  * Allow systemd_generator read attributes of all filesystems
+  * Allow fstab-generator read and write cryptsetup-generator unit file
+  * Allow cryptsetup-generator read and write fstab-generator unit file
+  * Allow systemd_generator map files in /etc
+  * Allow systemd_generator read init's process state
+  * Allow coreos-installer-generator read sssd public files
+  * Allow coreos-installer-generator work with partitions
+  * Label /etc/mdadm.conf.d with mdadm_conf_t
+  * Confine coreos generators
+  * Label /run/metadata with afterburn_runtime_t
+  * Allow afterburn list ssh home directory
+  * Label samba certificates with samba_cert_t
+  * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
+  * Allow virtqemud read virt-dbus process state
+  * Allow staff user dbus chat with virt-dbus
+  * Allow staff use watch /run/systemd
+  * Allow systemd_generator to write kmsg
+  * Allow virtqemud connect to sanlock over a unix stream socket
+  * Allow virtqemud relabel virt_var_run_t directories
+  * Allow svirt_tcg_t read vm sysctls
+  * Allow virtnodedevd connect to systemd-userdbd over a unix socket
+  * Allow svirt read virtqemud fifo files
+  * Allow svirt attach_queue to a virtqemud tun_socket
+  * Allow virtqemud run ssh client with a transition
+  * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
+  * Update keyutils policy
+  * Allow sshd_keygen_t connect to userdbd over a unix stream socket
+  * Allow postfix-smtpd read mysql config files
+  * Allow locate stream connect to systemd-userdbd
+  * Allow the staff user use wireshark
+  * Allow updatedb connect to userdbd over a unix stream socket
+  * Allow gpg_t set attributes of public-keys.d
+  * Allow gpg_t get attributes of login_userdomain stream
+  * Allow systemd_getty_generator_t read /proc/1/environ
+  * Allow systemd_getty_generator_t to read and write to tty_device_t
+  * Drop publicfile module
+  * Remove permissive domain for systemd_nsresourced_t
+  * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
+  * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
+  * Allow to create and delete socket files created by rhsm.service
+  * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
+  * Allow unconfined_service_t transition to passwd_t
+  * Support /var is empty
+  * Allow abrt-dump-journal read all non_security socket files
+  * Allow timemaster write to sysfs files
+  * Dontaudit domain write cgroup files
+  * Label /usr/lib/node_modules/npm/bin with bin_t
+  * Allow ip the setexec permission
+  * Allow systemd-networkd write files in /var/lib/systemd/network
+  * Fix typo in systemd_nsresourced_prog_run_bpf()
+
 -------------------------------------------------------------------
 Fri Aug 09 12:47:22 UTC 2024 - cathy.hu@suse.com

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240604+git249.ce3c66e6
+Version:        20240604+git376.0406315d
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc