Sync from SUSE:SLFO:Main selinux-policy revision 446dda571c5c8f36f69c031e45e38c15

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">da1e0e20a01fbeb119d494032a15b17984baf509</param></service></servicedata>
+              <param name="changesrevision">2adbf6253fb003cf312691b42d804a4c15b61e56</param></service></servicedata>

container.fc

@@ -92,6 +92,7 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
 
+HOME_DIR/\.local/share/ramalama(/.*)?		 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)

container.if

@@ -562,6 +562,7 @@ interface(`container_filetrans_named_content',`
     # Third-party snapshotters
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")

container.te

@@ -1,4 +1,4 @@
-policy_module(container, 2.234.0)
+policy_module(container, 2.234.2)
 
 gen_require(`
 	class passwd rootok;

selinux-policy.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed Feb 19 10:57:17 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 20240604+git800.2adbf625:
+  * Enable postfix_local_write_mail_spool boolean by default for targeted only
+  * Revert "Enable postfix_local_write_mail_spool boolean by default"
+  * Support openSUSE-specific krb5kdc paths (bsc#1237064)
+  * Allow rlimit inheritance for domains transitioning to local_login_t
+  * Enable postfix_local_write_mail_spool boolean by default
+  * kanidm_unixd.fc: follow default style for aliased paths
+  * Dontaudit systemd-logind remove all files
+  * Add the files_dontaudit_read_all_dirs() interface
+  * Add the files_dontaudit_delete_all_files() interface
+  * Allow rhsmcertd notify virt-who
+  * Allow irqbalance to run unconfined scripts conditionally
+  * Allow snapperd execute systemctl in the caller domain
+  * Allow svirt_tcg_t to connect to nbdkit over a unix stream socket
+  * Allow iio-sensor-proxy read iio devices
+  * Label /dev/iio:device[0-9]+ devices
+  * Allow systemd-coredump the sys_admin capability
+  * Allow apcupsd's apccontrol to send messages using wall
+  * contrib/thumb: also allow per-user thumbnailers
+  * contrib/thumb: fix thunar thumbnailer (rhbz#2315893)
+  * Allow virt_domain to use pulseaudio - conditional
+  * Allow pcmsensor read nmi_watchdog state information
+  * Allow init_t nnp domain transition to gssproxy_t
+  * Allow quota_t load its kernel module (bsc#1235805)
+  * Allow apcupsd's apccontrol to send messages using wall (bsc#1235688)
+  * Allow systemd-generator connect to syslog over a unix stream socket
+  * Allow virtqemud manage fixed disk device nodes
+  * Allow iio-sensor-proxy connect to syslog over a unix stream socket
+  * Allow virtstoraged write to sysfs files
+  * Allow power-profiles-daemon write sysfs files
+  * Update iiosensorproxy policy
+  * Allow pcmsensor write nmi_watchdog state information
+  * Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t
+  * Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type
+  * Add the gpg_read_user_secrets() interface
+  * Dontaudit xdm_t wanting to create /root/.cache dir (bsc#1235669)
+  * Allow journalctl read messages from /var/lib/machines (bsc#1235829)
+  * Allow gnome-remote-desktop read resolv.conf
+  * Update switcheroo policy
+  * Allow nfsidmap connect to systemd-homed over a unix socket
+  * wtmpdbd systemd service uses NoNewPrivileges (bsc#1235660)
+  * Transition samba-dcerpcd pid file from smbd_var_run_t to winbind_var_run_t (bsc#1235801)
+  * /run/samba/samba-dcerpcd.pid needs fc type winbind_rpcd_var_run_t (bsc#1235801)
+  * Adjust rpcd_lsad, samba-bgqd, samba-dcerpcd to SUSE-specific part (bsc#1235801)
+  * Transition nmbd pid file from smbd_var_run_t to nmbd_var_run_t (bsc#1235801)
+  * Add the auth_write_motd_var_run_files() interface
+  * Add the bind_exec_named_checkconf() interface
+  * Add the virt_exec_virsh() interface
+  * Allow database rotation for wtmpdbd_t
+  * Allow wtmpdbd to send messages notifications
+  * Introduce policy for wtmpdbd (bsc#1235660)
+  * Label xrdp scripts in /etc as bin_t (bsc#1233738)
+  * introduce unconfined_service_transition_to_unconfined_user boolean (bsc#1233738)
+  * Allow virtqemud domain transition to nbdkit
+  * Add nbdkit interfaces defined conditionally
+  * Allow samba-bgqd connect to cupsd over an unix domain stream socket
+  * Confine the switcheroo-control service
+  * Allow svirt_t read sysfs files
+  * Allow init to manage DOS files (bsc#1232527)
+  * Add rhsmcertd interfaces
+  * Add the ssh_exec_sshd() interface
+  * Add the gpg_domtrans_agent() interface
+  * Label /usr/bin/dnf5 with rpm_exec_t
+  * Label /dev/pmem[0-9]+ with fixed_disk_device_t
+  * allow kdm to create /root/.kde/ with correct label
+  * Change /usr/sbin entries to use /usr/bin or remove them
+  * Allow systemd-homed get filesystem quotas
+  * Allow login_userdomain getattr nsfs files
+  * Allow virtqemud send a generic signal to the ssh client domain
+  * Dontaudit request-key read /etc/passwd
+  * Update virtqemud policy regarding the svirt_tcg_t domain
+  * Allow virtqemud domain transition on numad execution
+  * Support virt live migration using ssh
+  * Allow virtqemud permissions needed for live migration
+  * Allow virtqemud the getpgid process permission
+  * Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
+  * Allow virtqemud relabelfrom virt_log_t files
+  * Allow virtqemud relabel tun_socket
+  * Add policy for systemd-import-generator
+  * Confine vsftpd systemd system generator
+  * Allow virtqemud read and write sgx_vepc devices
+  * Allow systemd-networkd list cgroup directories
+  * Allow xdm dbus chat with power-profiles-daemon
+  * Allow ssh_t read systemd config files
+  * Add Valkey rules to Redis module
+  * Update ktlsh policy
+  * Allow request-key to read /etc/passwd
+  * Allow request-key to manage all domains' keys
+  * Add support for the KVM guest memfd anon inodes
+
+-------------------------------------------------------------------
+Fri Feb  7 10:03:50 UTC 2025 - Robert Frohl <rfrohl@suse.com>
+
+- Improve semodule stderr logging during install/update: Verbose logging
+  will just confuse users and the policy will be rebuild later in the update
+  process correctly, if there was an earlier error. These transient errors
+  are only related to the order in which packages are installed.
+
 -------------------------------------------------------------------
 Mon Jan 27 08:27:09 UTC 2025 - cathy.hu@suse.com
 

selinux-policy.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240604+git689.da1e0e20
+Version:        20240604+git800.2adbf625
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -219,7 +219,7 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
-  /usr/sbin/semodule -B -n -s %2; \
+  /usr/sbin/semodule -B -n -s %2 2> /dev/null; \
 fi; \
 if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
   touch /etc/selinux/.autorelabel \
@@ -284,7 +284,7 @@ SELinux sandbox policy used for the policycoreutils-sandbox package
 %post sandbox
 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
-%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
+%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
 if %{_sbindir}/selinuxenabled ; then
     %{_sbindir}/load_policy
 fi;
@@ -394,8 +394,9 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
 # commandline option.
 #
 # SELINUX= can take one of these three values:
-#     enforcing - SELinux security policy is enforced.
+#     enforcing  - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
+#     disabled   - SELinux is disabled
 SELINUX=permissive
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
@@ -499,7 +500,7 @@ exit 0
 %post_un $1 targeted
 
 %triggerin -- libpcre2-8-0
-%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
+%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
 exit 0
 
 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
@@ -548,7 +549,7 @@ login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
     /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
-    %{_sbindir}/semodule -B -s minimum
+    %{_sbindir}/semodule -B -s minimum 2> /dev/null
 else
     instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
     for p in $packages; do
@@ -557,7 +558,7 @@ else
     for p in $instpackages snapper dbus kerberos nscd rtkit; do
 	rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
     done
-    %{_sbindir}/semodule -B -s minimum
+    %{_sbindir}/semodule -B -s minimum 2> /dev/null
     %relabel minimum
 fi
 exit 0