From 4b3ec21f8508bfc051f0d2a5167095e78729c95d46623bc72e8054766e456eac Mon Sep 17 00:00:00 2001
From: Hu <cathy.hu@suse.com>
Date: Tue, 6 Feb 2024 08:12:43 +0000
Subject: [PATCH] Accepting request 1144343 from
 home:cahu:branches:security:SELinux

- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.

OBS-URL: https://build.opensuse.org/request/show/1144343
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=208
---
 _servicedata                   |  2 +-
 selinux-policy-20240116.tar.xz |  3 --
 selinux-policy-20240205.tar.xz |  3 ++
 selinux-policy.changes         | 97 ++++++++++++++++++++++++++++++++++
 selinux-policy.spec            |  2 +-
 5 files changed, 102 insertions(+), 5 deletions(-)
 delete mode 100644 selinux-policy-20240116.tar.xz
 create mode 100644 selinux-policy-20240205.tar.xz

diff --git a/_servicedata b/_servicedata
index 16f10a6..b95dbdd 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">a4fccbf76d237e1ce279bbef49392676af5c4334</param></service><service name="tar_scm">
+              <param name="changesrevision">e17843ad685ede6b0ba9a2571bf3199e56408f83</param></service><service name="tar_scm">
                 <param name="url">https://github.com/containers/container-selinux.git</param>
               <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
                 <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
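Review bot: The new `changesrevision` value `e17843ad685ede6b0ba9a2571bf3199e56408f83` on the replaced line is the only record tying `selinux-policy-20240205.tar.xz` to a source commit, and nothing in this patch cross-checks it against the tarball's LFS pointer (sha256 `4352abee…`, size 794716) — the two are updated independently. The service URL on the line above is an internal gitlab.suse.de mirror, so an outside reviewer cannot re-derive the snapshot from that hash; before accepting, it is worth re-running the `_service` definition (not shown here) at that revision and confirming the regenerated tarball's sha256 matches, since the snapshot carries policy changes with security impact (the changelog lists removal of the lockdown-class rules and new io_uring allowances, among others). The entries look like Fedora's selinux-policy history (Rawhide CI, `revdeps`), so presumably the mirror tracks fedora-selinux upstream; recording the matching upstream commit alongside this `changesrevision`, or in the `.changes` entry, would make the provenance independently verifiable, but this patch does not establish that mapping.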
diff --git a/selinux-policy-20240116.tar.xz b/selinux-policy-20240116.tar.xz
deleted file mode 100644
index 9c7c8ae..0000000
--- a/selinux-policy-20240116.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9eca3a8185fcc6583627d8ad90ab83b2010d197a4f8d6d87bb08b07339c72fee
-size 765912
diff --git a/selinux-policy-20240205.tar.xz b/selinux-policy-20240205.tar.xz
new file mode 100644
index 0000000..815d239
--- /dev/null
+++ b/selinux-policy-20240205.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4352abee42d51bd6d340b155e0363c101fed4cce8fa6b8799aa6786e570fd3d5
+size 794716
diff --git a/selinux-policy.changes b/selinux-policy.changes
index a053a62..ae75860 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,100 @@
+-------------------------------------------------------------------
+Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240205:
+  * Allow gpg manage rpm cache
+  * Allow login_userdomain name_bind to howl and xmsg udp ports
+  * Allow rules for confined users logged in plasma
+  * Label /dev/iommu with iommu_device_t
+  * Remove duplicate file context entries in /run
+  * Dontaudit getty and plymouth the checkpoint_restore capability
+  * Allow su domains write login records
+  * Revert "Allow su domains write login records"
+  * Allow login_userdomain delete session dbusd tmp socket files
+  * Allow unix dgram sendto between exim processes
+  * Allow su domains write login records
+  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
+  * Allow chronyd-restricted read chronyd key files
+  * Allow conntrackd_t to use bpf capability2
+  * Allow systemd-networkd manage its runtime socket files
+  * Allow init_t nnp domain transition to colord_t
+  * Allow polkit status systemd services
+  * nova: Fix duplicate declarations
+  * Allow httpd work with PrivateTmp
+  * Add interfaces for watching and reading ifconfig_var_run_t
+  * Allow collectd read raw fixed disk device
+  * Allow collectd read udev pid files
+  * Set correct label on /etc/pki/pki-tomcat/kra
+  * Allow systemd domains watch system dbus pid socket files
+  * Allow certmonger read network sysctls
+  * Allow mdadm list stratisd data directories
+  * Allow syslog to run unconfined scripts conditionally
+  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
+  * Allow qatlib set attributes of vfio device files
+  * Allow systemd-sleep set attributes of efivarfs files
+  * Allow samba-dcerpcd read public files
+  * Allow spamd_update_t the sys_ptrace capability in user namespace
+  * Allow bluetooth devices work with alsa
+  * Allow alsa get attributes filesystems with extended attributes
+  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
+  * Add interface for write-only access to NetworkManager rw conf
+  * Allow systemd-sleep send a message to syslog over a unix dgram socket
+  * Allow init create and use netlink netfilter socket
+  * Allow qatlib load kernel modules
+  * Allow qatlib run lspci
+  * Allow qatlib manage its private runtime socket files
+  * Allow qatlib read/write vfio devices
+  * Label /etc/redis.conf with redis_conf_t
+  * Remove the lockdown-class rules from the policy
+  * Allow init read all non-security socket files
+  * Replace redundant dnsmasq pattern macros
+  * Remove unneeded symlink perms in dnsmasq.if
+  * Add additions to dnsmasq interface
+  * Allow nvme_stas_t create and use netlink kobject uevent socket
+  * Allow collectd connect to statsd port
+  * Allow keepalived_t to use sys_ptrace of cap_userns
+  * Allow dovecot_auth_t connect to postgresql using UNIX socket
+  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
+  * Allow sysadm execute traceroute in sysadm_t domain using sudo
+  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
+  * Allow opafm search nfs directories
+  * Add support for syslogd unconfined scripts
+  * Allow gpsd use /dev/gnss devices
+  * Allow gpg read rpm cache
+  * Allow virtqemud additional permissions
+  * Allow virtqemud manage its private lock files
+  * Allow virtqemud use the io_uring api
+  * Allow ddclient send e-mail notifications
+  * Allow postfix_master_t map postfix data files
+  * Allow init create and use vsock sockets
+  * Allow thumb_t append to init unix domain stream sockets
+  * Label /dev/vas with vas_device_t
+  * Create interface selinux_watch_config and add it to SELinux users
+  * Update cifs interfaces to include fs_search_auto_mountpoints()
+  * Allow sudodomain read var auth files
+  * Allow spamd_update_t read hardware state information
+  * Allow virtnetworkd domain transition on tc command execution
+  * Allow sendmail MTA connect to sendmail LDA
+  * Allow auditd read all domains process state
+  * Allow rsync read network sysctls
+  * Add dhcpcd bpf capability to run bpf programs
+  * Dontaudit systemd-hwdb dac_override capability
+  * Allow systemd-sleep create efivarfs files
+  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
+  * Allow graphical applications work in Wayland
+  * Allow kdump work with PrivateTmp
+  * Allow dovecot-auth work with PrivateTmp
+  * Allow nfsd get attributes of all filesystems
+  * Allow unconfined_domain_type use io_uring cmd on domain
+  * ci: Only run Rawhide revdeps tests on the rawhide branch
+  * Label /var/run/auditd.state as auditd_var_run_t
+  * Allow fido-device-onboard (FDO) read the crack database
+  * Allow ip an explicit domain transition to other domains
+  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
+  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
+  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
+  * Allow ntp to bind and connect to ntske port.
+
 -------------------------------------------------------------------
 Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 73e7fc6..b1f5deb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240116
+Version:        20240205
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc