From 773eae054e60bb461cf0d469ca9209d4d7b9cd778a591ccd0a09e83e9f737005 Mon Sep 17 00:00:00 2001 
From: Hu Date: Wed, 12 Jun 2024 08:45:42 +0000 Subject: [PATCH 1/2] Accepting request 1180132 from home:cahu:branches:security:SELinux - Update to version 20240612: * Allow all domains read and write z90crypt device * Allow tpm2 generator setfscreate * Allow systemd (PID 1) manage systemd conf files * Allow pulseaudio map its runtime files * Update policy for getty-generator * Allow systemd-hwdb send messages to kernel unix datagram sockets * Allow systemd-machined manage runtime sockets * Allow fstab-generator create unit file symlinks * Update policy for cryptsetup-generator * Update policy for fstab-generator * Allow virtqemud read vm sysctls * Allow collectd to trace processes in user namespace * Allow bootupd search efivarfs dirs * Add policy for systemd-mountfsd * Add policy for systemd-nsresourced * Update policy generators * Add policy for anaconda-generator * Update policy for fstab and gpt generators * Add policy for kdump-dep-generator * Add policy for a generic generator * Add policy for tpm2 generator * Add policy for ssh-generator * Add policy for second batch of generators * Update policy for systemd generators * ci: Adjust Cockpit test plans * Allow journald read systemd config files and directories * Allow systemd_domain read systemd_conf_t dirs * Fix bad Python regexp escapes * Allow fido services connect to postgres database * Revert "Update the README.md file with the c10s branch information" * Update the README.md file with the c10s branch information * Allow postfix smtpd map aliases file * Ensure dbus communication is allowed bidirectionally * Label systemd configuration files with systemd_conf_t * Label /run/systemd/machine with systemd_machined_var_run_t * Allow systemd-hostnamed read the vsock device * Allow sysadm execute dmidecode using sudo * Allow sudodomain list files in /var * Allow setroubleshootd get attributes of all sysctls * Allow various services read and write z90crypt device * Allow nfsidmap connect to systemd-homed * Allow 
sandbox_x_client_t dbus chat with accountsd * Allow system_cronjob_t dbus chat with avahi_t * Allow staff_t the io_uring sqpoll permission * Allow staff_t use the io_uring API * Add support for secretmem anon inode * Allow virtqemud read vfio devices * Allow virtqemud get attributes of a tmpfs filesystem * Allow svirt_t read vm sysctls * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud get attributes of cifs files * Allow virtqemud get attributes of filesystems with extended attributes * Allow virtqemud get attributes of NFS filesystems * Allow virt_domain read and write usb devices conditionally * Allow virtstoraged use the io_uring API * Allow virtstoraged execute lvm programs in the lvm domain * Allow virtnodevd_t map /var/lib files * Allow svirt_tcg_t map svirt_image_t files * Allow abrt-dump-journal-core connect to systemd-homed * Allow abrt-dump-journal-core connect to systemd-machined * Allow sssd create and use io_uring * Allow selinux-relabel-generator create units dir * Allow dbus-broker read/write inherited user ttys * Define transitions for /run/libvirt/common and /run/libvirt/qemu * Allow systemd-sleep read raw disk data * Allow numad to trace processes in user namespace * Allow abrt-dump-journal-core connect to systemd-userdbd * Allow plymouthd read efivarfs files * Update the auth_dontaudit_read_passwd_file() interface * Label /dev/mmcblk0rpmb character device with removable_device_t * fix hibernate on btrfs swapfile (F40) * Allow nut to statfs() * Allow system dbusd service status systemd services * Allow systemd-timedated get the timemaster service status * Allow keyutils-dns-resolver connect to the system log service * Allow qemu-ga read vm sysctls * postfix: allow qmgr to delete mails in bounce/ directory OBS-URL: https://build.opensuse.org/request/show/1180132 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=225 --- _servicedata | 2 +- selinux-policy-20240411.tar.xz | 3 -- 
selinux-policy-20240612.tar.xz | 3 ++ selinux-policy.changes | 82 ++++++++++++++++++++++++++++++++++ selinux-policy.spec | 2 +- 5 files changed, 87 insertions(+), 5 deletions(-) delete mode 100644 selinux-policy-20240411.tar.xz create mode 100644 selinux-policy-20240612.tar.xz diff --git a/_servicedata b/_servicedata index 7f96451..3c1238d 100644 --- a/_servicedata +++ b/_servicedata @@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 7eb64de2191880e9d2207fa60c9605268d6fc8ce + 4e2aae8d6a013a92737bddfbf0f0d65fdaabdc5d https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git diff --git a/selinux-policy-20240411.tar.xz b/selinux-policy-20240411.tar.xz deleted file mode 100644 index 7127a19..0000000 --- a/selinux-policy-20240411.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3570c8520464f6d7719a016ea1d7b65c1a276102d75fbdaf7be4e7decaa1307d -size 768484 diff --git a/selinux-policy-20240612.tar.xz b/selinux-policy-20240612.tar.xz new file mode 100644 index 0000000..704e85f --- /dev/null +++ b/selinux-policy-20240612.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ec4fe6a787325c5f2e917b023434d9a7c0d182447f47dd635b7cc4aac70c40cf +size 770332 diff --git a/selinux-policy.changes b/selinux-policy.changes index d478761..575814e 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,85 @@ +------------------------------------------------------------------- +Wed Jun 12 08:43:02 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240612: + * Allow all domains read and write z90crypt device + * Allow tpm2 generator setfscreate + * Allow systemd (PID 1) manage systemd conf files + * Allow pulseaudio map its runtime files + * Update policy for getty-generator + * Allow systemd-hwdb send messages to kernel unix datagram sockets + * Allow systemd-machined manage runtime sockets + * Allow fstab-generator create unit file symlinks + * Update policy for cryptsetup-generator + * Update policy for fstab-generator + * Allow virtqemud read vm sysctls + * Allow collectd to trace processes in user namespace + * Allow bootupd search efivarfs dirs + * Add policy for systemd-mountfsd + * Add policy for systemd-nsresourced + * Update policy generators + * Add policy for anaconda-generator + * Update policy for fstab and gpt generators + * Add policy for kdump-dep-generator + * Add policy for a generic generator + * Add policy for tpm2 generator + * Add policy for ssh-generator + * Add policy for second batch of generators + * Update policy for systemd generators + * ci: Adjust Cockpit test plans + * Allow journald read systemd config files and directories + * Allow systemd_domain read systemd_conf_t dirs + * Fix bad Python regexp escapes + * Allow fido services connect to postgres database + * Revert "Update the README.md file with the c10s branch information" + * Update the README.md file with the c10s branch information + * Allow postfix smtpd map aliases file + * Ensure dbus communication is allowed bidirectionally + * Label systemd configuration files with systemd_conf_t + * Label /run/systemd/machine with systemd_machined_var_run_t + * Allow systemd-hostnamed read the vsock device + * Allow sysadm execute dmidecode using sudo + * Allow sudodomain list files in /var + * Allow setroubleshootd get attributes of all sysctls + * Allow various 
services read and write z90crypt device + * Allow nfsidmap connect to systemd-homed + * Allow sandbox_x_client_t dbus chat with accountsd + * Allow system_cronjob_t dbus chat with avahi_t + * Allow staff_t the io_uring sqpoll permission + * Allow staff_t use the io_uring API + * Add support for secretmem anon inode + * Allow virtqemud read vfio devices + * Allow virtqemud get attributes of a tmpfs filesystem + * Allow svirt_t read vm sysctls + * Allow virtqemud create and unlink files in /etc/libvirt/ + * Allow virtqemud get attributes of cifs files + * Allow virtqemud get attributes of filesystems with extended attributes + * Allow virtqemud get attributes of NFS filesystems + * Allow virt_domain read and write usb devices conditionally + * Allow virtstoraged use the io_uring API + * Allow virtstoraged execute lvm programs in the lvm domain + * Allow virtnodevd_t map /var/lib files + * Allow svirt_tcg_t map svirt_image_t files + * Allow abrt-dump-journal-core connect to systemd-homed + * Allow abrt-dump-journal-core connect to systemd-machined + * Allow sssd create and use io_uring + * Allow selinux-relabel-generator create units dir + * Allow dbus-broker read/write inherited user ttys + * Define transitions for /run/libvirt/common and /run/libvirt/qemu + * Allow systemd-sleep read raw disk data + * Allow numad to trace processes in user namespace + * Allow abrt-dump-journal-core connect to systemd-userdbd + * Allow plymouthd read efivarfs files + * Update the auth_dontaudit_read_passwd_file() interface + * Label /dev/mmcblk0rpmb character device with removable_device_t + * fix hibernate on btrfs swapfile (F40) + * Allow nut to statfs() + * Allow system dbusd service status systemd services + * Allow systemd-timedated get the timemaster service status + * Allow keyutils-dns-resolver connect to the system log service + * Allow qemu-ga read vm sysctls + * postfix: allow qmgr to delete mails in bounce/ directory + 
------------------------------------------------------------------- Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 41e7962..0c7f522 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240411 +Version: 20240612 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc From ee6d23dd065b2de2dc04d10a9d425c007736b7f696f04fd8063cf2eea13b99cf Mon Sep 17 00:00:00 2001 From: Hu Date: Thu, 13 Jun 2024 08:13:40 +0000 Subject: [PATCH 2/2] - Update to version 20240613: * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599) OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=226 --- _servicedata | 2 +- selinux-policy-20240612.tar.xz | 3 --- selinux-policy-20240613.tar.xz | 3 +++ selinux-policy.changes | 6 ++++++ selinux-policy.spec | 2 +- 5 files changed, 11 insertions(+), 5 deletions(-) delete mode 100644 selinux-policy-20240612.tar.xz create mode 100644 selinux-policy-20240613.tar.xz diff --git a/_servicedata b/_servicedata index 3c1238d..2c358ef 100644 --- a/_servicedata +++ b/_servicedata @@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 4e2aae8d6a013a92737bddfbf0f0d65fdaabdc5d + 2cc0ac20c300647eefb1dc0a3c0856277c16af0d https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git diff --git a/selinux-policy-20240612.tar.xz b/selinux-policy-20240612.tar.xz deleted file mode 100644 index 704e85f..0000000 --- a/selinux-policy-20240612.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ec4fe6a787325c5f2e917b023434d9a7c0d182447f47dd635b7cc4aac70c40cf -size 770332 
diff --git a/selinux-policy-20240613.tar.xz b/selinux-policy-20240613.tar.xz new file mode 100644 index 0000000..2b071a5 --- /dev/null +++ b/selinux-policy-20240613.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:26aa906a1f651a29efd4e4c4118ecd9edbdef8332b34b7aa85a233f85fa51f1b +size 770192 diff --git a/selinux-policy.changes b/selinux-policy.changes index 575814e..d1298de 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jun 13 08:12:47 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240613: + * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599) + ------------------------------------------------------------------- Wed Jun 12 08:43:02 UTC 2024 - cathy.hu@suse.com diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c7f522..96be459 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240612 +Version: 20240613 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc
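Review bot: in both patches the _servicedata hunk moves the upstream pointer (7eb64de2… to 4e2aae8d… in patch 1, then to 2cc0ac20… in patch 2) and the LFS pointer hunks replace the tarball oid and size (sha256:ec4fe6a7…, size 770332, then sha256:26aa906a…, size 770192), but nothing in either commit message records how the tarball was produced from that upstream commit. Suggest the changes entry name the service run or upstream tag used, so a reviewer can regenerate the tarball from the referenced commit and compare the sha256 before accepting the request rather than trusting the pointer file alone.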
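Review bot: in the patch 1 selinux-policy.changes hunk the entries that widen access the most ("Allow all domains read and write z90crypt device", "Allow virt_domain read and write usb devices conditionally", "Allow staff_t use the io_uring API") carry no bug or upstream reference, while the single entry in patch 2 does cite bsc#1223599. Suggest adding the upstream issue or bsc number to at least the broad allow rules so the widening can be audited later. Also a style point in the same hunk: the pair "Revert "Update the README.md file with the c10s branch information"" / "Update the README.md file with the c10s branch information" cancels out and could be dropped, and "Allow all domains read and write z90crypt device" already subsumes "Allow various services read and write z90crypt device".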
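Review bot: the patch 2 commit subject is "[PATCH 2/2] - Update to version 20240613:", i.e. the changes-file body was used as the subject, whereas patch 1 uses "Accepting request 1180132 from home:cahu:branches:security:SELinux". Suggest giving the second commit a subject of the same form (the request id and source project) so the two commits read consistently in the log; the changes hunk itself is fine, and the bsc#1223599 reference on the systemd_fstab_generator_t tmpfs entry is the form the patch 1 entries should follow.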