From 83d1f9398e96eb6e5681b949dbfc8dee17b44633639ba371e8e359c293e2e756 Mon Sep 17 00:00:00 2001 
From: Hu
Date: Mon, 12 Aug 2024 15:39:19 +0000
Subject: [PATCH 1/3] - Update to version 20240812: * Update libvirt policy * Add port 80/udp and 443/udp to http_port_t definition * Additional updates stalld policy for bpf usage * Label systemd-pcrextend and systemd-pcrlock properly * Allow coreos_installer_t work with partitions * Revert "Allow coreos-installer-generator work with partitions" * Add policy for systemd-pcrextend * Update policy for systemd-getty-generator * Allow ip command write to ipsec's logs * Allow virt_driver_domain read virtd-lxc files in /proc * Revert "Allow svirt read virtqemud fifo files" * Update virtqemud policy for libguestfs usage * Allow virtproxyd create and use its private tmp files * Allow virtproxyd read network state * Allow virt_driver_domain create and use log files in /var/log * Allow samba-dcerpcd work with ctdb cluster * Allow NetworkManager_dispatcher_t send SIGKILL to plugins * Allow setroubleshootd execute sendmail with a domain transition * Allow key.dns_resolve set attributes on the kernel key ring * Update qatlib policy for v24.02 with new features * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t * Allow tlp status power services * Allow virtqemud domain transition on passt execution * Allow virt_driver_domain connect to systemd-userdbd over a unix socket * Allow boothd connect to systemd-userdbd over a unix socket * Update policy for awstats scripts * Allow bitlbee execute generic programs in system bin directories * Allow login_userdomain read aliases file * Allow login_userdomain read ipsec config files * Allow login_userdomain read all pid files * Allow rsyslog read systemd-logind session files * Allow libvirt-dbus stream connect to virtlxcd
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=251
---
 _servicedata | 2 +-
 selinux-policy-20240809.tar.xz | 3 ---
 selinux-policy-20240812.tar.xz | 3 +++
 selinux-policy.changes | 37 ++++++++++++++++++++++++++++++++++
 selinux-policy.spec | 2 +-
 5 files changed, 42 insertions(+), 5 deletions(-)
 delete mode 100644 selinux-policy-20240809.tar.xz
 create mode 100644 selinux-policy-20240812.tar.xz
diff --git a/_servicedata b/_servicedata
index 55b47b1..4f3dc20 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 02657ab47aa16a1ed9638b511b4ed12298f2352b + c44072485dc8fdbfc6f3ae14cc61382b43ad43fa https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git
diff --git a/selinux-policy-20240809.tar.xz b/selinux-policy-20240809.tar.xz
deleted file mode 100644
index 9357509..0000000
--- a/selinux-policy-20240809.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9b1e7b4c6306f438081643f4189bf856c4eaa90e1c97ca508a5a3f6bff9a6fb7
-size 773308
diff --git a/selinux-policy-20240812.tar.xz b/selinux-policy-20240812.tar.xz
new file mode 100644
index 0000000..ac142e1
--- /dev/null
+++ b/selinux-policy-20240812.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bafc5d6f473a062c09f2c83f74a78fa5cfb82e1197eb1de115eb152b95fd5d72
+size 773868
diff --git a/selinux-policy.changes b/selinux-policy.changes
index a16c602..1191cd2 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240812:
+ * Update libvirt policy
+ * Add port 80/udp and 443/udp to http_port_t definition
+ * Additional updates stalld policy for bpf usage
+ * Label systemd-pcrextend and systemd-pcrlock properly
+ * Allow coreos_installer_t work with partitions
+ * Revert "Allow coreos-installer-generator work with partitions"
+ * Add policy for systemd-pcrextend
+ * Update policy for systemd-getty-generator
+ * Allow ip command write to ipsec's logs
+ * Allow virt_driver_domain read virtd-lxc files in /proc
+ * Revert "Allow svirt read virtqemud fifo files"
+ * Update virtqemud policy for libguestfs usage
+ * Allow virtproxyd create and use its private tmp files
+ * Allow virtproxyd read network state
+ * Allow virt_driver_domain create and use log files in /var/log
+ * Allow samba-dcerpcd work with ctdb cluster
+ * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
+ * Allow setroubleshootd execute sendmail with a domain transition
+ * Allow key.dns_resolve set attributes on the kernel key ring
+ * Update qatlib policy for v24.02 with new features
+ * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
+ * Allow tlp status power services
+ * Allow virtqemud domain transition on passt execution
+ * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
+ * Allow boothd connect to systemd-userdbd over a unix socket
+ * Update policy for awstats scripts
+ * Allow bitlbee execute generic programs in system bin directories
+ * Allow login_userdomain read aliases file
+ * Allow login_userdomain read ipsec config files
+ * Allow login_userdomain read all pid files
+ * Allow rsyslog read systemd-logind session files
+ * Allow libvirt-dbus stream connect to virtlxcd
+
 -------------------------------------------------------------------
 Fri Aug 09 12:35:40 UTC 2024 - cathy.hu@suse.com
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0a08cad..4db403c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240809
+Version: 20240812
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc
From 4d1c9147031835fd3fec6b5b0c930c144f90ecd1862105dc8e6f606ec6423b34 Mon Sep 17 00:00:00 2001
From: Hu
Date: Wed, 14 Aug 2024 12:09:35 +0000
Subject: [PATCH 2/3] - Drop varrun-convert.sh script as it causes issues with container-selinux update (bsc#1228951)
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=252
---
 selinux-policy.changes | 6 +++
 selinux-policy.spec | 9 ----
 varrun-convert.sh | 105 -----------------------------------------
 3 files changed, 6 insertions(+), 114 deletions(-)
 delete mode 100644 varrun-convert.sh
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 1191cd2..4c8b08b 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu
+
+- Drop varrun-convert.sh script as it causes issues with
+ container-selinux update (bsc#1228951)
+
 -------------------------------------------------------------------
 Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4db403c..c1463db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -61,9 +61,6 @@ Source30: setrans-targeted.conf
 Source31: setrans-mls.conf
 Source32: setrans-minimum.conf
 
-# Script to convert /var/run file context entries to /run
-Source37: varrun-convert.sh
-
 Source40: securetty_types-targeted
 Source41: securetty_types-mls
 Source42: securetty_types-minimum
@@ -221,7 +218,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %nil @@ -258,7 +254,6 @@ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ -%{_libexecdir}/selinux/varrun-convert.sh %2; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ @@ -315,7 +310,6 @@ of systems and used as the basis for creating other policies. %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy -%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux policy sandbox @@ -383,9 +377,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -mkdir -p %{buildroot}%{_libexecdir}/selinux -install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux - make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow diff --git a/varrun-convert.sh b/varrun-convert.sh deleted file mode 100644 index 270ce1e..0000000 --- a/varrun-convert.sh +++ /dev/null 
@@ -1,105 +0,0 @@
-#!/bin/bash
-### varrun-convert.sh
-### convert legacy filecontext entries containing /var/run to /run
-### and load an extra selinux module with the new content
-### the script takes a policy name as an argument
-
-# Set DEBUG=yes before running the script to get more verbose output
-# on the terminal and to the $LOG file
-if [ "${DEBUG}" = "yes" ]; then
- set -x
-fi
-
-# Auxiliary and log files will be created in OUTPUTDIR
-OUTPUTDIR="/run/selinux-policy"
-LOG="$OUTPUTDIR/log"
-mkdir -p ${OUTPUTDIR}
-
-if [ -z ${1} ]; then
- [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
- exit
-fi
-
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
-# Take current file_contexts and unify whitespace separators
-FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
-FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
-if [ ! -f ${FILE_CONTEXTS} ]; then
- [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
- exit
-fi
-
-if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
- [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
- exit 0
-fi
-
-EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
-EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
-EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
-
-# Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-
-# Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
-
-rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-# Deduplicate already existing /var/run=/run entries
-while read line
-do
- subline="${line#/var}"
- if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
- # check for overal duplicate entries
- subline2=$(echo $line | sed -E -e 's/ \S+$//')
- if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
- echo "$line"
- echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
- else
- >&2 echo "DUP: $line"
- fi
- fi
-done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
-
-# Change /var/run to /run
-sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
-
-# Exception handling: packages with already duplicate entries
-sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
-
-# Change format to cil
-sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
-
-# Handle entries with <> which do not match previous regexps
-sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
-
-# Wrap each line with an optional block
-i=1
-while read line
-do
- echo "(optional extra_var_run_${i}"
- echo " $line"
- echo ")"
- ((i++))
-done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
-
-# Load module
-[ -s ${EXTRA_VARRUN_CIL} ] &&
-/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
-
From 3425be62a3180a4dd24df1b05cf22480db079ae0b2fa8f73f7cee952c7b01fb2 Mon Sep 17 00:00:00 2001
From: Hu
Date: Wed, 14 Aug 2024 12:12:40 +0000
Subject: [PATCH 3/3] - Update to version 20240814: * Dontaudit dac_override of fstab generator (bsc#1229127)
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=253
---
 _servicedata | 2 +-
 selinux-policy-20240812.tar.xz | 3 ---
 selinux-policy-20240814.tar.xz | 3 +++
 selinux-policy.changes | 6 ++++++
 selinux-policy.spec | 2 +-
 5 files changed, 11 insertions(+), 5 deletions(-)
 delete mode 100644 selinux-policy-20240812.tar.xz
 create mode 100644 selinux-policy-20240814.tar.xz
diff --git a/_servicedata b/_servicedata
index 4f3dc20..469ea6c 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - c44072485dc8fdbfc6f3ae14cc61382b43ad43fa + e9e6076cfc96d33de1645e596ab0061c755c95b2 https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git
diff --git a/selinux-policy-20240812.tar.xz b/selinux-policy-20240812.tar.xz
deleted file mode 100644
index ac142e1..0000000
--- a/selinux-policy-20240812.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bafc5d6f473a062c09f2c83f74a78fa5cfb82e1197eb1de115eb152b95fd5d72
-size 773868
diff --git a/selinux-policy-20240814.tar.xz b/selinux-policy-20240814.tar.xz
new file mode 100644
index 0000000..8fea48e
--- /dev/null
+++ b/selinux-policy-20240814.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ee6c71012690d5ad00b4dbb906d62aa69f4019e84c707e13acfbe7a722214b5
+size 773828
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 4c8b08b..ab10e29 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Aug 14 12:11:13 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240814:
+ * Dontaudit dac_override of fstab generator (bsc#1229127)
+
 -------------------------------------------------------------------
 Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c1463db..57f4c3d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20240812
+Version: 20240814
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc