Accepting request 1144343 from home:cahu:branches:security:SELinux

- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.

OBS-URL: https://build.opensuse.org/request/show/1144343
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=208
Cathy Hu 2024-02-06 08:12:43 +00:00 committed by Git OBS Bridge
parent ceb3fcfaa1
commit 4b3ec21f85
5 changed files with 102 additions and 5 deletions

View File

@ -1,7 +1,7 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">a4fccbf76d237e1ce279bbef49392676af5c4334</param></service><service name="tar_scm">
<param name="changesrevision">e17843ad685ede6b0ba9a2571bf3199e56408f83</param></service><service name="tar_scm">
<param name="url">https://github.com/containers/container-selinux.git</param>
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
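Review bot: the only functional change in this hunk is the changesrevision for the first tar_scm service (the gitlab.suse.de/selinux/selinux-policy.git source) moving from a4fccbf76d237e1ce279bbef49392676af5c4334 to e17843ad685ede6b0ba9a2571bf3199e56408f83, while the changes file and spec record only the date-based version 20240205; it would help traceability to mention the upstream revision in the changelog entry so the tarball contents can be tied back to a specific source commit. The other two tar_scm services (container-selinux and the jsegitz fork) are unchanged context here, so nothing else needs re-checking.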

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9eca3a8185fcc6583627d8ad90ab83b2010d197a4f8d6d87bb08b07339c72fee
size 765912

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4352abee42d51bd6d340b155e0363c101fed4cce8fa6b8799aa6786e570fd3d5
size 794716
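Review bot: this hunk and the one before it swap the Git LFS pointer for the policy tarball (old oid sha256:9eca3a81…, size 765912; new oid sha256:4352abee…, size 794716), so the actual tarball content is not visible in this diff and cannot be reviewed line by line. Before accepting, regenerate the tarball from the changesrevision recorded in _servicedata via the tar_scm service and confirm its sha256 matches the new oid; the ~28 KB growth is plausible for the ~100 upstream policy changes listed in the changelog but should be verified rather than assumed.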

View File

@ -1,3 +1,100 @@
-------------------------------------------------------------------
Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com
- Update to version 20240205:
* Allow gpg manage rpm cache
* Allow login_userdomain name_bind to howl and xmsg udp ports
* Allow rules for confined users logged in plasma
* Label /dev/iommu with iommu_device_t
* Remove duplicate file context entries in /run
* Dontaudit getty and plymouth the checkpoint_restore capability
* Allow su domains write login records
* Revert "Allow su domains write login records"
* Allow login_userdomain delete session dbusd tmp socket files
* Allow unix dgram sendto between exim processes
* Allow su domains write login records
* Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Allow chronyd-restricted read chronyd key files
* Allow conntrackd_t to use bpf capability2
* Allow systemd-networkd manage its runtime socket files
* Allow init_t nnp domain transition to colord_t
* Allow polkit status systemd services
* nova: Fix duplicate declarations
* Allow httpd work with PrivateTmp
* Add interfaces for watching and reading ifconfig_var_run_t
* Allow collectd read raw fixed disk device
* Allow collectd read udev pid files
* Set correct label on /etc/pki/pki-tomcat/kra
* Allow systemd domains watch system dbus pid socket files
* Allow certmonger read network sysctls
* Allow mdadm list stratisd data directories
* Allow syslog to run unconfined scripts conditionally
* Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
* Allow qatlib set attributes of vfio device files
* Allow systemd-sleep set attributes of efivarfs files
* Allow samba-dcerpcd read public files
* Allow spamd_update_t the sys_ptrace capability in user namespace
* Allow bluetooth devices work with alsa
* Allow alsa get attributes filesystems with extended attributes
* Allow hypervkvp_t write access to NetworkManager_etc_rw_t
* Add interface for write-only access to NetworkManager rw conf
* Allow systemd-sleep send a message to syslog over a unix dgram socket
* Allow init create and use netlink netfilter socket
* Allow qatlib load kernel modules
* Allow qatlib run lspci
* Allow qatlib manage its private runtime socket files
* Allow qatlib read/write vfio devices
* Label /etc/redis.conf with redis_conf_t
* Remove the lockdown-class rules from the policy
* Allow init read all non-security socket files
* Replace redundant dnsmasq pattern macros
* Remove unneeded symlink perms in dnsmasq.if
* Add additions to dnsmasq interface
* Allow nvme_stas_t create and use netlink kobject uevent socket
* Allow collectd connect to statsd port
* Allow keepalived_t to use sys_ptrace of cap_userns
* Allow dovecot_auth_t connect to postgresql using UNIX socket
* Make named_zone_t and named_var_run_t a part of the mountpoint attribute
* Allow sysadm execute traceroute in sysadm_t domain using sudo
* Allow sysadm execute tcpdump in sysadm_t domain using sudo
* Allow opafm search nfs directories
* Add support for syslogd unconfined scripts
* Allow gpsd use /dev/gnss devices
* Allow gpg read rpm cache
* Allow virtqemud additional permissions
* Allow virtqemud manage its private lock files
* Allow virtqemud use the io_uring api
* Allow ddclient send e-mail notifications
* Allow postfix_master_t map postfix data files
* Allow init create and use vsock sockets
* Allow thumb_t append to init unix domain stream sockets
* Label /dev/vas with vas_device_t
* Create interface selinux_watch_config and add it to SELinux users
* Update cifs interfaces to include fs_search_auto_mountpoints()
* Allow sudodomain read var auth files
* Allow spamd_update_t read hardware state information
* Allow virtnetworkd domain transition on tc command execution
* Allow sendmail MTA connect to sendmail LDA
* Allow auditd read all domains process state
* Allow rsync read network sysctls
* Add dhcpcd bpf capability to run bpf programs
* Dontaudit systemd-hwdb dac_override capability
* Allow systemd-sleep create efivarfs files
* Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
* Allow graphical applications work in Wayland
* Allow kdump work with PrivateTmp
* Allow dovecot-auth work with PrivateTmp
* Allow nfsd get attributes of all filesystems
* Allow unconfined_domain_type use io_uring cmd on domain
* ci: Only run Rawhide revdeps tests on the rawhide branch
* Label /var/run/auditd.state as auditd_var_run_t
* Allow fido-device-onboard (FDO) read the crack database
* Allow ip an explicit domain transition to other domains
* Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
* Allow winbind_rpcd_t processes access when samba_export_all_* is on
* Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
* Allow ntp to bind and connect to ntske port.
-------------------------------------------------------------------
Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com
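Review bot: the new changelog entry is the upstream commit subject list copied verbatim, which leaves a few items that read oddly or deserve a downstream summary. "Allow su domains write login records" appears twice with a "Revert" in between (three consecutive-history entries with a net effect of one allow rule); collapsing these into the net change would make the entry clearer for admins reading the changes file. Several entries also widen or relax confinement in ways worth calling out explicitly at the top of the entry rather than leaving buried in the list: "Remove the lockdown-class rules from the policy", "Add support for syslogd unconfined scripts" together with "Allow syslogd_t nnp_transition to syslogd_unconfined_script_t" (a new unconfined path, gated by a condition per the "conditionally" entry), "Allow unconfined_domain_type use io_uring cmd on domain", and the new cap_userns sys_ptrace grants for spamd_update_t and keepalived_t. Finally, the last item ends with a period while none of the others do; drop it for consistency.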

View File

@ -33,7 +33,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20240116
Version: 20240205
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
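Review bot: the spec change is the Version bump from 20240116 to 20240205 with Release left at 0, which matches the new changelog entry and the date in the changes file. Since Source0 is %{name}-%{version}.tar.xz, the LFS pointer added in this request must live under the name selinux-policy-20240205.tar.xz and the removed pointer under selinux-policy-20240116.tar.xz; the rendered diff does not show file names, so confirm the new tarball is actually named to match %{version} or the build will fail to find Source0.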