From 4b3ec21f8508bfc051f0d2a5167095e78729c95d46623bc72e8054766e456eac Mon Sep 17 00:00:00 2001 
From: Hu Date: Tue, 6 Feb 2024 08:12:43 +0000 Subject: [PATCH] Accepting request 1144343 from home:cahu:branches:security:SELinux - Update to version 20240205: * Allow gpg manage rpm cache * Allow login_userdomain name_bind to howl and xmsg udp ports * Allow rules for confined users logged in plasma * Label /dev/iommu with iommu_device_t * Remove duplicate file context entries in /run * Dontaudit getty and plymouth the checkpoint_restore capability * Allow su domains write login records * Revert "Allow su domains write login records" * Allow login_userdomain delete session dbusd tmp socket files * Allow unix dgram sendto between exim processes * Allow su domains write login records * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Allow chronyd-restricted read chronyd key files * Allow conntrackd_t to use bpf capability2 * Allow systemd-networkd manage its runtime socket files * Allow init_t nnp domain transition to colord_t * Allow polkit status systemd services * nova: Fix duplicate declarations * Allow httpd work with PrivateTmp * Add interfaces for watching and reading ifconfig_var_run_t * Allow collectd read raw fixed disk device * Allow collectd read udev pid files * Set correct label on /etc/pki/pki-tomcat/kra * Allow systemd domains watch system dbus pid socket files * Allow certmonger read network sysctls * Allow mdadm list stratisd data directories * Allow syslog to run unconfined scripts conditionally * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t * Allow qatlib set attributes of vfio device files * Allow systemd-sleep set attributes of efivarfs files * Allow samba-dcerpcd read public files * Allow spamd_update_t the sys_ptrace capability in user namespace * Allow bluetooth devices work with alsa * Allow alsa get attributes filesystems with extended attributes * Allow hypervkvp_t write access to NetworkManager_etc_rw_t * Add interface for write-only access to NetworkManager rw conf * Allow systemd-sleep send a 
message to syslog over a unix dgram socket * Allow init create and use netlink netfilter socket * Allow qatlib load kernel modules * Allow qatlib run lspci * Allow qatlib manage its private runtime socket files * Allow qatlib read/write vfio devices * Label /etc/redis.conf with redis_conf_t * Remove the lockdown-class rules from the policy * Allow init read all non-security socket files * Replace redundant dnsmasq pattern macros * Remove unneeded symlink perms in dnsmasq.if * Add additions to dnsmasq interface * Allow nvme_stas_t create and use netlink kobject uevent socket * Allow collectd connect to statsd port * Allow keepalived_t to use sys_ptrace of cap_userns * Allow dovecot_auth_t connect to postgresql using UNIX socket * Make named_zone_t and named_var_run_t a part of the mountpoint attribute * Allow sysadm execute traceroute in sysadm_t domain using sudo * Allow sysadm execute tcpdump in sysadm_t domain using sudo * Allow opafm search nfs directories * Add support for syslogd unconfined scripts * Allow gpsd use /dev/gnss devices * Allow gpg read rpm cache * Allow virtqemud additional permissions * Allow virtqemud manage its private lock files * Allow virtqemud use the io_uring api * Allow ddclient send e-mail notifications * Allow postfix_master_t map postfix data files * Allow init create and use vsock sockets * Allow thumb_t append to init unix domain stream sockets * Label /dev/vas with vas_device_t * Create interface selinux_watch_config and add it to SELinux users * Update cifs interfaces to include fs_search_auto_mountpoints() * Allow sudodomain read var auth files * Allow spamd_update_t read hardware state information * Allow virtnetworkd domain transition on tc command execution * Allow sendmail MTA connect to sendmail LDA * Allow auditd read all domains process state * Allow rsync read network sysctls * Add dhcpcd bpf capability to run bpf programs * Dontaudit systemd-hwdb dac_override capability * Allow systemd-sleep create efivarfs files * Allow 
map xserver_tmpfs_t files when xserver_clients_write_xshm is on * Allow graphical applications work in Wayland * Allow kdump work with PrivateTmp * Allow dovecot-auth work with PrivateTmp * Allow nfsd get attributes of all filesystems * Allow unconfined_domain_type use io_uring cmd on domain * ci: Only run Rawhide revdeps tests on the rawhide branch * Label /var/run/auditd.state as auditd_var_run_t * Allow fido-device-onboard (FDO) read the crack database * Allow ip an explicit domain transition to other domains * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t * Allow winbind_rpcd_t processes access when samba_export_all_* is on * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection * Allow ntp to bind and connect to ntske port. OBS-URL: https://build.opensuse.org/request/show/1144343 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=208 --- _servicedata | 2 +- selinux-policy-20240116.tar.xz | 3 -- selinux-policy-20240205.tar.xz | 3 ++ selinux-policy.changes | 97 ++++++++++++++++++++++++++++++++++ selinux-policy.spec | 2 +- 5 files changed, 102 insertions(+), 5 deletions(-) delete mode 100644 selinux-policy-20240116.tar.xz create mode 100644 selinux-policy-20240205.tar.xz diff --git a/_servicedata b/_servicedata index 16f10a6..b95dbdd 100644 --- a/_servicedata +++ b/_servicedata @@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - a4fccbf76d237e1ce279bbef49392676af5c4334 + e17843ad685ede6b0ba9a2571bf3199e56408f83 https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git diff --git a/selinux-policy-20240116.tar.xz b/selinux-policy-20240116.tar.xz deleted file mode 100644 index 9c7c8ae..0000000 --- a/selinux-policy-20240116.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9eca3a8185fcc6583627d8ad90ab83b2010d197a4f8d6d87bb08b07339c72fee -size 765912 diff --git a/selinux-policy-20240205.tar.xz b/selinux-policy-20240205.tar.xz new file mode 100644 index 0000000..815d239 --- /dev/null +++ b/selinux-policy-20240205.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4352abee42d51bd6d340b155e0363c101fed4cce8fa6b8799aa6786e570fd3d5 +size 794716 diff --git a/selinux-policy.changes b/selinux-policy.changes index a053a62..ae75860 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,100 @@ +------------------------------------------------------------------- +Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240205: + * Allow gpg manage rpm cache + * Allow login_userdomain name_bind to howl and xmsg udp ports + * Allow rules for confined users logged in plasma + * Label /dev/iommu with iommu_device_t + * Remove duplicate file context entries in /run + * Dontaudit getty and plymouth the checkpoint_restore capability + * Allow su domains write login records + * Revert "Allow su domains write login records" + * Allow login_userdomain delete session dbusd tmp socket files + * Allow unix dgram sendto between exim processes + * Allow su domains write login records + * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on + * Allow chronyd-restricted read chronyd key files + * Allow conntrackd_t to use bpf capability2 + * Allow systemd-networkd manage its runtime socket files + * Allow init_t nnp domain transition to colord_t + * Allow polkit status systemd services + * nova: Fix duplicate declarations + * Allow httpd work with PrivateTmp + * Add interfaces for watching and reading ifconfig_var_run_t + * Allow collectd read raw fixed disk device + * Allow collectd read udev pid files + * Set correct label on /etc/pki/pki-tomcat/kra + * Allow systemd domains watch system dbus pid socket files + * Allow certmonger read network sysctls + * Allow mdadm list stratisd data directories + * Allow syslog to run unconfined scripts conditionally + * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t + * Allow qatlib set attributes of vfio device files + * Allow systemd-sleep set attributes of efivarfs files + * Allow samba-dcerpcd read public files + * Allow spamd_update_t the sys_ptrace capability in user namespace + * Allow bluetooth devices work with alsa + * Allow alsa get attributes filesystems with extended attributes + * Allow hypervkvp_t write access to NetworkManager_etc_rw_t + * Add 
interface for write-only access to NetworkManager rw conf + * Allow systemd-sleep send a message to syslog over a unix dgram socket + * Allow init create and use netlink netfilter socket + * Allow qatlib load kernel modules + * Allow qatlib run lspci + * Allow qatlib manage its private runtime socket files + * Allow qatlib read/write vfio devices + * Label /etc/redis.conf with redis_conf_t + * Remove the lockdown-class rules from the policy + * Allow init read all non-security socket files + * Replace redundant dnsmasq pattern macros + * Remove unneeded symlink perms in dnsmasq.if + * Add additions to dnsmasq interface + * Allow nvme_stas_t create and use netlink kobject uevent socket + * Allow collectd connect to statsd port + * Allow keepalived_t to use sys_ptrace of cap_userns + * Allow dovecot_auth_t connect to postgresql using UNIX socket + * Make named_zone_t and named_var_run_t a part of the mountpoint attribute + * Allow sysadm execute traceroute in sysadm_t domain using sudo + * Allow sysadm execute tcpdump in sysadm_t domain using sudo + * Allow opafm search nfs directories + * Add support for syslogd unconfined scripts + * Allow gpsd use /dev/gnss devices + * Allow gpg read rpm cache + * Allow virtqemud additional permissions + * Allow virtqemud manage its private lock files + * Allow virtqemud use the io_uring api + * Allow ddclient send e-mail notifications + * Allow postfix_master_t map postfix data files + * Allow init create and use vsock sockets + * Allow thumb_t append to init unix domain stream sockets + * Label /dev/vas with vas_device_t + * Create interface selinux_watch_config and add it to SELinux users + * Update cifs interfaces to include fs_search_auto_mountpoints() + * Allow sudodomain read var auth files + * Allow spamd_update_t read hardware state information + * Allow virtnetworkd domain transition on tc command execution + * Allow sendmail MTA connect to sendmail LDA + * Allow auditd read all domains process state + * Allow rsync read 
network sysctls + * Add dhcpcd bpf capability to run bpf programs + * Dontaudit systemd-hwdb dac_override capability + * Allow systemd-sleep create efivarfs files + * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on + * Allow graphical applications work in Wayland + * Allow kdump work with PrivateTmp + * Allow dovecot-auth work with PrivateTmp + * Allow nfsd get attributes of all filesystems + * Allow unconfined_domain_type use io_uring cmd on domain + * ci: Only run Rawhide revdeps tests on the rawhide branch + * Label /var/run/auditd.state as auditd_var_run_t + * Allow fido-device-onboard (FDO) read the crack database + * Allow ip an explicit domain transition to other domains + * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t + * Allow winbind_rpcd_t processes access when samba_export_all_* is on + * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection + * Allow ntp to bind and connect to ntske port. + ------------------------------------------------------------------- Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com diff --git a/selinux-policy.spec b/selinux-policy.spec index 73e7fc6..b1f5deb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240116 +Version: 20240205 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc
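Review bot: in the _servicedata hunk only the https://gitlab.suse.de/selinux/selinux-policy.git revision moves (a4fccbf76d237e1ce279bbef49392676af5c4334 to e17843ad685ede6b0ba9a2571bf3199e56408f83) while the container-selinux revision 07b3034f6d9625ab84508a2f46515d8ff79b4204 stays put; since the spec still pulls `Source1: container.fc` from that second repository, state in the request whether container.fc was deliberately left at the old revision or simply not refreshed, so the reviewer knows the two sources are meant to be out of step.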
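Review bot: the new LFS pointer for selinux-policy-20240205.tar.xz records `oid sha256:4352abee42d51bd6d340b155e0363c101fed4cce8fa6b8799aa6786e570fd3d5` and `size 794716` (up from 765912 for the removed 20240116 tarball), but nothing in the request ties that blob to commit e17843ad685ede6b0ba9a2571bf3199e56408f83 recorded in _servicedata; before accepting, regenerate the tarball from that revision with the source service and confirm the sha256 matches the pointer, because policy-wide items in the changelog such as "Remove the lockdown-class rules from the policy" cannot be reviewed from the pointer alone.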
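Review bot: the selinux-policy.changes hunk repeats "Allow su domains write login records", then "Revert \"Allow su domains write login records\"", then the same entry a third time, and only the final item ("Allow ntp to bind and connect to ntske port.") ends with a period; collapse the three su entries into the net change and drop the stray period so the entry reads as a changes summary rather than a raw upstream log. For a security package the entries that widen confinement deserve one more line each: "Allow syslog to run unconfined scripts conditionally", "Allow syslogd_t nnp_transition to syslogd_unconfined_script_t", "Allow unconfined_domain_type use io_uring cmd on domain", "Remove the lockdown-class rules from the policy" and "Allow sysadm execute tcpdump in sysadm_t domain using sudo" (likewise traceroute) change what a confined or sysadm domain can reach, so the changes entry should name the boolean that gates the conditional syslog scripts and its default on SUSE, letting an auditor reading .changes tell whether the new unconfined transition is reachable on a default install.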