diff --git a/_servicedata b/_servicedata index 03f6b76..0250f19 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f + ca88adc84584e150ecb8f67ec2c1dc5a29618ab9 https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 \ No newline at end of file diff --git a/container.te b/container.te index 7b156e7..9220dde 100644 --- a/container.te +++ b/container.te @@ -1,4 +1,4 @@ -policy_module(container, 2.205.0) +policy_module(container, 2.210.0) gen_require(` class passwd rootok; @@ -17,6 +17,13 @@ gen_require(` ## gen_tunable(container_connect_any, false) +## +##

+## Determine whether sshd can launch container engines +##

+##
+gen_tunable(sshd_launch_containers, false) + ## ##

## Allow containers to use any device volume mounted into container @@ -77,7 +84,6 @@ ifdef(`enable_mls',` type spc_t, container_domain; domain_type(spc_t) role system_r types spc_t; -init_initrc_domain(spc_t) type container_auth_t alias docker_auth_t; type container_auth_exec_t alias docker_auth_exec_t; @@ -124,6 +130,7 @@ term_pty(container_devpts_t) typealias container_ro_file_t alias { container_share_t docker_share_t }; files_mountpoint(container_ro_file_t) +userdom_user_home_content(container_ro_file_t) type container_port_t alias docker_port_t; corenet_port(container_port_t) @@ -287,6 +294,8 @@ domain_getattr_all_domains(container_runtime_domain) userdom_map_tmp_files(container_runtime_domain) +anaconda_domtrans_install(container_runtime_domain) + optional_policy(` gnome_map_generic_data_home_files(container_runtime_domain) allow container_runtime_domain data_home_t:dir { relabelfrom relabelto }; @@ -575,7 +584,6 @@ fs_unmount_fusefs(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain) storage_rw_fuse(container_runtime_domain) - optional_policy(` files_search_all(container_domain) container_read_share_files(container_domain) @@ -806,7 +814,7 @@ gen_require(` ') container_manage_files_template(container, container) -typeattribute container_file_t container_file_type; +typeattribute container_file_t container_file_type, user_home_type; typeattribute container_t container_domain, container_net_domain, container_user_domain; allow container_user_domain self:process getattr; allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint; @@ -1411,7 +1419,7 @@ optional_policy(` type syslogd_t; ') - allow syslogd_t container_runtime_tmpfs_t:file { read write }; + allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms; logging_send_syslog_msg(container_runtime_t) ') 
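Review bot: The description above `gen_tunable(sshd_launch_containers, false)` only says sshd "can launch container engines"; it should state what the boolean actually grants, which is a domain transition from sshd_t into the container runtime domain, and that it is off by default. Suggested wording: `## Allow sshd (sshd_t) to transition into the container runtime domain when it executes a container engine. This exposes everything container_runtime_t may do to a process started by sshd; leave it off unless required.` The name also drops the `container_` prefix the module's other tunables carry (`container_connect_any` directly above), which hurts `getsebool -a | grep container` discoverability; if the name is already shipped, a comment noting the exception is enough. Neither this boolean nor any other container.te change is mentioned in the selinux-policy.changes entry in this commit, which lists only upstream selinux-policy items.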
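Review bot: `userdom_user_home_content(container_ro_file_t)` is added with no comment, and it changes who may reach the type: every rule written against user home content (the userdom_*_user_home_content interfaces) now also applies to container_ro_file_t, a files_mountpoint type this module hands to container domains as a read-only share. If the motivation is rootless engines keeping shared image content under the user's home, say so on the line above, e.g. `# rootless engines keep read-only shared content under $HOME; this also lets every domain with user-home-content rules reach container_ro_file_t`. Because the widening is by type, not by path, it is worth confirming that nothing outside home directories is labeled container_ro_file_t; the file contexts are not visible from this hunk.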
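Review bot: `anaconda_domtrans_install(container_runtime_domain)` is placed bare between interface calls, while the gnome_ call on the very next lines is wrapped in optional_policy; if the anaconda module is absent from the policy, the container module fails to build or load on the unresolved interface. Wrap it in an optional_policy block exactly like the gnome_map_generic_data_home_files call that follows it. A one-line comment on why every container runtime domain needs to transition into the installer domain would also help, since this is an unconditional transition into a broadly privileged domain and neither the hunk nor the changelog explains it.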
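Review bot: Adding `user_home_type` in `typeattribute container_file_t container_file_type, user_home_type;` makes the writable container volume type satisfy every rule targeting user home types, and container_file_t is not confined to home directories: as far as I know a bind-mounted volume relabeled with `:Z`/`:z` anywhere on the host receives this type and would now match user-home rules as well. The hunk gives no rationale; add one, e.g. `# treated as user home content so unprivileged user domains can manage rootless volumes; note this applies wherever a volume carries container_file_t, not only under $HOME`. If only home-resident content needs this, a separate home-scoped type would be narrower, but I cannot tell from the hunk whether one exists.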
@@ -1422,3 +1430,14 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_ manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) + +tunable_policy(`sshd_launch_containers',` + gen_require(` + type sshd_t; + type systemd_logind_t; + type iptables_var_run_t; + ') + + container_runtime_domtrans(sshd_t) + dontaudit systemd_logind_t iptables_var_run_t:dir read; +') diff --git a/selinux-policy-20230321.tar.xz b/selinux-policy-20230321.tar.xz deleted file mode 100644 index 99b7daa..0000000 --- a/selinux-policy-20230321.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04 -size 752588 diff --git a/selinux-policy-20230420.tar.xz b/selinux-policy-20230420.tar.xz new file mode 100644 index 0000000..3f2c179 --- /dev/null +++ b/selinux-policy-20230420.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc623df379efb3571e2da1798099459b353d4a02bc6b6d9045cf8545ef15086e +size 754612 diff --git a/selinux-policy.changes b/selinux-policy.changes index 2dd0a11..fe42ae6 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
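Review bot: The `dontaudit systemd_logind_t iptables_var_run_t:dir read;` inside the `sshd_launch_containers` tunable has nothing to do with sshd transitioning into the container runtime, so toggling the boolean silently changes logind's audit behaviour, and a dontaudit hides a denial whose cause is never stated. Keep the tunable to the domtrans and its sshd_t require, and move the logind rule into its own block with a comment on why logind reads the iptables runtime directory, or drop it if the denial is harmless noise. The requires for types owned by other modules (systemd_logind_t, iptables_var_run_t) should also sit under optional_policy so a policy built without those modules still loads.

```m4
tunable_policy(`sshd_launch_containers',`
	gen_require(`
		type sshd_t;
	')

	# sshd_t -> container_runtime_t when sshd executes a container engine binary
	container_runtime_domtrans(sshd_t)
')

# Unrelated to sshd; kept outside the boolean so toggling it only affects the domtrans.
# TODO: document why logind reads the iptables runtime dir, or drop this if benign.
optional_policy(`
	gen_require(`
		type systemd_logind_t;
		type iptables_var_run_t;
	')

	dontaudit systemd_logind_t iptables_var_run_t:dir read;
')
```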
@@ -1,3 +1,66 @@ +------------------------------------------------------------------- +Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com + +- Update to version 20230420: + * libzypp creates temporary files in /var/adm/mount. Label it with + rpm_var_cache_t to prevent wrong labels in /var/cache/zypp + * only use rsync_exec_t for the rsync server, not for the client + (bsc#1209890) + * properly label sshd-gen-keys-start to ensure ssh host keys have proper + labels after creation + * Allow dovecot-deliver write to the main process runtime fifo files + * Allow dmidecode write to cloud-init tmp files + * Allow chronyd send a message to cloud-init over a datagram socket + * Allow cloud-init domain transition to insights-client domain + * Allow mongodb read filesystem sysctls + * Allow mongodb read network sysctls + * Allow accounts-daemon read generic systemd unit lnk files + * Allow blueman watch generic device dirs + * Allow nm-dispatcher tlp plugin create tlp dirs + * Allow systemd-coredump mounton /usr + * Allow rabbitmq to read network sysctls + * Allow certmonger dbus chat with the cron system domain + * Allow geoclue read network sysctls + * Allow geoclue watch the /etc directory + * Allow logwatch_mail_t read network sysctls + * allow systemd_resolved_t to bind to all nodes (bsc#1200182) + * Allow insights-client read all sysctls + * Allow passt manage qemu pid sock files + * Allow sssd read accountsd fifo files + * Add support for the passt_t domain + * Allow virtd_t and svirt_t work with passt + * Add new interfaces in the virt module + * Add passt interfaces defined conditionally + * Allow tshark the setsched capability + * Allow poweroff create connections to system dbus + * Allow wg load kernel modules, search debugfs dir + * Boolean: allow qemu-ga manage ssh home directory + * Label smtpd with sendmail_exec_t + * Label msmtp and msmtpd with sendmail_exec_t + * Allow dovecot to map files in /var/spool/dovecot + * Confine gnome-initial-setup + * Allow 
qemu-guest-agent create and use vsock socket + * Allow login_pgm setcap permission + * Allow chronyc read network sysctls + * Enhancement of the /usr/sbin/request-key helper policy + * Fix opencryptoki file names in /dev/shm + * Allow system_cronjob_t transition to rpm_script_t + * Revert "Allow system_cronjob_t domtrans to rpm_script_t" + * Add tunable to allow squid bind snmp port + * Allow staff_t getattr init pid chr & blk files and read krb5 + * Allow firewalld to rw z90crypt device + * Allow httpd work with tokens in /dev/shm + * Allow svirt to map svirt_image_t char files + * Allow sysadm_t run initrc_t script and sysadm_r role access + * Allow insights-client manage fsadm pid files + * Allowing snapper to create snapshots of /home/ subvolume/partition + * Add boolean qemu-ga to run unconfined script + * Label systemd-journald feature LogNamespace + * Add none file context for polyinstantiated tmp dirs + * Allow certmonger read the contents of the sysfs filesystem + * Add journalctl the sys_resource capability + * Allow nm-dispatcher plugins read generic files in /proc + ------------------------------------------------------------------- Tue Mar 28 12:27:47 UTC 2023 - Hu diff --git a/selinux-policy.spec b/selinux-policy.spec index ede9b73..ab72a6d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20230321 +Version: 20230420 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc