Accepting request 1080814 from home:jsegitz:branches:security:SELinux

- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally

OBS-URL: https://build.opensuse.org/request/show/1080814
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=181

_servicedata

@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm">
+              <param name="changesrevision">ca88adc84584e150ecb8f67ec2c1dc5a29618ab9</param></service><service name="tar_scm">
                 <param name="url">https://github.com/containers/container-selinux.git</param>
               <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>

container.te

@@ -1,4 +1,4 @@
-policy_module(container, 2.205.0)
+policy_module(container, 2.210.0)
 
 gen_require(`
 	class passwd rootok;
@@ -17,6 +17,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)
 
+## <desc>
+##  <p>
+##  Determine whether sshd can launch container engines
+##  </p>
+## </desc>
+gen_tunable(sshd_launch_containers, false)
+
 ## <desc>
 ##  <p>
 ##  Allow containers to use any device volume mounted into container
@@ -77,7 +84,6 @@ ifdef(`enable_mls',`
 type spc_t, container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
-init_initrc_domain(spc_t)
 
 type container_auth_t alias docker_auth_t;
 type container_auth_exec_t alias docker_auth_exec_t;
@@ -124,6 +130,7 @@ term_pty(container_devpts_t)
 
 typealias container_ro_file_t alias { container_share_t docker_share_t };
 files_mountpoint(container_ro_file_t)
+userdom_user_home_content(container_ro_file_t)
 
 type container_port_t alias docker_port_t;
 corenet_port(container_port_t)
@@ -287,6 +294,8 @@ domain_getattr_all_domains(container_runtime_domain)
 
 userdom_map_tmp_files(container_runtime_domain)
 
+anaconda_domtrans_install(container_runtime_domain)
+
 optional_policy(`
 	gnome_map_generic_data_home_files(container_runtime_domain)
 	allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
@@ -575,7 +584,6 @@ fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
 
-
 optional_policy(`
     files_search_all(container_domain)
     container_read_share_files(container_domain)
@@ -806,7 +814,7 @@ gen_require(`
 ')
 container_manage_files_template(container, container)
 
-typeattribute container_file_t container_file_type;
+typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
 allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
@@ -1411,7 +1419,7 @@ optional_policy(`
 		type syslogd_t;
 	')
 
-	allow syslogd_t container_runtime_tmpfs_t:file { read write };
+	allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
 	logging_send_syslog_msg(container_runtime_t)
 ')
 
@@ -1422,3 +1430,14 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_
 manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+
+tunable_policy(`sshd_launch_containers',`
+	gen_require(`
+		type sshd_t;
+		type systemd_logind_t;
+		type iptables_var_run_t;
+	')
+
+	container_runtime_domtrans(sshd_t)
+	dontaudit systemd_logind_t iptables_var_run_t:dir read;
+')

selinux-policy-20230321.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
-size 752588

selinux-policy-20230420.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc623df379efb3571e2da1798099459b353d4a02bc6b6d9045cf8545ef15086e
+size 754612

selinux-policy.changes

@@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230420:
+  * libzypp creates temporary files in /var/adm/mount. Label it with
+    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
+  * only use rsync_exec_t for the rsync server, not for the client
+    (bsc#1209890)
+  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
+    labels after creation
+  * Allow dovecot-deliver write to the main process runtime fifo files
+  * Allow dmidecode write to cloud-init tmp files
+  * Allow chronyd send a message to cloud-init over a datagram socket
+  * Allow cloud-init domain transition to insights-client domain
+  * Allow mongodb read filesystem sysctls
+  * Allow mongodb read network sysctls
+  * Allow accounts-daemon read generic systemd unit lnk files
+  * Allow blueman watch generic device dirs
+  * Allow nm-dispatcher tlp plugin create tlp dirs
+  * Allow systemd-coredump mounton /usr
+  * Allow rabbitmq to read network sysctls
+  * Allow certmonger dbus chat with the cron system domain
+  * Allow geoclue read network sysctls
+  * Allow geoclue watch the /etc directory
+  * Allow logwatch_mail_t read network sysctls
+  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
+  * Allow insights-client read all sysctls
+  * Allow passt manage qemu pid sock files
+  * Allow sssd read accountsd fifo files
+  * Add support for the passt_t domain
+  * Allow virtd_t and svirt_t work with passt
+  * Add new interfaces in the virt module
+  * Add passt interfaces defined conditionally
+  * Allow tshark the setsched capability
+  * Allow poweroff create connections to system dbus
+  * Allow wg load kernel modules, search debugfs dir
+  * Boolean: allow qemu-ga manage ssh home directory
+  * Label smtpd with sendmail_exec_t
+  * Label msmtp and msmtpd with sendmail_exec_t
+  * Allow dovecot to map files in /var/spool/dovecot
+  * Confine gnome-initial-setup
+  * Allow qemu-guest-agent create and use vsock socket
+  * Allow login_pgm setcap permission
+  * Allow chronyc read network sysctls
+  * Enhancement of the /usr/sbin/request-key helper policy
+  * Fix opencryptoki file names in /dev/shm
+  * Allow system_cronjob_t transition to rpm_script_t
+  * Revert "Allow system_cronjob_t domtrans to rpm_script_t"
+  * Add tunable to allow squid bind snmp port
+  * Allow staff_t getattr init pid chr & blk files and read krb5
+  * Allow firewalld to rw z90crypt device
+  * Allow httpd work with tokens in /dev/shm
+  * Allow svirt to map svirt_image_t char files
+  * Allow sysadm_t run initrc_t script and sysadm_r role access
+  * Allow insights-client manage fsadm pid files
+  * Allowing snapper to create snapshots of /home/ subvolume/partition
+  * Add boolean qemu-ga to run unconfined script
+  * Label systemd-journald feature LogNamespace
+  * Add none file context for polyinstantiated tmp dirs
+  * Allow certmonger read the contents of the sysfs filesystem
+  * Add journalctl the sys_resource capability
+  * Allow nm-dispatcher plugins read generic files in /proc
+
 -------------------------------------------------------------------
 Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy.hu@suse.com>
 

selinux-policy.spec

@@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230321
+Version:        20230420
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc