Accepting request 1057912 from home:jsegitz:branches:security:SELinux

- Add fix_container.patch to allow privileged containers to use
  timedatectl (bsc#1207054)

OBS-URL: https://build.opensuse.org/request/show/1057912
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=168

fix_container.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy-20221019/policy/modules/services/container.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/services/container.te
++++ fedora-policy-20221019/policy/modules/services/container.te
+@@ -681,6 +681,7 @@ init_dbus_chat(spc_t)
+ optional_policy(`
+ 	systemd_dbus_chat_machined(spc_t)
+ 	systemd_dbus_chat_logind(spc_t)
++	systemd_dbus_chat_timedated(spc_t)
+ ')
+ 
+ optional_policy(`

selinux-policy.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 11 14:17:02 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Add fix_container.patch to allow privileged containers to use
+  timedatectl (bsc#1207054)
+
 -------------------------------------------------------------------
 Thu Dec 15 16:11:15 UTC 2022 - Hu <cathy.hu@suse.com>
 

selinux-policy.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -148,6 +148,8 @@ Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
 Patch065:       fix_sendmail.patch
 Patch066:       fix_ipsec.patch
+# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included
+Patch067:       fix_container.patch
 
 Patch100:       sedoctool.patch