Accepting request 1080824 from security:SELinux

- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally

OBS-URL: https://build.opensuse.org/request/show/1080824
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=45
This commit is contained in:
Dominique Leuenberger 2023-04-21 12:15:52 +00:00 committed by Git OBS Bridge
commit ae7e61e582
7 changed files with 132 additions and 10 deletions


@ -1,6 +1,6 @@
<servicedata> <servicedata>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm"> <param name="changesrevision">ca88adc84584e150ecb8f67ec2c1dc5a29618ab9</param></service><service name="tar_scm">
<param name="url">https://github.com/containers/container-selinux.git</param> <param name="url">https://github.com/containers/container-selinux.git</param>
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>


@ -1,4 +1,4 @@
policy_module(container, 2.205.0) policy_module(container, 2.210.0)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -17,6 +17,13 @@ gen_require(`
## </desc> ## </desc>
gen_tunable(container_connect_any, false) gen_tunable(container_connect_any, false)
## <desc>
## <p>
## Determine whether sshd can launch container engines
## </p>
## </desc>
gen_tunable(sshd_launch_containers, false)
## <desc> ## <desc>
## <p> ## <p>
## Allow containers to use any device volume mounted into container ## Allow containers to use any device volume mounted into container
@ -77,7 +84,6 @@ ifdef(`enable_mls',`
type spc_t, container_domain; type spc_t, container_domain;
domain_type(spc_t) domain_type(spc_t)
role system_r types spc_t; role system_r types spc_t;
init_initrc_domain(spc_t)
type container_auth_t alias docker_auth_t; type container_auth_t alias docker_auth_t;
type container_auth_exec_t alias docker_auth_exec_t; type container_auth_exec_t alias docker_auth_exec_t;
@ -124,6 +130,7 @@ term_pty(container_devpts_t)
typealias container_ro_file_t alias { container_share_t docker_share_t }; typealias container_ro_file_t alias { container_share_t docker_share_t };
files_mountpoint(container_ro_file_t) files_mountpoint(container_ro_file_t)
userdom_user_home_content(container_ro_file_t)
type container_port_t alias docker_port_t; type container_port_t alias docker_port_t;
corenet_port(container_port_t) corenet_port(container_port_t)
@ -287,6 +294,8 @@ domain_getattr_all_domains(container_runtime_domain)
userdom_map_tmp_files(container_runtime_domain) userdom_map_tmp_files(container_runtime_domain)
anaconda_domtrans_install(container_runtime_domain)
optional_policy(` optional_policy(`
gnome_map_generic_data_home_files(container_runtime_domain) gnome_map_generic_data_home_files(container_runtime_domain)
allow container_runtime_domain data_home_t:dir { relabelfrom relabelto }; allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
@ -575,7 +584,6 @@ fs_unmount_fusefs(container_runtime_domain)
fs_exec_fusefs_files(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain)
storage_rw_fuse(container_runtime_domain) storage_rw_fuse(container_runtime_domain)
optional_policy(` optional_policy(`
files_search_all(container_domain) files_search_all(container_domain)
container_read_share_files(container_domain) container_read_share_files(container_domain)
@ -806,7 +814,7 @@ gen_require(`
') ')
container_manage_files_template(container, container) container_manage_files_template(container, container)
typeattribute container_file_t container_file_type; typeattribute container_file_t container_file_type, user_home_type;
typeattribute container_t container_domain, container_net_domain, container_user_domain; typeattribute container_t container_domain, container_net_domain, container_user_domain;
allow container_user_domain self:process getattr; allow container_user_domain self:process getattr;
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint; allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
@ -1411,7 +1419,7 @@ optional_policy(`
type syslogd_t; type syslogd_t;
') ')
allow syslogd_t container_runtime_tmpfs_t:file { read write }; allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
logging_send_syslog_msg(container_runtime_t) logging_send_syslog_msg(container_runtime_t)
') ')
@ -1422,3 +1430,14 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
tunable_policy(`sshd_launch_containers',`
gen_require(`
type sshd_t;
type systemd_logind_t;
type iptables_var_run_t;
')
container_runtime_domtrans(sshd_t)
dontaudit systemd_logind_t iptables_var_run_t:dir read;
')
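Review bot: The `dontaudit systemd_logind_t iptables_var_run_t:dir read;` line inside the new `sshd_launch_containers` tunable block has no visible relation to sshd launching container engines, so gating it on that boolean hides the logind denial only for people who enable the feature and leaves its intent undocumented; either move it out of the tunable (next to the logind/iptables policy it concerns) or add a one-line comment such as `# logind reads iptables runtime dirs when sshd starts a container engine; silence the noise` if that is really the trigger. The same block does `gen_require(` of `sshd_t` and `container_runtime_domtrans(sshd_t)` without an enclosing optional_policy(`, which would presumably break the module build on systems where the ssh module is not loaded, unlike the optional_policy-wrapped syslogd_t requirement a few hunks above. Separately, the hunk at `typeattribute container_file_t container_file_type, user_home_type;` lets every interface written for user home content reach container volumes; a short comment naming the intended case (home-directory volume mounts, matching the added `userdom_user_home_content(container_ro_file_t)`) would make the widening reviewable rather than accidental-looking.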

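--- /dev/null
+++ b/debug-build.sh
@@ -0,0 +1,34 @@
+# This script creates a debugging and testing environment when working on the policy
+# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
+#
+# 1. Get the git repository with 'osc service manualrun' or './update.sh'
+# 2. Do your changes in the selinux-policy repository, test around
+# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
+# 2. Build locally: e.g. with osc build
+# 3. Test your rpms that contain your changes and repeat
+# 3. When finished, commit your changes in the selinux-policy repository and push to git
+# 4. Run './update.sh' and checkin the changes to OBS
+REPO_NAME=selinux-policy
+# Check if git repository exists, if not ask the user to fetch the latest version
+if ! test -d "$REPO_NAME"; then
+echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
+exit 1;
+fi
+# Get current version: Parse "Version: <current-version>" from specfile
+VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
+# Create tar file with name like selinux-policy-<current-version>.tar.xz
+TAR_NAME=$REPO_NAME-$VERSION.tar.xz
+echo "Creating tar file: $TAR_NAME"
+tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
+# Some helpful prompts
+if test $? -eq 0; then
+echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
+echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
+else
+echo "Error, creating archive failed"
+fi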
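Review bot: `VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)` is never checked, so a missing or renamed spec file silently yields an empty version and the script goes on to build `selinux-policy-.tar.xz` with a bogus `--transform` prefix; add `[ -n "$VERSION" ] || { echo "Could not read Version: from $REPO_NAME.spec" >&2; exit 1; }` right after it, and quote `"$TAR_NAME"`, `"$REPO_NAME"` and `"$REPO_NAME.spec"` in the tar and grep invocations. The file as shown starts with a comment rather than a `#!/bin/sh` line, so it depends on whoever runs it picking a shell; add the shebang as the first line, and drop the stray leading dash in `echo "-$REPO_NAME does not exist..."`. The numbered workflow in the header comment runs 1, 2, 1, 2, 3, 3, 4, which reads as two interleaved lists; renumbering it as one sequence (or indenting the inner build/test loop as sub-steps) would make the intended order clear.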


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
size 752588


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fc623df379efb3571e2da1798099459b353d4a02bc6b6d9045cf8545ef15086e
size 754612


@ -1,3 +1,71 @@
-------------------------------------------------------------------
Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com
- Update to version 20230420:
* libzypp creates temporary files in /var/adm/mount. Label it with
rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
* only use rsync_exec_t for the rsync server, not for the client
(bsc#1209890)
* properly label sshd-gen-keys-start to ensure ssh host keys have proper
labels after creation
* Allow dovecot-deliver write to the main process runtime fifo files
* Allow dmidecode write to cloud-init tmp files
* Allow chronyd send a message to cloud-init over a datagram socket
* Allow cloud-init domain transition to insights-client domain
* Allow mongodb read filesystem sysctls
* Allow mongodb read network sysctls
* Allow accounts-daemon read generic systemd unit lnk files
* Allow blueman watch generic device dirs
* Allow nm-dispatcher tlp plugin create tlp dirs
* Allow systemd-coredump mounton /usr
* Allow rabbitmq to read network sysctls
* Allow certmonger dbus chat with the cron system domain
* Allow geoclue read network sysctls
* Allow geoclue watch the /etc directory
* Allow logwatch_mail_t read network sysctls
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
* Allow insights-client read all sysctls
* Allow passt manage qemu pid sock files
* Allow sssd read accountsd fifo files
* Add support for the passt_t domain
* Allow virtd_t and svirt_t work with passt
* Add new interfaces in the virt module
* Add passt interfaces defined conditionally
* Allow tshark the setsched capability
* Allow poweroff create connections to system dbus
* Allow wg load kernel modules, search debugfs dir
* Boolean: allow qemu-ga manage ssh home directory
* Label smtpd with sendmail_exec_t
* Label msmtp and msmtpd with sendmail_exec_t
* Allow dovecot to map files in /var/spool/dovecot
* Confine gnome-initial-setup
* Allow qemu-guest-agent create and use vsock socket
* Allow login_pgm setcap permission
* Allow chronyc read network sysctls
* Enhancement of the /usr/sbin/request-key helper policy
* Fix opencryptoki file names in /dev/shm
* Allow system_cronjob_t transition to rpm_script_t
* Revert "Allow system_cronjob_t domtrans to rpm_script_t"
* Add tunable to allow squid bind snmp port
* Allow staff_t getattr init pid chr & blk files and read krb5
* Allow firewalld to rw z90crypt device
* Allow httpd work with tokens in /dev/shm
* Allow svirt to map svirt_image_t char files
* Allow sysadm_t run initrc_t script and sysadm_r role access
* Allow insights-client manage fsadm pid files
* Allowing snapper to create snapshots of /home/ subvolume/partition
* Add boolean qemu-ga to run unconfined script
* Label systemd-journald feature LogNamespace
* Add none file context for polyinstantiated tmp dirs
* Allow certmonger read the contents of the sysfs filesystem
* Add journalctl the sys_resource capability
* Allow nm-dispatcher plugins read generic files in /proc
-------------------------------------------------------------------
Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy.hu@suse.com>
- Add debug-build.sh script to make debugging without committing easier
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com


@ -33,7 +33,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: System/Management Group: System/Management
Name: selinux-policy Name: selinux-policy
Version: 20230321 Version: 20230420
Release: 0 Release: 0
Source0: %{name}-%{version}.tar.xz Source0: %{name}-%{version}.tar.xz
Source1: container.fc Source1: container.fc
@ -42,6 +42,7 @@ Source3: container.if
Source4: selinux-policy-rpmlintrc Source4: selinux-policy-rpmlintrc
Source5: README.Update Source5: README.Update
Source6: update.sh Source6: update.sh
Source7: debug-build.sh
Source10: modules-targeted-base.conf Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf Source11: modules-targeted-contrib.conf