Accepting request 1193871 from security:SELinux

- Update to version 20240814: * Dontaudit dac_override of fstab generator (bsc#1229127) - Drop varrun-convert.sh script as it causes issues with container-selinux update (bsc#1228951) - Update to version 20240812: * Update libvirt policy * Add port 80/udp and 443/udp to http_port_t definition * Additional updates stalld policy for bpf usage * Label systemd-pcrextend and systemd-pcrlock properly * Allow coreos_installer_t work with partitions * Revert "Allow coreos-installer-generator work with partitions" * Add policy for systemd-pcrextend * Update policy for systemd-getty-generator * Allow ip command write to ipsec's logs * Allow virt_driver_domain read virtd-lxc files in /proc * Revert "Allow svirt read virtqemud fifo files" * Update virtqemud policy for libguestfs usage * Allow virtproxyd create and use its private tmp files * Allow virtproxyd read network state * Allow virt_driver_domain create and use log files in /var/log * Allow samba-dcerpcd work with ctdb cluster * Allow NetworkManager_dispatcher_t send SIGKILL to plugins * Allow setroubleshootd execute sendmail with a domain transition * Allow key.dns_resolve set attributes on the kernel key ring * Update qatlib policy for v24.02 with new features * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t * Allow tlp status power services * Allow virtqemud domain transition on passt execution * Allow virt_driver_domain connect to systemd-userdbd over a unix socket * Allow boothd connect to systemd-userdbd over a unix socket * Update policy for awstats scripts * Allow bitlbee execute generic programs in system bin directories * Allow login_userdomain read aliases file * Allow login_userdomain read ipsec config files * Allow login_userdomain read all pid files * Allow rsyslog read systemd-logind session files * Allow libvirt-dbus stream connect to virtlxcd OBS-URL: https://build.opensuse.org/request/show/1193871 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=70
2024-08-15 07:57:36 +00:00 · 2024-08-15 07:57:36 +00:00 · 3743169a39
commit 3743169a39
parent 7ad5616cbb 3425be62a3
6 changed files with 54 additions and 119 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">02657ab47aa16a1ed9638b511b4ed12298f2352b</param></service><service name="tar_scm">
+              <param name="changesrevision">e9e6076cfc96d33de1645e596ab0061c755c95b2</param></service><service name="tar_scm">
                <param name="url">https://github.com/containers/container-selinux.git</param>
              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
                <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
--- a/selinux-policy-20240809.tar.xz
+++ b/selinux-policy-20240809.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9b1e7b4c6306f438081643f4189bf856c4eaa90e1c97ca508a5a3f6bff9a6fb7
-size 773308
--- a/selinux-policy-20240814.tar.xz
+++ b/selinux-policy-20240814.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ee6c71012690d5ad00b4dbb906d62aa69f4019e84c707e13acfbe7a722214b5
+size 773828
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Wed Aug 14 12:11:13 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240814:
+  * Dontaudit dac_override of fstab generator (bsc#1229127)
+
+-------------------------------------------------------------------
+Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Drop varrun-convert.sh script as it causes issues with
+  container-selinux update (bsc#1228951)
+
+-------------------------------------------------------------------
+Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240812:
+  * Update libvirt policy
+  * Add port 80/udp and 443/udp to http_port_t definition
+  * Additional updates stalld policy for bpf usage
+  * Label systemd-pcrextend and systemd-pcrlock properly
+  * Allow coreos_installer_t work with partitions
+  * Revert "Allow coreos-installer-generator work with partitions"
+  * Add policy for systemd-pcrextend
+  * Update policy for systemd-getty-generator
+  * Allow ip command write to ipsec's logs
+  * Allow virt_driver_domain read virtd-lxc files in /proc
+  * Revert "Allow svirt read virtqemud fifo files"
+  * Update virtqemud policy for libguestfs usage
+  * Allow virtproxyd create and use its private tmp files
+  * Allow virtproxyd read network state
+  * Allow virt_driver_domain create and use log files in /var/log
+  * Allow samba-dcerpcd work with ctdb cluster
+  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
+  * Allow setroubleshootd execute sendmail with a domain transition
+  * Allow key.dns_resolve set attributes on the kernel key ring
+  * Update qatlib policy for v24.02 with new features
+  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
+  * Allow tlp status power services
+  * Allow virtqemud domain transition on passt execution
+  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
+  * Allow boothd connect to systemd-userdbd over a unix socket
+  * Update policy for awstats scripts
+  * Allow bitlbee execute generic programs in system bin directories
+  * Allow login_userdomain read aliases file
+  * Allow login_userdomain read ipsec config files
+  * Allow login_userdomain read all pid files
+  * Allow rsyslog read systemd-logind session files
+  * Allow libvirt-dbus stream connect to virtlxcd
+
 -------------------------------------------------------------------
 Fri Aug 09 12:35:40 UTC 2024 - cathy.hu@suse.com

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240809
+Version:        20240814
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@ -61,9 +61,6 @@ Source30:       setrans-targeted.conf
 Source31:       setrans-mls.conf
 Source32:       setrans-minimum.conf

-# Script to convert /var/run file context entries to /run
-Source37:       varrun-convert.sh
-
 Source40:       securetty_types-targeted
 Source41:       securetty_types-mls
 Source42:       securetty_types-minimum
@ -221,7 +218,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
-%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil

@ -258,7 +254,6 @@ fi;

 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-%{_libexecdir}/selinux/varrun-convert.sh %2; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
  rm %{_sysconfdir}/selinux/%2/.rebuild; \
  /usr/sbin/semodule -B -n -s %2; \
@ -315,7 +310,6 @@ of systems and used as the basis for creating other policies.
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
-%{_libexecdir}/selinux/varrun-convert.sh

 %package sandbox
 Summary:        SELinux policy sandbox
@ -383,9 +377,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done

-mkdir -p %{buildroot}%{_libexecdir}/selinux
-install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
--- a/varrun-convert.sh
+++ b/varrun-convert.sh
@ -1,105 +0,0 @@
-#!/bin/bash
-### varrun-convert.sh
-### convert legacy filecontext entries containing /var/run to /run
-### and load an extra selinux module with the new content
-### the script takes a policy name as an argument
-
-# Set DEBUG=yes before running the script to get more verbose output
-# on the terminal and to the $LOG file
-if [ "${DEBUG}" = "yes" ]; then
-  set -x
-fi
-
-# Auxiliary and log files will be created in OUTPUTDIR
-OUTPUTDIR="/run/selinux-policy"
-LOG="$OUTPUTDIR/log"
-mkdir -p ${OUTPUTDIR}
-
-if [ -z ${1} ]; then
-  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
-  exit
-fi
-
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
-# Take current file_contexts and unify whitespace separators
-FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
-FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
-if [ ! -f ${FILE_CONTEXTS} ]; then
-  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
-  exit
-fi
-
-if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
-  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
-  exit 0
-fi
-
-EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
-EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
-EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
-
-# Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-
-# Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
-
-rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-# Deduplicate already existing /var/run=/run entries
-while read line
-do
-  subline="${line#/var}"
-  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
-    # check for overal duplicate entries
-    subline2=$(echo $line | sed -E -e 's/ \S+$//')
-    if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
-      echo "$line"
-      echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-    else
-      >&2 echo "DUP: $line"
-    fi
-  fi
-done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
-
-# Change /var/run to /run
-sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
-
-# Exception handling: packages with already duplicate entries
-sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
-
-# Change format to cil
-sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
-
-# Handle entries with <<none>> which do not match previous regexps
-sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
-
-# Wrap each line with an optional block
-i=1
-while read line
-do
-  echo "(optional extra_var_run_${i}"
-  echo "  $line"
-  echo ")"
-  ((i++))
-done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
-
-# Load module
-[ -s ${EXTRA_VARRUN_CIL} ] &&
-/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
-