Packages changed: MicroOS-release (20260712 -> 20260714) checkpolicy (3.10 -> 3.11) libcamera (0.7.1 -> 0.7.2) libdovi (3.3.2 -> 3.4.0) libpsl (0.22.0 -> 0.23.0) libseccomp (2.6.0 -> 2.6.1) libselinux (3.10 -> 3.11) libselinux-bindings (3.10 -> 3.11) libsemanage (3.10 -> 3.11) libsepol (3.10 -> 3.11) policycoreutils (3.10 -> 3.11) python-semanage (3.10 -> 3.11) sdbootutil (1+git20260506.25d47bf -> 1+git20260714.d9bb736) selinux-policy (20260618 -> 20260702) xsetroot (1.1.3 -> 1.1.4) === Details === ==== MicroOS-release ==== Version update (20260712 -> 20260714) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== checkpolicy ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Fixed checkpolicy handling of out-of-range and complement at range boundaries for xperm rules (#530, #531). - Dropped legacy fscon statement support from checkpolicy - never used in SELinux policies for mainline kernels (#518). - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Test fixes - Notable Bugfixes: - checkpolicy: remove unneeded malloc() casts - checkpolicy: add missing strdup() failure checks - checkpolicy: use calloc() so no need to do memset() - checkpolicy: replace malloc()+memset() with calloc() ==== libcamera ==== Version update (0.7.1 -> 0.7.2) Subpackages: libcamera-base0_7 libcamera0_7 - Update to release 0.7.2 * Fixes two separate saturation handling bugs in both the SoftISP and the Raspberry Pi IPA. * On the SoftISP, 12-bit formats are now supported, black level correction is 'fixed' and there are interesting performance improvements with eGL buffer caching. * Within the IPA handling, support for Sony IMX678 was added, as well as Omnivision OV08x40 and OV01A10, and moved to a proportional AGC algorithm for the simple pipeline handler. - Delete libcamera-ov02e10-initial-support.patch ==== libdovi ==== Version update (3.3.2 -> 3.4.0) - Update to 3.4.0: * dovi_rpu_add_cmv40_safe_default_metadata: Adds CMv4.0 default metadata to an existing CMv2.9 RPU * dovi_generate_from_json: Allows generating a list of RPUs from JSON * dovi_rpu_remove_cmv40_metadata: Allows to completely remove CM v4.0 metadata from the RPU * dovi/level11: improve byte1 parsing and remove byte2 validation ==== libpsl ==== Version update (0.22.0 -> 0.23.0) - Update to version 0.23.0: * Properly handle leading dot in domains (CVE-2026-8924) * Using libidn as runtime now requires explicit configuration * Modernize configure.ac * Simplify license headers - Regenerate the built-in PSL and test DAFSA files from the system publicsuffix at build time, so they stay in sync with the packaged list and test-is-public-all no longer fails on version skew ==== libseccomp ==== Version update (2.6.0 -> 2.6.1) - Produce unique .src.rpm files per multibuild flavor. - Update to release 2.6.1 * Fixed incorrect 64-bit comparison merge that can weaken libseccomp filters. * Fixed issue where oversized libseccomp filters can trigger a double free. * Fixed issue where oversized libseccomp filters can trigger a heap corruption. * Fixed struct aliasing undefined behavior in the internal libseccomp hash algorithm. * Fixed issue where extraneous bytes were being copied to the destination buffer in seccomp_export_bpf_mem(). * Fix a bug where merged libseccomp filters failed to merge the notify_used flag, leading to no listener file descriptor being generated. - 62-sim-arch_transactions-remove-fuzzer.patch: removed upstream - Fixes in SPEC file. - Update make-python-build.patch to work with multiple versions of Python interpreters. - Add python-pip-packages.patch, modernize-python-build.patch - Enable _multibuild back. - Add support for generating of multiple versions of Python subpackages (using %python_subpackage_only). ==== libselinux ==== Version update (3.10 -> 3.11) Subpackages: libselinux1 selinux-tools - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Several security improvements in libselinux - Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file relabeling if /proc is available - Fixed libselinux constructor to not clobber errno (#445). - Fixed libselinux selabel_partial_match(3) to correctly find partial matches. - Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur legitimately within a user namespace. - Improved restorecon related functionality in libselinux - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Fixed libselinux build for non-pthread builds. - Multiple fixes for musl/llvm-based builds, including adding a new EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass - -undefined-version through to lld (#511 thru #515). - Fixed uclibc build failure (#435). - Build shared libraries with -fPIC for LTO. - Notable bug fixes: - libselinux: avoid out-of-bounds access on zero-length lines - Packaging changes: - Drop patch restorecon-Only-log-error-on-readonly-fs-bsc-1232226.patch as it was accepted upstream - Rewrite skip_cycles.patch since the code path has been rewritten entirely upstream ==== libselinux-bindings ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - libselinux and python use system Python3 build module - Updated pywrap build targets for modern python builds using the Python3 build module. - Build shared libraries with -fPIC for LTO. - Packaging changes: - Add python-build as BuildRequires - Drop python3.6 build in 15.7, as python-build is not available for python3.6 - Add workaround in Makefile as python multi build does not work with the combined dist/ folder from upstream ==== libsemanage ==== Version update (3.10 -> 3.11) Subpackages: libsemanage-conf libsemanage2 - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Test fixes - Notable bug fixes: - libsemanage: guard end of path in semanage_fc_find_meta - libsemanage: bunzip: guard against size overflow - libsemanage: genhomedircon: fix STR_COMPARATOR() passed to lfind() - libsemanage: genhomdircon: handle NULL bsearch() in get_users() - libsemanage: fix OOB cleanup in semanage_direct_list() - libsemanage: make expand-check a proper boolean option - libsemanage: use 'bool' for boolean options - libsemanage: Do not use vfork() - libsemanage: Do not discard ‘const’ qualifier ==== libsepol ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Fixed libsepol generation of constraint expressions with a list of names when writing policy.conf from CIL. - Fixed libsepol to generate constrain/validatetrans instead of mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the constraint contains an expression based on level. - Fixed libsepol selection of tunableif or booleanif and to skip empty conditional blocks when converting a module to CIL. - Fixed libsepol/secilc reporting of CIL source file info. - Fixed libsepol to require at least one perm in a CIL classperm and to correctly count the number of elements in the avtab. - Fixed libsepol to link xperm rule permissions correctly. - Fixed libsepol off-by-one error in cats_ebitmap_len(). - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Many hardening fixes spanning the entire tree - Notable bug fixes: - libsepol: cast to unsigned char in ctype calls - libsepol: bound type values in type_set_expand negset loop - libsepol/cil: fix double free of borrowed type datum on error path ==== policycoreutils ==== Version update (3.10 -> 3.11) Subpackages: policycoreutils-python-utils python313-policycoreutils - Move the sandbox subpackage to the separate selinux-sandbox package (bsc#1270534) drop policycoreutils-sandbox-fix-cleanup.patch - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - User-visible changes: - Several security improvements in dbus and gui - Dropped Python 2 support from audit2why - Added `setfiles -A` option to disable SELINUX_RESTORECON_ADD_ASSOC - restorecon only logs error on read-only filesystem instead of failing (allows relabeling with read-only BTRFS subvolumes) - Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to relabel files with multiple hard links to prevent mislabeling them. Updated restorecond(8) to always pass this flag when relabeling files to prevent mislabeling hard links to files owned by others, e.g. when relabeling user home directories or /tmp. - Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large semanage import operations (#291). - Improved semanage-fcontext(8) manpage - Fixed dispol and dismod to show all options in the -h text. - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Updated pywrap build targets for modern python builds using the Python3 build module. - Disabled build isolation for sepolicy python module. - Fixed build errors with glibc 2.43. - Updated pywrap build targets for modern python builds using the Python3 build module. - Packaging changes: - Drop sepolicy-build-isolation.patch was accepted upstream - Drop sandbox-sandbox-fix-saving-file-changes.patch was accepted upstream - Add python-build as new BuildRequires - Rewrite policycoreutils-sandbox-fix-cleanup.patch Code was rewritten upstream, dropped the part in seunshare.c - Rewrite usr_etc.patch Did not apply anymore due to code changes ==== python-semanage ==== Version update (3.10 -> 3.11) - Update to version 3.11 https://github.com/SELinuxProject/selinux/releases/tag/3.11 - Development-relevant changes: - Reformatted entire tree based on .clang-format and added new check-format/format make targets to check and/or reformat code to match. This is now a requirement for new patches. - Fixed libsemanage pywrap target deps for parallel builds. - Packaging changes: - Drop 1266385-libsemanage-Require-LIBSO-before-SWIGSO-and-SWIGRUBY.patch was accepted upstream ==== sdbootutil ==== Version update (1+git20260506.25d47bf -> 1+git20260714.d9bb736) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit - Update to version 1+git20260714.d9bb736: * tukit: do not fail if service is not found - Update to version 1+git20260713.d869cf8: * Ignore errors in the snapper plugin - Update to version 1+git20260709.7dfd021: * Remove the background process in the plugin * Fix missing initrd condition (bsc#1270420) * After reboot the shutdown service is not active * Disable the shutdown service after main service * Update uhmac dependencies (rust-openssl) bsc#1270192, CVE-2026-41676 bsc#1270995, CVE-2026-45784 bsc#1270922, CVE-2026-44662 bsc#1270863, CVE-2026-41898 bsc#1270742, CVE-2026-41681 bsc#1270670, CVE-2026-41678 bsc#1270616, CVE-2026-41677 bsc#1270471, CVE-2026-42327 * Add systemd transient service to update predictions * Install extra EFI binaries - Update to version 1+git20260625.7fa275e: * Remove duplicate code and parametrize timers * Check boot entry before kernel installation * Re-install an old kernel if initrd cannot be reused * Skip installation for already installed kernel * Add configurable devicetree entry support * Set explicit kernel and initrd paths * Remove the full tmpdir in the service * Fix /run/sdbootutil permissions * Execute predictions in the background * Add --disable-predictions parameter * Fix comparison operator * Add print-loader-path command ==== selinux-policy ==== Version update (20260618 -> 20260702) Subpackages: selinux-policy-targeted - Update selinux-policy-sandbox description (bsc#1270534) - Update to version 20260702: * Include key_socket in socket_class_set * Remove 14 permissive domains * ci: Run cockpit-machines tests in PRs * Remove the lockdown class from the policy * Allow systemd-logind the sys_ptrace capability in the user namespace * Allow systemd-sleep the perfmon capability * Allow sshd_session_t dyntransition to sftpd_t * Allow lttng kernel tracing * Allow loadkeys create and use its private tmpfs files * Allow journald create and use netlink_tcpdiag_socket * Fix typo in the comment of build.conf * Allow gpg_pinentry_t to write session dbus socket files * Allow systemd-hostnamed read hwdb files * Allow systemd-machined to manage nspawn runtime directory * Allow pcm-sensor-server the sys_admin capability * Allow nut/upsmon read nut_conf_t symlinks * Support new sanlock features - using libdm and SG_IO * Allow thumb_t mount proc filesystem * Allow aide connect to the GDM userdb provider socket * Allow postfix_postdrop_t/system_mail_t append to init unix domain stream sockets * Allow nfsd_t to create netlink_generic_socket (bsc#1267826) * Add anaconda_ioctl_fifo_files_install() and anaconda_write_fifo_files_install() * Allow install_t domain transition to insights_client_t * Allow staff user mounton /var/lib dirs * Allow systemd-coredump signull container runtime * Allow blueman get the attributes of a tmpfs filesystem * portage_compile_domain: Require xdm_xserver_tmp_t type * Add missing interface requirements * Dontaudit virt_driver_domain execmem * fixed file after comment from zpytela. * added caddy related paths. * Remove extra parameters from interface headers * Update bootupd policy for running lsblk * Allow pcscd_t to search cgroup - Syncing with upstream rawhide selinux-policy up to: * 3cf2aa66a844ba5e87fb2a8f04be08c62cf5538a - Update embedded container-selinux version to commit: * 9715eb09108e9fabb0fbaeee9044636b349370eb (v2.250.0) - Update to version 20260630: * Allow snapper_sdbootutil_plugin_t create transient units (bsc#1267377) * Allow bootctl access unconfined_t pid (bsc#1267377) * Refactor sdbootutil into seperate module (bsc#1267377) * Allow pcrlock to send kernel dgram (bsc#1267377) * Add tiny sdbootutil module for sdbootutil snapper plugin changes (bsc#1267377) ==== xsetroot ==== Version update (1.1.3 -> 1.1.4) - Update to version 1.1.4 * -help should exit(0) not (1) * Accept --help & --version as aliases to -help & -version * Improve man page formatting * man page: fix warnings from `mandoc -T lint` * gitlab CI: drop the ci-fairy check-mr job * Strip trailing whitespace from source files * meson: Add option to build with meson - Switch to Meson build system