selinux-policy-38.28-1.fc39 >t 6 6_ (,6btx3!92d LuZLea uZLg09RDWS˜{_!Pydz=ʶ)V8F Tir^Mg%;F[KciWK>rLgg7m?A3n/i%_zOsca2&jLj& 727W}jyTޘN/fsn+`P8+5C}vpP=JxE ,}~7' WYbrI4*Թ/PtQ-$Qι <1ɉގM[?7ڇxv̟2:飶'hl/Jlǖ$wHәAvxX?0]co7cOBf_ jz#/iNmه%^6ܟ9aժu8M;{׷=9)IfuQ$rj/Khg 5BRk{1=~1K6 X'¡,db8695d95e6fdeba4c9e657b62c6713457739f255086fc06721cb2594415da7a8f1f49922cc0e000ee43c791baf0df8a06da46cd030204388b603e004730450221009f2c56c5aec7cb0608029998a7737f3a6d0e3f5b4c695bdd892a140a9857d8e1022059cf9b4ce871f17206adf278973b3810b986d702549a628e139345540172ab31030204388b603e0046304402207b765fa7e83514caa6c8a01d39dd05f10f5430aa7042452e1213ea9b89c01e6702204e4ac716f31a5f8ffd96a2012d8e4e0b4699dd5e3a848d756978a04f1f660692030204388b603e00473045022017dbe6acea2dcf448b5fb440fbdc3df3b11ddfdbc3672a70f43b74eb78a49d3e022100fb461727f1b8c31e435c70d96aeace3dce5f8a823d68a3fe2fd0b37447028eb1030204388b603e00473045022100dd9a13b67cc5dbfc23abf1c6669044624f7b68b91e8b726c8a34bd664d04b70a022007b26220c10c176aae8b0380d592bff88215788f2cac2aefc4faac0e38577165ǁ3!92d LuZLea uZL7B~:kނe_G*abU0\j\!w9{AwS Ad$^$,P8t?Έkr@ZLK` wn}btSvT+yc{EEcYl p` w'-GJVϼY:9cڒ0(0!AH4xy@ fDKj}_z\;ʱrhK4Ւ's;~_AkC!u MmѢ%3U<@Nb־z)2]qz!2)IZ!oӒ5_6 "R:1efx{VJ6}%X@Bc'q,b9ĩJ$i>`M?d  ; .:kqx  $   8   L   t   ~       8  `()*+,-8-9p-:~->?@DG H I$ X0Yt\ ] ^b b$deflt u v,w` x y248>Cselinux-policy38.281.fc39SELinux policy configurationSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.eZbuildvm-s390x-18.s390.fedoraproject.orgdFedora ProjectFedora ProjectGPL-2.0-or-laterFedora ProjectUnspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarch if [ $1 -eq 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Initial installation /usr/lib/systemd/systemd-update-helper install-system-units selinux-check-proper-disable.service || : fi if [ ! -s /etc/selinux/config ]; then # # New install so we will default to targeted policy # echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > /etc/selinux/config ln -sf ../selinux/config /etc/sysconfig/selinux /usr/sbin/restorecon /etc/selinux/config 2> /dev/null || : else . /etc/selinux/config fi exit 0 if [ $1 -eq 0 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Package removal, not upgrade /usr/lib/systemd/systemd-update-helper remove-system-units selinux-check-proper-disable.service || : fi if [ $1 = 0 ]; then /usr/sbin/setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi exit 0FYA큤A큤AAeeeeeeeeee9762922c9c46fcf6f7a80a57c526962515a244ba02ca5e02a93374b3925e530eb3240fd7982059a65867f81ebab303d478bd1c29b1559bdcb2ba70781916b1ae8a0beca7f576064bfe85859d53e85dfc31157974115cac99b4e52ae31b77b185204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994Q@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-38.28-1.fc39.src.rpmconfig(selinux-policy)rpm_macro(_file_context_file)rpm_macro(_file_context_file_pre)rpm_macro(_file_custom_defined_booleans)rpm_macro(_file_custom_defined_booleans_tmp)rpm_macro(_selinux_policy_version)rpm_macro(_selinux_store_path)rpm_macro(_selinux_store_policy_path)rpm_macro(selinux_modules_install)rpm_macro(selinux_modules_uninstall)rpm_macro(selinux_relabel_post)rpm_macro(selinux_relabel_pre)rpm_macro(selinux_requires)rpm_macro(selinux_set_booleans)rpm_macro(selinux_unset_booleans)selinux-policyselinux-policy-base      /bin/awk/bin/sh/bin/sh/bin/sh/bin/sh/usr/bin/sha512sumconfig(selinux-policy)policycoreutilsrpm-plugin-selinuxrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsZstd)selinux-policy-any38.28-1.fc393.4-13.0.4-14.6.0-14.0-15.4.18-138.28-1.fc394.18.92/usr/sbin/selinuxenabled && /usr/sbin/semodule -nB exit 0rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null exit 0pcre2selinux-policy-targeted3.12.1-74eG@ddF@d"d@dE@d@dd@dr@d@d,@d@d@du@dp@dkY@dGd9@@d,@dd@ccױ@ccGcR@cc.c{h@c_c:c,N@c!@c@b@b@bb@b>b@b=b@bu boZdenek Pytela - 38.28-1Zdenek Pytela - 38.27-1Zdenek Pytela - 38.26-1Zdenek Pytela - 38.25-1Zdenek Pytela - 38.24-1Zdenek Pytela - 38.23-1Zdenek Pytela - 38.22-1Fedora Release Engineering - 38.21-2Zdenek Pytela - 38.21-1Zdenek Pytela - 38.20-1Zdenek Pytela - 38.19-1Zdenek Pytela - 38.18-1Zdenek Pytela - 38.17-1Zdenek Pytela - 38.16-1Zdenek Pytela - 38.15-1Zdenek Pytela - 38.14-1Zdenek Pytela - 38.13-1Zdenek Pytela - 38.12-1Zdenek Pytela - 38.11-1Zdenek Pytela - 38.10-1Zdenek Pytela - 38.9-1Zdenek Pytela - 38.8-1Zdenek Pytela - 38.7-1Zdenek Pytela - 38.6-1Fedora Release Engineering - 38.5-2Zdenek Pytela - 38.5-1Zdenek Pytela - 38.4-1Zdenek Pytela - 38.3-1Zdenek Pytela - 38.2-1Zdenek Pytela - 38.1-1Zdenek Pytela - 37.14-1Zdenek Pytela - 37.13-1Zdenek Pytela - 37.12-1Zdenek Pytela - 37.11-1Zdenek Pytela - 37.10-1Zdenek Pytela - 37.9-1Zdenek Pytela - 37.8-1Fedora Release Engineering - 37.7-2Zdenek Pytela - 37.7-1Zdenek Pytela - 37.6-1Zdenek Pytela - 37.5-1Zdenek Pytela - 37.4-1Zdenek Pytela - 37.3-1Zdenek Pytela - 37.2-1Zdenek Pytela - 37.1-1- Allow sssd domain transition on passkey_child execution conditionally - Allow login_userdomain watch lnk_files in /usr - Allow login_userdomain watch video4linux devices - Change systemd-network-generator transition to include class file - Revert "Change file transition for systemd-network-generator" - Allow nm-dispatcher winbind plugin read/write samba var files - Allow systemd-networkd write to cgroup files - Allow kdump create and use its memfd: objects- Allow fedora-third-party get generic filesystem attributes - Allow sssd use usb devices conditionally - Update policy for qatlib - Allow ssh_agent_type manage generic cache home files - Update make-rhat-patches.sh file to use the f39 dist-git branch in F39- Change file transition for systemd-network-generator - Additional support for gnome-initial-setup - Update gnome-initial-setup policy for geoclue - Allow openconnect vpn open vhost net device - Allow cifs.upcall to connect to SSSD also through the /var/run socket - Grant cifs.upcall more required capabilities - Allow xenstored map xenfs files - Update policy for fdo - Allow keepalived watch var_run dirs - Allow svirt to rw /dev/udmabuf - Allow qatlib to modify hardware state information. - Allow key.dns_resolve connect to avahi over a unix stream socket - Allow key.dns_resolve create and use unix datagram socket - Use quay.io as the container image source for CI- ci: Move srpm/rpm build to packit - .copr: Avoid subshell and changing directory - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t - Make insights_client_t an unconfined domain - Allow insights-client manage user temporary files - Allow insights-client create all rpm logs with a correct label - Allow insights-client manage generic logs - Allow cloud_init create dhclient var files and init_t manage net_conf_t - Allow insights-client read and write cluster tmpfs files - Allow ipsec read nsfs files - Make tuned work with mls policy - Remove nsplugin_role from mozilla.if - allow mon_procd_t self:cap_userns sys_ptrace - Allow pdns name_bind and name_connect all ports - Set the MLS range of fsdaemon_t to s0 - mls_systemhigh - ci: Move to actions/checkout@v3 version - .copr: Replace chown call with standard workflow safe.directory setting - .copr: Enable `set -u` for robustness - .copr: Simplify root directory variable- Allow rhsmcertd dbus chat with policykit - Allow polkitd execute pkla-check-authorization with nnp transition - Allow user_u and staff_u get attributes of non-security dirs - Allow unconfined user filetrans chrome_sandbox_home_t - Allow svnserve execute postdrop with a transition - Do not make postfix_postdrop_t type an MTA executable file - Allow samba-dcerpc service manage samba tmp files - Add use_nfs_home_dirs boolean for mozilla_plugin - Fix labeling for no-stub-resolv.conf- Revert "Allow winbind-rpcd use its private tmp files" - Allow upsmon execute upsmon via a helper script - Allow openconnect vpn read/write inherited vhost net device - Allow winbind-rpcd use its private tmp files - Update samba-dcerpc policy for printing - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty - Allow nscd watch system db dirs - Allow qatlib to read sssd public files - Allow fedora-third-party read /sys and proc - Allow systemd-gpt-generator mount a tmpfs filesystem - Allow journald write to cgroup files - Allow rpc.mountd read network sysctls - Allow blueman read the contents of the sysfs filesystem - Allow logrotate_t to map generic files in /etc - Boolean: Allow virt_qemu_ga create ssh directory- Allow systemd-network-generator send system log messages - Dontaudit the execute permission on sock_file globally - Allow fsadm_t the file mounton permission - Allow named and ndc the io_uring sqpoll permission - Allow sssd io_uring sqpoll permission - Fix location for /run/nsd - Allow qemu-ga get fixed disk devices attributes - Update bitlbee policy - Label /usr/sbin/sos with sosreport_exec_t - Update policy for the sblim-sfcb service - Add the files_getattr_non_auth_dirs() interface - Fix the CI to work with DNF5- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild- Make systemd_tmpfiles_t MLS trusted for lowering the level of files - Revert "Allow insights client map cache_home_t" - Allow nfsidmapd connect to systemd-machined over a unix socket - Allow snapperd connect to kernel over a unix domain stream socket - Allow virt_qemu_ga_t create .ssh dir with correct label - Allow targetd read network sysctls - Set the abrt_handle_event boolean to on - Permit kernel_t to change the user identity in object contexts - Allow insights client map cache_home_t - Label /usr/sbin/mariadbd with mysqld_exec_t - Trim changelog so that it starts at F37 time - Define equivalency for /run/systemd/generator.early- Allow httpd tcp connect to redis port conditionally - Label only /usr/sbin/ripd and ripngd with zebra_exec_t - Dontaudit aide the execmem permission - Remove permissive from fdo - Allow sa-update manage spamc home files - Allow sa-update connect to systemlog services - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t - Allow bootupd search EFI directory- Change init_audit_control default value to true - Allow nfsidmapd connect to systemd-userdbd with a unix socket - Add the qatlib module - Add the fdo module - Add the bootupd module - Set default ports for keylime policy - Create policy for qatlib - Add policy for FIDO Device Onboard - Add policy for bootupd - Add the qatlib module - Add the fdo module - Add the bootupd module- Add support for kafs-dns requested by keyutils - Allow insights-client execmem - Add support for chronyd-restricted - Add init_explicit_domain() interface - Allow fsadm_t to get attributes of cgroup filesystems - Add list_dir_perms to kerberos_read_keytab - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t - Allow sendmail manage its runtime files - Allow keyutils_dns_resolver_exec_t be an entrypoint - Allow collectd_t read network state symlinks - Revert "Allow collectd_t read proc_net link files" - Allow nfsd_t to list exports_t dirs - Allow cupsd dbus chat with xdm - Allow haproxy read hardware state information - Add the kafs module- Label /dev/userfaultfd with userfaultfd_t - Allow blueman send general signals to unprivileged user domains - Allow dkim-milter domain transition to sendmail - Label /usr/sbin/cifs.idmap with cifs_helper_exec_t - Allow cifs-helper read sssd kerberos configuration files - Allow rpm_t sys_admin capability - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file - Allow collectd_t read proc_net link files - Allow insights-client getsession process permission - Allow insights-client work with pipe and socket tmp files - Allow insights-client map generic log files - Update cyrus_stream_connect() to use sockets in /run - Allow keyutils-dns-resolver read/view kernel key ring - Label /var/log/kdump.log with kdump_log_t- Add support for the systemd-pstore service - Allow kdumpctl_t to execmem - Update sendmail policy module for opensmtpd - Allow nagios-mail-plugin exec postfix master - Allow subscription-manager execute ip - Allow ssh client connect with a user dbus instance - Add support for ksshaskpass - Allow rhsmcertd file transition in /run also for socket files - Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t - Allow plymouthd read/write X server miscellaneous devices - Allow systemd-sleep read udev pid files - Allow exim read network sysctls - Allow sendmail request load module - Allow named map its conf files - Allow squid map its cache files - Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition- Update policy for systemd-sleep - Remove permissive domain for rshim_t - Remove permissive domain for mptcpd_t - Allow systemd-bootchartd the sys_ptrace userns capability - Allow sysadm_t read nsfs files - Allow sysadm_t run kernel bpf programs - Update ssh_role_template for ssh-agent - Update ssh_role_template to allow read/write unallocated ttys - Add the booth module to modules.conf - Allow firewalld rw ica_tmpfs_t files- Remove permissive domain for cifs_helper_t - Update the cifs-helper policy - Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() - Update pkcsslotd policy for sandboxing - Allow abrt_t read kernel persistent storage files - Dontaudit targetd search httpd config dirs - Allow init_t nnp domain transition to policykit_t - Allow rpcd_lsad setcap and use generic ptys - Allow samba-dcerpcd connect to systemd_machined over a unix socket - Allow wireguard to rw network sysctls - Add policy for boothd - Allow kernel to manage its own BPF objects - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t- Add initial policy for cifs-helper - Label key.dns_resolver with keyutils_dns_resolver_exec_t - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t - Allow some systemd services write to cgroup files - Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files - Allow systemd resolved to bind to arbitrary nodes - Allow plymouthd_t bpf capability to run bpf programs - Allow cupsd to create samba_var_t files - Allow rhsmcert request the kernel to load a module - Allow virsh name_connect virt_port_t - Allow certmonger manage cluster library files - Allow plymouthd read init process state - Add chromium_sandbox_t setcap capability - Allow snmpd read raw disk data - Allow samba-rpcd work with passwords - Allow unconfined service inherit signal state from init - Allow cloud-init manage gpg admin home content - Allow cluster_t dbus chat with various services - Allow nfsidmapd work with systemd-userdbd and sssd - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes - Allow plymouthd map dri and framebuffer devices - Allow rpmdb_migrate execute rpmdb - Allow logrotate dbus chat with systemd-hostnamed - Allow icecast connect to kernel using a unix stream socket - Allow lldpad connect to systemd-userdbd over a unix socket - Allow journalctl open user domain ptys and ttys - Allow keepalived to manage its tmp files - Allow ftpd read network sysctls - Label /run/bgpd with zebra_var_run_t - Allow gssproxy read network sysctls - Add the cifsutils module- Allow telnetd read network sysctls - Allow munin system plugin read generic SSL certificates - Allow munin system plugin create and use netlink generic socket - Allow login_userdomain create user namespaces - Allow request-key to send syslog messages - Allow request-key to read/view any key - Add fs_delete_pstore_files() interface - Allow insights-client work with teamdctl - Allow insights-client read unconfined service semaphores - Allow insights-client get quotas of all filesystems - Add fs_read_pstore_files() interface - Allow generic kernel helper to read inherited kernel pipes- Allow dovecot-deliver write to the main process runtime fifo files - Allow dmidecode write to cloud-init tmp files - Allow chronyd send a message to cloud-init over a datagram socket - Allow cloud-init domain transition to insights-client domain - Allow mongodb read filesystem sysctls - Allow mongodb read network sysctls - Allow accounts-daemon read generic systemd unit lnk files - Allow blueman watch generic device dirs - Allow nm-dispatcher tlp plugin create tlp dirs - Allow systemd-coredump mounton /usr - Allow rabbitmq to read network sysctls- Allow certmonger dbus chat with the cron system domain - Allow geoclue read network sysctls - Allow geoclue watch the /etc directory - Allow logwatch_mail_t read network sysctls - Allow insights-client read all sysctls - Allow passt manage qemu pid sock files- Allow sssd read accountsd fifo files - Add support for the passt_t domain - Allow virtd_t and svirt_t work with passt - Add new interfaces in the virt module - Add passt interfaces defined conditionally - Allow tshark the setsched capability - Allow poweroff create connections to system dbus - Allow wg load kernel modules, search debugfs dir - Boolean: allow qemu-ga manage ssh home directory - Label smtpd with sendmail_exec_t - Label msmtp and msmtpd with sendmail_exec_t - Allow dovecot to map files in /var/spool/dovecot- Confine gnome-initial-setup - Allow qemu-guest-agent create and use vsock socket - Allow login_pgm setcap permission - Allow chronyc read network sysctls - Enhancement of the /usr/sbin/request-key helper policy - Fix opencryptoki file names in /dev/shm - Allow system_cronjob_t transition to rpm_script_t - Revert "Allow system_cronjob_t domtrans to rpm_script_t" - Add tunable to allow squid bind snmp port - Allow staff_t getattr init pid chr & blk files and read krb5 - Allow firewalld to rw z90crypt device - Allow httpd work with tokens in /dev/shm - Allow svirt to map svirt_image_t char files - Allow sysadm_t run initrc_t script and sysadm_r role access - Allow insights-client manage fsadm pid files- Allowing snapper to create snapshots of /home/ subvolume/partition - Add boolean qemu-ga to run unconfined script - Label systemd-journald feature LogNamespace - Add none file context for polyinstantiated tmp dirs - Allow certmonger read the contents of the sysfs filesystem - Add journalctl the sys_resource capability - Allow nm-dispatcher plugins read generic files in /proc - Add initial policy for the /usr/sbin/request-key helper - Additional support for rpmdb_migrate - Add the keyutils module- Boolean: allow qemu-ga read ssh home directory - Allow kernel_t to read/write all sockets - Allow kernel_t to UNIX-stream connect to all domains - Allow systemd-resolved send a datagram to journald - Allow kernel_t to manage and have "execute" access to all files - Fix the files_manage_all_files() interface - Allow rshim bpf cap2 and read sssd public files - Allow insights-client work with su and lpstat - Allow insights-client tcp connect to all ports - Allow nm-cloud-setup dispatcher plugin restart nm services - Allow unconfined user filetransition for sudo log files - Allow modemmanager create hardware state information files - Allow ModemManager all permissions for netlink route socket - Allow wg to send msg to kernel, write to syslog and dbus connections - Allow hostname_t to read network sysctls. - Dontaudit ftpd the execmem permission - Allow svirt request the kernel to load a module - Allow icecast rename its log files - Allow upsd to send signal to itself - Allow wireguard to create udp sockets and read net_conf - Use ' %setup -q ' instead of '%setup' - Pass -p 1 to ' %setup -q '- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild- Allow insights client work with gluster and pcp - Add insights additional capabilities - Add interfaces in domain, files, and unconfined modules - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t - Allow sudodomain use sudo.log as a logfile - Allow pdns server map its library files and bind to unreserved ports - Allow sysadm_t read/write ipmi devices - Allow prosody manage its runtime socket files - Allow kernel threads manage kernel keys - Allow systemd-userdbd the sys_resource capability - Allow systemd-journal list cgroup directories - Allow apcupsd dbus chat with systemd-logind - Allow nut_domain manage also files and sock_files in /var/run - Allow winbind-rpcd make a TCP connection to the ldap port - Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t - Allow tlp read generic SSL certificates - Allow systemd-resolved watch tmpfs directories - Revert "Allow systemd-resolved watch tmpfs directories"- Allow NetworkManager and wpa_supplicant the bpf capability - Allow systemd-rfkill the bpf capability - Allow winbind-rpcd manage samba_share_t files and dirs - Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t - Allow gpsd the sys_ptrace userns capability - Introduce gpsd_tmp_t for sockfiles managed by gpsd_t - Allow load_policy_t write to unallocated ttys - Allow ndc read hardware state information - Allow system mail service read inherited certmonger runtime files - Add lpr_roles to system_r roles - Revert "Allow insights-client run lpr and allow the proper role" - Allow stalld to read /sys/kernel/security/lockdown file - Allow keepalived to set resource limits - Add policy for mptcpd - Add policy for rshim - Allow admin users to create user namespaces - Allow journalctl relabel with var_log_t and syslogd_var_run_t files - Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted - Trim changelog so that it starts at F35 time - Add mptcpd and rshim modules- Allow insights-client dbus chat with various services - Allow insights-client tcp connect to various ports - Allow insights-client run lpr and allow the proper role - Allow insights-client work with pcp and manage user config files - Allow redis get user names - Allow kernel threads to use fds from all domains - Allow systemd-modules-load load kernel modules - Allow login_userdomain watch systemd-passwd pid dirs - Allow insights-client dbus chat with abrt - Grant kernel_t certain permissions in the system class - Allow systemd-resolved watch tmpfs directories - Allow systemd-timedated watch init runtime dir - Make `bootc` be `install_exec_t` - Allow systemd-coredump create user_namespace - Allow syslog the setpcap capability - donaudit virtlogd and dnsmasq execmem- Don't make kernel_t an unconfined domain - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition - Allow kernel_t to execute systemctl to do a poweroff/reboot - Grant basic permissions to the domain created by systemd_systemctl_domain() - Allow kernel_t to request module loading - Allow kernel_t to do compute_create - Allow kernel_t to manage perf events - Grant almost all capabilities to kernel_t - Allow kernel_t to fully manage all devices - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" - Allow pulseaudio to write to session_dbusd tmp socket files - Allow systemd and unconfined_domain_type create user_namespace - Add the user_namespace security class - Reuse tmpfs_t also for the ramfs filesystem - Label udf tools with fsadm_exec_t - Allow networkmanager_dispatcher_plugin work with nscd - Watch_sb all file type directories. - Allow spamc read hardware state information files - Allow sysadm read ipmi devices - Allow insights client communicate with cupsd, mysqld, openvswitch, redis - Allow insights client read raw memory devices - Allow the spamd_update_t domain get generic filesystem attributes - Dontaudit systemd-gpt-generator the sys_admin capability - Allow ipsec_t only read tpm devices - Allow cups-pdf connect to the system log service - Allow postfix/smtpd read kerberos key table - Allow syslogd read network sysctls - Allow cdcc mmap dcc-client-map files - Add watch and watch_sb dosfs interface- Revert "Allow sysadm_t read raw memory devices" - Allow systemd-socket-proxyd get attributes of cgroup filesystems - Allow rpc.gssd read network sysctls - Allow winbind-rpcd get attributes of device and pty filesystems - Allow insights-client domain transition on semanage execution - Allow insights-client create gluster log dir with a transition - Allow insights-client manage generic locks - Allow insights-client unix_read all domain semaphores - Add domain_unix_read_all_semaphores() interface - Allow winbind-rpcd use the terminal multiplexor - Allow mrtg send mails - Allow systemd-hostnamed dbus chat with init scripts - Allow sssd dbus chat with system cronjobs - Add interface to watch all filesystems - Add watch_sb interfaces - Add watch interfaces - Allow dhcpd bpf capability to run bpf programs - Allow netutils and traceroute bpf capability to run bpf programs - Allow pkcs_slotd_t bpf capability to run bpf programs - Allow xdm bpf capability to run bpf programs - Allow pcscd bpf capability to run bpf programs - Allow lldpad bpf capability to run bpf programs - Allow keepalived bpf capability to run bpf programs - Allow ipsec bpf capability to run bpf programs - Allow fprintd bpf capability to run bpf programs - Allow systemd-socket-proxyd get filesystems attributes - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files- Allow rotatelogs read httpd_log_t symlinks - Add winbind-rpcd to samba_enable_home_dirs boolean - Allow system cronjobs dbus chat with setroubleshoot - Allow setroubleshootd read device sysctls - Allow virt_domain read device sysctls - Allow rhcd compute selinux access vector - Allow insights-client manage samba var dirs - Label ports 10161-10162 tcp/udp with snmp - Allow aide to connect to systemd_machined with a unix socket. - Allow samba-dcerpcd use NSCD services over a unix stream socket - Allow vlock search the contents of the /dev/pts directory - Allow insights-client send null signal to rpm and system cronjob - Label port 15354/tcp and 15354/udp with opendnssec - Allow ftpd map ftpd_var_run files - Allow targetclid to manage tmp files - Allow insights-client connect to postgresql with a unix socket - Allow insights-client domtrans on unix_chkpwd execution - Add file context entries for insights-client and rhc - Allow pulseaudio create gnome content (~/.config) - Allow login_userdomain dbus chat with rhsmcertd - Allow sbd the sys_ptrace capability - Allow ptp4l_t name_bind ptp_event_port_t- Remove the ipa module - Allow sss daemons read/write unnamed pipes of cloud-init - Allow postfix_mailqueue create and use unix dgram sockets - Allow xdm watch user home directories - Allow nm-dispatcher ddclient plugin load a kernel module - Stop ignoring standalone interface files - Drop cockpit module - Allow init map its private tmp files - Allow xenstored change its hard resource limits - Allow system_mail-t read network sysctls - Add bgpd sys_chroot capability- nut-upsd: kernel_read_system_state, fs_getattr_cgroup - Add numad the ipc_owner capability - Allow gst-plugin-scanner read virtual memory sysctls - Allow init read/write inherited user fifo files - Update dnssec-trigger policy: setsched, module_request - added policy for systemd-socket-proxyd - Add the new 'cmd' permission to the 'io_uring' class - Allow winbind-rpcd read and write its key ring - Label /run/NetworkManager/no-stub-resolv.conf net_conf_t - blueman-mechanism can read ~/.local/lib/python*/site-packages directory - pidof executed by abrt can readlink /proc/*/exe - Fix typo in comment - Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum- Allow tor get filesystem attributes - Allow utempter append to login_userdomain stream - Allow login_userdomain accept a stream connection to XDM - Allow login_userdomain write to boltd named pipes - Allow staff_u and user_u users write to bolt pipe - Allow login_userdomain watch various directories - Update rhcd policy for executing additional commands 5 - Update rhcd policy for executing additional commands 4 - Allow rhcd create rpm hawkey logs with correct label - Allow systemd-gpt-auto-generator to check for empty dirs - Update rhcd policy for executing additional commands 3 - Allow journalctl read rhcd fifo files - Update insights-client policy for additional commands execution 5 - Allow init remount all file_type filesystems - Confine insights-client systemd unit - Update insights-client policy for additional commands execution 4 - Allow pcp pmcd search tracefs and acct_data dirs - Allow httpd read network sysctls - Dontaudit domain map permission on directories - Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" - Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" - Update insights-client policy for additional commands execution 3 - Allow systemd permissions needed for sandboxed services - Add rhcd module - Make dependency on rpm-plugin-selinux unordered- Allow ipsec_t read/write tpm devices - Allow rhcd execute all executables - Update rhcd policy for executing additional commands 2 - Update insights-client policy for additional commands execution 2 - Allow sysadm_t read raw memory devices - Allow chronyd send and receive chronyd/ntp client packets - Allow ssh client read kerberos homedir config files - Label /var/log/rhc-worker-playbook with rhcd_var_log_t - Update insights-client policy (auditctl, gpg, journal) - Allow system_cronjob_t domtrans to rpm_script_t - Allow smbd_t process noatsecure permission for winbind_rpcd_t - Update tor_bind_all_unreserved_ports interface - Allow chronyd bind UDP sockets to ptp_event ports. - Allow unconfined and sysadm users transition for /root/.gnupg - Add gpg_filetrans_admin_home_content() interface - Update rhcd policy for executing additional commands - Update insights-client policy for additional commands execution - Add userdom_view_all_users_keys() interface - Allow gpg read and write generic pty type - Allow chronyc read and write generic pty type - Allow system_dbusd ioctl kernel with a unix stream sockets - Allow samba-bgqd to read a printer list - Allow stalld get and set scheduling policy of all domains. - Allow unconfined_t transition to targetclid_home_t- Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher sendmail plugin get status of systemd services - Allow xdm read the kernel key ring - Allow login_userdomain check status of mount units - Allow postfix/smtp and postfix/virtual read kerberos key table - Allow services execute systemd-notify - Do not allow login_userdomain use sd_notify() - Allow launch-xenstored read filesystem sysctls - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd - Allow openvswitch fsetid capability - Allow openvswitch use its private tmpfs files and dirs - Allow openvswitch search tracefs dirs - Allow pmdalinux read files on an nfsd filesystem - Allow winbind-rpcd write to winbind pid files - Allow networkmanager to signal unconfined process - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t - Allow samba-bgqd get a printer list - fix(init.fc): Fix section description - Allow fedora-third-party read the passwords file - Remove permissive domain for rhcd_t - Allow pmie read network state information and network sysctls - Revert "Dontaudit domain the fowner capability" - Allow sysadm_t to run bpftool on the userdomain attribute - Add the userdom_prog_run_bpf_userdomain() interface - Allow insights-client rpm named file transitions - Add /var/tmp/insights-archive to insights_client_filetrans_named_content- Allow sa-update to get init status and start systemd files - Use insights_client_filetrans_named_content - Make default file context match with named transitions - Allow nm-dispatcher tlp plugin send system log messages - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket - Add permissions to manage lnk_files into gnome_manage_home_config - Allow rhsmcertd to read insights config files - Label /etc/insights-client/machine-id - fix(devices.fc): Replace single quote in comment to solve parsing issues - Make NetworkManager_dispatcher_custom_t an unconfined domain- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild- Update winbind_rpcd_t - Allow some domains use sd_notify() - Revert "Allow rabbitmq to use systemd notify" - fix(sedoctool.py): Fix syntax warning: "is not" with a literal - Allow nm-dispatcher console plugin manage etc files - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs - Allow nm-dispatcher console plugin setfscreate - Support using systemd-update-helper in rpm scriptlets - Allow nm-dispatcher winbind plugin read samba config files - Allow domain use userfaultfd over all domains - Allow cups-lpd read network sysctls- Allow stalld set scheduling policy of kernel threads - Allow targetclid read /var/target files - Allow targetclid read generic SSL certificates (fixed) - Allow firewalld read the contents of the sysfs filesystem - Fix file context pattern for /var/target - Use insights_client_etc_t in insights_search_config() - Allow nm-dispatcher ddclient plugin handle systemd services - Allow nm-dispatcher winbind plugin run smbcontrol - Allow nm-dispatcher custom plugin create and use unix dgram socket - Update samba-dcerpcd policy for kerberos usage 2 - Allow keepalived read the contents of the sysfs filesystem - Allow amandad read network sysctls - Allow cups-lpd read network sysctls - Allow kpropd read network sysctls - Update insights_client_filetrans_named_content() - Allow rabbitmq to use systemd notify - Label /var/target with targetd_var_t - Allow targetclid read generic SSL certificates - Update rhcd policy - Allow rhcd search insights configuration directories - Add the kernel_read_proc_files() interface - Require policycoreutils >= 3.4-1 - Add a script for enclosing interfaces in ifndef statements - Disable rpm verification on interface_info- Allow transition to insights_client named content - Add the insights_client_filetrans_named_content() interface - Update policy for insights-client to run additional commands 3 - Allow dhclient manage pid files used by chronyd - Allow stalld get scheduling policy of kernel threads - Allow samba-dcerpcd work with sssd - Allow dlm_controld send a null signal to a cluster daemon - Allow ksmctl create hardware state information files - Allow winbind_rpcd_t connect to self over a unix_stream_socket - Update samba-dcerpcd policy for kerberos usage - Allow insights-client execute its private memfd: objects - Update policy for insights-client to run additional commands 2 - Use insights_client_tmp_t instead of insights_client_var_tmp_t - Change space indentation to tab in insights-client - Use socket permissions sets in insights-client - Update policy for insights-client to run additional commands - Change rpm_setattr_db_files() to use a pattern - Allow init_t to rw insights_client unnamed pipe - Add rpm setattr db files macro - Fix insights client - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling - Allow rabbitmq to access its private memfd: objects - Update policy for samba-dcerpcd - Allow stalld setsched and sys_nice- Allow auditd_t noatsecure for a transition to audisp_remote_t - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket - Allow pcp_domain execute its private memfd: objects - Add support for samba-dcerpcd - Add policy for wireguard - Confine targetcli - Allow systemd work with install_t unix stream sockets - Allow iscsid the sys_ptrace userns capability - Allow xdm connect to unconfined_service_t over a unix stream socket- Allow nm-dispatcher custom plugin execute systemctl - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher custom plugin create and use udp socket - Allow nm-dispatcher custom plugin create and use netlink_route_socket - Use create_netlink_socket_perms in netlink_route_socket class permissions - Add support for nm-dispatcher sendmail scripts - Allow sslh net_admin capability - Allow insights-client manage gpg admin home content - Add the gpg_manage_admin_home_content() interface - Allow rhsmcertd create generic log files - Update logging_create_generic_logs() to use create_files_pattern() - Label /var/cache/insights with insights_client_cache_t - Allow insights-client search gconf homedir - Allow insights-client create and use unix_dgram_socket - Allow blueman execute its private memfd: files - Move the chown call into make-srpm.sh- Use the networkmanager_dispatcher_plugin attribute in allow rules - Make a custom nm-dispatcher plugin transition - Label port 4784/tcp and 4784/udp with bfd_multi - Allow systemd watch and watch_reads user ptys - Allow sblim-gatherd the kill capability - Label more vdsm utils with virtd_exec_t - Add ksm service to ksmtuned - Add rhcd policy - Dontaudit guest attempts to dbus chat with systemd domains - Dontaudit guest attempts to dbus chat with system bus types - Use a named transition in systemd_hwdb_manage_config() - Add default fc specifications for patterns in /opt - Add the files_create_etc_files() interface - Allow nm-dispatcher console plugin create and write files in /etc - Allow nm-dispatcher console plugin transition to the setfiles domain - Allow more nm-dispatcher plugins append to init stream sockets - Allow nm-dispatcher tlp plugin dbus chat with nm - Reorder networkmanager_dispatcher_plugin_template() calls - Allow svirt connectto virtlogd - Allow blueman map its private memfd: files - Allow sysadm user execute init scripts with a transition - Allow sblim-sfcbd connect to sblim-reposd stream - Allow keepalived_unconfined_script_t dbus chat with init - Run restorecon with "-i" not to report errors- Fix users for SELinux userspace 3.4 - Label /var/run/machine-id as machineid_t - Add stalld to modules.conf - Use files_tmpfs_file() for rhsmcertd_tmpfs_t - Allow blueman read/write its private memfd: objects - Allow insights-client read rhnsd config files - Allow insights-client create_socket_perms for tcp/udp sockets/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh 38.28-1.fc3938.28-1.fc3938.28-1.fc39 selinuxconfigselinuxmacros.selinux-policyselinux-check-proper-disable.serviceselinux-policy.confselinux-policyCOPYINGselinuxpackages/etc//etc/selinux//etc/sysconfig//usr/lib/rpm/macros.d//usr/lib/systemd/system//usr/lib/tmpfiles.d//usr/share/licenses//usr/share/licenses/selinux-policy//usr/share//usr/share/selinux/-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protectioncpiozstd19noarch-redhat-linux-gnudirectoryemptyUnicode text, UTF-8 textASCII textPPPPPPPPP P P P P Phttps://bugz.fedoraproject.org/selinux-policyselinux-policy-targetedutf-8286384dbddaf3409c207148c6f755891b051b210700bc9ea327ffb08f5a3a8c731739e7b971c1dc365dad51e8becce709c19142c46af36d08639770c24806a08?0(/h d(?ks Y+eT,i)d:c"[Vw_jWkMG\P;.ű'Xė@`_NjeKBZwMeh/zRa+q't0iB^rG㵄~Y(M~dWBM2F14}t6A%$UX# `B1IX1UA ,*+Si4U*!X [zn8/~Gȴvgw: c q<jr4T0qTy6$/۴^p҇+Nox|j0EIa+ @*"slz=ņ0&I{CR+MEHIk%X vr, 4 k7OJce~}".KHЀJ+:CX^["%+Y5SsOO [Qɥ߭cw2=&9֙w$_t.j~gBqۓ+ɦ:>O]ngǁ0 ~ow29 !b}rJa&}-Q X(.A/VzaY1eوIDDXeU`% dX b(Nv&dR 0 HVz=BǂsM?{`P/Kl9{G~Y=T}c J |jC! ( DZX6bhOJ% #5CJO=;mDKG4|+= =`A w^*0ゑXb-K `dH9i@AAZOHY@YT CX~ ;8TZ?,6^)ºRe0( bɒP+l|`gag煲~B4†=}.^#쾎,.?uHgRI#!5ud.uΛY.mro=adJ,M߉ 'K0%k²h"|a^ N]tEZ6p-cYB9}'cw]>v-GJȠ`&"Yך݄IIJAKJݟu7՗Cg8Ha$d:A^d-g 0TUylp; pҺHe% gV k-wLhtMfgTB)*A0g}4MĞFFwt." yI4tϖ~p? 畱wpm#5Oïjtx( q Cih\2& cQ\x(Be*h0 ƺTJNT ú::tHVWq&,``2 DF,Ǣ6], Ret TQ<*a`84{PC4撱 u*ƪVX D:Tâ:USa`4ј`q<f,ӱ*h\ҨMu٩ sAm6v\x؄NkYc v燲ț}:Sג&od&٥d#MK]d_&tR]R1. !g|Ds)E3c@ &6]D M"$*F)1(Aа0mu8Ż".N7Gn{R1`3Tz.$BV"Z+%LJtNYٻdנ@W{%PCȳ]H %q9ѾʧŮ]ڊeax]NmӿK"$[dɷmI?SR^e(= -dp1P7*գSVukdNZAٯ69Ȭ]m +; ρ/ fYCsSymQZ09GZsTL-y\?5bG-I+w?S~+!-:z[.l4 ]7kTo '{HE!@LI%JFn-̋΀v-rT A?qguC ؘ{2',ʒS$J}I[A Ք1sy@I'70q?dUAkqz%w}qn#-;zyWHN'6 y J#1/?6  $x/[ ׆@\ S#E;|zp^$<3;NlTfq BiF;t D0;؆u׿cGkJӶT\r!*^n m鳃]\D_I(Vwӻ9'T& `N6^,fbK.]1e*7$o㯹іT(^FuV@U":]M8 So/#O9^;=z9pTaa,g8{:$go kmt'mXyUKB`$iq A71W`d)F1I[ 6m^Uo|֖*BA-m4X6n'2xBIp[+T=/,hGJ8ߴ¯8+9갧"[Q5P=D.Bn>ԝ1~7B'>nMoJ4N'Ą4:TI/iY܏Ŧ]m> 52MԘT 3Ũj7 tN7dޑm-!\v}+:` eO ϑ"c]%P 6b$3JRGE3SB~*}D2x>o )3>s59k]q32Y@Dbvg!Ԟށaa9:JpA$#LM+-&ɤfRSa_)7 >~E%` d֞A! 3h)" >3]'R}I8::]i"G^O $Yb^zXoͫkGbc- 8M䤤'kDC["PBG2: RP6PFa@_`3\pM BL30K&.v(7-t2nKI"xcM"hO7i,ocjz\_jsj=W |AH(]F Zޅ7kRALhtvWj'L4ˇGfrPJ`NC>|/)YZ>k!eH}۱$=.,Y::+dnJN&\ ·9b> "7K/]M. sިõّQ$Sf=i-񲍡,A WB^lc&T֔{<@0zH7uZ*N ktTlي.Ed%s\kH3 *Oyl'o.;w}yH^O9L\unkE>tXC)T1Bl1_8\_#e h̻<- o.(4ZA# UInF%sk<-OLr&2-3s!N6mv+#V%ӡٸ'b~R M< ٓn8L-B״D'*C t6@`)rARwiXX򱈀b{ |eߵ9GDvR{?d gNRxfgpZeؙ(qMIu h>w4u 19}"b"09`k V3BGSMNdƋҝ!qD g(N\ F. "^G(5]VTP;2@K iN4Sݼ38=/)3|((LT䱜xt4+f8u8vl$?)sBu[)Vg6-#~}D\Yǚ~4瑉sy:*Ng"ͷAүQfү"Iw&g'}ݸS@K@̤RנhD-!?czX"Kyi᝖4>4-Ų礙d>?l^M JEE#!tQü@'0rg:X+@S0j+K@Lj"c0>/1uX?VZM,m ~AehVET!m) ~*},Pf#5O]24N>U=뭻w :uz$xaIzuy:L{X.VE)wI~ yE|溾 ;.GoIx3溻OiI'q6UFc\[eȩ&4 `Yn+"IQH[Y_aك7gXl8jQ2mAFEDlN9!eTkrZfű>l6W|TWR m; i_UJU߭ =Ud_Kdx޸mA23,1c81ʹ>NN%"8c.M^BD2RN>73?ˮhg#N(AA.`| <\C $$ǹ!5)=)uj3 8 u=!$>}U}Ǣ18+`4ϭUoX TS$%X&y{MX">.C|+8w S a@~"d!ӫ?+oL8\Kq0P]8evȟSQj3JY1?F|\<@N*קC:BE}h2a HL~:nE*[p,5س:^ /ÚUeg9D>As16rLabBOgb~pڮ^!0:"i7Nz3.Եq`S{,}l_}yd-1|ܔEҦ= my$4tG A:>Ի~ 4JM9YtVPj7ՙ#إ+ ` [ƺC1f´ZZ[ B$.BLm+'?:o!&7% ( FHu= neVT|y$L)H'S6r6u?m"0r}sm? |A%Zb!2m0Hy[ Ab :sՀ^ tZJ@kBg;;]>zn8O" F$jTKhDlZAk-|Fte3Lê,ߧ߬U I+fb|xKdhTg1 D7 c¯FsA5<3d0L*Q"rݰgf0|'퐠Hy H \?[g}JW^yv'M hnq5d슅G-fBJ @I9蛼;7^(U-QTJvX`?Fs}Nh~16X_K&7M`lЎq=wzLawa2Z4dBf}(X6H8 yCfj:[݄e`-rձ"V4e F1*`%7ue"Hy6Π "gt3hSE\