selinux-policy-41.34-1.fc42 >t 5 5^ lpt 2!XPȬI^Dg ȬI^Di XN6wna/(a"x9՚Mg8: j[ >u(%`/S 1!|m3 SM7ӜyW턎S4C &giAeRŁ~M֏@ߒό1Pj:wd 3޿.LWeZ0dI ϪSW5oT hԉo\@Sm윛#&fk4|yY91نPQDxLB\; ތ (sUfD1)΢ I"VO4Aճ؏n42ěd$b#+ qG )RK@ >i}]N,_gnprTٗm*.ՏsΊJϑ :8>!S9jI}wF./GHz(OA Q%t'=溕9MY/~mv9 j`&'݉ Hw|4Y6a5faaa8d1570319a6c8221860466953e2e98609fb0f553653fd799305dc1e7c1788596ecf5273c04e68db403d49edf52ff48e3203020462f02aa40047304502203c0bf23f674c9f5c511b17a3f4227a9fd2180361c87f1fd522cb54f983800208022100b48af18a5e01f5a8963ac82e9302204902830d2f7b5fd3766560516bb06e871003020462f02aa4004730450221009bc5996a6ebd15601a99cdc05cdbf9fcbc967000fa66eacc1d6da2c320b781550220259d25e4c8a2be440c881a36c3ca883566dd920dd220c63723953efbd0b8183b03020462f02aa40047304502207176c372b88e7b4455f62a6d25758e17f51b03d7935367249b6a6f26332b152b022100e609b8fe0b1c3d787765092d9cae571ebdf218555f3c1ee9fc297f3f4ff82fa103020462f02aa4004830460221008f6089ea13c6e4fb2f177cab9a1081564e942cfe74091c5dac527c2ee77f67fa022100d74586e0b49ead417fbc2cb9f67ea12e63108667a4bd65c871e5e96f918f43f403020462f02aa400473045022100bb77ba6871f675acc0a9b6200f73efc85934e31a42d84af1490b88e89311053a022030b792bdc4848383b309f1c14550f165715cc3a7b963ccbf05a6dba8d1c2184903020462f02aa40046304402205b2299444c374e42a432037eb3c02d63b50963dba813d3faf1de6f197d197f25022070b1829c3c64d5a2fe2362bc4520f1348e48463a985835c528d43d3b2e2e7cc5QUϭ;4x#}8/>`M~?~ d  ; .:kqx  (   @   X         P     <() * + , - 8(9(:(>w?w@wDw Gwp Hw Iw XwYx \xX ]x ^y; bzd{e{f{l{t{ u{ v|(w| x| y|}0}4}b}z}|}}}}Cselinux-policy41.341.fc42SELinux policy configurationSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.gbuildvm-s390x-04.s390.fedoraproject.org}Fedora ProjectFedora ProjectGPL-2.0-or-laterFedora ProjectUnspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarch if [ $1 -eq 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Initial installation /usr/lib/systemd/systemd-update-helper install-system-units selinux-check-proper-disable.service || : fi if [ ! -s /etc/selinux/config ]; then # # New install so we will default to targeted policy # echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > /etc/selinux/config ln -sf ../selinux/config /etc/sysconfig/selinux /usr/bin/restorecon /etc/selinux/config 2> /dev/null || : else . /etc/selinux/config fi exit 0 if [ $1 -eq 0 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Package removal, not upgrade /usr/lib/systemd/systemd-update-helper remove-system-units selinux-check-proper-disable.service || : fi if [ $1 = 0 ]; then /usr/bin/setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi exit 0  FYA큤A큤AAg7g7g7g7g7g7g7g7g7g7g7g749262cec44d1544f8e14eb3f5846e84ce07807b2929eb9245ccfa56a43272f37b3240fd7982059a65867f81ebab303d478bd1c29b1559bdcb2ba70781916b1ae8a0beca7f576064bfe85859d53e85dfc31157974115cac99b4e52ae31b77b1859f160248f1f51abdc3cd7cf98b41dbf09991098e26bc7932b158095580cde754ce909c918cdaf8957be2e3881cc4be186a9a7b77913ef8836d576cdc273d6313204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994Q@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-41.34-1.fc42.src.rpmconfig(selinux-policy)rpm_macro(_file_context_file)rpm_macro(_file_context_file_pre)rpm_macro(_file_custom_defined_booleans)rpm_macro(_file_custom_defined_booleans_tmp)rpm_macro(_selinux_policy_version)rpm_macro(_selinux_store_path)rpm_macro(_selinux_store_policy_path)rpm_macro(selinux_modules_install)rpm_macro(selinux_modules_uninstall)rpm_macro(selinux_relabel_post)rpm_macro(selinux_relabel_pre)rpm_macro(selinux_requires)rpm_macro(selinux_set_booleans)rpm_macro(selinux_unset_booleans)selinux-policyselinux-policy-base  @       (rpm-plugin-selinux if rpm-libs)/bin/awk/bin/sh/bin/sh/bin/sh/bin/sh/usr/bin/bash/usr/bin/sha512sumconfig(selinux-policy)policycoreutilsrpmlib(BuiltinLuaScripts)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsZstd)rpmlib(RichDependencies)selinux-policy-any41.34-1.fc423.84.2.2-13.0.4-14.6.0-14.0-15.4.18-14.12.0-141.34-1.fc424.20.0/usr/bin/selinuxenabled && /usr/bin/semodule -nB 2> /dev/null exit 0/usr/libexec/selinux/binsbin-convert.sh targeted /usr/bin/restorecon /usr/sbin/fapolicyd*/usr/libexec/selinux/binsbin-convert.sh targeted /usr/bin/restorecon /usr/sbin/usbguard* if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_varrun/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_varrun") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_varrun/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_varrun") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_binsbin/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_binsbin") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_binsbin/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_binsbin") end/usr/libexec/selinux/varrun-convert.sh targeted exit 0/usr/libexec/selinux/varrun-convert.sh targeted exit 0/usr/libexec/selinux/binsbin-convert.sh targeted exit 0/usr/libexec/selinux/binsbin-convert.sh targeted exit 0container-selinuxcontainer-selinuxfapolicyd-selinuxfapolicyd-selinuxfapolicyd-selinuxpcp-selinuxpcp-selinuxpcre2usbguard-selinuxusbguard-selinuxusbguard-selinux  gggRg@gu@g@gw@gaggM@g<}g@g@gB@gg @f@ffffffbf@f@f'@f>@fIff`f@f@fwfwf~fr@fqvfp%@fh<@fb@f]@Zdenek Pytela - 41.34-1Zdenek Pytela - 41.33-1Zdenek Pytela - 41.32-1Zdenek Pytela - 41.31-1Zdenek Pytela - 41.30-1Zdenek Pytela - 41.29-1Zdenek Pytela - 41.28-1Zdenek Pytela - 41.27-1Petr Lautrbach - 41.26-2Zdenek Pytela - 41.26-1Zdenek Pytela - 41.25-1Zdenek Pytela - 41.24-1Zdenek Pytela - 41.23-1Zdenek Pytela - 41.22-1Zdenek Pytela - 41.21-1Zdenek Pytela - 41.20-1Zdenek Pytela - 41.19-1Petr Lautrbach - 41.18-1Zdenek Pytela - 41.17-2Petr Lautrbach - 41.17-1Zdenek Pytela - 41.16-1Zdenek Pytela - 41.15-1Zdenek Pytela - 41.14-1Zdenek Pytela - 41.13-1Zdenek Pytela - 41.12-1Zdenek Pytela - 41.11-1Zdenek Pytela - 41.10-1Fedora Release Engineering - 41.9-2Zdenek Pytela - 41.9-1Petr Lautrbach 41.8-4Zbigniew Jędrzejewski-Szmek - 41.8-3Petr Lautrbach 41.8-2Zdenek Pytela - 41.8-1Zdenek Pytela - 41.7-1Zdenek Pytela - 41.6-1Zdenek Pytela - 41.5-1Zdenek Pytela - 41.4-1Zdenek Pytela - 41.3-1Zdenek Pytela - 41.2-1Zdenek Pytela - 41.1-1- Add context for plymouth debug log files - Allow rlimit inheritance for domains transitioning to local_login_t - Update insights-core policy - Allow insights-core map all non-security files - Allow insights-core map audit config and log files - Allow insights-client manage insights_client_var_log_t files - Remove duplicate dev_rw_dma_dev(xdm_t) - Allow thumbnailer read and write the dma device - Allow named_filetrans_domain filetrans raid/mdadm named content - Allow afterburn to mount and read config drives - Allow mptcpd the net_admin capability- Allow systemd-networkd the sys_admin capability - Update systemd-networkd policy in systemd v257 - Separate insights-core from insights-client - Removed unused insights_client interfaces calls from other modules - Update policy for insights_client wrt new rules for insights_core_t - Add policy for insights-core - Allow systemd-networkd use its private tmpfs files - Allow boothd connect to systemd-machined over a unix socket - Update init_explicit_domain() interface - Allow tlp to read/write nmi_watchdog state information - Allow power-profiles-daemon the bpf capability - Allow svirt_t to connect to nbdkit over a unix stream socket - Update ktlshd policy to read /proc/keys and domain keyrings - Allow virt_domain read hardware state information unconditionally - Allow init mounton crypto sysctl files - Rename winbind_rpcd_* types to samba_dcerpcd_* - Support peer-to-peer migration of vms using ssh- Allow virtqemud use hostdev usb devices conditionally - Allow virtqemud map svirt_image_t plain files - Allow virtqemud work with nvdimm devices - Support saving and restoring a VM to/from a block device - Allow virtnwfilterd dbus chat with firewalld - Dontaudit systemd-logind remove all files - Add the files_dontaudit_read_all_dirs() interface - Add the files_dontaudit_delete_all_files() interface - Allow rhsmcertd notify virt-who - Allow irqbalance to run unconfined scripts conditionally- Allow snapperd execute systemctl in the caller domain - Allow svirt_tcg_t to connect to nbdkit over a unix stream socket - Allow iio-sensor-proxy read iio devices - Label /dev/iio:device[0-9]+ devices - Allow systemd-coredump the sys_admin capability - Allow apcupsd's apccontrol to send messages using wall - contrib/thumb: also allow per-user thumbnailers - contrib/thumb: fix thunar thumbnailer (rhbz#2315893) - Allow virt_domain to use pulseaudio - conditional - Allow pcmsensor read nmi_watchdog state information - Allow init_t nnp domain transition to gssproxy_t- Allow systemd-generator connect to syslog over a unix stream socket - Allow virtqemud manage fixed disk device nodes - Allow iio-sensor-proxy connect to syslog over a unix stream socket - Allow virtstoraged write to sysfs files - Allow power-profiles-daemon write sysfs files - Update iiosensorproxy policy - Allow pcmsensor write nmi_watchdog state information - Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t - Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type - Add the gpg_read_user_secrets() interface - Allow gnome-remote-desktop read resolv.conf - Update switcheroo policy - Allow nfsidmap connect to systemd-homed over a unix socket - Add the auth_write_motd_var_run_files() interface - Add the bind_exec_named_checkconf() interface - Add the virt_exec_virsh() interface- Allow virtqemud domain transition to nbdkit - Add nbdkit interfaces defined conditionally - Allow samba-bgqd connect to cupsd over an unix domain stream socket - Confine the switcheroo-control service - Allow svirt_t read sysfs files - Add rhsmcertd interfaces - Add the ssh_exec_sshd() interface - Add the gpg_domtrans_agent() interface - Label /usr/bin/dnf5 with rpm_exec_t - Label /dev/pmem[0-9]+ with fixed_disk_device_t - allow kdm to create /root/.kde/ with correct label - Change /usr/sbin entries to use /usr/bin or remove them - Allow systemd-homed get filesystem quotas - Allow login_userdomain getattr nsfs files - Allow virtqemud send a generic signal to the ssh client domain - Dontaudit request-key read /etc/passwd- Update virtqemud policy regarding the svirt_tcg_t domain - Allow virtqemud domain transition on numad execution - Support virt live migration using ssh - Allow virtqemud permissions needed for live migration - Allow virtqemud the getpgid process permission - Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on - Allow virtqemud relabelfrom virt_log_t files - Allow virtqemud relabel tun_socket - Add policy for systemd-import-generator - Confine vsftpd systemd system generator - Allow virtqemud read and write sgx_vepc devices - Allow systemd-networkd list cgroup directories - Allow xdm dbus chat with power-profiles-daemon - Allow ssh_t read systemd config files - Add Valkey rules to Redis module- Update ktlsh policy - Allow request-key to read /etc/passwd - Allow request-key to manage all domains' keys - Add support for the KVM guest memfd anon inodes - Allow auditctl signal auditd - Dontaudit systemd-coredump the sys_resource capability - Allow traceroute_t bind rawip sockets to unreserved ports - Fix the cups_read_pid_files() interface to use read_files_pattern - Allow virtqemud additional permissions for tmpfs_t blk devices - Allow virtqemud rw access to svirt_image_t chr files - Allow virtqemud rw and setattr access to fixed block devices - Label /etc/mdevctl.d/scripts.d with bin_t - Allow virtqemud open svirt_devpts_t char files - Allow virtqemud relabelfrom virt_log_t files - Allow svirt_tcg_t read virtqemud_t fifo_files - Allow virtqemud rw and setattr access to sev devices - Allow virtqemud directly read and write to a fixed disk - Allow virtqemud_t relabel virt_var_lib_t files - Allow virtqemud_t relabel virtqemud_var_run_t sock_files - Add gnome_filetrans_gstreamer_admin_home_content() interface - Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t - Make bootupd_t permissive - Allow init_t nnp domain transition to locate_t - allow gdm and iiosensorproxy talk to each other via D-bus - Allow systemd-journald getattr nsfs files - Allow sendmail to map mail server configuration files - Allow procmail to read mail aliases - Allow cifs.idmap helper to set attributes on kernel keys - Allow irqbalance setpcap capability in the user namespace - Allow sssd_selinux_manager_t the setcap process permission - Allow systemd-sleep manage efivarfs files - Allow systemd-related domains getattr nsfs files - Allow svirt_t the sys_rawio capability - Allow alsa watch generic device directories - Move systemd-homed interfaces to seperate optional_policy block - Update samba-bgqd policy - Update virtlogd policy - Allow svirt_t the sys_rawio capability - Allow qemu-ga the dac_override and dac_read_search capabilities - Allow bacula execute container in the container domain - Allow httpd get attributes of dirsrv unit files - Allow samba-bgqd read cups config files - Add label rshim_var_run_t for /run/rshim.pid- Rebuild with SELinux Userspace 3.8- [5/5][sync from 'mysql-selinux'] Add mariadb-backup - [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock' - [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2 - [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705 - [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname' - Allow systemd-networkd read mount pid files - Update policy for samba-bgqd - Allow chronyd read networkmanager's pid files - Allow staff user connect to generic tcp ports - Allow gnome-remote-desktop dbus chat with policykit - Allow tlp the setpgid process permission - Update the bootupd policy - Allow sysadm_t use the io_uring API - Allow sysadm user dbus chat with virt-dbus - Allow virtqemud_t read virsh_t files - Allow virt_dbus_t connect to virtd_t over a unix stream socket - Allow systemd-tpm2-generator read hardware state information - Allow coreos-installer-generator execute generic programs - Allow coreos-installer domain transition on udev execution - Revert "Allow unconfined_t execute kmod in the kmod domain" - Allow iio-sensor-proxy create and use unix dgram socket - Allow virtstoraged read vm sysctls - Support ssh connections via systemd-ssh-generator - Label all semanage store files in /etc as semanage_store_t - Add file transition for nvidia-modeset- Allow dirsrv-snmp map dirsv_tmpfs_t files - Label /usr/lib/node_modules_22/npm/bin with bin_t - Add policy for /usr/libexec/samba/samba-bgqd - Allow gnome-remote-desktop watch /etc directory - Allow rpcd read network sysctls - Allow journalctl connect to systemd-userdbd over a unix socket - Allow some confined users send to lldpad over a unix dgram socket - Allow lldpad send to unconfined_t over a unix dgram socket - Allow lldpd connect to systemd-machined over a unix socket - Confine the ktls service- Allow dirsrv read network sysctls - Label /run/sssd with sssd_var_run_t - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t - Allow unconfined_t execute kmod in the kmod domain - Allow confined users r/w to screen unix stream socket - Label /root/.screenrc and /root/.tmux.conf with screen_home_t - Allow virtqemud read virtd_t files - Allow ping_t read network sysctls- Allow systemd-homework connect to init over a unix socket - Fix systemd-homed blobs directory permissions - Allow virtqemud read sgx_vepc devices - Allow lldpad create and use netlink_generic_socket- Allow systemd-homework write to init pid socket - Allow init create /var/cache/systemd/home - Confine the pcm service - Allow login_userdomain read thumb tmp files - Update power-profiles-daemon policy - Fix the /etc/mdevctl\.d(/.*)? regexp - Grant rhsmcertd chown capability & userdb access - Allow iio-sensor-proxy the bpf capability - Allow systemd-machined the kill user-namespace capability- Remove the fail2ban module sources - Remove the linuxptp module sources - Remove legacy rules for slrnpull - Remove the aiccu module sources - Remove the bcfg2 module sources - Remove the amtu module sources - Remove the rhev module sources - Remove all file context entries for /bin and /lib - Allow ptp4l the sys_admin capability - Confine power-profiles-daemon - Label /var/cache/systemd/home with systemd_homed_cache_t - Allow login_userdomain connect to systemd-homed over a unix socket - Allow boothd connect to systemd-homed over a unix socket - Allow systemd-homed get attributes of a tmpfs filesystem - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket - Allow aide connect to systemd-homed over a unix socket - Label /dev/hfi1_[0-9]+ devices - Suppress semodule's stderr- Remove the openct module sources - Remove the timidity module sources - Enable the slrn module - Remove i18n_input module sources - Enable the distcc module - Remove the ddcprobe module sources - Remove the timedatex module sources - Remove the djbdns module sources - Confine iio-sensor-proxy - Allow staff user nlmsg_write - Update policy for xdm with confined users - Allow virtnodedev watch mdevctl config dirs - Allow ssh watch home config dirs - Allow ssh map home configs files - Allow ssh read network sysctls - Allow chronyc sendto to chronyd-restricted - Allow cups sys_ptrace capability in the user namespace- Add policy for systemd-homed - Remove fc entry for /usr/bin/pump - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t - Allow accountsd read gnome-initial-setup tmp files - Allow xdm write to gnome-initial-setup fifo files - Allow rngd read and write generic usb devices - Allow qatlib search the content of the kernel debugging filesystem - Allow qatlib connect to systemd-machined over a unix socket- Drop ru man pages - mls/modules.conf - fix typo - Allow unprivileged user watch /run/systemd - Allow boothd connect to kernel over a unix socket- Relabel /etc/mdevctl.d- Clean up and sync securetty_types - Bring config files from dist-git into the source repo - Confine gnome-remote-desktop - Allow virtstoraged execute mount programs in the mount domain - Make mdevctl_conf_t member of the file_type attribute- Label /etc/mdevctl.d with mdevctl_conf_t - Sync users with Fedora targeted users - Update policy for rpc-virtstorage - Allow virtstoraged get attributes of configfs dirs - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command - Update bootupd policy when ESP is not mounted - Allow thumb_t map dri devices - Allow samba use the io_uring API - Allow the sysadm user use the secretmem API - Allow nut-upsmon read systemd-logind session files - Allow sysadm_t to create PF_KEY sockets - Update bootupd policy for the removing-state-file test - Allow coreos-installer-generator manage mdadm_conf_t files- Allow setsebool_t relabel selinux data files - Allow virtqemud relabelfrom virtqemud_var_run_t dirs - Use better escape method for "interface" - Allow init and systemd-logind to inherit fds from sshd - Allow systemd-ssh-generator read sysctl files - Sync modules.conf with Fedora targeted modules - Allow virtqemud relabel user tmp files and socket files - Add missing sys_chroot capability to groupadd policy - Label /run/libvirt/qemu/channel with virtqemud_var_run_t - Allow virtqemud relabelfrom also for file and sock_file - Add virt_create_log() and virt_write_log() interfaces - Call binaries without full path- Update libvirt policy - Add port 80/udp and 443/udp to http_port_t definition - Additional updates stalld policy for bpf usage - Label systemd-pcrextend and systemd-pcrlock properly - Allow coreos_installer_t work with partitions - Revert "Allow coreos-installer-generator work with partitions" - Add policy for systemd-pcrextend - Update policy for systemd-getty-generator - Allow ip command write to ipsec's logs - Allow virt_driver_domain read virtd-lxc files in /proc - Revert "Allow svirt read virtqemud fifo files" - Update virtqemud policy for libguestfs usage - Allow virtproxyd create and use its private tmp files - Allow virtproxyd read network state - Allow virt_driver_domain create and use log files in /var/log - Allow samba-dcerpcd work with ctdb cluster- Allow NetworkManager_dispatcher_t send SIGKILL to plugins - Allow setroubleshootd execute sendmail with a domain transition - Allow key.dns_resolve set attributes on the kernel key ring - Update qatlib policy for v24.02 with new features - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t - Allow tlp status power services - Allow virtqemud domain transition on passt execution - Allow virt_driver_domain connect to systemd-userdbd over a unix socket - Allow boothd connect to systemd-userdbd over a unix socket - Update policy for awstats scripts - Allow bitlbee execute generic programs in system bin directories - Allow login_userdomain read aliases file - Allow login_userdomain read ipsec config files - Allow login_userdomain read all pid files - Allow rsyslog read systemd-logind session files - Allow libvirt-dbus stream connect to virtlxcd- Update bootupd policy - Allow rhsmcertd read/write access to /dev/papr-sysparm - Label /dev/papr-sysparm and /dev/papr-vpd - Allow abrt-dump-journal-core connect to winbindd - Allow systemd-hostnamed shut down nscd - Allow systemd-pstore send a message to syslogd over a unix domain - Allow postfix_domain map postfix_etc_t files - Allow microcode create /sys/devices/system/cpu/microcode/reload - Allow rhsmcertd read, write, and map ica tmpfs files - Support SGX devices - Allow initrc_t transition to passwd_t - Update fstab and cryptsetup generators policy - Allow xdm_t read and write the dma device - Update stalld policy for bpf usage - Allow systemd_gpt_generator to getattr on DOS directories- Make cgroup_memory_pressure_t a part of the file_type attribute - Allow ssh_t to change role to system_r - Update policy for coreos generators - Allow init_t nnp domain transition to firewalld_t - Label /run/modprobe.d with modules_conf_t - Allow virtnodedevd run udev with a domain transition - Allow virtnodedev_t create and use virtnodedev_lock_t - Allow virtstoraged manage files with virt_content_t type - Allow virtqemud unmount a filesystem with extended attributes - Allow svirt_t connect to unconfined_t over a unix domain socket- Update afterburn file transition policy - Allow systemd_generator read attributes of all filesystems - Allow fstab-generator read and write cryptsetup-generator unit file - Allow cryptsetup-generator read and write fstab-generator unit file - Allow systemd_generator map files in /etc - Allow systemd_generator read init's process state - Allow coreos-installer-generator read sssd public files - Allow coreos-installer-generator work with partitions - Label /etc/mdadm.conf.d with mdadm_conf_t - Confine coreos generators - Label /run/metadata with afterburn_runtime_t - Allow afterburn list ssh home directory - Label samba certificates with samba_cert_t - Label /run/coreos-installer-reboot with coreos_installer_var_run_t - Allow virtqemud read virt-dbus process state - Allow staff user dbus chat with virt-dbus - Allow staff use watch /run/systemd - Allow systemd_generator to write kmsg- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild- Allow virtqemud connect to sanlock over a unix stream socket - Allow virtqemud relabel virt_var_run_t directories - Allow svirt_tcg_t read vm sysctls - Allow virtnodedevd connect to systemd-userdbd over a unix socket - Allow svirt read virtqemud fifo files - Allow svirt attach_queue to a virtqemud tun_socket - Allow virtqemud run ssh client with a transition - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket - Update keyutils policy - Allow sshd_keygen_t connect to userdbd over a unix stream socket - Allow postfix-smtpd read mysql config files - Allow locate stream connect to systemd-userdbd - Allow the staff user use wireshark - Allow updatedb connect to userdbd over a unix stream socket - Allow gpg_t set attributes of public-keys.d - Allow gpg_t get attributes of login_userdomain stream - Allow systemd_getty_generator_t read /proc/1/environ - Allow systemd_getty_generator_t to read and write to tty_device_t- Move %postInstall to %posttrans - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)` - Drop obsolete modules from config - Install dnf protected files only when policy is built- Relabel files under /usr/bin to fix stale context after sbin merge- Merge -base and -contrib- Drop publicfile module - Remove permissive domain for systemd_nsresourced_t - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t - Allow to create and delete socket files created by rhsm.service - Allow virtnetworkd exec shell when virt_hooks_unconfined is on - Allow unconfined_service_t transition to passwd_t - Support /var is empty - Allow abrt-dump-journal read all non_security socket files - Allow timemaster write to sysfs files - Dontaudit domain write cgroup files - Label /usr/lib/node_modules/npm/bin with bin_t - Allow ip the setexec permission - Allow systemd-networkd write files in /var/lib/systemd/network - Fix typo in systemd_nsresourced_prog_run_bpf()- Confine libvirt-dbus - Allow virtqemud the kill capability in user namespace - Allow rshim get options of the netlink class for KOBJECT_UEVENT family - Allow dhcpcd the kill capability - Allow systemd-networkd list /var/lib/systemd/network - Allow sysadm_t run systemd-nsresourced bpf programs - Update policy for systemd generators interactions - Allow create memory.pressure files with cgroup_memory_pressure_t - Add support for libvirt hooks- Allow certmonger read and write tpm devices - Allow all domains to connect to systemd-nsresourced over a unix socket - Allow systemd-machined read the vsock device - Update policy for systemd generators - Allow ptp4l_t request that the kernel load a kernel module - Allow sbd to trace processes in user namespace - Allow request-key execute scripts - Update policy for haproxyd- Update policy for systemd-nsresourced - Correct sbin-related file context entries- Allow login_userdomain execute systemd-tmpfiles in the caller domain - Allow virt_driver_domain read files labeled unconfined_t - Allow virt_driver_domain dbus chat with policykit - Allow virtqemud manage nfs files when virt_use_nfs boolean is on - Add rules for interactions between generators - Label memory.pressure files with cgroup_memory_pressure_t - Revert "Allow some systemd services write to cgroup files" - Update policy for systemd-nsresourced - Label /usr/bin/ntfsck with fsadm_exec_t - Allow systemd_fstab_generator_t read tmpfs files - Update policy for systemd-nsresourced - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin - Remove a few lines duplicated between {dkim,milter}.fc - Alias /bin → /usr/bin and remove redundant paths - Drop duplicate line for /usr/sbin/unix_chkpwd - Drop duplicate paths for /usr/sbin- Update systemd-generator policy - Remove permissive domain for bootupd_t - Remove permissive domain for coreos_installer_t - Remove permissive domain for afterburn_t - Add the sap module to modules.conf - Move unconfined_domain(sap_unconfined_t) to an optional block - Create the sap module - Allow systemd-coredumpd sys_admin and sys_resource capabilities - Allow systemd-coredump read nsfs files - Allow generators auto file transition only for plain files - Allow systemd-hwdb write to the kernel messages device - Escape "interface" as a file name in a virt filetrans pattern - Allow gnome-software work for login_userdomain - Allow systemd-machined manage runtime sockets - Revert "Allow systemd-machined manage runtime sockets"- Allow postfix_domain connect to postgresql over a unix socket - Dontaudit systemd-coredump sys_admin capability - Allow all domains read and write z90crypt device - Allow tpm2 generator setfscreate - Allow systemd (PID 1) manage systemd conf files - Allow pulseaudio map its runtime files - Update policy for getty-generator - Allow systemd-hwdb send messages to kernel unix datagram sockets - Allow systemd-machined manage runtime sockets- Allow fstab-generator create unit file symlinks - Update policy for cryptsetup-generator - Update policy for fstab-generator - Allow virtqemud read vm sysctls - Allow collectd to trace processes in user namespace - Allow bootupd search efivarfs dirs - Add policy for systemd-mountfsd - Add policy for systemd-nsresourced - Update policy generators - Add policy for anaconda-generator - Update policy for fstab and gpt generators - Add policy for kdump-dep-generator/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh 41.34-1.fc4241.34-1.fc4241.34-1.fc42 selinuxconfigselinuxmacros.selinux-policyselinux-check-proper-disable.serviceselinux-policy.confbinsbin-convert.shvarrun-convert.shselinux-policyCOPYINGselinuxpackages/etc//etc/selinux//etc/sysconfig//usr/lib/rpm/macros.d//usr/lib/systemd/system//usr/lib/tmpfiles.d//usr/libexec/selinux//usr/share/licenses//usr/share/licenses/selinux-policy//usr/share//usr/share/selinux/-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protectioncpiozstd19noarch-redhat-linux-gnudirectoryemptyUnicode text, UTF-8 textASCII textBourne-Again shell script, ASCII text executablePPPPPPPPP P P P P PRRhttps://bugz.fedoraproject.org/selinux-policyselinux-policy-targetedutf-8ff9e08b276f89226a9d308b7fd0bc25ae9967d17c3f594eb3ce5d6cd29fc84718072a9b021a914b0892ca26f4392ad66c708088ce905b49df44ec716500ce063?0(/h5ZL+?VUUU]Ie%կ!L!MgAZW!t6 orp zK⠞C(smʅq]`*x,Ucy0^+ig-wRWP#8üD J@.G !I0 ay+EQVk zЧJxuPmxTMu5.o8u%y?=#fd8ٖE86+eu<1iM1. }OעaէS`΅‡o-{ru8onRp6noȳ5 =^?uF$)X (ถj(8uVm W4do 7AU,eœ6/lg0t KD)5&.C%ppP@h(t;۸f;칤?Y/b/g/ֶ؃l7r\چev~س%1OLDfbQ\F ;}FѴݼ {STEPPn"}VW I+ %Vm89\G(I84i",m\1GgE=c^$Dw+K&|RAM:t>ә8` ``$W(KX V< %~N ~2Y2(bRzD46/=#lz'ψkPohl mEYg&>.ıq>4Ԓ*"8uu _oҞM])kN5g(+F*:i#Kl7.utߢ׷=D_VwȋL ,ۑ =Փ齝1G</(cm~0fjnONϮjJп =Vx8ڹg]i0G=F1gJI{I$k_v̓o >lkmԴ ]uů8" L$ sU>`)v/ƒk-3|'M0Ʉ y`³ŕbɰX`*F@:„[=V(Y?"HAS ٵ  ' ,XMFAm=Śb%Y񄥊IM9"a}vv|)Eo:(ޗH~;94 ݞg`B>AłXPh> ֖ߓ**(*aǚ=}9ޏ20W].*Ȩ`\,E0c* \rq0 RT cT],W`,= (TˢhHׅgi(0gKcp,XFÚXW,h,54UźŲ L,\a].,W.U*V4\p,eUfi2RU,Jc]X0ɠpi6_j]0be\Mƪte25,6+K#Y4a`vqJCɰa T˂ ׫U6?E=x|g۝Eo SɿyBK8~_{&lHCN )NI_է +H~&"w^j5j\[^}^54*Vn\-?E Oo:!@BMIDW"|R16r| fϭMGrK!Х/7\/I+$w([+#? jg`mٓ)[NF"Z$2_eAɔs@ &8]$L'J @0 L0 `mu$Hq4{('oB iJnqj^iPS+T"*ȥći5wBh\s\t- -,C ]qRPf I\9|."{ZPEeImu?%Gp넱 !Lm(vt4 ,ٚp`tO cTQehPlUW.=#F280ˎ6]ډ;jWfaL޴v,>]i8s7aMMߎT%PLҙiMyj] ]Iw=j+搖 hI T/9&}rqT&OHPNyE #(O+D@[:j.\A#|;8߹ýK{{e1lQ (ε$kHVT$,$dv dUDȉ81P11_O ^CF'$V5NpA] ?4:vC# e#H8bsXεTѮdT;i П_o@1iԴ hH3?$lsنGSav`5tOqgѰemo&zV(;_]fxVqf"nf?z0?MX^<嚨AQ|!@K}?}M\ iL6ѯ JY M[ <6(Vn44{ Tܥ^ =<:jC:,<G㋨d+ zf1H9#V,1fڤ:l "qjyO|F\fkuLO_X\+r<;KM26#fڏ72d$uI*pt-DB|)yH#)$f]מ HՏs%!?Dp. Ņ+o2%atvk,i`0l@I&[%H,?E~WEIAN,s ˅̌iRP/k Sjp$,4A U $Qz7A$eT~%۝|86frYǏJV+5̽Y90'*ips !*b{:bCNSA'KSN@;X u7in8|ׅI[GéGB2&Ҩ\$ݸ8ʭ_(0=d9miL`?"dCo$D N-oP@fIffB{(XVv y9E+#ȉ L#AF=*)r^`\M_ lS {1CoDفb [~$󤦉, Jks|m%f#Xc.㖗ʰŹrJB@%dd ht~5 T,hF%Rȴ,so*tV|)I[o q=v:‰N${;ź }ݭFfyYC59&#6PRd>/e;ŜnAGh֮y Fjw1.|c.ptX~k<-C!>wQK,y%wYf׶yϹ#(*s?dUvf=fVfAE>NO[HƙQ ,#h}Xd;an>U>)9*Sr{peZҬxqEO[7wMMb1} DVpŋ4 $Q!Laϰ#"p}Ё uM<)9 Ģӕ{]/-'ȑ|eZ}}+9ݢ:uнw+$1,-T֊(,x9 nw'Y.z Uyeec'[$6RwN%Pi Lߙk\@13k |ٮkl0 0@Hm>.WﺈLx^uq7ǃp2Nbn+2:?|4ѰE-8RFdY@YbtYcϳ^Z0E:k=GEXFn-.a23.aR@ A~ Ъ'%{y!yt.aVH\'Q!2@tpf崷K1/W >RGlJ] S/GU@ŶV.7S]4L4H&=q#׺GH6HEjP4@6?d?a RŤH7~1nҲyI=f ˧kE1^. K~^A,>E70Z`R \LMSlw*ԠpS_yMt:"G"s8_BYb2G''\VroVڭIH&;Q43/*Ŧ/ĕSǏ*V>4aK}PN 7Pdc iO*`l%~< L:^˟vrgjӰH vEM:xtx0@t聰҇; LjۚPuP! B8'.$O?^e`]K m2цMmV@(lvq)ߧ]v?[U;{]nr"k&yK} G])8bS+ODPE7DQ%b\`cAjPFb#dz_:햪^& Mzɥa}6@l3#cHȼ-qn$Lҡ9ɪ_JLDZDj>FNmF)c^w_A\Er*_WwT$VY4|ldjf9T>7 y}.QdG^MPFryVg_x{RAAGa n$M{Z|(w3S'¼I F5 E`B"e#9W &dm{#CT7T`B0 S9ۉ甦NI/kBպ 홨vk _5ڽمPR$Sk d)߈6$() j )f GNCr_'{L[io6yQ:zX P4 1fUH2Gbyf^zTrw\/~3L5.f'AH։xVW!B>o-h!lkd٬ҞM5q06dj{H60f=eAcL䁑P?:A9@#˹Xw]+,'kPhY!J(qYqaEjq#m`JhZȄ]EgI+75pR|5! tLf{I(bv^o7VeSM:S|QkOfXAafM.5zAꋺIB )=4\XNgqPvϞ  ˠHaaJ}pIA8߳~r HU8Ufb2V<;̲4;*YruH-";-]L)QmxCS)DSrD}0 <+ 㠂։d-\' mNIeY%TE]HSA'Z˥X7 o^JD N zͧ3ȋx*p!H+,u,}rxA{//mss(vYD+*|,fǬWވB8ѨCs;Eظ?c`t 2%>:tjC#У>`^!$jGAJ9+tLnEo_y_T&8Ҁ9/VAݠD#