selinux-policy-41.33-1.fc42 >t 6 6_ ptx 3!XPȬI^Dg6 ȬI^Dڬ x l8DRrus|:fv>xٟJ-05E Q*h1Gq-I[pֵVչ$O şCjښi_@+ڠ?)WMy='wp bpH_wrS-]i-_Ht`X>&<&2dO}#+@_) z"$1jj4 R= DCȚcSQG0i+Ha`'}߷e|wecCҒFΈFGhWP-~ꔓaY3++hu= &J`M{?{d  ; .:kqx  (   @   X         P     <() * + , - 8'9':'>t?t@tDt Gu HuD Iut XuYu\u ]v, ^v bwdyGeyLfyQlyTtyl uy vywz4 xzd yzzz{{{ {${*{l{pCselinux-policy41.331.fc42SELinux policy configurationSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.g`buildvm-s390x-08.s390.fedoraproject.org}Fedora ProjectFedora ProjectGPL-2.0-or-laterFedora ProjectUnspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarch if [ $1 -eq 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Initial installation /usr/lib/systemd/systemd-update-helper install-system-units selinux-check-proper-disable.service || : fi if [ ! -s /etc/selinux/config ]; then # # New install so we will default to targeted policy # echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > /etc/selinux/config ln -sf ../selinux/config /etc/sysconfig/selinux /usr/bin/restorecon /etc/selinux/config 2> /dev/null || : else . /etc/selinux/config fi exit 0 if [ $1 -eq 0 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then # Package removal, not upgrade /usr/lib/systemd/systemd-update-helper remove-system-units selinux-check-proper-disable.service || : fi if [ $1 = 0 ]; then /usr/bin/setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi exit 0  FYA큤A큤AAgMgMgMgMgMgMgMgMgMgMgMgM1a91006c8f38188abdca1296f51b67c5d2f3bf64fe5b469edb1dc1dd06e5351cb3240fd7982059a65867f81ebab303d478bd1c29b1559bdcb2ba70781916b1ae8a0beca7f576064bfe85859d53e85dfc31157974115cac99b4e52ae31b77b1859f160248f1f51abdc3cd7cf98b41dbf09991098e26bc7932b158095580cde754ce909c918cdaf8957be2e3881cc4be186a9a7b77913ef8836d576cdc273d6313204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994Q@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-41.33-1.fc42.src.rpmconfig(selinux-policy)rpm_macro(_file_context_file)rpm_macro(_file_context_file_pre)rpm_macro(_file_custom_defined_booleans)rpm_macro(_file_custom_defined_booleans_tmp)rpm_macro(_selinux_policy_version)rpm_macro(_selinux_store_path)rpm_macro(_selinux_store_policy_path)rpm_macro(selinux_modules_install)rpm_macro(selinux_modules_uninstall)rpm_macro(selinux_relabel_post)rpm_macro(selinux_relabel_pre)rpm_macro(selinux_requires)rpm_macro(selinux_set_booleans)rpm_macro(selinux_unset_booleans)selinux-policyselinux-policy-base  @       (rpm-plugin-selinux if rpm-libs)/bin/awk/bin/sh/bin/sh/bin/sh/bin/sh/usr/bin/bash/usr/bin/sha512sumconfig(selinux-policy)policycoreutilsrpmlib(BuiltinLuaScripts)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsZstd)rpmlib(RichDependencies)selinux-policy-any41.33-1.fc423.84.2.2-13.0.4-14.6.0-14.0-15.4.18-14.12.0-141.33-1.fc424.20.0/usr/bin/selinuxenabled && /usr/bin/semodule -nB 2> /dev/null exit 0/usr/libexec/selinux/binsbin-convert.sh targeted /usr/bin/restorecon /usr/sbin/fapolicyd*/usr/libexec/selinux/binsbin-convert.sh targeted /usr/bin/restorecon /usr/sbin/usbguard* if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_varrun/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_varrun") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_varrun/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_varrun") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_binsbin/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_binsbin") end if posix.access ("/var/lib/selinux/targeted/active/modules/400/extra_binsbin/cil", "r") then os.execute ("/usr/bin/rm -rf /var/lib/selinux/targeted/active/modules/400/extra_binsbin") end/usr/libexec/selinux/varrun-convert.sh targeted exit 0/usr/libexec/selinux/varrun-convert.sh targeted exit 0/usr/libexec/selinux/binsbin-convert.sh targeted exit 0/usr/libexec/selinux/binsbin-convert.sh targeted exit 0container-selinuxcontainer-selinuxfapolicyd-selinuxfapolicyd-selinuxfapolicyd-selinuxpcp-selinuxpcp-selinuxpcre2usbguard-selinuxusbguard-selinuxusbguard-selinux  ggRg@gu@g@gw@gaggM@g<}g@g@gB@gg @f@ffffffbf@f@f'@f>@fIff`f@f@fwfwf~fr@fqvfp%@fh<@fb@f]@Zdenek Pytela - 41.33-1Zdenek Pytela - 41.32-1Zdenek Pytela - 41.31-1Zdenek Pytela - 41.30-1Zdenek Pytela - 41.29-1Zdenek Pytela - 41.28-1Zdenek Pytela - 41.27-1Petr Lautrbach - 41.26-2Zdenek Pytela - 41.26-1Zdenek Pytela - 41.25-1Zdenek Pytela - 41.24-1Zdenek Pytela - 41.23-1Zdenek Pytela - 41.22-1Zdenek Pytela - 41.21-1Zdenek Pytela - 41.20-1Zdenek Pytela - 41.19-1Petr Lautrbach - 41.18-1Zdenek Pytela - 41.17-2Petr Lautrbach - 41.17-1Zdenek Pytela - 41.16-1Zdenek Pytela - 41.15-1Zdenek Pytela - 41.14-1Zdenek Pytela - 41.13-1Zdenek Pytela - 41.12-1Zdenek Pytela - 41.11-1Zdenek Pytela - 41.10-1Fedora Release Engineering - 41.9-2Zdenek Pytela - 41.9-1Petr Lautrbach 41.8-4Zbigniew Jędrzejewski-Szmek - 41.8-3Petr Lautrbach 41.8-2Zdenek Pytela - 41.8-1Zdenek Pytela - 41.7-1Zdenek Pytela - 41.6-1Zdenek Pytela - 41.5-1Zdenek Pytela - 41.4-1Zdenek Pytela - 41.3-1Zdenek Pytela - 41.2-1Zdenek Pytela - 41.1-1- Allow systemd-networkd the sys_admin capability - Update systemd-networkd policy in systemd v257 - Separate insights-core from insights-client - Removed unused insights_client interfaces calls from other modules - Update policy for insights_client wrt new rules for insights_core_t - Add policy for insights-core - Allow systemd-networkd use its private tmpfs files - Allow boothd connect to systemd-machined over a unix socket - Update init_explicit_domain() interface - Allow tlp to read/write nmi_watchdog state information - Allow power-profiles-daemon the bpf capability - Allow svirt_t to connect to nbdkit over a unix stream socket - Update ktlshd policy to read /proc/keys and domain keyrings - Allow virt_domain read hardware state information unconditionally - Allow init mounton crypto sysctl files - Rename winbind_rpcd_* types to samba_dcerpcd_* - Support peer-to-peer migration of vms using ssh- Allow virtqemud use hostdev usb devices conditionally - Allow virtqemud map svirt_image_t plain files - Allow virtqemud work with nvdimm devices - Support saving and restoring a VM to/from a block device - Allow virtnwfilterd dbus chat with firewalld - Dontaudit systemd-logind remove all files - Add the files_dontaudit_read_all_dirs() interface - Add the files_dontaudit_delete_all_files() interface - Allow rhsmcertd notify virt-who - Allow irqbalance to run unconfined scripts conditionally- Allow snapperd execute systemctl in the caller domain - Allow svirt_tcg_t to connect to nbdkit over a unix stream socket - Allow iio-sensor-proxy read iio devices - Label /dev/iio:device[0-9]+ devices - Allow systemd-coredump the sys_admin capability - Allow apcupsd's apccontrol to send messages using wall - contrib/thumb: also allow per-user thumbnailers - contrib/thumb: fix thunar thumbnailer (rhbz#2315893) - Allow virt_domain to use pulseaudio - conditional - Allow pcmsensor read nmi_watchdog state information - Allow init_t nnp domain transition to gssproxy_t- Allow systemd-generator connect to syslog over a unix stream socket - Allow virtqemud manage fixed disk device nodes - Allow iio-sensor-proxy connect to syslog over a unix stream socket - Allow virtstoraged write to sysfs files - Allow power-profiles-daemon write sysfs files - Update iiosensorproxy policy - Allow pcmsensor write nmi_watchdog state information - Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t - Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type - Add the gpg_read_user_secrets() interface - Allow gnome-remote-desktop read resolv.conf - Update switcheroo policy - Allow nfsidmap connect to systemd-homed over a unix socket - Add the auth_write_motd_var_run_files() interface - Add the bind_exec_named_checkconf() interface - Add the virt_exec_virsh() interface- Allow virtqemud domain transition to nbdkit - Add nbdkit interfaces defined conditionally - Allow samba-bgqd connect to cupsd over an unix domain stream socket - Confine the switcheroo-control service - Allow svirt_t read sysfs files - Add rhsmcertd interfaces - Add the ssh_exec_sshd() interface - Add the gpg_domtrans_agent() interface - Label /usr/bin/dnf5 with rpm_exec_t - Label /dev/pmem[0-9]+ with fixed_disk_device_t - allow kdm to create /root/.kde/ with correct label - Change /usr/sbin entries to use /usr/bin or remove them - Allow systemd-homed get filesystem quotas - Allow login_userdomain getattr nsfs files - Allow virtqemud send a generic signal to the ssh client domain - Dontaudit request-key read /etc/passwd- Update virtqemud policy regarding the svirt_tcg_t domain - Allow virtqemud domain transition on numad execution - Support virt live migration using ssh - Allow virtqemud permissions needed for live migration - Allow virtqemud the getpgid process permission - Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on - Allow virtqemud relabelfrom virt_log_t files - Allow virtqemud relabel tun_socket - Add policy for systemd-import-generator - Confine vsftpd systemd system generator - Allow virtqemud read and write sgx_vepc devices - Allow systemd-networkd list cgroup directories - Allow xdm dbus chat with power-profiles-daemon - Allow ssh_t read systemd config files - Add Valkey rules to Redis module- Update ktlsh policy - Allow request-key to read /etc/passwd - Allow request-key to manage all domains' keys - Add support for the KVM guest memfd anon inodes - Allow auditctl signal auditd - Dontaudit systemd-coredump the sys_resource capability - Allow traceroute_t bind rawip sockets to unreserved ports - Fix the cups_read_pid_files() interface to use read_files_pattern - Allow virtqemud additional permissions for tmpfs_t blk devices - Allow virtqemud rw access to svirt_image_t chr files - Allow virtqemud rw and setattr access to fixed block devices - Label /etc/mdevctl.d/scripts.d with bin_t - Allow virtqemud open svirt_devpts_t char files - Allow virtqemud relabelfrom virt_log_t files - Allow svirt_tcg_t read virtqemud_t fifo_files - Allow virtqemud rw and setattr access to sev devices - Allow virtqemud directly read and write to a fixed disk - Allow virtqemud_t relabel virt_var_lib_t files - Allow virtqemud_t relabel virtqemud_var_run_t sock_files - Add gnome_filetrans_gstreamer_admin_home_content() interface - Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t - Make bootupd_t permissive - Allow init_t nnp domain transition to locate_t - allow gdm and iiosensorproxy talk to each other via D-bus - Allow systemd-journald getattr nsfs files - Allow sendmail to map mail server configuration files - Allow procmail to read mail aliases - Allow cifs.idmap helper to set attributes on kernel keys - Allow irqbalance setpcap capability in the user namespace - Allow sssd_selinux_manager_t the setcap process permission - Allow systemd-sleep manage efivarfs files - Allow systemd-related domains getattr nsfs files - Allow svirt_t the sys_rawio capability - Allow alsa watch generic device directories - Move systemd-homed interfaces to seperate optional_policy block - Update samba-bgqd policy - Update virtlogd policy - Allow svirt_t the sys_rawio capability - Allow qemu-ga the dac_override and dac_read_search capabilities - Allow bacula execute container in the container domain - Allow httpd get attributes of dirsrv unit files - Allow samba-bgqd read cups config files - Add label rshim_var_run_t for /run/rshim.pid- Rebuild with SELinux Userspace 3.8- [5/5][sync from 'mysql-selinux'] Add mariadb-backup - [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock' - [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2 - [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705 - [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname' - Allow systemd-networkd read mount pid files - Update policy for samba-bgqd - Allow chronyd read networkmanager's pid files - Allow staff user connect to generic tcp ports - Allow gnome-remote-desktop dbus chat with policykit - Allow tlp the setpgid process permission - Update the bootupd policy - Allow sysadm_t use the io_uring API - Allow sysadm user dbus chat with virt-dbus - Allow virtqemud_t read virsh_t files - Allow virt_dbus_t connect to virtd_t over a unix stream socket - Allow systemd-tpm2-generator read hardware state information - Allow coreos-installer-generator execute generic programs - Allow coreos-installer domain transition on udev execution - Revert "Allow unconfined_t execute kmod in the kmod domain" - Allow iio-sensor-proxy create and use unix dgram socket - Allow virtstoraged read vm sysctls - Support ssh connections via systemd-ssh-generator - Label all semanage store files in /etc as semanage_store_t - Add file transition for nvidia-modeset- Allow dirsrv-snmp map dirsv_tmpfs_t files - Label /usr/lib/node_modules_22/npm/bin with bin_t - Add policy for /usr/libexec/samba/samba-bgqd - Allow gnome-remote-desktop watch /etc directory - Allow rpcd read network sysctls - Allow journalctl connect to systemd-userdbd over a unix socket - Allow some confined users send to lldpad over a unix dgram socket - Allow lldpad send to unconfined_t over a unix dgram socket - Allow lldpd connect to systemd-machined over a unix socket - Confine the ktls service- Allow dirsrv read network sysctls - Label /run/sssd with sssd_var_run_t - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t - Allow unconfined_t execute kmod in the kmod domain - Allow confined users r/w to screen unix stream socket - Label /root/.screenrc and /root/.tmux.conf with screen_home_t - Allow virtqemud read virtd_t files - Allow ping_t read network sysctls- Allow systemd-homework connect to init over a unix socket - Fix systemd-homed blobs directory permissions - Allow virtqemud read sgx_vepc devices - Allow lldpad create and use netlink_generic_socket- Allow systemd-homework write to init pid socket - Allow init create /var/cache/systemd/home - Confine the pcm service - Allow login_userdomain read thumb tmp files - Update power-profiles-daemon policy - Fix the /etc/mdevctl\.d(/.*)? regexp - Grant rhsmcertd chown capability & userdb access - Allow iio-sensor-proxy the bpf capability - Allow systemd-machined the kill user-namespace capability- Remove the fail2ban module sources - Remove the linuxptp module sources - Remove legacy rules for slrnpull - Remove the aiccu module sources - Remove the bcfg2 module sources - Remove the amtu module sources - Remove the rhev module sources - Remove all file context entries for /bin and /lib - Allow ptp4l the sys_admin capability - Confine power-profiles-daemon - Label /var/cache/systemd/home with systemd_homed_cache_t - Allow login_userdomain connect to systemd-homed over a unix socket - Allow boothd connect to systemd-homed over a unix socket - Allow systemd-homed get attributes of a tmpfs filesystem - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket - Allow aide connect to systemd-homed over a unix socket - Label /dev/hfi1_[0-9]+ devices - Suppress semodule's stderr- Remove the openct module sources - Remove the timidity module sources - Enable the slrn module - Remove i18n_input module sources - Enable the distcc module - Remove the ddcprobe module sources - Remove the timedatex module sources - Remove the djbdns module sources - Confine iio-sensor-proxy - Allow staff user nlmsg_write - Update policy for xdm with confined users - Allow virtnodedev watch mdevctl config dirs - Allow ssh watch home config dirs - Allow ssh map home configs files - Allow ssh read network sysctls - Allow chronyc sendto to chronyd-restricted - Allow cups sys_ptrace capability in the user namespace- Add policy for systemd-homed - Remove fc entry for /usr/bin/pump - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t - Allow accountsd read gnome-initial-setup tmp files - Allow xdm write to gnome-initial-setup fifo files - Allow rngd read and write generic usb devices - Allow qatlib search the content of the kernel debugging filesystem - Allow qatlib connect to systemd-machined over a unix socket- Drop ru man pages - mls/modules.conf - fix typo - Allow unprivileged user watch /run/systemd - Allow boothd connect to kernel over a unix socket- Relabel /etc/mdevctl.d- Clean up and sync securetty_types - Bring config files from dist-git into the source repo - Confine gnome-remote-desktop - Allow virtstoraged execute mount programs in the mount domain - Make mdevctl_conf_t member of the file_type attribute- Label /etc/mdevctl.d with mdevctl_conf_t - Sync users with Fedora targeted users - Update policy for rpc-virtstorage - Allow virtstoraged get attributes of configfs dirs - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command - Update bootupd policy when ESP is not mounted - Allow thumb_t map dri devices - Allow samba use the io_uring API - Allow the sysadm user use the secretmem API - Allow nut-upsmon read systemd-logind session files - Allow sysadm_t to create PF_KEY sockets - Update bootupd policy for the removing-state-file test - Allow coreos-installer-generator manage mdadm_conf_t files- Allow setsebool_t relabel selinux data files - Allow virtqemud relabelfrom virtqemud_var_run_t dirs - Use better escape method for "interface" - Allow init and systemd-logind to inherit fds from sshd - Allow systemd-ssh-generator read sysctl files - Sync modules.conf with Fedora targeted modules - Allow virtqemud relabel user tmp files and socket files - Add missing sys_chroot capability to groupadd policy - Label /run/libvirt/qemu/channel with virtqemud_var_run_t - Allow virtqemud relabelfrom also for file and sock_file - Add virt_create_log() and virt_write_log() interfaces - Call binaries without full path- Update libvirt policy - Add port 80/udp and 443/udp to http_port_t definition - Additional updates stalld policy for bpf usage - Label systemd-pcrextend and systemd-pcrlock properly - Allow coreos_installer_t work with partitions - Revert "Allow coreos-installer-generator work with partitions" - Add policy for systemd-pcrextend - Update policy for systemd-getty-generator - Allow ip command write to ipsec's logs - Allow virt_driver_domain read virtd-lxc files in /proc - Revert "Allow svirt read virtqemud fifo files" - Update virtqemud policy for libguestfs usage - Allow virtproxyd create and use its private tmp files - Allow virtproxyd read network state - Allow virt_driver_domain create and use log files in /var/log - Allow samba-dcerpcd work with ctdb cluster- Allow NetworkManager_dispatcher_t send SIGKILL to plugins - Allow setroubleshootd execute sendmail with a domain transition - Allow key.dns_resolve set attributes on the kernel key ring - Update qatlib policy for v24.02 with new features - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t - Allow tlp status power services - Allow virtqemud domain transition on passt execution - Allow virt_driver_domain connect to systemd-userdbd over a unix socket - Allow boothd connect to systemd-userdbd over a unix socket - Update policy for awstats scripts - Allow bitlbee execute generic programs in system bin directories - Allow login_userdomain read aliases file - Allow login_userdomain read ipsec config files - Allow login_userdomain read all pid files - Allow rsyslog read systemd-logind session files - Allow libvirt-dbus stream connect to virtlxcd- Update bootupd policy - Allow rhsmcertd read/write access to /dev/papr-sysparm - Label /dev/papr-sysparm and /dev/papr-vpd - Allow abrt-dump-journal-core connect to winbindd - Allow systemd-hostnamed shut down nscd - Allow systemd-pstore send a message to syslogd over a unix domain - Allow postfix_domain map postfix_etc_t files - Allow microcode create /sys/devices/system/cpu/microcode/reload - Allow rhsmcertd read, write, and map ica tmpfs files - Support SGX devices - Allow initrc_t transition to passwd_t - Update fstab and cryptsetup generators policy - Allow xdm_t read and write the dma device - Update stalld policy for bpf usage - Allow systemd_gpt_generator to getattr on DOS directories- Make cgroup_memory_pressure_t a part of the file_type attribute - Allow ssh_t to change role to system_r - Update policy for coreos generators - Allow init_t nnp domain transition to firewalld_t - Label /run/modprobe.d with modules_conf_t - Allow virtnodedevd run udev with a domain transition - Allow virtnodedev_t create and use virtnodedev_lock_t - Allow virtstoraged manage files with virt_content_t type - Allow virtqemud unmount a filesystem with extended attributes - Allow svirt_t connect to unconfined_t over a unix domain socket- Update afterburn file transition policy - Allow systemd_generator read attributes of all filesystems - Allow fstab-generator read and write cryptsetup-generator unit file - Allow cryptsetup-generator read and write fstab-generator unit file - Allow systemd_generator map files in /etc - Allow systemd_generator read init's process state - Allow coreos-installer-generator read sssd public files - Allow coreos-installer-generator work with partitions - Label /etc/mdadm.conf.d with mdadm_conf_t - Confine coreos generators - Label /run/metadata with afterburn_runtime_t - Allow afterburn list ssh home directory - Label samba certificates with samba_cert_t - Label /run/coreos-installer-reboot with coreos_installer_var_run_t - Allow virtqemud read virt-dbus process state - Allow staff user dbus chat with virt-dbus - Allow staff use watch /run/systemd - Allow systemd_generator to write kmsg- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild- Allow virtqemud connect to sanlock over a unix stream socket - Allow virtqemud relabel virt_var_run_t directories - Allow svirt_tcg_t read vm sysctls - Allow virtnodedevd connect to systemd-userdbd over a unix socket - Allow svirt read virtqemud fifo files - Allow svirt attach_queue to a virtqemud tun_socket - Allow virtqemud run ssh client with a transition - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket - Update keyutils policy - Allow sshd_keygen_t connect to userdbd over a unix stream socket - Allow postfix-smtpd read mysql config files - Allow locate stream connect to systemd-userdbd - Allow the staff user use wireshark - Allow updatedb connect to userdbd over a unix stream socket - Allow gpg_t set attributes of public-keys.d - Allow gpg_t get attributes of login_userdomain stream - Allow systemd_getty_generator_t read /proc/1/environ - Allow systemd_getty_generator_t to read and write to tty_device_t- Move %postInstall to %posttrans - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)` - Drop obsolete modules from config - Install dnf protected files only when policy is built- Relabel files under /usr/bin to fix stale context after sbin merge- Merge -base and -contrib- Drop publicfile module - Remove permissive domain for systemd_nsresourced_t - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t - Allow to create and delete socket files created by rhsm.service - Allow virtnetworkd exec shell when virt_hooks_unconfined is on - Allow unconfined_service_t transition to passwd_t - Support /var is empty - Allow abrt-dump-journal read all non_security socket files - Allow timemaster write to sysfs files - Dontaudit domain write cgroup files - Label /usr/lib/node_modules/npm/bin with bin_t - Allow ip the setexec permission - Allow systemd-networkd write files in /var/lib/systemd/network - Fix typo in systemd_nsresourced_prog_run_bpf()- Confine libvirt-dbus - Allow virtqemud the kill capability in user namespace - Allow rshim get options of the netlink class for KOBJECT_UEVENT family - Allow dhcpcd the kill capability - Allow systemd-networkd list /var/lib/systemd/network - Allow sysadm_t run systemd-nsresourced bpf programs - Update policy for systemd generators interactions - Allow create memory.pressure files with cgroup_memory_pressure_t - Add support for libvirt hooks- Allow certmonger read and write tpm devices - Allow all domains to connect to systemd-nsresourced over a unix socket - Allow systemd-machined read the vsock device - Update policy for systemd generators - Allow ptp4l_t request that the kernel load a kernel module - Allow sbd to trace processes in user namespace - Allow request-key execute scripts - Update policy for haproxyd- Update policy for systemd-nsresourced - Correct sbin-related file context entries- Allow login_userdomain execute systemd-tmpfiles in the caller domain - Allow virt_driver_domain read files labeled unconfined_t - Allow virt_driver_domain dbus chat with policykit - Allow virtqemud manage nfs files when virt_use_nfs boolean is on - Add rules for interactions between generators - Label memory.pressure files with cgroup_memory_pressure_t - Revert "Allow some systemd services write to cgroup files" - Update policy for systemd-nsresourced - Label /usr/bin/ntfsck with fsadm_exec_t - Allow systemd_fstab_generator_t read tmpfs files - Update policy for systemd-nsresourced - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin - Remove a few lines duplicated between {dkim,milter}.fc - Alias /bin → /usr/bin and remove redundant paths - Drop duplicate line for /usr/sbin/unix_chkpwd - Drop duplicate paths for /usr/sbin- Update systemd-generator policy - Remove permissive domain for bootupd_t - Remove permissive domain for coreos_installer_t - Remove permissive domain for afterburn_t - Add the sap module to modules.conf - Move unconfined_domain(sap_unconfined_t) to an optional block - Create the sap module - Allow systemd-coredumpd sys_admin and sys_resource capabilities - Allow systemd-coredump read nsfs files - Allow generators auto file transition only for plain files - Allow systemd-hwdb write to the kernel messages device - Escape "interface" as a file name in a virt filetrans pattern - Allow gnome-software work for login_userdomain - Allow systemd-machined manage runtime sockets - Revert "Allow systemd-machined manage runtime sockets"- Allow postfix_domain connect to postgresql over a unix socket - Dontaudit systemd-coredump sys_admin capability - Allow all domains read and write z90crypt device - Allow tpm2 generator setfscreate - Allow systemd (PID 1) manage systemd conf files - Allow pulseaudio map its runtime files - Update policy for getty-generator - Allow systemd-hwdb send messages to kernel unix datagram sockets - Allow systemd-machined manage runtime sockets- Allow fstab-generator create unit file symlinks - Update policy for cryptsetup-generator - Update policy for fstab-generator - Allow virtqemud read vm sysctls - Allow collectd to trace processes in user namespace - Allow bootupd search efivarfs dirs - Add policy for systemd-mountfsd - Add policy for systemd-nsresourced - Update policy generators - Add policy for anaconda-generator - Update policy for fstab and gpt generators - Add policy for kdump-dep-generator/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh 41.33-1.fc4241.33-1.fc4241.33-1.fc42 selinuxconfigselinuxmacros.selinux-policyselinux-check-proper-disable.serviceselinux-policy.confbinsbin-convert.shvarrun-convert.shselinux-policyCOPYINGselinuxpackages/etc//etc/selinux//etc/sysconfig//usr/lib/rpm/macros.d//usr/lib/systemd/system//usr/lib/tmpfiles.d//usr/libexec/selinux//usr/share/licenses//usr/share/licenses/selinux-policy//usr/share//usr/share/selinux/-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protectioncpiozstd19noarch-redhat-linux-gnudirectoryemptyUnicode text, UTF-8 textASCII textBourne-Again shell script, ASCII text executablePPPPPPPPP P P P P PRRhttps://bugz.fedoraproject.org/selinux-policyselinux-policy-targetedutf-81e4ce59009a1bb7aa6b556164a1646998e686f55ae12220d6d674851ec44f98776cc2d60528db3a5e5821eff5aa30bb51661a9371cccbeb5db002c1401a588e7?0(/h5T+?VUUU]Ie%կ!L!MgAZW!t6 orp z bIԳ7`MU0 L`,okE:8m;aN jG0y7haSe4(:$8$S/1ot(jMAT ox@mK%Pgb`]? o Xis qj%$; ѕBAb^")P[(88(T0Kh^{7 &ng4@гI֨O=ae46 p.WGvR2~:묆CCQyC0M"x<k(e5WhTA@NwhDQ! v,@J[].C/c[~10 'Ú©\M5 0벹046岨2*Bgg(-'46J.ƥ .$gqЌ 'ےGچp,=.'&)eoZpv3,t ̹PPeY>ҭR fbyƗvtC3)q  0PHP,S@/+xK0;xp^A-4@񭧇BRSNʾ: LCs9r ;#Rܾ]IEܑRJZg'u RGi3w k$I?{>2Y2(bRzD46/=#lz'ψkPohl mEYg&>.ıq>4Ԓ*"8uu _oҞM])kN5g(+F*:i#Kl7.utߢ׷=D_VwȋL ,ۑ =Փ齝1G</(cm~0fjnONϮjJп =Vx8ڹg]i0G=F1gJI{I$k_v̓o >lkmԴ ]uů8" L$ sU>`)v/ƒk-3|'M0Ʉ y`³ŕbɰX`*F@:„[=V(Y?"HAS ٵ  ' ,XMFAm=Śb%Y񄥊IM9"a}vv|)Eo:(ޗH~;94 ݞg`B>AłXPh> ֖ߓ**(*aǚ=}9ޏ20W].*Ȩ`\,E0c* \rq0 RT cT],W`,= (TˢhHׅgi(0gKcp,XFÚXW,h,54UźŲ L,\a].,W.U*V4\p,eUfi2RU,Jc]X0ɠpi6_j]0be\Mƪte25,6+K#Y4a`vqJCɰa T˂ ׫U6?E=x|g۝Eo SɿyBK8~_{&lHCN )NI_է +H~&"w^j5j\[^}^54*Vn\-?E Oo:!@B' B<ݯM’QGp۫o˜N6(ct4 ް+ْ t ;XTѮVedPUW-i=G180ˎ6wII;j_VLެv,=ui*s7 MMN^p%GL2i[yU ݕWj!m@h!ٚGo a}U*Ý'{< `n: *Ly(_WX8t @#y#xsH?Re&b`Q zDP Hg {ҳ,f(@TDX'I_6s5t̾(aUDqj1abӿ95* NH4U_3dNpAY ?5:v_' -(ഒd8݊dsν!ThɿXA=TskRh?O.$j]=\q Ja<;#Ux@Ku4)7PIמe\r"'PJCDJ:J˒V\BT1<1.63%G).](X"@>{*C8!'DfjɸeJЊCNHzzne 5G0)..]D"Uc3P34(7eT!g ҝD6#\6RK+Zp2}#ܻ8PP<'`4ÍzћAZYYsxF}An@ЯF`6)^f~F t 2BU/8S5T(*z ]`}pFM;_vh2Fx~Rl{hXS3׀}"A\e?@VG/#+^ 0Wd`Z.LBӘ(,(`uJƯtkq)FD}=^ւ py |f ,3?o2V;(yc`Htxٙ璍A¦j@ GS lxQ{{ݪ7pBKQvݻd㩎m&›uDά/m"a{񔇗iy8{ ?u/YX3R6g}ǂJ^8j43Zg20vgݪP ,;pm:.[^X쁣 ;tꔳx<DcŸ6AVTȆ6h{P[U{s*3+i}|ڛ,IYߪh_MT0Uh}S 3L&ÛO` CH7h$CAChJF֕ړvf_ ct?E;SwiuQ-LB3bȕ$W?[f@0V,U:_ϕF I 7/,?TW31?AL9Hsoy$|&ʹ"?ՒZE"5 Tn o.#DL^G0?h$eqP~;ug &E}Ӵi8Irh2D<(u 5*E:A1JIOl1qo79Ǧ\t(U_5D'S; 6̐}s\X,ܔ\e^4Q]ǵi_"Mq:V+ԇ%|R)W޲H$';.k[}m\\ù߲o?3E"XpNPG,$~˪q)bh>l3fsNgY/\5ʾ?4,ti^Q\/VћM'b%i(z h9+ȋ->43l Ϳ\Ir'>tV2ZUgថ|Cpgp@bVJ^Rd*4~g]e Z7ŽBfGF>(tv2 18sD|n7t5%F?pdڀk{Sd~QZV*pBb', MHS]&z'̑odZYh')ݷ:!<V$-UԮ+,x=I,2z `9aW8|Egyk-Do R/bx,E~ a G.h䧸ޞJLZDsYk'Er;&~'^ r`'餑ZƳ(LDrt#t"ix')e!W*nK R!|{htXBcpb#İxNA>a>HF%T3ij5~, SnYOLv`=!ᙐ" CzdvW ?S}4)!<\>%hcd "լ{~9Ɲ@w&ED%*G3l ˀ?f($_ʳT@tQE郆=~MsW̲Nzi/Q&'L40a2^NDt=8rB |L(A~ 3P AC$f>38^xd!xDPQ4V7rK–o㻇T4 ĉlRi秪C裷k@w ڏ 3 QԽ w%j>ᅠX<1Q`sk;dvx[Dl0n=B !LK:mI Xr|ޮ#xi\_G|IRd V`Au2.uwC D{"5*޸=LLӳ(+ncjM]ˀEtцC~Zp~A` +FAObZRÃ\W=[A9ȦO돎x.SENZ?3 ,?ALa| AqED!0P@ic3j>fY ,EUA̻ s Y !k^}KܖS`R^RaNN:[([L$KZUU@?Ido"X̣Ezj =3A<YZ!"j齏zl%m)_G-m4!bc WB`xy,+_JmB;D;N- 8(<e=TSI>~JTE!wIK"1sx6󒗛DaU0#ԶH%nŃIa@TiEɅ22*HI- 5p\= qb=M 3o+hT%Wz: dXȅWnQIHLzFEqz@7MY{IKY /hkt5 p.(']2BX=b 3k1bdޜ}H$PyJ h8'EDO C "g`b{H't9m>$\6C{$Db|{1 풯f~=y!W%%|w TG0i.  |2а0&K;#Lxx3u,34lg$4uXBY̥FDղ<`Ѯ%P\n"*=l Sn$yAq]P%H-0o>RwRȑ$d Vp94yGy`4vXU>lL(+nT$f^'-y9ѣ[ɋ[y(]ڲSV81BspX<)5!&Cq+Z~\M jBY_ђFeJWo³eصېњOk@I11BzV[;,mEnFK|BYg3 %s ځ6l{eWkŢh` 0)!_L zŶ:w #v=zߞ ۶WÆ hT.Z P_gty0y \ruI?1MqUG._m3ȵمMC)NNe7Dgg&BO7{/])wXnG>W W:^ESw,"ouV2{cU4>[|3:̿Ͷ^zXC>IJ^i9 *8G9gʈuX>R6';ÝETg]Sa1{=8A Ot5 'K!$FSt kG!_SiE&T41lmV fԯADQt?)=`jȮpw/z#Fvp͏?g|qA1##D