selinux-policy-sandbox-38.1.35-2.el9_4.2.0.2> M Mv ĉJ4!!%joLne)Ip-Bm5 ']fqreleng@rockylinux.org p-Bm5 ']Myx[q*ڲUO (oU?w EGf|__ kBg6+ 2 *6sᐁX]MAV"%Y1`nHȅ";0"j,N/*1D߻OVJra82M幵9 ]aԍ(@}8߃Pjg#SySpdИԍZ~CGO>2Wp~v0ϲmWS6(2zPy!MC}1dAQe :};P/|CX li}qT6 w[IYu4[; ճ_2cʗ'Ot#()oDyaoGI $JvwHy pEl=ݠ;{xH{wup>n>leإwE*wfmkZ@g^`mȁw7d3830480eed4b6b7a030c10696c8883218bb8df7dfdaef5530ef9cd7fd56eea792ee6d40f264f1cb609067d3c8eb31811be5d0fWg%ۆp#6h;$Z>>~?~d! / F 3?pv}@D F H L  (8595:5>{?{G{H{I{X|Y|\|]| ^|+b|Hd}e}f}l}t}u}v}}}~~D~HCselinux-policy-sandbox38.1.352.el9_4.2.0.2SELinux sandbox policySELinux sandbox policy for use with the sandbox utility.fqpb-d313b546-9769-48b0-9182-afb098b7df2d-b-noarchYRocky Linux 9.4Rocky Enterprise Software FoundationGPLv2+Rocky Linux Build System (Peridot) Unspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarchrm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f /var/lib/selinux/*/active/modules/disabled/sandbox 2>/dev/null /usr/sbin/semodule -n -X 100 -i /usr/share/selinux/packages/sandbox.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; exit 0if [ $1 -eq 0 ] ; then /usr/sbin/semodule -n -d sandbox 2>/dev/null if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; fi; exit 0Yfq60572a303b183f39895b6d3d0b27224daa7a2e5833ba5af0711996da2b9463edrootrootselinux-policy-38.1.35-2.el9_4.2.0.2.src.rpmselinux-policy-sandbox     /bin/sh/bin/shrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsZstd)selinux-policy-baseselinux-policy-targeted3.0.4-14.6.0-14.0-15.4.18-138.1.35-2.el9_4.2.0.238.1.35-2.el9_4.2.0.24.16.1.3fqvf]@fYeeee7@eeM@e)ez@ehy@eSa@e@@e2ke@ddF@d d"d˖ds@dr@dr@d@dp@df@d9@@d"d!@ddcc@c@ck@c@c @cEc{h@ctcdcc@cGc@c @cd@bbbVb>b@b@Release Engineering - 38.1.35-2.0.2Zdenek Pytela - 38.1.35-2.2Zdenek Pytela - 38.1.35-2.1Zdenek Pytela - 38.1.35-2Zdenek Pytela - 38.1.35-1Zdenek Pytela - 38.1.34-1Juraj Marcin - 38.1.33-1Juraj Marcin - 38.1.32-1Juraj Marcin - 38.1.31-1Zdenek Pytela - 38.1.30-1Juraj Marcin - 38.1.29-1Juraj Marcin - 38.1.28-1Juraj Marcin - 38.1.27-1Zdenek Pytela - 38.1.26-1Zdenek Pytela - 38.1.25-1Juraj Marcin - 38.1.24-1Nikola Knazekova - 38.1.23-1Nikola Knazekova - 38.1.22-1Nikola Knazekova - 38.1.21-1Nikola Knazekova - 38.1.20-1Nikola Knazekova - 38.1.19-1Nikola Knazekova - 38.1.18-1Nikola Knazekova - 38.1.17-1Nikola Knazekova - 38.1.16-1Zdenek Pytela - 38.1.15-1Nikola Knazekova - 38.1.14-1Nikola Knazekova - 38.1.13-1Nikola Knazekova - 38.1.12-1Nikola Knazekova - 38.1.11-2Nikola Knazekova - 38.1.11-1Nikola Knazekova - 38.1.10-1Nikola Knazekova - 38.1.9-1Nikola Knazekova - 38.1.8-1Nikola Knazekova - 38.1.7-1Nikola Knazekova - 38.1.6-1Nikola Knazekova - 38.1.5-1Nikola Knazekova - 38.1.4-1Nikola Knazekova - 38.1.3-1Zdenek Pytela - 38.1.2-1Zdenek Pytela - 38.1.1-1Zdenek Pytela - 34.1.47-1Nikola Knazekova - 34.1.46-1Nikola Knazekova - 34.1.45-1Nikola Knazekova - 34.1.44-1Zdenek Pytela - 34.1.43-1Zdenek Pytela - 34.1.42-1Nikola Knazekova - 34.1.41-1Nikola Knazekova - 34.1.40-1Nikola Knazekova - 34.1.39-1Nikola Knazekova - 34.1.38-1Zdenek Pytela - 34.1.37-1Zdenek Pytela - 34.1.36-1Zdenek Pytela - 34.1.35-1- Rebuild package to address build system issue - Ensure that selinux macro matches upstream- Rebuild Resolves: RHEL-36154- Allow svirt_t read vm sysctls Resolves: RHEL-36154 - Allow qemu-ga read vm sysctls Resolves: RHEL-36291- Rebuild Resolves: RHEL-26663- Allow wdmd read hardware state information Resolves: RHEL-26663- Allow wdmd list the contents of the sysfs directories Resolves: RHEL-26663 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-26660- Allow thumb_t to watch and watch_reads mount_var_run_t Resolves: RHEL-26073 - Allow opafm create NFS files and directories Resolves: RHEL-17820 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11250- Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21635 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-24841 - Allow unix dgram sendto between exim processes Resolves: RHEL-21902 - Allow utempter_t use ptmx Resolves: RHEL-24946 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1551 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1551 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1551- Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792- Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-14077 - Allow qatlib set attributes of vfio device files Resolves: RHEL-19051 - Allow qatlib load kernel modules Resolves: RHEL-19051 - Allow qatlib run lspci Resolves: RHEL-19051 - Allow qatlib manage its private runtime socket files Resolves: RHEL-19051 - Allow qatlib read/write vfio devices Resolves: RHEL-19051 - Allow syslog to run unconfined scripts conditionally Resolves: RHEL-11174 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-11174 - Allow sendmail MTA connect to sendmail LDA Resolves: RHEL-15175 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15432 - Allow opafm search nfs directories Resolves: RHEL-17820 - Allow mdadm list stratisd data directories Resolves: RHEL-19276 - Update cyrus_stream_connect() to use sockets in /run Resolves: RHEL-19282 - Allow collectd connect to statsd port Resolves: RHEL-21044 - Allow insights-client transition to sap unconfined domain Resolves: RHEL-21452 - Create the sap module Resolves: RHEL-21452- Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make `bootc` be `install_exec_t` Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174- Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175- Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resovles: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413- Allow kdump create and use its memfd: objects Resolves: RHEL-14413- Add map_read map_write to kernel_prog_run_bpf Resolves: RHEL-2653 - Allow sysadm_t read nsfs files Resolves: RHEL-5146 - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t Resolves: RHEL-14029 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14110 - Label /run/pcsd.socket with cluster_var_run_t Resolves: RHEL-1664- Allow cupsd_t to use bpf capability Resolves: RHEL-3633 - Label /dev/gnss[0-9] with gnss_device_t Resolves: RHEL-9936 - Dontaudit rhsmcertd write memory device Resolves: RHEL-1547- Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443- Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759- Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526- Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153- Allow qatlib to read sssd public files Resolves: rhbz#2080443 - Fix location for /run/nsd Resolves: rhbz#2181600 - Allow samba-rpcd work with passwords Resolves: rhbz#2107092 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107092 - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty Resolves: rhbz#2223305 - Allow keepalived to manage its tmp files Resolves: rhbz#2179212 - Allow nscd watch system db dirs Resolves: rhbz#2152124- Boolean: Allow virt_qemu_ga create ssh directory Resolves: rhbz#2181402 - Allow virt_qemu_ga_t create .ssh dir with correct label Resolves: rhbz#2181402 - Set default ports for keylime policy Resolves: RHEL-594 - Allow unconfined service inherit signal state from init Resolves: rhbz#2186233 - Allow sa-update connect to systemlog services Resolves: rhbz#2220643 - Allow sa-update manage spamc home files Resolves: rhbz#2220643 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213605 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076933 - Update policy for the sblim-sfcb service Resolves: rhbz#2076933 - Define equivalency for /run/systemd/generator.early Resolves: rhbz#2213516- Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833- Remove permissive from fdo Resolves: rhbz#2026795 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833 - Add policy for FIDO Device Onboard Resolves: rhbz#2026795 - Create policy for qatlib Resolves: rhbz#2080443 - Add policy for boothd Resolves: rhbz#2128833 - Add list_dir_perms to kerberos_read_keytab Resolves: rhbz#2112729 - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t Resolves: rhbz#2209973 - Allow collectd_t read network state symlinks Resolves: rhbz#2209650 - Revert "Allow collectd_t read proc_net link files" Resolves: rhbz#2209650 - Allow insights-client execmem Resolves: rhbz#2207894 - Label udf tools with fsadm_exec_t Resolves: rhbz#2039774- Add fs_delete_pstore_files() interface Resolves: rhbz#2181565 - Add fs_read_pstore_files() interface Resolves: rhbz#2181565 - Allow insights-client getsession process permission Resolves: rhbz#2214581 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2214581 - Allow insights-client map generic log files Resolves: rhbz#2214581 - Allow insights-client read unconfined service semaphores Resolves: rhbz#2214581 - Allow insights-client get quotas of all filesystems Resolves: rhbz#2214581 - Allow haproxy read hardware state information Resolves: rhbz#2164691 - Allow cupsd dbus chat with xdm Resolves: rhbz#2143641 - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file Resolves: rhbz#2165863 - Add none file context for polyinstantiated tmp dirs Resolves: rhbz#2099194 - Add support for the systemd-pstore service Resolves: rhbz#2181565 - Label /dev/userfaultfd with userfaultfd_t Resolves: rhbz#2175290 - Allow collectd_t read proc_net link files Resolves: rhbz#2209650 - Label smtpd with sendmail_exec_t Resolves: rhbz#2213573 - Label msmtp and msmtpd with sendmail_exec_t Resolves: rhbz#2213573 - Allow dovecot-deliver write to the main process runtime fifo files Resolves: rhbz#2211787 - Allow subscription-manager execute ip Resolves: rhbz#2211566 - Allow ftpd read network sysctls Resolves: rhbz#2175856- Allow firewalld rw ica_tmpfs_t files Resolves: rhbz#2207487 - Add chromium_sandbox_t setcap capability Resolves: rhbz#2187893 - Allow certmonger manage cluster library files Resolves: rhbz#2179022 - Allow wireguard to rw network sysctls Resolves: rhbz#2192154 - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t Resolves: rhbz#2188173 - Allow plymouthd_t bpf capability to run bpf programs Resolves: rhbz#2184803 - Update pkcsslotd policy for sandboxing Resolves: rhbz#2209235 - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t Resolves: rhbz#2203201- Allow insights-client work with teamdctl Resolves: rhbz#2190178 - Allow virsh name_connect virt_port_t Resolves: rhzb#2187290 - Allow cupsd to create samba_var_t files Resolves: rhbz#2174445 - Allow dovecot to map files in /var/spool/dovecot Resolves: rhbz#2165863 - Add tunable to allow squid bind snmp port Resolves: rhbz#2151378 - Allow rhsmcert request the kernel to load a module Resolves: rhbz#2203359 - Allow snmpd read raw disk data Resolves: rhbz#2196528- Allow cloud-init domain transition to insights-client domain Resolves: rhbz#2162663 - Allow chronyd send a message to cloud-init over a datagram socket Resolves: rhbz#2162663 - Allow dmidecode write to cloud-init tmp files Resolves: rhbz#2162663 - Allow login_pgm setcap permission Resolves: rhbz#2174331 - Allow tshark the setsched capability Resolves: rhbz#2165634 - Allow chronyc read network sysctls Resolves: rhbz#2173604 - Allow systemd-timedated watch init runtime dir Resolves: rhbz#2175137 - Add journalctl the sys_resource capability Resolves: rhbz#2153782 - Allow system_cronjob_t transition to rpm_script_t Resolves: rhbz#2173685 - Revert "Allow system_cronjob_t domtrans to rpm_script_t" Resolves: rhbz#2173685 - Allow insights-client tcp connect to all ports Resolves: rhbz#2183083 - Allow insights-client work with su and lpstat Resolves: rhbz#2183083 - Allow insights-client manage fsadm pid files Resolves: rhbz#2183083 - Allow insights-client read all sysctls Resolves: rhbz#2183083 - Allow rabbitmq to read network sysctls Resolves: rhbz#2184999- rebuilt Resolves: rhbz#2172268- Allow passt manage qemu pid sock files Resolves: rhbz#2172268 - Exclude passt.if from selinux-policy-devel Resolves: rhbz#2172268- Add support for the passt_t domain Resolves: rhbz#2172268 - Allow virtd_t and svirt_t work with passt Resolves: rhbz#2172268 - Add new interfaces in the virt module Resolves: rhbz#2172268 - Add passt interfaces defined conditionally Resolves: rhbz#2172268- Boolean: allow qemu-ga manage ssh home directory Resolves: rhbz#2178612 - Allow wg load kernel modules, search debugfs dir Resolves: rhbz#2176487- Allow svirt to map svirt_image_t char files Resolves: rhbz#2170482 - Fix opencryptoki file names in /dev/shm Resolves: rhbz#2166283- Allow staff_t getattr init pid chr & blk files and read krb5 Resolves: rhbz#2112729 - Allow firewalld to rw z90crypt device Resolves: rhbz#2166877 - Allow httpd work with tokens in /dev/shm Resolves: rhbz#2166283- Allow modemmanager create hardware state information files Resolves: rhbz#2149560 - Dontaudit ftpd the execmem permission Resolves: rhbz#2164434 - Allow nm-dispatcher plugins read generic files in /proc Resolves: rhbz#2164845 - Label systemd-journald feature LogNamespace Resolves: rhbz#2124797 - Boolean: allow qemu-ga read ssh home directory Resolves: rhbz#1917024- Reuse tmpfs_t also for the ramfs filesystem Resolves: rhbz#2160391 - Allow systemd-resolved watch tmpfs directories Resolves: rhbz#2160391 - Allow hostname_t to read network sysctls. Resolves: rhbz#2161958 - Allow ModemManager all permissions for netlink route socket Resolves: rhbz#2149560 - Allow unconfined user filetransition for sudo log files Resolves: rhbz#2160388 - Allow sudodomain use sudo.log as a logfile Resolves: rhbz#2160388 - Allow nm-cloud-setup dispatcher plugin restart nm services Resolves: rhbz#2154414 - Allow wg to send msg to kernel, write to syslog and dbus connections Resolves: rhbz#2149452 - Allow rshim bpf cap2 and read sssd public files Resolves: rhbz#2080439 - Allow svirt request the kernel to load a module Resolves: rhbz#2144735 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2014606- Add lpr_roles to system_r roles Resolves: rhbz#2152150 - Allow insights client work with gluster and pcp Resolves: rhbz#2152150 - Add interfaces in domain, files, and unconfined modules Resolves: rhbz#2152150 - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t Resolves: rhbz#2152150 - Add insights additional capabilities Resolves: rhbz#2152150 - Revert "Allow insights-client run lpr and allow the proper role" Resolves: rhbz#2152150 - Allow prosody manage its runtime socket files Resolves: rhbz#2157891 - Allow syslogd read network sysctls Resolves: rhbz#2156068 - Allow NetworkManager and wpa_supplicant the bpf capability Resolves: rhbz#2137085 - Allow sysadm_t read/write ipmi devices Resolves: rhbz#2158419 - Allow wireguard to create udp sockets and read net_conf Resolves: rhbz#2149452 - Allow systemd-rfkill the bpf capability Resolves: rhbz#2149390 - Allow load_policy_t write to unallocated ttys Resolves: rhbz#2145181 - Allow winbind-rpcd manage samba_share_t files and dirs Resolves: rhbz#2150680- Allow stalld to read /sys/kernel/security/lockdown file Resolves: rhbz#2140673 - Allow syslog the setpcap capability Resolves: rhbz#2151841 - Allow pulseaudio to write to session_dbusd tmp socket files Resolves: rhbz#2132942 - Allow keepalived to set resource limits Resolves: rhbz#2151212 - Add policy for mptcpd Resolves: bz#1972222 - Add policy for rshim Resolves: rhbz#2080439 - Allow insights-client dbus chat with abrt Resolves: rhbz#2152166 - Allow insights-client work with pcp and manage user config files Resolves: rhbz#2152150 - Allow insights-client run lpr and allow the proper role Resolves: rhbz#2152150 - Allow insights-client tcp connect to various ports Resolves: rhbz#2152150 - Allow insights-client dbus chat with various services Resolves: rhbz#2152150 - Allow journalctl relabel with var_log_t and syslogd_var_run_t files Resolves: rhbz#2152823- Allow insights client communicate with cupsd, mysqld, openvswitch, redis Resolves: rhbz#2124549 - Allow insights client read raw memory devices Resolves: rhbz#2124549 - Allow networkmanager_dispatcher_plugin work with nscd Resolves: rhbz#2149317 - Allow ipsec_t only read tpm devices Resolves: rhbz#2147380 - Watch_sb all file type directories. Resolves: rhbz#2139363 - Add watch and watch_sb dosfs interface Resolves: rhbz#2139363 - Revert "define lockdown class and access" Resolves: rhbz#2145266 - Allow postfix/smtpd read kerberos key table Resolves: rhbz#2145266 - Remove the lockdown class from the policy Resolves: rhbz#2145266 - Remove label for /usr/sbin/bgpd Resolves: rhbz#2145266 - Revert "refpolicy: drop unused socket security classes" Resolves: rhbz#2145266- Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2082524- Add domain_unix_read_all_semaphores() interface Resolves: rhbz#2123358 - Allow chronyd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2141255 - Allow unbound connectto unix_stream_socket Resolves: rhbz#2141236 - added policy for systemd-socket-proxyd Resolves: rhbz#2141606 - Allow samba-dcerpcd use NSCD services over a unix stream socket Resolves: rhbz#2121729 - Allow insights-client unix_read all domain semaphores Resolves: rhbz#2123358 - Allow insights-client manage generic locks Resolves: rhbz#2123358 - Allow insights-client create gluster log dir with a transition Resolves: rhbz#2123358 - Allow insights-client domain transition on semanage execution Resolves: rhbz#2123358 - Disable rpm verification on interface_info Resolves: rhbz#2134515- new version Resolves: rhbz#2134827- Add watch_sb interfaces Resolves: rhbz#2139363 - Add watch interfaces Resolves: rhbz#2139363 - Allow dhcpd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow netutils and traceroute bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pkcs_slotd_t bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow xdm bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pcscd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow lldpad bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow keepalived bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow ipsec bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow fprintd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow iptables list cgroup directories Resolves: rhbz#2134829 - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files Resolves: rhbz#2042515 - Dontaudit dirsrv search filesystem sysctl directories Resolves: rhbz#2134726- Allow insights-client domtrans on unix_chkpwd execution Resolves: rhbz#2126091 - Allow insights-client connect to postgresql with a unix socket Resolves: rhbz#2126091 - Allow insights-client send null signal to rpm and system cronjob Resolves: rhbz#2126091 - Allow insights-client manage samba var dirs Resolves: rhbz#2126091 - Allow rhcd compute selinux access vector Resolves: rhbz#2126091 - Add file context entries for insights-client and rhc Resolves: rhbz#2126161 - Allow pulseaudio create gnome content (~/.config) Resolves: rhbz#2132942 - Allow rhsmcertd execute gpg Resolves: rhbz#2130204 - Label ports 10161-10162 tcp/udp with snmp Resolves: rhbz#2133221 - Allow lldpad send to unconfined_t over a unix dgram socket Resolves: rhbz#2112044 - Label port 15354/tcp and 15354/udp with opendnssec Resolves: rhbz#2057501 - Allow aide to connect to systemd_machined with a unix socket. Resolves: bz#2062936 - Allow ftpd map ftpd_var_run files Resolves: bz#2124943 - Allow ptp4l respond to pmc Resolves: rhbz#2131689 - Allow radiusd connect to the radacct port Resolves: rhbz#2132424 - Allow xdm execute gnome-atspi services Resolves: rhbz#2132244 - Allow ptp4l_t name_bind ptp_event_port_t Resolves: rhbz#2130170 - Allow targetclid to manage tmp files Resolves: rhbz#2127408 - Allow sbd the sys_ptrace capability Resolves: rhbz#2124695- Update rhcd policy for executing additional commands 5 Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 4 Resolves: rhbz#2119351 - Allow rhcd create rpm hawkey logs with correct label Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 3 Resolves: rhbz#2119351 - Allow sssd to set samba setting Resolves: rhbz#2121125 - Allow journalctl read rhcd fifo files Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 5 Resolves: rhbz#2121125 - Confine insights-client systemd unit Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 4 Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 3 Resolves: rhbz#2121125 - Allow rhcd execute all executables Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 2 Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 2 Resolves: rhbz#2121125- Label /var/log/rhc-worker-playbook with rhcd_var_log_t Resolves: rhbz#2119351 - Update insights-client policy (auditctl, gpg, journal) Resolves: rhbz#2107363- Allow unconfined domains to bpf all other domains Resolves: RHBZ#2112014 - Allow stalld get and set scheduling policy of all domains. Resolves: rhbz#2105038 - Allow unconfined_t transition to targetclid_home_t Resolves: RHBZ#2106360 - Allow samba-bgqd to read a printer list Resolves: rhbz#2118977 - Allow system_dbusd ioctl kernel with a unix stream sockets Resolves: rhbz#2085392 - Allow chronyd bind UDP sockets to ptp_event ports. Resolves: RHBZ#2118631 - Update tor_bind_all_unreserved_ports interface Resolves: RHBZ#2089486 - Remove permissive domain for rhcd_t Resolves: rhbz#2119351 - Allow unconfined and sysadm users transition for /root/.gnupg Resolves: rhbz#2121125 - Add gpg_filetrans_admin_home_content() interface Resolves: rhbz#2121125 - Update rhcd policy for executing additional commands Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution Resolves: rhbz#2119507 - Add rpm setattr db files macro Resolves: rhbz#2119507 - Add userdom_view_all_users_keys() interface Resolves: rhbz#2119507 - Allow gpg read and write generic pty type Resolves: rhbz#2119507 - Allow chronyc read and write generic pty type Resolves: rhbz#2119507- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd Resolves: RHBZ#2088257 - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t Resolves: RHBZ#1976684 - Allow samba-bgqd get a printer list Resolves: rhbz#2112395 - Allow networkmanager to signal unconfined process Resolves: RHBZ#2074414 - Update NetworkManager-dispatcher policy Resolves: RHBZ#2101910 - Allow openvswitch search tracefs dirs Resolves: rhbz#1988164 - Allow openvswitch use its private tmpfs files and dirs Resolves: rhbz#1988164 - Allow openvswitch fsetid capability Resolves: rhbz#1988164- Add support for systemd-network-generator Resolves: RHBZ#2111069 - Allow systemd work with install_t unix stream sockets Resolves: rhbz#2111206 - Allow sa-update to get init status and start systemd files Resolves: RHBZ#2061844- Allow some domains use sd_notify() Resolves: rhbz#2056565 - Revert "Allow rabbitmq to use systemd notify" Resolves: rhbz#2056565 - Update winbind_rpcd_t Resolves: rhbz#2102084 - Update chronyd_pid_filetrans() to allow create dirs Resolves: rhbz#2101910 - Allow keepalived read the contents of the sysfs filesystem Resolves: rhbz#2098130 - Define LIBSEPOL version 3.4-1 Resolves: rhbz#2095688- Allow targetclid read /var/target files Resolves: rhbz#2020169 - Update samba-dcerpcd policy for kerberos usage 2 Resolves: rhbz#2096521 - Allow samba-dcerpcd work with sssd Resolves: rhbz#2096521 - Allow stalld set scheduling policy of kernel threads Resolves: rhbz#2102224- Allow targetclid read generic SSL certificates (fixed) Resolves: rhbz#2020169 - Fix file context pattern for /var/target Resolves: rhbz#2020169 - Use insights_client_etc_t in insights_search_config() Resolves: rhbz#1965013-Add the corecmd_watch_bin_dirs() interface Resolves: rhbz#1965013 - Update rhcd policy Resolves: rhbz#1965013 - Allow rhcd search insights configuration directories Resolves: rhbz#1965013 - Add the kernel_read_proc_files() interface Resolves: rhbz#1965013 - Update insights_client_filetrans_named_content() Resolves: rhbz#2081425 - Allow transition to insights_client named content Resolves: rhbz#2081425 - Add the insights_client_filetrans_named_content() interface Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 3 Resolves: rhbz#2081425 - Allow insights-client execute its private memfd: objects Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 2 Resolves: rhbz#2081425 - Use insights_client_tmp_t instead of insights_client_var_tmp_t Resolves: rhbz#2081425 - Change space indentation to tab in insights-client Resolves: rhbz#2081425 - Use socket permissions sets in insights-client Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands Resolves: rhbz#2081425 - Allow init_t to rw insights_client unnamed pipe Resolves: rhbz#2081425 - Fix insights client Resolves: rhbz#2081425 - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling Resolves: rhbz#2081425 - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t Resolves: rhbz#2081425 - Allow stalld get scheduling policy of kernel threads Resolves: rhbz#2096776 - Update samba-dcerpcd policy for kerberos usage Resolves: rhbz#2096521 - Allow winbind_rpcd_t connect to self over a unix_stream_socket Resolves: rhbz#2096255 - Allow dlm_controld send a null signal to a cluster daemon Resolves: rhbz#2095884 - Allow dhclient manage pid files used by chronyd The chronyd_manage_pid_files() interface was added. - Resolves: rhbz#2094155 Allow install_t nnp_domtrans to setfiles_mac_t - Resolves: rhbz#2073010 - Allow rabbitmq to use systemd notify Resolves: rhbz#2056565 - Allow ksmctl create hardware state information files Resolves: rhbz#2021131 - Label /var/target with targetd_var_t Resolves: rhbz#2020169 - Allow targetclid read generic SSL certificates Resolves: rhbz#2020169/bin/sh/bin/sh38.1.35-2.el9_4.2.0.2sandbox.pp/usr/share/selinux/packages/-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpiozstd19noarch-redhat-linux-gnuutf-868d40182059cf7c38ac223837193a41b644d5ca7b3a2b541016a359aa8c6a7a18e76bd49fc4e5792daa6c12575feb936b17b5d068b3b5afe66bdc14d6d6450e0? (/hzwHQ((((( \+WSlmњDW.o"H(6T$ U#1־տ_]byk~ZS{$ѝ?]Lgnαԍڛ\qU-οšT2=&(oMp=-@wg5>Qb'Xc)KOݶ4ۓ A䮊1 rᬦiwnoq&]Ob+~<e4h1v?f.kXC:EEc<"7@h$=xc1#ƨ5xrIS>lP5$$/"5rߢ63u{ml>3Vi@΋nFLg'+4<('!)t+JB._61k,j@j?xw2antmnUh*/zYT~fnjI]1*{ڹNJQ'm}ďzjk;C*kWeu'Fx?-ci㯽D}]q]ߝ崨[Nrc7;6p;Lp}{-KJ0=qAG\v[ùֱuYpc; im?nyd$)\úE:VL; UxnO[.GUǿ us:u>3!g=3:w.܂RsbxɐPҪr7+Ȏve,L yb!Ϙgۭ8d:pfmQ;ٖdP "45Z6,!wμY43 })}sn yhW,Sm"tL]HfLO?X9CK)!bk#$А!#BEqy!: GX ,@ `ZljPLP(0(^O`\N~( U "2#yQ+D?EԊ bd$7]4Y`? xM1{KsYsyW/s rrNdswNU7q;jk_ȿq[e#y6qp|o]b;\%.I*^wq>Md CŐ6Dw5B:_O;E?TNN~SmM:rt6qN'|e?zXHǤÛG+9˸S*zԩ_O4 ҖMVWk63s-uѦRi73  D1B:MB!!BH0""""B&T `B[UEhK%1DaZ4EJh 5\;%vr5  9(9 S҃eC9A [dv=~tAAc}{)śe}E 8Habî\ II;M^%h&eF+Xu(e][0=@q7nXRBO&XQ(sȆ6 Bެҫ_^U sVB  AG!{nOzf_u#%gQbK}Xa{97X syu$n^+&g8314)۵ŰHnc}2<OsAeti\º/f:9]2@p]⌔S SpMSەq颱[n{Yh0zY]GYXhڨJ&),ѷEQE31ph NjGx`U #BupNi+r"X=8 IN!ڠ^9j t4#('~H]q^x㱼wR,~L\[)xT\1j@{dVLA%5)hQ'R5w=> ?DӞP9߻/d@QSdӾt p5Z䑺Ŀ.nb i es&~aR]u}pc;:R$]a p=l Wb#w|IC+77OMW!V[">xwk$$'j-G1]}c,-/]TYb( Kt9G/<=KκT}L G0׶cQq1vES\@mOДX,n& eeQ @ `b9(t* 6!PV/ 6Z!D7fvI?YȻl9iCS΂/ "&(…59KM_]"j 2V"*=#*>xՠHq%ROѰDS^DxM-tneZyp,%~jb@RxI1NI' 1n#\z1!8]L9\7kCLL=>>M 昞dx㫢HA"?nB iNs]*.T|W3f5,/zHdꋂ4lI=6dPxVBҨc2MG26쩽.FZ8Or  W)}JmhcBlHdcLG}0ރ(z}Bצ2Fsm'($ ;i:Ӕ ;—u͎!vWujOc@Wפv@KF/:l$u ]%PJ#V& :7b p}gtvSUyvd䉘kKޭP[koRd^.o0j]m9cv0(SRږiJyH֢fwdAG ҺCaY}ǐYަ"g"-gcFq> ly. d̩^D@իje.i9+-Xv(9q,0J-. l]%#wxF"Qﳪ\0lGKeHox>!\#(?m98Qf2a ;;j`č.7J(5dlX̖nB-R*$ejd!zVrGnUbswlP-J䅤ygT䊲5`v׺m7"1fz#U>7KY!aL3&.ήw!-=EAd#˥TgI$27DMOF|lrSRL6I# 2gᇟ#y)S2|%\OhCxybkm Lafkٞv 1 :";/!„tR!G3;Xo\\UZR #C;*:䍉#h;zFDcUMKKjyLӕ$[}iY8)ҔX[0$!Gz ZDv!pH8q\NUshJl?2"M$a!A:š|d>LڅD0t![4Ux"u uvo]D.X|k^d2`iq\s7hMX{' qZpihXL5?nIL0=2GcPRlmZs_d㜗j **zKTT#i웤|1Կ ƒ':%URz6!ѪY6ژ-L^cN>]mHl<[{A#{i Ul&e>x,F=&)Q.C!_t1Xjlxq#s1m@EPzm:4S%*.tFB@NS0Š1'1[ `'>Ѯ)%׀3swn"Z76-:UQ8}(FfvlT$4l9|j*Ĭ:"4@prjbYYbhѻJ>*J: TEqe'mMpae6Oo6 @;AHv9h sC4.{Pm `g)tg)t:8-cb=Yh°klXaw9"Oϸ *7 Kz>28熄ec[8_CR5Hۑ ڡx^Au N|[DٹYJ?9R?-@ʀ3Dv|͖RR dcOPƕ(e;cc4lUՂ 7KpQFW*qVңj)5~,ePYԥ`agjEjdc}z֪]g}d͡EQ'h~t_/D|N)'sR}= "[,bق]vu!_"-wvhI<,p~(NPs6֗H]xfaRMCpE> X̨RS) 6G4R]?\A#kV& CW2<oErC, sdRL-YUk6bb-gc\ڊ1&+kyFрpoVGK"nL5>4*l isQG*n}*]{Z %_ f86ЉG);W'S`BnƩL wDE^#;uk#v+]'CװS߸}=I-Z۝k|a|%riL9((vԦ%9he9941:50;63<72505614727836-  S @ | :( %  @DS  %@dfI"XPaDhB$N$ nh[?x?Kwx% tkq5f4K$p8X;239Pu-jɷ 񐑈/}8cV#=] e_zbAy򝓰B*E;tyc=ݗ po\t#OVD3YT#i}53*'lCuBK^ +'#5 lE^v)hl ,EA`vt2O1$=1q+9Kp\[Fb(k̲TQ vy*/pI\ VUUU"ΧX>$GBIBT]ZY$$ݚ1uN8@ndr"sȤ´kGE=E8*. 8y=0EFg`H0\ۑnReR|d"%}SM<=ĝ}=ii| -v_3&Qb!J!ZX@xI0߰"F^wEEw^ςtTH< \Pq}{||8,ʖ<ԯbUЙS8ƭ-*˿̽;+g\bQtN)u4z{ᝀS{sm8jɡ3qqZ{]b[-ミ}G0U"|ÅWf=cp+3Gl 'M̠ ‚=JR&dzΧ F2IB>il?ƨS-}fzYW]efZR5jȧ)k;N*Ainv#5j,m>9Md^s1KCDb$cQ5F]I3K T r15tLUaSGY1aWS<\uϣȳX®ưOsjԨ̨XH!^Q.-Yial\j|(Sw TjEf]LRgߔ:s&T …a ЁH(1b2g%y߷O-Jdf6LK+V1*gnf},q2wՠtL1hdhykn`>\zETmI;h²43p,Q L> !9[a4'^Y\jz)Sx`Yրꡳd