�����selinux-policy-sandbox-38.1.45-3.el9_5����>� M Mv�������� ĉJ4!!�%j�o�Lne)Ip-Bm5 ']g4'releng@rockylinux.org p-Bm5 ']�{����U}@Ǫ�oy���&�V*a�0���}�D7zY>����W�d2�������{]�Upؙ uL�>a������U�8�Y� ��}g=*a�;���jQ�`�,j�ϢC7 c�#�u�u��9[S�ݔ�t����? ,���j=wL�8.����!3�ǂ�V]�ê�\� �����Ϲ}����&�`i���P�m�P3�.-����}nz0�q_=��i ۑ$�� �4�����'���_��"�>�� b��.PG�)����Ռ���b���]���@��\��ȝyJ`�v����h�[�ψa�>�Gu~�����O�`V��*A ��� rgPʁ��A����QG�=�>Gрj���̓J�Pha�uzU���Ӝ�C��`��,i��Ux�����B�����SS�#e-x�'q�E�����b��S)#`uΫ����c��7Ʒt���3��LMF��o7�2������6��k�Q�܋/y��[G�NDɚ�}�%[�q#���e92cb8208ae2245af9320a91d28d7fd4f86b5b3a89a2c7e815683db356339fcbf4e2cfe535ff678fce4a5d91cfd836db8f852de3��i�=����H;�>�-6U�Z�>�������>z�?z�d���!� )� @�|������������� /�;�l�ry�<@ B D H � ��������(�8�59�5:�5>xB?xJGxTHxXIx\Xx`Yxd\xt]xx^x�bx�dzez$fz)lz,tzDuzHvzL�zP�zT�zZ�z��z�Cselinux-policy-sandbox38.1.453.el9_5SELinux sandbox policySELinux sandbox policy for use with the sandbox utility.g4�pb-9713d64e-3c9d-4106-8631-9249178e569f-b-noarchY�Rocky Linux 9.5Rocky Enterprise Software FoundationGPLv2+Rocky Linux Build System (Peridot) Unspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarchrm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f /var/lib/selinux/*/active/modules/disabled/sandbox 2>/dev/null /usr/sbin/semodule -n -X 100 -i /usr/share/selinux/packages/sandbox.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; exit 0if [ $1 -eq 0 ] ; then /usr/sbin/semodule -n -d sandbox 2>/dev/null if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; fi; exit 0Y���g460572a303b183f39895b6d3d0b27224daa7a2e5833ba5af0711996da2b9463edrootrootselinux-policy-38.1.45-3.el9_5.src.rpm����selinux-policy-sandbox     /bin/sh/bin/shrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsZstd)selinux-policy-baseselinux-policy-targeted3.0.4-14.6.0-14.0-15.4.18-138.1.45-3.el9_538.1.45-3.el9_54.16.1.3f��f�K�f�b�f��@f�'@f��f��@fqv�fa��fE�@f:�f�e���e���e���e�7@e���e�M@e�)�ez�@ehy@eSa@e@�@e2k�e�@d��d�F@d� �d�"�d˖�d�s@d�r@d�r@d��@dp�@df@d9@@d"��d!�@d��d�c��c��@c��@c�k@c��@c� @c�E�c{h@ct��cd��cc�@cG��Zdenek Pytela - 38.1.45-3Zdenek Pytela - 38.1.45-2Zdenek Pytela - 38.1.45-1Zdenek Pytela - 38.1.44-1Zdenek Pytela - 38.1.43-1Zdenek Pytela - 38.1.42-1Zdenek Pytela - 38.1.41-1Zdenek Pytela - 38.1.40-1Zdenek Pytela - 38.1.39-1Zdenek Pytela - 38.1.38-1Zdenek Pytela - 38.1.37-1Zdenek Pytela - 38.1.36-1Zdenek Pytela - 38.1.35-2Zdenek Pytela - 38.1.35-1Zdenek Pytela - 38.1.34-1Juraj Marcin - 38.1.33-1Juraj Marcin - 38.1.32-1Juraj Marcin - 38.1.31-1Zdenek Pytela - 38.1.30-1Juraj Marcin - 38.1.29-1Juraj Marcin - 38.1.28-1Juraj Marcin - 38.1.27-1Zdenek Pytela - 38.1.26-1Zdenek Pytela - 38.1.25-1Juraj Marcin - 38.1.24-1Nikola Knazekova - 38.1.23-1Nikola Knazekova - 38.1.22-1Nikola Knazekova - 38.1.21-1Nikola Knazekova - 38.1.20-1Nikola Knazekova - 38.1.19-1Nikola Knazekova - 38.1.18-1Nikola Knazekova - 38.1.17-1Nikola Knazekova - 38.1.16-1Zdenek Pytela - 38.1.15-1Nikola Knazekova - 38.1.14-1Nikola Knazekova - 38.1.13-1Nikola Knazekova - 38.1.12-1Nikola Knazekova - 38.1.11-2Nikola Knazekova - 38.1.11-1Nikola Knazekova - 38.1.10-1Nikola Knazekova - 38.1.9-1Nikola Knazekova - 38.1.8-1Nikola Knazekova - 38.1.7-1Nikola Knazekova - 38.1.6-1Nikola Knazekova - 38.1.5-1Nikola Knazekova - 38.1.4-1Nikola Knazekova - 38.1.3-1Zdenek Pytela - 38.1.2-1Zdenek Pytela - 38.1.1-1Zdenek Pytela - 34.1.47-1Nikola Knazekova - 34.1.46-1Nikola Knazekova - 34.1.45-1Nikola Knazekova - 34.1.44-1- Rebuild Resolves: RHEL-55414- Rebuild Resolves: RHEL-55414- Allow setsebool_t relabel selinux data files Resolves: RHEL-55414- Allow coreos-installer-generator work with partitions Resolves: RHEL-38614 - Label /etc/mdadm.conf.d with mdadm_conf_t Resolves: RHEL-38614 - Change file context specification to /var/run/metadata Resolves: RHEL-49735 - Allow initrc_t transition to passwd_t Resolves: RHEL-17404 - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets Resolves: RHEL-25514 - systemd: allow sys_admin capability for systemd_notify_t Resolves: RHEL-25514 - Change systemd-network-generator transition to include class file Resolves: RHEL-47033 - Allow sshd_keygen_t connect to userdbd over a unix stream socket Resolves: RHEL-47033- Allow rhsmcertd read/write access to /dev/papr-sysparm Resolves: RHEL-49599 - Label /dev/papr-sysparm and /dev/papr-vpd Resolves: RHEL-49599 - Allow rhsmcertd read, write, and map ica tmpfs files Resolves: RHEL-50926 - Update afterburn file transition policy Resolves: RHEL-49735 - Label /run/metadata with afterburn_runtime_t Resolves: RHEL-49735 - Allow afterburn list ssh home directory Resolves: RHEL-49735 - Support SGX devices Resolves: RHEL-50922 - Allow systemd-pstore send a message to syslogd over a unix domain Resolves: RHEL-45528 - Allow postfix_domain map postfix_etc_t files Resolves: RHEL-46332 - Allow microcode create /sys/devices/system/cpu/microcode/reload Resolves: RHEL-26821 - Allow svirt_tcg_t map svirt_image_t files Resolves: RHEL-27141 - Allow systemd-hostnamed shut down nscd Resolves: RHEL-45033 - Allow postfix_domain connect to postgresql over a unix socket Resolves: RHEL-6776- Label samba certificates with samba_cert_t Resolves: RHEL-25724 - Allow systemd-coredumpd the sys_chroot capability Resolves: RHEL-45245 - Allow svirt_tcg_t read vm sysctls Resolves: RHEL-27141 - Label /usr/sbin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-25724 - Label /var/run/coreos-installer-reboot with coreos_installer_var_run_t Resolves: RHEL-38614 - Allow coreos-installer add systemd unit file links Resolves: RHEL-38614- Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-31888 - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-25724 - Allow unconfined_service_t transition to passwd_t Resolves: RHEL-17404 - Allow sbd to trace processes in user namespace Resolves: RHEL-44680 - Allow systemd-coredumpd sys_admin and sys_resource capabilities Resolves: RHEL-45245 - Label /usr/lib/node_modules/npm/bin with bin_t Resolves: RHEL-36587 - Support /var is empty Resolves: RHEL-29331 - Allow timemaster write to sysfs files Resolves: RHEL-28777 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-31888 - Transition from sudodomains to crontab_t when executing crontab_exec_t Resolves: RHEL-31888 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-31888- Allow systemd-coredump read nsfs files Resolves: RHEL-39937 - Allow login_userdomain execute systemd-tmpfiles in the caller domain Resolves: RHEL-40374 - Allow ptp4l_t request that the kernel load a kernel module Resolves: RHEL-38905 - Allow collectd to trace processes in user namespace Resolves: RHEL-36293- Add interfaces for watching and reading ifconfig_var_run_t Resolves: RHEL-39408 - Allow dhcpcd use unix_stream_socket Resolves: RHEL-39408 - Allow dhcpc read /run/netns files Resolves: RHEL-39408 - Allow all domains read and write z90crypt device Resolves: RHEL-38833 - Allow bootupd search efivarfs dirs Resolves: RHEL-36289 - Move unconfined_domain(sap_unconfined_t) to an optional block Resolves: RHEL-37663- Add boolean qemu-ga to run unconfined script Resolves: RHEL-31211 - Ensure dbus communication is allowed bidirectionally Resolves: RHEL-35782 - Allow logwatch_mail_t read network sysctls Resolves: RHEL-34135 - Allow sysadm execute dmidecode using sudo Resolves: RHEL-16104 - Allow sudodomain list files in /var Resolves: RHEL-16104 - Allow various services read and write z90crypt device Resolves: RHEL-33361 - Allow system_cronjob_t dbus chat with avahi_t Resolves: RHEL-32290 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-34078 - Remove permissive domain for bootupd_t Resolves: RHEL-22173- Allow numad to trace processes in user namespace Resolves: RHEL-33994 - Remove permissive domain for rshim_t Resolves: RHEL-22173 - Remove permissive domain for mptcpd_t Resolves: RHEL-22173 - Remove permissive domain for coreos_installer_t Resolves: RHEL-22173 - Remove permissive domain for afterburn_t Resolves: RHEL-22173 - Update afterburn policy Resolves: RHEL-22173 - Allow bootupd search EFI directory Resolves: RHEL-22172 - Add the bootupd module Resolves: RHEL-22172 - Add policy for bootupd Resolves: RHEL-22172 - Label /dev/mmcblk0rpmb character device with removable_device_t Resolves: RHEL-28080 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-31888 - Add crontab_admin_domtrans interface Resolves: RHEL-31888 - Add crontab_domtrans interface Resolves: RHEL-31888 - Allow svirt_t read vm sysctls Resolves: RHEL-32296- Allow systemd-timedated get the timemaster service status Resolves: RHEL-25978 - postfix: allow qmgr to delete mails in bounce/ directory Resolves: RHEL-30271 - Allow NetworkManager the sys_ptrace capability in user namespace Resolves: RHEL-24346 - Label /dev/iommu with iommu_device_t Resolves: RHEL-22063 - Allow qemu-ga read vm sysctls Resolves: RHEL-31892 - Update repository link and branches names for c9s Related: RHEL-22960- Rebuild Resolves: RHEL-26663- Allow wdmd read hardware state information Resolves: RHEL-26663- Allow wdmd list the contents of the sysfs directories Resolves: RHEL-26663 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-26660- Allow thumb_t to watch and watch_reads mount_var_run_t Resolves: RHEL-26073 - Allow opafm create NFS files and directories Resolves: RHEL-17820 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11250- Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21635 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-24841 - Allow unix dgram sendto between exim processes Resolves: RHEL-21902 - Allow utempter_t use ptmx Resolves: RHEL-24946 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1551 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1551 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1551- Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792- Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-14077 - Allow qatlib set attributes of vfio device files Resolves: RHEL-19051 - Allow qatlib load kernel modules Resolves: RHEL-19051 - Allow qatlib run lspci Resolves: RHEL-19051 - Allow qatlib manage its private runtime socket files Resolves: RHEL-19051 - Allow qatlib read/write vfio devices Resolves: RHEL-19051 - Allow syslog to run unconfined scripts conditionally Resolves: RHEL-11174 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-11174 - Allow sendmail MTA connect to sendmail LDA Resolves: RHEL-15175 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15432 - Allow opafm search nfs directories Resolves: RHEL-17820 - Allow mdadm list stratisd data directories Resolves: RHEL-19276 - Update cyrus_stream_connect() to use sockets in /run Resolves: RHEL-19282 - Allow collectd connect to statsd port Resolves: RHEL-21044 - Allow insights-client transition to sap unconfined domain Resolves: RHEL-21452 - Create the sap module Resolves: RHEL-21452- Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make `bootc` be `install_exec_t` Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174- Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175- Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resovles: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413- Allow kdump create and use its memfd: objects Resolves: RHEL-14413- Add map_read map_write to kernel_prog_run_bpf Resolves: RHEL-2653 - Allow sysadm_t read nsfs files Resolves: RHEL-5146 - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t Resolves: RHEL-14029 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14110 - Label /run/pcsd.socket with cluster_var_run_t Resolves: RHEL-1664- Allow cupsd_t to use bpf capability Resolves: RHEL-3633 - Label /dev/gnss[0-9] with gnss_device_t Resolves: RHEL-9936 - Dontaudit rhsmcertd write memory device Resolves: RHEL-1547- Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443- Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759- Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526- Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153- Allow qatlib to read sssd public files Resolves: rhbz#2080443 - Fix location for /run/nsd Resolves: rhbz#2181600 - Allow samba-rpcd work with passwords Resolves: rhbz#2107092 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107092 - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty Resolves: rhbz#2223305 - Allow keepalived to manage its tmp files Resolves: rhbz#2179212 - Allow nscd watch system db dirs Resolves: rhbz#2152124- Boolean: Allow virt_qemu_ga create ssh directory Resolves: rhbz#2181402 - Allow virt_qemu_ga_t create .ssh dir with correct label Resolves: rhbz#2181402 - Set default ports for keylime policy Resolves: RHEL-594 - Allow unconfined service inherit signal state from init Resolves: rhbz#2186233 - Allow sa-update connect to systemlog services Resolves: rhbz#2220643 - Allow sa-update manage spamc home files Resolves: rhbz#2220643 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213605 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076933 - Update policy for the sblim-sfcb service Resolves: rhbz#2076933 - Define equivalency for /run/systemd/generator.early Resolves: rhbz#2213516- Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833- Remove permissive from fdo Resolves: rhbz#2026795 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833 - Add policy for FIDO Device Onboard Resolves: rhbz#2026795 - Create policy for qatlib Resolves: rhbz#2080443 - Add policy for boothd Resolves: rhbz#2128833 - Add list_dir_perms to kerberos_read_keytab Resolves: rhbz#2112729 - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t Resolves: rhbz#2209973 - Allow collectd_t read network state symlinks Resolves: rhbz#2209650 - Revert "Allow collectd_t read proc_net link files" Resolves: rhbz#2209650 - Allow insights-client execmem Resolves: rhbz#2207894 - Label udf tools with fsadm_exec_t Resolves: rhbz#2039774- Add fs_delete_pstore_files() interface Resolves: rhbz#2181565 - Add fs_read_pstore_files() interface Resolves: rhbz#2181565 - Allow insights-client getsession process permission Resolves: rhbz#2214581 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2214581 - Allow insights-client map generic log files Resolves: rhbz#2214581 - Allow insights-client read unconfined service semaphores Resolves: rhbz#2214581 - Allow insights-client get quotas of all filesystems Resolves: rhbz#2214581 - Allow haproxy read hardware state information Resolves: rhbz#2164691 - Allow cupsd dbus chat with xdm Resolves: rhbz#2143641 - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file Resolves: rhbz#2165863 - Add none file context for polyinstantiated tmp dirs Resolves: rhbz#2099194 - Add support for the systemd-pstore service Resolves: rhbz#2181565 - Label /dev/userfaultfd with userfaultfd_t Resolves: rhbz#2175290 - Allow collectd_t read proc_net link files Resolves: rhbz#2209650 - Label smtpd with sendmail_exec_t Resolves: rhbz#2213573 - Label msmtp and msmtpd with sendmail_exec_t Resolves: rhbz#2213573 - Allow dovecot-deliver write to the main process runtime fifo files Resolves: rhbz#2211787 - Allow subscription-manager execute ip Resolves: rhbz#2211566 - Allow ftpd read network sysctls Resolves: rhbz#2175856- Allow firewalld rw ica_tmpfs_t files Resolves: rhbz#2207487 - Add chromium_sandbox_t setcap capability Resolves: rhbz#2187893 - Allow certmonger manage cluster library files Resolves: rhbz#2179022 - Allow wireguard to rw network sysctls Resolves: rhbz#2192154 - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t Resolves: rhbz#2188173 - Allow plymouthd_t bpf capability to run bpf programs Resolves: rhbz#2184803 - Update pkcsslotd policy for sandboxing Resolves: rhbz#2209235 - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t Resolves: rhbz#2203201- Allow insights-client work with teamdctl Resolves: rhbz#2190178 - Allow virsh name_connect virt_port_t Resolves: rhzb#2187290 - Allow cupsd to create samba_var_t files Resolves: rhbz#2174445 - Allow dovecot to map files in /var/spool/dovecot Resolves: rhbz#2165863 - Add tunable to allow squid bind snmp port Resolves: rhbz#2151378 - Allow rhsmcert request the kernel to load a module Resolves: rhbz#2203359 - Allow snmpd read raw disk data Resolves: rhbz#2196528- Allow cloud-init domain transition to insights-client domain Resolves: rhbz#2162663 - Allow chronyd send a message to cloud-init over a datagram socket Resolves: rhbz#2162663 - Allow dmidecode write to cloud-init tmp files Resolves: rhbz#2162663 - Allow login_pgm setcap permission Resolves: rhbz#2174331 - Allow tshark the setsched capability Resolves: rhbz#2165634 - Allow chronyc read network sysctls Resolves: rhbz#2173604 - Allow systemd-timedated watch init runtime dir Resolves: rhbz#2175137 - Add journalctl the sys_resource capability Resolves: rhbz#2153782 - Allow system_cronjob_t transition to rpm_script_t Resolves: rhbz#2173685 - Revert "Allow system_cronjob_t domtrans to rpm_script_t" Resolves: rhbz#2173685 - Allow insights-client tcp connect to all ports Resolves: rhbz#2183083 - Allow insights-client work with su and lpstat Resolves: rhbz#2183083 - Allow insights-client manage fsadm pid files Resolves: rhbz#2183083 - Allow insights-client read all sysctls Resolves: rhbz#2183083 - Allow rabbitmq to read network sysctls Resolves: rhbz#2184999- rebuilt Resolves: rhbz#2172268- Allow passt manage qemu pid sock files Resolves: rhbz#2172268 - Exclude passt.if from selinux-policy-devel Resolves: rhbz#2172268- Add support for the passt_t domain Resolves: rhbz#2172268 - Allow virtd_t and svirt_t work with passt Resolves: rhbz#2172268 - Add new interfaces in the virt module Resolves: rhbz#2172268 - Add passt interfaces defined conditionally Resolves: rhbz#2172268- Boolean: allow qemu-ga manage ssh home directory Resolves: rhbz#2178612 - Allow wg load kernel modules, search debugfs dir Resolves: rhbz#2176487- Allow svirt to map svirt_image_t char files Resolves: rhbz#2170482 - Fix opencryptoki file names in /dev/shm Resolves: rhbz#2166283- Allow staff_t getattr init pid chr & blk files and read krb5 Resolves: rhbz#2112729 - Allow firewalld to rw z90crypt device Resolves: rhbz#2166877 - Allow httpd work with tokens in /dev/shm Resolves: rhbz#2166283- Allow modemmanager create hardware state information files Resolves: rhbz#2149560 - Dontaudit ftpd the execmem permission Resolves: rhbz#2164434 - Allow nm-dispatcher plugins read generic files in /proc Resolves: rhbz#2164845 - Label systemd-journald feature LogNamespace Resolves: rhbz#2124797 - Boolean: allow qemu-ga read ssh home directory Resolves: rhbz#1917024- Reuse tmpfs_t also for the ramfs filesystem Resolves: rhbz#2160391 - Allow systemd-resolved watch tmpfs directories Resolves: rhbz#2160391 - Allow hostname_t to read network sysctls. Resolves: rhbz#2161958 - Allow ModemManager all permissions for netlink route socket Resolves: rhbz#2149560 - Allow unconfined user filetransition for sudo log files Resolves: rhbz#2160388 - Allow sudodomain use sudo.log as a logfile Resolves: rhbz#2160388 - Allow nm-cloud-setup dispatcher plugin restart nm services Resolves: rhbz#2154414 - Allow wg to send msg to kernel, write to syslog and dbus connections Resolves: rhbz#2149452 - Allow rshim bpf cap2 and read sssd public files Resolves: rhbz#2080439 - Allow svirt request the kernel to load a module Resolves: rhbz#2144735 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2014606- Add lpr_roles to system_r roles Resolves: rhbz#2152150 - Allow insights client work with gluster and pcp Resolves: rhbz#2152150 - Add interfaces in domain, files, and unconfined modules Resolves: rhbz#2152150 - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t Resolves: rhbz#2152150 - Add insights additional capabilities Resolves: rhbz#2152150 - Revert "Allow insights-client run lpr and allow the proper role" Resolves: rhbz#2152150 - Allow prosody manage its runtime socket files Resolves: rhbz#2157891 - Allow syslogd read network sysctls Resolves: rhbz#2156068 - Allow NetworkManager and wpa_supplicant the bpf capability Resolves: rhbz#2137085 - Allow sysadm_t read/write ipmi devices Resolves: rhbz#2158419 - Allow wireguard to create udp sockets and read net_conf Resolves: rhbz#2149452 - Allow systemd-rfkill the bpf capability Resolves: rhbz#2149390 - Allow load_policy_t write to unallocated ttys Resolves: rhbz#2145181 - Allow winbind-rpcd manage samba_share_t files and dirs Resolves: rhbz#2150680- Allow stalld to read /sys/kernel/security/lockdown file Resolves: rhbz#2140673 - Allow syslog the setpcap capability Resolves: rhbz#2151841 - Allow pulseaudio to write to session_dbusd tmp socket files Resolves: rhbz#2132942 - Allow keepalived to set resource limits Resolves: rhbz#2151212 - Add policy for mptcpd Resolves: bz#1972222 - Add policy for rshim Resolves: rhbz#2080439 - Allow insights-client dbus chat with abrt Resolves: rhbz#2152166 - Allow insights-client work with pcp and manage user config files Resolves: rhbz#2152150 - Allow insights-client run lpr and allow the proper role Resolves: rhbz#2152150 - Allow insights-client tcp connect to various ports Resolves: rhbz#2152150 - Allow insights-client dbus chat with various services Resolves: rhbz#2152150 - Allow journalctl relabel with var_log_t and syslogd_var_run_t files Resolves: rhbz#2152823- Allow insights client communicate with cupsd, mysqld, openvswitch, redis Resolves: rhbz#2124549 - Allow insights client read raw memory devices Resolves: rhbz#2124549 - Allow networkmanager_dispatcher_plugin work with nscd Resolves: rhbz#2149317 - Allow ipsec_t only read tpm devices Resolves: rhbz#2147380 - Watch_sb all file type directories. Resolves: rhbz#2139363 - Add watch and watch_sb dosfs interface Resolves: rhbz#2139363 - Revert "define lockdown class and access" Resolves: rhbz#2145266 - Allow postfix/smtpd read kerberos key table Resolves: rhbz#2145266 - Remove the lockdown class from the policy Resolves: rhbz#2145266 - Remove label for /usr/sbin/bgpd Resolves: rhbz#2145266 - Revert "refpolicy: drop unused socket security classes" Resolves: rhbz#2145266- Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2082524- Add domain_unix_read_all_semaphores() interface Resolves: rhbz#2123358 - Allow chronyd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2141255 - Allow unbound connectto unix_stream_socket Resolves: rhbz#2141236 - added policy for systemd-socket-proxyd Resolves: rhbz#2141606 - Allow samba-dcerpcd use NSCD services over a unix stream socket Resolves: rhbz#2121729 - Allow insights-client unix_read all domain semaphores Resolves: rhbz#2123358 - Allow insights-client manage generic locks Resolves: rhbz#2123358 - Allow insights-client create gluster log dir with a transition Resolves: rhbz#2123358 - Allow insights-client domain transition on semanage execution Resolves: rhbz#2123358 - Disable rpm verification on interface_info Resolves: rhbz#2134515- new version Resolves: rhbz#2134827- Add watch_sb interfaces Resolves: rhbz#2139363 - Add watch interfaces Resolves: rhbz#2139363 - Allow dhcpd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow netutils and traceroute bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pkcs_slotd_t bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow xdm bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pcscd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow lldpad bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow keepalived bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow ipsec bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow fprintd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow iptables list cgroup directories Resolves: rhbz#2134829 - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files Resolves: rhbz#2042515 - Dontaudit dirsrv search filesystem sysctl directories Resolves: rhbz#2134726- Allow insights-client domtrans on unix_chkpwd execution Resolves: rhbz#2126091 - Allow insights-client connect to postgresql with a unix socket Resolves: rhbz#2126091 - Allow insights-client send null signal to rpm and system cronjob Resolves: rhbz#2126091 - Allow insights-client manage samba var dirs Resolves: rhbz#2126091 - Allow rhcd compute selinux access vector Resolves: rhbz#2126091 - Add file context entries for insights-client and rhc Resolves: rhbz#2126161 - Allow pulseaudio create gnome content (~/.config) Resolves: rhbz#2132942 - Allow rhsmcertd execute gpg Resolves: rhbz#2130204 - Label ports 10161-10162 tcp/udp with snmp Resolves: rhbz#2133221 - Allow lldpad send to unconfined_t over a unix dgram socket Resolves: rhbz#2112044 - Label port 15354/tcp and 15354/udp with opendnssec Resolves: rhbz#2057501 - Allow aide to connect to systemd_machined with a unix socket. Resolves: bz#2062936 - Allow ftpd map ftpd_var_run files Resolves: bz#2124943 - Allow ptp4l respond to pmc Resolves: rhbz#2131689 - Allow radiusd connect to the radacct port Resolves: rhbz#2132424 - Allow xdm execute gnome-atspi services Resolves: rhbz#2132244 - Allow ptp4l_t name_bind ptp_event_port_t Resolves: rhbz#2130170 - Allow targetclid to manage tmp files Resolves: rhbz#2127408 - Allow sbd the sys_ptrace capability Resolves: rhbz#2124695/bin/sh/bin/sh38.1.45-3.el9_5sandbox.pp/usr/share/selinux/packages/-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpiozstd19noarch-redhat-linux-gnuutf-81bde9a928695c61b412ad1dabec8d6acbc9befcc5ed1f4245e5d87c65ddd3ecb3583f7e1db20c37271c2387f4795c930ceb3bd4b0837536b5fdf8d33404eb464?��� (�/�h�z:y H�Q(��(��(��(��( \+WSl�m���њDW.��o�"��H(6���T����$ ��U#1־տd`g`)om�����U �{j�T�$�� 5����9��Q{��+���������L?�.i�g��>g�89:��|e�~A;Q��6�(���i���z��-ߏ�:��F�S�SL}��fΧ�����ה<�8T�JF��D��IN���������8�' V����:}�3e� ~��V��f{��2(��U1F�5a[�=��t�; ���1��׺��)���m,Ƹʽ��(0��~l^.���8(k�7�}��1FS��{��O�i4s��_��ǒ�ґ� . . ��)9��a�( �0�E�G$��1ƛ�L��$�ǘ1F�)�Xœ��M���(��>��=g�g�Ї�ET�z��~��^@�E�z��\C�1[~�*�ܲ�<�[��Ʀ�N�=c%��j���ftO�ۚɄJI(}v��rKó��ˈr�~|�B���N��q,��e�f�b�a������NG,� ��]�F���֩Y��&���~_q����E�����o��a+������C�2(��J�yq����6���f+M{OԹ����m�}�����ďzjk;C*k�W���eu'F��x?-����c�i�㯽���˱=N�t�����s�������` �)�C.c,Y���Q�s��f]�y�|��ӱ����v�eII�'Uq��0ΞC��U3H��S��nk8W��YO��t¹�0�)�_�Y����3ڧ��{y8ٝ8��m��?sFV펍`Qm �h�5��[�3�3���]�6���[|�ֿz �Ys����<癮��6��o٣�������Wy���24�)�a��'��U\$�����6F��Q��S�C���cvdA�O���U�[lL�D���ę�hhЩrO#��<�;S�$�\`���I|'Fa&3v���$�AP���0������$����x�u;��W�}�� �W���QYk��۬@��4�A:L }�q� #�BMKU�{S�1b[�\�l'���N�J{,�w��Ae1�m/F�nC�,�4Vc�r��Ȫ\��X� /6������Z���V��հ�;���qEQ8J8x��|�|N�҂` ^(�Q�@�XNx��*.@�����9?o�%��0�3��_g�4��8b,Ǟ�S�(����i����xǗ��9� 1�V|,n��ƛ���V*ˌ?��\j��/e��6��cW�7q�oB1�`�O�#��A�Z'�^G)dv!&��TIV���͆�� K�p�U�@�0uG��U�F��*�s�A?�P��ڔ���TwHg�KS ���Y�W�H,�x���Ř�1c<�8��`/ǝ�&t�V�,�ZS�`5�`=�����ϔ���&n�h����W�"}������5�LJ�=��ߦƏ1��EX$QBs���_tuǜX*����5Q /g�J*a���T�en�)nWƏ���I1�rI�T�Dd`�r�L�)'�!���_�j) ��pa�B�k)��hI!�д�C��gR8q����Qۓ��Áo��a� t�yXfEU� �j?֟pVqN"毃��+P���TG`�����)�4B�/SM�e3֔xr�=!ە�ڎ4�7�stKz�D!0���D͵d�-����%�cƤ׽'Of��R�Bѝ�k F ����$���LN�0��P���t�K�|��S���MN�J���?���}��je�v�"��zS̏1:� 0>�����o*HY�p�A�с�*!�9�z�RK1-�g_� �5�*�O���ؔX{��)���2���p����t��Ċ?Ү���+�FFrF��JV ����.�,�0�l��s��~��6^����×��*���D�Kw���Q�����#����q��P���%�Ys��>����o�8���&�5uT�t��#�X���V.�~�N�1��+��š�;��Ӝ���Q��VS�x�zf\���b����a GyI^�U�αn�G��k����6keB������'��f<�a��0 �K���-�� �y�l�%v �`�M:�H0�P��<� җ�\B��)r�arS�<8&�q�]4՘g�,Rk�Whw�S.Qh�2�_=���Ɓ�����!���ׂ���;5�N\�RYqA�T钚�%Iu@P�E���� T �CC��*�If����z8�o��fm�������n �֙6�f�;J��p��SKӮ~��؞ ��#EY)�LR�Gꕼxm ��N�G�v�B!��5�'�%l*�>�s�^�2�546i��o��\�0ţ�[�A j��3`kM� -�ÿ*6�����j�c�U�K]��I�0�U �n$Pm���B�$V�"7A�0BF�C��$��*��V��&o0����ׂ��4�U�Δ-�*��W�<#LTߠ1�/�!J�[D�+���� �'�]��g������j��'�� �6���CQ��~W.D��:*��ItryL�[���`. �!���,y�Y�(�Kj�Ǩ�q6MB��������L����a�r׽�� ���y��N,��|5G3�G�Y���-^ �r��D�8~�"x��<��5m@�6z�291��ƒvl�<#u�=���,�G�N�y����H���/�,�З��|fI���v㠾FY�|ԔcD W ]&�Â;giA�ts����"��T ����TEd4�6��ZW�;%�"O��?�‹�ۓ]���m8�Q�=sn<7gP���=�P�3C�X,�F��S����(�(���~��B�ғ1�$��v!lLV��Ig��`a����T���w�ԙ��Qu��e�<���J��˂c�m���.�!�1��3��'�����ŸJ��)p�f���cDFyF�?�X�����!�3F��~jl$��+�Vs�N�d�;�����G�h��&�g92�U���'��l`.�5J�" ��T1�0 ��  3n���)=p"m����2\_���w�^��,_{k`��2`@������-��Zn愾c�u� ^B ��t�B��d�w�x��"���h��"�‰��"b��|hG��s��xC��mCg�0��53�X�����%%�<&���T�����Ԭ� O�U_�Ҫ�����;�C�+I��^bA��/�m�n�M���J~�L2�"�:~D�E�Y!�A��p�C�(щ|�L���n���a� �"�h�bU80�^�i��y�v3@x>�N���I9��M����b\�r&��J�A@s�%�@�5!�[]��_,�@��J��IC���8�"���P��Z$�@V{D�A�1���G�9�`��ݶkM�Z���\lq������ͅq&��y*���ټT��}ۛb5��_��6������q?~��l��֢܍r5�$����� �p�1��N�(����������1V���PŒ�B9)��<�������)�មʑw>(�����P��⁨�$��<�k�W���|S�I��BW1S���4_��K��4�h���Z��V�Uh)��o=%�K���������SFkI�9=Ѩ���HR����v��jH1��P�Z�?z��d᫺K̵��?n@�)������H]� l��p��e �U`&�[���,I@�R>��c����� ��^��^9�ΒzL���Ҋy]�:ǵ�OHZ-�ٖ��2���98;�.pܷ��r@����6<��AC"E؂�k��P� L"����Hb\Hz�%kC�-J���t��{��b넞B�3�O�%�I !�a�h� ~0��N��C��d�O;p���^����>�ofH�x����!RHg�'�@B�x�z��Up)�F�=� 众��Hs�3 �V->�Վf�F��e4���'�ٖ�iW�Lj�MO�[�1�֞b�e�Ȟ[')DWy3������zg�?5�����ڋ����朤�<���A��\0u��˔�n�`m���������1Xی��%@!���[�9�"إ�/v��\ ~ T��pQ:��">�����$��r��� ��;3*U�>��`շvA��a�Ų�nL�ƣBfv���n���yR���Q��As�����{��w�7����<�.܌Yj6��TY���7FF+���t=����FS�*m5�t`������یPm�nc�]U����h t��E��D��^�R�S�D�K� mҢ#2X���D��Ȉ�� ��1�l� 6�k��x�0#w�F�fs�*�=o)ۛ���1NH�c�Q�ȩ��&&*�Y�� ���"P�ꉤ5M�{�r���2�R˞�I�Ζf���+���'�F��Y΂M�8�[K��KF���'݃���\=B�E�M�费�3�jQ��:��&�\�FZ�H{�t����"�7���aHz�J��zi:ɦG���� �'�M��v�`V�H*/7A�� ���<"X)Z���a�8�F7��9L��Ͻ����Y�� �Z2J�BA'�7m�k�f��~���L�r��a*�<Z�N�_�h5?�7`b��*���zEd![L��/z�Gw ��01t�h!������M?��hB�X4 J�^�e�W�Yp�S�R!}�E"�٪x��ڈN%��H��_�N\ GY(qJK�w����M�7�5/c6MS�o�ۢ��.��z��b6ɤ�����D�4�^�l���4n c� ��MrF��1�F�H�b��Rf�Le8�z�@���:/�xwL�R�3[ꮟ�h���S ��n��>pPR�qG]���r����t��֞��թ���0�(�W��k��]�2 4�m�� �B�����v����*p�p>W^0�e{���&�#��$�l�ٸFz��W�ݣ��t�u�V�6,�`�}��4 ��E�v��V<�����ӎ7'�7�| 994�1:5�0;6�3<7�250�561�472�783�6- � S @ | :(�� %�  @D�S� � �$�����^ "3ڤ"h�P�1�P"� $F�1������zA4QbS�<����\z�Ɓ �K$~�<L23��y/!��=�n� ePo�G Gn�Ү�� ���j��� ��a7q˒pb:�ٌ<�CV��rè���3״1��e� �����Ȓh��rc�I�[�v�q� ջ�á����k`���"� 53ɲ�hvx�B�+1pI�V���"���*�*Cz�e���o;�D�0�ç�>���lm�ɮ�n�n�V�9�L��u�ALl���8�V!*I��b��#�N�U�S�D�� �L�aD�)i��4�08�> &F�)�r����w�S���B�(9��{Z��~[�`��L5�~a�~a���N���]����Q3��$�1��!J�Ќ��r���'Ϩr�1��م��K��FYV��gn�X�0�@C X Ab��� ��!H�ă"6���ÂC��� e�7��q�T�1Ӓ��lJ+-�6��2Y�gTs1O����]/�2/3��bu�M��|���g�W+�m!#�T�4�ƨ�)��|X�|r�ȼ�3*�b���$��QXM�9 �QU�2D�M��]��׍���� T���rҚQc:'�k�����i̫����)�]H�o<4�q�5ȳkƋ�X���n U٧���Q�F��)3�.R��t����~)��g�C���lVZX��C�?+�˨e�=�CFkcU�"3�.&��oJD�]���io|�}6?C%%�<���Z��6e*{l+4F�tZ�¯�p8�|������;ERGyL f�����ʊ��v�BT�eC�/ �j ZDy�)�׶HO�볽�&@W�?a����o�zx?F�6��^>o)ɝ/�&[�Y �,&� Xd��8��[�k�v��5��r�'w^69��{L�'��s }D��\4����1W.zP,9��W��IF���Mfa��-��ۖϖ$��'��l #M*9NޛD,]���ݟ��>I����Il@i]�����Hƻ��})-����o���^z�}�� �H�E���-~7�R���+� l�Lk){A"��|����Ut�_�^�B ���%�!�׿ĐY�����.NݿV�,�J�0�o-��Ț� �������b5 ���[ ���@���D��:f�D�78%�l_��FH��rD4�cG'� �� b�������p \=��[r����2��/`�j\���EH� ���a�[��`�_� �TH�|���C���P[0Gד�& ���CP<� �;J��&�OdE�(F