Sync from SUSE:SLFO:1.1 selinux-policy revision 83c74b51ba8c89d0ae5a404abe3d2fd9

Sync from SUSE:SLFO:1.1 selinux-policy revision 7a722b3cb20fb54159b41fe0cb8e7eea
Sync from SUSE:SLFO:Main selinux-policy revision 55f05451b4ca0a49bf065d030fc526e6
2025-08-07 09:56:30 +02:00 · 2025-03-04 09:00:34 +01:00 · 2025-02-27 18:47:19 +01:00 · 2025-02-25 17:40:14 +01:00 · 2025-02-20 10:05:20 +01:00 · 2025-01-28 17:47:41 +01:00
16 changed files with 1235 additions and 216 deletions
--- a/4
+++ b/4
@@ -4,8 +4,8 @@
    <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
    <param name="scm">git</param>
    <param name="changesgenerate">enable</param>
-    <param name="revision">alp-1.0</param>
+    <param name="revision">slfo-1.1</param>
-    <param name="match-tag">release-20230523</param>
+    <param name="match-tag">release-20241031</param>
    <param name="versionrewrite-pattern">release-(.*)</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
--- a/4
+++ b/4
@@ -1,6 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">0849f54c7e81665e3dfe7beecd5557b9edb69f2f</param></service><service name="tar_scm">
+              <param name="changesrevision">1f94e96dba65d3c7b7ab949cac03e9755969cb45</param></service></servicedata>
                <param name="url">https://github.com/containers/container-selinux.git</param>
              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
--- a/container.fc
+++ b/container.fc
@@ -9,14 +9,19 @@
 /usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubenswrapper.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/kubenswrapper.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/kubensenter.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/kubensenter.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildah		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -59,6 +64,7 @@
 /etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/shared(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -111,15 +117,21 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
-/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
 /var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/kubelet/pod-resources/kubelet.sock		gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
@@ -130,26 +142,25 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
+/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
 /var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
 /var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
-/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
 /srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
 /var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
--- a/container.if
+++ b/container.if
@@ -522,6 +522,7 @@ interface(`container_filetrans_named_content',`
    files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
    files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
    files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
    files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")
    filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
@@ -572,7 +573,7 @@ interface(`container_filetrans_named_content',`
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
    filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
-    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+    files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
 ########################################
@@ -997,7 +998,6 @@ interface(`container_kubelet_domtrans',`
 interface(`container_kubelet_run',`
 	gen_require(`
 		type kubelet_t;
 		class dbus send_msg;
 	')
 	container_kubelet_domtrans($1)
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.210.0)
+policy_module(container, 2.232.1)
 gen_require(`
 	class passwd rootok;
@@ -17,6 +17,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)
 ## <desc>
 ##  <p>
 ##  Allow all container domains to read cert files and directories
 ##  </p>
 ## </desc>
 gen_tunable(container_read_certs, false)
 ## <desc>
 ##  <p>
 ##  Determine whether sshd can launch container engines
@@ -31,6 +38,20 @@ gen_tunable(sshd_launch_containers, false)
 ## </desc>
 gen_tunable(container_use_devices, false)
 ## <desc>
 ##  <p>
 ##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
 ##  </p>
 ## </desc>
 gen_tunable(container_use_xserver_devices, false)
 ## <desc>
 ##  <p>
 ##  Allow containers to use any dri device volume mounted into container
 ##  </p>
 ## </desc>
 gen_tunable(container_use_dri_devices, true)
 ## <desc>
 ## <p>
 ## Allow sandbox containers to manage cgroup (systemd)
@@ -81,7 +102,7 @@ ifdef(`enable_mls',`
 	range_transition container_runtime_t conmon_exec_t:process s0;
 ')
-type spc_t, container_domain;
+type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;
@@ -129,6 +150,7 @@ type container_devpts_t alias docker_devpts_t;
 term_pty(container_devpts_t)
 typealias container_ro_file_t alias { container_share_t docker_share_t };
 typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
 userdom_user_home_content(container_ro_file_t)
@@ -169,6 +191,7 @@ allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
 allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@@ -205,19 +228,24 @@ manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
 userdom_map_user_home_files(container_runtime_t)
 manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")
 manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
 files_manage_generic_locks(container_runtime_domain)
 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
 allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -243,8 +271,23 @@ manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, containe
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
 manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
@@ -262,6 +305,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
 files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")
 manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
@@ -270,17 +314,30 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)
 mls_file_read_to_clearance(container_runtime_t)
 mls_file_relabel_to_clearance(container_runtime_t)
 mls_file_write_to_clearance(container_runtime_t)
 mls_process_read_to_clearance(container_runtime_t)
 mls_process_write_to_clearance(container_runtime_t)
 mls_socket_read_to_clearance(container_runtime_t)
 mls_socket_write_to_clearance(container_runtime_t)
 mls_sysvipc_read_to_clearance(container_runtime_t)
 mls_sysvipc_write_to_clearance(container_runtime_t)
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
 kernel_mounton_all_proc(container_runtime_domain)
 fs_getattr_all_fs(container_runtime_domain)
 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@@ -390,7 +447,10 @@ optional_policy(`
 ')
 optional_policy(`
-	iptables_domtrans(container_runtime_domain)
+	gen_require(`
 		role unconfined_r;
 	')
 	iptables_run(container_runtime_domain, unconfined_r)
 	container_read_pid_files(iptables_t)
 	container_read_state(iptables_t)
@@ -458,33 +518,38 @@ dev_rw_loop_control(container_runtime_domain)
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)
 userdom_map_user_home_files(container_runtime_t)
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
 files_manage_etc_dirs(container_runtime_domain)
 files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)
 fs_mount_all_fs(container_runtime_domain)
 fs_unmount_all_fs(container_runtime_domain)
 fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 fs_getattr_all_fs(container_runtime_domain)
 fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
 fs_rw_nsfs_files(container_runtime_domain)
 fs_relabelfrom_xattr_fs(container_runtime_domain)
 fs_relabelfrom_tmpfs(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_getattr_all_fs(container_runtime_domain)
 fs_rw_inherited_tmpfs_files(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_search_tmpfs(container_runtime_domain)
 fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_hugetlbfs_files(container_runtime_domain)
 fs_mount_all_fs(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_relabelfrom_tmpfs(container_runtime_domain)
 fs_relabelfrom_xattr_fs(container_runtime_domain)
 fs_remount_all_fs(container_runtime_domain)
 fs_rw_inherited_tmpfs_files(container_runtime_domain)
 fs_rw_nsfs_files(container_runtime_domain)
 fs_search_tmpfs(container_runtime_domain)
 fs_set_xattr_fs_quotas(container_runtime_domain)
 fs_unmount_all_fs(container_runtime_domain)
 term_use_generic_ptys(container_runtime_domain)
@@ -518,7 +583,6 @@ tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_symlinks(container_runtime_domain)
 	fs_remount_nfs(container_runtime_domain)
 	fs_mount_nfs(container_runtime_domain)
 	fs_unmount_nfs(container_runtime_domain)
 	fs_exec_nfs_files(container_runtime_domain)
 	kernel_rw_fs_sysctls(container_runtime_domain)
 	allow container_runtime_domain nfs_t:file execmod;
@@ -563,6 +627,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')
 tunable_policy(`container_read_certs',`
 	miscfiles_read_all_certs(container_domain)
 ')
 gen_require(`
 	type ecryptfs_t;
 ')
@@ -580,21 +648,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
 fs_manage_fusefs_files(container_runtime_domain)
 fs_manage_fusefs_symlinks(container_runtime_domain)
 fs_mount_fusefs(container_runtime_domain)
 fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
-optional_policy(`
+files_search_all(container_domain)
-    files_search_all(container_domain)
+container_read_share_files(container_domain)
-    container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
-    container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
-    allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
-    container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
-    container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
    container_spc_stream_connect(container_domain)
    fs_dontaudit_remount_tmpfs(container_domain)
    dev_dontaudit_mounton_sysfs(container_domain)
 ')
 optional_policy(`
 	apache_exec_modules(container_runtime_domain)
@@ -648,12 +711,12 @@ optional_policy(`
 		role unconfined_r;
 	')
 	role unconfined_r types container_user_domain;
 	role unconfined_r types spc_t;
 	unconfined_domain(container_runtime_t)
 	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
 	role_transition unconfined_r container_runtime_exec_t system_r;
 	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
 	allow container_runtime_domain unconfined_t:fifo_file setattr;
-	allow unconfined_domain_type container_domain:process {transition dyntransition };
+	allow unconfined_domain_type container_domain:process {transition dyntransition};
 	allow unconfined_t unlabeled_t:key manage_key_perms;
 	allow container_runtime_t unconfined_t:process transition;
 	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -692,7 +755,7 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -700,25 +763,35 @@ domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
 allow spc_t container_file_type:file execmod;
 admin_pattern(spc_t, kubernetes_file_t)
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
 allow spc_t unlabeled_t:socket_class_set create_socket_perms;
 fs_fusefs_entrypoint(spc_t)
 corecmd_entrypoint_all_executables(spc_t)
 init_dbus_chat(spc_t)
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
 	systemd_dbus_chat_timedated(spc_t)
 	systemd_dbus_chat_localed(spc_t)
 ')
 domain_transition_all(spc_t)
 anaconda_domtrans_install(spc_t)
 optional_policy(`
 	dbus_chat_system_bus(spc_t)
 	dbus_chat_session_bus(spc_t)
@@ -731,6 +804,7 @@ optional_policy(`
 	# This should eventually be in upstream policy.
 	# https://github.com/fedora-selinux/selinux-policy/pull/806
 	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
 	allow daemon spc_t:dbus send_msg;
 ')
 optional_policy(`
@@ -744,7 +818,10 @@ optional_policy(`
 	gen_require(`
 		attribute virt_domain;
 		type virtd_t;
 		role unconfined_r;
 	')
 	role unconfined_r types virt_domain;
 	role unconfined_r types virtd_t;
 	container_spc_read_state(virt_domain)
 	container_spc_rw_pipes(virt_domain)
 	allow container_runtime_t virtd_t:process transition;
@@ -817,7 +894,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -836,6 +913,7 @@ dontaudit container_domain self:dir { write add_name };
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
 allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -855,28 +933,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
 dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
+fs_fusefs_entrypoint(spc_t)
 fs_fusefs_entrypoint(container_domain)
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
 container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
 dev_getattr_mtrr_dev(container_domain)
 dev_list_sysfs(container_domain)
 dev_mounton_sysfs(container_t)
 dev_read_mtrr(container_domain)
 dev_read_rand(container_domain)
 dev_read_sysfs(container_domain)
 dev_read_urand(container_domain)
 dev_rw_inherited_dri(container_domain)
 dev_rw_kvm(container_domain)
 dev_rwx_zero(container_domain)
 dev_write_rand(container_domain)
 dev_write_urand(container_domain)
 allow container_domain sysfs_t:dir watch;
 dontaudit container_domain container_runtime_tmpfs_t:dir read;
 allow container_domain container_runtime_tmpfs_t:dir mounton;
-
+can_exec(container_domain, container_runtime_tmpfs_t)
 dev_getattr_mtrr_dev(container_domain)
 dev_list_sysfs(container_domain)
 allow container_domain sysfs_t:dir watch;
 dev_rw_kvm(container_domain)
 dev_rwx_zero(container_domain)
 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
@@ -892,7 +975,7 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
@@ -909,16 +992,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
 kernel_read_irq_sysctls(container_domain)
 kernel_get_sysvipc_info(container_domain)
 fs_getattr_all_fs(container_domain)
 fs_rw_inherited_tmpfs_files(container_domain)
 fs_read_tmpfs_symlinks(container_domain)
 fs_search_tmpfs(container_domain)
 fs_list_hugetlbfs(container_domain)
 fs_manage_hugetlbfs_files(container_domain)
 fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
 fs_dontaudit_remount_tmpfs(container_domain)
 fs_dontaudit_remount_tmpfs(container_domain)
 fs_exec_fusefs_files(container_domain)
 fs_exec_hugetlbfs_files(container_domain)
 fs_fusefs_entrypoint(container_domain)
 fs_getattr_all_fs(container_domain)
 fs_list_cgroup_dirs(container_domain)
 fs_list_hugetlbfs(container_domain)
 fs_manage_bpf_files(container_domain)
 fs_manage_fusefs_dirs(container_domain)
 fs_manage_fusefs_files(container_domain)
 fs_manage_fusefs_named_pipes(container_domain)
 fs_manage_fusefs_named_sockets(container_domain)
 fs_manage_fusefs_symlinks(container_domain)
 fs_manage_hugetlbfs_files(container_domain)
 fs_mount_fusefs(container_domain)
 fs_unmount_fusefs(container_domain)
 fs_mount_tmpfs(container_domain)
 fs_unmount_tmpfs(container_domain)
 fs_mount_xattr_fs(container_domain)
 fs_unmount_xattr_fs(container_domain)
 fs_mounton_cgroup(container_domain)
 fs_mounton_fusefs(container_domain)
 fs_read_cgroup_files(container_domain)
 fs_read_nsfs_files(container_domain)
 fs_read_tmpfs_symlinks(container_domain)
 fs_remount_xattr_fs(container_domain)
 fs_rw_inherited_tmpfs_files(container_domain)
 fs_rw_onload_sockets(container_domain)
 fs_search_tmpfs(container_domain)
 fs_unmount_cgroup(container_domain)
 fs_unmount_fusefs(container_domain)
 fs_unmount_nsfs(container_domain)
 fs_unmount_xattr_fs(container_domain)
 term_use_all_inherited_terms(container_domain)
@@ -942,18 +1051,6 @@ gen_require(`
 	type cgroup_t;
 ')
 dev_read_sysfs(container_domain)
 dev_read_mtrr(container_domain)
 dev_mounton_sysfs(container_t)
 fs_mounton_cgroup(container_t)
 fs_unmount_cgroup(container_t)
 dev_read_rand(container_domain)
 dev_write_rand(container_domain)
 dev_read_urand(container_domain)
 dev_write_urand(container_domain)
 files_read_kernel_modules(container_domain)
 allow container_file_t cgroup_t:filesystem associate;
@@ -999,7 +1096,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
-
+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1009,9 +1106,6 @@ gen_require(`
 ')
 dontaudit container_domain usermodehelper_t:file write;
 fs_read_cgroup_files(container_domain)
 fs_list_cgroup_dirs(container_domain)
 sysnet_read_config(container_domain)
 allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1039,20 +1133,6 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 fs_manage_fusefs_named_sockets(container_domain)
 fs_manage_fusefs_named_pipes(container_domain)
 fs_manage_fusefs_dirs(container_domain)
 fs_manage_fusefs_files(container_domain)
 fs_manage_fusefs_symlinks(container_domain)
 fs_manage_fusefs_named_sockets(container_domain)
 fs_manage_fusefs_named_pipes(container_domain)
 fs_exec_fusefs_files(container_domain)
 fs_mount_xattr_fs(container_domain)
 fs_unmount_xattr_fs(container_domain)
 fs_remount_xattr_fs(container_domain)
 fs_mount_fusefs(container_domain)
 fs_unmount_fusefs(container_domain)
 fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
 allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
@@ -1127,6 +1207,7 @@ dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)
 fs_mount_tmpfs(container_userns_t)
 fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)
@@ -1188,6 +1269,8 @@ optional_policy(`
 		attribute userdomain;
 	')
 	allow userdomain container_domain:process transition;
 	can_exec(userdomain, container_runtime_exec_t)
 	container_manage_files(userdomain)
 	container_manage_share_dirs(userdomain)
@@ -1280,6 +1363,7 @@ logging_send_syslog_msg(container_kvm_t)
 optional_policy(`
 	qemu_entry_type(container_kvm_t)
 	qemu_exec(container_kvm_t)
 	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 ')
 manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
@@ -1316,8 +1400,17 @@ optional_policy(`
 ')
 tunable_policy(`container_use_devices',`
-	allow container_domain device_node:chr_file rw_chr_file_perms;
+	allow container_domain device_node:chr_file {rw_chr_file_perms map};
-	allow container_domain device_node:blk_file rw_blk_file_perms;
+	allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')
 tunable_policy(`container_use_xserver_devices',`
 	dev_getattr_xserver_misc_dev(container_t)
 	dev_rw_xserver_misc(container_t)
 ')
 tunable_policy(`container_use_dri_devices',`
 	dev_rw_dri(container_domain)
 ')
 tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -1336,19 +1429,41 @@ fs_mounton_cgroup(container_engine_t)
 fs_unmount_cgroup(container_engine_t)
 fs_manage_cgroup_dirs(container_engine_t)
 fs_manage_cgroup_files(container_engine_t)
 fs_mount_tmpfs(container_engine_t)
 fs_write_cgroup_files(container_engine_t)
-
+fs_remount_cgroup(container_engine_t)
-allow container_engine_t proc_t:file mounton;
+fs_mount_all_fs(container_engine_t)
-allow container_engine_t sysctl_t:file mounton;
+fs_remount_all_fs(container_engine_t)
-allow container_engine_t sysfs_t:filesystem remount;
+fs_unmount_all_fs(container_engine_t)
-
+kernel_mounton_all_sysctls(container_engine_t)
 kernel_mount_proc(container_engine_t)
 kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
 kernel_mounton_core_if(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
 term_mount_pty_fs(container_engine_t)
 term_use_generic_ptys(container_engine_t)
 allow container_engine_t container_file_t:chr_file mounton;
 allow container_engine_t filesystem_type:{dir file} mounton;
 allow container_engine_t proc_kcore_t:file mounton;
 allow container_engine_t proc_t:filesystem remount;
 allow container_engine_t sysctl_t:{dir file} mounton;
 allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
 allow container_engine_t fusefs_t:file relabelto;
 allow container_engine_t kernel_t:system module_request;
 allow container_engine_t null_device_t:chr_file mounton;
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 optional_policy(`
 	gen_require(`
 		type devtty_t;
 	')
 	allow container_engine_t devtty_t:chr_file mounton;
 ')
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@@ -1361,6 +1476,7 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
@@ -1384,7 +1500,6 @@ optional_policy(`
 	gen_require(`
 		type sysadm_t;
 		role sysadm_r;
 		attribute userdomain;
 		role unconfined_r;
 	')
@@ -1403,6 +1518,7 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 container_domain_template(container_device_plugin, container)
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
 # Standard container which needs to be allowed to use any device and
@@ -1441,3 +1557,46 @@ tunable_policy(`sshd_launch_containers',`
 	container_runtime_domtrans(sshd_t)
 	dontaudit systemd_logind_t iptables_var_run_t:dir read;
 ')
 role container_user_r;
 userdom_restricted_user_template(container_user)
 userdom_manage_home_role(container_user_r, container_user_t)
 allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
 role container_user_r types container_domain;
 role container_user_r types container_user_domain;
 role container_user_r types container_net_domain;
 role container_user_r types container_file_type;
 container_runtime_run(container_user_t, container_user_r)
 unconfined_role_change_to(container_user_r)
 container_use_ptys(container_user_t)
 fs_manage_cgroup_dirs(container_user_t)
 fs_manage_cgroup_files(container_user_t)
 selinux_compute_access_vector(container_user_t)
 systemd_dbus_chat_hostnamed(container_user_t)
 systemd_start_systemd_services(container_user_t)
 allow container_runtime_t container_user_t:process transition;
 allow container_runtime_t container_user_t:process2 nnp_transition;
 allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
 allow container_user_t container_file_t:chr_file manage_chr_file_perms;
 allow container_user_t container_file_t:file entrypoint;
 allow container_domain container_file_t:file entrypoint;
 allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
 allow container_domain container_var_lib_t:file entrypoint;
 allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
 corecmd_entrypoint_all_executables(container_kvm_t)
 allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 allow svirt_sandbox_domain mountpoint:file entrypoint;
 tunable_policy(`deny_ptrace',`',`
 	allow container_domain self:process ptrace;
 	allow spc_t self:process ptrace;
 ')
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -1,5 +1,5 @@
-/run /var/run
+/var/run /run
-/run/lock /var/lock
+/var/lock /run/lock
 /var/run/lock /var/lock
 /lib /usr/lib
 /lib64 /usr/lib
@@ -10,8 +10,13 @@
 /etc/systemd/system /usr/lib/systemd/system
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /run/systemd/generator.early /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/run/netconfig /etc
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
 /usr/etc /etc
 /bin /usr/bin
 /sbin /usr/bin
 /usr/sbin /usr/bin
--- a/macros.selinux-policy
+++ b/macros.selinux-policy
@@ -28,7 +28,7 @@
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
-%_file_context_file_pre /run/rpm-state/file_contexts.pre
+%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre
 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
@@ -60,7 +60,11 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  if %{_sbindir}/selinuxenabled; then \
    if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
      %{_sbindir}/load_policy || : \
    fi \
  fi \
 fi \
 %{nil}
@@ -76,7 +80,11 @@ fi \
 if [ $1 -eq 0 ]; then \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    if %{_sbindir}/selinuxenabled; then \
      if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
        %{_sbindir}/load_policy || : \
      fi \
    fi \
  fi \
 fi \
 %{nil}
@@ -92,7 +100,7 @@ if %{_sbindir}/selinuxenabled; then \
    _policytype="targeted" \
  fi \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    mkdir -p /run/rpm-state \
+    mkdir -p $(dirname %{_file_context_file_pre}) \
    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
  fi \
 fi \
@@ -110,8 +118,12 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+     if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
-     rm -f %{_file_context_file_pre} \
+       %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
       rm -f %{_file_context_file_pre} \
     else \
       touch /etc/selinux/.autorelabel \
     fi \
   fi \
 fi \
 %{nil}
--- a/modules-minimum-contrib.conf
+++ b/modules-minimum-contrib.conf
@@ -1465,13 +1465,6 @@ psad = module
 # 
 ptchown = module
 # Layer: services
 # Module: publicfile
 #
 # publicfile supplies files to the public through HTTP and FTP
 # 
 publicfile = module
 # Layer: apps
 # Module: pulseaudio
 #
--- a/modules-minimum-disable.lst
+++ b/modules-minimum-disable.lst
@@ -1 +1 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 
+abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -1034,13 +1034,6 @@ psad = module
 # 
 ptchown = module
 # Layer: services
 # Module: publicfile
 #
 # publicfile supplies files to the public through HTTP and FTP
 # 
 publicfile = module
 # Layer: apps
 # Module: pulseaudio
 #
@@ -1475,6 +1468,13 @@ uucp = module
 # 
 virt = module
 # Layer: services
 # Module: virt_supplementary
 #
 # non-libvirt virtualization libraries
 #
 virt_supplementary = module
 # Layer: apps
 # Module: vmware
 #
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -1472,13 +1472,6 @@ psad = module
 # 
 ptchown = module
 # Layer: services
 # Module: publicfile
 #
 # publicfile supplies files to the public through HTTP and FTP
 # 
 publicfile = module
 # Layer: apps
 # Module: pulseaudio
 #
@@ -2115,6 +2108,13 @@ vhostmd = module
 # 
 virt = module
 # Layer: services
 # Module: virt_supplementary
 #
 # non-libvirt virtualization libraries
 #
 virt_supplementary = module
 # Layer: apps
 # Module: vhostmd
 #
@@ -2692,3 +2692,86 @@ wireguard = module
 #
 keyutils = module
 # Layer: contrib
 # Module: cifsutils
 #
 #  cifsutils - Utilities for managing CIFS mounts
 #
 cifsutils = module
 # Layer: contrib
 # Module: boothd
 #
 #  boothd - Booth cluster ticket manager
 #
 boothd = module
 # Layer: contrib
 # Module: kafs
 #
 #  kafs - Tools for kAFS
 #
 kafs = module
 # Layer: contrib
 # Module: bootupd
 #
 #  bootupd - bootloader update daemon
 #
 bootupd = module
 # Layer: contrib
 # Module: fdo
 #
 #  fdo - fido device onboard protocol for IoT devices
 #
 fdo = module
 # Layer: contrib
 # Module: qatlib
 #
 #  qatlib - Intel QuickAssist technology library and resources management
 #
 qatlib = module
 # Layer: contrib
 # Module: afterburn
 #
 # afterburn
 #
 afterburn = module
 # Layer: contrib
 # Module: nvme_stas
 #
 # nvme_stas
 #
 nvme_stas = module
 # Layer: contrib
 # Module: coreos_installer
 #
 # coreos_installer
 #
 coreos_installer = module
 ## Layer: contrib
 ## Module: libalternatives
 ##
 ## libalternatives
 ##
 libalternatives = module
 ## Layer: contrib
 ## Module: kiwi
 ##
 ## kiw
 ##
 kiwi = module
 # Layer: contrib
 # Module: sap
 #
 # sap
 #
 sap = module
--- a/selinux-policy-20230523+git16.0849f54c.tar.xz
+++ b/selinux-policy-20230523+git16.0849f54c.tar.xz
--- a/selinux-policy-20241031+git8.1f94e96d.tar.xz
+++ b/selinux-policy-20241031+git8.1f94e96d.tar.xz
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,72 +1,830 @@
 -------------------------------------------------------------------
-Tue Apr 30 14:46:09 UTC 2024 - jsegitz@suse.com
+Fri Jun 27 11:23:40 UTC 2025 - cathy.hu@suse.com
- Update to version 20230523+git16.0849f54c:
+- Update to version 20241031+git8.1f94e96d:
-  * allow firewalld access to /dev/random and write HW acceleration 
+  * Revert downstream fix for bsc#1199630 due to regression (bsc#1243242)
    logs (bsc#1215405)
 -------------------------------------------------------------------
-Mon Mar 04 16:13:00 UTC 2024 - cathy.hu@suse.com
+Mon Dec 16 16:18:29 UTC 2024 - cathy.hu@suse.com
- Update to version 20230523+git14.ef49ab54:
+- Update to version 20241031+git6.af97b0a3:
  * Allow vhostmd_t list virtqemud pid dirs (bsc#1230961)
 -------------------------------------------------------------------
 Wed Dec 11 15:16:11 UTC 2024 - cathy.hu@suse.com
 - Update to version 20241031+git4.96add794:
  * Label /run/libvirt/qemu/channel with virtqemud_var_run_t (bsc#1230961)
 -------------------------------------------------------------------
 Fri Nov 29 14:58:18 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
 - Update macros.selinux-policy to trigger a full relabel on transactional
  systems upon module installation. This is rather expensive and will
  hopefully be replaced by a more fine grained solution later on (bsc#1232753)
 -------------------------------------------------------------------
 Tue Nov 05 16:21:02 UTC 2024 - cathy.hu@suse.com
 - Update to version 20241031+git2.f85cbd70:
  * Allow virt_dbus_t to connect to virtd_t over unix_stream_socket (bsc#1232655)
 -------------------------------------------------------------------
 Thu Oct 31 10:34:13 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 - (internal change): created seperate branch to track SLFO:1.1 in
  selinux-policy git repository, change _service file to pull
  from that branch
 -------------------------------------------------------------------
 Wed Sep 25 08:26:34 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git382.24f674cf:
  * Allow snapperd to manage unlabeled_t files (bsc#1230966)
 -------------------------------------------------------------------
 Tue Sep 24 08:50:16 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 - Fix macros.selinux-policy (bsc#1230897)
  - %selinux_relabel_post should not relabel files in
    transactional systems in %post as the policy is not loaded
    into the kernel directly after install, instead the relabelling 
    will happen on the next boot
 -------------------------------------------------------------------
 Thu Sep 12 07:48:02 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git380.95302f48:
  * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
  * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
  * Initial policy for udev-trigger-generator (bsc#1230315)
 -------------------------------------------------------------------
 Wed Sep  4 13:07:52 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 - Fix macros.selinux-policy (bsc#1229132)
  - %selinux_modules_install and %selinux_modules_uninstall will
    now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
    (aka only if they are not in a transactional system)
  - $TRANSACTIONAL_UPDATE is set here:
    https://github.com/openSUSE/transactional-update/blob/bd524d3ddfcd9aeebb7b90d3e0e8eed09b796a86/lib/Transaction.cpp#L428
 -------------------------------------------------------------------
 Thu Aug 15 14:24:41 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git376.0406315d:
  * Dontaudit dac_override of fstab generator (bsc#1229127)
  * Update libvirt policy
  * Add port 80/udp and 443/udp to http_port_t definition
  * Additional updates stalld policy for bpf usage
  * Label systemd-pcrextend and systemd-pcrlock properly
  * Label /run/udev/rules.d as udev_rules_t
  * Provide type for sysstat lock files (bsc#1228247)
  * Allow coreos_installer_t work with partitions
  * Revert "Allow coreos-installer-generator work with partitions"
  * Add policy for systemd-pcrextend
  * Update policy for systemd-getty-generator
  * Allow snapper to delete unlabeled_t files (bsc#1228889)
  * Allow ip command write to ipsec's logs
  * Allow virt_driver_domain read virtd-lxc files in /proc
  * Revert "Allow svirt read virtqemud fifo files"
  * Update virtqemud policy for libguestfs usage
  * Allow virtproxyd create and use its private tmp files
  * Allow virtproxyd read network state
  * Allow virt_driver_domain create and use log files in /var/log (bsc#1227483)
  * Allow samba-dcerpcd work with ctdb cluster
  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  * Allow setroubleshootd execute sendmail with a domain transition
  * Allow key.dns_resolve set attributes on the kernel key ring
  * Update qatlib policy for v24.02 with new features
  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  * Allow tlp status power services
  * Allow virtqemud domain transition on passt execution
  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  * Allow boothd connect to systemd-userdbd over a unix socket
  * Update policy for awstats scripts
  * Allow bitlbee execute generic programs in system bin directories
  * Allow login_userdomain read aliases file
  * Allow login_userdomain read ipsec config files
  * Allow login_userdomain read all pid files
  * Allow rsyslog read systemd-logind session files
  * Allow libvirt-dbus stream connect to virtlxcd
  * Use new kanidm interfaces
  * Initial module for kanidm
  * Update bootupd policy
  * Allow rhsmcertd read/write access to /dev/papr-sysparm
  * Label /dev/papr-sysparm and /dev/papr-vpd
  * Allow abrt-dump-journal-core connect to winbindd
  * Allow systemd-hostnamed shut down nscd
  * Allow systemd-pstore send a message to syslogd over a unix domain
  * Allow postfix_domain map postfix_etc_t files
  * Allow microcode create /sys/devices/system/cpu/microcode/reload
  * Allow rhsmcertd read, write, and map ica tmpfs files
  * Support SGX devices
  * Allow initrc_t transition to passwd_t
  * Update fstab and cryptsetup generators policy
  * Allow xdm_t read and write the dma device
  * Update stalld policy for bpf usage
  * Allow systemd_gpt_generator to getattr on DOS directories
  * Make cgroup_memory_pressure_t a part of the file_type attribute
  * Allow ssh_t to change role to system_r
  * Update policy for coreos generators
  * Allow init_t nnp domain transition to firewalld_t
  * Label /run/modprobe.d with modules_conf_t
  * Allow virtnodedevd run udev with a domain transition
  * Allow virtnodedev_t create and use virtnodedev_lock_t
  * Allow virtstoraged manage files with virt_content_t type
  * Allow virtqemud unmount a filesystem with extended attributes
  * Allow svirt_t connect to unconfined_t over a unix domain socket
  * Update afterburn file transition policy
  * Allow systemd_generator read attributes of all filesystems
  * Allow fstab-generator read and write cryptsetup-generator unit file
  * Allow cryptsetup-generator read and write fstab-generator unit file
  * Allow systemd_generator map files in /etc
  * Allow systemd_generator read init's process state
  * Allow coreos-installer-generator read sssd public files
  * Allow coreos-installer-generator work with partitions
  * Label /etc/mdadm.conf.d with mdadm_conf_t
  * Confine coreos generators
  * Label /run/metadata with afterburn_runtime_t
  * Allow afterburn list ssh home directory
  * Label samba certificates with samba_cert_t
  * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  * Allow virtqemud read virt-dbus process state
  * Allow staff user dbus chat with virt-dbus
  * Allow staff use watch /run/systemd
  * Allow systemd_generator to write kmsg
  * Allow virtqemud connect to sanlock over a unix stream socket
  * Allow virtqemud relabel virt_var_run_t directories
  * Allow svirt_tcg_t read vm sysctls
  * Allow virtnodedevd connect to systemd-userdbd over a unix socket
  * Allow svirt read virtqemud fifo files
  * Allow svirt attach_queue to a virtqemud tun_socket
  * Allow virtqemud run ssh client with a transition
  * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  * Update keyutils policy
  * Allow sshd_keygen_t connect to userdbd over a unix stream socket
  * Allow postfix-smtpd read mysql config files
  * Allow locate stream connect to systemd-userdbd
  * Allow the staff user use wireshark
  * Allow updatedb connect to userdbd over a unix stream socket
  * Allow gpg_t set attributes of public-keys.d
  * Allow gpg_t get attributes of login_userdomain stream
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t
  * Drop publicfile module
  * Remove permissive domain for systemd_nsresourced_t
  * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  * Allow to create and delete socket files created by rhsm.service
  * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  * Allow unconfined_service_t transition to passwd_t
  * Support /var is empty
  * Allow abrt-dump-journal read all non_security socket files
  * Allow timemaster write to sysfs files
  * Dontaudit domain write cgroup files
  * Label /usr/lib/node_modules/npm/bin with bin_t
  * Allow ip the setexec permission
  * Allow systemd-networkd write files in /var/lib/systemd/network
  * Fix typo in systemd_nsresourced_prog_run_bpf()
 -------------------------------------------------------------------
 Fri Aug 09 12:47:22 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git249.ce3c66e6:
  * Provide type for sysstat lock files (bsc#1228247)
  * Label /run/udev/rules.d as udev_rules_t
  * Allow snapper to delete unlabeled_t files (bsc#1228889)
 -------------------------------------------------------------------
 Mon Aug 05 06:40:05 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git244.3664e356:
  * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745)
  * Fix labels for bind/named
  * Initial policy for ibft-rule-generator (bsc#1228402)
  * Initial policy for systemd-status-mail (bsc#1228402)
  * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385)
  * Allow pppd to manage sysnet directories (bsc#1228385)
  * Allow snapper grub plugin to manage unlabeled_t and read link files
 -------------------------------------------------------------------
 Fri Jul 26 07:56:15 UTC 2024 - cathy.hu@suse.com
 - Enable sap module
 - Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
  * /var/run /run
  * /var/lock /run/lock
 - Move to %posttrans to ensure selinux-policy got updated before
  the commands run (bsc#1221720)
 - Remove "Reference" from the package description. It's not the
  reference policy, but the Fedora branch of the policy
 - Update to version 20240604+git230.eb718617:
  * Initial policy for grub2 snapper plugin (bsc#1228205)
  * Set microos autorelabel script to systemd_autorelabel_generator_t
  * Allow systemd_generator to write kmsg
  * Initial policy for systemd growpart-generator (bsc#1226824)
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Allow manage dosfs_t files to snapperd
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Revert "Add policy for wtmpdb (bsc#1210717)"
  * Allow gnome control center to set autologin (bsc#1222978)
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Dontaudit xdm_t to getattr on root_t (bsc#1223145)
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
  * Allow all domains read and write z90crypt device
  * Allow tpm2 generator setfscreate
  * Allow systemd (PID 1) manage systemd conf files
  * Allow pulseaudio map its runtime files
  * Update policy for getty-generator
  * Allow systemd-hwdb send messages to kernel unix datagram sockets
  * Allow systemd-machined manage runtime sockets
  * Allow fstab-generator create unit file symlinks
  * Update policy for cryptsetup-generator
  * Update policy for fstab-generator
  * Allow virtqemud read vm sysctls
  * Allow collectd to trace processes in user namespace
  * Allow bootupd search efivarfs dirs
  * Add policy for systemd-mountfsd
  * Add policy for systemd-nsresourced
  * Update policy generators
  * Add policy for anaconda-generator
  * Update policy for fstab and gpt generators
  * Add policy for kdump-dep-generator
  * Add policy for a generic generator
  * Add policy for tpm2 generator
  * Add policy for ssh-generator
  * Add policy for second batch of generators
  * Update policy for systemd generators
  * ci: Adjust Cockpit test plans
  * Allow journald read systemd config files and directories
  * Allow systemd_domain read systemd_conf_t dirs
  * Fix bad Python regexp escapes
  * Allow fido services connect to postgres database
  * Revert "Update the README.md file with the c10s branch information"
  * Update the README.md file with the c10s branch information
  * Allow postfix smtpd map aliases file
  * Ensure dbus communication is allowed bidirectionally
  * Label systemd configuration files with systemd_conf_t
  * Label /run/systemd/machine with systemd_machined_var_run_t
  * Allow systemd-hostnamed read the vsock device
  * Allow sysadm execute dmidecode using sudo
  * Allow sudodomain list files in /var
  * Allow setroubleshootd get attributes of all sysctls
  * Allow various services read and write z90crypt device
  * Allow nfsidmap connect to systemd-homed
  * Allow sandbox_x_client_t dbus chat with accountsd
  * Allow system_cronjob_t dbus chat with avahi_t
  * Allow staff_t the io_uring sqpoll permission
  * Allow staff_t use the io_uring API
  * Add support for secretmem anon inode
  * Allow virtqemud read vfio devices
  * Allow virtqemud get attributes of a tmpfs filesystem
  * Allow svirt_t read vm sysctls
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud get attributes of cifs files
  * Allow virtqemud get attributes of filesystems with extended attributes
  * Allow virtqemud get attributes of NFS filesystems
  * Allow virt_domain read and write usb devices conditionally
  * Allow virtstoraged use the io_uring API
  * Allow virtstoraged execute lvm programs in the lvm domain
  * Allow virtnodevd_t map /var/lib files
  * Allow svirt_tcg_t map svirt_image_t files
  * Allow abrt-dump-journal-core connect to systemd-homed
  * Allow abrt-dump-journal-core connect to systemd-machined
  * Allow sssd create and use io_uring
  * Allow selinux-relabel-generator create units dir
  * Allow dbus-broker read/write inherited user ttys
  * Define transitions for /run/libvirt/common and /run/libvirt/qemu
  * Allow systemd-sleep read raw disk data
  * Allow numad to trace processes in user namespace
  * Allow abrt-dump-journal-core connect to systemd-userdbd
  * Allow plymouthd read efivarfs files
  * Update the auth_dontaudit_read_passwd_file() interface
  * Label /dev/mmcblk0rpmb character device with removable_device_t
  * fix hibernate on btrfs swapfile (F40)
  * Allow nut to statfs()
  * Allow system dbusd service status systemd services
  * Allow systemd-timedated get the timemaster service status
  * Allow keyutils-dns-resolver connect to the system log service
  * Allow qemu-ga read vm sysctls
  * postfix: allow qmgr to delete mails in bounce/ directory
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
 - Update container-selinux to a68865582e123856c191fe0ecbbba9301758e591
 -------------------------------------------------------------------
 Tue Jul 16 10:51:43 UTC 2024 - Filippo Bonazzi <filippo.bonazzi@suse.com>
 - Fix systemd generator.early and generator.late file contexts (bsc#1227638)
 -------------------------------------------------------------------
 Tue Jun 04 16:39:04 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240604+git0.ee0114f1:
  * allow firewalld access to /dev/random and write HW acceleration logs
 -------------------------------------------------------------------
 Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com
 - Update to version 20240321:
  * policy module for kiwi (bsc#1221109)
  * dontaudit execmem for modemmanager (bsc#1219363)
 -------------------------------------------------------------------
 Wed Mar 13 11:02:43 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240313:
  * Assign alts_exec_t to files_type
 -------------------------------------------------------------------
 Fri Mar 08 09:05:08 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
 -------------------------------------------------------------------
 Wed Mar 06 15:41:20 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys
 -------------------------------------------------------------------
 Mon Mar 04 16:19:28 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
 -------------------------------------------------------------------
-Wed Feb 28 16:32:49 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com
- Extend module list for targeted policy
+- Update to version 20240205:
-  * timedatex
+  * Allow gpg manage rpm cache
-  * rrdcached
+  * Allow login_userdomain name_bind to howl and xmsg udp ports
-  * stratisd
+  * Allow rules for confined users logged in plasma
-  * ica (bsc#1215405)
+  * Label /dev/iommu with iommu_device_t
-  * fedoratp
+  * Remove duplicate file context entries in /run
-  * stalld
+  * Dontaudit getty and plymouth the checkpoint_restore capability (bsc#1220361)
-  * rhcd
+  * Allow su domains write login records
-  * wireguard 
+  * Revert "Allow su domains write login records"
-  * keyutils
+  * Allow login_userdomain delete session dbusd tmp socket files
-
+  * Allow unix dgram sendto between exim processes
-------------------------------------------------------------------
+  * Allow su domains write login records
-Mon Feb 26 15:18:05 UTC 2024 - cathy.hu@suse.com
+  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
-
+  * Allow chronyd-restricted read chronyd key files
- Update to version 20230523+git12.05dc86ac:
+  * Allow conntrackd_t to use bpf capability2
-  * Add dontaudit rules for the checkpoint_restore capability used
+  * Allow systemd-networkd manage its runtime socket files
-    by getty and plymouth (bsc#1220361)
+  * Allow init_t nnp domain transition to colord_t
-
+  * Allow polkit status systemd services
-------------------------------------------------------------------
+  * nova: Fix duplicate declarations
-Wed Feb 07 09:02:53 UTC 2024 - cathy.hu@suse.com
+  * Allow httpd work with PrivateTmp
-
+  * Add interfaces for watching and reading ifconfig_var_run_t
- Update to version 20230523+git10.e010174f:
+  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.
 -------------------------------------------------------------------
-Wed Jan 31 08:02:35 UTC 2024 - cathy.hu@suse.com
+Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com
- Update to version 20230523+git8.ab5aa47a:
+- Update to version 20240116:
-  * Allow kdump create and use its memfd: objects (bsc#1219207)
+  * Fix gitolite homedir paths (bsc#1218826)
 -------------------------------------------------------------------
-Tue Nov 28 14:45:47 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
+Tue Jan 09 09:14:44 UTC 2024 - cathy.hu@suse.com
 - Update to version 20240104:
  * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
  * allow rebootmgr to read the system state (bsc#1205931)
 -------------------------------------------------------------------
 Tue Nov 28 14:40:23 UTC 2023 - Hu <cathy.hu@suse.com>
 - Trigger rebuild of the policy when pcre2 gets updated to avoid
  regex version mismatch errors (bsc#1216747).
 -------------------------------------------------------------------
-Thu Oct 12 11:56:20 UTC 2023 - cathy.hu@suse.com
+Fri Nov 24 09:34:20 UTC 2023 - cathy.hu@suse.com
- Update to version 20230523+git6.b3649209:
+- Update to version 20231124:
-  * Allow keepalived to manage its tmp files (bsc#1216060)
+  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
 -------------------------------------------------------------------
-Tue Sep 12 14:51:28 UTC 2023 - cathy.hu@suse.com
+Wed Nov 22 14:37:56 UTC 2023 - Hu <cathy.hu@suse.com>
- Update to version 20230523+git4.261ed027:
+- Add new modules that were missed in the last update to 
  modules-mls-contrib.conf
 -------------------------------------------------------------------
 Wed Nov 22 13:49:14 UTC 2023 - Hu <cathy.hu@suse.com>
 - Add new modules that were missed in the last update to 
  modules-targeted-contrib.conf (bsc#1215405)
 -------------------------------------------------------------------
 Mon Oct 30 10:28:10 UTC 2023 - cathy.hu@suse.com
 - Update to version 20231030:
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects (bsc#1219207)
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib  to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  * Add use_nfs_home_dirs boolean for mozilla_plugin
  * Fix labeling for no-stub-resolv.conf
  * Revert "Allow winbind-rpcd use its private tmp files"
  * Allow upsmon execute upsmon via a helper script
  * Allow openconnect vpn read/write inherited vhost net device
  * Allow winbind-rpcd use its private tmp files
  * Update samba-dcerpc policy for printing
  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  * Allow nscd watch system db dirs
  * Allow qatlib to read sssd public files
  * Allow fedora-third-party read /sys and proc
  * Allow systemd-gpt-generator mount a tmpfs filesystem
  * Allow journald write to cgroup files
  * Allow rpc.mountd read network sysctls
  * Allow blueman read the contents of the sysfs filesystem
  * Allow logrotate_t to map generic files in /etc
  * Boolean: Allow virt_qemu_ga create ssh directory
  * Allow systemd-network-generator send system log messages
  * Dontaudit the execute permission on sock_file globally
  * Allow fsadm_t the file mounton permission
  * Allow named and ndc the io_uring sqpoll permission
  * Allow sssd io_uring sqpoll permission
  * Fix location for /run/nsd
  * Allow qemu-ga get fixed disk devices attributes
  * Update bitlbee policy
  * Label /usr/sbin/sos with sosreport_exec_t
  * Update policy for the sblim-sfcb service
  * Add the files_getattr_non_auth_dirs() interface
  * Fix the CI to work with DNF5
  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
  * Revert "Allow insights client map cache_home_t"
  * Allow nfsidmapd connect to systemd-machined over a unix socket
  * Allow snapperd connect to kernel over a unix domain stream socket
  * Allow virt_qemu_ga_t create .ssh dir with correct label
  * Allow targetd read network sysctls
  * Set the abrt_handle_event boolean to on
  * Permit kernel_t to change the user identity in object contexts
  * Allow insights client map cache_home_t
  * Label /usr/sbin/mariadbd with mysqld_exec_t
  * Allow httpd tcp connect to redis port conditionally
  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
  * Dontaudit aide the execmem permission
  * Remove permissive from fdo
  * Allow sa-update manage spamc home files
  * Allow sa-update connect to systemlog services
  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
  * Allow bootupd search EFI directory
  * Change init_audit_control default value to true
  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
  * Add the qatlib  module
  * Add the fdo module
  * Add the bootupd module
  * Set default ports for keylime policy
  * Create policy for qatlib
  * Add policy for FIDO Device Onboard
  * Add policy for bootupd
  * Add support for kafs-dns requested by keyutils
  * Allow insights-client execmem
  * Add support for chronyd-restricted
  * Add init_explicit_domain() interface
  * Allow fsadm_t to get attributes of cgroup filesystems
  * Add list_dir_perms to kerberos_read_keytab
  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  * Allow sendmail manage its runtime files
 -------------------------------------------------------------------
 Thu Oct 12 07:59:22 UTC 2023 - cathy.hu@suse.com
 - Update to version 20231012:
  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
 -------------------------------------------------------------------
-Tue May 23 13:38:15 UTC 2023 - cathy.hu@suse.com
+Wed Oct  4 14:40:03 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Initial ALP release using git workflow: 20230523+git0.41d70255
+- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
  directory doesn't exist on SUSE systems (bsc#1213593)
 -------------------------------------------------------------------
 Tue Sep 19 07:57:02 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
 - Modified update.sh to require first parameter "full" to also
  update container-selinux. For maintenance updates you usually
  don't want it to be updated
 -------------------------------------------------------------------
 Fri Jul 28 14:49:04 UTC 2023 - filippo.bonazzi@suse.com
 - Update to version 20230728:
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
  * allow haveged to manage tmpfs directories (bsc#1213594)
 -------------------------------------------------------------------
 Thu Jun 22 12:14:15 UTC 2023 - jsegitz@suse.com
 - Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail
 -------------------------------------------------------------------
 Tue Apr 25 15:12:47 UTC 2023 - cathy.hu@suse.com
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230523+git16.0849f54c
+Version:        20241031+git8.1f94e96d
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
@@ -91,9 +91,9 @@ BuildRequires:  python3-policycoreutils
 # we need selinuxenabled
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  pam-config
-Requires(post): pam-config
+Requires(posttrans): pam-config
-Requires(post): selinux-tools
+Requires(posttrans): selinux-tools
-Requires(post): /usr/bin/sha512sum
+Requires(posttrans): /usr/bin/sha512sum
 Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
@@ -292,9 +292,8 @@ for i in $contrib_modules $base_modules; do \
 done;
 %description
-SELinux Reference Policy. A complete SELinux policy that can be used
+A complete SELinux policy that can be used as the system policy for a variety
-as the system policy for a variety of systems and used as the basis for
+of systems and used as the basis for creating other policies.
 creating other policies.
 %files
 %defattr(-,root,root,-)
@@ -527,12 +526,12 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 %description targeted
-SELinux Reference policy targeted base module.
+SELinux policy targeted base module.
 %pre targeted
 %preInstall targeted
-%post targeted
+%posttrans targeted
 %postInstall $1 targeted
 exit 0
@@ -562,7 +561,7 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 %description minimum
-SELinux Reference policy minimum base module.
+SELinux policy minimum base module.
 %pre minimum
 %preInstall minimum
@@ -623,12 +622,12 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 %description mls
-SELinux Reference policy mls base module.
+SELinux policy mls base module.
 %pre mls
 %preInstall mls
-%post mls
+%posttrans mls
 %postInstall $1 mls
 %postun mls
--- a/update.sh
+++ b/update.sh
@@ -2,18 +2,20 @@
 date=$(date '+%Y%m%d')
 base_name_pattern='selinux-policy-*.tar.xz'
 echo Update to $date
 old_tar_file=$(ls -1 $base_name_pattern)
 osc service manualrun
-rm -rf container-selinux
+if [ "$1" = "full" ]; then
-git clone --depth 1 https://github.com/containers/container-selinux.git
+  echo doing full update including container-selinux
-rm -f container.*
+  rm -rf container-selinux
-mv container-selinux/container.* .
+  git clone --depth 1 https://github.com/containers/container-selinux.git
-rm -rf container-selinux
+  rm -f container.*
  mv container-selinux/container.* .
  rm -rf container-selinux
 fi
 # delete old files. Might need a better sanity check
 tar_cnt=$(ls -1 $base_name_pattern  | wc -l)
@@ -24,4 +26,3 @@ if [ $tar_cnt -gt 1 ]; then
 fi
 osc status
Author	SHA256	Message	Date
Adrian Schröter	edf5593988	Sync from SUSE:SLFO:1.1 selinux-policy revision 83c74b51ba8c89d0ae5a404abe3d2fd9	2025-08-07 09:56:30 +02:00
Adrian Schröter	1a950ed27b	Sync from SUSE:SLFO:1.1 selinux-policy revision 7a722b3cb20fb54159b41fe0cb8e7eea	2025-03-04 09:00:34 +01:00
Adrian Schröter	33012d719b	Sync from SUSE:SLFO:Main selinux-policy revision 55f05451b4ca0a49bf065d030fc526e6	2025-02-27 18:47:19 +01:00
Adrian Schröter	b4c4ce1ae9	Sync from SUSE:SLFO:Main selinux-policy revision e3af51ce23fe54611056f27c3ad98eb6	2025-02-25 17:40:14 +01:00
Adrian Schröter	e3b69d27e6	Sync from SUSE:SLFO:Main selinux-policy revision 446dda571c5c8f36f69c031e45e38c15	2025-02-20 10:05:20 +01:00
Adrian Schröter	95055a7411	Sync from SUSE:SLFO:Main selinux-policy revision 1b7db8d79e6f4b7b39687f2df8fa11a2	2025-01-28 17:47:41 +01:00
Adrian Schröter	7e2e3354e7	Sync from SUSE:SLFO:Main selinux-policy revision 96a377383044a511ba7bd2d93f31f734	2024-12-20 16:15:12 +01:00
Adrian Schröter	860c67d1e5	Sync from SUSE:SLFO:Main selinux-policy revision bb4f7fb6bc45c0b731185cf101ecb37e	2024-12-04 09:27:19 +01:00
Adrian Schröter	79cd209949	Sync from SUSE:SLFO:Main selinux-policy revision 51ee63f18b842bf4878414ae10de449f	2024-11-15 15:02:31 +01:00
Adrian Schröter	c49fd242eb	Sync from SUSE:SLFO:Main selinux-policy revision 0c0bf226a1c638414670fa1e3ee216a6	2024-11-04 17:37:00 +01:00
Adrian Schröter	fba2fe2eb3	Sync from SUSE:SLFO:Main selinux-policy revision f9efaebb3ac13de52268ab06acd2f09b	2024-09-30 10:57:10 +02:00
Adrian Schröter	7a3f24a12c	Sync from SUSE:SLFO:Main selinux-policy revision ffc47f4ac73cbed1d57ada06412a7551	2024-09-13 16:28:27 +02:00
Adrian Schröter	efafe4eac5	Sync from SUSE:SLFO:Main selinux-policy revision 447c7b6c983a95fc4cd4720057f687b6	2024-09-06 15:31:19 +02:00
Adrian Schröter	b454af874d	Sync from SUSE:SLFO:Main selinux-policy revision 6ab2d18c2dd003faa59ed5c02f48f14f	2024-08-16 18:25:14 +02:00
Adrian Schröter	92d963df0f	Sync from SUSE:SLFO:Main selinux-policy revision dd04695c66fcc1aea07e545f769236f0	2024-08-09 23:17:48 +02:00
Adrian Schröter	f0cef31984	Sync from SUSE:SLFO:Main selinux-policy revision 5e6c0bb4c04f7cdf68e5ca76c738c1ee	2024-08-06 11:05:25 +02:00
Adrian Schröter	007b7f7f07	Sync from SUSE:SLFO:Main selinux-policy revision 1cc07852d76c83488bba1cb743a5a2fc	2024-08-02 15:17:58 +02:00
Adrian Schröter	03dbb9718e	Sync from SUSE:SLFO:Main selinux-policy revision ab7b2ae489149f3931daa0accda72506	2024-06-14 17:21:15 +02:00
`@@ -1 +1 @@`
	abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs	abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs