1
0
Commit Graph

273 Commits

Author SHA256 Message Date
Ana Guerrero
3752e2304c Accepting request 1200261 from security:SELinux
- Update to version 20240912:
  * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
  * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
  * Initial policy for udev-trigger-generator (bsc#1230315)
- Update to version 20240910:
  * Allow init_t mount syslog socket (bsc#1230134)
  * Allow init_t create syslog files (bsc#1230134)
  * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)

OBS-URL: https://build.opensuse.org/request/show/1200261
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=79
2024-09-12 14:54:06 +00:00
Hu
64c9b9378c - Update to version 20240912:
* Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
  * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
  * Initial policy for udev-trigger-generator (bsc#1230315)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=274
2024-09-12 07:35:07 +00:00
Ana Guerrero
33c24240a2 Accepting request 1199629 from security:SELinux
- Update to version 20240905:
  * Allow coreos-installer-generator manage mdadm_conf_t files
  * Allow setsebool_t relabel selinux data files
  * Allow virtqemud relabelfrom virtqemud_var_run_t dirs
  * Use better escape method for "interface"
  * Allow init and systemd-logind to inherit fds from sshd
  * Allow systemd-ssh-generator read sysctl files
  * Sync modules.conf with Fedora targeted modules
  * Allow virtqemud relabel user tmp files and socket files
  * Add missing sys_chroot capability to groupadd policy
  * Label /run/libvirt/qemu/channel with virtqemud_var_run_t
  * Allow virtqemud relabelfrom also for file and sock_file
  * Add virt_create_log() and virt_write_log() interfaces
  - Sync modules-targeted-contrib.conf with Fedora targeted modules.conf

OBS-URL: https://build.opensuse.org/request/show/1199629
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=78
2024-09-10 19:12:21 +00:00
Hu
b9406bac0c Accepting request 1199900 from home:cahu:branches:security:SELinux
- Update to version 20240910:
  * Allow init_t mount syslog socket (bsc#1230134)
  * Allow init_t create syslog files (bsc#1230134)
  * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)

OBS-URL: https://build.opensuse.org/request/show/1199900
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=272
2024-09-10 15:01:13 +00:00
Hu
2112d5575b - Update to version 20240905:
* Allow coreos-installer-generator manage mdadm_conf_t files
  * Allow setsebool_t relabel selinux data files
  * Allow virtqemud relabelfrom virtqemud_var_run_t dirs
  * Use better escape method for "interface"
  * Allow init and systemd-logind to inherit fds from sshd
  * Allow systemd-ssh-generator read sysctl files
  * Sync modules.conf with Fedora targeted modules
  * Allow virtqemud relabel user tmp files and socket files
  * Add missing sys_chroot capability to groupadd policy
  * Label /run/libvirt/qemu/channel with virtqemud_var_run_t
  * Allow virtqemud relabelfrom also for file and sock_file
  * Add virt_create_log() and virt_write_log() interfaces
  - Sync modules-targeted-contrib.conf with Fedora targeted modules.conf

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=271
2024-09-09 08:08:07 +00:00
Ana Guerrero
b2a6a4d472 Accepting request 1198764 from security:SELinux
- Fix macros.selinux-policy (bsc#1229132)
  - %selinux_modules_install and %selinux_modules_uninstall will
    now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
    (aka only if they are not in a transactional system)
  - $TRANSACTIONAL_UPDATE is set here:
    bd524d3ddf/lib/Transaction.cpp (L428)
- Disable build of the MLS policy. We currently don't know if it works
  and don't want to encourage users to apply it

OBS-URL: https://build.opensuse.org/request/show/1198764
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=77
2024-09-05 13:46:23 +00:00
Hu
3d27365c20 - Fix macros.selinux-policy (bsc#1229132)
- %selinux_modules_install and %selinux_modules_uninstall will
    now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
    (aka only if they are not in a transactional system)
  - $TRANSACTIONAL_UPDATE is set here:
    bd524d3ddf/lib/Transaction.cpp (L428)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=269
2024-09-04 13:57:36 +00:00
Hu
c15b34e13f - Disable build of the MLS policy. We currently don't know if it works
and don't want to encourage users to apply it

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=268
2024-09-03 11:46:59 +00:00
Dominique Leuenberger
7f06e6d1b3 Accepting request 1198426 from security:SELinux
- Update to version 20240903:
  * allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)
- Update to version 20240902:
  * Allow xen to use qemu as dom0 disk backend (bsc#1228540)
  * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
  * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)

OBS-URL: https://build.opensuse.org/request/show/1198426
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=76
2024-09-03 11:37:49 +00:00
Hu
9c1224b86d - Update to version 20240903:
* allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=266
2024-09-03 08:04:07 +00:00
Hu
7e521cf496 Accepting request 1198253 from home:cahu:branches:security:SELinux
- Update to version 20240902:
  * Allow xen to use qemu as dom0 disk backend (bsc#1228540)
  * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
  * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)

OBS-URL: https://build.opensuse.org/request/show/1198253
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=265
2024-09-02 08:36:23 +00:00
Dominique Leuenberger
81e37981ae Accepting request 1197845 from security:SELinux
- Update to version 20240830:
  * Allow virtstoraged to manage images (bsc#1228742)
  * Allow virtstoraged_t domtrans to udev (bsc#1228742)

OBS-URL: https://build.opensuse.org/request/show/1197845
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=75
2024-09-01 17:20:56 +00:00
Hu
34097e449f - Update to version 20240830:
* Allow virtstoraged to manage images (bsc#1228742)
  * Allow virtstoraged_t domtrans to udev (bsc#1228742)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=263
2024-08-30 11:52:05 +00:00
Dominique Leuenberger
5d9d3aec92 Accepting request 1196426 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1196426
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=74
2024-08-29 13:42:54 +00:00
Hu
9ea4bcbe6d - Update to version 20240828:
* Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=261
2024-08-28 09:10:00 +00:00
Ana Guerrero
1295c6efea Accepting request 1196084 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1196084
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=73
2024-08-27 17:38:31 +00:00
Hu
6514d3f42b - Enable named_write_master_zones boolean by default (bsc#1229479)
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=259
2024-08-26 14:29:53 +00:00
Ana Guerrero
ef2794ca22 Accepting request 1195681 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1195681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=72
2024-08-25 10:09:35 +00:00
Hu
40eb8e68ec - Update to version 20240823:
* Allow rasdaemon write access to sysfs (bsc#1229587)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=257
2024-08-23 08:42:36 +00:00
Ana Guerrero
4bc48cd130 Accepting request 1194650 from security:SELinux
- Update to version 20240816:
  * Initial policy for syslog-ng (bsc#1229153)

OBS-URL: https://build.opensuse.org/request/show/1194650
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=71
2024-08-20 14:12:40 +00:00
Hu
06983f62a3 - Update to version 20240816:
* Initial policy for syslog-ng (bsc#1229153)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=255
2024-08-16 12:31:26 +00:00
Dominique Leuenberger
3743169a39 Accepting request 1193871 from security:SELinux
- Update to version 20240814:
  * Dontaudit dac_override of fstab generator (bsc#1229127)
- Drop varrun-convert.sh script as it causes issues with
  container-selinux update (bsc#1228951)
- Update to version 20240812:
  * Update libvirt policy
  * Add port 80/udp and 443/udp to http_port_t definition
  * Additional updates stalld policy for bpf usage
  * Label systemd-pcrextend and systemd-pcrlock properly
  * Allow coreos_installer_t work with partitions
  * Revert "Allow coreos-installer-generator work with partitions"
  * Add policy for systemd-pcrextend
  * Update policy for systemd-getty-generator
  * Allow ip command write to ipsec's logs
  * Allow virt_driver_domain read virtd-lxc files in /proc
  * Revert "Allow svirt read virtqemud fifo files"
  * Update virtqemud policy for libguestfs usage
  * Allow virtproxyd create and use its private tmp files
  * Allow virtproxyd read network state
  * Allow virt_driver_domain create and use log files in /var/log
  * Allow samba-dcerpcd work with ctdb cluster
  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  * Allow setroubleshootd execute sendmail with a domain transition
  * Allow key.dns_resolve set attributes on the kernel key ring
  * Update qatlib policy for v24.02 with new features
  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  * Allow tlp status power services
  * Allow virtqemud domain transition on passt execution
  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  * Allow boothd connect to systemd-userdbd over a unix socket
  * Update policy for awstats scripts
  * Allow bitlbee execute generic programs in system bin directories
  * Allow login_userdomain read aliases file
  * Allow login_userdomain read ipsec config files
  * Allow login_userdomain read all pid files
  * Allow rsyslog read systemd-logind session files
  * Allow libvirt-dbus stream connect to virtlxcd

OBS-URL: https://build.opensuse.org/request/show/1193871
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=70
2024-08-15 07:57:36 +00:00
Hu
3425be62a3 - Update to version 20240814:
* Dontaudit dac_override of fstab generator (bsc#1229127)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=253
2024-08-14 12:12:40 +00:00
Hu
4d1c914703 - Drop varrun-convert.sh script as it causes issues with
container-selinux update (bsc#1228951)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=252
2024-08-14 12:09:35 +00:00
Hu
83d1f9398e - Update to version 20240812:
* Update libvirt policy
  * Add port 80/udp and 443/udp to http_port_t definition
  * Additional updates stalld policy for bpf usage
  * Label systemd-pcrextend and systemd-pcrlock properly
  * Allow coreos_installer_t work with partitions
  * Revert "Allow coreos-installer-generator work with partitions"
  * Add policy for systemd-pcrextend
  * Update policy for systemd-getty-generator
  * Allow ip command write to ipsec's logs
  * Allow virt_driver_domain read virtd-lxc files in /proc
  * Revert "Allow svirt read virtqemud fifo files"
  * Update virtqemud policy for libguestfs usage
  * Allow virtproxyd create and use its private tmp files
  * Allow virtproxyd read network state
  * Allow virt_driver_domain create and use log files in /var/log
  * Allow samba-dcerpcd work with ctdb cluster
  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  * Allow setroubleshootd execute sendmail with a domain transition
  * Allow key.dns_resolve set attributes on the kernel key ring
  * Update qatlib policy for v24.02 with new features
  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  * Allow tlp status power services
  * Allow virtqemud domain transition on passt execution
  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  * Allow boothd connect to systemd-userdbd over a unix socket
  * Update policy for awstats scripts
  * Allow bitlbee execute generic programs in system bin directories
  * Allow login_userdomain read aliases file
  * Allow login_userdomain read ipsec config files
  * Allow login_userdomain read all pid files
  * Allow rsyslog read systemd-logind session files
  * Allow libvirt-dbus stream connect to virtlxcd

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=251
2024-08-12 15:39:19 +00:00
Dominique Leuenberger
7ad5616cbb Accepting request 1192931 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1192931
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=69
2024-08-10 17:06:12 +00:00
Hu
2254b47412 - Update to version 20240809:
* Label /run/udev/rules.d as udev_rules_t
  * Provide type for sysstat lock files (bsc#1228247)
  * Allow snapper to delete unlabeled_t files (bsc#1228889)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=249
2024-08-09 12:56:11 +00:00
Hu
fade960df6 - Update to version 20240808:
* Use new kanidm interfaces
  * Initial module for kanidm
  * Update bootupd policy
  * Allow rhsmcertd read/write access to /dev/papr-sysparm
  * Label /dev/papr-sysparm and /dev/papr-vpd
  * Allow abrt-dump-journal-core connect to winbindd
  * Allow systemd-hostnamed shut down nscd
  * Allow systemd-pstore send a message to syslogd over a unix domain
  * Allow postfix_domain map postfix_etc_t files
  * Allow microcode create /sys/devices/system/cpu/microcode/reload
  * Allow rhsmcertd read, write, and map ica tmpfs files
  * Support SGX devices
  * Allow initrc_t transition to passwd_t
  * Update fstab and cryptsetup generators policy
  * Allow xdm_t read and write the dma device
  * Update stalld policy for bpf usage
  * Allow systemd_gpt_generator to getattr on DOS directories
  * Make cgroup_memory_pressure_t a part of the file_type attribute
  * Allow ssh_t to change role to system_r
  * Update policy for coreos generators
  * Allow init_t nnp domain transition to firewalld_t
  * Label /run/modprobe.d with modules_conf_t
  * Allow virtnodedevd run udev with a domain transition
  * Allow virtnodedev_t create and use virtnodedev_lock_t
  * Allow virtstoraged manage files with virt_content_t type
  * Allow virtqemud unmount a filesystem with extended attributes
  * Allow svirt_t connect to unconfined_t over a unix domain socket
  * Update afterburn file transition policy
  * Allow systemd_generator read attributes of all filesystems
  * Allow fstab-generator read and write cryptsetup-generator unit file
  * Allow cryptsetup-generator read and write fstab-generator unit file
  * Allow systemd_generator map files in /etc
  * Allow systemd_generator read init's process state
  * Allow coreos-installer-generator read sssd public files
  * Allow coreos-installer-generator work with partitions
  * Label /etc/mdadm.conf.d with mdadm_conf_t
  * Confine coreos generators
  * Label /run/metadata with afterburn_runtime_t
  * Allow afterburn list ssh home directory
  * Label samba certificates with samba_cert_t
  * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  * Allow virtqemud read virt-dbus process state
  * Allow staff user dbus chat with virt-dbus
  * Allow staff use watch /run/systemd
  * Allow systemd_generator to write kmsg
  * Allow virtqemud connect to sanlock over a unix stream socket
  * Allow virtqemud relabel virt_var_run_t directories
  * Allow svirt_tcg_t read vm sysctls
  * Allow virtnodedevd connect to systemd-userdbd over a unix socket
  * Allow svirt read virtqemud fifo files
  * Allow svirt attach_queue to a virtqemud tun_socket
  * Allow virtqemud run ssh client with a transition
  * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  * Update keyutils policy
  * Allow sshd_keygen_t connect to userdbd over a unix stream socket
  * Allow postfix-smtpd read mysql config files
  * Allow locate stream connect to systemd-userdbd
  * Allow the staff user use wireshark
  * Allow updatedb connect to userdbd over a unix stream socket
  * Allow gpg_t set attributes of public-keys.d
  * Allow gpg_t get attributes of login_userdomain stream
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t
  * Drop publicfile module
  * Remove permissive domain for systemd_nsresourced_t
  * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  * Allow to create and delete socket files created by rhsm.service
  * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  * Allow unconfined_service_t transition to passwd_t
  * Support /var is empty
  * Allow abrt-dump-journal read all non_security socket files
  * Allow timemaster write to sysfs files
  * Dontaudit domain write cgroup files
  * Label /usr/lib/node_modules/npm/bin with bin_t
  * Allow ip the setexec permission
  * Allow systemd-networkd write files in /var/lib/systemd/network
  * Fix typo in systemd_nsresourced_prog_run_bpf()

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=248
2024-08-08 12:42:54 +00:00
Dominique Leuenberger
013d5e9091 Accepting request 1191606 from security:SELinux
- Update to version 20240802:
  * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745)
- Update to version 20240731:
  * Initial policy for ibft-rule-generator (bsc#1228402)
  * Initial policy for systemd-status-mail (bsc#1228402)

OBS-URL: https://build.opensuse.org/request/show/1191606
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=68
2024-08-07 04:09:59 +00:00
Hu
1436280589 Accepting request 1191198 from home:cahu:branches:security:SELinux
- Update to version 20240802:
  * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745)

OBS-URL: https://build.opensuse.org/request/show/1191198
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=246
2024-08-02 14:03:51 +00:00
Dominique Leuenberger
abf987f230 Accepting request 1190665 from security:SELinux
- Update to version 20240731:
  * Fix labels for bind/named (bsc#1228372)
- Update to version 20240729:
  * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385)
  * Allow pppd to manage sysnet directories (bsc#1228385)

OBS-URL: https://build.opensuse.org/request/show/1190665
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=67
2024-08-01 20:03:52 +00:00
Hu
221bf4c937 Accepting request 1190779 from home:cahu:branches:security:SELinux
- Update to version 20240731:
  * Initial policy for ibft-rule-generator (bsc#1228402)
  * Initial policy for systemd-status-mail (bsc#1228402)

OBS-URL: https://build.opensuse.org/request/show/1190779
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=244
2024-07-31 16:19:05 +00:00
Hu
b0b931a7b7 Accepting request 1190664 from home:cahu:branches:security:SELinux
- Update to version 20240731:
  * Fix labels for bind/named (bsc#1228372)

OBS-URL: https://build.opensuse.org/request/show/1190664
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=243
2024-07-31 12:58:43 +00:00
Dominique Leuenberger
ed825bf91e Accepting request 1189796 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1189796
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=66
2024-07-30 09:53:15 +00:00
Hu
27400b7c6d Accepting request 1190295 from home:cahu:branches:security:SELinux
- Update to version 20240729:
  * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385)
  * Allow pppd to manage sysnet directories (bsc#1228385)

OBS-URL: https://build.opensuse.org/request/show/1190295
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=241
2024-07-29 15:55:16 +00:00
Hu
a861cc4c16 - Update to version 20240726:
* Allow snapper grub plugin to manage unlabeled_t and read link files

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=240
2024-07-26 13:40:33 +00:00
Hu
0893fdafb7 - Update to version 20240725:
* Initial policy for grub2 snapper plugin (bsc#1228205)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=239
2024-07-25 07:52:13 +00:00
Hu
46b2f71015 Accepting request 1187944 from home:cahu:branches:security:SELinux
- Update to version 20240716:
  * Set microos autorelabel script to systemd_autorelabel_generator_t
  * Allow systemd_generator to write kmsg
  * Initial policy for systemd growpart-generator (bsc#1226824)
- Update to version 20240715:
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)
- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux
- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd (bsc#1224120)
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"
- Update to version 20240617:
  * Allow gnome control center to set autologin (bsc#1222978)
  * Dontaudit xdm_t to getattr on root_t (bsc#1223145)
- Update to version 20240613:
  * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)
- Update to version 20240612:
  * Allow all domains read and write z90crypt device
  * Allow tpm2 generator setfscreate
  * Allow systemd (PID 1) manage systemd conf files
  * Allow pulseaudio map its runtime files
  * Update policy for getty-generator
  * Allow systemd-hwdb send messages to kernel unix datagram sockets
  * Allow systemd-machined manage runtime sockets
  * Allow fstab-generator create unit file symlinks
  * Update policy for cryptsetup-generator
  * Update policy for fstab-generator
  * Allow virtqemud read vm sysctls
  * Allow collectd to trace processes in user namespace
  * Allow bootupd search efivarfs dirs
  * Add policy for systemd-mountfsd
  * Add policy for systemd-nsresourced
  * Update policy generators
  * Add policy for anaconda-generator
  * Update policy for fstab and gpt generators
  * Add policy for kdump-dep-generator
  * Add policy for a generic generator
  * Add policy for tpm2 generator
  * Add policy for ssh-generator
  * Add policy for second batch of generators
  * Update policy for systemd generators
  * ci: Adjust Cockpit test plans
  * Allow journald read systemd config files and directories
  * Allow systemd_domain read systemd_conf_t dirs
  * Fix bad Python regexp escapes
  * Allow fido services connect to postgres database
  * Revert "Update the README.md file with the c10s branch information"
  * Update the README.md file with the c10s branch information
  * Allow postfix smtpd map aliases file
  * Ensure dbus communication is allowed bidirectionally
  * Label systemd configuration files with systemd_conf_t
  * Label /run/systemd/machine with systemd_machined_var_run_t
  * Allow systemd-hostnamed read the vsock device
  * Allow sysadm execute dmidecode using sudo
  * Allow sudodomain list files in /var
  * Allow setroubleshootd get attributes of all sysctls
  * Allow various services read and write z90crypt device
  * Allow nfsidmap connect to systemd-homed
  * Allow sandbox_x_client_t dbus chat with accountsd
  * Allow system_cronjob_t dbus chat with avahi_t
  * Allow staff_t the io_uring sqpoll permission
  * Allow staff_t use the io_uring API
  * Add support for secretmem anon inode
  * Allow virtqemud read vfio devices
  * Allow virtqemud get attributes of a tmpfs filesystem
  * Allow svirt_t read vm sysctls
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud get attributes of cifs files
  * Allow virtqemud get attributes of filesystems with extended attributes
  * Allow virtqemud get attributes of NFS filesystems
  * Allow virt_domain read and write usb devices conditionally
  * Allow virtstoraged use the io_uring API
  * Allow virtstoraged execute lvm programs in the lvm domain
  * Allow virtnodevd_t map /var/lib files
  * Allow svirt_tcg_t map svirt_image_t files
  * Allow abrt-dump-journal-core connect to systemd-homed
  * Allow abrt-dump-journal-core connect to systemd-machined
  * Allow sssd create and use io_uring
  * Allow selinux-relabel-generator create units dir
  * Allow dbus-broker read/write inherited user ttys
  * Define transitions for /run/libvirt/common and /run/libvirt/qemu
  * Allow systemd-sleep read raw disk data
  * Allow numad to trace processes in user namespace
  * Allow abrt-dump-journal-core connect to systemd-userdbd
  * Allow plymouthd read efivarfs files
  * Update the auth_dontaudit_read_passwd_file() interface
  * Label /dev/mmcblk0rpmb character device with removable_device_t
  * fix hibernate on btrfs swapfile (F40)
  * Allow nut to statfs()
  * Allow system dbusd service status systemd services
  * Allow systemd-timedated get the timemaster service status
  * Allow keyutils-dns-resolver connect to the system log service
  * Allow qemu-ga read vm sysctls
  * postfix: allow qmgr to delete mails in bounce/ directory
- Remove "Reference" from the package description. It's not the
  reference policy, but the Fedora branch of the policy
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
  python36 tooling
- Fixed varrun-convert.sh script to not break because of duplicate
  entries
- Move to %posttrans to ensure selinux-policy got updated before
  the commands run (bsc#1221720)
- Add file contexts "forwarding" to file_contexts.sub_dist
  to fix systemd-gpt-auto-generator and systemd-fstab-generator
  (bsc#1222736):
  * /run/systemd/generator.early /usr/lib/systemd/system
  * /run/systemd/generator.late /usr/lib/systemd/system
- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
- Update to version 20240321:
  * policy module for kiwi (bsc#1221109)
  * dontaudit execmem for modemmanager (bsc#1219363)
- Update to version 20240313:
  * Assign alts_exec_t to files_type
- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys
- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.
- Update to version 20240116:
  * Fix gitolite homedir paths (bsc#1218826)
- Update to version 20240104:
  * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
  * allow rebootmgr to read the system state (bsc#1205931)
- Trigger rebuild of the policy when pcre2 gets updated to avoid
  regex version mismatch errors (bsc#1216747).
- Update to version 20231124:
  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
- Add new modules that were missed in the last update to 
  modules-mls-contrib.conf
- Add new modules that were missed in the last update to 
  modules-targeted-contrib.conf
- Update to version 20231030:
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib  to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  * Add use_nfs_home_dirs boolean for mozilla_plugin
  * Fix labeling for no-stub-resolv.conf
  * Revert "Allow winbind-rpcd use its private tmp files"
  * Allow upsmon execute upsmon via a helper script
  * Allow openconnect vpn read/write inherited vhost net device
  * Allow winbind-rpcd use its private tmp files
  * Update samba-dcerpc policy for printing
  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  * Allow nscd watch system db dirs
  * Allow qatlib to read sssd public files
  * Allow fedora-third-party read /sys and proc
  * Allow systemd-gpt-generator mount a tmpfs filesystem
  * Allow journald write to cgroup files
  * Allow rpc.mountd read network sysctls
  * Allow blueman read the contents of the sysfs filesystem
  * Allow logrotate_t to map generic files in /etc
  * Boolean: Allow virt_qemu_ga create ssh directory
  * Allow systemd-network-generator send system log messages
  * Dontaudit the execute permission on sock_file globally
  * Allow fsadm_t the file mounton permission
  * Allow named and ndc the io_uring sqpoll permission
  * Allow sssd io_uring sqpoll permission
  * Fix location for /run/nsd
  * Allow qemu-ga get fixed disk devices attributes
  * Update bitlbee policy
  * Label /usr/sbin/sos with sosreport_exec_t
  * Update policy for the sblim-sfcb service
  * Add the files_getattr_non_auth_dirs() interface
  * Fix the CI to work with DNF5
  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
  * Revert "Allow insights client map cache_home_t"
  * Allow nfsidmapd connect to systemd-machined over a unix socket
  * Allow snapperd connect to kernel over a unix domain stream socket
  * Allow virt_qemu_ga_t create .ssh dir with correct label
  * Allow targetd read network sysctls
  * Set the abrt_handle_event boolean to on
  * Permit kernel_t to change the user identity in object contexts
  * Allow insights client map cache_home_t
  * Label /usr/sbin/mariadbd with mysqld_exec_t
  * Allow httpd tcp connect to redis port conditionally
  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
  * Dontaudit aide the execmem permission
  * Remove permissive from fdo
  * Allow sa-update manage spamc home files
  * Allow sa-update connect to systemlog services
  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
  * Allow bootupd search EFI directory
  * Change init_audit_control default value to true
  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
  * Add the qatlib  module
  * Add the fdo module
  * Add the bootupd module
  * Set default ports for keylime policy
  * Create policy for qatlib
  * Add policy for FIDO Device Onboard
  * Add policy for bootupd
  * Add support for kafs-dns requested by keyutils
  * Allow insights-client execmem
  * Add support for chronyd-restricted
  * Add init_explicit_domain() interface
  * Allow fsadm_t to get attributes of cgroup filesystems
  * Add list_dir_perms to kerberos_read_keytab
  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  * Allow sendmail manage its runtime files
- Update to version 20231012:
  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
  directory doesn't exist on SUSE systems (bsc#1213593)
- Modified update.sh to require first parameter "full" to also
  update container-selinux. For maintenance updates you usually
  don't want it to be updated
- Update to version 20230728:
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
  * allow haveged to manage tmpfs directories (bsc#1213594)
- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail
- Update to version 20230425:
  * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
  * Add policy for wtmpdb (bsc#1210717)
- Update to version 20230425:
  * Add support for lastlog2 (bsc#1210461)
  * allow the chrony client to use unallocated ttys (bsc#1210672)
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally
  * Allow tshark the setsched capability
  * Allow poweroff create connections to system dbus
  * Allow wg load kernel modules, search debugfs dir
  * Boolean: allow qemu-ga manage ssh home directory
  * Label smtpd with sendmail_exec_t
  * Label msmtp and msmtpd with sendmail_exec_t
  * Allow dovecot to map files in /var/spool/dovecot
  * Confine gnome-initial-setup
  * Allow qemu-guest-agent create and use vsock socket
  * Allow login_pgm setcap permission
  * Allow chronyc read network sysctls
  * Enhancement of the /usr/sbin/request-key helper policy
  * Fix opencryptoki file names in /dev/shm
  * Allow system_cronjob_t transition to rpm_script_t
  * Revert "Allow system_cronjob_t domtrans to rpm_script_t"
  * Add tunable to allow squid bind snmp port
  * Allow staff_t getattr init pid chr & blk files and read krb5
  * Allow firewalld to rw z90crypt device
  * Allow httpd work with tokens in /dev/shm
  * Allow svirt to map svirt_image_t char files
  * Allow sysadm_t run initrc_t script and sysadm_r role access
  * Allow insights-client manage fsadm pid files
  * Allowing snapper to create snapshots of /home/ subvolume/partition
  * Add boolean qemu-ga to run unconfined script
  * Label systemd-journald feature LogNamespace
  * Add none file context for polyinstantiated tmp dirs
  * Allow certmonger read the contents of the sysfs filesystem
  * Add journalctl the sys_resource capability
  * Allow nm-dispatcher plugins read generic files in /proc
- Add debug-build.sh script to make debugging without committing easier
- Update to version 20230321:
  * make kernel_t unconfined again
- Update to version 20230316:
  * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
    path
  * allow kernel_t to relabel etc_t files
  * allow kernel_t to relabel sysnet config files
  * allow kernel_t to relabel systemd hwdb etc files
  * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
  * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
    to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
    management of config files
  * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
    interfaces to allow labeling on etc_t, not on the broader configfiles
    attribute
  * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
    watch permissions reported are already fixed in a current policy.
- Reinstate update.sh and remove container-selinux from the service.
  Having both repos in there causes issues and update.sh makes the update
  process easier in general. Updated README.Update
- Remove erroneous SUSE man page. Will not be created with the
  3.5 toolchain
- Complete packaging rework: Move policy to git repository and
  only use tar_scm obs service to refresh from there: 
  https://gitlab.suse.de/selinux/selinux-policy
  Please use `osc service manualrun` to update this OBS package to the 
  newest git version.
  * Added README.Update describing how to update this package
  * Added _service file that pulls from selinux-policy and 
    upstream container-selinux and tars them
  * Adapted selinux-policy.spec to build selinux-policy with
    container-selinux
  * Removed update.sh as no longer needed
  * Removed suse specific modules as they are now covered by git commits
    * packagekit.te packagekit.if packagekit.fc
    * rebootmgr.te rebootmgr.if rebootmgr.fc
    * rtorrent.te rtorrent.if rtorrent.fc
    * wicked.te wicked.if wicked.fc
  * Removed *.patch as they are now covered by git commits:
    * distro_suse_to_distro_redhat.patch
    * dontaudit_interface_kmod_tmpfs.patch
    * fix_accountsd.patch
    * fix_alsa.patch
    * fix_apache.patch
    * fix_auditd.patch
    * fix_authlogin.patch
    * fix_automount.patch
    * fix_bitlbee.patch
    * fix_chronyd.patch
    * fix_cloudform.patch
    * fix_colord.patch
    * fix_corecommand.patch
    * fix_cron.patch
    * fix_dbus.patch
    * fix_djbdns.patch
    * fix_dnsmasq.patch
    * fix_dovecot.patch
    * fix_entropyd.patch
    * fix_firewalld.patch
    * fix_fwupd.patch
    * fix_geoclue.patch
    * fix_hypervkvp.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_java.patch
    * fix_kernel.patch
    * fix_kernel_sysctl.patch
    * fix_libraries.patch
    * fix_locallogin.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_mcelog.patch
    * fix_miscfiles.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_nis.patch
    * fix_nscd.patch
    * fix_ntp.patch
    * fix_openvpn.patch
    * fix_postfix.patch
    * fix_rpm.patch
    * fix_rtkit.patch
    * fix_screen.patch
    * fix_selinuxutil.patch
    * fix_sendmail.patch
    * fix_smartmon.patch
    * fix_snapper.patch
    * fix_sslh.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_userdomain.patch
    * fix_usermanage.patch
    * fix_wine.patch
    * fix_xserver.patch
    * sedoctool.patch
    * systemd_domain_dyntrans_type.patch
- Update to version 20230206. Refreshed:
  * fix_entropyd.patch
  * fix_networkmanager.patch
  * fix_systemd_watch.patch
  * fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
  necessary as plymouth doesn't run in it's own domain in early boot
- Update to version 20230125. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_dnsmasq.patch
  * fix_init.patch
  * fix_ipsec.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd_watch.patch
  * fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
  * Added new interface entropyd_semaphore_filetrans to properly transfer
    semaphore created during early boot. That doesn't work yet, so work
    around with next item
  * Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
  to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
  * Proper labeling for start-ntpd
  * Fixed label rules for chroot path
  * Temporarily allow dac_override for ntpd_t (bsc#1207577)
  * Add interface ntp_manage_pid_files to allow management of pid
    files
- Updated fix_networkmanager.patch to allow managing ntp pid files
- Update fix_container.patch to allow privileged containers to use
  localectl (bsc#1207077)
- Add fix_container.patch to allow privileged containers to use
  timedatectl (bsc#1207054)
- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
  (bnc#1206445)
- Added policy for wicked scripts under /etc/sysconfig/network/scripts
  (bnc#1205770)
- Add fix_sendmail.patch 
  * fix context of custom sendmail startup helper
  * fix context of /var/run/sendmail and add necessary rules to manage
    content in there
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
  nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow  sendto towards
  NetworkManager_dispatcher_custom_t. Added new interface
  networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
- Updated fix_networkmanager.patch to allow NetworkManager to watch
  net_conf_t (bsc#1206109)
- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
- Drop fix_irqbalance.patch: superseded by upstream
- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
  network interface definition instead of /etc/sysconfig/network-scripts/,
  modified sysnetwork.fc to reflect that (bsc#1205580). 
- Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
- Updated quilt couldn't unpack tarball. This will cause ongoing issues
  so drop the sed statement in the %prep section and add 
  distro_suse_to_distro_redhat.patch to add the necessary changes
  via a patch
- Update fix_networkmanager.patch to ensure NetworkManager chrony
  dispatcher is properly labled and update fix_chronyd.patch to ensure
  chrony helper script has proper label to be used by NetworkManager.
  Also allow NetworkManager_dispatcher_custom_t to query systemd status
  (bsc#1203824)
- Update fix_xserver.patch to add greetd support (bsc#1198559)
- Revamped rtorrent module
- Move SUSE directory from manual page section to html docu
- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t 
  and NetworkManager_dispatcher_custom_t to access nscd socket 
  (bsc#1201741)
- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper 
  (bnc#1201015)
- Update to version 20220714. Refreshed:
  * fix_init.patch
  * fix_systemd_watch.patch
- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
  systemd_gpt_generator_t (bsc#1200911)
- postfix: Label PID files and some helpers correctly (bsc#1197242)
- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
- Update to version 20220624. Refreshed:
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_networkmanager.patch
  * fix_unprivuser.patch
  Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd 
  (bsc#1199630)
- Update to version 20220520 to pass stricter 3.4 toolchain checks
- Update to version 20220428. Refreshed:
  * fix_apache.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_iptables.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unprivuser.patch
  * fix_usermanage.patch
  * fix_wine.patch
- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
  (bsc#1199518)
- Modified fix_init.patch to allow init to setup contrained environment
  for accountsservice. This needs a better, more general solution
  (bsc#1197610)
- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
  This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t
  from unconfined_t (bsc#1197169)
- use %license tag for COPYING file
- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
- Fix bitlbee runtime directory (bsc#1193230)
  * add fix_bitlbee.patch
- Update to version 20220124. Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling 
  (bsc#1193987)
- Allow colord to use systemd hardenings (bsc#1194631)
- Update to version 20211111. Refreshed:
  * fix_dbus.patch
  * fix_systemd.patch
  * fix_authlogin.patch
  * fix_auditd.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_chronyd.patch
  * fix_unconfineduser.patch
  * fix_unconfined.patch
  * fix_firewalld.patch
  * fix_init.patch
  * fix_xserver.patch
  * fix_logging.patch
  * fix_hadoop.patch
- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
- Fix auditd service start with systemd hardening directives (boo#1190918)
  * add fix_auditd.patch
- Modified fix_systemd.patch to allow systemd gpt generator access to
  udev files (bsc#1189280)
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
  * fix managing /etc/rebootmgr.conf
  * allow rebootmgr_t to cope with systemd and dbus messaging
- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
- Added policy module for rebootmgr (jsc#SMO-28) 
- Allow systemd-sysctl to read kernel specific sysctl.conf
  (fix_kernel_sysctl.patch, boo#1184804)
- Fix quoting in postInstall macro
- Update to version 20210716
- Remove interfaces for container module before building the package
  (bsc#1188184)
- Updated
  * fix_init.patch
  * fix_systemd_watch.patch
  to adapt to upstream changes
- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
  here
- Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces
- Update to version 20210419
- Dropped fix_gift.patch, module was removed
- Updated wicked.te to removed dropped interface
- Refreshed:
  * fix_cockpit.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_logrotate.patch
  * fix_networkmanager.patch
  * fix_nscd.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
  that trigger on changes in those.
  Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and
  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
  files there
- allow cockpit socket to bind nodes (fix_cockpit.patch)
- use %autosetup to get rid of endless patch lines
- Updated fix_networkmanager.patch to allow NetworkManager to watch
  its configuration directories
- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
- Added Recommends for selinux-autorelabel (bsc#1181837)
- Prevent libreoffice fonts from changing types on every relabel 
  (bsc#1185265). Added fix_libraries.patch
- Transition unconfined users to ldconfig type (bsc#1183121).
  Extended fix_unconfineduser.patch
- Update to version 20210419
- Refreshed:
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_unprivuser.patch
- Adjust fix_init.patch to allow systemd to do sd-listen on 
  tcp socket [bsc#1183177]
- Update to version 20210309
- Refreshed
  * fix_systemd.patch
  * fix_selinuxutil.patch
  * fix_iptables.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_nscd.patch
  * fix_hadoop.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
- Ensure that /usr/etc is labeled according to /etc rules
- Update to version 20210223
- Change name of tar file to a more common schema to allow
  parallel installation of several source versions
- Adjust fix_init.patch
- Update to version 20210111
  - Drop fix_policykit.patch (integrated upstream)
  - Adjust fix_iptables.patch
  - update container policy
- Updated fix_corecommand.patch to set correct types for the OBS
  build tools
- wicked.fc: add libexec directories
- Update to version 20201029
  - update container policy
- Update to version 20201016
- Use python3 to build (fc_sort.c was replaced by fc_sort.py which
  uses python3)
- Drop SELINUX=disabled, "selinux=0" kernel commandline option has
  to be used instead. New default is "permissive" [bsc#1176923].
- Update to version 20200910. Refreshed
  * fix_authlogin.patch
  * fix_nagios.patch
  * fix_systemd.patch
  * fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-* presets
  * Enabled
    user_rw_noexattrfile
    unconfined_chrome_sandbox_transition
    unconfined_mozilla_plugin_transition
    for the minimal policy
  * Disabled
    xserver_object_manager
    for the MLS policy
  * Disabled
    openvpn_enable_homedirs
    privoxy_connect_any
    selinuxuser_direct_dri_enabled
    selinuxuser_ping (aka user_ping)
    squid_connect_any
    telepathy_tcp_connect_generic_network_ports
    for the targeted policy
  Change your local config if you need them
- Build HTML version of manpages for the -devel package
- Drop BuildRequires for python, python-xml. It's not needed anymore
- Drop fix_dbus.patch_orig, was included by accident
- Drop segenxml_interpreter.patch, not used anymore
- macros.selinux-policy: move rpm-state directory to /run and
  make sure it exists 
- Cleanup spec file and follow more closely Fedora
- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
- Move config to /etc/selinux/config and create during %post install
  to be compatible with upstream and documentation.
- Add RPM macros for SELinux (macros.selinux-policy)
- Install booleans.subs_dist
- Remove unused macros
- Sync make/install macros with Fedora spec file
- Introduce sandbox sub-package
- Add policycoreutils-devel as BuildRequires
- Update to version 20200717. Refreshed
  * fix_fwupd.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_irqbalance.patch
  * fix_logrotate.patch
  * fix_nagios.patch
  * fix_networkmanager.patch
  * fix_postfix.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unprivuser.patch
  * selinux-policy.spec
- Added update.sh to make updating easier
- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
  to accountsd dbus
- New patch:
  * fix_nis.patch
- Updated patches:
  * fix_postfix.patch: Transition is done in distribution specific script
- Added module for wicked
- New patches:
  * fix_authlogin.patch
  * fix_screen.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
  * fix_apache.patch
- Added module for rtorrent
- Enable snapper module in minimum policy to reduce issues on BTRFS
  Updated fix_snapper.patch to prevent relabling of snapshot
- New patches:
  * fix_accountsd.patch
  * fix_automount.patch
  * fix_colord.patch
  * fix_mcelog.patch
  * fix_sslh.patch
  * fix_nagios.patch
  * fix_openvpn.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_smartmon.patch
  * fix_geoclue.patch
  * suse_specific.patch
  Default systems should now work without selinuxuser_execmod
- Removed xdm_entrypoint_pam.patch, necessary change is in
  fix_unconfineduser.patch
- Enable SUSE specific settings again
- Update to version 20200219
  Refreshed fix_hadoop.patch
  Updated 
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_nscd.patch
  * fix_xserver.patch
  Renamed postfix_paths.patch to fix_postfix.patch
  Added
  * fix_init.patch
  * fix_locallogin.patch
  * fix_policykit.patch
  * fix_iptables.patch
  * fix_irqbalance.patch
  * fix_ntp.patch
  * fix_fwupd.patch
  * fix_firewalld.patch
  * fix_logrotate.patch
  * fix_selinuxutil.patch
  * fix_corecommand.patch
  * fix_snapper.patch
  * fix_systemd.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * xdm_entrypoint_pam.patch
- Removed modules minimum_temp_fixes and targeted_temp_fixes
  from the corresponding policies
- Reduced default module list of minimum policy by removing
  apache inetd nis postfix mta modules
- Adding/removing necessary pam config automatically 
- Minimum and targeted policy: Enable domain_can_mmap_files by default
- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
  selinuxuser_execstack to have safe defaults
- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
  * label_sysconfig.selinux.patch
  * label_var_run_rsyslog.patch
  * suse_additions_obs.patch
  * suse_additions_sslh.patch
  * suse_modifications_apache.patch
  * suse_modifications_cron.patch
  * suse_modifications_getty.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_virt.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
  * segenxml_interpreter.patch
- Added patches:
  * fix_djbdns.patch
  * fix_dbus.patch
  * fix_gift.patch
  * fix_java.patch
  * fix_hadoop.patch
  * fix_thunderbird.patch
  * postfix_paths.patch
  * fix_nscd.patch
  * fix_sysnetwork.patch
  * fix_logging.patch
  * fix_xserver.patch
  * fix_miscfiles.patch
  to fix problems with the coresponding modules
- Added sedoctool.patch to prevent build failures
- This also adds three modules:
  * packagekit.(te|if|fc)
    Basic (currently permissive) module for packagekit
  * minimum_temp_fixes.(te|if|fc)
    and
  * targeted_temp_fixes.(te|if|fc)
    both are currently necessary to get the systems to boot in 
    enforcing mode. Most of them obviosly stem from mislabeled
    files, so this needs to be worked through and then removed
    eventually
  Also selinuxuser_execstack, selinuxuser_execmod and 
  domain_can_mmap_files need to be enabled. Especially the first
  two are bad and should be removed ASAP
- Update to refpolicy 20190609. New modules for stubby and several
  systemd updates, including initial support for systemd --user
  sessions.
  Refreshed
  * label_var_run_rsyslog.patch
  * suse_modifications_cron.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
- Update to refpolicy 20190201. New modules for chromium, hostapd,
  and sigrok and minor fixes for existing modules.
  Refreshed suse_modifications_usermanage.patch
- Change default state to disabled and disable SELinux after 
  uninstallation of policy to prevent unbootable system 
  (bsc#1108949, bsc#1109590)
- Use refpolicy 20180701 as a base
- Dropped patches
  * allow-local_login_t-read-shadow.patch
  * dont_use_xmllint_in_make_conf.patch
  * label_sysconfig.selinux-policy.patch
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_dbus.patch
  * suse_modifications_glusterfs.patch
  * suse_modifications_ipsec.patch
  * suse_modifications_passenger.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_ssh.patch
  * suse_modifications_staff.patch
  * suse_modifications_stapserver.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_unprivuser.patch
  * systemd-tmpfiles.patch
  * type_transition_contrib.patch
  * type_transition_file_class.patch
  * useradd-netlink_selinux_socket.patch
  * xconsole.patch
  Rebased the other patches to apply to refpolicy
- Added segenxml_interpreter.patch to not use env in shebang
- Added rpmlintrc to surpress duplicate file warnings
- Add overlayfs as xattr capable (bsc#1073741)
  * add-overlayfs-as-xattr-capable.patch
- Added
  * suse_modifications_glusterfs.patch
  * suse_modifications_passenger.patch
  * suse_modifications_stapserver.patch
  to modify module name to make the current tools happy
- Repair erroneous changes introduced with %_fillupdir macro
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- POLCYVER depends both on the libsemanage/policycoreutils version
  and the kernel. The former is more important for us, kernel seems
  to have all necessary features in Leap 42.1 already.
- Replaced = runtime dependencies on checkpolicy/policycoreutils 
  with "=". 2.5 policy is not supposed to work with 2.3 tools,
  The runtime policy tools need to be same the policy was built with.
- Changes required by policycoreutils update to 2.5
  * lots of spec file content needs to be conditional on
    policycoreutils version.
- Specific policycoreutils 2.5 related changes:
  * modules moved from /etc/selinux to /var/lib/selinux
  (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
  * module path now includes includes priority. Users override default
  policies by setting higher priority. Thus installed policy modules can be
  fully verified by RPM.
  * Installed modules have a different format and path.
  Raw bzip2 doesn't suffice to create them any more, but we can process them
  all in a single semodule -i command.
- Policy version depends on kernel / distro version  
  * do not touch policy.<version>, rather fail if it's not created
- Enabled building mls policy for Leap (not for SLES)
- Other
  * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
  * Bug: (minimum) additional modules that need to be activated: postfix
  (required by apache), plymouthd (required by getty)
  * Cleanup: /etc -> %{sysconfdir} etc.
- fixed missing role assignment in cron_unconfined_role
- Updated suse_modifications_ipsec.patch, removed dontaudits for 
  ipsec_mgmt_t and granted matching permissions
- Added suse_modifications_ipsec.patch to grant additional privileges
  to ipsec_mgmt_t
- Minor changes for CC evaluation. Allow reading of /dev/random
  and ipc_lock for dbus and dhcp
- Transition from unconfined user to cron admin type
- Allow systemd_timedated_t to talk to unconfined dbus for minimal
  policy (bsc#932826)
- Allow hostnamectl to set the hostname (bsc#933764)
- Removed ability of staff_t and user_t to use svirt. Will reenable
  this later on with a policy upgrade
  Added suse_modifications_staff.patch
- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage
  in make conf. This currently breaks manual builds. 
- Added BuildRequires for libxml2-tools to enable xmllint checks 
  once the issue mentioned above is solved
- adjusted suse_modifications_ntp to match SUSE chroot paths
- Added 
  * suse_additions_obs.patch to allow local builds by OBS
  * suse_additions_sslh.patch to confine sslh
- Added suse_modifications_cron.patch to adjust crontabs contexts
- Modified suse_modifications_postfix.patch to match SUSE paths
- Modified suse_modifications_ssh.patch to bring boolean
  sshd_forward_ports back
- Modified 
  * suse_modifications_dbus.patch
  * suse_modifications_unprivuser.patch
  * suse_modifications_xserver.patch
  to allow users to be confined
- Added
  * suse_modifications_apache.patch 
  * suse_modifications_ntp.patch
  and modified
  * suse_modifications_xserver.patch
  to fix labels on startup scripts used by systemd
- Removed unused and incorrect interface dev_create_all_dev_nodes
  from systemd-tmpfiles.patch
- Removed BuildRequire for selinux-policy-devel
- Major cleanup of the spec file
- removed suse_minimal_cc.patch and splitted them into
  * suse_modifications_dbus.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_logging.patch
  * suse_modifications_getty.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_xserver.patch
  * suse_modifications_ssh.patch
  * suse_modifications_usermanage.patch
- Added suse_modifications_virt.patch to enable svirt on s390x
- fix bashism in post script
Redid changes done by vcizek@suse.com in SLE12 package
- disable build of MLS policy
- removed outdated description files 
  * Alan_Rouse-openSUSE_with_SELinux.txt
  * Alan_Rouse-Policy_Development_Process.txt
- removed remove_duplicate_filetrans_pattern_rules.patch
- Updated policy to include everything up until 20140730 (refpolicy and
  fedora rawhide improvements). Rebased all patches that are still
  necessary
- Removed permissivedomains.pp. Doesn't work with the new policy
- modified spec file so that all modifications for distro=redhat and
  distro=suse will be used. 
- added selinux-policy-rpmlintrc to suppress some warnings that aren't
  valid for this package
- added suse_minimal_cc.patch to create a suse specific module to prevent
  errors while using the minimum policy. Will rework them in the proper
  places once the minimum policy is reworked to really only confine a 
  minimal set of domains.
- removed source files which were not used
  * modules-minimum.conf, modules-mls.conf, modules-targeted.conf,
    permissivedomains.fc, permissivedomains.if, permissivedomains.te,
    seusers, seusers-mls, seusers-targeted, users_extra-mls,
    users_extra-targeted
- remove duplicate filetrans_pattern rules
  * fixes build with libsepol-2.3
  * added remove_duplicate_filetrans_pattern_rules.patch
- enable build of mls and targeted policies
- fixes to the minimum policy:
- label /var/run/rsyslog correctly
  * label_var_run_rsyslog.patch
- allow systemd-tmpfiles to create devices
  * systemd-tmpfiles.patch
- add rules for sysconfig
  * correctly label /dev/.sysconfig/network
  * added sysconfig_network_scripts.patch
- run restorecon and fixfiles only if if selinux is enabled
- fix console login
  * allow-local_login_t-read-shadow.patch
- allow rsyslog to write to xconsole
  * xconsole.patch
- useradd needs to call selinux_check_access (via pam_rootok)
  * useradd-netlink_selinux_socket.patch
- fix build on factory: newer rpm does not allow to mark
  non-directories as dir anymore (like symlinks in this case) 
- install COPYING
- switch to Fedora as upstream
- added patches:
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * type_transition_file_class.patch
  * type_transition_contrib.patch
  * label_sysconfig.selinux-policy.patch
- bump up policy version to 27, due to recent libsepol update
- dropped currently unused policy-rawhide.patch
- fix installing of file_contexts (this enables restorecond to run properly)
- Recommends: audit and setools
- mark included files in source
- update to 2.20120725
- added selinux-policy-run_sepolgen_during_build.patch
- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch
- dropped policygentool and OLPC stuff
- patch license to be in spdx.org format
- use policy created by Alan Rouse
- Adjust selinux-policy.spec so that the policy
  source tree is put in /usr/share/doc/packages/selinux-*
  so users can build the policy [bnc#582404]
- fixed fileperms of /etc/selinux/config to be 644 to allow
  libselinux to read from it (bnc#582399)
  this is also the default file mode in fedora 12
- added config file for /etc/selinux/
- updated to version 2008.12.10
  * Fix consistency of audioentropy and iscsi module naming.
  * Debian file context fix for xen from Russell Coker.
  * Xserver MLS fix from Eamon Walsh.
  * Add omapi port for dhcpcd.
  * Deprecate per-role templates and rolemap support.
  * Implement user-based access control for use as role separations.
  * Move shared library calls from individual modules to the domain module.
  * Enable open permission checks policy capability.
  * Remove hierarchy from portage module as it is not a good example of hieararchy.
  * Remove enableaudit target from modular build as semodule -DB supplants it.
  * Added modules:
    - milter (Paul Howarth)
- updated to version 2008.10.14
  * Debian update for NetworkManager/wpa_supplicant from Martin Orr.
  * Logrotate and Bind updates from Vaclav Ovsik.
  * Init script file and domain support.
  * Glibc 2.7 fix from Vaclav Ovsik.
  * Samba/winbind update from Mike Edenfield.
  * Policy size optimization with a non-security file attribute from James Carter.
  * Database labeled networking update from KaiGai Kohei.
  * Several misc changes from the Fedora policy, cherry picked by David Hardeman.
  * Large whitespace fix from Dominick Grift.
  * Pam_mount fix for local login from Stefan Schulze Frielinghaus.
  * Issuing commands to upstart is over a datagram socket, not the initctl named pipe.
  * Updated init_telinit() to match.
  * Added modules:
    - cyphesis (Dan Walsh)
    - memcached (Dan Walsh)
    - oident (Dominick Grift)
    - w3c (Dan Walsh)
- initial version 2008.07.02 from tresys

OBS-URL: https://build.opensuse.org/request/show/1187944
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=238
2024-07-16 14:40:18 +00:00
Hu
c4e9acf5f1 Accepting request 1187876 from home:cahu:branches:security:SELinux
- Update to version 20240716:
  * Allow systemd_generator to write kmsg
  * Initial policy for systemd growpart-generator (bsc#1226824)

OBS-URL: https://build.opensuse.org/request/show/1187876
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=237
2024-07-16 11:55:49 +00:00
Ana Guerrero
a77f640b09 Accepting request 1187549 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1187549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=65
2024-07-15 17:46:30 +00:00
Hu
b5589129a3 Accepting request 1187548 from home:cahu:branches:security:SELinux
- Update to version 20240715:
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)

OBS-URL: https://build.opensuse.org/request/show/1187548
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=235
2024-07-15 12:01:23 +00:00
Ana Guerrero
253642ffe5 Accepting request 1186820 from security:SELinux
- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux

OBS-URL: https://build.opensuse.org/request/show/1186820
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=64
2024-07-14 06:48:58 +00:00
Hu
9dc19e60e0 Accepting request 1186574 from home:cahu:security:SELinux:policyupdate072024
- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux

OBS-URL: https://build.opensuse.org/request/show/1186574
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=233
2024-07-10 11:10:28 +00:00
Ana Guerrero
e591737fbd Accepting request 1184840 from security:SELinux
- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd (bsc#1224120)
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"

OBS-URL: https://build.opensuse.org/request/show/1184840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=63
2024-07-03 18:29:10 +00:00
Hu
0af4af012c Accepting request 1184839 from home:cahu:branches:security:SELinux
- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd (bsc#1224120)
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"
- Update to version 20240617:
  * Allow gnome control center to set autologin (bsc#1222978)
  * Dontaudit xdm_t to getattr on root_t (bsc#1223145)
- Update to version 20240613:
  * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)
- Update to version 20240612:
  * Allow all domains read and write z90crypt device
  * Allow tpm2 generator setfscreate
  * Allow systemd (PID 1) manage systemd conf files
  * Allow pulseaudio map its runtime files
  * Update policy for getty-generator
  * Allow systemd-hwdb send messages to kernel unix datagram sockets
  * Allow systemd-machined manage runtime sockets
  * Allow fstab-generator create unit file symlinks
  * Update policy for cryptsetup-generator
  * Update policy for fstab-generator
  * Allow virtqemud read vm sysctls
  * Allow collectd to trace processes in user namespace
  * Allow bootupd search efivarfs dirs
  * Add policy for systemd-mountfsd
  * Add policy for systemd-nsresourced
  * Update policy generators
  * Add policy for anaconda-generator
  * Update policy for fstab and gpt generators
  * Add policy for kdump-dep-generator
  * Add policy for a generic generator
  * Add policy for tpm2 generator
  * Add policy for ssh-generator
  * Add policy for second batch of generators
  * Update policy for systemd generators
  * ci: Adjust Cockpit test plans
  * Allow journald read systemd config files and directories
  * Allow systemd_domain read systemd_conf_t dirs
  * Fix bad Python regexp escapes
  * Allow fido services connect to postgres database
  * Revert "Update the README.md file with the c10s branch information"
  * Update the README.md file with the c10s branch information
  * Allow postfix smtpd map aliases file
  * Ensure dbus communication is allowed bidirectionally
  * Label systemd configuration files with systemd_conf_t
  * Label /run/systemd/machine with systemd_machined_var_run_t
  * Allow systemd-hostnamed read the vsock device
  * Allow sysadm execute dmidecode using sudo
  * Allow sudodomain list files in /var
  * Allow setroubleshootd get attributes of all sysctls
  * Allow various services read and write z90crypt device
  * Allow nfsidmap connect to systemd-homed
  * Allow sandbox_x_client_t dbus chat with accountsd
  * Allow system_cronjob_t dbus chat with avahi_t
  * Allow staff_t the io_uring sqpoll permission
  * Allow staff_t use the io_uring API
  * Add support for secretmem anon inode
  * Allow virtqemud read vfio devices
  * Allow virtqemud get attributes of a tmpfs filesystem
  * Allow svirt_t read vm sysctls
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud get attributes of cifs files
  * Allow virtqemud get attributes of filesystems with extended attributes
  * Allow virtqemud get attributes of NFS filesystems
  * Allow virt_domain read and write usb devices conditionally
  * Allow virtstoraged use the io_uring API
  * Allow virtstoraged execute lvm programs in the lvm domain
  * Allow virtnodevd_t map /var/lib files
  * Allow svirt_tcg_t map svirt_image_t files
  * Allow abrt-dump-journal-core connect to systemd-homed
  * Allow abrt-dump-journal-core connect to systemd-machined
  * Allow sssd create and use io_uring
  * Allow selinux-relabel-generator create units dir
  * Allow dbus-broker read/write inherited user ttys
  * Define transitions for /run/libvirt/common and /run/libvirt/qemu
  * Allow systemd-sleep read raw disk data
  * Allow numad to trace processes in user namespace
  * Allow abrt-dump-journal-core connect to systemd-userdbd
  * Allow plymouthd read efivarfs files
  * Update the auth_dontaudit_read_passwd_file() interface
  * Label /dev/mmcblk0rpmb character device with removable_device_t
  * fix hibernate on btrfs swapfile (F40)
  * Allow nut to statfs()
  * Allow system dbusd service status systemd services
  * Allow systemd-timedated get the timemaster service status
  * Allow keyutils-dns-resolver connect to the system log service
  * Allow qemu-ga read vm sysctls
  * postfix: allow qmgr to delete mails in bounce/ directory
- Remove "Reference" from the package description. It's not the
  reference policy, but the Fedora branch of the policy
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
  python36 tooling
- Fixed varrun-convert.sh script to not break because of duplicate
  entries
- Move to %posttrans to ensure selinux-policy got updated before
  the commands run (bsc#1221720)
- Add file contexts "forwarding" to file_contexts.sub_dist
  to fix systemd-gpt-auto-generator and systemd-fstab-generator
  (bsc#1222736):
  * /run/systemd/generator.early /usr/lib/systemd/system
  * /run/systemd/generator.late /usr/lib/systemd/system
- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
- Update to version 20240321:
  * policy module for kiwi (bsc#1221109)
  * dontaudit execmem for modemmanager (bsc#1219363)
- Update to version 20240313:
  * Assign alts_exec_t to files_type
- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys
- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.
- Update to version 20240116:
  * Fix gitolite homedir paths (bsc#1218826)
- Update to version 20240104:
  * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
  * allow rebootmgr to read the system state (bsc#1205931)
- Trigger rebuild of the policy when pcre2 gets updated to avoid
  regex version mismatch errors (bsc#1216747).
- Update to version 20231124:
  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
- Add new modules that were missed in the last update to 
  modules-mls-contrib.conf
- Add new modules that were missed in the last update to 
  modules-targeted-contrib.conf
- Update to version 20231030:
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib  to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  * Add use_nfs_home_dirs boolean for mozilla_plugin
  * Fix labeling for no-stub-resolv.conf
  * Revert "Allow winbind-rpcd use its private tmp files"
  * Allow upsmon execute upsmon via a helper script
  * Allow openconnect vpn read/write inherited vhost net device
  * Allow winbind-rpcd use its private tmp files
  * Update samba-dcerpc policy for printing
  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  * Allow nscd watch system db dirs
  * Allow qatlib to read sssd public files
  * Allow fedora-third-party read /sys and proc
  * Allow systemd-gpt-generator mount a tmpfs filesystem
  * Allow journald write to cgroup files
  * Allow rpc.mountd read network sysctls
  * Allow blueman read the contents of the sysfs filesystem
  * Allow logrotate_t to map generic files in /etc
  * Boolean: Allow virt_qemu_ga create ssh directory
  * Allow systemd-network-generator send system log messages
  * Dontaudit the execute permission on sock_file globally
  * Allow fsadm_t the file mounton permission
  * Allow named and ndc the io_uring sqpoll permission
  * Allow sssd io_uring sqpoll permission
  * Fix location for /run/nsd
  * Allow qemu-ga get fixed disk devices attributes
  * Update bitlbee policy
  * Label /usr/sbin/sos with sosreport_exec_t
  * Update policy for the sblim-sfcb service
  * Add the files_getattr_non_auth_dirs() interface
  * Fix the CI to work with DNF5
  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
  * Revert "Allow insights client map cache_home_t"
  * Allow nfsidmapd connect to systemd-machined over a unix socket
  * Allow snapperd connect to kernel over a unix domain stream socket
  * Allow virt_qemu_ga_t create .ssh dir with correct label
  * Allow targetd read network sysctls
  * Set the abrt_handle_event boolean to on
  * Permit kernel_t to change the user identity in object contexts
  * Allow insights client map cache_home_t
  * Label /usr/sbin/mariadbd with mysqld_exec_t
  * Allow httpd tcp connect to redis port conditionally
  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
  * Dontaudit aide the execmem permission
  * Remove permissive from fdo
  * Allow sa-update manage spamc home files
  * Allow sa-update connect to systemlog services
  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
  * Allow bootupd search EFI directory
  * Change init_audit_control default value to true
  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
  * Add the qatlib  module
  * Add the fdo module
  * Add the bootupd module
  * Set default ports for keylime policy
  * Create policy for qatlib
  * Add policy for FIDO Device Onboard
  * Add policy for bootupd
  * Add support for kafs-dns requested by keyutils
  * Allow insights-client execmem
  * Add support for chronyd-restricted
  * Add init_explicit_domain() interface
  * Allow fsadm_t to get attributes of cgroup filesystems
  * Add list_dir_perms to kerberos_read_keytab
  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  * Allow sendmail manage its runtime files
- Update to version 20231012:
  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
  directory doesn't exist on SUSE systems (bsc#1213593)
- Modified update.sh to require first parameter "full" to also
  update container-selinux. For maintenance updates you usually
  don't want it to be updated
- Update to version 20230728:
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
  * allow haveged to manage tmpfs directories (bsc#1213594)
- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail
- Update to version 20230425:
  * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
  * Add policy for wtmpdb (bsc#1210717)
- Update to version 20230425:
  * Add support for lastlog2 (bsc#1210461)
  * allow the chrony client to use unallocated ttys (bsc#1210672)
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally
  * Allow tshark the setsched capability
  * Allow poweroff create connections to system dbus
  * Allow wg load kernel modules, search debugfs dir
  * Boolean: allow qemu-ga manage ssh home directory
  * Label smtpd with sendmail_exec_t
  * Label msmtp and msmtpd with sendmail_exec_t
  * Allow dovecot to map files in /var/spool/dovecot
  * Confine gnome-initial-setup
  * Allow qemu-guest-agent create and use vsock socket
  * Allow login_pgm setcap permission
  * Allow chronyc read network sysctls
  * Enhancement of the /usr/sbin/request-key helper policy
  * Fix opencryptoki file names in /dev/shm
  * Allow system_cronjob_t transition to rpm_script_t
  * Revert "Allow system_cronjob_t domtrans to rpm_script_t"
  * Add tunable to allow squid bind snmp port
  * Allow staff_t getattr init pid chr & blk files and read krb5
  * Allow firewalld to rw z90crypt device
  * Allow httpd work with tokens in /dev/shm
  * Allow svirt to map svirt_image_t char files
  * Allow sysadm_t run initrc_t script and sysadm_r role access
  * Allow insights-client manage fsadm pid files
  * Allowing snapper to create snapshots of /home/ subvolume/partition
  * Add boolean qemu-ga to run unconfined script
  * Label systemd-journald feature LogNamespace
  * Add none file context for polyinstantiated tmp dirs
  * Allow certmonger read the contents of the sysfs filesystem
  * Add journalctl the sys_resource capability
  * Allow nm-dispatcher plugins read generic files in /proc
- Add debug-build.sh script to make debugging without committing easier
- Update to version 20230321:
  * make kernel_t unconfined again
- Update to version 20230316:
  * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
    path
  * allow kernel_t to relabel etc_t files
  * allow kernel_t to relabel sysnet config files
  * allow kernel_t to relabel systemd hwdb etc files
  * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
  * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
    to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
    management of config files
  * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
    interfaces to allow labeling on etc_t, not on the broader configfiles
    attribute
  * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
    watch permissions reported are already fixed in a current policy.
- Reinstate update.sh and remove container-selinux from the service.
  Having both repos in there causes issues and update.sh makes the update
  process easier in general. Updated README.Update
- Remove erroneous SUSE man page. Will not be created with the
  3.5 toolchain
- Complete packaging rework: Move policy to git repository and
  only use tar_scm obs service to refresh from there: 
  https://gitlab.suse.de/selinux/selinux-policy
  Please use `osc service manualrun` to update this OBS package to the 
  newest git version.
  * Added README.Update describing how to update this package
  * Added _service file that pulls from selinux-policy and 
    upstream container-selinux and tars them
  * Adapted selinux-policy.spec to build selinux-policy with
    container-selinux
  * Removed update.sh as no longer needed
  * Removed suse specific modules as they are now covered by git commits
    * packagekit.te packagekit.if packagekit.fc
    * rebootmgr.te rebootmgr.if rebootmgr.fc
    * rtorrent.te rtorrent.if rtorrent.fc
    * wicked.te wicked.if wicked.fc
  * Removed *.patch as they are now covered by git commits:
    * distro_suse_to_distro_redhat.patch
    * dontaudit_interface_kmod_tmpfs.patch
    * fix_accountsd.patch
    * fix_alsa.patch
    * fix_apache.patch
    * fix_auditd.patch
    * fix_authlogin.patch
    * fix_automount.patch
    * fix_bitlbee.patch
    * fix_chronyd.patch
    * fix_cloudform.patch
    * fix_colord.patch
    * fix_corecommand.patch
    * fix_cron.patch
    * fix_dbus.patch
    * fix_djbdns.patch
    * fix_dnsmasq.patch
    * fix_dovecot.patch
    * fix_entropyd.patch
    * fix_firewalld.patch
    * fix_fwupd.patch
    * fix_geoclue.patch
    * fix_hypervkvp.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_java.patch
    * fix_kernel.patch
    * fix_kernel_sysctl.patch
    * fix_libraries.patch
    * fix_locallogin.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_mcelog.patch
    * fix_miscfiles.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_nis.patch
    * fix_nscd.patch
    * fix_ntp.patch
    * fix_openvpn.patch
    * fix_postfix.patch
    * fix_rpm.patch
    * fix_rtkit.patch
    * fix_screen.patch
    * fix_selinuxutil.patch
    * fix_sendmail.patch
    * fix_smartmon.patch
    * fix_snapper.patch
    * fix_sslh.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_userdomain.patch
    * fix_usermanage.patch
    * fix_wine.patch
    * fix_xserver.patch
    * sedoctool.patch
    * systemd_domain_dyntrans_type.patch
- Update to version 20230206. Refreshed:
  * fix_entropyd.patch
  * fix_networkmanager.patch
  * fix_systemd_watch.patch
  * fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
  necessary as plymouth doesn't run in it's own domain in early boot
- Update to version 20230125. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_dnsmasq.patch
  * fix_init.patch
  * fix_ipsec.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd_watch.patch
  * fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
  * Added new interface entropyd_semaphore_filetrans to properly transfer
    semaphore created during early boot. That doesn't work yet, so work
    around with next item
  * Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
  to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
  * Proper labeling for start-ntpd
  * Fixed label rules for chroot path
  * Temporarily allow dac_override for ntpd_t (bsc#1207577)
  * Add interface ntp_manage_pid_files to allow management of pid
    files
- Updated fix_networkmanager.patch to allow managing ntp pid files
- Update fix_container.patch to allow privileged containers to use
  localectl (bsc#1207077)
- Add fix_container.patch to allow privileged containers to use
  timedatectl (bsc#1207054)
- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
  (bnc#1206445)
- Added policy for wicked scripts under /etc/sysconfig/network/scripts
  (bnc#1205770)
- Add fix_sendmail.patch 
  * fix context of custom sendmail startup helper
  * fix context of /var/run/sendmail and add necessary rules to manage
    content in there
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
  nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow  sendto towards
  NetworkManager_dispatcher_custom_t. Added new interface
  networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
- Updated fix_networkmanager.patch to allow NetworkManager to watch
  net_conf_t (bsc#1206109)
- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
- Drop fix_irqbalance.patch: superseded by upstream
- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
  network interface definition instead of /etc/sysconfig/network-scripts/,
  modified sysnetwork.fc to reflect that (bsc#1205580). 
- Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
- Updated quilt couldn't unpack tarball. This will cause ongoing issues
  so drop the sed statement in the %prep section and add 
  distro_suse_to_distro_redhat.patch to add the necessary changes
  via a patch
- Update fix_networkmanager.patch to ensure NetworkManager chrony
  dispatcher is properly labled and update fix_chronyd.patch to ensure
  chrony helper script has proper label to be used by NetworkManager.
  Also allow NetworkManager_dispatcher_custom_t to query systemd status
  (bsc#1203824)
- Update fix_xserver.patch to add greetd support (bsc#1198559)
- Revamped rtorrent module
- Move SUSE directory from manual page section to html docu
- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t 
  and NetworkManager_dispatcher_custom_t to access nscd socket 
  (bsc#1201741)
- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper 
  (bnc#1201015)
- Update to version 20220714. Refreshed:
  * fix_init.patch
  * fix_systemd_watch.patch
- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
  systemd_gpt_generator_t (bsc#1200911)
- postfix: Label PID files and some helpers correctly (bsc#1197242)
- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
- Update to version 20220624. Refreshed:
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_networkmanager.patch
  * fix_unprivuser.patch
  Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd 
  (bsc#1199630)
- Update to version 20220520 to pass stricter 3.4 toolchain checks
- Update to version 20220428. Refreshed:
  * fix_apache.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_iptables.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unprivuser.patch
  * fix_usermanage.patch
  * fix_wine.patch
- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
  (bsc#1199518)
- Modified fix_init.patch to allow init to setup contrained environment
  for accountsservice. This needs a better, more general solution
  (bsc#1197610)
- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
  This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t
  from unconfined_t (bsc#1197169)
- use %license tag for COPYING file
- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
- Fix bitlbee runtime directory (bsc#1193230)
  * add fix_bitlbee.patch
- Update to version 20220124. Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling 
  (bsc#1193987)
- Allow colord to use systemd hardenings (bsc#1194631)
- Update to version 20211111. Refreshed:
  * fix_dbus.patch
  * fix_systemd.patch
  * fix_authlogin.patch
  * fix_auditd.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_chronyd.patch
  * fix_unconfineduser.patch
  * fix_unconfined.patch
  * fix_firewalld.patch
  * fix_init.patch
  * fix_xserver.patch
  * fix_logging.patch
  * fix_hadoop.patch
- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
- Fix auditd service start with systemd hardening directives (boo#1190918)
  * add fix_auditd.patch
- Modified fix_systemd.patch to allow systemd gpt generator access to
  udev files (bsc#1189280)
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
  * fix managing /etc/rebootmgr.conf
  * allow rebootmgr_t to cope with systemd and dbus messaging
- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
- Added policy module for rebootmgr (jsc#SMO-28) 
- Allow systemd-sysctl to read kernel specific sysctl.conf
  (fix_kernel_sysctl.patch, boo#1184804)
- Fix quoting in postInstall macro
- Update to version 20210716
- Remove interfaces for container module before building the package
  (bsc#1188184)
- Updated
  * fix_init.patch
  * fix_systemd_watch.patch
  to adapt to upstream changes
- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
  here
- Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces
- Update to version 20210419
- Dropped fix_gift.patch, module was removed
- Updated wicked.te to removed dropped interface
- Refreshed:
  * fix_cockpit.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_logrotate.patch
  * fix_networkmanager.patch
  * fix_nscd.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
  that trigger on changes in those.
  Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and
  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
  files there
- allow cockpit socket to bind nodes (fix_cockpit.patch)
- use %autosetup to get rid of endless patch lines
- Updated fix_networkmanager.patch to allow NetworkManager to watch
  its configuration directories
- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
- Added Recommends for selinux-autorelabel (bsc#1181837)
- Prevent libreoffice fonts from changing types on every relabel 
  (bsc#1185265). Added fix_libraries.patch
- Transition unconfined users to ldconfig type (bsc#1183121).
  Extended fix_unconfineduser.patch
- Update to version 20210419
- Refreshed:
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_unprivuser.patch
- Adjust fix_init.patch to allow systemd to do sd-listen on 
  tcp socket [bsc#1183177]
- Update to version 20210309
- Refreshed
  * fix_systemd.patch
  * fix_selinuxutil.patch
  * fix_iptables.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_nscd.patch
  * fix_hadoop.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
- Ensure that /usr/etc is labeled according to /etc rules
- Update to version 20210223
- Change name of tar file to a more common schema to allow
  parallel installation of several source versions
- Adjust fix_init.patch
- Update to version 20210111
  - Drop fix_policykit.patch (integrated upstream)
  - Adjust fix_iptables.patch
  - update container policy
- Updated fix_corecommand.patch to set correct types for the OBS
  build tools
- wicked.fc: add libexec directories
- Update to version 20201029
  - update container policy
- Update to version 20201016
- Use python3 to build (fc_sort.c was replaced by fc_sort.py which
  uses python3)
- Drop SELINUX=disabled, "selinux=0" kernel commandline option has
  to be used instead. New default is "permissive" [bsc#1176923].
- Update to version 20200910. Refreshed
  * fix_authlogin.patch
  * fix_nagios.patch
  * fix_systemd.patch
  * fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-* presets
  * Enabled
    user_rw_noexattrfile
    unconfined_chrome_sandbox_transition
    unconfined_mozilla_plugin_transition
    for the minimal policy
  * Disabled
    xserver_object_manager
    for the MLS policy
  * Disabled
    openvpn_enable_homedirs
    privoxy_connect_any
    selinuxuser_direct_dri_enabled
    selinuxuser_ping (aka user_ping)
    squid_connect_any
    telepathy_tcp_connect_generic_network_ports
    for the targeted policy
  Change your local config if you need them
- Build HTML version of manpages for the -devel package
- Drop BuildRequires for python, python-xml. It's not needed anymore
- Drop fix_dbus.patch_orig, was included by accident
- Drop segenxml_interpreter.patch, not used anymore
- macros.selinux-policy: move rpm-state directory to /run and
  make sure it exists 
- Cleanup spec file and follow more closely Fedora
- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
- Move config to /etc/selinux/config and create during %post install
  to be compatible with upstream and documentation.
- Add RPM macros for SELinux (macros.selinux-policy)
- Install booleans.subs_dist
- Remove unused macros
- Sync make/install macros with Fedora spec file
- Introduce sandbox sub-package
- Add policycoreutils-devel as BuildRequires
- Update to version 20200717. Refreshed
  * fix_fwupd.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_irqbalance.patch
  * fix_logrotate.patch
  * fix_nagios.patch
  * fix_networkmanager.patch
  * fix_postfix.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unprivuser.patch
  * selinux-policy.spec
- Added update.sh to make updating easier
- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
  to accountsd dbus
- New patch:
  * fix_nis.patch
- Updated patches:
  * fix_postfix.patch: Transition is done in distribution specific script
- Added module for wicked
- New patches:
  * fix_authlogin.patch
  * fix_screen.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
  * fix_apache.patch
- Added module for rtorrent
- Enable snapper module in minimum policy to reduce issues on BTRFS
  Updated fix_snapper.patch to prevent relabling of snapshot
- New patches:
  * fix_accountsd.patch
  * fix_automount.patch
  * fix_colord.patch
  * fix_mcelog.patch
  * fix_sslh.patch
  * fix_nagios.patch
  * fix_openvpn.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_smartmon.patch
  * fix_geoclue.patch
  * suse_specific.patch
  Default systems should now work without selinuxuser_execmod
- Removed xdm_entrypoint_pam.patch, necessary change is in
  fix_unconfineduser.patch
- Enable SUSE specific settings again
- Update to version 20200219
  Refreshed fix_hadoop.patch
  Updated 
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_nscd.patch
  * fix_xserver.patch
  Renamed postfix_paths.patch to fix_postfix.patch
  Added
  * fix_init.patch
  * fix_locallogin.patch
  * fix_policykit.patch
  * fix_iptables.patch
  * fix_irqbalance.patch
  * fix_ntp.patch
  * fix_fwupd.patch
  * fix_firewalld.patch
  * fix_logrotate.patch
  * fix_selinuxutil.patch
  * fix_corecommand.patch
  * fix_snapper.patch
  * fix_systemd.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * xdm_entrypoint_pam.patch
- Removed modules minimum_temp_fixes and targeted_temp_fixes
  from the corresponding policies
- Reduced default module list of minimum policy by removing
  apache inetd nis postfix mta modules
- Adding/removing necessary pam config automatically 
- Minimum and targeted policy: Enable domain_can_mmap_files by default
- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
  selinuxuser_execstack to have safe defaults
- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
  * label_sysconfig.selinux.patch
  * label_var_run_rsyslog.patch
  * suse_additions_obs.patch
  * suse_additions_sslh.patch
  * suse_modifications_apache.patch
  * suse_modifications_cron.patch
  * suse_modifications_getty.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_virt.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
  * segenxml_interpreter.patch
- Added patches:
  * fix_djbdns.patch
  * fix_dbus.patch
  * fix_gift.patch
  * fix_java.patch
  * fix_hadoop.patch
  * fix_thunderbird.patch
  * postfix_paths.patch
  * fix_nscd.patch
  * fix_sysnetwork.patch
  * fix_logging.patch
  * fix_xserver.patch
  * fix_miscfiles.patch
  to fix problems with the coresponding modules
- Added sedoctool.patch to prevent build failures
- This also adds three modules:
  * packagekit.(te|if|fc)
    Basic (currently permissive) module for packagekit
  * minimum_temp_fixes.(te|if|fc)
    and
  * targeted_temp_fixes.(te|if|fc)
    both are currently necessary to get the systems to boot in 
    enforcing mode. Most of them obviosly stem from mislabeled
    files, so this needs to be worked through and then removed
    eventually
  Also selinuxuser_execstack, selinuxuser_execmod and 
  domain_can_mmap_files need to be enabled. Especially the first
  two are bad and should be removed ASAP
- Update to refpolicy 20190609. New modules for stubby and several
  systemd updates, including initial support for systemd --user
  sessions.
  Refreshed
  * label_var_run_rsyslog.patch
  * suse_modifications_cron.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
- Update to refpolicy 20190201. New modules for chromium, hostapd,
  and sigrok and minor fixes for existing modules.
  Refreshed suse_modifications_usermanage.patch
- Change default state to disabled and disable SELinux after 
  uninstallation of policy to prevent unbootable system 
  (bsc#1108949, bsc#1109590)
- Use refpolicy 20180701 as a base
- Dropped patches
  * allow-local_login_t-read-shadow.patch
  * dont_use_xmllint_in_make_conf.patch
  * label_sysconfig.selinux-policy.patch
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_dbus.patch
  * suse_modifications_glusterfs.patch
  * suse_modifications_ipsec.patch
  * suse_modifications_passenger.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_ssh.patch
  * suse_modifications_staff.patch
  * suse_modifications_stapserver.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_unprivuser.patch
  * systemd-tmpfiles.patch
  * type_transition_contrib.patch
  * type_transition_file_class.patch
  * useradd-netlink_selinux_socket.patch
  * xconsole.patch
  Rebased the other patches to apply to refpolicy
- Added segenxml_interpreter.patch to not use env in shebang
- Added rpmlintrc to surpress duplicate file warnings
- Add overlayfs as xattr capable (bsc#1073741)
  * add-overlayfs-as-xattr-capable.patch
- Added
  * suse_modifications_glusterfs.patch
  * suse_modifications_passenger.patch
  * suse_modifications_stapserver.patch
  to modify module name to make the current tools happy
- Repair erroneous changes introduced with %_fillupdir macro
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- POLCYVER depends both on the libsemanage/policycoreutils version
  and the kernel. The former is more important for us, kernel seems
  to have all necessary features in Leap 42.1 already.
- Replaced = runtime dependencies on checkpolicy/policycoreutils 
  with "=". 2.5 policy is not supposed to work with 2.3 tools,
  The runtime policy tools need to be same the policy was built with.
- Changes required by policycoreutils update to 2.5
  * lots of spec file content needs to be conditional on
    policycoreutils version.
- Specific policycoreutils 2.5 related changes:
  * modules moved from /etc/selinux to /var/lib/selinux
  (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
  * module path now includes includes priority. Users override default
  policies by setting higher priority. Thus installed policy modules can be
  fully verified by RPM.
  * Installed modules have a different format and path.
  Raw bzip2 doesn't suffice to create them any more, but we can process them
  all in a single semodule -i command.
- Policy version depends on kernel / distro version  
  * do not touch policy.<version>, rather fail if it's not created
- Enabled building mls policy for Leap (not for SLES)
- Other
  * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
  * Bug: (minimum) additional modules that need to be activated: postfix
  (required by apache), plymouthd (required by getty)
  * Cleanup: /etc -> %{sysconfdir} etc.
- fixed missing role assignment in cron_unconfined_role
- Updated suse_modifications_ipsec.patch, removed dontaudits for 
  ipsec_mgmt_t and granted matching permissions
- Added suse_modifications_ipsec.patch to grant additional privileges
  to ipsec_mgmt_t
- Minor changes for CC evaluation. Allow reading of /dev/random
  and ipc_lock for dbus and dhcp
- Transition from unconfined user to cron admin type
- Allow systemd_timedated_t to talk to unconfined dbus for minimal
  policy (bsc#932826)
- Allow hostnamectl to set the hostname (bsc#933764)
- Removed ability of staff_t and user_t to use svirt. Will reenable
  this later on with a policy upgrade
  Added suse_modifications_staff.patch
- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage
  in make conf. This currently breaks manual builds. 
- Added BuildRequires for libxml2-tools to enable xmllint checks 
  once the issue mentioned above is solved
- adjusted suse_modifications_ntp to match SUSE chroot paths
- Added 
  * suse_additions_obs.patch to allow local builds by OBS
  * suse_additions_sslh.patch to confine sslh
- Added suse_modifications_cron.patch to adjust crontabs contexts
- Modified suse_modifications_postfix.patch to match SUSE paths
- Modified suse_modifications_ssh.patch to bring boolean
  sshd_forward_ports back
- Modified 
  * suse_modifications_dbus.patch
  * suse_modifications_unprivuser.patch
  * suse_modifications_xserver.patch
  to allow users to be confined
- Added
  * suse_modifications_apache.patch 
  * suse_modifications_ntp.patch
  and modified
  * suse_modifications_xserver.patch
  to fix labels on startup scripts used by systemd
- Removed unused and incorrect interface dev_create_all_dev_nodes
  from systemd-tmpfiles.patch
- Removed BuildRequire for selinux-policy-devel
- Major cleanup of the spec file
- removed suse_minimal_cc.patch and splitted them into
  * suse_modifications_dbus.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_logging.patch
  * suse_modifications_getty.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_xserver.patch
  * suse_modifications_ssh.patch
  * suse_modifications_usermanage.patch
- Added suse_modifications_virt.patch to enable svirt on s390x
- fix bashism in post script
Redid changes done by vcizek@suse.com in SLE12 package
- disable build of MLS policy
- removed outdated description files 
  * Alan_Rouse-openSUSE_with_SELinux.txt
  * Alan_Rouse-Policy_Development_Process.txt
- removed remove_duplicate_filetrans_pattern_rules.patch
- Updated policy to include everything up until 20140730 (refpolicy and
  fedora rawhide improvements). Rebased all patches that are still
  necessary
- Removed permissivedomains.pp. Doesn't work with the new policy
- modified spec file so that all modifications for distro=redhat and
  distro=suse will be used. 
- added selinux-policy-rpmlintrc to suppress some warnings that aren't
  valid for this package
- added suse_minimal_cc.patch to create a suse specific module to prevent
  errors while using the minimum policy. Will rework them in the proper
  places once the minimum policy is reworked to really only confine a 
  minimal set of domains.
- removed source files which were not used
  * modules-minimum.conf, modules-mls.conf, modules-targeted.conf,
    permissivedomains.fc, permissivedomains.if, permissivedomains.te,
    seusers, seusers-mls, seusers-targeted, users_extra-mls,
    users_extra-targeted
- remove duplicate filetrans_pattern rules
  * fixes build with libsepol-2.3
  * added remove_duplicate_filetrans_pattern_rules.patch
- enable build of mls and targeted policies
- fixes to the minimum policy:
- label /var/run/rsyslog correctly
  * label_var_run_rsyslog.patch
- allow systemd-tmpfiles to create devices
  * systemd-tmpfiles.patch
- add rules for sysconfig
  * correctly label /dev/.sysconfig/network
  * added sysconfig_network_scripts.patch
- run restorecon and fixfiles only if if selinux is enabled
- fix console login
  * allow-local_login_t-read-shadow.patch
- allow rsyslog to write to xconsole
  * xconsole.patch
- useradd needs to call selinux_check_access (via pam_rootok)
  * useradd-netlink_selinux_socket.patch
- fix build on factory: newer rpm does not allow to mark
  non-directories as dir anymore (like symlinks in this case) 
- install COPYING
- switch to Fedora as upstream
- added patches:
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * type_transition_file_class.patch
  * type_transition_contrib.patch
  * label_sysconfig.selinux-policy.patch
- bump up policy version to 27, due to recent libsepol update
- dropped currently unused policy-rawhide.patch
- fix installing of file_contexts (this enables restorecond to run properly)
- Recommends: audit and setools
- mark included files in source
- update to 2.20120725
- added selinux-policy-run_sepolgen_during_build.patch
- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch
- dropped policygentool and OLPC stuff
- patch license to be in spdx.org format
- use policy created by Alan Rouse
- Adjust selinux-policy.spec so that the policy
  source tree is put in /usr/share/doc/packages/selinux-*
  so users can build the policy [bnc#582404]
- fixed fileperms of /etc/selinux/config to be 644 to allow
  libselinux to read from it (bnc#582399)
  this is also the default file mode in fedora 12
- added config file for /etc/selinux/
- updated to version 2008.12.10
  * Fix consistency of audioentropy and iscsi module naming.
  * Debian file context fix for xen from Russell Coker.
  * Xserver MLS fix from Eamon Walsh.
  * Add omapi port for dhcpcd.
  * Deprecate per-role templates and rolemap support.
  * Implement user-based access control for use as role separations.
  * Move shared library calls from individual modules to the domain module.
  * Enable open permission checks policy capability.
  * Remove hierarchy from portage module as it is not a good example of hieararchy.
  * Remove enableaudit target from modular build as semodule -DB supplants it.
  * Added modules:
    - milter (Paul Howarth)
- updated to version 2008.10.14
  * Debian update for NetworkManager/wpa_supplicant from Martin Orr.
  * Logrotate and Bind updates from Vaclav Ovsik.
  * Init script file and domain support.
  * Glibc 2.7 fix from Vaclav Ovsik.
  * Samba/winbind update from Mike Edenfield.
  * Policy size optimization with a non-security file attribute from James Carter.
  * Database labeled networking update from KaiGai Kohei.
  * Several misc changes from the Fedora policy, cherry picked by David Hardeman.
  * Large whitespace fix from Dominick Grift.
  * Pam_mount fix for local login from Stefan Schulze Frielinghaus.
  * Issuing commands to upstart is over a datagram socket, not the initctl named pipe.
  * Updated init_telinit() to match.
  * Added modules:
    - cyphesis (Dan Walsh)
    - memcached (Dan Walsh)
    - oident (Dominick Grift)
    - w3c (Dan Walsh)
- initial version 2008.07.02 from tresys

OBS-URL: https://build.opensuse.org/request/show/1184839
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=231
2024-07-02 11:23:15 +00:00
Hu
290de72460 Accepting request 1184825 from home:cahu:branches:security:SELinux
- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"

OBS-URL: https://build.opensuse.org/request/show/1184825
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=230
2024-07-02 10:36:37 +00:00
Ana Guerrero
2777860370 Accepting request 1181332 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1181332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=62
2024-06-18 20:51:01 +00:00
Hu
860070d5d6 Accepting request 1181331 from home:cahu:branches:security:SELinux
- Update to version 20240617:
  * Allow gnome control center to set autologin (bsc#1222978)
  * Dontaudit xdm_t to getattr on root_t (bsc#1223145)

OBS-URL: https://build.opensuse.org/request/show/1181331
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=228
2024-06-17 14:37:28 +00:00
Ana Guerrero
1caa35060d Accepting request 1180332 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1180332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=61
2024-06-14 16:57:11 +00:00
Hu
ee6d23dd06 - Update to version 20240613:
* Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=226
2024-06-13 08:13:40 +00:00