Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-07-06 17:00:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1903 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sun Jul 6 17:00:05 2025 rev:118 rq:1290168 version:20250703 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-06-20 16:48:17.741494140 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1903/selinux-policy.changes 2025-07-06 17:00:10.139717415 +0200 
@@ -1,0 +2,57 @@ +Thu Jul 03 09:28:49 UTC 2025 - cathy...@suse.com + +- Update to version 20250703: + * Drop SUSE-specific /usr/etc = /etc equivalency + * Allow irqbalance execute shell if irqbalance_run_unconfined is on + * Allow openvswitch ioctl vduse devices + * Label /dev/vduse/control and /dev/vduse/NAME devices + * Allow virtstoraged the sys_rawio capability + * Allow virtqemud read insights-core state files + * Allow virtnodedev create mdevctl config dirs + * Allow virtqemud additional permissions on scsi generic chr files + * Allow local login execute gnome keyring daemon + * Allow virtqemud send a generic signal to passt + * Allow svirt-tcg read init state + * Allow irqbalance execute shell if irqbalance_run_unconfined is on + * Label /run/opendkim with dkim_milter_data_t + * Allow sa-update status systemd services + * Introduce new cluster_service_transition_to_unconfined_user boolean (bsc#1244495) + * Allow updpwd logging send audit messages + * Temporary dontaudit iio-sensor-proxy sys_admin. 
+ * Allow iio-sensor-proxy sendto to journald over a unix datagram socket + * Revert "Allow iio-sensor-proxy sendto to journald over a unix datagram socket" + * virt: allow QEMU use of the qgs daemon for attestation + * qgs: add contrib module for TDX "qgs" daemon + * kernel: add interfaces for using SGX enclaves + * Define file equivalency for /usr/etc + * Allow mongod to receive pressure stall information + * Dontaudit systemd_generator read sssd public files + * Allow plymouthd read/write input event devices + * Label 99-nvme-nbft-connect.sh with NetworkManager_dispatcher_nvme_script_t + * Allow systemd-user-runtime-dir sendto to syslogd + * Remove pcp module + * Update irqbalance policy for using unconfined scripts + * Allow utempter use terminal multiplexor + * Allow virtqemud execute ovs-vsctl with a domain transition + * Update the files_search_mnt() interface + * Allow nmbd read network sysctls + * Allow iio-sensor-proxy sendto to journald over a unix datagram socket + * Allow logrotate stop all systemd services + * systemd: rework systemd_manage_random_seed + * Allow tuned-ppd connect to sssd over a unix stream socket + * Drop config for /run/random-seed + * Update file location for systemd random-seed file + * Allow tomcat execute cracklib-check with a domain transition + * Allow sssd watch lib dirs + * Confine systemd-hibernate-resume + * Allow login_userdomain create /run/tlog directory with user_tmp_t + * Allow login_pgm read filesystem sysctls + * Allow gconfd connect to system dbus + * Allow NetworkManager manage NetworkManager_etc_rw_t symlinks +- Syncing with upstream rawhide selinux-policy up to: + * 23514206ea45e1d1d2f8a4c08288065c813fcc91 +- Update embedded container-selinux version to commit: + * 36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c (version 2.238.0) + + +------------------------------------------------------------------- Old: ---- selinux-policy-20250618.tar.xz New: ---- selinux-policy-20250703.tar.xz 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.BAGQSB/_old 2025-07-06 17:00:12.347808886 +0200 +++ /var/tmp/diff_new_pack.BAGQSB/_new 2025-07-06 17:00:12.347808886 +0200 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20250618 +Version: 20250703 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.BAGQSB/_old 2025-07-06 17:00:12.431812366 +0200 +++ /var/tmp/diff_new_pack.BAGQSB/_new 2025-07-06 17:00:12.435812532 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">1805634d61369054e3a36424c5772993fc0163d1</param></service></servicedata> + <param name="changesrevision">e6cb43eff1dbcc1c2327f6dcb680984ad0a88465</param></service></servicedata> (No newline at EOF) ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.BAGQSB/_old 2025-07-06 17:00:12.487814686 +0200 +++ /var/tmp/diff_new_pack.BAGQSB/_new 2025-07-06 17:00:12.491814851 +0200 @@ -1,7 +1,8 @@ -policy_module(container, 2.237.0) +policy_module(container, 2.238.0) gen_require(` class passwd rootok; + type system_conf_t; ') ######################################## 
@@ -1627,3 +1628,7 @@ allow spc_t self:process ptrace; ') +# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it. +# https://issues.redhat.com/browse/RHEL-91380 +files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d") + ++++++ selinux-policy-20250618.tar.xz -> selinux-policy-20250703.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/config/file_contexts.subs_dist new/selinux-policy-20250703/config/file_contexts.subs_dist --- old/selinux-policy-20250618/config/file_contexts.subs_dist 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/config/file_contexts.subs_dist 2025-07-03 11:26:04.000000000 +0200 @@ -32,6 +32,7 @@ /var/usrlocal /usr/local /var/mnt /mnt /bin /usr/bin +/usr/etc /etc /usr/sbin /usr/bin # SUSE-specific section @@ -46,8 +47,5 @@ /var/adm/netconfig/md5/etc /etc /var/adm/netconfig/md5/var /var -## for transactional systems -/usr/etc /etc - ## for krb5 /var/lib/kerberos /var/kerberos diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/dist/mls/modules.conf new/selinux-policy-20250703/dist/mls/modules.conf --- old/selinux-policy-20250618/dist/mls/modules.conf 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/dist/mls/modules.conf 2025-07-03 11:26:04.000000000 +0200 @@ -1398,6 +1398,13 @@ # pulseaudio = module +# Layer: service +# Module: qgs +# +# TDX QGS Daemon +# +qgs = module + # Layer: services # Module: qmail # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/dist/targeted/modules.conf new/selinux-policy-20250703/dist/targeted/modules.conf --- old/selinux-policy-20250618/dist/targeted/modules.conf 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/dist/targeted/modules.conf 2025-07-03 11:26:04.000000000 +0200 
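Review bot: `files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")` only fixes the label of a newly created /run/sysctl.d; whether container_runtime_t may then create and write files inside it as system_conf_t depends on rules outside this hunk, so please confirm such a manage rule exists or netavark will still be denied on the write itself. Because the comment says systemd reads what lands there, the practical effect is that the container runtime can influence host sysctl settings, and the comment should state that plainly, e.g. `# NOTE: the runtime can drop sysctl snippets here that systemd applies host-wide`. The first container.te hunk pulls the raw type in through gen_require; if files.if already provides a filetrans interface for system_conf_t, using it would keep the module boundary intact.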
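Review bot: Moving `/usr/etc /etc` into the generic section drops the `## for transactional systems` comment, so the reason this substitution exists is no longer recorded anywhere in the file. Please keep a one-line note beside the new entry, e.g. `# for transactional systems: /usr/etc is labelled as /etc`. The changelog entries "Drop SUSE-specific /usr/etc = /etc equivalency" and "Define file equivalency for /usr/etc" read as contradictory on their own, and that comment would resolve it for the next reader.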
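Review bot: The new qgs entry is headed `# Layer: service`, but the neighbouring entries use `# Layer: services` (see the qmail block directly below), and the qgs.fc/qgs.if paths in this diff place the module under policy/modules/contrib/, so the header should presumably read `# Layer: contrib` like the pcp entry removed from the targeted file. The same header appears in the dist/targeted/modules.conf hunk. A fuller description than `# TDX QGS Daemon` would also help, e.g. `# Intel TDX Quote Generation Service, used by QEMU for attestation`, which the changelog line "virt: allow QEMU use of the qgs daemon for attestation" supports.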
@@ -1824,6 +1824,13 @@ # pwauth = module +# Layer: service +# Module: qgs +# +# TDX QGS Daemon +# +qgs = module + # Layer: services # Module: qmail # @@ -2678,13 +2685,6 @@ snapper = module # Layer: contrib -# Module: pcp -# -# pcp policy -# -pcp = module - -# Layer: contrib # Module: geoclue # # Add policy for Geoclue. Geoclue is a D-Bus service that provides location information diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/admin/usermanage.if new/selinux-policy-20250703/policy/modules/admin/usermanage.if --- old/selinux-policy-20250618/policy/modules/admin/usermanage.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/admin/usermanage.if 2025-07-03 11:26:04.000000000 +0200 @@ -377,3 +377,22 @@ files_search_var($1) read_files_pattern($1, crack_db_t, crack_db_t) ') + +######################################## +## <summary> +## Execute crack in the crack domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usermanage_domtrans_crack',` + gen_require(` + type crack_t, crack_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, crack_exec_t, crack_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/gnome.te new/selinux-policy-20250703/policy/modules/contrib/gnome.te --- old/selinux-policy-20250618/policy/modules/contrib/gnome.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/gnome.te 2025-07-03 11:26:04.000000000 +0200 @@ -122,8 +122,6 @@ dev_read_urand(gconfd_t) - - logging_send_syslog_msg(gconfd_t) userdom_manage_user_tmp_sockets(gconfd_t) 
@@ -131,6 +129,11 @@ userdom_tmp_filetrans_user_tmp(gconfd_t, dir) optional_policy(` + dbus_system_bus_client(gconfd_t) + dbus_write_session_tmp_sock_files(gconfd_t) +') + +optional_policy(` nscd_dontaudit_search_pid(gconfd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/iiosensorproxy.te new/selinux-policy-20250703/policy/modules/contrib/iiosensorproxy.te --- old/selinux-policy-20250618/policy/modules/contrib/iiosensorproxy.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/iiosensorproxy.te 2025-07-03 11:26:04.000000000 +0200 @@ -13,6 +13,11 @@ allow iiosensorproxy_t self:netlink_kobject_uevent_socket create_socket_perms; allow iiosensorproxy_t self:unix_dgram_socket create_socket_perms; +# temporary don't audit because of kernel commit: d4e89d212d, requiring CAP_SYS_ADMIN +dontaudit iiosensorproxy_t self:capability sys_admin; + +kernel_dgram_send(iiosensorproxy_t) + dev_read_iio_dev(iiosensorproxy_t) dev_read_input(iiosensorproxy_t) dev_create_sysfs_files(iiosensorproxy_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/insights_core.if new/selinux-policy-20250703/policy/modules/contrib/insights_core.if --- old/selinux-policy-20250618/policy/modules/contrib/insights_core.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/insights_core.if 2025-07-03 11:26:04.000000000 +0200 
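Review bot: The new optional_policy block grants `dbus_write_session_tmp_sock_files(gconfd_t)` alongside the system-bus client access, but the changelog only mentions connecting gconfd to the system bus, so the second rule's purpose is undocumented. A why-comment above the block would make the grant auditable, e.g. `# gconfd is a system bus client and also writes to the session bus socket (presumably under the user's tmp dir)`. If the session-socket write is only needed by one caller, name it there.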
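Review bot: `dontaudit iiosensorproxy_t self:capability sys_admin;` silences a check on the broadest capability there is, and the only lifetime the comment gives it is "temporary", which is easy to forget once the denials stop showing up. Please record a tracking reference and the operation that triggers the check, e.g. `# TODO(<tracking-bug>): dontaudit sys_admin until <operation> no longer needs CAP_SYS_ADMIN (kernel d4e89d212d)`, so the rule can be dropped when the kernel side settles. `kernel_dgram_send(iiosensorproxy_t)` is also unexplained; if it is the journald case the changelog mentions, a one-line comment saying so would spare the next reader from wondering why the target is kernel_t.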
@@ -59,3 +59,22 @@ read_files_pattern($1, insights_core_var_lib_t, insights_core_var_lib_t) allow $1 insights_core_var_lib_t:file map; ') + +######################################## +## <summary> +## Allow the specified domain to read insights-core state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_core_read_state',` + gen_require(` + type insights_core_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, insights_core_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/irqbalance.te new/selinux-policy-20250703/policy/modules/contrib/irqbalance.te --- old/selinux-policy-20250618/policy/modules/contrib/irqbalance.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/irqbalance.te 2025-07-03 11:26:04.000000000 +0200 @@ -64,6 +64,10 @@ userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) +optional_policy(` + auth_dontaudit_read_passwd(irqbalance_t) +') + ifdef(`hide_broken_symptoms',` dontaudit irqbalance_t self:capability sys_module; ') 
@@ -82,12 +86,16 @@ # tunable_policy(`irqbalance_run_unconfined',` + allow irqbalance_t irqbalance_unconfined_script_t:process2 nnp_transition; + + corecmd_exec_shell(irqbalance_t) domtrans_pattern(irqbalance_t, irqbalance_unconfined_script_exec_t, irqbalance_unconfined_script_t) - #allow irqbalance_t irqbalance_unconfined_script_t:process2 nnp_transition; ',` can_exec(irqbalance_t, irqbalance_unconfined_script_exec_t) ') +allow irqbalance_t irqbalance_unconfined_script_exec_t:dir { getattr search }; + optional_policy(` unconfined_domain(irqbalance_unconfined_script_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/logrotate.te new/selinux-policy-20250703/policy/modules/contrib/logrotate.te --- old/selinux-policy-20250618/policy/modules/contrib/logrotate.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/logrotate.te 2025-07-03 11:26:04.000000000 +0200 @@ -378,6 +378,10 @@ ') optional_policy(` + systemd_stop_all_services(logrotate_t) +') + +optional_policy(` varnishd_manage_log(logrotate_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/milter.fc new/selinux-policy-20250703/policy/modules/contrib/milter.fc --- old/selinux-policy-20250618/policy/modules/contrib/milter.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/milter.fc 2025-07-03 11:26:04.000000000 +0200 
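Review bot: `corecmd_exec_shell(irqbalance_t)` inside the `irqbalance_run_unconfined` branch widens what irqbalance itself may execute, and nothing says why the domain transition alone is not enough. If the unconfined scripts are shell scripts, the interpreter is opened by the caller before the transition takes effect, which would explain the rule; please say so, e.g. `# the script interpreter is opened in irqbalance_t before the transition to irqbalance_unconfined_script_t`. The `process2 nnp_transition` rule replaces the previously commented-out line and likewise deserves a note, presumably that the unit runs with NoNewPrivileges. The unconditional `:dir { getattr search }` rule below the tunable looks fine.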
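Review bot: `systemd_stop_all_services(logrotate_t)` lets a scheduled, root-level domain stop every unit on the system, which is considerably broader than the usual postrotate reload or kill of a single service. If a specific postrotate action drives this, a comment naming it would let a later reviewer judge whether a narrower interface is possible, e.g. `# postrotate scripts stop services via systemctl; no per-service interface exists yet`. Consider guarding the rule with a tunable if only some deployments need it.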
@@ -15,6 +15,7 @@ /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) /run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/mongodb.te new/selinux-policy-20250703/policy/modules/contrib/mongodb.te --- old/selinux-policy-20250618/policy/modules/contrib/mongodb.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/mongodb.te 2025-07-03 11:26:04.000000000 +0200 @@ -68,6 +68,7 @@ ## also typically has symlinks (e.g. /proc/net/snmp). kernel_list_proc(mongod_t) kernel_read_proc_symlinks(mongod_t) +kernel_read_psi(mongod_t) kernel_read_system_state(mongod_t) kernel_read_network_state(mongod_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/networkmanager.fc new/selinux-policy-20250703/policy/modules/contrib/networkmanager.fc --- old/selinux-policy-20250618/policy/modules/contrib/networkmanager.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/networkmanager.fc 2025-07-03 11:26:04.000000000 +0200 
@@ -30,6 +30,7 @@ /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/50-ddclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_ddclient_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/90-nm-cloud-setup\.sh -- gen_context(system_u:object_r:NetworkManager_dispatcher_cloud_script_t,s0) +/usr/lib/NetworkManager/dispatcher\.d/99-nvme-nbft-connect\.sh -- gen_context(system_u:object_r:NetworkManager_dispatcher_nvme_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/99tlp-rdw-nm -- gen_context(system_u:object_r:NetworkManager_dispatcher_tlp_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/no-wait\.d/90-nm-cloud-setup\.sh -- gen_context(system_u:object_r:NetworkManager_dispatcher_cloud_script_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/networkmanager.te new/selinux-policy-20250703/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20250618/policy/modules/contrib/networkmanager.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/networkmanager.te 2025-07-03 11:26:04.000000000 +0200 @@ -57,6 +57,7 @@ networkmanager_dispatcher_plugin_template(dhclient) networkmanager_dispatcher_plugin_template(dnssec) networkmanager_dispatcher_plugin_template(iscsid) +networkmanager_dispatcher_plugin_template(nvme) networkmanager_dispatcher_plugin_template(sendmail) networkmanager_dispatcher_plugin_template(tlp) networkmanager_dispatcher_plugin_template(winbind) 
@@ -139,6 +140,7 @@ read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) +manage_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms; @@ -719,6 +721,7 @@ systemd_exec_systemctl(NetworkManager_dispatcher_cloud_t) systemd_exec_systemctl(NetworkManager_dispatcher_ddclient_t) systemd_exec_systemctl(NetworkManager_dispatcher_iscsid_t) + systemd_exec_systemctl(NetworkManager_dispatcher_nvme_t) systemd_exec_systemctl(NetworkManager_dispatcher_sendmail_t) systemd_exec_systemctl(NetworkManager_dispatcher_winbind_t) systemd_exec_systemctl(NetworkManager_dispatcher_custom_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/openvswitch.te new/selinux-policy-20250703/policy/modules/contrib/openvswitch.te --- old/selinux-policy-20250618/policy/modules/contrib/openvswitch.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/openvswitch.te 2025-07-03 11:26:04.000000000 +0200 
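Review bot: `manage_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)` lets NetworkManager manage symlinks labelled NetworkManager_etc_rw_t, but the `filetrans_pattern(...)` on the next line still transitions only `{ dir file }` from NetworkManager_etc_t, so a symlink created directly inside a NetworkManager_etc_t directory would inherit NetworkManager_etc_t and the new rule would not cover it. If that is the case the changelog entry describes, extend the transition: `filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file lnk_file })`. If symlinks are only ever created inside directories already labelled NetworkManager_etc_rw_t, a short comment saying so would make the asymmetry intentional.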
@@ -98,6 +98,7 @@ corecmd_exec_bin(openvswitch_t) corecmd_exec_shell(openvswitch_t) +dev_ioctl_vduse(openvswitch_t) dev_read_rand(openvswitch_t) dev_read_urand(openvswitch_t) dev_rw_sysfs(openvswitch_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/passt.if new/selinux-policy-20250703/policy/modules/contrib/passt.if --- old/selinux-policy-20250618/policy/modules/contrib/passt.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/passt.if 2025-07-03 11:26:04.000000000 +0200 @@ -38,3 +38,13 @@ allow $1 passt_t:unix_stream_socket connectto; ') ') + +ifndef(`passt_signal',` + interface(`passt_signal',` + gen_require(` + type passt_t; + ') + + allow $1 passt_t:process signal; + ') +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/pcp.if new/selinux-policy-20250703/policy/modules/contrib/pcp.if --- old/selinux-policy-20250618/policy/modules/contrib/pcp.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/pcp.if 2025-07-03 11:26:04.000000000 +0200 @@ -40,12 +40,14 @@ ## </summary> ## </param> # -interface(`pcp_read_lib_files',` - gen_require(` - type pcp_var_lib_t; - ') - files_search_var_lib($1) - read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) +ifndef(`pcp_read_lib_files',` + interface(`pcp_read_lib_files',` + gen_require(` + type pcp_var_lib_t; + ') + files_search_var_lib($1) + read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) + ') ') ######################################## 
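Review bot: The new `passt_signal` interface is the only one added in this diff without a `## <summary>` / `## <param>` block; usermanage_domtrans_crack and insights_core_read_state in the same commit show the expected form, and the interface documentation is generated from those comments. A summary such as "Send a generic signal to passt" would match the changelog wording. The `ifndef` wrapper also deserves a sentence on why it exists, e.g. `# passt may ship its own policy module defining passt_signal; this is only a fallback`, since I am inferring that reason from the pcp.if changes in this commit rather than from anything stated here.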
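Review bot: Every interface in pcp.if is now wrapped in `ifndef` while pcp.te is deleted, but nothing in the file records why; a reader finding a stub .if with no .te will assume a broken module. If the intent is what the changelog's "Remove pcp module" line suggests, add a header comment such as `# pcp policy is shipped by the pcp package itself; these definitions are fallbacks for callers built without that module`. Since `ifndef` is evaluated when the .if is read, which definition wins depends on the order in which the interface files are included during the build, so please confirm that order is deterministic. The same wrapping appears in the remaining pcp.if hunks below, and the targeted modules.conf hunk drops `pcp = module` while the MLS hunk on this page only adds qgs, so check that mls/modules.conf no longer lists pcp either.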
@@ -60,36 +62,38 @@ ## </param> ## <rolecap/> # -interface(`pcp_admin',` - gen_require(` - type pcp_pmcd_t; - type pcp_pmlogger_t; - type pcp_pmproxy_t; - type pcp_pmie_t; - type pcp_var_run_t; - ') - - allow $1 pcp_pmcd_t:process signal_perms; - ps_process_pattern($1, pcp_pmcd_t) - - allow $1 pcp_pmlogger_t:process signal_perms; - ps_process_pattern($1, pcp_pmlogger_t) - - allow $1 pcp_pmproxy_t:process signal_perms; - ps_process_pattern($1, pcp_pmproxy_t) - - allow $1 pcp_pmie_t:process signal_perms; - ps_process_pattern($1, pcp_pmie_t) - - tunable_policy(`deny_ptrace',`',` - allow $1 pcp_pmcd_t:process ptrace; - allow $1 pcp_pmlogger_t:process ptrace; - allow $1 pcp_pmproxy_t:process ptrace; - allow $1 pcp_pmie_t:process ptrace; - ') +ifndef(`pcp_admin',` + interface(`pcp_admin',` + gen_require(` + type pcp_pmcd_t; + type pcp_pmlogger_t; + type pcp_pmproxy_t; + type pcp_pmie_t; + type pcp_var_run_t; + ') + + allow $1 pcp_pmcd_t:process signal_perms; + ps_process_pattern($1, pcp_pmcd_t) + + allow $1 pcp_pmlogger_t:process signal_perms; + ps_process_pattern($1, pcp_pmlogger_t) + + allow $1 pcp_pmproxy_t:process signal_perms; + ps_process_pattern($1, pcp_pmproxy_t) + + allow $1 pcp_pmie_t:process signal_perms; + ps_process_pattern($1, pcp_pmie_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 pcp_pmcd_t:process ptrace; + allow $1 pcp_pmlogger_t:process ptrace; + allow $1 pcp_pmproxy_t:process ptrace; + allow $1 pcp_pmie_t:process ptrace; + ') - files_search_pids($1) - admin_pattern($1, pcp_var_run_t) + files_search_pids($1) + admin_pattern($1, pcp_var_run_t) + ') ') ######################################## 
@@ -103,13 +107,15 @@ ## </summary> ## </param> # -interface(`pcp_pmie_exec',` - gen_require(` - type pcp_pmie_exec_t; - ') +ifndef(`pcp_pmie_exec',` + interface(`pcp_pmie_exec',` + gen_require(` + type pcp_pmie_exec_t; + ') - corecmd_search_bin($1) - can_exec($1, pcp_pmie_exec_t) + corecmd_search_bin($1) + can_exec($1, pcp_pmie_exec_t) + ') ') ######################################## @@ -123,13 +129,15 @@ ## </summary> ## </param> # -interface(`pcp_pmlogger_exec',` - gen_require(` - type pcp_pmlogger_exec_t; - ') +ifndef(`pcp_pmlogger_exec',` + interface(`pcp_pmlogger_exec',` + gen_require(` + type pcp_pmlogger_exec_t; + ') - corecmd_search_bin($1) - can_exec($1, pcp_pmlogger_exec_t) + corecmd_search_bin($1) + can_exec($1, pcp_pmlogger_exec_t) + ') ') ####################################### @@ -142,11 +150,13 @@ ## </summary> ## </param> # -interface(`pcp_filetrans_named_content',` - gen_require(` - type pcp_var_run_t; - ') - files_pid_filetrans($1, pcp_var_run_t, dir, "pcp") +ifndef(`pcp_filetrans_named_content',` + interface(`pcp_filetrans_named_content',` + gen_require(` + type pcp_var_run_t; + ') + files_pid_filetrans($1, pcp_var_run_t, dir, "pcp") + ') ') ####################################### 
@@ -159,11 +169,13 @@ ## </summary> ## </param> # -interface(`pcp_write_pid_sock_file',` - gen_require(` - type pcp_var_run_t; - ') +ifndef(`pcp_write_pid_sock_file',` + interface(`pcp_write_pid_sock_file',` + gen_require(` + type pcp_var_run_t; + ') - files_search_pids($1) - write_sock_files_pattern($1, pcp_var_run_t, pcp_var_run_t) + files_search_pids($1) + write_sock_files_pattern($1, pcp_var_run_t, pcp_var_run_t) + ') ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/pcp.te new/selinux-policy-20250703/policy/modules/contrib/pcp.te --- old/selinux-policy-20250618/policy/modules/contrib/pcp.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/pcp.te 1970-01-01 01:00:00.000000000 +0100 
@@ -1,320 +0,0 @@ -policy_module(pcp, 1.1.0) - -######################################## -# -# Declarations -# - - -## <desc> -## <p> -## Allow pcp to bind to all unreserved_ports -## </p> -## </desc> -gen_tunable(pcp_bind_all_unreserved_ports, false) - -## <desc> -## <p> -## Allow pcp to read generic logs -## </p> -## </desc> -gen_tunable(pcp_read_generic_logs, false) - -attribute pcp_domain; - -pcp_domain_template(pmcd) -pcp_domain_template(pmlogger) -pcp_domain_template(pmproxy) -pcp_domain_template(pmie) -pcp_domain_template(plugin) - -type pcp_log_t; -logging_log_file(pcp_log_t) - -type pcp_var_lib_t; -files_type(pcp_var_lib_t) - -type pcp_var_run_t; -files_pid_file(pcp_var_run_t) - -type pcp_tmp_t; -files_tmp_file(pcp_tmp_t) - -type pcp_tmpfs_t; -files_tmpfs_file(pcp_tmpfs_t) - -######################################## -# -# pcp domain local policy -# - -allow pcp_domain self:capability { setuid setgid dac_read_search }; -allow pcp_domain self:process signal_perms; -allow pcp_domain self:tcp_socket create_stream_socket_perms; -allow pcp_domain self:udp_socket create_socket_perms; -allow pcp_domain self:netlink_route_socket create_socket_perms; -allow pcp_domain self:unix_stream_socket connectto; - -corenet_tcp_connect_all_ephemeral_ports(pcp_domain) - -manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) -manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) -logging_log_filetrans(pcp_domain, pcp_log_t, { dir }) - -manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) -manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) -manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) -manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) -exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) -files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) - -manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -manage_sock_files_pattern(pcp_domain, 
pcp_var_run_t, pcp_var_run_t) -manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file }) - -manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) -manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) -manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) -files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file }) - -manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) -manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) -fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file }) -can_exec(pcp_domain, pcp_tmpfs_t) - -dev_read_urand(pcp_domain) - -files_read_etc_files(pcp_domain) - -fs_getattr_all_fs(pcp_domain) - -miscfiles_read_generic_certs(pcp_domain) - -sysnet_read_config(pcp_domain) - -tunable_policy(`pcp_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(pcp_pmcd_t) - corenet_sendrecv_all_server_packets(pcp_pmlogger_t) - corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t) - corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) - -') - - -######################################## -# -# pcp_pmcd local policy -# - -allow pcp_pmcd_t self:capability { dac_read_search dac_override ipc_owner net_admin sys_admin sys_ptrace }; -allow pcp_pmcd_t self:process { setsched }; -allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; -allow pcp_pmcd_t self:cap_userns sys_ptrace; - -kernel_get_sysvipc_info(pcp_pmcd_t) -kernel_manage_perf_event(pcp_pmcd_t) -kernel_read_debugfs(pcp_pmcd_t) -kernel_read_network_state(pcp_pmcd_t) -kernel_read_system_state(pcp_pmcd_t) -kernel_read_state(pcp_pmcd_t) -kernel_read_fs_sysctls(pcp_pmcd_t) -kernel_read_rpc_sysctls(pcp_pmcd_t) -kernel_search_network_sysctl(pcp_pmcd_t) -kernel_read_net_sysctls(pcp_pmcd_t) - -corecmd_exec_bin(pcp_pmcd_t) - -corenet_tcp_bind_amqp_port(pcp_pmcd_t) -corenet_tcp_connect_amqp_port(pcp_pmcd_t) -corenet_tcp_connect_http_port(pcp_pmcd_t) -corenet_udp_bind_statsd_port(pcp_pmcd_t) - 
-dev_read_sysfs(pcp_pmcd_t) -dev_rw_lvm_control(pcp_pmcd_t) - -domain_read_all_domains_state(pcp_pmcd_t) -domain_getattr_all_domains(pcp_pmcd_t) - -dev_getattr_all_blk_files(pcp_pmcd_t) -dev_getattr_all_chr_files(pcp_pmcd_t) -dev_read_sysfs(pcp_pmcd_t) -dev_read_urand(pcp_pmcd_t) - -fs_getattr_all_fs(pcp_pmcd_t) -fs_getattr_all_dirs(pcp_pmcd_t) -fs_list_cgroup_dirs(pcp_pmcd_t) -fs_read_cgroup_files(pcp_pmcd_t) -fs_read_nfsd_files(pcp_pmcd_t) -fs_search_tracefs_dirs(pcp_pmcd_t) - -init_read_utmp(pcp_pmcd_t) - -logging_send_syslog_msg(pcp_pmcd_t) - -lvm_domtrans(pcp_pmcd_t) - -storage_getattr_fixed_disk_dev(pcp_pmcd_t) -storage_raw_read_fixed_disk(pcp_pmcd_t) - -userdom_read_user_tmp_files(pcp_pmcd_t) -userdom_manage_unpriv_user_semaphores(pcp_pmcd_t) - -optional_policy(` - acct_search_data(pcp_pmcd_t) -') - -optional_policy(` - cron_read_pid_files(pcp_pmcd_t) -') - -optional_policy(` - container_manage_lib_files(pcp_pmcd_t) -') - -optional_policy(` - mock_read_lib_files(pcp_pmcd_t) -') - -optional_policy(` - mysql_stream_connect(pcp_pmcd_t) -') - -optional_policy(` - dbus_system_bus_client(pcp_pmcd_t) - - optional_policy(` - avahi_dbus_chat(pcp_pmcd_t) - ') -') - -optional_policy(` - postfix_read_config(pcp_pmcd_t) - postfix_search_spool(pcp_pmcd_t) -') - -optional_policy(` - raid_domtrans_mdadm(pcp_pmcd_t) - raid_access_check_mdadm(pcp_pmcd_t) -') - -tunable_policy(`pcp_read_generic_logs',` - logging_read_generic_logs(pcp_pmcd_t) - -') - -######################################## -# -# pcp_pmproxy local policy -# - -allow pcp_pmproxy_t self:process setsched; -allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms; - -kernel_search_network_sysctl(pcp_pmproxy_t) - -logging_send_syslog_msg(pcp_pmproxy_t) - -optional_policy(` - dbus_system_bus_client(pcp_pmproxy_t) - - optional_policy(` - avahi_dbus_chat(pcp_pmproxy_t) - ') -') - -######################################## -# -# pcp_pmie local policy -# -allow pcp_pmie_t self:capability { chown fsetid sys_ptrace 
}; -allow pcp_pmie_t self:cap_userns sys_ptrace; -allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read }; -allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto }; - -allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; - -allow pcp_pmie_t pcp_pmcd_t:process signal; - -kernel_read_net_sysctls(pcp_pmie_t) -kernel_read_network_state(pcp_pmie_t) -kernel_read_system_state(pcp_pmie_t) -kernel_dontaudit_request_load_module(pcp_pmie_t) - -can_exec(pcp_pmie_t, pcp_pmie_exec_t) - -corecmd_exec_bin(pcp_pmie_t) -corecmd_getattr_all_executables(pcp_pmie_t) - -domain_read_all_domains_state(pcp_pmie_t) - -fs_search_cgroup_dirs(pcp_pmie_t) - -init_status(pcp_pmie_t) - -logging_send_syslog_msg(pcp_pmie_t) - -systemd_exec_systemctl(pcp_pmie_t) -systemd_read_unit_files(pcp_pmie_t) -systemd_search_unit_dirs(pcp_pmie_t) - -userdom_read_user_tmp_files(pcp_pmie_t) - -######################################## -# -# pcp_pmlogger local policy -# - -allow pcp_pmlogger_t self:capability { dac_read_search dac_override chown fowner sys_ptrace }; -allow pcp_pmlogger_t self:process setpgid; -allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; - -allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; -allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms; - -allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans; - -dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace }; - -kernel_read_system_state(pcp_pmlogger_t) -kernel_read_network_state(pcp_pmlogger_t) -kernel_read_all_sysctls(pcp_pmlogger_t) - -corecmd_exec_bin(pcp_pmlogger_t) - -corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) -corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) -corenet_tcp_bind_generic_node(pcp_pmlogger_t) - -domain_read_all_domains_state(pcp_pmlogger_t) - -fs_mount_tracefs(pcp_pmlogger_t) -fs_getattr_all_fs(pcp_pmlogger_t) - -init_read_utmp(pcp_pmlogger_t) -init_status(pcp_pmlogger_t) - -logging_send_syslog_msg(pcp_pmlogger_t) 
- -systemd_exec_systemctl(pcp_pmlogger_t) -systemd_getattr_unit_files(pcp_pmlogger_t) - -optional_policy(` - hostname_exec(pcp_pmlogger_t) -') - -optional_policy(` - rpm_script_signal(pcp_pmlogger_t) -') - -######################################## -# -# pcp_plugin local policy -# - -domtrans_pattern(pcp_domain, pcp_plugin_exec_t, pcp_plugin_t) - -optional_policy(` - unconfined_domain(pcp_plugin_t) -') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/plymouthd.te new/selinux-policy-20250703/policy/modules/contrib/plymouthd.te --- old/selinux-policy-20250618/policy/modules/contrib/plymouthd.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/plymouthd.te 2025-07-03 11:26:04.000000000 +0200 @@ -71,6 +71,7 @@ dev_map_framebuffer(plymouthd_t) dev_read_kmsg(plymouthd_t) dev_write_kmsg(plymouthd_t) +dev_rw_input_dev(plymouthd_t) dev_rw_xserver_misc(plymouthd_t) domain_use_interactive_fds(plymouthd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/qgs.fc new/selinux-policy-20250703/policy/modules/contrib/qgs.fc --- old/selinux-policy-20250618/policy/modules/contrib/qgs.fc 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20250703/policy/modules/contrib/qgs.fc 2025-07-03 11:26:04.000000000 +0200 
@@ -0,0 +1,6 @@
+/etc/qgs\.conf -- gen_context(system_u:object_r:qgs_etc_t,s0)
+
+/usr/bin/qgs -- gen_context(system_u:object_r:qgs_exec_t,s0)
+
+/var/lib/qgs(/.*)? gen_context(system_u:object_r:qgs_var_lib_t,s0)
+/run/tdx-qgs(/.*)? gen_context(system_u:object_r:qgs_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/qgs.if new/selinux-policy-20250703/policy/modules/contrib/qgs.if
--- old/selinux-policy-20250618/policy/modules/contrib/qgs.if 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20250703/policy/modules/contrib/qgs.if 2025-07-03 11:26:04.000000000 +0200
@@ -0,0 +1,97 @@
+## <summary>policy for qgs</summary>
+
+########################################
+## <summary>
+## Execute qgs_exec_t in the qgs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qgs_domtrans',`
+ gen_require(`
+ type qgs_t, qgs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qgs_exec_t, qgs_t)
+')
+
+######################################
+## <summary>
+## Execute qgs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qgs_exec',`
+ gen_require(`
+ type qgs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, qgs_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an qgs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qgs_admin',`
+ gen_require(`
+ type qgs_t;
+ type qgs_var_lib_t;
+ type qgs_var_run_t;
+ ')
+
+ allow $1 qgs_t:process { signal_perms };
+ ps_process_pattern($1, qgs_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 qgs_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, qgs_var_lib_t)
+ admin_pattern($1, qgs_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+## <summary>
+## Connect to qgs over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qgs_stream_connect',`
+ gen_require(`
+ type qgs_t, qgs_var_run_t;
+ ')
+
+ stream_connect_pattern($1, qgs_var_run_t, qgs_var_run_t, qgs_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/qgs.te new/selinux-policy-20250703/policy/modules/contrib/qgs.te
--- old/selinux-policy-20250618/policy/modules/contrib/qgs.te 1970-01-01 01:00:00.000000000 +0100
+++ new/selinux-policy-20250703/policy/modules/contrib/qgs.te 2025-07-03 11:26:04.000000000 +0200
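Review bot: `qgs_stream_connect` calls `stream_connect_pattern($1, qgs_var_run_t, qgs_var_run_t, qgs_t)` without granting search on the pid directory first, so a caller that does not already have it cannot reach the socket directory labelled in qgs.fc under /run; add `files_search_pids($1)` before the pattern, as stream-connect interfaces elsewhere in the policy typically do. `qgs_admin` requires only qgs_t, qgs_var_lib_t and qgs_var_run_t, so an administrator domain cannot manage the daemon's configuration file; add `type qgs_etc_t;` to the require block and `admin_pattern($1, qgs_etc_t)` plus `files_search_pids($1)` next to the existing admin_pattern calls. Minor: the `qgs_stream_connect` header lacks the `########################################` separator line the other three interfaces carry, and "administrate an qgs environment" should read "administer a qgs environment".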
@@ -0,0 +1,71 @@
+policy_module(qgs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qgs_t;
+type qgs_exec_t;
+init_daemon_domain(qgs_t, qgs_exec_t)
+
+permissive qgs_t;
+
+type qgs_var_lib_t;
+files_type(qgs_var_lib_t);
+
+type qgs_var_run_t;
+files_pid_file(qgs_var_run_t);
+
+# Config file exclusively for SGX
+type qgs_etc_t;
+
+########################################
+#
+# qgs local policy
+#
+allow qgs_t self:fifo_file rw_fifo_file_perms;
+allow qgs_t self:unix_stream_socket create_stream_socket_perms;
+
+# /var/lib/qgs is the $HOME for 'qgs' and it caches some
+# data under subdirs
+manage_dirs_pattern(qgs_t, qgs_var_lib_t, qgs_var_lib_t)
+manage_files_pattern(qgs_t, qgs_var_lib_t, qgs_var_lib_t)
+manage_lnk_files_pattern(qgs_t, qgs_var_lib_t, qgs_var_lib_t)
+
+# /run/tdx/qgs is where 'qgs' creates UNIX socket
+manage_dirs_pattern(qgs_t, qgs_var_run_t, qgs_var_run_t)
+manage_files_pattern(qgs_t, qgs_var_run_t, qgs_var_run_t)
+manage_sock_files_pattern(qgs_t, qgs_var_run_t, qgs_var_run_t)
+files_pid_filetrans(qgs_t, qgs_var_run_t, { dir })
+
+domain_use_interactive_fds(qgs_t)
+
+# To read /etc/qgs.conf for its configuration
+files_config_file(qgs_etc_t)
+read_files_pattern(qgs_t, qgs_etc_t, qgs_etc_t)
+
+corenet_tcp_connect_http_port(qgs_t)
+
+# It loads enclaves with ...
+dev_rw_sgx_provision(qgs_t) + +# ...and executes enclaves to create quotes +dev_rwx_sgx_enclave(qgs_t) + +optional_policy(` + logging_send_syslog_msg(qgs_t) +') + +optional_policy(` + miscfiles_read_localization(qgs_t) +') + +# It connects to intel.com to acquire certificates +optional_policy(` + miscfiles_read_generic_certs(qgs_t) +') + +optional_policy(` + sysnet_dns_name_resolve(qgs_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/rhcs.te new/selinux-policy-20250703/policy/modules/contrib/rhcs.te --- old/selinux-policy-20250618/policy/modules/contrib/rhcs.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/rhcs.te 2025-07-03 11:26:04.000000000 +0200 @@ -49,6 +49,13 @@ ## </desc> gen_tunable(haproxy_connect_any, false) +## <desc> +## <p> +## allow cluster_t transition to the unconfined user domain +## </p> +## </desc> +gen_tunable(cluster_service_transition_to_unconfined_user, false) + attribute cluster_domain; attribute cluster_log; attribute cluster_pid; @@ -370,6 +377,12 @@ xen_domtrans_xm(cluster_t) ') +optional_policy(` + tunable_policy(`cluster_service_transition_to_unconfined_user',` + unconfined_domtrans(cluster_t) + ') +') + ##################################### # # dlm_controld local policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/samba.te new/selinux-policy-20250703/policy/modules/contrib/samba.te --- old/selinux-policy-20250618/policy/modules/contrib/samba.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/samba.te 2025-07-03 11:26:04.000000000 +0200 
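Review bot: `permissive qgs_t;` makes every access decision for the new domain audit-only, so none of the rules in this module — including `dev_rwx_sgx_enclave(qgs_t)` and `dev_rw_sgx_provision(qgs_t)` — actually constrains the daemon until that line is removed; a comment stating the exit condition, e.g. `# TODO: drop permissive once testing shows no AVC denials for qgs_t`, keeps it from being forgotten. The comment `# /run/tdx/qgs is where 'qgs' creates UNIX socket` disagrees with the qgs.fc entry, which labels `/run/tdx-qgs(/.*)?`; one of the two is wrong and the comment should match the labelled path. `files_type(qgs_var_lib_t);` and `files_pid_file(qgs_var_run_t);` carry trailing semicolons unlike every other macro call in the file; drop them for consistency.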
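Review bot: The `<desc>` for `cluster_service_transition_to_unconfined_user` only restates the mechanism; since enabling it lets programs started by cluster_t run in the unconfined user domain, the description should spell out that consequence so an administrator toggling the boolean understands what confinement is given up, e.g. `## Allow cluster services (cluster_t) to transition to the unconfined user domain. Enabling this removes SELinux confinement from programs the cluster starts.` The same boolean is consumed in the `@@ -370,6 +377,12 @@` hunk of rhcs.te, where a one-line comment naming the cluster workload that needs an unconfined transition would help a later reviewer decide whether a narrower domain could replace it.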
@@ -757,6 +757,7 @@ kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) +kernel_read_net_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/spamassassin.te new/selinux-policy-20250703/policy/modules/contrib/spamassassin.te --- old/selinux-policy-20250618/policy/modules/contrib/spamassassin.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/spamassassin.te 2025-07-03 11:26:04.000000000 +0200 @@ -681,6 +681,7 @@ optional_policy(` systemd_exec_systemctl(spamd_update_t) + systemd_status_systemd_services(spamd_update_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/sssd.te new/selinux-policy-20250703/policy/modules/contrib/sssd.te --- old/selinux-policy-20250618/policy/modules/contrib/sssd.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/sssd.te 2025-07-03 11:26:04.000000000 +0200 @@ -128,6 +128,7 @@ files_read_etc_runtime_files(sssd_t) files_list_var_lib(sssd_t) files_watch_etc_dirs(sssd_t) +files_watch_lib_dirs(sssd_t) fs_getattr_cgroup(sssd_t) fs_search_cgroup_dirs(sssd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/tomcat.te new/selinux-policy-20250703/policy/modules/contrib/tomcat.te --- old/selinux-policy-20250618/policy/modules/contrib/tomcat.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/tomcat.te 2025-07-03 11:26:04.000000000 +0200 
@@ -61,6 +61,10 @@ ') optional_policy(` + usermanage_domtrans_crack(tomcat_t) +') + +optional_policy(` ipa_read_lib(tomcat_t) ipa_read_tmp(tomcat_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/tuned.te new/selinux-policy-20250703/policy/modules/contrib/tuned.te --- old/selinux-policy-20250618/policy/modules/contrib/tuned.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/tuned.te 2025-07-03 11:26:04.000000000 +0200 @@ -217,6 +217,7 @@ optional_policy(` sssd_read_public_files(tuned_ppd_t) + sssd_stream_connect(tuned_ppd_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/contrib/virt.te new/selinux-policy-20250703/policy/modules/contrib/virt.te --- old/selinux-policy-20250618/policy/modules/contrib/virt.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/contrib/virt.te 2025-07-03 11:26:04.000000000 +0200 @@ -590,6 +590,8 @@ ps_process_pattern(svirt_tcg_t, virtd_t) +init_read_state(svirt_tcg_t) + virt_dontaudit_read_state(svirt_tcg_t) optional_policy(` @@ -1383,6 +1385,10 @@ xserver_rw_shm(virt_domain) ') +optional_policy(` + qgs_stream_connect(svirt_t) +') + ######################################## # # xm local policy @@ -2069,6 +2075,7 @@ files_map_var_lib_files(virtnodedevd_t) files_etc_filetrans_mdevctl_conf(virtnodedevd_t) files_etc_filetrans_mdevctl_conf_scripts(virtnodedevd_t) +files_create_mdevctl_conf_dirs(virtnodedevd_t) files_manage_mdevctl_conf_files(virtnodedevd_t) files_watch_mdevctl_conf_dirs(virtnodedevd_t) 
@@ -2326,6 +2333,10 @@ selinux_compute_create_context(virtqemud_t) storage_manage_fixed_disk(virtqemud_t) +storage_read_scsi_generic(virtqemud_t) +storage_write_scsi_generic(virtqemud_t) +storage_delete_scsi_generic_dev(virtqemud_t) +storage_setattr_scsi_generic_dev(virtqemud_t) sysnet_exec_ifconfig(virtqemud_t) sysnet_manage_config(virtqemud_t) @@ -2355,6 +2366,10 @@ ') optional_policy(` + insights_core_read_state(virtqemud_t) +') + +optional_policy(` nbdkit_domtrans(virtqemud_t) ') @@ -2363,11 +2378,16 @@ ') optional_policy(` + openvswitch_domtrans(virtqemud_t) +') + +optional_policy(` qemu_exec(virtqemud_t) ') optional_policy(` passt_domtrans(virtqemud_t) + passt_signal(virtqemud_t) ') optional_policy(` @@ -2430,7 +2450,7 @@ # # virtstoraged local policy # -allow virtstoraged_t self:capability { dac_override dac_read_search fsetid ipc_lock }; +allow virtstoraged_t self:capability { dac_override dac_read_search fsetid ipc_lock sys_rawio}; allow virtstoraged_t self:process { setsched }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/devices.fc new/selinux-policy-20250703/policy/modules/kernel/devices.fc --- old/selinux-policy-20250618/policy/modules/kernel/devices.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/devices.fc 2025-07-03 11:26:04.000000000 +0200 
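Review bot: `sys_rawio` is added to virtstoraged_t's capability set with no comment; it is one of the broadest capabilities (raw I/O to block devices bypasses filesystem and partition boundaries), so a why-comment naming the operation that requires it, e.g. `# sys_rawio: needed for <storage operation — confirm from AVC logs>`, would let a later reviewer judge whether it can be narrowed. The rewritten line is also missing a space before the closing brace: `allow virtstoraged_t self:capability { dac_override dac_read_search fsetid ipc_lock sys_rawio };`. The `storage_delete_scsi_generic_dev(virtqemud_t)` and `storage_setattr_scsi_generic_dev(virtqemud_t)` lines in the `@@ -2326,6 +2333,10 @@` hunk likewise let a daemon unlink and relabel SCSI generic device nodes without a comment explaining which libvirt operation needs it.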
@@ -242,6 +242,9 @@ /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/userfaultfd -c gen_context(system_u:object_r:userfaultfd_device_t,s0) +/dev/vduse -d gen_context(system_u:object_r:vduse_device_t,s0) +/dev/vduse/control -c gen_context(system_u:object_r:vduse_control_device_t,s0) +/dev/vduse/.+ -c gen_context(system_u:object_r:vduse_device_t,s0) /dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0) /dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0) /dev/v4l-subdev[0-9]+ -c gen_context(system_u:object_r:v4l_device_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/devices.if new/selinux-policy-20250703/policy/modules/kernel/devices.if --- old/selinux-policy-20250618/policy/modules/kernel/devices.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/devices.if 2025-07-03 11:26:04.000000000 +0200 @@ -6253,6 +6253,25 @@ ######################################## ## <summary> +## ioctl the vduse devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_ioctl_vduse',` + gen_require(` + type vduse_device_t; + ') + + allow $1 vduse_device_t:dir search_dir_perms; + allow $1 vduse_device_t:chr_file ioctl; +') + +######################################## +## <summary> ## Read and write VMWare devices. ## </summary> ## <param name="domain"> 
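Review bot: `dev_ioctl_vduse` grants only `ioctl` on vduse_device_t chr_file, with no `open`, `read` or `write`, so a caller that opens a `/dev/vduse/NAME` node itself will still be denied; as written the interface only works on descriptors the domain inherits or receives from another process. If that is intended, say so in the summary; otherwise add `rw_chr_files_pattern($1, device_t, vduse_device_t)` alongside the ioctl rule. The summary says "ioctl the vduse devices", but `/dev/vduse/control` is labelled vduse_control_device_t in the devices.fc hunk above and is not covered here, so either narrow the summary to the per-device nodes or require and cover that type as well.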
@@ -6899,6 +6918,43 @@ ') ######################################## +## <summary> +## Allow read and write the sgx_enclave devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rwx_sgx_enclave',` + gen_require(` + type device_t, sgx_enclave_device_t; + ') + + rw_chr_files_pattern($1, device_t, sgx_enclave_device_t) + allow $1 sgx_enclave_device_t:chr_file { map execute }; +') + +######################################## +## <summary> +## Allow read and write the sgx_provision devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_sgx_provision',` + gen_require(` + type device_t, sgx_provision_device_t; + ') + + rw_chr_files_pattern($1, device_t, sgx_provision_device_t) +') + +######################################## ## <summary> ## Allow read the hfi1_[0-9]+ devices ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/devices.te new/selinux-policy-20250703/policy/modules/kernel/devices.te --- old/selinux-policy-20250618/policy/modules/kernel/devices.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/devices.te 2025-07-03 11:26:04.000000000 +0200 
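Review bot: The summary of `dev_rwx_sgx_enclave` says "Allow read and write" but the body also grants `map` and `execute` on sgx_enclave_device_t, which permits executable mappings of the device; the documentation should state that, e.g. `## Read, write, map and execute the SGX enclave device.` The same applies to `dev_rw_sgx_provision`, whose summary should note that the provisioning device is distinct from the enclave device and is what the qgs daemon uses to load its enclaves, per the comment in qgs.te. Style: both new summaries read "Allow read and write the ... devices", whereas the neighbouring interfaces use the imperative form ("Read and write VMWare devices").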
@@ -460,6 +460,14 @@ dev_node(vmci_device_t) # +# vduse_device_t is the type for /dev/vduse/control and /dev/vduse/NAME +# +type vduse_device_t; +dev_node(vduse_device_t) +type vduse_control_device_t; +dev_node(vduse_control_device_t) + +# # vhost_device_t is the type for /dev/vhost-net # type vhost_device_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/files.fc new/selinux-policy-20250703/policy/modules/kernel/files.fc --- old/selinux-policy-20250618/policy/modules/kernel/files.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/files.fc 2025-07-03 11:26:04.000000000 +0200 @@ -262,8 +262,6 @@ /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/files.if new/selinux-policy-20250703/policy/modules/kernel/files.if --- old/selinux-policy-20250618/policy/modules/kernel/files.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/files.if 2025-07-03 11:26:04.000000000 +0200 @@ -5659,6 +5659,7 @@ ') allow $1 mnt_t:dir search_dir_perms; + allow $1 mnt_t:lnk_file read_lnk_file_perms; ') ######################################## 
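Review bot: The comment `# vduse_device_t is the type for /dev/vduse/control and /dev/vduse/NAME` is wrong for the first path: the devices.fc hunk labels `/dev/vduse/control` with the separate vduse_control_device_t declared two lines further down. Suggest `# vduse_device_t is the type for /dev/vduse and /dev/vduse/NAME` and a second comment `# vduse_control_device_t is the type for /dev/vduse/control` above its own declaration, so the split between the two types is visible where they are defined.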
@@ -6198,6 +6199,25 @@ ') ####################################### +## <summary> +## Create mdevctl configuration dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_create_mdevctl_conf_dirs',` + gen_require(` + type mdevctl_conf_t; + ') + + files_search_etc(mdevctl_conf_t) + allow $1 mdevctl_conf_t:dir create_dir_perms; +') + +####################################### ## <summary> ## Watch mdevctl configuration dirs ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/kernel/storage.if new/selinux-policy-20250703/policy/modules/kernel/storage.if --- old/selinux-policy-20250618/policy/modules/kernel/storage.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/kernel/storage.if 2025-07-03 11:26:04.000000000 +0200 @@ -565,6 +565,25 @@ ######################################## ## <summary> +## Allow the caller to unlink the generic SCSI interface device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_delete_scsi_generic_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms; + dev_remove_entry_generic_dirs($1) +') + +######################################## +## <summary> ## Allow the caller to set the attributes of ## the generic SCSI interface device nodes. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/services/ssh.te new/selinux-policy-20250703/policy/modules/services/ssh.te --- old/selinux-policy-20250618/policy/modules/services/ssh.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/services/ssh.te 2025-07-03 11:26:04.000000000 +0200 
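Review bot: `files_create_mdevctl_conf_dirs` passes the object type instead of the caller to the search helper: `files_search_etc(mdevctl_conf_t)` grants search on /etc to the file type mdevctl_conf_t, which is never a subject, and leaves the caller `$1` without it, so a domain that lacks etc search by other means cannot reach the directory it is allowed to create. It should read `files_search_etc($1)`, which is presumably what the sibling mdevctl interfaces outside this hunk do.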
@@ -334,7 +334,6 @@ kernel_search_key(sshd_t) kernel_link_key(sshd_t) -kernel_read_fs_sysctls(sshd_t) kernel_read_net_sysctls(sshd_t) files_search_all(sshd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/services/xserver.te new/selinux-policy-20250703/policy/modules/services/xserver.te --- old/selinux-policy-20250618/policy/modules/services/xserver.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/services/xserver.te 2025-07-03 11:26:04.000000000 +0200 @@ -569,7 +569,6 @@ kernel_read_system_state(xdm_t) kernel_read_device_sysctls(xdm_t) kernel_read_sysctl(xdm_t) -kernel_read_fs_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/authlogin.te new/selinux-policy-20250703/policy/modules/system/authlogin.te --- old/selinux-policy-20250618/policy/modules/system/authlogin.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/authlogin.te 2025-07-03 11:26:04.000000000 +0200 @@ -400,6 +400,7 @@ auth_etc_filetrans_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) +logging_send_audit_msgs(updpwd_t) logging_send_syslog_msg(updpwd_t) userdom_use_inherited_user_terminals(updpwd_t) @@ -438,6 +439,8 @@ logging_search_logs(utempter_t) +term_use_ptmx(utempter_t) + userdom_append_stream_userdomain(utempter_t) userdom_use_inherited_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* 
@@ -637,6 +640,7 @@ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_search_network_sysctl(login_pgm) kernel_rw_afs_state(login_pgm) +kernel_read_fs_sysctls(login_pgm) tunable_policy(`authlogin_radius',` corenet_udp_bind_all_unreserved_ports(login_pgm) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/init.fc new/selinux-policy-20250703/policy/modules/system/init.fc --- old/selinux-policy-20250618/policy/modules/system/init.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/init.fc 2025-07-03 11:26:04.000000000 +0200 @@ -68,7 +68,6 @@ /run/systemd/initctl/fifo -p gen_context(system_u:object_r:initctl_t,s0) /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0) /run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/init.if new/selinux-policy-20250703/policy/modules/system/init.if --- old/selinux-policy-20250618/policy/modules/system/init.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/init.if 2025-07-03 11:26:04.000000000 +0200 
@@ -3469,7 +3469,6 @@ ') files_pid_filetrans($1, initrc_var_run_t, file, "utmp") - files_pid_filetrans($1, init_var_run_t, file, "random-seed") files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/locallogin.te new/selinux-policy-20250703/policy/modules/system/locallogin.te --- old/selinux-policy-20250618/policy/modules/system/locallogin.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/locallogin.te 2025-07-03 11:26:04.000000000 +0200 @@ -189,6 +189,10 @@ ') optional_policy(` + gnome_exec_keyringd(local_login_t) +') + +optional_policy(` gpm_getattr_gpmctl(local_login_t) gpm_setattr_gpmctl(local_login_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/systemd.fc new/selinux-policy-20250703/policy/modules/system/systemd.fc --- old/selinux-policy-20250618/policy/modules/system/systemd.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/systemd.fc 2025-07-03 11:26:04.000000000 +0200 
@@ -53,6 +53,7 @@ /usr/lib/systemd/system/.*shutdown.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) /usr/lib/systemd/system/.*suspend.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) /usr/lib/systemd/system/systemd-userdbd\.(service|socket) -- gen_context(system_u:object_r:systemd_userdbd_unit_file_t,s0) +/usr/lib/systemd/systemd-hibernate-resume -- gen_context(system_u:object_r:systemd_hibernate_resume_exec_t,s0) /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) /usr/lib/systemd/systemd-mountfsd -- gen_context(system_u:object_r:systemd_mountfsd_exec_t,s0) 
@@ -113,19 +114,18 @@ /var/lib/portables(/.*)? gen_context(system_u:object_r:systemd_importd_var_lib_t,s0) /var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) -/var/lib/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0) -/var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0) -/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) -/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) -/var/lib/systemd/sleep(/.*)? gen_context(system_u:object_r:systemd_sleep_var_lib_t,s0) -/var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0) +/var/lib/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0) +/var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0) +/var/lib/systemd/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) +/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) +/var/lib/systemd/sleep(/.*)? gen_context(system_u:object_r:systemd_sleep_var_lib_t,s0) +/var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0) /var/lib/systemd/pcrlock.* -- gen_context(system_u:object_r:systemd_pcrlock_var_lib_t,s0) /var/lib/pcrlock\.d(/.*)? gen_context(system_u:object_r:systemd_pcrlock_var_lib_t,s0) /var/lib/private/systemd/journal-upload(/.*)? gen_context(system_u:object_r:systemd_journal_upload_var_lib_t,s0) /var/lib/private/systemd/timesync(/.*)? 
gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0) -/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) /usr/lib/systemd/resolv.* -- gen_context(system_u:object_r:lib_t,s0) -/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) /run/systemd/.+\.conf -- gen_context(system_u:object_r:systemd_conf_t,s0) /run/systemd/.+\.conf\.d -d gen_context(system_u:object_r:systemd_conf_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/systemd.if new/selinux-policy-20250703/policy/modules/system/systemd.if --- old/selinux-policy-20250618/policy/modules/system/systemd.if 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/systemd.if 2025-07-03 11:26:04.000000000 +0200 @@ -1572,6 +1572,24 @@ allow $1 systemd_unit_file_type:service start; ') +######################################## +## <summary> +## Allow the specified domain to stop all systemd services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_stop_all_services',` + gen_require(` + attribute systemd_unit_file_type; + ') + + allow $1 systemd_unit_file_type:service stop; +') + ####################################### ## <summary> ## Allow the specified domain to reload all systemd services. 
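Review bot: The new entry `/var/lib/systemd/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)` has no file-type specifier, while the systemd.if hunk below only transitions a `file` to random_seed_t; adding `--` (`/var/lib/systemd/random-seed -- gen_context(system_u:object_r:random_seed_t,mls_systemhigh)`) keeps a directory or symlink created under that name from receiving the mls_systemhigh type. The rest of this hunk is a whitespace re-alignment of six unrelated lines; mixing it with the functional change makes the random-seed move hard to spot and would be cleaner as a separate commit.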
@@ -1718,7 +1736,7 @@ ') allow $1 random_seed_t:file manage_file_perms; - files_var_lib_filetrans($1, random_seed_t, file, "random_seed") + init_var_lib_filetrans($1, random_seed_t, file, "random-seed"); ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/systemd.te new/selinux-policy-20250703/policy/modules/system/systemd.te --- old/selinux-policy-20250618/policy/modules/system/systemd.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/systemd.te 2025-07-03 11:26:04.000000000 +0200 @@ -69,6 +69,8 @@ type systemd_coredump_var_lib_t; files_type(systemd_coredump_var_lib_t) +systemd_domain_template(systemd_hibernate_resume) + systemd_domain_template(systemd_hwdb) type systemd_hwdb_unit_file_t; @@ -1334,6 +1336,15 @@ ####################################### # +# systemd_hibernate domain +# +permissive systemd_hibernate_resume_t; + +#allow systemd_hibernate_resume_t efivarfs_t:file unlink; + + +####################################### +# # systemd_hwdb domain # dontaudit systemd_hwdb_t self:capability dac_override; @@ -1385,6 +1396,7 @@ ') optional_policy(` + sssd_dontaudit_read_public_files(systemd_generator) sssd_dontaudit_search_lib(systemd_generator) ') 
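Review bot: The replacement line `init_var_lib_filetrans($1, random_seed_t, file, "random-seed");` ends with a semicolon while the line it replaces, and the `allow` and pattern calls around it, follow the file's convention of no terminator after a macro call; drop it: `init_var_lib_filetrans($1, random_seed_t, file, "random-seed")`. The change of the target name from "random_seed" to "random-seed" matches the `/var/lib/systemd/random-seed` entry added in systemd.fc and looks correct. The enclosing interface starts outside the hunk.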
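Review bot: The new systemd_hibernate_resume section in the `@@ -1334,6 +1336,15 @@` hunk ships a commented-out rule `#allow systemd_hibernate_resume_t efivarfs_t:file unlink;` with no explanation and two stray blank lines; commented-out policy is dead code nobody knows whether to restore, so either delete it or make it actionable, e.g. `# TODO: confirm from AVC logs whether systemd-hibernate-resume needs efivarfs_t:file unlink`. The section header `# systemd_hibernate domain` names a different domain than the `systemd_hibernate_resume_t` declared under it; use `# systemd_hibernate_resume domain`. Since the domain is declared `permissive`, the template from the `@@ -69,6 +69,8 @@` hunk gives it a label but no enforcement yet, and a comment stating what must be verified before the permissive line is removed would keep that step from being lost.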
@@ -2119,6 +2131,10 @@ ') optional_policy(` + logging_dgram_send(systemd_user_runtimedir_t) +') + +optional_policy(` userdom_manage_tmp_dirs(systemd_user_runtimedir_t) userdom_mounton_tmp_dirs(systemd_user_runtimedir_t) userdom_relabel_user_tmp_dirs(systemd_user_runtimedir_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/userdomain.fc new/selinux-policy-20250703/policy/modules/system/userdomain.fc --- old/selinux-policy-20250618/policy/modules/system/userdomain.fc 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/userdomain.fc 2025-07-03 11:26:04.000000000 +0200 @@ -30,6 +30,8 @@ /tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) /tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/run/tlog(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) + /run/user -d gen_context(system_u:object_r:user_tmp_t,s0) /run/user/[^/]+ -d gen_context(system_u:object_r:user_tmp_t,s0) /run/user/[^/]+/.+ <<none>> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20250618/policy/modules/system/userdomain.te new/selinux-policy-20250703/policy/modules/system/userdomain.te --- old/selinux-policy-20250618/policy/modules/system/userdomain.te 2025-06-18 17:59:23.000000000 +0200 +++ new/selinux-policy-20250703/policy/modules/system/userdomain.te 2025-07-03 11:26:04.000000000 +0200 @@ -386,6 +386,7 @@ create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) +files_pid_filetrans(login_userdomain, user_tmp_t, dir, "tlog") tunable_policy(`deny_bluetooth',`',` allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;