From a72b9af09762dcc19a862e27982ba855711133f3 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 30 Sep 2024 16:38:16 +0000
Subject: [PATCH] import CS selinux-policy-38.1.44-1.el9
---
 .gitignore | 2 +-
 .selinux-policy.metadata | 4 +-
 SOURCES/modules-targeted-contrib.conf | 7 +
 SPECS/selinux-policy.spec | 190 +++++++++++++++++++++++++-
 4 files changed, 198 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 60c7e81e..65a0fdc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-d1f3f7d.tar.gz
+SOURCES/selinux-policy-b98a9aa.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index c7598a2e..60324da2 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,2 +1,2 @@
-648298cca69b51546fe991f56fb6b965d35f3f70 SOURCES/container-selinux.tgz
-b24565482a167a86d3b3973ee8d4b2e299ba4895 SOURCES/selinux-policy-d1f3f7d.tar.gz
+83e255994e12003389147092377c0b3d5f51f7c3 SOURCES/container-selinux.tgz
+045b58e800983c60b5994d3d765544ccfc787c6d SOURCES/selinux-policy-b98a9aa.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 2b6228a3..9aa8fabd 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2740,3 +2740,10 @@ afterburn = module # sap_unconfined # sap = module
+
+# Layer: contrib
+# Module: bootupd
+#
+# bootupd - bootloader update daemon
+#
+bootupd = module
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 86a6da01..b2b9c574 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit d1f3f7d9fe7f0759f7f2a3f721616aa211b27274
+%global commit b98a9aa153fa314a437f7f979d06efdb191f5a24
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
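Review bot: The new `bootupd = module` entry enables the module in the targeted contrib list only; per the diffstat this import touches no other module list, so if bootupd is expected under another policy variant as well (mls, for instance) that list still lacks the entry — worth confirming against the upstream commit this import tracks. The changelog carried in this same patch records "Remove permissive domain for bootupd_t" in 38.1.38 (RHEL-22173), and bootupd_t is presumably the domain this module defines, so enabling it here means bootupd runs enforcing from first install rather than in permissive mode. A one-line pointer in the new header block, `# enforcing since 38.1.38 (permissive domain removed, RHEL-22173)`, would spare the next reader the trip to the changelog. The @@ header and its context lines are left fused above because the position of a possible blank context line cannot be recovered from this rendering.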
@@ -23,7 +23,7 @@
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 38.1.33
+Version: 38.1.44
 Release: 1%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -809,6 +809,192 @@ exit 0 %endif %changelog
+* Mon Aug 12 2024 Zdenek Pytela - 38.1.44-1
+- Allow coreos-installer-generator work with partitions
+Resolves: RHEL-38614
+- Label /etc/mdadm.conf.d with mdadm_conf_t
+Resolves: RHEL-38614
+- Change file context specification to /var/run/metadata
+Resolves: RHEL-49735
+- Allow initrc_t transition to passwd_t
+Resolves: RHEL-17404
+- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
+Resolves: RHEL-25514
+- systemd: allow sys_admin capability for systemd_notify_t
+Resolves: RHEL-25514
+- Change systemd-network-generator transition to include class file
+Resolves: RHEL-47033
+- Allow sshd_keygen_t connect to userdbd over a unix stream socket
+Resolves: RHEL-47033
+
+* Wed Jul 31 2024 Zdenek Pytela - 38.1.43-1
+- Allow rhsmcertd read/write access to /dev/papr-sysparm
+Resolves: RHEL-49599
+- Label /dev/papr-sysparm and /dev/papr-vpd
+Resolves: RHEL-49599
+- Allow rhsmcertd read, write, and map ica tmpfs files
+Resolves: RHEL-50926
+- Update afterburn file transition policy
+Resolves: RHEL-49735
+- Label /run/metadata with afterburn_runtime_t
+Resolves: RHEL-49735
+- Allow afterburn list ssh home directory
+Resolves: RHEL-49735
+- Support SGX devices
+Resolves: RHEL-50922
+- Allow systemd-pstore send a message to syslogd over a unix domain
+Resolves: RHEL-45528
+- Allow postfix_domain map postfix_etc_t files
+Resolves: RHEL-46332
+- Allow microcode create /sys/devices/system/cpu/microcode/reload
+Resolves: RHEL-26821
+- Allow svirt_tcg_t map svirt_image_t files
+Resolves: RHEL-27141
+- Allow systemd-hostnamed shut down nscd
+Resolves: RHEL-45033
+- Allow postfix_domain connect to postgresql over a unix socket
+Resolves: RHEL-6776
+
+* Thu Jul 18 2024 Zdenek Pytela - 38.1.42-1
+- Label samba certificates with samba_cert_t
+Resolves: RHEL-25724
+- Allow systemd-coredumpd the sys_chroot capability
+Resolves: RHEL-45245
+- Allow svirt_tcg_t read vm sysctls
+Resolves: RHEL-27141
+- Label /usr/sbin/samba-gpupdate with samba_gpupdate_exec_t
+Resolves: RHEL-25724
+- Label /var/run/coreos-installer-reboot with coreos_installer_var_run_t
+Resolves: RHEL-38614
+- Allow coreos-installer add systemd unit file links
+Resolves: RHEL-38614
+
+* Sun Jul 07 2024 Zdenek Pytela - 38.1.41-1
+- Differentiate between staff and sysadm when executing crontab with sudo
+Resolves: RHEL-31888
+- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
+Resolves: RHEL-25724
+- Allow unconfined_service_t transition to passwd_t
+Resolves: RHEL-17404
+- Allow sbd to trace processes in user namespace
+Resolves: RHEL-44680
+- Allow systemd-coredumpd sys_admin and sys_resource capabilities
+Resolves: RHEL-45245
+- Label /usr/lib/node_modules/npm/bin with bin_t
+Resolves: RHEL-36587
+- Support /var is empty
+Resolves: RHEL-29331
+- Allow timemaster write to sysfs files
+Resolves: RHEL-28777
+- Don't audit crontab_domain write attempts to user home
+Resolves: RHEL-31888
+- Transition from sudodomains to crontab_t when executing crontab_exec_t
+Resolves: RHEL-31888
+- Fix label of pseudoterminals created from sudodomain
+Resolves: RHEL-31888
+
+* Tue Jun 18 2024 Zdenek Pytela - 38.1.40-1
+- Allow systemd-coredump read nsfs files
+Resolves: RHEL-39937
+- Allow login_userdomain execute systemd-tmpfiles in the caller domain
+Resolves: RHEL-40374
+- Allow ptp4l_t request that the kernel load a kernel module
+Resolves: RHEL-38905
+- Allow collectd to trace processes in user namespace
+Resolves: RHEL-36293
+
+* Thu Jun 06 2024 Zdenek Pytela - 38.1.39-1
+- Add interfaces for watching and reading ifconfig_var_run_t
+Resolves: RHEL-39408
+- Allow dhcpcd use unix_stream_socket
+Resolves: RHEL-39408
+- Allow dhcpc read /run/netns files
+Resolves: RHEL-39408
+- Allow all domains read and write z90crypt device
+Resolves: RHEL-38833
+- Allow bootupd search efivarfs dirs
+Resolves: RHEL-36289
+- Move unconfined_domain(sap_unconfined_t) to an optional block
+Resolves: RHEL-37663
+
+* Thu May 16 2024 Zdenek Pytela - 38.1.38-1
+- Add boolean qemu-ga to run unconfined script
+Resolves: RHEL-31211
+- Ensure dbus communication is allowed bidirectionally
+Resolves: RHEL-35782
+- Allow logwatch_mail_t read network sysctls
+Resolves: RHEL-34135
+- Allow sysadm execute dmidecode using sudo
+Resolves: RHEL-16104
+- Allow sudodomain list files in /var
+Resolves: RHEL-16104
+- Allow various services read and write z90crypt device
+Resolves: RHEL-33361
+- Allow system_cronjob_t dbus chat with avahi_t
+Resolves: RHEL-32290
+- Allow setroubleshootd get attributes of all sysctls
+Resolves: RHEL-34078
+- Remove permissive domain for bootupd_t
+Resolves: RHEL-22173
+
+* Tue May 07 2024 Zdenek Pytela - 38.1.37-1
+- Allow numad to trace processes in user namespace
+Resolves: RHEL-33994
+- Remove permissive domain for rshim_t
+Resolves: RHEL-22173
+- Remove permissive domain for mptcpd_t
+Resolves: RHEL-22173
+- Remove permissive domain for coreos_installer_t
+Resolves: RHEL-22173
+- Remove permissive domain for afterburn_t
+Resolves: RHEL-22173
+- Update afterburn policy
+Resolves: RHEL-22173
+- Allow bootupd search EFI directory
+Resolves: RHEL-22172
+- Add the bootupd module
+Resolves: RHEL-22172
+- Add policy for bootupd
+Resolves: RHEL-22172
+- Label /dev/mmcblk0rpmb character device with removable_device_t
+Resolves: RHEL-28080
+- Differentiate between staff and sysadm when executing crontab with sudo
+Resolves: RHEL-31888
+- Add crontab_admin_domtrans interface
+Resolves: RHEL-31888
+- Add crontab_domtrans interface
+Resolves: RHEL-31888
+- Allow svirt_t read vm sysctls
+Resolves: RHEL-32296
+
+* Mon Apr 15 2024 Zdenek Pytela - 38.1.36-1
+- Allow systemd-timedated get the timemaster service status
+Resolves: RHEL-25978
+- postfix: allow qmgr to delete mails in bounce/ directory
+Resolves: RHEL-30271
+- Allow NetworkManager the sys_ptrace capability in user namespace
+Resolves: RHEL-24346
+- Label /dev/iommu with iommu_device_t
+Resolves: RHEL-22063
+- Allow qemu-ga read vm sysctls
+Resolves: RHEL-31892
+- Update repository link and branches names for c9s
+Related: RHEL-22960
+
+* Thu Mar 14 2024 Zdenek Pytela - 38.1.35-2
+- Rebuild
+Resolves: RHEL-26663
+
+* Fri Mar 08 2024 Zdenek Pytela - 38.1.35-1
+- Allow wdmd read hardware state information
+Resolves: RHEL-26663
+
+* Fri Mar 08 2024 Zdenek Pytela - 38.1.34-1
+- Allow wdmd list the contents of the sysfs directories
+Resolves: RHEL-26663
+- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+Resolves: RHEL-26660
+
 * Thu Feb 22 2024 Juraj Marcin - 38.1.33-1
 - Allow thumb_t to watch and watch_reads mount_var_run_t
 Resolves: RHEL-26073