import CS selinux-policy-38.1.53-2.el9

2025-03-10 14:08:47 +00:00 · 2025-03-10 14:08:47 +00:00 · eb5a63439c
commit eb5a63439c
parent a72b9af097
10 changed files with 3531 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-b98a9aa.tar.gz
+SOURCES/selinux-policy-cc59490.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,2 +1,2 @@
-83e255994e12003389147092377c0b3d5f51f7c3 SOURCES/container-selinux.tgz
-045b58e800983c60b5994d3d765544ccfc787c6d SOURCES/selinux-policy-b98a9aa.tar.gz
+a6acf76b8744f1607164ec6d69706cd02d618948 SOURCES/container-selinux.tgz
+b05ddf5a0fa6d702fd1bbb0f041c19ecda799ea2 SOURCES/selinux-policy-cc59490.tar.gz
--- a/SOURCES/booleans-automotive.conf
+++ b/SOURCES/booleans-automotive.conf
@ -0,0 +1,15 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+pppd_can_insmod = false
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+use_virtualbox = true
--- a/SOURCES/modules-automotive-base.conf
+++ b/SOURCES/modules-automotive-base.conf
@ -0,0 +1,604 @@
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: contrib
+# Module: fwupd
+#
+# fwupd is a daemon to allow session software to update device firmware.
+#
+fwupd = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: contrib
+# Module: journalctl
+#
+# journalctl policy
+#
+journalctl = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: rpcbind
+#
+#  universal addresses to RPC program number mapper
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+#
+#
+ubac = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfined = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+
--- a/SOURCES/modules-automotive-contrib.conf
+++ b/SOURCES/modules-automotive-contrib.conf
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -2747,3 +2747,24 @@ sap = module
 #  bootupd - bootloader update daemon
 #
 bootupd = module
+
+# Layer: contrib
+# Module: iiosensorproxy
+#
+# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
+#
+iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module
+
+# Layer: system
+# Module: switcheroo
+#
+# Policy for switcheroo-control: D-Bus service to check dual GPU availability
+#
+switcheroo = module
--- a/SOURCES/securetty_types-automotive
+++ b/SOURCES/securetty_types-automotive
@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
--- a/SOURCES/setrans-automotive.conf
+++ b/SOURCES/setrans-automotive.conf
@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
--- a/SOURCES/users-automotive
+++ b/SOURCES/users-automotive
@ -0,0 +1,39 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix will not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit b98a9aa153fa314a437f7f979d06efdb191f5a24
+%global commit cc594909ed91e01158de01b5d43673ba2e5c8967
 %global shortcommit %(c=%{commit}; echo ${c:0:7})

 %define distro redhat
@ -18,13 +18,16 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
+%if %{?BUILD_AUTOMOTIVE:0}%{!?BUILD_AUTOMOTIVE:1}
+%define BUILD_AUTOMOTIVE 1
+%endif
 %define POLICYVER 33
 %define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 38.1.44
-Release: 1%{?dist}
+Version: 38.1.53
+Release: 2%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
@ -61,6 +64,13 @@ Source35: container-selinux.tgz

 Source36: selinux-check-proper-disable.service

+Source37: modules-automotive-base.conf
+Source38: modules-automotive-contrib.conf
+Source39: booleans-automotive.conf
+Source40: users-automotive
+Source41: setrans-automotive.conf
+Source42: securetty_types-automotive
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros

@ -169,6 +179,7 @@ This package contains manual pages and documentation of the policy modules.
 %files doc
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
+%exclude %{_mandir}/man8/container_selinux.8.gz
 %doc %{_datadir}/doc/%{name}

 %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -407,7 +418,7 @@ end
 tar -C policy/modules/contrib -xf %{SOURCE35}

 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32} %{SOURCE37} %{SOURCE38} %{SOURCE39} %{SOURCE40} %{SOURCE41} %{SOURCE42};do
 cp $i selinux_config
 done

@ -424,8 +435,8 @@ mkdir -p %{buildroot}%{_bindir}
 install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/

 # Always create policy module package directories
-mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,automotive,modules}/
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,automotive,modules}/

 mkdir -p %{buildroot}%{_datadir}/selinux/packages

@ -465,8 +476,17 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %nonBaseModulesList mls
 %endif

+%if %{BUILD_AUTOMOTIVE}
+# Build automotive policy
+%makeCmds automotive mcs allow
+%makeModulesConf automotive base contrib
+%installCmds automotive mcs allow
+%modulesList automotive
+%nonBaseModulesList automotive
+%endif
+
 # remove leftovers when save-previous=true (semanage.conf) is used
-rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls,automotive}/previous

 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
@ -738,6 +758,83 @@ exit 0
 %fileList minimum
 %endif

+%if %{BUILD_AUTOMOTIVE}
+%package automotive
+Summary: SELinux automotive policy
+Provides: selinux-policy-any = %{version}-%{release}
+Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts:  seedit
+Conflicts: container-selinux <= 1.9.0-9
+
+%description automotive
+SELinux automotive policy package.
+
+%pretrans automotive -p <lua>
+%backupConfigLua
+
+%pre automotive
+%preInstall automotive
+if [ $1 -ne 1 ]; then
+    %{_sbindir}/semodule -s automotive --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/automotive/instmodules.lst
+fi
+
+%post automotive
+%checkConfigConsistency automotive
+contribpackages=`cat %{_datadir}/selinux/automotive/modules-contrib.lst`
+basepackages=`cat %{_datadir}/selinux/automotive/modules-base.lst`
+if [ ! -d %{_sharedstatedir}/selinux/automotive/active/modules/disabled ]; then
+    mkdir %{_sharedstatedir}/selinux/automotive/active/modules/disabled
+fi
+if [ $1 -eq 1 ]; then
+for p in $contribpackages; do
+    touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $basepackages apache dbus inetd kerberos mta nis; do
+    rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
+%{_sbindir}/semodule -B -s automotive
+else
+instpackages=`cat %{_datadir}/selinux/automotive/instmodules.lst`
+for p in $contribpackages; do
+    touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $instpackages apache dbus inetd kerberos mta nis; do
+    rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/semodule -B -s automotive
+%relabel automotive
+fi
+exit 0
+
+%posttrans automotive
+%checkConfigConsistency automotive
+
+%postun automotive
+if [ $1 = 0 ]; then
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
+    if [ "$SELINUXTYPE" = "automotive" ]; then
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+%files automotive -f %{buildroot}%{_datadir}/selinux/automotive/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/sysadm_u
+%fileList automotive
+%endif
+
 %if %{BUILD_MLS}
 %package mls
 Summary: SELinux MLS policy
@ -809,6 +906,165 @@ exit 0
 %endif

 %changelog
+* Fri Feb 07 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.53-1
+- Allow svirt_t to connect to nbdkit over a unix stream socket
+Resolves: RHEL-56029
+- Allow power-profiles-daemon the bpf capability
+Resolves: RHEL-61117
+- Allow systemd-machined the kill user-namespace capability
+Resolves: RHEL-76352
+
+* Fri Jan 31 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.52-1
+- Add the files_read_root_files() interface
+Resolves: RHEL-70849
+- Dontaudit systemd-logind remove all files
+Resolves: RHEL-59145
+- Add the files_dontaudit_read_all_dirs() interface
+Resolves: RHEL-59145
+- Add the files_dontaudit_delete_all_files() interface
+Resolves: RHEL-59145
+- Allow rhsmcertd notify virt-who
+Resolves: RHEL-77152
+- Allow irqbalance to run unconfined scripts conditionally
+Resolves: RHEL-1556
+- Backport bootupd policy from current Fedora rawhide
+Resolves: RHEL-70849
+- Support using systemd containers
+Resolves: RHEL-76352
+- Allow svirt_t connect to unconfined_t over a unix domain socket
+Resolves: RHEL-37539
+- Allow virt_domain to use pulseaudio - conditional
+Resolves: RHEL-1379
+- Allow telnetd read network sysctls
+Resolves: RHEL-58825
+- Allow alsa watch generic device directories
+Resolves: RHEL-61472
+- Update switcheroo policy
+Resolves: RHEL-24268
+
+* Wed Jan 15 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.51-1
+- Allow rsyslog read systemd-logind session files
+Resolves: RHEL-73839
+- Allow samba-bgqd connect to cupsd over an unix domain stream socket
+Resolves: RHEL-72860
+- Allow svirt_t read sysfs files
+Resolves: RHEL-70839
+- Allow xdm dbus chat with power-profiles-daemon
+Resolves: RHEL-61117
+- Update power-profiles-daemon policy
+Resolves: RHEL-61117
+- Confine power-profiles-daemon
+Resolves: RHEL-61117
+- Allow virtqemud domain transition to nbdkit
+Resolves: RHEL-56029
+- Add nbdkit interfaces defined conditionally
+Resolves: RHEL-56029
+- Confine the switcheroo-control service
+Resolves: RHEL-24268
+
+* Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.50-1
+- Allow auditctl signal auditd
+Resolves: RHEL-68969
+- Fix the cups_read_pid_files() interface to use read_files_pattern
+Resolves: RHEL-69517
+- Dontaudit systemd-coredump the sys_resource capability
+Resolves: RHEL-46339
+- Allow rpcd read network sysctls
+Resolves: RHEL-1558
+- Allow irqbalance setpcap capability in the user namespace
+Resolves: RHEL-69564
+- Allow traceroute_t bind rawip sockets to unreserved ports
+Resolves: RHEL-54561
+- Allow svirt_t the sys_rawio capability
+Resolves: RHEL-56955
+- Change /run/sysctl\.d(/.*)? fc entry to /var/run/sysctl\.d(/.*)?
+Resolves: RHEL-56988
+- Exclude container-selinux manpage from selinux-policy-doc
+Resolves: RHEL-69916
+
+* Fri Dec 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.49-1
+- Update virtlogd policy
+Resolves: RHEL-69433
+- Allow svirt_t the sys_rawio capability
+Resolves: RHEL-56955
+- Allow qemu-ga the dac_override and dac_read_search capabilities
+Resolves: RHEL-52476
+- Allow ip the setexec permission
+Resolves: RHEL-62923
+- Allow alsa get attributes filesystems with extended attributes
+Resolves: RHEL-61472
+- Allow bacula execute container in the container domain
+Resolves: RHEL-21168
+- Allow httpd get attributes of dirsrv unit files
+Resolves: RHEL-46808
+- Update samba-bgqd policy
+Resolves: RHEL-69517
+- Allow samba-bgqd read cups config files
+Resolves: RHEL-69517
+- Update policy for samba-bgqd
+Resolves: RHEL-69517
+- Update bootupd policy for the removing-state-file test
+Resolves: RHEL-66584
+- Allow qatlib search the content of the kernel debugging filesystem
+Resolves: RHEL-53864
+- Allow qatlib connect to systemd-machined over a unix socket
+Resolves: RHEL-53864
+- Update qatlib policy for v24.02 with new features
+Resolves: RHEL-53864
+
+* Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.48-1
+- Revert "Allow unconfined_t execute kmod in the kmod domain"
+Resolves: RHEL-65008
+- Add policy for /usr/libexec/samba/samba-bgqd
+Resolves: RHEL-53124
+
+* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.47-1
+- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
+Resolves: RHEL-56988
+- Allow lldpad create and use netlink_generic_socket
+Resolves: RHEL-61832
+- Allow unconfined_t execute kmod in the kmod domain
+Resolves: RHEL-54710
+- Allow confined users r/w to screen unix stream socket
+Resolves: RHEL-50379
+- Label /root/.screenrc and /root/.tmux.conf with screen_home_t
+Resolves: RHEL-50375
+- Allow iio-sensor-proxy the bpf capability
+Resolves: RHEL-17346
+
+* Fri Oct 11 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.46-1
+- Rebuild
+
+* Thu Oct 10 2024 Zdenek Pytela <zpytela@redhat.com> - 35.1.46-1
+- Label /run/modprobe.d with modules_conf_t
+Resolves: RHEL-61453
+- Allow boothd connect to kernel over a unix socket
+Resolves: RHEL-57104
+- Allow boothd connect to systemd-userdbd over a unix socket
+Resolves: RHEL-57104
+- Additional updates stalld policy for bpf usage
+Resolves: RHEL-57075
+- Update stalld policy for bpf usage
+Resolves: RHEL-57075
+- Allow ptp4l the sys_admin capability
+Resolves: RHEL-55133
+- Label /dev/hfi1_[0-9]+ devices
+Resolves: RHEL-54996
+- Confine iio-sensor-proxy
+Resolves: RHEL-17346
+
+* Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-3
+- Rebuild
+Resolves: RHEL-55414
+
+* Wed Sep 04 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-2
+- Rebuild
+Resolves: RHEL-55414
+
+* Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-1
+- Allow setsebool_t relabel selinux data files
+Resolves: RHEL-55414
+
 * Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.44-1
 - Allow coreos-installer-generator work with partitions
 Resolves: RHEL-38614