3 changed files with 335 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-69f08ca.tar.gz
-SOURCES/selinux-policy-contrib-58ad0c6.tar.gz
+SOURCES/selinux-policy-552905c.tar.gz
+SOURCES/selinux-policy-contrib-635888d.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-c756a5380431581b13d6c68417202e00015a7ef7 SOURCES/container-selinux.tgz
-8a5ddc921e8fdcf4b4aa42d472d064e3b64ef414 SOURCES/selinux-policy-69f08ca.tar.gz
-7bc2148eecd91474263b434a411e26732319fe6f SOURCES/selinux-policy-contrib-58ad0c6.tar.gz
+e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
+ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
+1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 69f08cae339813fbcaaad35e75a033f7ecd66037
+%global commit0 552905cb94a7790fb51586b7778d303be21692a4
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 58ad0c627362a116b66219ac502261b07800e898
+%global commit1 635888d8ead909d158ac612b59e518534c9104f4
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 114%{?dist}
+Release: 139%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -165,6 +165,7 @@ SELinux policy documentation package
 %files doc
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
+%exclude %{_mandir}/man8/container_selinux.8.gz
 %doc %{_usr}/share/doc/%{name}

 %define makeCmds() \
@ -442,7 +443,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu

 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
-sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy


@ -717,6 +718,331 @@ exit 0
 %endif

 %changelog
+* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
+- Allow wdmd read hardware state information
+Resolves: RHEL-27507
+
+* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
+- Allow wdmd list the contents of the sysfs directories
+Resolves: RHEL-27507
+- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+Resolves: RHEL-27394
+
+* Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
+- Differentiate between staff and sysadm when executing crontab with sudo
+Resolves: RHEL-1388
+- Allow su domains write login records
+Resolves: RHEL-2606
+- Revert "Allow su domains write login records"
+Resolves: RHEL-2606
+- Add crontab_admin_domtrans interface
+Resolves: RHEL-1388
+- Allow gpg manage rpm cache
+Resolves: RHEL-11249
+
+* Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
+- Transition from sudodomains to crontab_t when executing crontab_exec_t
+Resolves: RHEL-1388
+- Fix label of pseudoterminals created from sudodomain
+Resolves: RHEL-1388
+- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
+Resolves: RHEL-22500
+- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
+Resolves: RHEL-23442
+- Allow admin user read/write on fixed_disk_device_t
+Resolves: RHEL-23434
+- Only allow confined user domains to login locally without unconfined_login
+Resolves: RHEL-1628
+- Add userdom_spec_domtrans_confined_admin_users interface
+Resolves: RHEL-1628
+- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
+Resolves: RHEL-1628
+- Add userdom_spec_domtrans_admin_users interface
+Resolves: RHEL-1628
+- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
+Resolves: RHEL-1628
+- Allow utempter_t use ptmx
+Resolves: RHEL-25002
+- Dontaudit subscription manager setfscreate and read file contexts
+Resolves: RHEL-21639
+- Don't audit crontab_domain write attempts to user home
+Resolves: RHEL-1388
+- Add crontab_domtrans interface
+Resolves: RHEL-1388
+- Add dbus_manage_session_tmp_files interface
+Resolves: RHEL-22500
+- Allow httpd read network sysctls
+Resolves: RHEL-22748
+- Allow keepalived_unconfined_script_t dbus chat with init
+Resolves: RHEL-22843
+
+* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
+- Label /tmp/libdnf.* with user_tmp_t
+Resolves: RHEL-11249
+- Allow su domains write login records
+Resolves: RHEL-2606
+- Allow gpg read rpm cache
+Resolves: RHEL-11249
+- Allow unix dgram sendto between exim processes
+Resolves: RHEL-21903
+- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
+Resolves: RHEL-17687
+- Add interface for write-only access to NetworkManager rw conf
+Resolves: RHEL-17687
+- Allow conntrackd_t to use sys_admin capability
+Resolves: RHEL-22276
+
+* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
+- Allow syslog to run unconfined scripts conditionally
+Resolves: RHEL-10087
+- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
+Resolves: RHEL-10087
+- Allow collectd connect to statsd port
+Resolves: RHEL-19482
+- Allow collectd_t read network state symlinks
+Resolves: RHEL-19482
+- Allow collectd_t domain to create netlink_generic_socket sockets
+Resolves: RHEL-19482
+- Allow opafm search nfs directories
+Resolves: RHEL-19426
+- Allow mdadm list stratisd data directories
+Resolves: RHEL-21374
+
+* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
+- Label /dev/acpi_thermal_rel char device with acpi_device_t
+Resolves: RHEL-18027
+- Allow sysadm execute traceroute in sysadm_t domain using sudo
+Resolves: RHEL-9947
+- Allow sysadm execute tcpdump in sysadm_t domain using sudo
+Resolves: RHEL-15398
+- Add support for syslogd unconfined scripts
+Resolves: RHEL-10087
+- Label /dev/wmi/dell-smbios as acpi_device_t
+Resolves: RHEL-18027
+- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
+Resolves: RHEL-1954
+- Dontaudit rhsmcertd write memory device
+Resolves: RHEL-17721
+
+* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
+- Allow sudodomain read var auth files
+Resolves: RHEL-16567
+- Update cifs interfaces to include fs_search_auto_mountpoints()
+Resolves: RHEL-14072
+- Allow systemd-localed create Xserver config dirs
+Resolves: RHEL-16715
+- Label /var/run/auditd.state as auditd_var_run_t
+Resolves: RHEL-14376
+- Allow auditd read all domains process state
+Resolves: RHEL-14471
+- Allow sudo userdomain to run rpm related commands
+Resolves: RHEL-1679
+- Remove insights_client_watch_lib_dirs() interface
+Resolves: RHEL-16185
+
+* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
+- Additional permissions for ip-vrf
+Resolves: RHEL-9981
+- Allow ip an explicit domain transition to other domains
+Resolves: RHEL-9981
+- Allow  winbind_rpcd_t processes access when samba_export_all_* is on
+Resolves: RHEL-5845
+- Allow system_mail_t manage exim spool files and dirs
+Resolves: RHEL-14186
+
+* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
+- Label msmtp and msmtpd with sendmail_exec_t
+Resolves: RHEL-1678
+- Set default file context of HOME_DIR/tmp/.* to <<none>>
+Resolves: RHEL-1099
+- Improve default file context(None) of /var/lib/authselect/backups
+Resolves: RHEL-3539
+
+* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
+- Set default file context of /var/lib/authselect/backups to <<none>>
+Resolves: RHEL-3539
+- Add file context specification for /usr/libexec/realmd
+Resolves: RHEL-2147
+- Add numad the ipc_owner capability
+Resolves: RHEL-2415
+
+* Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
+- Allow ssh_agent_type manage generic cache home files
+Resolves: rhbz#2177704
+- Add chromium_sandbox_t setcap capability
+Resolves: rhbz#2221573
+
+* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
+Resolves: rhbz#2229726
+
+* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
+Resolves: rhbz#2229726
+- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
+Resolves: rhbz#2177704
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
+Resolves: rhbz#2229726
+- Make insights_client_t an unconfined domain
+Resolves: rhbz#2225527
+- Allow insights-client create all rpm logs with a correct label
+Resolves: rhbz#2229559
+- Allow insights-client manage generic logs
+Resolves: rhbz#2229559
+
+* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
+- Allow user_u and staff_u get attributes of non-security dirs
+Resolves: rhbz#2216151
+- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
+Resolves: rhbz#2221573
+- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
+Resolves: rhbz#2221573
+- Allow insights-client execmem
+Resolves: rhbz#2225233
+- Allow svnserve execute postdrop with a transition
+Resolves: rhbz#2004843
+- Do not make postfix_postdrop_t type an MTA executable file
+Resolves: rhbz#2004843
+- Allow samba-dcerpc service manage samba tmp files
+Resolves: rhbz#2210771
+- Update samba-dcerpc policy for printing
+Resolves: rhbz#2210771
+
+* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
+- Add the files_getattr_non_auth_dirs() interface
+Resolves: rhbz#2076937
+- Update policy for the sblim-sfcb service
+Resolves: rhbz#2076937
+- Dontaudit sfcbd sys_ptrace cap_userns
+Resolves: rhbz#2076937
+- Label /usr/sbin/sos with sosreport_exec_t
+Resolves: rhbz#2167731
+- Allow sa-update manage spamc home files
+Resolves: rhbz#2222200
+- Allow sa-update connect to systemlog services
+Resolves: rhbz#2222200
+- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
+Resolves: rhbz#2222200
+
+* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
+- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
+Resolves: rhbz#2213606
+- Allow httpd tcp connect to redis port conditionally
+Resolves: rhbz#2213965
+- Exclude container-selinux manpage from selinux-policy-doc
+Resolves: rhbz#2218362
+
+* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
+- Update cyrus_stream_connect() to use sockets in /run
+Resolves: rhbz#2165752
+- Allow insights-client map generic log files
+Resolves: rhbz#2214572
+- Allow insights-client work with pipe and socket tmp files
+Resolves: rhbz#2207819
+- Allow insights-client getsession process permission
+Resolves: rhbz#2207819
+- Allow keepalived to manage its tmp files
+Resolves: rhbz#2179335
+
+* Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
+- Update pkcsslotd policy for sandboxing 2/2
+Resolves: rhbz#2208162
+- Update pkcsslotd policy for sandboxing 1/2
+Resolves: rhbz#2208162
+- Allow abrt_t read kernel persistent storage files
+Resolves: rhbz#2207914
+- Add allow rules for lttng-sessiond domain
+Resolves: rhbz#2203509
+- Allow rpcd_lsad setcap and use generic ptys
+Resolves: rhbz#2107106
+- Allow samba-dcerpcd connect to systemd_machined over a unix socket
+Resolves: rhbz#2107106
+- Dontaudit targetd search httpd config dirs
+Resolves: rhbz#2203720
+
+* Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
+- Allow unconfined service inherit signal state from init
+Resolves: rhbz#2177254
+- Allow systemd-pstore delete kernel persistent storage files
+Resolves: rhbz#2181558
+- Add fs_delete_pstore_files() interface
+Resolves: rhbz#2181558
+- Allow certmonger manage cluster library files
+Resolves: rhbz#2177836
+- Allow samba-rpcd work with passwords
+Resolves: rhbz#2107106
+- Allow snmpd read raw disk data
+Resolves: rhbz#2160000
+- Allow cluster_t dbus chat with various services
+Resolves: rhbz#2196524
+
+* Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
+- Add unconfined_server_read_semaphores() interface
+Resolves: rhbz#2183351
+- Allow systemd-pstore read kernel persistent storage files
+Resolves: rhbz#2181558
+- Add fs_read_pstore_files() interface
+Resolves: rhbz#2181558
+- Allow insights-client work with teamdctl
+Resolves: rhbz#2185158
+- Allow insights-client read unconfined service semaphores
+Resolves: rhbz#2183351
+- Allow insights-client get quotas of all filesystems
+Resolves: rhbz#2183351
+
+* Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
+- Allow login_pgm setcap permission
+Resolves: rhbz#2172541
+- Label /run/fsck with fsadm_var_run_t
+Resolves: rhbz#2184348
+- Add boolean qemu-ga to run unconfined script
+Resolves: rhbz#2028762
+- Allow dovecot-deliver write to the main process runtime fifo files
+Resolves: rhbz#2170495
+- Allow certmonger dbus chat with the cron system domain
+Resolves: rhbz#2173289
+- Allow insights-client read all sysctls
+Resolves: rhbz#2177607
+
+* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
+- Fix opencryptoki file names in /dev/shm
+Resolves: rhbz#2028637
+- Allow system_cronjob_t transition to rpm_script_t
+Resolves: rhbz#2154242
+- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
+Resolves: rhbz#2154242
+- Allow httpd work with tokens in /dev/shm
+Resolves: rhbz#2028637
+- Allow keepalived to set resource limits
+Resolves: rhbz#2168638
+- Allow insights-client manage fsadm pid files
+
+* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
+- Allow sysadm_t run initrc_t script and sysadm_r role access
+Resolves: rhbz#2039662
+- Allow insights-client manage fsadm pid files
+Resolves: rhbz#2166802
+- Add journalctl the sys_resource capability
+Resolves: rhbz#2136189
+
+* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
+- Fix syntax problem in redis.te
+Resolves: rhbz#2112228
+- Allow unconfined user filetransition for sudo log files
+Resolves: rhbz#2164047
+- Allow winbind-rpcd make a TCP connection to the ldap port
+Resolves: rhbz#2152642
+- Allow winbind-rpcd manage samba_share_t files and dirs
+Resolves: rhbz#2152642
+- Allow insights-client work with su and lpstat
+Resolves: rhbz#2134125
+- Allow insights-client read nvme devices
+Resolves: rhbz#2143878
+- Allow insights-client tcp connect to all ports
+Resolves: rhbz#2143878
+- Allow redis-sentinel execute a notification script
+Resolves: rhbz#2112228
+
 * Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
 - Add interfaces in domain, files, and unconfined modules
 Resolves: rhbz#2141311