Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2025-11-05 16:17:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Nov 5 16:17:56 2025 rev:134 rq:1315475 version:20251104 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2025-10-23 16:35:51.950398206 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1980/selinux-policy.changes 2025-11-05 16:20:02.018440131 +0100 @@ -1,0 +2,29 @@ +Tue Nov 04 10:49:30 UTC 2025 - Robert Frohl <[email protected]> + +- Update to version 20251104: + * Fix syntax error in userdomain.if + * Allow nnp_transition for OpenSMTPD (bsc#1252431) + * Allow ras-mc-ctl get attributes of the kmod executable + * Define file equivalency for /var/opt + * Allow virtnodedev_t the perfmon capability + * Allow nut_upsdrvctl_t the sys_ptrace capability + * Label /usr/lib/systemd/user/graphical-session-pre.target with xdm_unit_file_t + * systemd-sysctl: allow rw on binfm_misc_fs_t to set binfmt_misc status + * Allow cupsd to manage cupsd_rw_etc_t lnk_files + * Set temporary no-stub resolv.conf file from NetworkManager as net_conf_t + * Allow spamc read aliases file + * Mark configfs_t as mountpoint (bsc#1246080) + * Allow systemd-machined watch cgroup files + * Allow sshd-auth read generic proc files + * Allow sshd-auth read and write user domain ptys + * Allow logwatch read and write sendmail unix stream sockets + * Allow logwatch domain transition on rpm execution + * Allow thumb_t mounton its private tmpfs files + * Allow thumb_t create permission in the user namespace + * Allow corenet_unconfined_type name_bind to icmp_socket + * Allow systemd-networkd to manage systemd_networkd_var_lib_t files + * Allow sshd-session get attributes of sshd vsock socket +- Syncing with upstream rawhide selinux-policy up to: + * 95151e3c777301fd291f4db363a6bb24cad8c414 + +------------------------------------------------------------------- Old: ---- selinux-policy-20251021.tar.xz New: ---- selinux-policy-20251104.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.IWtxAk/_old 2025-11-05 16:20:03.338495562 +0100 +++ /var/tmp/diff_new_pack.IWtxAk/_new 2025-11-05 16:20:03.338495562 +0100 @@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20251021 +Version: 20251104 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.IWtxAk/_old 2025-11-05 16:20:03.414498753 +0100 +++ /var/tmp/diff_new_pack.IWtxAk/_new 2025-11-05 16:20:03.426499257 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">d6c73e869d97cca1ef6c45c3e888339d57c887c5</param></service></servicedata> + <param name="changesrevision">ccddfe7e5f5e9e07bdcbca1818bf024900816684</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20251021.tar.xz -> selinux-policy-20251104.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/config/file_contexts.subs_dist new/selinux-policy-20251104/config/file_contexts.subs_dist --- old/selinux-policy-20251021/config/file_contexts.subs_dist 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/config/file_contexts.subs_dist 2025-11-04 11:48:20.000000000 +0100 @@ -35,6 +35,7 @@ /bin /usr/bin /usr/etc /etc /usr/sbin /usr/bin +/var/opt /opt # SUSE-specific section /var/run/lock /var/lock diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/antivirus.fc new/selinux-policy-20251104/policy/modules/contrib/antivirus.fc --- old/selinux-policy-20251021/policy/modules/contrib/antivirus.fc 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/antivirus.fc 2025-11-04 11:48:20.000000000 +0100 @@ -27,7 +27,6 @@ /var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0) -/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/apache.fc new/selinux-policy-20251104/policy/modules/contrib/apache.fc --- old/selinux-policy-20251021/policy/modules/contrib/apache.fc 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/apache.fc 2025-11-04 11:48:20.000000000 +0100 @@ -133,7 +133,6 @@ /var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -162,7 +161,7 @@ /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/php-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -183,7 +182,6 @@ /run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) /run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) /run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/cups.te new/selinux-policy-20251104/policy/modules/contrib/cups.te --- old/selinux-policy-20251021/policy/modules/contrib/cups.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/cups.te 2025-11-04 11:48:20.000000000 +0100 @@ -160,6 +160,7 @@ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) cups_filetrans_named_content(cupsd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/logwatch.te new/selinux-policy-20251104/policy/modules/contrib/logwatch.te --- old/selinux-policy-20251021/policy/modules/contrib/logwatch.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/logwatch.te 2025-11-04 11:48:20.000000000 +0100 @@ -182,11 +182,16 @@ ') optional_policy(` + rpm_domtrans(logwatch_t) +') + +optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') optional_policy(` + sendmail_rw_unix_stream_sockets(logwatch_t) sendmail_stream_connect(logwatch_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/mta.if new/selinux-policy-20251104/policy/modules/contrib/mta.if --- old/selinux-policy-20251021/policy/modules/contrib/mta.if 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/mta.if 2025-11-04 11:48:20.000000000 +0100 @@ -229,6 +229,7 @@ ') init_system_domain($1, sendmail_exec_t) + init_nnp_daemon_domain($1) typeattribute $1 mailserver_domain; ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/nut.te new/selinux-policy-20251104/policy/modules/contrib/nut.te --- old/selinux-policy-20251021/policy/modules/contrib/nut.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/nut.te 2025-11-04 11:48:20.000000000 +0100 @@ -127,7 +127,7 @@ # Local policy for upsdrvctl # -allow nut_upsdrvctl_t self:capability { kill }; +allow nut_upsdrvctl_t self:capability { kill sys_ptrace }; allow nut_upsdrvctl_t self:fd use; allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; allow nut_upsdrvctl_t self:udp_socket create_socket_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/rasdaemon.te new/selinux-policy-20251104/policy/modules/contrib/rasdaemon.te --- old/selinux-policy-20251021/policy/modules/contrib/rasdaemon.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/rasdaemon.te 2025-11-04 11:48:20.000000000 +0100 @@ -42,7 +42,7 @@ fs_mount_tracefs(rasdaemon_t) fs_unmount_tracefs(rasdaemon_t) -modutils_dontaudit_exec_kmod(rasdaemon_t) # more info here #1030277 +modutils_getattr_kmod_exec(rasdaemon_t) auth_use_nsswitch(rasdaemon_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/redis.fc new/selinux-policy-20251104/policy/modules/contrib/redis.fc --- old/selinux-policy-20251021/policy/modules/contrib/redis.fc 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/redis.fc 2025-11-04 11:48:20.000000000 +0100 @@ -20,6 +20,3 @@ /run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) /run/valkey(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) - - -/var/opt/rh/rh-redis32/redis(/.*)? -- gen_context(system_u:object_r:redis_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/spamassassin.te new/selinux-policy-20251104/policy/modules/contrib/spamassassin.te --- old/selinux-policy-20251021/policy/modules/contrib/spamassassin.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/spamassassin.te 2025-11-04 11:48:20.000000000 +0100 @@ -371,6 +371,10 @@ ') optional_policy(` + mta_read_aliases(spamc_t) +') + +optional_policy(` milter_manage_spamass_state(spamc_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/thumb.te new/selinux-policy-20251104/policy/modules/contrib/thumb.te --- old/selinux-policy-20251021/policy/modules/contrib/thumb.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/thumb.te 2025-11-04 11:48:20.000000000 +0100 @@ -43,6 +43,7 @@ allow thumb_t self:tcp_socket create_socket_perms; allow thumb_t self:shm create_shm_perms; allow thumb_t self:sem create_sem_perms; +allow thumb_t self:user_namespace create; manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t) manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) @@ -63,7 +64,7 @@ manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file }) -allow thumb_t thumb_tmpfs_t:file execute; +allow thumb_t thumb_tmpfs_t:file { execute mounton }; can_exec(thumb_t, thumb_exec_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/contrib/virt.te new/selinux-policy-20251104/policy/modules/contrib/virt.te --- old/selinux-policy-20251021/policy/modules/contrib/virt.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/contrib/virt.te 2025-11-04 11:48:20.000000000 +0100 @@ -2054,6 +2054,7 @@ # virtnodedevd local policy # allow virtnodedevd_t self:capability { net_admin sys_admin }; +allow virtnodedevd_t self:capability2 perfmon; allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; allow virtnodedevd_t self:process { setsched }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/kernel/corenetwork.te.in new/selinux-policy-20251104/policy/modules/kernel/corenetwork.te.in --- old/selinux-policy-20251021/policy/modules/kernel/corenetwork.te.in 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/kernel/corenetwork.te.in 2025-11-04 11:48:20.000000000 +0100 @@ -476,7 +476,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. -allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind; +allow corenet_unconfined_type port_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } name_bind; allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind; # Infiniband diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/services/ssh.te new/selinux-policy-20251104/policy/modules/services/ssh.te --- old/selinux-policy-20251021/policy/modules/services/ssh.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/services/ssh.te 2025-11-04 11:48:20.000000000 +0100 @@ -94,6 +94,7 @@ allow sshd_net_t sshd_session_t:unix_stream_socket { read write }; allow sshd_session_t sshd_t:tcp_socket { getattr getopt read setopt write }; allow sshd_session_t sshd_t:unix_stream_socket { read write }; +allow sshd_session_t sshd_t:vsock_socket { getattr }; allow sshd_session_t ssh_home_t:dir relabelto; allow sshd_session_t ssh_home_t:file relabelto; @@ -172,6 +173,8 @@ allow sshd_auth_t sshd_t:tcp_socket { getattr read write }; allow sshd_auth_t sshd_session_t:unix_stream_socket { read write }; +kernel_read_proc_files(sshd_auth_t) + optional_policy(` auth_use_nsswitch(sshd_auth_t) ') @@ -181,6 +184,10 @@ seutil_read_config(sshd_auth_t) ') +optional_policy(` + userdom_use_user_ptys(sshd_auth_t) +') + ### ### End of policy for session and auth ### diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/services/xserver.fc new/selinux-policy-20251104/policy/modules/services/xserver.fc --- old/selinux-policy-20251021/policy/modules/services/xserver.fc 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/services/xserver.fc 2025-11-04 11:48:20.000000000 +0100 @@ -93,6 +93,7 @@ # /usr/lib/systemd/user/.*gnome.*\.(service|target) -- gen_context(system_u:object_r:xdm_unit_file_t,s0) +/usr/lib/systemd/user/graphical-session-pre.target -- gen_context(system_u:object_r:xdm_unit_file_t,s0) /usr/lib/systemd/user/plasma-.*\.(service|target) -- gen_context(system_u:object_r:xdm_unit_file_t,s0) /usr/bin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/system/authlogin.fc new/selinux-policy-20251104/policy/modules/system/authlogin.fc --- old/selinux-policy-20251021/policy/modules/system/authlogin.fc 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/system/authlogin.fc 2025-11-04 11:48:20.000000000 +0100 @@ -48,8 +48,6 @@ /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/system/modutils.if new/selinux-policy-20251104/policy/modules/system/modutils.if --- old/selinux-policy-20251021/policy/modules/system/modutils.if 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/system/modutils.if 2025-11-04 11:48:20.000000000 +0100 @@ -200,6 +200,25 @@ ######################################## ## <summary> +## Get attributes of the kmod executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`modutils_getattr_kmod_exec',` + gen_require(` + type kmod_exec_t; + ') + + corecmd_search_bin($1) + allow $1 kmod_exec_t:file getattr; +') + +######################################## +## <summary> ## Unconditionally execute insmod in the insmod domain. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/system/sysnetwork.if new/selinux-policy-20251104/policy/modules/system/sysnetwork.if --- old/selinux-policy-20251021/policy/modules/system/sysnetwork.if 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/system/sysnetwork.if 2025-11-04 11:48:20.000000000 +0100 @@ -1199,6 +1199,7 @@ optional_policy(` networkmanager_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf") + networkmanager_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf.tmp") networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/system/systemd.te new/selinux-policy-20251104/policy/modules/system/systemd.te --- old/selinux-policy-20251021/policy/modules/system/systemd.te 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/system/systemd.te 2025-11-04 11:48:20.000000000 +0100 @@ -600,6 +600,7 @@ fs_read_nsfs_files(systemd_machined_t) fs_read_tmpfs_symlinks(systemd_machined_t) fs_cgroup_write_memory_pressure(systemd_machined_t) +fs_watch_cgroup_files(systemd_machined_t) fs_write_tmpfs_socket_files(systemd_machined_t) init_dbus_chat(systemd_machined_t) @@ -678,7 +679,7 @@ allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms; allow systemd_networkd_t systemd_networkd_var_lib_t:dir {create_dir_perms list_dir_perms}; -create_files_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t) +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t) manage_files_pattern(systemd_networkd_t, systemd_networkd_tmpfs_t, systemd_networkd_tmpfs_t) fs_tmpfs_filetrans(systemd_networkd_t, systemd_networkd_tmpfs_t, file) @@ -1315,6 +1316,9 @@ files_read_system_conf_files(systemd_sysctl_t) +# fs.binfmt_misc.status +fs_register_binary_executable_type(systemd_sysctl_t) + dev_write_kmsg(systemd_sysctl_t) domain_use_interactive_fds(systemd_sysctl_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20251021/policy/modules/system/userdomain.if new/selinux-policy-20251104/policy/modules/system/userdomain.if --- old/selinux-policy-20251021/policy/modules/system/userdomain.if 2025-10-21 11:05:47.000000000 +0200 +++ new/selinux-policy-20251104/policy/modules/system/userdomain.if 2025-11-04 11:48:20.000000000 +0100 @@ -6078,7 +6078,7 @@ ## </param> # template(`userdom_read_home_certs_tunable',` - tunable_policy($1, ` + tunable_policy(`$1', ` userdom_read_home_certs_common($2) ')
