Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2026-05-16 19:23:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sat May 16 19:23:47 2026 rev:158 rq:1353333 version:20260508 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2026-05-05 15:16:01.656814856 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1966/selinux-policy.changes 2026-05-16 19:24:10.117161725 +0200 
@@ -1,0 +2,25 @@ +Fri May 08 08:16:46 UTC 2026 - Cathy Hu <[email protected]> + +- Update to version 20260508: + * Add boolean ntp_refclock_access (bsc#1262711) + * Add /var/log/ntp in ntp named filetrans interface (bsc#1262711) + * Allow thump_t setattr on thumb_tmp_t lnk_files + * Allow accounts-daemon read accountsd_share_t symlinks (bsc#1262502) + * Label /usr/bin/sudo-rs and /usr/bin/su-rs + * Allow pwupdd to read cracklib (bsc#1259138) + * Allow pwupdd to log to audit log (bsc#1259138) + * Move accountutils_pwaccessd_varlink_socket_connect from auth_use_pam (bsc#1259138) + * Allow gpsd the setcap process capability + * Add note about the process to merge template + * Add mgetty_allow_sendfax boolean (bsc#1258666) + * Do not backslash-escape underscores in file context specifications + * Label /var/log/mgetty.* getty_log_t (bsc#1258666) + * Allow systemd_homework_t to delete systemd_homed_record_t dirs (bsc#1261359) + * Allow sshd-auth/sshd-session get attributes of their sshd parent + * Allow systemd-tmpfiles to adjust resource limits + * Allow logwatch to getattr nsfs files + * Allow xdm dbus chat with rhsmcertd + * Allow dhcpc_hook_t unix_dgram_socket and module_request + * Allow accountsd list accountsd_share_t dirs + +------------------------------------------------------------------- Old: ---- selinux-policy-20260414.tar.xz New: ---- selinux-policy-20260508.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.VfFpEl/_old 2026-05-16 19:24:11.309210510 +0200 +++ /var/tmp/diff_new_pack.VfFpEl/_new 2026-05-16 19:24:11.309210510 +0200 
@@ -36,7 +36,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20260414 +Version: 20260508 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.VfFpEl/_old 2026-05-16 19:24:11.389213784 +0200 +++ /var/tmp/diff_new_pack.VfFpEl/_new 2026-05-16 19:24:11.393213948 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">8ccf71e134fe4abf3548618c2cf9355af242c5d6</param></service></servicedata> + <param name="changesrevision">fe697f497b48735dcd1335b50baf1aa5c2b009ff</param></service></servicedata> (No newline at EOF) ++++++ selinux-policy-20260414.tar.xz -> selinux-policy-20260508.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/.gitlab/merge_request_templates/default.md new/selinux-policy-20260508/.gitlab/merge_request_templates/default.md --- old/selinux-policy-20260414/.gitlab/merge_request_templates/default.md 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/.gitlab/merge_request_templates/default.md 2026-05-08 10:15:50.000000000 +0200 @@ -5,3 +5,6 @@ - [ ] if N/A, add a short statement why: TODO - [ ] verified if a backport is needed (e.g. to branches like slfo-1.2) +<!--- +NOTE: If you open the PR, then it is expected that you merge it after the review. +--> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/admin/su.fc new/selinux-policy-20260508/policy/modules/admin/su.fc --- old/selinux-policy-20260414/policy/modules/admin/su.fc 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/admin/su.fc 2026-05-08 10:15:50.000000000 +0200 
@@ -1,3 +1,4 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su-rs -- gen_context(system_u:object_r:su_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/admin/sudo.fc new/selinux-policy-20260508/policy/modules/admin/sudo.fc --- old/selinux-policy-20260414/policy/modules/admin/sudo.fc 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/admin/sudo.fc 2026-05-08 10:15:50.000000000 +0200 @@ -1,5 +1,6 @@ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) +/usr/bin/sudo-rs -- gen_context(system_u:object_r:sudo_exec_t,s0) /var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/account-utils.te new/selinux-policy-20260508/policy/modules/contrib/account-utils.te --- old/selinux-policy-20260414/policy/modules/contrib/account-utils.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/account-utils.te 2026-05-08 10:15:50.000000000 +0200 
@@ -123,12 +123,15 @@ logging_create_devlog_dev(pwupdd_t) logging_read_syslog_pid(pwupdd_t) +logging_send_audit_msgs(pwupdd_t) logging_write_syslog_pid_socket(pwupdd_t) selinux_compute_access_vector(pwupdd_t) selinux_read_security_files(pwupdd_t) selinux_set_enforce_mode(pwupdd_t) +usermanage_read_crack_db(pwupdd_t) + accountutils_pwaccessd_varlink_socket_connect(pwupdd_t) permissive pwupdd_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/accountsd.te new/selinux-policy-20260508/policy/modules/contrib/accountsd.te --- old/selinux-policy-20260414/policy/modules/contrib/accountsd.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/accountsd.te 2026-05-08 10:15:50.000000000 +0200 @@ -38,6 +38,8 @@ allow accountsd_t self:passwd { rootok passwd chfn chsh }; read_files_pattern(accountsd_t, accountsd_share_t, accountsd_share_t) +read_lnk_files_pattern(accountsd_t, accountsd_share_t, accountsd_share_t) +list_dirs_pattern(accountsd_t, accountsd_share_t, accountsd_share_t) watch_dirs_pattern(accountsd_t, accountsd_share_t, accountsd_share_t) manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/gpsd.te new/selinux-policy-20260508/policy/modules/contrib/gpsd.te --- old/selinux-policy-20260414/policy/modules/contrib/gpsd.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/gpsd.te 2026-05-08 10:15:50.000000000 +0200 
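Review bot: The context line `permissive pwupdd_t;` at the end of the hunk means the two added rules, `logging_send_audit_msgs(pwupdd_t)` and `usermanage_read_crack_db(pwupdd_t)`, are not exercised by enforcement, so any access they still fail to cover goes unnoticed. Neither rule carries a why-comment; the changelog ties both to bsc#1259138, which is worth recording beside them (the hunk itself does not show which pwupdd operation needs each), e.g. `# bsc#1259138: audit logging and cracklib dictionary check for password updates`. A `# TODO: drop permissive once the rules above are verified in enforcing mode` on the permissive line would keep the temporary state visible.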
@@ -33,7 +33,7 @@ allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; dontaudit gpsd_t self:capability { sys_ptrace dac_read_search }; allow gpsd_t self:cap_userns sys_ptrace; -allow gpsd_t self:process { setsched signal_perms getsession }; +allow gpsd_t self:process { setcap setsched signal_perms getsession }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; allow gpsd_t self:tcp_socket { accept listen }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/kerberos.fc new/selinux-policy-20260508/policy/modules/contrib/kerberos.fc --- old/selinux-policy-20260414/policy/modules/contrib/kerberos.fc 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/kerberos.fc 2026-05-08 10:15:50.000000000 +0200 
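Review bot: The `setcap` permission added to `allow gpsd_t self:process { setcap setsched signal_perms getsession };` has no comment explaining what gpsd does with it. `process:setcap` lets a process rewrite its own capability sets, so alongside the existing `setuid setgid` it presumably completes gpsd's privilege drop after device setup; the diff does not show that, so confirm against the gpsd source before recording it. If confirmed, `# setcap: gpsd drops its capabilities after initialisation` on the line saves the next reader the lookup.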
@@ -21,12 +21,12 @@ /usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/bin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/bin/_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/kerberos/sbin/_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) /usr/bin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) -/usr/bin/\_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) +/usr/bin/_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) /usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/logwatch.te new/selinux-policy-20260508/policy/modules/contrib/logwatch.te --- old/selinux-policy-20260414/policy/modules/contrib/logwatch.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/logwatch.te 2026-05-08 10:15:50.000000000 +0200 
@@ -93,6 +93,7 @@ fs_getattr_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) fs_getattr_all_dirs(logwatch_t) +fs_getattr_nsfs_files(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) storage_dontaudit_getattr_fixed_disk_dev(logwatch_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/ntp.if new/selinux-policy-20260508/policy/modules/contrib/ntp.if --- old/selinux-policy-20260414/policy/modules/contrib/ntp.if 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/ntp.if 2026-05-08 10:15:50.000000000 +0200 @@ -310,11 +310,13 @@ gen_require(` type ntp_conf_t; type ntp_drift_t; + type ntpd_log_t; ') files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") files_etc_filetrans($1, ntp_conf_t, dir, "ntp") files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") + logging_log_filetrans($1, ntpd_log_t, file, "ntp") ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/ntp.te new/selinux-policy-20260508/policy/modules/contrib/ntp.te --- old/selinux-policy-20260414/policy/modules/contrib/ntp.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/ntp.te 2026-05-08 10:15:50.000000000 +0200 @@ -5,6 +5,14 @@ # Declarations # +## <desc> +## <p> +## Allow ntpd to access refclock devices +## </p> +## </desc> +# +gen_tunable(ntpd_refclock_access, false) + attribute_role ntpd_roles; type ntp_drift_t; 
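Review bot: The new `logging_log_filetrans($1, ntpd_log_t, file, "ntp")` transitions only the `file` class, while the changelog entry in this commit describes the target as `/var/log/ntp`, which reads like a directory. If ntpd creates `/var/log/ntp` as a directory the transition will not fire and it is created as plain var_log_t; in that case the class should be `dir` or `{ file dir }`, i.e. `logging_log_filetrans($1, ntpd_log_t, { file dir }, "ntp")`. Which applies cannot be determined from the diff, so a short comment naming the object type would settle it. The enclosing interface begins outside the hunk.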
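Review bot: The tunable is declared as `gen_tunable(ntpd_refclock_access, false)`, but the changelog entry in this commit calls it `ntp_refclock_access` (bsc#1262711); an administrator following the changelog will look up a boolean that does not exist. One of the two should be corrected, and since `ntpd_refclock_access` matches the existing `ntpd_t` naming, fixing the changelog text is the smaller change. The `<desc>` block is also terse for a boolean that opens device access; a sentence listing the device types it grants (those named in the tunable_policy body of the next hunk) would tell admins what they are enabling.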
@@ -167,6 +175,19 @@ ') optional_policy(` + tunable_policy(`ntpd_refclock_access',` + # /dev/pps0 clock_device_t + dev_rw_realtime_clock(ntpd_t) + # /dev/ttyUSB0 usbtty_device_t + term_use_usb_ttys(ntpd_t) + # /dev/ttyS0 tty_device_t + term_use_unallocated_ttys(ntpd_t) + # also /dev/gps0 /dev/refclock-0 might be needed, but they are device_t and + # people should really use chrony, so not taking that effort atm + ') +') + +optional_policy(` timemaster_read_pid_files(ntpd_t) timemaster_rw_shm(ntpd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/contrib/thumb.te new/selinux-policy-20260508/policy/modules/contrib/thumb.te --- old/selinux-policy-20260414/policy/modules/contrib/thumb.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/contrib/thumb.te 2026-05-08 10:15:50.000000000 +0200 @@ -56,6 +56,7 @@ userdom_rw_inherited_user_tmp_files(thumb_t) userdom_manage_home_texlive(thumb_t) +allow thumb_t thumb_tmp_t:lnk_file setattr; manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/services/ssh.te new/selinux-policy-20260508/policy/modules/services/ssh.te --- old/selinux-policy-20260414/policy/modules/services/ssh.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/services/ssh.te 2026-05-08 10:15:50.000000000 +0200 
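Review bot: The three interfaces inside `tunable_policy(`ntpd_refclock_access',...)` are broader than the comments beside them suggest: by the types the comments themselves name, `term_use_unallocated_ttys(ntpd_t)` covers every tty_device_t node, `term_use_usb_ttys(ntpd_t)` every usbtty_device_t node and `dev_rw_realtime_clock(ntpd_t)` every clock_device_t node, not only `/dev/ttyS0`, `/dev/ttyUSB0` and `/dev/pps0`. That is inherent to type-based labelling and acceptable behind a default-off boolean, but the comments should not read as if the grant were per-device, e.g. `# all serial ttys (tty_device_t), e.g. /dev/ttyS0`. The trailing comment about `/dev/gps0` and `/dev/refclock-0` being device_t records a known gap; stating whether a file context or udev rule for those nodes is planned would make it actionable.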
@@ -95,7 +95,7 @@ allow sshd_net_t sshd_session_t:fifo_file write; allow sshd_net_t sshd_session_t:unix_stream_socket { ioctl read write }; allow sshd_session_t sshd_t:tcp_socket { getattr getopt read setopt write }; -allow sshd_session_t sshd_t:unix_stream_socket { read write }; +allow sshd_session_t sshd_t:unix_stream_socket { getattr read write }; allow sshd_session_t sshd_t:vsock_socket { getattr }; allow sshd_session_t sshd_auth_t:process signal; @@ -181,6 +181,7 @@ allow sshd_auth_t self:unix_dgram_socket { create ioctl }; allow sshd_auth_t sshd_t:tcp_socket { getattr read write getopt setopt }; +allow sshd_auth_t sshd_t:unix_stream_socket getattr; allow sshd_auth_t sshd_t:vsock_socket getattr; allow sshd_auth_t sshd_session_t:unix_stream_socket { read write }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/services/xserver.te new/selinux-policy-20260508/policy/modules/services/xserver.te --- old/selinux-policy-20260414/policy/modules/services/xserver.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/services/xserver.te 2026-05-08 10:15:50.000000000 +0200 @@ -1061,6 +1061,10 @@ ') optional_policy(` + rhsmcertd_dbus_chat(xdm_t) +') + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/authlogin.if new/selinux-policy-20260508/policy/modules/system/authlogin.if --- old/selinux-policy-20260414/policy/modules/system/authlogin.if 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/authlogin.if 2026-05-08 10:15:50.000000000 +0200 @@ -75,10 +75,6 @@ userdom_search_user_tmp_dirs($1) optional_policy(` - accountutils_pwaccessd_varlink_socket_connect($1) - ') - - optional_policy(` dbus_system_bus_client($1) optional_policy(` 
@@ -460,6 +456,10 @@ miscfiles_read_generic_certs($1) optional_policy(` + accountutils_pwaccessd_varlink_socket_connect($1) + ') + + optional_policy(` kerberos_read_keytab($1) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/getty.fc new/selinux-policy-20260508/policy/modules/system/getty.fc --- old/selinux-policy-20260414/policy/modules/system/getty.fc 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/getty.fc 2026-05-08 10:15:50.000000000 +0200 @@ -5,7 +5,7 @@ /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) -/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) +/var/log/mgetty.* -- gen_context(system_u:object_r:getty_log_t,s0) /var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) /run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/getty.te new/selinux-policy-20260508/policy/modules/system/getty.te --- old/selinux-policy-20260414/policy/modules/system/getty.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/getty.te 2026-05-08 10:15:50.000000000 +0200 @@ -5,6 +5,13 @@ # Declarations # +## <desc> +## <p> +## Allow mgetty and sendfax to work together. +## </p> +## </desc> +gen_tunable(mgetty_allow_sendfax, false) + type getty_t; type getty_exec_t; init_domain(getty_t, getty_exec_t) 
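Review bot: `accountutils_pwaccessd_varlink_socket_connect($1)` now lives in an interface whose name and documentation block are outside the hunk, so a reader of this diff cannot tell which callers gain the varlink connect to pwaccessd. Whichever interface it is, its `<summary>`/`<desc>` header should state that it also connects the caller to the pwaccessd varlink socket, since that is a new endpoint every caller of the interface obtains and the interface header is what policy authors consult before calling it. The matching removals from auth_use_pam (previous hunk) and init.te need no further change.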
@@ -142,6 +149,20 @@ ') optional_policy(` + tunable_policy(`mgetty_allow_sendfax',` + # Hack: sendfax is started as unconfined_t + # and named filetrans will not work out + # for /var/lock/LCK..*. As this use case + # will only affect a small amount of users, + # this should be fine. + files_manage_generic_locks(getty_t) + # Hack: sendfax is started as unconfined_t + unconfined_read_files(getty_t) + unconfined_signull(getty_t) + ') +') + +optional_policy(` cockpit_read_pid_files(getty_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/init.te new/selinux-policy-20260508/policy/modules/system/init.te --- old/selinux-policy-20260414/policy/modules/system/init.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/init.te 2026-05-08 10:15:50.000000000 +0200 @@ -972,10 +972,6 @@ userdom_rw_stream(init_t) ') -optional_policy(` - accountutils_pwaccessd_varlink_socket_connect(init_t) -') - ######################################## # # Init script local policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/sysnetwork.te new/selinux-policy-20260508/policy/modules/system/sysnetwork.te --- old/selinux-policy-20260414/policy/modules/system/sysnetwork.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/sysnetwork.te 2026-05-08 10:15:50.000000000 +0200 
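Review bot: The `<desc>` for `mgetty_allow_sendfax` in the previous hunk says only "Allow mgetty and sendfax to work together", while the body here grants getty_t `files_manage_generic_locks`, `unconfined_read_files` and `unconfined_signull`; an administrator turning the boolean on should see that it lets getty manage every generic lock file and read objects of the unconfined domain. Suggest a description along the lines of `Allow mgetty (getty_t) to manage generic lock files and read and signal unconfined sendfax processes, needed for sendfax/mgetty lock handling.`, adjusting the "read" wording to whatever `unconfined_read_files` actually covers, which the hunk does not show. The two `# Hack: sendfax is started as unconfined_t` comments can be merged into one above the block.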
@@ -321,6 +321,9 @@ domtrans_pattern(dhcpc_t, dhcpc_hook_exec_t, dhcpc_hook_t) allow dhcpc_hook_t self:netlink_route_socket create_netlink_socket_perms; +allow dhcpc_hook_t self:unix_dgram_socket { create ioctl }; + +kernel_request_load_module(dhcpc_hook_t) manage_dirs_pattern(dhcpc_hook_t, dhcpc_var_run_t, dhcpc_var_run_t) manage_files_pattern(dhcpc_hook_t, dhcpc_var_run_t, dhcpc_var_run_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/systemd-homed.te new/selinux-policy-20260508/policy/modules/system/systemd-homed.te --- old/selinux-policy-20260414/policy/modules/system/systemd-homed.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/systemd-homed.te 2026-05-08 10:15:50.000000000 +0200 @@ -190,6 +190,7 @@ files_search_home(systemd_homework_t) files_home_filetrans(systemd_homework_t, systemd_homed_crypto_luks_t, file) delete_files_pattern(systemd_homework_t, systemd_homed_record_t, systemd_homed_record_t) +delete_dirs_pattern(systemd_homework_t, systemd_homed_record_t, systemd_homed_record_t) # unlabeled home directories files_manage_isid_type_dirs(systemd_homework_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20260414/policy/modules/system/systemd.te new/selinux-policy-20260508/policy/modules/system/systemd.te --- old/selinux-policy-20260414/policy/modules/system/systemd.te 2026-04-14 10:05:26.000000000 +0200 +++ new/selinux-policy-20260508/policy/modules/system/systemd.te 2026-05-08 10:15:50.000000000 +0200 
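Review bot: `kernel_request_load_module(dhcpc_hook_t)` lets the DHCP hook-script domain trigger kernel module autoloading, and the hunk gives no hint which hook needs it. If the `module_request` denial came from an incidental lookup (for example a `socket()` call for an address family that is not built in) rather than a real need, `kernel_dontaudit_request_load_module(dhcpc_hook_t)` silences it without extending what the hook scripts can cause the kernel to load. Either way, a comment naming the hook script and the module, e.g. `# <hook script> triggers request_module for <module> -- TODO confirm`, would let the next reviewer judge the grant.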
@@ -839,7 +839,7 @@ # Local policy # -allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin sys_resource }; allow systemd_tmpfiles_t self:process { setrlimit setfscreate }; allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
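Review bot: `sys_resource` is added to the systemd_tmpfiles_t capability set without a comment, and CAP_SYS_RESOURCE covers more than raising resource limits (it also overrides disk quota and reserved-space checks, among others). The changelog ties it to "adjust resource limits", which matches the `setrlimit` already present on the `self:process` line below, so record that intent: `# sys_resource: needed for setrlimit to raise hard limits`, hedged as "presumably" unless the tmpfiles call site has been checked, since the diff does not show it.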
