Accepting request 833509 from home:jsegitz:branches:security:SELinux

- Update to version 20200910. Refreshed * fix_authlogin.patch * fix_nagios.patch * fix_systemd.patch * fix_usermanage.patch - Delete suse_specific.patch, moved content into fix_selinuxutil.patch - Cleanup of booleans-* presets * Enabled user_rw_noexattrfile unconfined_chrome_sandbox_transition unconfined_mozilla_plugin_transition for the minimal policy * Disabled xserver_object_manager for the MLS policy * Disabled openvpn_enable_homedirs privoxy_connect_any selinuxuser_direct_dri_enabled selinuxuser_ping (aka user_ping) squid_connect_any telepathy_tcp_connect_generic_network_ports for the targeted policy Change your local config if you need them - Build HTML version of manpages for the -devel package OBS-URL: https://build.opensuse.org/request/show/833509 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=83
2020-09-10 15:07:50 +00:00 · 2020-09-10 15:07:50 +00:00 · 6fa6803f18
commit 6fa6803f18
parent ded584ab59
16 changed files with 549 additions and 123 deletions
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -4,19 +4,19 @@ allow_execmem = false

 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = false
+selinuxuser_execmod = false

 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+selinuxuser_execstack = false

 # Allow ftpd to read cifs directories.
 # 
-allow_ftpd_use_cifs = false
+ftpd_use_cifs = false

 # Allow ftpd to read nfs directories.
 # 
-allow_ftpd_use_nfs = false
+ftpd_use_nfs = false

 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
@ -24,7 +24,7 @@ allow_ftpd_anon_write = false

 # Allow gssd to read temp directory.
 # 
-allow_gssd_read_tmp = true
+gssd_read_tmp = true

 # Allow Apache to modify public filesused for public file transfer services.
 # 
@ -32,7 +32,7 @@ allow_httpd_anon_write = false

 # Allow Apache to use mod_auth_pam module
 # 
-allow_httpd_mod_auth_pam = false
+httpd_mod_auth_pam = false

 # Allow system to run with kerberos
 # 
@ -44,7 +44,7 @@ allow_rsync_anon_write = false

 # Allow sasl to read shadow
 # 
-allow_saslauthd_read_shadow = false
+saslauthd_read_shadow  = false

 # Allow samba to modify public filesused for public file transfer services.
 # 
@ -56,7 +56,7 @@ allow_ypbind = false

 # Allow zebra to write it own configuration files
 # 
-allow_zebra_write_config = false
+zebra_write_config = false

 # Enable extra rules in the cron domainto support fcron.
 # 
@ -148,55 +148,35 @@ user_ping = false

 # allow host key based authentication
 # 
-allow_ssh_keysign = false
+ssh_keysign = false

 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false

-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false

-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
-user_rw_noexattrfile = false
+user_rw_noexattrfile = true

 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false

-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
 # Allow all domains to talk to ttys
 # 
-allow_daemons_use_tty = false
+daemons_use_tty = false

 # Allow login domains to polyinstatiate directories
 # 
-allow_polyinstantiation = false
+polyinstantiation_enabled = false

 # Allow all domains to dump core
 # 
-allow_daemons_dump_core = true
+daemons_dump_core = true

 # Allow samba to act as the domain controller
 # 
@ -208,36 +188,24 @@ samba_run_unconfined = false

 # Allows XServer to execute writable memory
 # 
-allow_xserver_execmem = false
+xserver_execmem = false

 # disallow guest accounts to execute files that they can create 
 # 
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-# 
-browser_confine_xguest=false
+guest_exec_content = false
+xguest_exec_content = false

 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=false
+postfix_local_write_mail_spool = false

 # Allow common users to read/write noexattrfile systems
 # 
-user_rw_noexattrfile=true
+user_rw_noexattrfile = true

 # Allow qemu to connect fully to the network
 # 
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-# 
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-allow_unconfined_nsplugin_transition=true
+qemu_full_network = true

 # System uses init upstart program
 # 
@ -245,9 +213,20 @@ init_upstart = true

 # Allow mount to mount any file/dir
 # 
-allow_mount_anyfile = true
+mount_anyfile = true

 # Allow all domains to mmap files
 # 
 domain_can_mmap_files = true

+# Allow confined applications to use nscd shared memory
+#
+nscd_use_shm = true
+
+# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+#
+unconfined_chrome_sandbox_transition = true
+
+# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+#
+unconfined_mozilla_plugin_transition = true
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@ -1,6 +1,232 @@
-kerberos_enabled = true
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+selinuxuser_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+selinuxuser_execstack = false
+
+# Allow ftpd to read cifs directories.
+# 
+ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+# 
+ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+# 
+httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+saslauthd_read_shadow  = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+# 
+zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# allow host key based authentication
+# 
+ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow spamd to write to users homedirs
+# 
+spamd_enable_home_dirs = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = true
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow all domains to talk to ttys
+# 
+daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+# 
+polyinstantiation_enabled = false
+
+# Allow all domains to dump core
+# 
+daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+# 
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+# 
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+# 
+xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create 
+# 
+guest_exec_content = false
+xguest_exec_content = false
+
+# Allow postfix locat to write to mail spool
+# 
+postfix_local_write_mail_spool = false
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile = true
+
+# Allow qemu to connect fully to the network
+# 
+qemu_full_network = true
+
+# System uses init upstart program
+# 
+init_upstart = true
+
+# Allow mount to mount any file/dir
+# 
 mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true
+
+# Allow all domains to mmap files
+# 
+domain_can_mmap_files = true
+
+# Allow confined applications to use nscd shared memory
+#
+nscd_use_shm = true
+
+# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+#
+unconfined_chrome_sandbox_transition = false
+
+# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+#
+unconfined_mozilla_plugin_transition = false
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -1,23 +1,232 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+selinuxuser_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+selinuxuser_execstack = false
+
+# Allow ftpd to read cifs directories.
+# 
+ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+# 
+ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
 gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+# 
+httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+saslauthd_read_shadow  = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+# 
+zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
 httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
 httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
 nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool= true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
 pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_rw_noexattrfile = true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# allow host key based authentication
+# 
+ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow spamd to write to users homedirs
+# 
+spamd_enable_home_dirs = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = true
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow all domains to talk to ttys
+# 
+daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+# 
+polyinstantiation_enabled = false
+
+# Allow all domains to dump core
+# 
+daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+# 
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+# 
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+# 
+xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create 
+# 
+guest_exec_content = false
+xguest_exec_content = false
+
+# Allow postfix locat to write to mail spool
+# 
+postfix_local_write_mail_spool = false
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile = true
+
+# Allow qemu to connect fully to the network
+# 
+qemu_full_network = true
+
+# System uses init upstart program
+# 
+init_upstart = true
+
+# Allow mount to mount any file/dir
+# 
+mount_anyfile = true
+
 # Allow all domains to mmap files
+# 
 domain_can_mmap_files = true
+
+# Allow confined applications to use nscd shared memory
+#
+nscd_use_shm = true
+
+# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+#
+unconfined_chrome_sandbox_transition = true
+
+# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+#
+unconfined_mozilla_plugin_transition = true
--- a/fedora-policy.20200717.tar.bz2
+++ b/fedora-policy.20200717.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
-size 752394
--- a/fedora-policy.20200910.tar.bz2
+++ b/fedora-policy.20200910.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e8acb185a5abf179037ca0531d312d327df52c0b201128e84d22afe730c8b96
+size 738509
--- a/fix_authlogin.patch
+++ b/fix_authlogin.patch
@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/system/authlogin.fc
 ===================================================================
 --- fedora-policy.orig/policy/modules/system/authlogin.fc
 +++ fedora-policy/policy/modules/system/authlogin.fc
-@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
+@@ -49,6 +49,7 @@ ifdef(`distro_gentoo', `
 /usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 
 /usr/libexec/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
--- a/fix_nagios.patch
+++ b/fix_nagios.patch
@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/nagios.te
 +++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
+@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
--- a/fix_selinuxutil.patch
+++ b/fix_selinuxutil.patch
@ -24,3 +24,16 @@ Index: fedora-policy/policy/modules/system/selinuxutil.te
     cloudform_dontaudit_write_cloud_log(setfiles_t)
 ')
 
+Index: fedora-policy/policy/modules/system/selinuxutil.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy/policy/modules/system/selinuxutil.if
+@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
+ 
+ 	dontaudit $1 selinux_config_t:dir search_dir_perms;
+ 	dontaudit $1 selinux_config_t:file read_file_perms;
+	# /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
+	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/systemd.te
 	apache_read_tmp_files(systemd_logind_t)
 ')
 
-@@ -823,6 +827,10 @@ optional_policy(`
+@@ -828,6 +832,10 @@ optional_policy(`
         dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@ -10,7 +10,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te
 
 fs_getattr_xattr_fs(groupadd_t)
 fs_search_auto_mountpoints(groupadd_t)
-@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
+@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c
 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te
 
 manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
 manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
+@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@ -392,13 +392,6 @@ udev = module
 # 
 unconfined = module

-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module
-
 # Layer: admin
 # Module: rpm
 #
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -392,13 +392,6 @@ udev = module
 # 
 unconfined = module

-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module
-
 # Layer: contrib
 # Module: packagekit
 #
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 20200910. Refreshed
+  * fix_authlogin.patch
+  * fix_nagios.patch
+  * fix_systemd.patch
+  * fix_usermanage.patch
+- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
+- Cleanup of booleans-* presets
+  * Enabled
+    user_rw_noexattrfile
+    unconfined_chrome_sandbox_transition
+    unconfined_mozilla_plugin_transition
+    for the minimal policy
+  * Disabled
+    xserver_object_manager
+    for the MLS policy
+  * Disabled
+    openvpn_enable_homedirs
+    privoxy_connect_any
+    selinuxuser_direct_dri_enabled
+    selinuxuser_ping (aka user_ping)
+    squid_connect_any
+    telepathy_tcp_connect_generic_network_ports
+    for the targeted policy
+  Change your local config if you need them
+- Build HTML version of manpages for the -devel package
+
 -------------------------------------------------------------------
 Thu Sep  3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -15,7 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

-# TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
 # ones used by redhat and include also the SUSE specific ones (see sed statement below)
 %define distro redhat
@ -33,7 +32,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20200717
+Version:        20200910
 Release:        0
 Source:         fedora-policy.%{version}.tar.bz2
 Source1:        selinux-policy-rpmlintrc
@ -65,7 +64,6 @@ Source52:       users-minimum

 Source60:       selinux-policy.conf

-Source90:       selinux-policy-rpmlintrc
 Source91:       Makefile.devel
 Source92:       customizable_types
 #Source93:       config.tgz
@ -123,7 +121,7 @@ Patch039:       fix_cron.patch
 Patch040:       fix_usermanage.patch
 Patch041:       fix_smartmon.patch
 Patch042:       fix_geoclue.patch
-Patch043:       suse_specific.patch
+#Patch043:       suse_specific.patch
 Patch044:       fix_authlogin.patch
 Patch045:       fix_screen.patch
 Patch046:       fix_unprivuser.patch
@ -154,6 +152,7 @@ Recommends:     selinux-tools
 # for audit2allow
 Recommends:     python3-policycoreutils
 Recommends:     policycoreutils-python-utils
+Recommends:     container-selinux

 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024

@ -351,7 +350,6 @@ creating other policies.
 %dir %{_datadir}/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
-#%ghost %{_sysconfdir}/sysconfig/selinux-policy
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy

@ -426,7 +424,7 @@ exit 0
 %patch040 -p1
 %patch041 -p1
 %patch042 -p1
-%patch043 -p1
+#% patch043 -p1
 %patch044 -p1
 %patch045 -p1
 %patch046 -p1
@ -442,8 +440,6 @@ find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 touch %{buildroot}%{_sysconfdir}/selinux/config
-#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
-#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}

@ -512,11 +508,10 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
-#XXX what's missing for html?
-#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
-#mkdir %{buildroot}%{_datadir}/selinux/devel/html
-#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
-#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
+%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
+mkdir %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html

 %post
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -525,7 +520,6 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
    if [ -f  %{_sysconfdir}/sysconfig/selinux-policy ]; then
 	mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
    else
-	# XXX right default for SELINUXTYPE?
 	echo "
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
@ -594,7 +588,10 @@ SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %doc %{_datadir}/man/ru/man8/*
+%doc %{_datadir}/man/man8/*
 %dir %{_datadir}/selinux/devel
+%dir %{_datadir}/selinux/devel/html/
+%doc %{_datadir}/selinux/devel/html/*
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
 %{_datadir}/selinux/devel/Makefile
--- a/suse_specific.patch
+++ b/suse_specific.patch
@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/system/selinuxutil.if
-===================================================================
--- fedora-policy.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy/policy/modules/system/selinuxutil.if
-@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
- 
- 	dontaudit $1 selinux_config_t:dir search_dir_perms;
- 	dontaudit $1 selinux_config_t:file read_file_perms;
-+	# /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
-+	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
--- a/update.sh
+++ b/update.sh
@ -13,7 +13,7 @@ git clone --depth 1 https://github.com/containers/container-selinux.git
 mv selinux-policy fedora-policy
 rm -rf fedora-policy/.git*
 mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
-mv container-selinux/* fedora-policy/policy/modules/contrib/
+mv container-selinux/container.* fedora-policy/policy/modules/contrib/

 rm -f fedora-policy.$date.tar*
 tar cf fedora-policy.$date.tar fedora-policy