Accepting request 734854 from home:jsegitz:branches:security:SELinux

- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
  * label_sysconfig.selinux.patch
  * label_var_run_rsyslog.patch
  * suse_additions_obs.patch
  * suse_additions_sslh.patch
  * suse_modifications_apache.patch
  * suse_modifications_cron.patch
  * suse_modifications_getty.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_virt.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
  * segenxml_interpreter.patch
- Added patches:
  * fix_djbdns.patch
  * fix_dbus.patch
  * fix_gift.patch
  * fix_java.patch
  * fix_hadoop.patch
  * fix_thunderbird.patch
  * postfix_paths.patch
  * fix_nscd.patch
  * fix_sysnetwork.patch
  * fix_logging.patch
  * fix_xserver.patch

OBS-URL: https://build.opensuse.org/request/show/734854
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=73

booleans.subs_dist

@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs

config.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:652101e6cd75232a223d53d498a9190f0c21d513c9587d34956805fd56545ee2
-size 3189

fedora-policy.20190802.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
+size 730294

fix_dbus.patch

@@ -0,0 +1,35 @@
+Index: fedora-policy/policy/modules/contrib/evolution.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/evolution.te	2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/evolution.te	2019-08-05 09:57:29.695474175 +0200
+@@ -228,7 +228,6 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(evolution_t)
+-	dbus_all_session_bus_client(evolution_t)
+ ')
+ 
+ optional_policy(`
+@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	dbus_all_session_bus_client(evolution_alarm_t)
+-')
+-
+-optional_policy(`
+ 	gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+ 
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te	2019-08-05 09:39:48.681670851 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te	2019-08-05 09:57:38.503622198 +0200
+@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(thunderbird_t)
+-	dbus_all_session_bus_client(thunderbird_t)
+ 
+ 	optional_policy(`
+ 		cups_dbus_chat(thunderbird_t)

fix_djbdns.patch

@@ -0,0 +1,33 @@
+Index: fedora-policy/policy/modules/contrib/djbdns.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/djbdns.te	2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/djbdns.te	2019-08-05 09:53:08.383084236 +0200
+@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
+ allow djbdns_domain self:tcp_socket create_stream_socket_perms;
+ allow djbdns_domain self:udp_socket create_socket_perms;
+ 
+-corenet_all_recvfrom_unlabeled(djbdns_domain)
+-corenet_all_recvfrom_netlabel(djbdns_domain)
+-corenet_tcp_sendrecv_generic_if(djbdns_domain)
+-corenet_udp_sendrecv_generic_if(djbdns_domain)
+-corenet_tcp_sendrecv_generic_node(djbdns_domain)
+-corenet_udp_sendrecv_generic_node(djbdns_domain)
+-corenet_tcp_sendrecv_all_ports(djbdns_domain)
+-corenet_udp_sendrecv_all_ports(djbdns_domain)
+-corenet_tcp_bind_generic_node(djbdns_domain)
+-corenet_udp_bind_generic_node(djbdns_domain)
+-
+-corenet_sendrecv_dns_server_packets(djbdns_domain)
+-corenet_tcp_bind_dns_port(djbdns_domain)
+-corenet_udp_bind_dns_port(djbdns_domain)
+-
+-corenet_sendrecv_dns_client_packets(djbdns_domain)
+-corenet_tcp_connect_dns_port(djbdns_domain)
+-
+-corenet_sendrecv_generic_server_packets(djbdns_domain)
+-corenet_tcp_bind_generic_port(djbdns_domain)
+-corenet_udp_bind_generic_port(djbdns_domain)
+-
+ files_search_var(djbdns_domain)
+ 
+ daemontools_ipc_domain(djbdns_axfrdns_t)

fix_gift.patch

@@ -0,0 +1,9 @@
+Index: fedora-policy/policy/modules/contrib/gift.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/gift.te	2019-08-05 09:39:48.645670248 +0200
++++ fedora-policy/policy/modules/contrib/gift.te	2019-08-05 10:05:44.787808191 +0200
+@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
+ sysnet_dns_name_resolve(giftd_t)
+ 
+ userdom_use_inherited_user_terminals(giftd_t)
+-userdom_home_manager(gitd_t)

fix_hadoop.patch

@@ -0,0 +1,30 @@
+Index: fedora-policy/policy/modules/roles/sysadm.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/sysadm.te	2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/roles/sysadm.te	2019-08-05 14:11:28.416872543 +0200
+@@ -282,10 +282,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hadoop_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+     iotop_run(sysadm_t, sysadm_r)
+ ')
+ 
+Index: fedora-policy/policy/modules/roles/unprivuser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te	2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/roles/unprivuser.te	2019-08-05 14:11:22.908782828 +0200
+@@ -192,10 +192,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		hadoop_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		irc_role(user_r, user_t)
+ 	')
+ 

fix_java.patch

@@ -0,0 +1,41 @@
+Index: fedora-policy/policy/modules/contrib/java.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/java.te	2019-08-05 13:50:32.925673660 +0200
++++ fedora-policy/policy/modules/contrib/java.te	2019-08-05 14:06:51.896425229 +0200
+@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
+ attribute_role unconfined_java_roles;
+ 
+ type java_t, java_domain;
++typealias java_t alias java_domain_t;
+ type java_exec_t;
+ userdom_user_application_domain(java_t, java_exec_t)
+ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
+ kernel_read_all_sysctls(java_domain)
+ kernel_search_vm_sysctl(java_domain)
+ kernel_read_network_state(java_domain)
+-kernel_read_system_state(java_domain)
+ 
+ corecmd_search_bin(java_domain)
+ 
+-corenet_all_recvfrom_unlabeled(java_domain)
+-corenet_all_recvfrom_netlabel(java_domain)
+-corenet_tcp_sendrecv_generic_if(java_domain)
+-corenet_tcp_sendrecv_generic_node(java_domain)
+-
+-corenet_sendrecv_all_client_packets(java_domain)
+-corenet_tcp_connect_all_ports(java_domain)
+-corenet_tcp_sendrecv_all_ports(java_domain)
+-
+ dev_read_sound(java_domain)
+ dev_write_sound(java_domain)
+ dev_read_urand(java_domain)
+@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
+ fs_getattr_all_fs(java_domain)
+ fs_dontaudit_rw_tmpfs_files(java_domain)
+ 
+-logging_send_syslog_msg(java_domain)
+-
+ miscfiles_read_localization(java_domain)
+ miscfiles_read_fonts(java_domain)
+ 

fix_logging.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/logging.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/logging.fc	2019-08-22 11:28:09.250979768 +0200
++++ fedora-policy/policy/modules/system/logging.fc	2019-08-22 11:45:28.360015899 +0200
+@@ -3,6 +3,7 @@
+ /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog.d(/.*)?		gen_context(system_u:object_r:syslog_conf_t,s0)
++/var//run/rsyslog/additional-log-sockets.conf 	--		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)

fix_miscfiles.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/miscfiles.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/miscfiles.fc	2019-08-05 09:39:39.117510678 +0200
++++ fedora-policy/policy/modules/system/miscfiles.fc	2019-08-22 12:44:01.678484113 +0200
+@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
+ /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
+ 
+ /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
++/var/lib/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)

fix_nscd.patch

@@ -0,0 +1,16 @@
+Index: fedora-policy/policy/modules/contrib/nscd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc	2019-08-05 09:39:48.661670516 +0200
++++ fedora-policy/policy/modules/contrib/nscd.fc	2019-08-15 14:13:18.681607730 +0200
+@@ -8,8 +8,10 @@
+ /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
+ 
+ /var/run/nscd\.pid	--	gen_context(system_u:object_r:nscd_var_run_t,s0)
+-/var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
++/var/run/nscd/socket		-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
++/var/lib/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+ /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+ /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
++

fix_sysnetwork.patch

@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/system/sysnetwork.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/sysnetwork.fc	2019-08-05 09:39:39.121510745 +0200
++++ fedora-policy/policy/modules/system/sysnetwork.fc	2019-08-21 13:47:17.253328905 +0200
+@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
+ /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+ ')
+ 
++/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
++
+ /var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+ /etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+ 

fix_thunderbird.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te	2019-08-21 13:42:54.325021721 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te	2019-08-21 13:42:58.249085986 +0200
+@@ -138,7 +138,6 @@ optional_policy(`
+ optional_policy(`
+ 	gnome_stream_connect_gconf(thunderbird_t)
+ 	gnome_domtrans_gconfd(thunderbird_t)
+-	gnome_manage_generic_home_content(thunderbird_t)
+ ')
+ 
+ optional_policy(`

fix_xserver.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/services/xserver.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/services/xserver.fc	2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/services/xserver.fc	2019-08-22 11:44:16.178832073 +0200
+@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
+ /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ 
++/usr/lib/X11/display-manager 	-- 	gen_context(system_u:object_r:xdm_exec_t,s0)
+ ifndef(`distro_debian',`
+ /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+ ')

label_sysconfig.selinux.patch

@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/system/selinuxutil.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/selinuxutil.fc	2018-11-27 11:44:18.621994420 +0100
-+++ refpolicy/policy/modules/system/selinuxutil.fc	2018-11-27 11:45:11.406831098 +0100
-@@ -13,6 +13,7 @@
- /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
- /etc/selinux/([^/]*/)?users(/.*)?		--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/sysconfig/selinux-policy			-- 	gen_context(system_u:object_r:selinux_config_t,s0)
- 
- #
- # /root

label_var_run_rsyslog.patch

@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/system/logging.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.fc	2019-07-11 14:31:20.605624453 +0200
-@@ -62,6 +62,7 @@ ifdef(`distro_suse', `
- /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/log/syslog(/.*)? 		gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- 
- ifndef(`distro_gentoo',`
- /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)

minimum_temp_fixes.if

@@ -0,0 +1 @@
+## <summary></summary>

minimum_temp_fixes.te

@@ -0,0 +1,95 @@
+policy_module(minimum_temp_fixes, 1.0)
+
+require {
+	type sshd_t;
+	type lib_t;
+	type init_t;
+	type unconfined_t;
+	type systemd_localed_t;
+	type systemd_logind_t;
+	type unconfined_service_t;
+	type chkpwd_t;
+	type bin_t;
+	type fsadm_t;
+	type getty_t;
+	type systemd_tmpfiles_t;
+	type systemd_systemctl_exec_t;
+	type unconfined_dbusd_t;
+	type rtkit_daemon_t;
+	type system_dbusd_t;
+	class dir mounton;
+	class dbus { acquire_svc send_msg };
+	class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
+	class process { execmem transition };
+	class file { entrypoint execmod };
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(chkpwd_t)
+files_read_var_lib_files(chkpwd_t)
+files_write_generic_pid_sockets(chkpwd_t)
+
+#============= fsadm_t ==============
+allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
+
+#============= getty_t ==============
+allow getty_t unconfined_service_t:nscd shmemgrp;
+files_map_var_lib_files(getty_t)
+files_read_var_lib_files(getty_t)
+files_write_generic_pid_sockets(getty_t)
+
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t self:process execmem;
+allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
+files_manage_generic_spool(init_t)
+corenet_udp_bind_generic_node(init_t)
+files_map_var_lib_files(init_t)
+files_read_var_files(init_t)
+files_manage_var_files(init_t)
+storage_raw_read_removable_device(init_t)
+
+#============= sshd_t ==============
+allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
+files_exec_generic_pid_files(sshd_t)
+files_map_var_lib_files(sshd_t)
+files_read_var_lib_files(sshd_t)
+files_write_generic_pid_sockets(sshd_t)
+unconfined_server_dbus_chat(sshd_t)
+
+#============= systemd_localed_t ==============
+allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
+files_write_generic_pid_sockets(systemd_localed_t)
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(systemd_logind_t)
+files_read_var_lib_files(systemd_logind_t)
+files_write_generic_pid_sockets(systemd_logind_t)
+systemd_dbus_chat_logind(systemd_logind_t)
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
+files_map_var_lib_files(systemd_tmpfiles_t)
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unconfined_t:process transition;
+init_dbus_chat(unconfined_service_t)
+unconfined_server_dbus_chat(unconfined_service_t)
+
+#============= unconfined_t ==============
+allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };
+
+#============= unconfined_dbusd_t ==============
+allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };

modules-minimum-base.conf

@@ -0,0 +1,429 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+# 
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+# 
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+# 
+# 
+ubac = base
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+# 
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+# 
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+# 
+secadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+# 
+sysadm_secadm = module
+
+# Module: staff
+#
+# admin account 
+# 
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+# 
+sysadm = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+# 
+unconfineduser = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+# 
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+# 
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+# 
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = module
+
+# Layer: system
+# Module: kdbus
+#
+# Policy for kdbus.
+#
+kdbus = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+# 
+rpm = module
+
+# Layer: contrib
+# Module: minimum_temp_fixes
+#
+# Temporary fixes for the minimum policy.
+#
+minimum_temp_fixes = module
+
+# Layer: contrib
+# Module: packagekit
+#
+# Temporary permissive module for packagekit
+#
+packagekit = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = module
+

modules-minimum-disable.lst

@@ -1 +1 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nscd nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 
+abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 

packagekit.fc

@@ -0,0 +1,44 @@
+/usr/lib/systemd/system/packagekit.*  --  gen_context(system_u:object_r:packagekit_unit_file_t,s0)
+
+/usr/bin/packagekit                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
+
+#/var/lib/PackageKit(/.*)?                 gen_context(system_u:object_r:packagekit_var_lib_t,s0)
+
+/usr/bin/pkcon                  	--  gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/bin/pkmon				--  gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekit-direct             --  gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekitd                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/pk-offline-update                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
+
+#/etc/PackageKit
+#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
+#/usr/lib/tmpfiles.d
+#/usr/lib/tmpfiles.d/PackageKit.conf
+#/usr/lib64/packagekit-backend
+#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
+#/usr/sbin/rcpackagekit
+#/usr/sbin/rcpackagekit-offline-update
+#/usr/share/PackageKit
+#/usr/share/PackageKit/helpers
+#/usr/share/PackageKit/helpers/test_spawn
+#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
+#/usr/share/PackageKit/packagekit-background.sh
+#/usr/share/PackageKit/pk-upgrade-distro.sh
+#/usr/share/PackageKit/transactions.db
+#/usr/share/bash-completion/completions/pkcon
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
+#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
+#/usr/share/doc/packages/PackageKit
+#/usr/share/doc/packages/PackageKit/AUTHORS
+#/usr/share/doc/packages/PackageKit/HACKING
+#/usr/share/doc/packages/PackageKit/NEWS
+#/usr/share/doc/packages/PackageKit/README
+#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
+#/usr/share/licenses/PackageKit
+#/usr/share/licenses/PackageKit/COPYING
+#/usr/share/man/man1/pkcon.1.gz
+#/usr/share/man/man1/pkmon.1.gz
+#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
+#/var/cache/PackageKit
+

packagekit.if

@@ -0,0 +1,2 @@
+## <summary>A temporary policy for packagekit.</summary>
+

packagekit.te

@@ -0,0 +1,37 @@
+policy_module(packagekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type packagekit_t;
+type packagekit_exec_t;
+init_daemon_domain(packagekit_t,packagekit_exec_t)
+
+permissive packagekit_t;
+
+type packagekit_unit_file_t;
+systemd_unit_file(packagekit_unit_file_t)
+
+type packagekit_var_lib_t;
+files_type(packagekit_var_lib_t)
+
+#allow packagekit_t self:tcp_socket create_stream_socket_perms;
+#
+#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir)
+#
+#kernel_read_unix_sysctls(packagekit_t)
+#kernel_read_net_sysctls(packagekit_t)
+#
+#corenet_tcp_bind_generic_node(packagekit_t)
+#
+#corenet_tcp_bind_kubernetes_port(packagekit_t)
+#corenet_tcp_bind_afs3_callback_port(packagekit_t)
+#
+#fs_getattr_xattr_fs(packagekit_t)
+#
+#logging_send_syslog_msg(packagekit_t)

postfix_paths.patch

@@ -0,0 +1,63 @@
+Index: fedora-policy/policy/modules/contrib/postfix.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc	2019-08-05 09:39:48.669670650 +0200
++++ fedora-policy/policy/modules/contrib/postfix.fc	2019-08-14 11:11:26.195163409 +0200
+@@ -1,36 +1,19 @@
+ # postfix
+ /etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+ /etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
+-ifdef(`distro_redhat', `
+-/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+-', `
+ /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-')
++/usr/lib/postfix/bin/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/lib/postfix/bin/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/lib/postfix/bin/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib/postfix/bin/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/lib/postfix/bin/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/lib/postfix/bin/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/lib/postfix/bin/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
+ /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+@@ -44,6 +27,9 @@ ifdef(`distro_redhat', `
+ /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+ /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ 
++/etc/postfix/system/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
++/etc/postfix/system/update_postmaps	--	gen_context(system_u:object_r:postfix_map_exec_t,s0)
++
+ /var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
+ 
+ /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)

refpolicy-2.20190609.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f
-size 555882

sedoctool.patch

@@ -0,0 +1,22 @@
+Index: fedora-policy/support/sedoctool.py
+===================================================================
+--- fedora-policy.orig/support/sedoctool.py	2019-08-21 13:54:02.175947408 +0200
++++ fedora-policy/support/sedoctool.py	2019-08-21 13:57:57.323782524 +0200
+@@ -810,7 +810,7 @@ if booleans:
+ 	namevalue_list = []
+ 	if os.path.exists(booleans):
+ 		try:
+-			conf = open(booleans, 'r')
++			conf = open(booleans, 'r', errors='replace')
+ 		except:
+ 			error("Could not open booleans file for reading")
+ 
+@@ -831,7 +831,7 @@ if modules:
+ 	namevalue_list = []
+ 	if os.path.exists(modules):
+ 		try:
+-			conf = open(modules, 'r')
++			conf = open(modules, 'r', errors='replace')
+ 		except:
+ 			error("Could not open modules file for reading")
+ 		namevalue_list = get_conf(conf)	

selinux-policy.changes

@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Mon Aug  9 12:11:28 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
+
+- Moved back to fedora policy (20190802)
+- Removed spec file conditionals for old SELinux userland
+- Removed config.tgz
+- Removed patches:
+  * label_sysconfig.selinux.patch
+  * label_var_run_rsyslog.patch
+  * suse_additions_obs.patch
+  * suse_additions_sslh.patch
+  * suse_modifications_apache.patch
+  * suse_modifications_cron.patch
+  * suse_modifications_getty.patch
+  * suse_modifications_logging.patch
+  * suse_modifications_ntp.patch
+  * suse_modifications_usermanage.patch
+  * suse_modifications_virt.patch
+  * suse_modifications_xserver.patch
+  * sysconfig_network_scripts.patch
+  * segenxml_interpreter.patch
+- Added patches:
+  * fix_djbdns.patch
+  * fix_dbus.patch
+  * fix_gift.patch
+  * fix_java.patch
+  * fix_hadoop.patch
+  * fix_thunderbird.patch
+  * postfix_paths.patch
+  * fix_nscd.patch
+  * fix_sysnetwork.patch
+  * fix_logging.patch
+  * fix_xserver.patch
+  * fix_miscfiles.patch
+  to fix problems with the coresponding modules
+- Added sedoctool.patch to prevent build failures
+- This also adds three modules:
+  * packagekit.(te|if|fc)
+    Basic (currently permissive) module for packagekit
+  * minimum_temp_fixes.(te|if|fc)
+    and
+  * targeted_temp_fixes.(te|if|fc)
+    both are currently necessary to get the systems to boot in 
+    enforcing mode. Most of them obviosly stem from mislabeled
+    files, so this needs to be worked through and then removed
+    eventually
+  Also selinuxuser_execstack, selinuxuser_execmod and 
+  domain_can_mmap_files need to be enabled. Especially the first
+  two are bad and should be removed ASAP
+
 -------------------------------------------------------------------
 Thu Jul 11 12:29:29 UTC 2019 -  <jsegitz@suse.com>
 

selinux-policy.spec

@@ -24,7 +24,7 @@
 # TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
 # ones used by redhat and include also the SUSE specific ones (see sed statement below)
-%define distro suse
+%define distro redhat
 %define ubac n
 %define polyinstatiate n
 %define monolithic n
@@ -38,10 +38,6 @@
 
 %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else  print "0" end }
 
-# conditional stuff depending on policycoreutils version
-# See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
-%if %{coreutils_ge 2.5}
-
 # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
 # It depends on the kernel, but apparently more so on the libsemanage version.
 %define POLICYVER 30
@@ -69,54 +65,6 @@
     %dir %{module_store %%1}/active/modules/disabled \
     %{module_disabled %%1 sandbox}
 %global files_dot_bin() %nil
-%global rm_selinux_mod() rm -rf %%1
-
-%else
-# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
-# It depends on the kernel, but apparently more so on the libsemanage version.
-%define POLICYVER 29
-
-%global module_store() %{_sysconfdir}/selinux/%%{1}/modules
-%global module_dir active/modules
-%global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled
-
-# FixMe 170315: Why is bzip2 used here rather than semodule -i?
-%global install_pp() \
-	(cd  %{buildroot}/%{_usr}/share/selinux/%%1/ \
-	 bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \
-	 rm -f base.pp \
-	 for i in *.pp; do \
-	    bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \
-	 done \
-         rm -f *pp* );
-
-# FixMe 170315:
-# Why is base.pp installed in a different path than other modules?
-# Requirement of policycoreutils 2.3 ??
-%global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp
-
-# FixMe 170315: do we really need these?
-%global touch_file_contexts() \
-    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \
-    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \
-    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin;
-
-%global mkdir_other() %nil
-
-# FixMe 170315: do we really need these?
-%global files_file_contexts() \
-    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \
-    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template
-
-# FixMe 170315: do we really need these?
-%global files_other() \
-    %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \
-    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts
-
-%global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin
-%global rm_selinux_mod() rm -f %%{1}.pp
-
-%endif
 
 Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
@@ -124,11 +72,15 @@ Group:          System/Management
 Name:           selinux-policy
 Version:        20190609
 Release:        0
-Source:         https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
+Source:         fedora-policy.20190802.tar.bz2
 
 Source10:       modules-targeted-base.conf
+Source11:       modules-targeted-contrib.conf
 Source12:       modules-mls-base.conf
-Source13:       modules-minimum-disable.lst
+Source13:       modules-mls-contrib.conf
+Source14:       modules-minimum-base.conf
+Source15:       modules-minimum-contrib.conf
+Source18:       modules-minimum-disable.lst
 
 Source20:       booleans-targeted.conf
 Source21:       booleans-mls.conf
@@ -152,23 +104,35 @@ Source61:       selinux-policy.sysconfig
 Source90:       selinux-policy-rpmlintrc
 Source91:       Makefile.devel
 Source92:       customizable_types
-Source93:       config.tgz
+#Source93:       config.tgz
 Source94:       file_contexts.subs_dist
 
-Patch001:      label_sysconfig.selinux.patch
+Source100:      minimum_temp_fixes.te
-Patch002:      label_var_run_rsyslog.patch
+Source101:      minimum_temp_fixes.if
-Patch003:      suse_additions_obs.patch
+Source102:      minimum_temp_fixes.fc
-Patch004:      suse_additions_sslh.patch
+
-Patch005:      suse_modifications_apache.patch
+Source110:      targeted_temp_fixes.te
-Patch007:      suse_modifications_cron.patch
+Source111:      targeted_temp_fixes.if
-Patch009:      suse_modifications_getty.patch
+Source112:      targeted_temp_fixes.fc
-Patch012:      suse_modifications_logging.patch
+    
-Patch013:      suse_modifications_ntp.patch
+Source120:      packagekit.te
-Patch021:      suse_modifications_usermanage.patch
+Source121:      packagekit.if
-Patch022:      suse_modifications_virt.patch
+Source122:      packagekit.fc
-Patch023:      suse_modifications_xserver.patch
+
-Patch024:      sysconfig_network_scripts.patch
+Patch001:       fix_djbdns.patch
-Patch025:      segenxml_interpreter.patch
+Patch002:       fix_dbus.patch
+Patch003:       fix_gift.patch
+Patch004:       fix_java.patch
+Patch005:       fix_hadoop.patch
+Patch006:       fix_thunderbird.patch
+Patch007: 	postfix_paths.patch
+Patch008: 	fix_nscd.patch
+Patch009: 	fix_sysnetwork.patch
+Patch010: 	fix_logging.patch
+Patch011:       fix_xserver.patch
+Patch012:       fix_miscfiles.patch
+
+Patch100: 	sedoctool.patch
 
 Url:            http://oss.tresys.com/repos/refpolicy/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -195,26 +159,24 @@ Recommends:     selinux-tools
 Recommends:     python3-policycoreutils
 Recommends:     policycoreutils
 
-%global makeCmds() \
+%global makeConfig() \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
 cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-#cp -f selinux_config/users-%1 ./policy/users \
+cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
+cp -f selinux_config/modules-%1-base.conf ./policy/modules-base.conf \
-
+cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
-%global makeModulesConf() \
+if [ "%5" = "contrib" ];then \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
+  cp selinux_config/modules-%1-%5.conf ./policy/modules-contrib.conf; \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
+  cat selinux_config/modules-%1-%5.conf >> ./policy/modules.conf; \
-#if [ "%3" = "contrib" ];then \
+fi; \
-#  cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
-#  cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-#fi; \
 
 %global installCmds() \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
-make %{?_smp_mflags} validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
+make %{?_smp_mflags} validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
+mkdir -p %{buildroot}/var/lib/selinux/%1 \
+/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
 %{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
@@ -235,7 +197,6 @@ touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
 touch %{buildroot}%{module_store %%{1}}/active/users.local \
 %install_pp %%1 \
 touch %{buildroot}%{module_disabled %%1 sandbox} \
-/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 %nil
@@ -243,6 +204,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 %global fileList() \
 %defattr(-,root,root) \
 %dir %{_usr}/share/selinux/%1 \
+%{_usr}/share/selinux/%1/* \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
@@ -278,13 +240,15 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
 %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/openrc_contexts \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@@ -294,10 +258,10 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/* 
 
 %define relabel() \
-. %{_sysconfdir}/sysconfig/selinux-policy; \
+. %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if selinuxenabled; then \
   if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
@@ -329,7 +293,6 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%%2/.rebuild; \
-  (cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \
   /usr/sbin/semodule -B -n -s %%2; \
 else \
   touch %{module_disabled %%2 sandbox} \
@@ -356,7 +319,7 @@ fi;
 %define modulesList() \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
 if [ -e ./policy/modules-contrib.conf ];then \
-  awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
 fi;
 
 %files
@@ -373,31 +336,30 @@ SELinux Reference Policy. A complete SELinux policy that can be used as the syst
 systems and used as the basis for creating other policies. 
 
 %prep
-%setup -n refpolicy
+%setup -n fedora-policy
 %patch001 -p1
 %patch002 -p1
 %patch003 -p1
 %patch004 -p1
 %patch005 -p1
+%patch006 -p1
 %patch007 -p1
+%patch008 -p1
 %patch009 -p1
+%patch010 -p1
+%patch011 -p1
 %patch012 -p1
-%patch013 -p1
+
-%patch021 -p1
+%patch100 -p1
-%patch022 -p1
-%patch023 -p1
-%patch024 -p1
-%patch025 -p1
 
 %build
 
 %install
 mkdir selinux_config
-for i in %{SOURCE10} %{SOURCE12} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
+for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
  cp $i selinux_config
 done
-tar zxvf selinux_config/config.tgz
+#tar zxvf selinux_config/config.tgz
-# Build targeted policy
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
@@ -406,40 +368,45 @@ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
 
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122}; do
+ cp $i policy/modules/contrib
+done
+
 make clean
 %if %{BUILD_TARGETED}
-# Build targeted policy
+for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
-mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
+ cp $i policy/modules/contrib
-%makeCmds targeted mcs n allow
+done
-%makeModulesConf targeted base contrib
+%makeConfig targeted mcs n deny contrib
 %installCmds targeted mcs n allow
 %modulesList targeted
 %endif
-
+for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
-%if %{BUILD_MINIMUM}
+ rm policy/modules/contrib/$(basename $i)
-# Build minimum policy
+done
-mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-%makeCmds minimum mcs n allow
-%makeModulesConf targeted base contrib
-%installCmds minimum mcs n allow
-install -m0644 %{SOURCE13} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
-%modulesList minimum
-%endif
 
 %if %{BUILD_MLS}
-# Build mls policy
+%makeConfig mls mls n deny contrib
-mkdir -p %{buildroot}%{_usr}/share/selinux/mls
-%makeCmds mls mls n deny
-%makeModulesConf mls base contrib
 %installCmds mls mls n deny
 %modulesList mls
 %endif
 
+%if %{BUILD_MINIMUM}
+for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
+ cp $i policy/modules/contrib
+done
+%makeConfig minimum mcs n deny contrib
+%installCmds minimum mcs n allow
+install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
+%modulesList minimum
+%endif
+
+
 # Install devel
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
-make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
-make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
@@ -466,6 +433,7 @@ else
   [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/
   [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
 fi
+%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
 exit 0
 
 %global post_un() \
@@ -495,7 +463,6 @@ SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %doc /usr/share/man/ru/man8/*
-%doc /usr/share/man/man8/*
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
@@ -539,7 +506,6 @@ exit 0
 %files targeted
 %defattr(-,root,root,-)
 %fileList targeted
-%{_usr}/share/selinux/targeted/modules-base.lst
 
 %postun targeted
 %post_un $1
@@ -566,28 +532,40 @@ if [ $1 -ne 1 ]; then
 fi
 
 %post minimum
-contribpackages=`cat /usr/share/selinux/minimum/modules-minimum-disable.lst`
+contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
+basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
+if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
+    mkdir /var/lib/selinux/minimum/active/modules/disabled
+fi
 if [ $1 -eq 1 ]; then
-  for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
+for p in $contribpackages; do
-    touch %{module_disabled minimum $p}
+    touch /var/lib/selinux/minimum/active/modules/disabled/$p
-  done
+done
-  /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
+for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do
-  /usr/sbin/semodule -B -s minimum
+    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+/usr/sbin/semanage import -S minimum -f - << __eof
+login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
+login -m  -s unconfined_u -r s0-s0:c0.c1023 root
+__eof
+/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
+/usr/sbin/semodule -B -s minimum
 else
-  instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
+instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
-  for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
+for p in $contribpackages; do
-    touch %{module_disabled minimum $p}
+    touch /var/lib/selinux/minimum/active/modules/disabled/$p
-  done
+done
-  /usr/sbin/semodule -B -s minimum
+for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do
-  %relabel minimum
+    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+/usr/sbin/semodule -B -s minimum
+%relabel minimum
 fi
 exit 0
 
 %files minimum
 %defattr(-,root,root,-)
 %fileList minimum
-%{_usr}/share/selinux/minimum/modules-base.lst
-/usr/share/selinux/minimum/modules-minimum-disable.lst
 
 %postun minimum
 %post_un $1
@@ -598,7 +576,6 @@ exit 0
 Summary:        SELinux mls base policy
 Group:          System/Management
 Provides:       selinux-policy-base = %{version}-%{release}
-Obsoletes:      selinux-policy-mls-sources < 2
 Requires:       policycoreutils-newrole >= %{POLICYCOREUTILSVER}
 Requires:       setransd
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
@@ -619,7 +596,6 @@ SELinux Reference policy mls base module.
 %files mls
 %defattr(-,root,root,-)
 %fileList mls
-%{_usr}/share/selinux/mls/modules-base.lst
 
 %postun mls
 %post_un $1

suse_additions_obs.patch

@@ -1,96 +0,0 @@
-Index: serefpolicy-contrib-20140730/obs.fc
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.fc
-@@ -0,0 +1,63 @@
-+/usr/lib/build/Build(/.*)?                      -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/build/Build.pm                         -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/build/configs(/.*)?                    -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/baselibs_global.conf             -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/baselibs_global-deb.conf         -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg                        -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-arch                   -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-deb                    -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-rpm                    -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-arch                -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-dsc                 -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-kiwi                -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-livebuild           -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-mock                -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-preinstallimage     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-spec                -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm                         -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-ec2                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-emulator                -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-kvm                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-lxc                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-openstack               -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-qemu                    -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-uml                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-xen                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-zvm                     -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/lxc.conf                         -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/qemu-reg                         -- gen_context(system_u:object_r:etc_t,s0)
-+
-+/usr/lib/build/emulator/.*                      -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/build                            -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/changelog2spec                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/common_functions                 -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/computeblocklists                -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createarchdeps                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createdebdeps                    -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createrepomddeps                 -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createrpmdeps                    -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createyastdeps                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createzyppdeps                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransform                     -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransformbz2                  -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransformzip                  -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/download                         -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/expanddeps                       -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/extractbuild                     -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/getbinaryid                      -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/init_buildsystem                 -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/killchroot                       -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/mkbaselibs                       -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/mkdrpms                          -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/order                            -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/queryconfig                      -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/signdummy                        -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spec2changelog                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spec_add_patch                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spectool                         -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/substitutedeps                   -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/unrpm                            -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/vc                               -- gen_context(system_u:object_r:bin_t,s0)
-+
-Index: serefpolicy-contrib-20140730/obs.if
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.if
-@@ -0,0 +1 @@
-+#
-Index: serefpolicy-contrib-20140730/obs.te
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.te
-@@ -0,0 +1,17 @@
-+policy_module(obs, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+# work out a real policy later on
-+#type obs_t;
-+#type obs_exec_t;
-+#application_domain(obs_t, obs_exec_t)
-+#
-+#type obs_conf_t;
-+#files_config_file(obs_conf_t)
-+#
-+#permissive obs_t;
-+

suse_additions_sslh.patch

@@ -1,149 +0,0 @@
-Index: serefpolicy-contrib-20140730/sslh.fc
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.fc
-@@ -0,0 +1,9 @@
-+/etc/conf.d/sslh 			-- 	gen_context(system_u:object_r:sslh_conf_t,s0)
-+/etc/default/sslh 			-- 	gen_context(system_u:object_r:sslh_conf_t,s0)
-+
-+/etc/init.d/sslh 			-- 	gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
-+/usr/lib/systemd/system/sslh.service  	-- 	gen_context(system_u:object_r:sslh_unit_file_t,s0)
-+
-+#/usr/sbin/rcsslh			--	gen_context(system_u:object_r:sslh_exec_t,s0)
-+/usr/sbin/sslh				--	gen_context(system_u:object_r:sslh_exec_t,s0)
-+
-Index: serefpolicy-contrib-20140730/sslh.if
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.if
-@@ -0,0 +1,77 @@
-+## <summary>sslh Applicative Protocol Multiplexer</summary>
-+
-+#######################################
-+## <summary>
-+##  Allow a domain to getattr on sslh binary.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed to transition.
-+##  </summary>
-+## </param>
-+#
-+interface(`sslh_getattr_exec',`
-+	gen_require(`
-+		type sslh_exec_t;
-+	')
-+
-+	allow $1 sslh_exec_t:file getattr;
-+')
-+
-+#######################################
-+## <summary>
-+##  Read sslh configuration.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`sslh_read_config',`
-+    gen_require(`
-+        type sslh_conf_t;
-+    ')
-+
-+    files_search_etc($1)
-+    list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
-+    read_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-+
-+######################################
-+## <summary>
-+##  Write sslh configuration.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`sslh_write_config',`
-+    gen_require(`
-+        type sslh_conf_t;
-+    ')
-+
-+    files_search_etc($1)
-+    write_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-+
-+####################################
-+## <summary>
-+##  Manage sslh configuration.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`sslh_manage_config',`
-+    gen_require(`
-+        type sslh_conf_t;
-+    ')
-+
-+    files_search_etc($1)
-+    manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-Index: serefpolicy-contrib-20140730/sslh.te
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.te
-@@ -0,0 +1,48 @@
-+policy_module(sslh, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sslh_t;
-+type sslh_exec_t;
-+init_daemon_domain(sslh_t, sslh_exec_t)
-+
-+type sslh_initrc_exec_t;
-+init_script_file(sslh_initrc_exec_t)
-+
-+type sslh_conf_t;
-+files_config_file(sslh_conf_t)
-+
-+type sslh_unit_file_t;
-+systemd_unit_file(sslh_unit_file_t)
-+
-+########################################
-+#
-+# sslh local policy
-+#
-+
-+allow sslh_t self:capability { setuid net_bind_service setgid };
-+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-+allow sslh_t self:process { setcap signal };
-+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
-+
-+corenet_tcp_bind_generic_node(sslh_t)
-+corenet_tcp_bind_all_ports(sslh_t)
-+corenet_tcp_connect_all_ports(sslh_t)
-+
-+corenet_udp_bind_all_ports(sslh_t)
-+corenet_udp_send_generic_if(sslh_t)
-+corenet_udp_receive_generic_if(sslh_t)
-+
-+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
-+
-+nscd_shm_use(sslh_t)
-+
-+allow sslh_t nscd_var_run_t:file read;
-+
-+# dontaudit?
-+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
-+#allow sshd_t unconfined_t:process { siginh noatsecure };
-+

suse_modifications_apache.patch

@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/services/apache.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/apache.fc	2018-11-27 13:33:30.059837794 +0100
-+++ refpolicy/policy/modules/services/apache.fc	2018-11-27 13:34:07.964446972 +0100
-@@ -84,6 +84,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
- 
- ifdef(`distro_suse',`
- /usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/start_apache2					--	gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
- 
- /usr/share/dirsrv(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)

suse_modifications_cron.patch

@@ -1,60 +0,0 @@
-Index: refpolicy/policy/modules/services/cron.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.fc	2019-07-11 14:31:20.905629406 +0200
-@@ -69,7 +69,9 @@ ifdef(`distro_gentoo',`
- ')
- 
- ifdef(`distro_suse',`
--/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
--/var/spool/cron/tabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/tabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-+/var/spool/cron/tabs/[^/]*	--	gen_context(system_u:object_r:user_cron_spool_t,s0)
- ')
-Index: refpolicy/policy/modules/services/cron.te
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.te	2019-07-11 14:31:20.909629472 +0200
-@@ -788,3 +788,9 @@ tunable_policy(`cron_userdomain_transiti
- optional_policy(`
- 	unconfined_domain(unconfined_cronjob_t)
- ')
-+
-+ifdef(`distro_suse',`
-+	files_read_default_symlinks(crontab_t)
-+	userdom_manage_user_home_dirs(crontab_t)
-+	xserver_non_drawing_client(crontab_t)
-+')
-Index: refpolicy/policy/modules/services/cron.if
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.if	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.if	2019-07-11 14:31:20.909629472 +0200
-@@ -139,7 +139,7 @@ interface(`cron_role',`
- #
- interface(`cron_unconfined_role',`
- 	gen_require(`
--		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-+		type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
- 		type crond_t, user_cron_spool_t;
- 		bool cron_userdomain_transition;
- 	')
-@@ -149,14 +149,14 @@ interface(`cron_unconfined_role',`
- 	# Declarations
- 	#
- 
--	role $1 types { unconfined_cronjob_t crontab_t };
-+	role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
- 
- 	##############################
- 	#
- 	# Local policy
- 	#
- 
--	domtrans_pattern($2, crontab_exec_t, crontab_t)
-+	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
- 
- 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- 	allow $2 crond_t:process sigchld;

suse_modifications_getty.patch

@@ -1,15 +0,0 @@
-Index: refpolicy/policy/modules/system/getty.te
-===================================================================
---- refpolicy.orig/policy/modules/system/getty.te	2017-08-07 00:45:21.000000000 +0200
-+++ refpolicy/policy/modules/system/getty.te	2018-11-27 14:50:03.798977971 +0100
-@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
- 
- miscfiles_read_localization(getty_t)
- 
-+allow getty_t var_run_t:sock_file write;
-+plymouthd_exec_plymouth(getty_t)
-+kernel_stream_connect(getty_t)
-+
- ifdef(`distro_gentoo',`
- 	# Gentoo default /etc/issue makes agetty
- 	# do a DNS lookup for the hostname

suse_modifications_logging.patch

@@ -1,14 +0,0 @@
-Index: refpolicy/policy/modules/system/logging.te
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.te	2019-07-11 14:31:20.937629934 +0200
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
- 	udev_read_pid_files(syslogd_t)
- ')
- 
-+allow syslogd_t var_run_t:file { read getattr open };
-+allow syslogd_t var_run_t:sock_file write;
-+
- ifdef(`distro_gentoo',`
- 	# default gentoo syslog-ng config appends kernel
- 	# and high priority messages to /dev/tty12

suse_modifications_ntp.patch

@@ -1,18 +0,0 @@
-Index: refpolicy/policy/modules/services/ntp.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/ntp.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/ntp.fc	2019-07-11 14:31:20.957630264 +0200
-@@ -39,3 +39,13 @@
- /var/log/ntp.*				--	gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/ntpstats(/.*)?				gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/xntpd.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
-+
-+# SUSE chroot
-+/var/lib/ntp/etc/ntpd?.*\.conf.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp/crypto(/.*)?		gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/etc/ntp/keys		--	gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/step-tickers.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/var/lib/ntp(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/run/ntp(/.*)?			gen_context(system_u:object_r:ntpd_var_run_t,s0)

suse_modifications_usermanage.patch

@@ -1,24 +0,0 @@
-Index: refpolicy/policy/modules/admin/usermanage.te
-===================================================================
---- refpolicy.orig/policy/modules/admin/usermanage.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/admin/usermanage.te	2019-07-11 14:31:20.965630396 +0200
-@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
- # for when /root is the cwd
- userdom_dontaudit_search_user_home_dirs(groupadd_t)
- 
-+allow groupadd_t self:netlink_selinux_socket { create bind };
-+allow groupadd_t var_run_t:sock_file write;
-+
- optional_policy(`
- 	apt_use_fds(groupadd_t)
- ')
-@@ -571,6 +574,9 @@ optional_policy(`
- 	puppet_rw_tmp(useradd_t)
- ')
- 
-+allow useradd_t var_run_t:sock_file write;
-+selinux_compute_access_vector(useradd_t)
-+
- optional_policy(`
- 	tunable_policy(`samba_domain_controller',`
- 		samba_append_log(useradd_t)

suse_modifications_virt.patch

@@ -1,13 +0,0 @@
-Index: refpolicy/policy/modules/services/virt.te
-===================================================================
---- refpolicy.orig/policy/modules/services/virt.te	2018-07-01 17:02:32.000000000 +0200
-+++ refpolicy/policy/modules/services/virt.te	2018-11-27 15:03:42.792334942 +0100
-@@ -1235,6 +1235,8 @@ optional_policy(`
- 	rpm_read_db(svirt_lxc_net_t)
- ')
- 
-+allow svirt_t qemu_exec_t:file execmod;
-+
- #######################################
- #
- # Prot exec local policy

suse_modifications_xserver.patch

@@ -1,36 +0,0 @@
-Index: refpolicy/policy/modules/services/xserver.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/xserver.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.fc	2019-07-11 14:31:20.989630792 +0200
-@@ -77,6 +77,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
- /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
- /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
- 
-+#/usr/lib/gdm/.* 	-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/X11/display-manager	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+
- /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /usr/lib/xorg/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-Index: refpolicy/policy/modules/services/xserver.te
-===================================================================
---- refpolicy.orig/policy/modules/services/xserver.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.te	2019-07-11 14:31:20.989630792 +0200
-@@ -912,6 +912,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
- 
- init_use_fds(xserver_t)
- 
-+ifndef(`distro_suse',`
-+	# this is a neverallow, maybe dontaudit it
-+	#allow xdm_t proc_kcore_t:file getattr;
-+	allow xdm_t var_run_t:lnk_file create;
-+	allow xdm_t var_lib_t:lnk_file read;
-+
-+	dev_getattr_all_blk_files( xdm_t )
-+	dev_getattr_all_chr_files( xdm_t )
-+	logging_r_xconsole(xdm_t)
-+')
-+
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_dirs(xserver_t)
- 	fs_manage_nfs_files(xserver_t)

sysconfig_network_scripts.patch

@@ -1,70 +0,0 @@
-Index: refpolicy/policy/modules/system/sysnetwork.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/sysnetwork.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.fc	2019-07-11 14:31:20.997630924 +0200
-@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
- /dev/shm/network(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+# SUSE
-+# sysconfig network files are stored in /dev/.sysconfig
-+/dev/.sysconfig/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
-+# label netconfig files in /var/adm and /var/lib and /var/run
-+/var/adm/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
-+/var/lib/ntp/var(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
-+
-+
- #
- # /etc
- #
-@@ -34,6 +43,10 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
-+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /usr
- #
-Index: refpolicy/policy/modules/system/sysnetwork.te
-===================================================================
---- refpolicy.orig/policy/modules/system/sysnetwork.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.te	2019-07-11 14:31:21.001630990 +0200
-@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
- #
- # DHCP client local policy
- #
--allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
-+# need sys_admin to set hostname/domainname
-+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
- dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-@@ -80,6 +81,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
- sysnet_manage_config(dhcpc_t)
- files_etc_filetrans(dhcpc_t, net_conf_t, file)
- 
-+# allow relabel of /dev/.sysconfig
-+dev_associate(net_conf_t)
-+
-+# allow mv /etc/resolv.conf.netconfig
-+allow dhcpc_t etc_runtime_t:file unlink;
-+
- # create temp files
- manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
- manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
-Index: refpolicy/policy/modules/kernel/devices.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/devices.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/kernel/devices.fc	2019-07-11 14:31:21.001630990 +0200
-@@ -2,6 +2,7 @@
- /dev			-d	gen_context(system_u:object_r:device_t,s0)
- /dev/.*				gen_context(system_u:object_r:device_t,s0)
- 
-+/dev/.sysconfig(/.*)?	-d	gen_context(system_u:object_r:net_conf_t,s0)
- /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
- /dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)

targeted_temp_fixes.if

@@ -0,0 +1 @@
+## <summary></summary>

targeted_temp_fixes.te

@@ -0,0 +1,54 @@
+policy_module(targeted_temp_fixes, 1.0)
+
+require {
+	type iptables_t;
+	type nscd_t;
+	type lib_t;
+	type bin_t;
+	type init_t;
+	type irqbalance_t;
+	type iptables_var_lib_t;
+	type postfix_master_t;
+	type firewalld_t;
+	type postfix_map_exec_t;
+        type xdm_t;
+        type groupadd_t;
+        type useradd_t;
+        class netlink_selinux_socket { bind create };
+	class dir { add_name mounton write };
+	class file { create execute execute_no_trans getattr ioctl lock open read };
+}
+
+#============= firewalld_t ==============
+allow firewalld_t iptables_var_lib_t:dir { add_name write };
+allow firewalld_t iptables_var_lib_t:file { create lock open read };
+
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };
+files_rw_var_files(init_t)
+fwupd_manage_cache_dirs(init_t)
+ntp_read_drift_files(init_t)
+
+#============= iptables_t ==============
+kernel_rw_pipes(iptables_t)
+
+#============= irqbalance_t ==============
+init_nnp_daemon_domain(irqbalance_t)
+
+#============= nscd_t ==============
+files_exec_generic_pid_files(nscd_t)
+
+#============= postfix_master_t ==============
+files_read_var_lib_files(postfix_master_t)
+files_read_var_lib_symlinks(postfix_master_t)
+
+#============= xdm_t ==============
+# KDE write to home directories
+userdom_manage_user_home_content_files(xdm_t)
+
+#============= groupadd_t ==============                                                                                                                                                       allow groupadd_t self:netlink_selinux_socket { bind create };
+allow useradd_t self:netlink_selinux_socket { bind create };                                                                                                                                   
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_access_vector(useradd_t) 

users-minimum

@@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-mls

@@ -27,3 +27,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-targeted

@@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)