Accepting request 785956 from home:jsegitz:branches:security:SELinux

- New patches: * fix_accountsd.patch * fix_automount.patch * fix_colord.patch * fix_mcelog.patch * fix_sslh.patch * fix_nagios.patch * fix_openvpn.patch * fix_cron.patch * fix_usermanage.patch * fix_smartmon.patch * fix_geoclue.patch * suse_specific.patch Default systems should now work without selinuxuser_execmod - Removed xdm_entrypoint_pam.patch, necessary change is in fix_unconfineduser.patch - Enable SUSE specific settings again OBS-URL: https://build.opensuse.org/request/show/785956 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=75
2020-03-17 14:46:20 +00:00 · 2020-03-17 14:46:20 +00:00 · cf699a6f0f
commit cf699a6f0f
parent 1fd70ac29b
23 changed files with 437 additions and 86 deletions
--- a/fix_accountsd.patch
+++ b/fix_accountsd.patch
@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/accountsd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/accountsd.fc
+++ fedora-policy/policy/modules/contrib/accountsd.fc
+@@ -1,6 +1,7 @@
+ /usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+ 
+ /usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+/usr/lib/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+ 
+ /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+ 
--- a/fix_automount.patch
+++ b/fix_automount.patch
@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/automount.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/automount.te
+++ fedora-policy/policy/modules/contrib/automount.te
+@@ -154,6 +154,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	networkmanager_read_pid_files(automount_t)
+')
+
+optional_policy(`
+ 	fstools_domtrans(automount_t)
+ ')
+ 
--- a/fix_colord.patch
+++ b/fix_colord.patch
@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/colord.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/colord.fc
+++ fedora-policy/policy/modules/contrib/colord.fc
+@@ -6,6 +6,8 @@
+ 
+ /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+ /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+ 
+ /usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+ 
--- a/fix_corecommand.patch
+++ b/fix_corecommand.patch
@ -1,8 +1,20 @@
 Index: fedora-policy/policy/modules/kernel/corecommands.fc
 ===================================================================
--- fedora-policy.orig/policy/modules/kernel/corecommands.fc	2020-02-24 08:46:26.205153437 +0000
-+++ fedora-policy/policy/modules/kernel/corecommands.fc	2020-02-24 13:44:00.711915017 +0000
-@@ -251,6 +251,21 @@ ifdef(`distro_gentoo',`
+--- fedora-policy.orig/policy/modules/kernel/corecommands.fc
+++ fedora-policy/policy/modules/kernel/corecommands.fc
+@@ -86,7 +86,10 @@ ifdef(`distro_redhat',`
+ 
+ /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
+ 
+-/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/netconfig.d/.*		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/mcelog/.*-error.*-trigger	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/.*\.setup		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',`
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gnome-settings-daemon/.* --	gen_context(system_u:object_r:bin_t,s0)
@ -24,7 +36,16 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc
 /usr/lib/gvfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -391,6 +406,7 @@ ifdef(`distro_debian',`
+@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',`
+ 
+ /usr/lib/xen/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib'
+/usr/lib/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -391,6 +411,7 @@ ifdef(`distro_debian',`
 /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
 ')
--- a/fix_cron.patch
+++ b/fix_cron.patch
@ -0,0 +1,36 @@
+Index: fedora-policy/policy/modules/contrib/cron.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/cron.fc
+++ fedora-policy/policy/modules/contrib/cron.fc
+@@ -34,7 +34,7 @@
+ 
+ /var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+-/var/spool/cron/USER   	--  gen_context(system_u:object_r:user_cron_spool_t,s0)
+/var/spool/cron/tabs/USER   	--  gen_context(system_u:object_r:user_cron_spool_t,s0)
+ 
+ /var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.*	--	<<none>>
+@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',`
+ /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+ /var/spool/cron/lastrun/[^/]*	--	<<none>>
+ ')
+-
+-ifdef(`distro_suse', `
+-/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun/[^/]*	--	<<none>>
+-/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-')
+Index: fedora-policy/policy/modules/contrib/cron.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/cron.if
+++ fedora-policy/policy/modules/contrib/cron.if
+@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo
+ #
+ interface(`cron_system_spool_entrypoint',`
+ 	gen_require(`
+-		attribute system_cron_spool_t;
+		type system_cron_spool_t;
+ 	')
+ 	allow $1 system_cron_spool_t:file entrypoint;
+ ')
--- a/fix_geoclue.patch
+++ b/fix_geoclue.patch
@ -0,0 +1,10 @@
+Index: fedora-policy/policy/modules/contrib/geoclue.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/geoclue.fc
+++ fedora-policy/policy/modules/contrib/geoclue.fc
+@@ -1,4 +1,4 @@
+-
+/usr/lib/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
+ /usr/libexec/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
+ 
+ /var/lib/geoclue(/.*)?		gen_context(system_u:object_r:geoclue_var_lib_t,s0)
--- a/fix_init.patch
+++ b/fix_init.patch
@ -10,7 +10,15 @@ Index: fedora-policy/policy/modules/system/init.te
 
 dev_create_all_files(init_t)
 dev_create_all_chr_files(init_t)
-@@ -419,10 +420,15 @@ ifdef(`distro_redhat',`
+@@ -370,6 +371,7 @@ logging_manage_audit_config(init_t)
+ logging_create_syslog_netlink_audit_socket(init_t)
+ logging_write_var_log_dirs(init_t)
+ logging_manage_var_log_symlinks(init_t)
+logging_dgram_accept(init_t)
+ 
+ seutil_read_config(init_t)
+ seutil_read_login_config(init_t)
+@@ -419,10 +421,15 @@ ifdef(`distro_redhat',`
 corecmd_shell_domtrans(init_t, initrc_t)
 
 storage_raw_rw_fixed_disk(init_t)
@ -26,7 +34,7 @@ Index: fedora-policy/policy/modules/system/init.te
     bootloader_domtrans(init_t)
 ')
 
-@@ -536,7 +542,7 @@ tunable_policy(`init_create_dirs',`
+@@ -536,7 +543,7 @@ tunable_policy(`init_create_dirs',`
 allow init_t self:system all_system_perms;
 allow init_t self:system module_load;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@ -35,7 +43,7 @@ Index: fedora-policy/policy/modules/system/init.te
 allow init_t self:process { getcap setcap };
 allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
 allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
-@@ -598,6 +604,7 @@ files_delete_all_spool_sockets(init_t)
+@@ -598,6 +605,7 @@ files_delete_all_spool_sockets(init_t)
 files_create_var_lib_dirs(init_t)
 files_create_var_lib_symlinks(init_t)
 files_read_var_lib_symlinks(init_t)
@ -43,7 +51,7 @@ Index: fedora-policy/policy/modules/system/init.te
 files_manage_urandom_seed(init_t)
 files_list_locks(init_t)
 files_list_spool(init_t)
-@@ -689,6 +696,7 @@ systemd_userdbd_runtime_manage_symlinks(
+@@ -689,6 +697,7 @@ systemd_userdbd_runtime_manage_symlinks(
 create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 
 create_dirs_pattern(init_t, var_log_t, var_log_t)
@ -51,7 +59,7 @@ Index: fedora-policy/policy/modules/system/init.te
 
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
-@@ -1525,6 +1533,8 @@ optional_policy(`
+@@ -1525,6 +1534,8 @@ optional_policy(`
 
 optional_policy(`
 	postfix_list_spool(initrc_t)
@ -60,3 +68,15 @@ Index: fedora-policy/policy/modules/system/init.te
 ')
 
 optional_policy(`
+Index: fedora-policy/policy/modules/system/init.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/init.if
+++ fedora-policy/policy/modules/system/init.if
+@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content'
+ 	files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ 	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
+	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+ ')
+ 
--- a/fix_irqbalance.patch
+++ b/fix_irqbalance.patch
@ -1,13 +1,18 @@
 Index: fedora-policy/policy/modules/contrib/irqbalance.te
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/irqbalance.te	2020-02-19 09:36:31.792283559 +0000
-+++ fedora-policy/policy/modules/contrib/irqbalance.te	2020-02-21 12:18:36.155848163 +0000
-@@ -28,6 +28,8 @@ allow irqbalance_t self:udp_socket creat
- manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
- files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+--- fedora-policy.orig/policy/modules/contrib/irqbalance.te
+++ fedora-policy/policy/modules/contrib/irqbalance.te
+@@ -25,8 +25,12 @@ dontaudit irqbalance_t self:capability s
+ allow irqbalance_t self:process { getcap getsched setcap signal_perms };
+ allow irqbalance_t self:udp_socket create_socket_perms;
 
-+init_nnp_daemon_domain(irqbalance_t)
+manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+ manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+-files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+manage_sock_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, { dir file sock_file })
 +
+init_nnp_daemon_domain(irqbalance_t)
+ 
 kernel_read_network_state(irqbalance_t)
 kernel_read_system_state(irqbalance_t)
- kernel_read_kernel_sysctls(irqbalance_t)
--- a/fix_logging.patch
+++ b/fix_logging.patch
@ -1,7 +1,7 @@
 Index: fedora-policy/policy/modules/system/logging.fc
 ===================================================================
--- fedora-policy.orig/policy/modules/system/logging.fc	2020-02-24 08:53:21.924002716 +0000
-+++ fedora-policy/policy/modules/system/logging.fc	2020-02-24 13:33:16.353371311 +0000
+--- fedora-policy.orig/policy/modules/system/logging.fc
+++ fedora-policy/policy/modules/system/logging.fc
@@ -3,6 +3,8 @@
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@ -19,3 +19,30 @@ Index: fedora-policy/policy/modules/system/logging.fc
 /var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+Index: fedora-policy/policy/modules/system/logging.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/logging.if
+++ fedora-policy/policy/modules/system/logging.if
+@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',`
+ 
+ 	allow $1 syslogd_t:unix_dgram_socket sendto;
+ ')
+
+########################################
+## <summary>
+##	Accept a message to syslogd over a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dgram_accept',`
+	gen_require(`
+		type syslogd_t;
+	')
+
+	allow $1 syslogd_t:unix_dgram_socket accept;
+')
--- a/fix_mcelog.patch
+++ b/fix_mcelog.patch
@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/mcelog.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/mcelog.te
+++ fedora-policy/policy/modules/contrib/mcelog.te
+@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t)
+ # Local policy
+ #
+ 
+-allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:capability { sys_admin setgid };
+ allow mcelog_t self:unix_stream_socket connected_socket_perms;
+ 
+ allow mcelog_t mcelog_etc_t:dir list_dir_perms;
--- a/fix_nagios.patch
+++ b/fix_nagios.patch
@ -0,0 +1,24 @@
+Index: fedora-policy/policy/modules/contrib/nagios.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nagios.fc
+++ fedora-policy/policy/modules/contrib/nagios.fc
+@@ -24,6 +24,7 @@
+ /var/log/pnp4nagios(/.*)?                   gen_context(system_u:object_r:nagios_log_t,s0)
+ 
+ /var/lib/pnp4nagios(/.*)?               gen_context(system_u:object_r:nagios_var_lib_t,s0)
+/var/lib/nagios(/.*)?               gen_context(system_u:object_r:nagios_var_lib_t,s0)
+ 
+ /var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
+ 
+Index: fedora-policy/policy/modules/contrib/nagios.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nagios.te
+++ fedora-policy/policy/modules/contrib/nagios.te
+@@ -155,6 +155,7 @@ allow nagios_t nagios_spool_t:file map;
+ manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
+ 
+ kernel_read_system_state(nagios_t)
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@ -12,13 +12,17 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te
 tunable_policy(`use_nfs_home_dirs',`
     fs_read_nfs_files(NetworkManager_t)
 ')
-@@ -250,6 +253,10 @@ optional_policy(`
+@@ -250,6 +253,14 @@ optional_policy(`
 ')
 
 optional_policy(`
 +	packagekit_dbus_chat(NetworkManager_t)
 +')
 +
+optional_policy(`
+    networkmanager_dbus_chat(NetworkManager_t)
+')
+
 +optional_policy(`
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)
--- a/fix_openvpn.patch
+++ b/fix_openvpn.patch
@ -0,0 +1,41 @@
+Index: fedora-policy/policy/modules/contrib/openvpn.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/openvpn.te
+++ fedora-policy/policy/modules/contrib/openvpn.te
+@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal
+ ## </desc>
+ gen_tunable(openvpn_can_network_connect, true)
+ 
+## <desc>
+##	<p>
+##	Determine whether openvpn can
+##	change sysctl values (e.g. rp_filter)
+##	</p>
+## </desc>
+gen_tunable(openvpn_allow_changing_sysctls, false)
+
+ attribute_role openvpn_roles;
+ 
+ type openvpn_t;
+@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t
+ userdom_read_inherited_user_tmp_files(openvpn_t)
+ userdom_read_inherited_user_home_content_files(openvpn_t)
+ 
+tunable_policy(`openvpn_allow_changing_sysctls',`
+        kernel_rw_net_sysctls(openvpn_t)
+')
+
+ tunable_policy(`openvpn_enable_homedirs',`
+ 	userdom_search_user_home_dirs(openvpn_t)
+ ')
+@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn
+ ')
+ 
+ optional_policy(`
+	firewalld_dbus_chat(openvpn_t)
+')
+
+optional_policy(`
+ 	brctl_domtrans(openvpn_t)
+ ')
+ 
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@ -1,11 +1,12 @@
 Index: fedora-policy/policy/modules/contrib/postfix.fc
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/postfix.fc	2020-02-25 10:34:35.875376865 +0000
-+++ fedora-policy/policy/modules/contrib/postfix.fc	2020-02-25 10:34:37.719407494 +0000
-@@ -2,36 +2,19 @@
- /etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
- /etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
- /etc/postfix/chroot-update --	gen_context(system_u:object_r:postfix_exec_t,s0)
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc
+++ fedora-policy/policy/modules/contrib/postfix.fc
+@@ -1,37 +1,20 @@
+ # postfix
+-/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+-/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
+-/etc/postfix/chroot-update --	gen_context(system_u:object_r:postfix_exec_t,s0)
 -ifdef(`distro_redhat', `
 -/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 -/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@ -22,7 +23,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 -/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 -/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 -', `
- /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 -/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 -/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 -/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -36,7 +37,11 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 -/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 -/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 -')
-+/usr/lib/postfix/bin/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/etc/rc\.d/init\.d/postfix    --  	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.*		      		gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix/chroot-update 	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/bin/.*		--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/bin/cleanup 	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 +/usr/lib/postfix/bin/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
@ -63,13 +68,14 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
 Index: fedora-policy/policy/modules/contrib/postfix.te
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/postfix.te	2020-02-19 09:36:31.820284005 +0000
-+++ fedora-policy/policy/modules/contrib/postfix.te	2020-02-25 10:35:55.544700764 +0000
-@@ -447,6 +447,12 @@ logging_send_syslog_msg(postfix_map_t)
+--- fedora-policy.orig/policy/modules/contrib/postfix.te
+++ fedora-policy/policy/modules/contrib/postfix.te
+@@ -447,6 +447,13 @@ logging_send_syslog_msg(postfix_map_t)
 
 userdom_use_inherited_user_ptys(postfix_map_t)
 
 +corecmd_exec_bin(postfix_map_t)
+init_ioctl_stream_sockets(postfix_map_t)
 +
 +optional_policy(`
 +	mta_read_aliases(postfix_map_t)
--- a/fix_smartmon.patch
+++ b/fix_smartmon.patch
@ -0,0 +1,9 @@
+Index: fedora-policy/policy/modules/contrib/smartmon.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/smartmon.fc
+++ fedora-policy/policy/modules/contrib/smartmon.fc
+@@ -5,3 +5,4 @@
+ /var/run/smartd\.pid	--	gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+ 
+ /var/lib/smartmontools(/.*)?	gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
+/var/lib/smartmontools/smartd_opts      --      gen_context(system_u:object_r:etc_t,s0)
--- a/fix_sslh.patch
+++ b/fix_sslh.patch
@ -0,0 +1,33 @@
+Index: fedora-policy/policy/modules/contrib/sslh.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/sslh.te
+++ fedora-policy/policy/modules/contrib/sslh.te
+@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals
+ type sslh_t;
+ type sslh_exec_t;
+ init_daemon_domain(sslh_t, sslh_exec_t)
+init_nnp_daemon_domain(sslh_t)
+ 
+ type sslh_config_t;
+ files_config_file(sslh_config_t)
+@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por
+     # allow sslh to connect to any port
+     corenet_tcp_sendrecv_all_ports(sslh_t) 
+     corenet_tcp_connect_all_ports(sslh_t)
+    corenet_tcp_connect_all_ports(sslh_t)
+ ')
+ 
+ tunable_policy(`sslh_can_bind_any_port',`
+Index: fedora-policy/policy/modules/contrib/sslh.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/sslh.fc
+++ fedora-policy/policy/modules/contrib/sslh.fc
+@@ -4,6 +4,8 @@
+ /etc/rc\.d/init\.d/sslh 	--	gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+ /etc/sslh(/.*)?                         gen_context(system_u:object_r:sslh_config_t,s0)
+ /etc/sslh\.cfg 			-- 	gen_context(system_u:object_r:sslh_config_t,s0)
+/etc/conf\.d/sslh               --      gen_context(system_u:object_r:sslh_config_t,s0)
+/etc/default/sslh               --      gen_context(system_u:object_r:sslh_config_t,s0)
+ /etc/sysconfig/sslh		-- 	gen_context(system_u:object_r:sslh_config_t,s0)
+ /usr/lib/systemd/system/sslh.*  --	gen_context(system_u:object_r:sslh_unit_file_t,s0)
+ /var/run/sslh.* 			gen_context(system_u:object_r:sslh_var_run_t,s0)
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@ -1,7 +1,7 @@
 Index: fedora-policy/policy/modules/system/systemd.te
 ===================================================================
--- fedora-policy.orig/policy/modules/system/systemd.te	2020-02-19 09:36:25.444182470 +0000
-+++ fedora-policy/policy/modules/system/systemd.te	2020-02-24 10:56:11.762848157 +0000
+--- fedora-policy.orig/policy/modules/system/systemd.te
+++ fedora-policy/policy/modules/system/systemd.te
@@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system
 xserver_dbus_chat(systemd_logind_t)
 
@ -12,4 +12,3 @@ Index: fedora-policy/policy/modules/system/systemd.te
 +optional_policy(`
 	apache_read_tmp_files(systemd_logind_t)
 ')
- 
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@ -1,8 +1,31 @@
 Index: fedora-policy/policy/modules/roles/unconfineduser.te
 ===================================================================
--- fedora-policy.orig/policy/modules/roles/unconfineduser.te	2020-02-19 09:36:25.436182342 +0000
-+++ fedora-policy/policy/modules/roles/unconfineduser.te	2020-02-25 08:24:07.992702226 +0000
-@@ -244,6 +244,10 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy/policy/modules/roles/unconfineduser.te
+@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all'
+     domain_dyntrans(unconfined_t)
+ ')
+ 
+# FIXME this is probably caused by some wierd PAM interaction
+corecmd_entrypoint_all_executables(unconfined_t)
+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
+files_execmod_tmp(unconfined_t)
+
+ optional_policy(`
+ 	gen_require(`
+ 		type unconfined_t;
+@@ -210,6 +215,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+    cron_system_spool_entrypoint(unconfined_t)
+')
+
+optional_policy(`
+ 	chrome_role_notrans(unconfined_r, unconfined_t)
+ 
+ 	tunable_policy(`unconfined_chrome_sandbox_transition',`
+@@ -244,6 +253,10 @@ optional_policy(`
 	dbus_stub(unconfined_t)
 
 	optional_policy(`
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@ -0,0 +1,29 @@
+Index: fedora-policy/policy/modules/admin/usermanage.te
+===================================================================
+--- fedora-policy.orig/policy/modules/admin/usermanage.te
+++ fedora-policy/policy/modules/admin/usermanage.te
+@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
+ allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+ allow groupadd_t self:unix_dgram_socket sendto;
+ allow groupadd_t self:unix_stream_socket connectto;
+allow groupadd_t self:netlink_selinux_socket create_socket_perms;
+ 
+ fs_getattr_xattr_fs(groupadd_t)
+ fs_search_auto_mountpoints(groupadd_t)
+@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
+ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
+allow useradd_t self:netlink_selinux_socket create_socket_perms;
+ 
+ manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
+ manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
+@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+ 
+selinux_compute_access_vector(useradd_t)
+
+ corecmd_exec_shell(useradd_t)
+ # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+ corecmd_exec_bin(useradd_t)
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon Mar  9 09:01:22 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
+
+- New patches:
+  * fix_accountsd.patch
+  * fix_automount.patch
+  * fix_colord.patch
+  * fix_mcelog.patch
+  * fix_sslh.patch
+  * fix_nagios.patch
+  * fix_openvpn.patch
+  * fix_cron.patch
+  * fix_usermanage.patch
+  * fix_smartmon.patch
+  * fix_geoclue.patch
+  * suse_specific.patch
+  Default systems should now work without selinuxuser_execmod
+- Removed xdm_entrypoint_pam.patch, necessary change is in
+  fix_unconfineduser.patch
+- Enable SUSE specific settings again
+
 -------------------------------------------------------------------
 Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -38,10 +38,6 @@

 %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else  print "0" end }

-# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
-# It depends on the kernel, but apparently more so on the libsemanage version.
-%define POLICYVER 30
-
 # macros calling module_store have to be defined using global, not define, and
 # "lazy" evaluation
 %global module_store() %{_localstatedir}/lib/selinux/%%{1}
@ -140,11 +136,22 @@ Patch027:       fix_unconfined.patch
 Patch028:       fix_unconfineduser.patch
 Patch029:       fix_chronyd.patch
 Patch030:       fix_networkmanager.patch
-Patch031:       xdm_entrypoint_pam.patch
+Patch032:       fix_accountsd.patch
+Patch033:       fix_automount.patch
+Patch034:       fix_colord.patch
+Patch035:       fix_mcelog.patch
+Patch036:       fix_sslh.patch
+Patch037:       fix_nagios.patch
+Patch038:       fix_openvpn.patch
+Patch039:       fix_cron.patch
+Patch040:       fix_usermanage.patch
+Patch041:       fix_smartmon.patch
+Patch042:       fix_geoclue.patch
+Patch043:       suse_specific.patch

 Patch100: 	sedoctool.patch

-Url:            http://oss.tresys.com/repos/refpolicy/
+Url:            https://github.com/fedora-selinux/selinux-policy.git
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 BuildRequires:  %fillup_prereq
@ -378,9 +385,22 @@ systems and used as the basis for creating other policies.
 %patch028 -p1
 %patch029 -p1
 %patch030 -p1
-%patch031 -p1
+#% patch031 -p1
+%patch032 -p1
+%patch033 -p1
+%patch034 -p1
+%patch035 -p1
+%patch036 -p1
+%patch037 -p1
+%patch038 -p1
+%patch039 -p1
+%patch040 -p1
+%patch041 -p1
+%patch042 -p1
+%patch043 -p1

 %patch100 -p1
+find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;

 %build

--- a/suse_specific.patch
+++ b/suse_specific.patch
@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/system/selinuxutil.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy/policy/modules/system/selinuxutil.if
+@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
+ 
+ 	dontaudit $1 selinux_config_t:dir search_dir_perms;
+ 	dontaudit $1 selinux_config_t:file read_file_perms;
+	# /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
+	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
--- a/xdm_entrypoint_pam.patch
+++ b/xdm_entrypoint_pam.patch
@ -1,43 +0,0 @@
-Index: fedora-policy/policy/modules/roles/unconfineduser.te
-===================================================================
--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy/policy/modules/roles/unconfineduser.te
-@@ -126,6 +126,10 @@ optional_policy(`
- 	')
- 
- 	optional_policy(`
-+		xdm_entrypoint(unconfined_t)
-+	')
-+
-+	optional_policy(`
- 		abrt_dbus_chat(unconfined_t)
- 		abrt_run_helper(unconfined_t, unconfined_r)
- 	')
-Index: fedora-policy/policy/modules/services/xserver.if
-===================================================================
--- fedora-policy.orig/policy/modules/services/xserver.if
-+++ fedora-policy/policy/modules/services/xserver.if
-@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',`
- 	domtrans_pattern($1, xdm_exec_t, xdm_t)
- ')
- 
-+########################################
-+## <summary>
-+##      Allow any xdm_exec_t to be an entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`xdm_entrypoint',`
-+        gen_require(`
-+                type xdm_exec_t;
-+        ')
-+        allow $1 xdm_exec_t:file entrypoint;
-+')
- 
- ########################################
- ## <summary>