diff --git a/booleans-minimum.conf b/booleans-minimum.conf
index 26b0dc4..2e00a7a 100644
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@@ -246,3 +246,8 @@ init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
+
+# Allow all domains to mmap files
+#
+domain_can_mmap_files = true
+
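Review bot: The comment above `domain_can_mmap_files = true` only restates the boolean's name and does not say why it is being switched on system-wide, here and again at the end of booleans-targeted.conf. If I recall the Fedora policy correctly, this tunable lets every domain use the `map` permission on any file type, i.e. it removes the per-domain mmap check the kernel's map permission introduced, so the motivating denials and the reason a per-domain allow was not preferred belong in the comment, e.g. `# Allow all domains to mmap files (needed for: <placeholder: AVC/bug reference>)`. The extra blank line appended after the setting is also a stray end-of-file whitespace change.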
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index d943d04..d8cf568 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -7,14 +7,11 @@ nfs_export_all_ro = true
nfs_export_all_rw = true
nscd_use_shm = true
openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
+postfix_local_write_mail_spool= true
pppd_can_insmod = false
privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
+selinuxuser_rw_noexattrfile = true
selinuxuser_ping = true
squid_connect_any = true
telepathy_tcp_connect_generic_network_ports=true
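Review bot: The normalised line `postfix_local_write_mail_spool= true` still does not match the ` = ` spacing used by its neighbours and by the other line this hunk normalises (`selinuxuser_rw_noexattrfile = true`); it should read `postfix_local_write_mail_spool = true`. Dropping the three `selinuxuser_exec*` settings means those booleans fall back to whatever default the compiled policy ships, which is not visible from here; a one-line comment stating that the default (presumably off) is now intended would make the hardening explicit instead of implicit. The `telepathy_tcp_connect_generic_network_ports=true` and `unconfined_*_transition=true` context lines keep the unspaced form, so whichever style is chosen should be applied to the whole file.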
@@ -22,3 +19,5 @@ unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true
xguest_exec_content = true
mozilla_plugin_can_network_connect = true
+# Allow all domains to mmap files
+domain_can_mmap_files = true
diff --git a/fedora-policy.20190802.tar.bz2 b/fedora-policy.20190802.tar.bz2
deleted file mode 100644
index 409383d..0000000
--- a/fedora-policy.20190802.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
-size 730294
diff --git a/fedora-policy.20200219.tar.bz2 b/fedora-policy.20200219.tar.bz2
new file mode 100644
index 0000000..258bc73
--- /dev/null
+++ b/fedora-policy.20200219.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62cd90fa977ee00fd42a249690e13ad8fb87de95d06a1f12e86d05695544844d
+size 735114
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index dcb0062..10c5abe 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -11,3 +11,4 @@
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/var/lib/xguest/home /home
+/var/run/netconfig /etc
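Review bot: The new substitution `/var/run/netconfig /etc` makes every path under /var/run/netconfig take the label of the corresponding /etc path, which is broader than the resolv.conf-style files netconfig presumably writes there; a comment naming the intended files would help the next reader. If this file also maps `/var/run` to `/run` (outside the hunk), check that a path reached as /run/netconfig/... resolves the same way, since as far as I know only one substitution is applied per lookup. This entry pairs with the unnamed `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)` added in fix_unconfined.patch, and the two should agree on the directory name.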
diff --git a/fix_chronyd.patch b/fix_chronyd.patch
new file mode 100644
index 0000000..49d5345
--- /dev/null
+++ b/fix_chronyd.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/chronyd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te 2020-02-19 09:36:31.776283304 +0000
++++ fedora-policy/policy/modules/contrib/chronyd.te 2020-02-25 10:33:09.169920838 +0000
+@@ -136,6 +136,10 @@ systemd_exec_systemctl(chronyd_t)
+ userdom_dgram_send(chronyd_t)
+
+ optional_policy(`
++ networkmanager_read_pid_files(chronyd_t)
++')
++
++optional_policy(`
+ cron_dgram_send(chronyd_t)
+ ')
+
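Review bot: `networkmanager_read_pid_files(chronyd_t)` is added without a comment saying which file under NetworkManager's runtime directory chronyd reads, and the same bare call is added for nscd_t in fix_nscd.patch. A short comment such as `# read NetworkManager runtime state (<placeholder: path from AVC>)` above each new optional_policy block would record the reason for the grant. The timestamped `---`/`+++` lines are the only provenance in the file, so a bug or AVC reference in the `Index:` line would also help.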
diff --git a/fix_corecommand.patch b/fix_corecommand.patch
new file mode 100644
index 0000000..6ee1497
--- /dev/null
+++ b/fix_corecommand.patch
@@ -0,0 +1,34 @@
+Index: fedora-policy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/kernel/corecommands.fc 2020-02-24 08:46:26.205153437 +0000
++++ fedora-policy/policy/modules/kernel/corecommands.fc 2020-02-24 13:44:00.711915017 +0000
+@@ -251,6 +251,21 @@ ifdef(`distro_gentoo',`
+ /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -391,6 +406,7 @@ ifdef(`distro_debian',`
+ /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
++/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_gentoo', `
+ /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
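Review bot: `/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)` is inserted directly after the `')` that closes the `ifdef(`distro_debian'` block, with no blank line, so it reads as if it still belonged to that block even though it is unconditional. Moving it up next to the other unconditional `/usr/lib/gnome-*` helpers added in the first hunk (after the `/usr/lib/gnome-tweak-tool-lid-inhibitor` line) would keep the Debian-only and generic entries visibly apart. The fifteen `gnome-*` entries all use `--`, so a helper that is shipped as a symlink to a binary will not be relabelled; that is the conventional choice but worth confirming against the package contents.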
diff --git a/fix_dbus.patch b/fix_dbus.patch
index 39f1fc6..0387af9 100644
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@@ -1,35 +1,12 @@
-Index: fedora-policy/policy/modules/contrib/evolution.te
+Index: fedora-policy/policy/modules/contrib/dbus.te
===================================================================
---- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
-+++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
-@@ -228,7 +228,6 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000
++++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000
+@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
+ manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
++allow system_dbusd_t system_dbusd_tmp_t:file execute;
- optional_policy(`
- dbus_system_bus_client(evolution_t)
-- dbus_all_session_bus_client(evolution_t)
- ')
-
- optional_policy(`
-@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
- ')
-
- optional_policy(`
-- dbus_all_session_bus_client(evolution_alarm_t)
--')
--
--optional_policy(`
- gnome_stream_connect_gconf(evolution_alarm_t)
- ')
-
-Index: fedora-policy/policy/modules/contrib/thunderbird.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
-+++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
-@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
-
- optional_policy(`
- dbus_system_bus_client(thunderbird_t)
-- dbus_all_session_bus_client(thunderbird_t)
-
- optional_policy(`
- cups_dbus_chat(thunderbird_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
+ manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
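Review bot: `allow system_dbusd_t system_dbusd_tmp_t:file execute;` grants the system bus daemon execute access on a type it can already create and write (the `manage_files_pattern` two lines above), so the daemon ends up with write-and-execute on the same files, and the patch gives no hint which AVC motivated it. Please add a comment above the rule naming the denial and the dbus feature behind it, and consider whether a narrower rule (a specific file or a dedicated type) would do. Note also that the rewrite drops the evolution/thunderbird `dbus_all_session_bus_client` removals this patch previously carried; if they are still needed they now live only in fix_dbus.patch_orig, which nothing appears to apply.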
diff --git a/fix_dbus.patch_orig b/fix_dbus.patch_orig
new file mode 100644
index 0000000..39f1fc6
--- /dev/null
+++ b/fix_dbus.patch_orig
@@ -0,0 +1,35 @@
+Index: fedora-policy/policy/modules/contrib/evolution.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
+@@ -228,7 +228,6 @@ optional_policy(`
+
+ optional_policy(`
+ dbus_system_bus_client(evolution_t)
+- dbus_all_session_bus_client(evolution_t)
+ ')
+
+ optional_policy(`
+@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
+- dbus_all_session_bus_client(evolution_alarm_t)
+-')
+-
+-optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
+@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
+
+ optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+- dbus_all_session_bus_client(thunderbird_t)
+
+ optional_policy(`
+ cups_dbus_chat(thunderbird_t)
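Review bot: `fix_dbus.patch_orig` is a verbatim copy of the previous fix_dbus.patch and does not belong in the tree; the old content is already preserved in history by this same commit. Leaving a `*_orig` file next to the real patches invites confusion about which one the build applies, and a stale patch against evolution.te and thunderbird.te will silently rot. Drop the file, or, if the evolution/thunderbird hunks are still wanted, keep them as a properly named patch that the build actually applies.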
diff --git a/fix_firewalld.patch b/fix_firewalld.patch
new file mode 100644
index 0000000..5b5e67e
--- /dev/null
+++ b/fix_firewalld.patch
@@ -0,0 +1,42 @@
+Index: fedora-policy/policy/modules/contrib/firewalld.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000
++++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000
+@@ -129,6 +129,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ iptables_manage_var_lib_files(firewalld_t)
+ iptables_domtrans(firewalld_t)
+ iptables_read_var_run(firewalld_t)
+ ')
+Index: fedora-policy/policy/modules/system/iptables.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000
+@@ -2,6 +2,25 @@
+
+ ########################################
+ ##
++## Allow management of iptables_var_lib_t files
++##
++##
++##
++## Domain allowed to mange files
++##
++##
++#
++interface(`iptables_manage_var_lib_files',`
++ gen_require(`
++ type iptables_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
++ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
++')
++
++########################################
++##
+ ## Execute iptables in the iptables domain.
+ ##
+ ##
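Review bot: The new interface's parameter description reads `## Domain allowed to mange files` (typo) and the summary `## Allow management of iptables_var_lib_t files` omits that the body also calls `manage_dirs_pattern`; suggest `## Domain allowed to manage files` and `## Create, read, write, and delete iptables_var_lib_t files and directories`. The summary/param markup normally present in interface headers seems to be missing around those lines, which may only be how the patch was rendered here, but is worth checking in the file itself. Whether firewalld needs full manage rights or would be satisfied with read/write on existing files cannot be told from the hunk; the motivating AVC should go in a comment above `iptables_manage_var_lib_files(firewalld_t)`.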
diff --git a/fix_fwupd.patch b/fix_fwupd.patch
new file mode 100644
index 0000000..0a069b7
--- /dev/null
+++ b/fix_fwupd.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/fwupd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/fwupd.fc 2020-02-19 09:36:31.784283432 +0000
++++ fedora-policy/policy/modules/contrib/fwupd.fc 2020-02-21 14:24:21.739179426 +0000
+@@ -4,6 +4,7 @@
+ /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0)
+
+ /usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
++/usr/lib/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+
+ /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
+
diff --git a/fix_hadoop.patch b/fix_hadoop.patch
index 3782c40..34039ec 100644
--- a/fix_hadoop.patch
+++ b/fix_hadoop.patch
@@ -1,8 +1,8 @@
Index: fedora-policy/policy/modules/roles/sysadm.te
===================================================================
---- fedora-policy.orig/policy/modules/roles/sysadm.te 2019-08-05 09:39:39.113510611 +0200
-+++ fedora-policy/policy/modules/roles/sysadm.te 2019-08-05 14:11:28.416872543 +0200
-@@ -282,10 +282,6 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/roles/sysadm.te 2020-02-19 09:08:50.433854051 +0000
++++ fedora-policy/policy/modules/roles/sysadm.te 2020-02-19 09:17:47.026397710 +0000
+@@ -289,10 +289,6 @@ optional_policy(`
')
optional_policy(`
@@ -15,9 +15,9 @@ Index: fedora-policy/policy/modules/roles/sysadm.te
Index: fedora-policy/policy/modules/roles/unprivuser.te
===================================================================
---- fedora-policy.orig/policy/modules/roles/unprivuser.te 2019-08-05 09:39:39.113510611 +0200
-+++ fedora-policy/policy/modules/roles/unprivuser.te 2019-08-05 14:11:22.908782828 +0200
-@@ -192,10 +192,6 @@ ifndef(`distro_redhat',`
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2020-02-19 09:08:50.433854051 +0000
++++ fedora-policy/policy/modules/roles/unprivuser.te 2020-02-19 09:17:47.030397773 +0000
+@@ -197,10 +197,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
diff --git a/fix_init.patch b/fix_init.patch
new file mode 100644
index 0000000..841dff0
--- /dev/null
+++ b/fix_init.patch
@@ -0,0 +1,62 @@
+Index: fedora-policy/policy/modules/system/init.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/init.te
++++ fedora-policy/policy/modules/system/init.te
+@@ -250,6 +250,7 @@ corecmd_exec_bin(init_t)
+ corenet_all_recvfrom_netlabel(init_t)
+ corenet_tcp_bind_all_ports(init_t)
+ corenet_udp_bind_all_ports(init_t)
++corenet_udp_bind_generic_node(init_t)
+
+ dev_create_all_files(init_t)
+ dev_create_all_chr_files(init_t)
+@@ -419,10 +420,15 @@ ifdef(`distro_redhat',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+
+ storage_raw_rw_fixed_disk(init_t)
++storage_raw_read_removable_device(init_t)
+
+ sysnet_read_dhcpc_state(init_t)
+
+ optional_policy(`
++ networkmanager_initrc_read_lnk_files(init_t)
++')
++
++optional_policy(`
+ bootloader_domtrans(init_t)
+ ')
+
+@@ -536,7 +542,7 @@ tunable_policy(`init_create_dirs',`
+ allow init_t self:system all_system_perms;
+ allow init_t self:system module_load;
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
++allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -598,6 +604,7 @@ files_delete_all_spool_sockets(init_t)
+ files_create_var_lib_dirs(init_t)
+ files_create_var_lib_symlinks(init_t)
+ files_read_var_lib_symlinks(init_t)
++files_read_var_files(init_t)
+ files_manage_urandom_seed(init_t)
+ files_list_locks(init_t)
+ files_list_spool(init_t)
+@@ -689,6 +696,7 @@ systemd_userdbd_runtime_manage_symlinks(
+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+ create_dirs_pattern(init_t, var_log_t, var_log_t)
++files_manage_var_files(init_t)
+
+ auth_use_nsswitch(init_t)
+ auth_rw_login_records(init_t)
+@@ -1525,6 +1533,8 @@ optional_policy(`
+
+ optional_policy(`
+ postfix_list_spool(initrc_t)
++ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
++ postfix_domtrans_map(init_t)
+ ')
+
+ optional_policy(`
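Review bot: `allow init_t self:process { ... execmem };` gives PID 1's domain the right to map writable memory executable, a permission the policy otherwise keeps off system domains, and nothing in the patch says which process or AVC required it; a comment above the rule naming the trigger (and whether it is really systemd itself rather than a helper that should run in its own domain) is needed. `files_manage_var_files(init_t)` likewise grants create/write/delete on every file of the generic var_t type and deserves the same justification, since a narrower interface may suffice. The commented-out `#allow init_t postfix_map_exec_t:file { ... }` line should be removed now that `postfix_domtrans_map(init_t)` replaces it, and it sits oddly in an optional_policy block whose other rule is for initrc_t. Finally, this patch's `---`/`+++` header lines carry no timestamps unlike every other patch in the commit, which is cosmetic but inconsistent.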
diff --git a/fix_iptables.patch b/fix_iptables.patch
new file mode 100644
index 0000000..5100015
--- /dev/null
+++ b/fix_iptables.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/iptables.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000
+@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t)
+ kernel_read_usermodehelper_state(iptables_t)
+ kernel_use_fds(iptables_t)
+ kernel_rw_net_sysctls(iptables_t)
++kernel_rw_pipes(iptables_t)
+ kernel_search_network_sysctl(iptables_t)
+
+
diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch
new file mode 100644
index 0000000..97b2679
--- /dev/null
+++ b/fix_irqbalance.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/irqbalance.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/irqbalance.te 2020-02-19 09:36:31.792283559 +0000
++++ fedora-policy/policy/modules/contrib/irqbalance.te 2020-02-21 12:18:36.155848163 +0000
+@@ -28,6 +28,8 @@ allow irqbalance_t self:udp_socket creat
+ manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+ files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+
++init_nnp_daemon_domain(irqbalance_t)
++
+ kernel_read_network_state(irqbalance_t)
+ kernel_read_system_state(irqbalance_t)
+ kernel_read_kernel_sysctls(irqbalance_t)
diff --git a/fix_locallogin.patch b/fix_locallogin.patch
new file mode 100644
index 0000000..6247e22
--- /dev/null
+++ b/fix_locallogin.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/locallogin.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000
+@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
+ kernel_read_kernel_sysctls(local_login_t)
+ kernel_search_key(local_login_t)
+ kernel_link_key(local_login_t)
++kernel_getattr_proc(local_login_t)
+
+ corecmd_list_bin(local_login_t)
+ corecmd_read_bin_symlinks(local_login_t)
diff --git a/fix_logging.patch b/fix_logging.patch
index f26a61d..d8a64a2 100644
--- a/fix_logging.patch
+++ b/fix_logging.patch
@@ -1,12 +1,21 @@
Index: fedora-policy/policy/modules/system/logging.fc
===================================================================
---- fedora-policy.orig/policy/modules/system/logging.fc 2019-08-22 11:28:09.250979768 +0200
-+++ fedora-policy/policy/modules/system/logging.fc 2019-08-22 11:45:28.360015899 +0200
-@@ -3,6 +3,7 @@
+--- fedora-policy.orig/policy/modules/system/logging.fc 2020-02-24 08:53:21.924002716 +0000
++++ fedora-policy/policy/modules/system/logging.fc 2020-02-24 13:33:16.353371311 +0000
+@@ -3,6 +3,8 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-+/var//run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
++/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
++/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
+ /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
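Review bot: The first hunk labels additional-log-sockets.conf under both `/var/run/rsyslog/` and `/run/rsyslog/`, but this hunk adds only `/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)` with no `/run/` twin. If the distribution's file_contexts.subs_dist already maps /var/run to /run (not visible here) the `/run/...` duplicate in the first hunk is redundant and can go; if it does not, this hunk needs `/run/rsyslog(/.*)?` as well, otherwise restorecon will label the two paths differently. Either way the two hunks should follow the same convention.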
diff --git a/fix_logrotate.patch b/fix_logrotate.patch
new file mode 100644
index 0000000..a640d77
--- /dev/null
+++ b/fix_logrotate.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/logrotate.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/logrotate.te 2020-02-19 09:36:31.796283623 +0000
++++ fedora-policy/policy/modules/contrib/logrotate.te 2020-02-24 07:54:50.138294492 +0000
+@@ -100,6 +100,7 @@ files_var_lib_filetrans(logrotate_t, log
+
+ kernel_read_system_state(logrotate_t)
+ kernel_read_kernel_sysctls(logrotate_t)
++files_manage_mounttab(logrotate_t)
+
+ dev_read_urand(logrotate_t)
+ dev_read_sysfs(logrotate_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
new file mode 100644
index 0000000..e78c78c
--- /dev/null
+++ b/fix_networkmanager.patch
@@ -0,0 +1,54 @@
+Index: fedora-policy/policy/modules/contrib/networkmanager.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.te
++++ fedora-policy/policy/modules/contrib/networkmanager.te
+@@ -233,6 +233,9 @@ userdom_read_home_certs(NetworkManager_t
+ userdom_read_user_home_content_files(NetworkManager_t)
+ userdom_dgram_send(NetworkManager_t)
+
++hostname_exec(NetworkManager_t)
++networkmanager_systemctl(NetworkManager_t)
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(NetworkManager_t)
+ ')
+@@ -250,6 +253,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ packagekit_dbus_chat(NetworkManager_t)
++')
++
++optional_policy(`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
+Index: fedora-policy/policy/modules/contrib/networkmanager.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy/policy/modules/contrib/networkmanager.if
+@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ ')
+
++#######################################
++##
++## Allow reading of NetworkManager link files
++##
++##
++##
++## Domain allowed to read the links
++##
++##
++#
++interface(`networkmanager_initrc_read_lnk_files',`
++ gen_require(`
++ type NetworkManager_initrc_exec_t;
++ ')
++
++ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute NetworkManager server in the NetworkManager domain.
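Review bot: The new `networkmanager_initrc_read_lnk_files` interface is documented as "Allow reading of NetworkManager link files", but what it grants is `read_lnk_files_pattern` on `NetworkManager_initrc_exec_t`, i.e. reading symlinks that carry the init-script executable label; the summary should say so (`## Read symlinks labeled NetworkManager_initrc_exec_t`) so that callers such as init_t in fix_init.patch do not assume it covers NetworkManager's runtime or config symlinks. The banner above the interface also appears one `#` shorter than the neighbouring banners. The unconditional `hostname_exec(NetworkManager_t)` and `networkmanager_systemctl(NetworkManager_t)` calls in the .te hunk would benefit from a one-line comment naming the denials behind them.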
diff --git a/fix_nscd.patch b/fix_nscd.patch
index caba7f0..8830f9a 100644
--- a/fix_nscd.patch
+++ b/fix_nscd.patch
@@ -1,7 +1,7 @@
Index: fedora-policy/policy/modules/contrib/nscd.fc
===================================================================
---- fedora-policy.orig/policy/modules/contrib/nscd.fc 2019-08-05 09:39:48.661670516 +0200
-+++ fedora-policy/policy/modules/contrib/nscd.fc 2019-08-15 14:13:18.681607730 +0200
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2020-02-25 10:33:52.706658487 +0000
++++ fedora-policy/policy/modules/contrib/nscd.fc 2020-02-25 10:33:56.314719506 +0000
@@ -8,8 +8,10 @@
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
@@ -14,3 +14,18 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc
/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
+
+Index: fedora-policy/policy/modules/contrib/nscd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nscd.te 2020-02-19 09:36:31.804283750 +0000
++++ fedora-policy/policy/modules/contrib/nscd.te 2020-02-25 10:34:18.611090097 +0000
+@@ -127,6 +127,10 @@ userdom_dontaudit_use_unpriv_user_fds(ns
+ userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+ optional_policy(`
++ networkmanager_read_pid_files(nscd_t)
++')
++
++optional_policy(`
+ accountsd_dontaudit_rw_fifo_file(nscd_t)
+ ')
+
diff --git a/fix_ntp.patch b/fix_ntp.patch
new file mode 100644
index 0000000..b444775
--- /dev/null
+++ b/fix_ntp.patch
@@ -0,0 +1,39 @@
+Index: fedora-policy/policy/modules/contrib/ntp.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/ntp.fc 2020-02-21 15:59:23.349556504 +0000
++++ fedora-policy/policy/modules/contrib/ntp.fc 2020-02-21 16:01:41.591761350 +0000
+@@ -16,7 +16,6 @@
+
+ /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+ /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+ /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+@@ -25,3 +24,26 @@
+ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+ /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
++
++/var/lib/ntp gen_context(system_u:object_r:root_t,s0)
++/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0)
++/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0)
++/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0)
++/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)
++/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
++/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/var gen_context(system_u:object_r:var_t,s0)
++/var/lib/ntp/var/lib gen_context(system_u:object_r:var_lib_t,s0)
++/var/lib/ntp/var/run gen_context(system_u:object_r:var_run_t,s0)
++/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
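Review bot: `/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)` and `/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)` combine a `(/.*)?` tree pattern with the `--` regular-file qualifier, so the directories themselves never match and will take whatever parent entry applies; drop the `--` on those two lines, as the pre-existing `/var/lib/sntp(/.*)?` entries do. The directory-only entries without `(/.*)?` (`/var/lib/ntp`, `/var/lib/ntp/var/lib`, `/var/lib/ntp/var/run`, and so on) cover just the named directory, so anything ntpd creates inside them at runtime will fall back to the generic `/var/lib(/.*)?` label on relabel; if that is intended because filetrans rules handle it, a comment saying so would help. Labelling the chroot root as `root_t` and `/var/lib/ntp/dev` as `device_t` also deserves a one-line comment explaining that the tree mirrors a chroot.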
diff --git a/fix_policykit.patch b/fix_policykit.patch
new file mode 100644
index 0000000..1ce0185
--- /dev/null
+++ b/fix_policykit.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/policykit.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000
++++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000
+@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t)
+ userdom_read_all_users_state(policykit_t)
+ userdom_dontaudit_search_admin_dir(policykit_t)
+
++policykit_dbus_chat(policykit_t)
++
+ optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
diff --git a/postfix_paths.patch b/fix_postfix.patch
similarity index 82%
rename from postfix_paths.patch
rename to fix_postfix.patch
index edd7349..abd7860 100644
--- a/postfix_paths.patch
+++ b/fix_postfix.patch
@@ -1,11 +1,11 @@
Index: fedora-policy/policy/modules/contrib/postfix.fc
===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.fc 2019-08-05 09:39:48.669670650 +0200
-+++ fedora-policy/policy/modules/contrib/postfix.fc 2019-08-14 11:11:26.195163409 +0200
-@@ -1,36 +1,19 @@
- # postfix
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2020-02-25 10:34:35.875376865 +0000
++++ fedora-policy/policy/modules/contrib/postfix.fc 2020-02-25 10:34:37.719407494 +0000
+@@ -2,36 +2,19 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+ /etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -51,7 +51,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -44,6 +27,9 @@ ifdef(`distro_redhat', `
+@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -61,3 +61,20 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+Index: fedora-policy/policy/modules/contrib/postfix.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/postfix.te 2020-02-19 09:36:31.820284005 +0000
++++ fedora-policy/policy/modules/contrib/postfix.te 2020-02-25 10:35:55.544700764 +0000
+@@ -447,6 +447,12 @@ logging_send_syslog_msg(postfix_map_t)
+
+ userdom_use_inherited_user_ptys(postfix_map_t)
+
++corecmd_exec_bin(postfix_map_t)
++
++optional_policy(`
++ mta_read_aliases(postfix_map_t)
++')
++
+ optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch
new file mode 100644
index 0000000..fb0148d
--- /dev/null
+++ b/fix_selinuxutil.patch
@@ -0,0 +1,26 @@
+Index: fedora-policy/policy/modules/system/selinuxutil.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000
+@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
++ packagekit_read_write_fifo(load_policy_t)
++')
++
++optional_policy(`
+ portage_dontaudit_use_fds(load_policy_t)
+ ')
+
+@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
+ logging_send_syslog_msg(setfiles_t)
+
+ optional_policy(`
++ packagekit_read_write_fifo(setfiles_t)
++')
++
++optional_policy(`
+ cloudform_dontaudit_write_cloud_log(setfiles_t)
+ ')
+
diff --git a/fix_snapper.patch b/fix_snapper.patch
new file mode 100644
index 0000000..ba4b6f0
--- /dev/null
+++ b/fix_snapper.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/snapper.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/snapper.te 2020-02-19 09:36:31.880284960 +0000
++++ fedora-policy/policy/modules/contrib/snapper.te 2020-02-24 10:57:10.311792681 +0000
+@@ -73,6 +73,10 @@ storage_raw_read_fixed_disk(snapperd_t)
+ auth_use_nsswitch(snapperd_t)
+
+ optional_policy(`
++ packagekit_dbus_chat(snapperd_t)
++')
++
++optional_policy(`
+ cron_system_entry(snapperd_t, snapperd_exec_t)
+ ')
+
diff --git a/fix_systemd.patch b/fix_systemd.patch
new file mode 100644
index 0000000..b7dc35f
--- /dev/null
+++ b/fix_systemd.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/system/systemd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/systemd.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/systemd.te 2020-02-24 10:56:11.762848157 +0000
+@@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system
+ xserver_dbus_chat(systemd_logind_t)
+
+ optional_policy(`
++ packagekit_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
+ apache_read_tmp_files(systemd_logind_t)
+ ')
+
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
new file mode 100644
index 0000000..261628c
--- /dev/null
+++ b/fix_unconfined.patch
@@ -0,0 +1,22 @@
+Index: fedora-policy/policy/modules/system/unconfined.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/unconfined.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/unconfined.te 2020-02-24 15:14:59.222899685 +0000
+@@ -1,5 +1,10 @@
+ policy_module(unconfined, 3.5.0)
+
++require {
++ type var_run_t;
++ type net_conf_t;
++}
++
+ ########################################
+ #
+ # Declarations
+@@ -39,3 +44,6 @@ optional_policy(`
+ optional_policy(`
+ container_runtime_domtrans(unconfined_service_t)
+ ')
++
++filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
++
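Review bot: `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)` carries no filename argument, so every directory unconfined_service_t creates directly inside a var_run_t directory is labelled net_conf_t, not only the network-configuration directory this is presumably meant for. If one directory is the target, pass its name as the fifth argument, `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir, "<DIR_NAME>")`, and add a one-line comment naming the service that creates it. A bare `require { type var_run_t; type net_conf_t; }` at the top of unconfined.te is also unusual in this tree, which otherwise reaches other modules through interfaces; if sysnetwork offers an interface for this transition, prefer it over the raw rule.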
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
new file mode 100644
index 0000000..511dfcd
--- /dev/null
+++ b/fix_unconfineduser.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te 2020-02-19 09:36:25.436182342 +0000
++++ fedora-policy/policy/modules/roles/unconfineduser.te 2020-02-25 08:24:07.992702226 +0000
+@@ -244,6 +244,10 @@ optional_policy(`
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
++ systemd_dbus_chat_logind(unconfined_dbusd_t)
++ ')
++
++ optional_policy(`
+ bluetooth_dbus_chat(unconfined_t)
+ ')
+
diff --git a/fix_xserver.patch b/fix_xserver.patch
index 04e2aa2..14f6700 100644
--- a/fix_xserver.patch
+++ b/fix_xserver.patch
@@ -1,8 +1,24 @@
Index: fedora-policy/policy/modules/services/xserver.fc
===================================================================
---- fedora-policy.orig/policy/modules/services/xserver.fc 2019-08-05 09:39:39.113510611 +0200
-+++ fedora-policy/policy/modules/services/xserver.fc 2019-08-22 11:44:16.178832073 +0200
-@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
+--- fedora-policy.orig/policy/modules/services/xserver.fc
++++ fedora-policy/policy/modules/services/xserver.fc
+@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
+ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+ /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
+@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
+
+ /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+ /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
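Review bot: `/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)` is inserted between the two `/etc/X11/wdm/…` entries, which splits that group; placing it with the other xdm entries (or after the wdm block) keeps the file grouped by display manager. Unlike its neighbour it is an exact path rather than `Xsetup.*`; if suffixed variants exist for xdm as they apparently do for wdm, `/etc/X11/xdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)` would match the surrounding pattern.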
@@ -10,3 +26,18 @@ Index: fedora-policy/policy/modules/services/xserver.fc
ifndef(`distro_debian',`
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
')
+Index: fedora-policy/policy/modules/services/xserver.te
+===================================================================
+--- fedora-policy.orig/policy/modules/services/xserver.te
++++ fedora-policy/policy/modules/services/xserver.te
+@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x
+ userdom_signull_unpriv_users(xdm_t)
+ userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+
++files_manage_generic_pids_symlinks(xdm_t)
++userdom_manage_user_home_content_dirs(xdm_t)
++userdom_manage_user_home_content_files(xdm_t)
++
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
+ can_exec(xdm_t, xsession_exec_t)
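Review bot: The three new rules starting at `files_manage_generic_pids_symlinks(xdm_t)` have no comment, while the rule they move (`userdom_manage_user_home_content_files(xdm_t)` in the deleted targeted_temp_fixes.te) was annotated `# KDE write to home directories`; keep that rationale here, e.g. `# KDE/sddm need to write to user home directories`. `userdom_manage_user_home_content_dirs(xdm_t)` additionally lets the display manager domain create and remove directories across all user home content, which is wider than the files-only grant being moved; if a single path is what sddm needs, a narrower interface limits what a compromised display manager can do. It is also not stated which of the three rules the pid-symlink case needs, so a one-line comment per rule would help the next refresh of this patch.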
diff --git a/minimum_temp_fixes.fc b/minimum_temp_fixes.fc
deleted file mode 100644
index 473a0f4..0000000
diff --git a/minimum_temp_fixes.if b/minimum_temp_fixes.if
deleted file mode 100644
index 5846dc1..0000000
--- a/minimum_temp_fixes.if
+++ /dev/null
@@ -1 +0,0 @@
-##
diff --git a/minimum_temp_fixes.te b/minimum_temp_fixes.te
deleted file mode 100644
index 13534a8..0000000
--- a/minimum_temp_fixes.te
+++ /dev/null
@@ -1,95 +0,0 @@
-policy_module(minimum_temp_fixes, 1.0)
-
-require {
- type sshd_t;
- type lib_t;
- type init_t;
- type unconfined_t;
- type systemd_localed_t;
- type systemd_logind_t;
- type unconfined_service_t;
- type chkpwd_t;
- type bin_t;
- type fsadm_t;
- type getty_t;
- type systemd_tmpfiles_t;
- type systemd_systemctl_exec_t;
- type unconfined_dbusd_t;
- type rtkit_daemon_t;
- type system_dbusd_t;
- class dir mounton;
- class dbus { acquire_svc send_msg };
- class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
- class process { execmem transition };
- class file { entrypoint execmod };
-}
-
-#============= chkpwd_t ==============
-allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
-files_map_var_lib_files(chkpwd_t)
-files_read_var_lib_files(chkpwd_t)
-files_write_generic_pid_sockets(chkpwd_t)
-
-#============= fsadm_t ==============
-allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
-
-#============= getty_t ==============
-allow getty_t unconfined_service_t:nscd shmemgrp;
-files_map_var_lib_files(getty_t)
-files_read_var_lib_files(getty_t)
-files_write_generic_pid_sockets(getty_t)
-
-#============= init_t ==============
-allow init_t bin_t:dir mounton;
-allow init_t lib_t:dir mounton;
-allow init_t self:process execmem;
-allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
-allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
-files_manage_generic_spool(init_t)
-corenet_udp_bind_generic_node(init_t)
-files_map_var_lib_files(init_t)
-files_read_var_files(init_t)
-files_manage_var_files(init_t)
-storage_raw_read_removable_device(init_t)
-
-#============= sshd_t ==============
-allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
-files_exec_generic_pid_files(sshd_t)
-files_map_var_lib_files(sshd_t)
-files_read_var_lib_files(sshd_t)
-files_write_generic_pid_sockets(sshd_t)
-unconfined_server_dbus_chat(sshd_t)
-
-#============= systemd_localed_t ==============
-allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
-files_write_generic_pid_sockets(systemd_localed_t)
-
-#============= systemd_logind_t ==============
-allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
-allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
-files_map_var_lib_files(systemd_logind_t)
-files_read_var_lib_files(systemd_logind_t)
-files_write_generic_pid_sockets(systemd_logind_t)
-systemd_dbus_chat_logind(systemd_logind_t)
-
-#============= systemd_tmpfiles_t ==============
-allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
-files_map_var_lib_files(systemd_tmpfiles_t)
-
-#============= unconfined_service_t ==============
-allow unconfined_service_t unconfined_t:process transition;
-init_dbus_chat(unconfined_service_t)
-unconfined_server_dbus_chat(unconfined_service_t)
-
-#============= unconfined_t ==============
-allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
-allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };
-
-#============= unconfined_dbusd_t ==============
-allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
-
-#============= rtkit_daemon_t ==============
-allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };
-
-#============= system_dbusd_t ==============
-allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf
index 42d49a3..8774301 100644
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@@ -406,13 +406,6 @@ kdbus = module
#
rpm = module
-# Layer: contrib
-# Module: minimum_temp_fixes
-#
-# Temporary fixes for the minimum policy.
-#
-minimum_temp_fixes = module
-
# Layer: contrib
# Module: packagekit
#
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index f2e2ca2..80f7c5d 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@@ -399,13 +399,6 @@ unconfined = module
#
kdbus = module
-# Layer: contrib
-# Module: targeted_temp_fixes
-#
-# Temporary fixes for the targeted policy.
-#
-targeted_temp_fixes = module
-
# Layer: contrib
# Module: packagekit
#
diff --git a/packagekit.if b/packagekit.if
index d9235e0..a9d1918 100644
--- a/packagekit.if
+++ b/packagekit.if
@@ -1,2 +1,40 @@
## A temporary policy for packagekit.
+########################################
+##
+## Allow reading of fifo files
+##
+##
+##
+## Domain allowed to mange files
+##
+##
+#
+interface(`packagekit_read_write_fifo',`
+ gen_require(`
+ type packagekit_t;
+ ')
+
+ allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Send and receive messages from
+## packagekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`packagekit_dbus_chat',`
+ gen_require(`
+ type packagekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 packagekit_t:dbus send_msg;
+ allow packagekit_t $1:dbus send_msg;
+')
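Review bot: The summary of `packagekit_read_write_fifo` says "Allow reading of fifo files" but the body grants `rw_inherited_fifo_file_perms`, i.e. read and write on inherited pipes; the doc should say so, e.g. `## Read and write inherited fifo files of packagekit.`, and the parameter text `## Domain allowed to mange files` has a typo and should read `## Domain allowed access.` as in the second interface. The file's first line still calls this "A temporary policy for packagekit."; now that fix_selinuxutil.patch, fix_snapper.patch and fix_systemd.patch in this commit call these interfaces, the header is worth updating so nobody removes the file as leftover.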
diff --git a/packagekit.te b/packagekit.te
index b0e373f..090ccb7 100644
--- a/packagekit.te
+++ b/packagekit.te
@@ -9,29 +9,30 @@ type packagekit_t;
type packagekit_exec_t;
init_daemon_domain(packagekit_t,packagekit_exec_t)
-permissive packagekit_t;
-
type packagekit_unit_file_t;
systemd_unit_file(packagekit_unit_file_t)
type packagekit_var_lib_t;
files_type(packagekit_var_lib_t)
-#allow packagekit_t self:tcp_socket create_stream_socket_perms;
-#
-#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
-#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
-#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
-#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir)
-#
-#kernel_read_unix_sysctls(packagekit_t)
-#kernel_read_net_sysctls(packagekit_t)
-#
-#corenet_tcp_bind_generic_node(packagekit_t)
-#
-#corenet_tcp_bind_kubernetes_port(packagekit_t)
-#corenet_tcp_bind_afs3_callback_port(packagekit_t)
-#
-#fs_getattr_xattr_fs(packagekit_t)
-#
-#logging_send_syslog_msg(packagekit_t)
+unconfined_dbus_chat(packagekit_t)
+init_dbus_chat(packagekit_t)
+optional_policy(`
+ policykit_dbus_chat(packagekit_t)
+')
+
+optional_policy(`
+ unconfined_domain(packagekit_t)
+')
+
+optional_policy(`
+ snapper_dbus_chat(packagekit_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(packagekit_t)
+')
+
+optional_policy(`
+ rpm_transition_script(packagekit_t,system_r)
+')
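Review bot: `unconfined_domain(packagekit_t)` replaces the removed `permissive packagekit_t` with a permanent unconfined grant, which is a larger change than "permissive" implied and, as far as I can tell, makes the `*_dbus_chat` and `rpm_transition_script` rules around it redundant while it is in effect. If the goal is still to confine packagekit later, say so next to the rule, e.g. `# TODO: packagekit_t is unconfined for now; drop unconfined_domain() once the dbus/rpm rules below are sufficient`. For consistency, `unconfined_dbus_chat(packagekit_t)` and `init_dbus_chat(packagekit_t)` are called unguarded while every other interface is wrapped in `optional_policy`, and a blank line between `init_dbus_chat(packagekit_t)` and the first `optional_policy(` would match the rest of the file.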
diff --git a/rpmlintrc b/rpmlintrc
deleted file mode 100644
index 6e3208f..0000000
--- a/rpmlintrc
+++ /dev/null
@@ -1,2 +0,0 @@
-# this is intentional
-addFilter("W: files-duplicate")
diff --git a/selinux-policy-rpmlintrc b/selinux-policy-rpmlintrc
index 74b3c35..b3f69e8 100644
--- a/selinux-policy-rpmlintrc
+++ b/selinux-policy-rpmlintrc
@@ -3,16 +3,7 @@ addFilter("W: zero-length /etc/selinux/.*")
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
-addFilter("W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final")
-addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts")
-addFilter("W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs")
-addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers")
-addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts")
-addFilter("W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs")
-addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers")
-addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts")
-addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs")
-addFilter("E: files-duplicated-waste")
-addFilter("E: files-duplicated-waste")
+addFilter("W: files-duplicate")
addFilter("E: files-duplicated-waste")
+addFilter("W: zero-length")
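Review bot: `addFilter("W: zero-length")` suppresses the zero-length warning for every file in the package, whereas the existing filter shown in the hunk header is scoped to `/etc/selinux/.*`; the unscoped line makes the scoped one redundant and hides genuinely empty files anywhere else. The same applies to `addFilter("W: files-duplicate")`, which replaces nine path-specific entries with a blanket one. If further directories are intended, name them, e.g. `addFilter("W: files-duplicate /etc/selinux/.*")` and `addFilter("W: zero-length <PATH_PREFIX>/.*")`, so a new accidental duplicate or empty file still shows up.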
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 5d926a8..6342c60 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz
+
+- Update to version 20200219
+ Refreshed fix_hadoop.patch
+ Updated
+ * fix_dbus.patch
+ * fix_hadoop.patch
+ * fix_nscd.patch
+ * fix_xserver.patch
+ Renamed postfix_paths.patch to fix_postfix.patch
+ Added
+ * fix_init.patch
+ * fix_locallogin.patch
+ * fix_policykit.patch
+ * fix_iptables.patch
+ * fix_irqbalance.patch
+ * fix_ntp.patch
+ * fix_fwupd.patch
+ * fix_firewalld.patch
+ * fix_logrotate.patch
+ * fix_selinuxutil.patch
+ * fix_corecommand.patch
+ * fix_snapper.patch
+ * fix_systemd.patch
+ * fix_unconfined.patch
+ * fix_unconfineduser.patch
+ * fix_chronyd.patch
+ * fix_networkmanager.patch
+ * xdm_entrypoint_pam.patch
+- Removed modules minimum_temp_fixes and targeted_temp_fixes
+ from the corresponding policies
+- Reduced default module list of minimum policy by removing
+ apache inetd nis postfix mta modules
+- Adding/removing necessary pam config automatically
+- Minimum and targeted policy: Enable domain_can_mmap_files by default
+- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
+ selinuxuser_execstack to have safe defaults
+
-------------------------------------------------------------------
Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 259411d..98d15bf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -70,9 +70,9 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20190609
+Version: 20200219
Release: 0
-Source: fedora-policy.20190802.tar.bz2
+Source: fedora-policy.%{version}.tar.bz2
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
@@ -107,14 +107,6 @@ Source92: customizable_types
#Source93: config.tgz
Source94: file_contexts.subs_dist
-Source100: minimum_temp_fixes.te
-Source101: minimum_temp_fixes.if
-Source102: minimum_temp_fixes.fc
-
-Source110: targeted_temp_fixes.te
-Source111: targeted_temp_fixes.if
-Source112: targeted_temp_fixes.fc
-
Source120: packagekit.te
Source121: packagekit.if
Source122: packagekit.fc
@@ -125,12 +117,30 @@ Patch003: fix_gift.patch
Patch004: fix_java.patch
Patch005: fix_hadoop.patch
Patch006: fix_thunderbird.patch
-Patch007: postfix_paths.patch
+Patch007: fix_postfix.patch
Patch008: fix_nscd.patch
Patch009: fix_sysnetwork.patch
Patch010: fix_logging.patch
Patch011: fix_xserver.patch
Patch012: fix_miscfiles.patch
+Patch013: fix_init.patch
+Patch014: fix_locallogin.patch
+Patch015: fix_policykit.patch
+Patch016: fix_iptables.patch
+Patch017: fix_irqbalance.patch
+Patch018: fix_ntp.patch
+Patch019: fix_fwupd.patch
+Patch020: fix_firewalld.patch
+Patch021: fix_logrotate.patch
+Patch022: fix_selinuxutil.patch
+Patch024: fix_corecommand.patch
+Patch025: fix_snapper.patch
+Patch026: fix_systemd.patch
+Patch027: fix_unconfined.patch
+Patch028: fix_unconfineduser.patch
+Patch029: fix_chronyd.patch
+Patch030: fix_networkmanager.patch
+Patch031: xdm_entrypoint_pam.patch
Patch100: sedoctool.patch
@@ -150,8 +160,10 @@ BuildRequires: python
BuildRequires: python-xml
#BuildRequires: selinux-policy-devel
# we need selinuxenabled
-Requires(post): selinux-tools
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): pam-config
+Requires(post): pam-config
+Requires(post): selinux-tools
Requires(post): /bin/awk /usr/bin/sha512sum
Recommends: audit
Recommends: selinux-tools
@@ -349,6 +361,24 @@ systems and used as the basis for creating other policies.
%patch010 -p1
%patch011 -p1
%patch012 -p1
+%patch013 -p1
+%patch014 -p1
+%patch015 -p1
+%patch016 -p1
+%patch017 -p1
+%patch018 -p1
+%patch019 -p1
+%patch020 -p1
+%patch021 -p1
+%patch022 -p1
+%patch024 -p1
+%patch025 -p1
+%patch026 -p1
+%patch027 -p1
+%patch028 -p1
+%patch029 -p1
+%patch030 -p1
+%patch031 -p1
%patch100 -p1
@@ -374,16 +404,10 @@ done
make clean
%if %{BUILD_TARGETED}
-for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
- cp $i policy/modules/contrib
-done
%makeConfig targeted mcs n deny contrib
%installCmds targeted mcs n allow
%modulesList targeted
%endif
-for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
- rm policy/modules/contrib/$(basename $i)
-done
%if %{BUILD_MLS}
%makeConfig mls mls n deny contrib
@@ -392,9 +416,6 @@ done
%endif
%if %{BUILD_MINIMUM}
-for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
- cp $i policy/modules/contrib
-done
%makeConfig minimum mcs n deny contrib
%installCmds minimum mcs n allow
install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
@@ -434,6 +455,9 @@ else
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
fi
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
+if [ $1 -eq 1 ]; then
+ pam-config -a --selinux
+fi
exit 0
%global post_un() \
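Review bot: `if [ $1 -eq 1 ]; then pam-config -a --selinux fi` runs only on first install, so a system upgrading from a package that did not yet manage the PAM configuration never gets pam_selinux added, although the changelog says the pam config is added automatically; if upgrades are meant to be left alone, a comment should say so, otherwise drop the `$1 -eq 1` guard (pam-config -a looks idempotent, but verify). The exit status of pam-config is discarded by the unconditional `exit 0` that follows, so a failure to enable pam_selinux goes unnoticed; at least print a message on failure. The enclosing `%global post` macro starts outside the hunk.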
@@ -443,6 +467,7 @@ if [ $1 -eq 0 ]; then \
if [ -s %{_sysconfdir}/selinux/config ]; then \
sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \
fi \
+ pam-config -d --selinux \
fi \
exit 0
@@ -534,14 +559,12 @@ fi
%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
-if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
- mkdir /var/lib/selinux/minimum/active/modules/disabled
-fi
+mkdir -p /var/lib/selinux/minimum/active/modules/disabled 2>/dev/null
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
-for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do
+for p in $basepackages dbus kerberos nscd rpm rtkit; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semanage import -S minimum -f - << __eof
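Review bot: `mkdir -p /var/lib/selinux/minimum/active/modules/disabled 2>/dev/null` discards the only diagnostic available if the module store cannot be created; `mkdir -p` is already silent when the directory exists, so the redirect hides real failures, after which every `touch` in the loop below fails for each module. Drop the `2>/dev/null`, or check the result: `mkdir -p /var/lib/selinux/minimum/active/modules/disabled || echo "cannot create module store" >&2`. The shortened list `dbus kerberos nscd rpm rtkit` matches the changelog; a comment naming why these stay enabled in the minimum policy would save the next editor from guessing.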
@@ -555,7 +578,7 @@ instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
-for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do
+for p in $instpackages dbus kerberos nscd rtkit; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semodule -B -s minimum
diff --git a/targeted_temp_fixes.fc b/targeted_temp_fixes.fc
deleted file mode 100644
index 473a0f4..0000000
diff --git a/targeted_temp_fixes.if b/targeted_temp_fixes.if
deleted file mode 100644
index 5846dc1..0000000
--- a/targeted_temp_fixes.if
+++ /dev/null
@@ -1 +0,0 @@
-##
diff --git a/targeted_temp_fixes.te b/targeted_temp_fixes.te
deleted file mode 100644
index 61b1d82..0000000
--- a/targeted_temp_fixes.te
+++ /dev/null
@@ -1,54 +0,0 @@
-policy_module(targeted_temp_fixes, 1.0)
-
-require {
- type iptables_t;
- type nscd_t;
- type lib_t;
- type bin_t;
- type init_t;
- type irqbalance_t;
- type iptables_var_lib_t;
- type postfix_master_t;
- type firewalld_t;
- type postfix_map_exec_t;
- type xdm_t;
- type groupadd_t;
- type useradd_t;
- class netlink_selinux_socket { bind create };
- class dir { add_name mounton write };
- class file { create execute execute_no_trans getattr ioctl lock open read };
-}
-
-#============= firewalld_t ==============
-allow firewalld_t iptables_var_lib_t:dir { add_name write };
-allow firewalld_t iptables_var_lib_t:file { create lock open read };
-
-#============= init_t ==============
-allow init_t bin_t:dir mounton;
-allow init_t lib_t:dir mounton;
-allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };
-files_rw_var_files(init_t)
-fwupd_manage_cache_dirs(init_t)
-ntp_read_drift_files(init_t)
-
-#============= iptables_t ==============
-kernel_rw_pipes(iptables_t)
-
-#============= irqbalance_t ==============
-init_nnp_daemon_domain(irqbalance_t)
-
-#============= nscd_t ==============
-files_exec_generic_pid_files(nscd_t)
-
-#============= postfix_master_t ==============
-files_read_var_lib_files(postfix_master_t)
-files_read_var_lib_symlinks(postfix_master_t)
-
-#============= xdm_t ==============
-# KDE write to home directories
-userdom_manage_user_home_content_files(xdm_t)
-
-#============= groupadd_t ============== allow groupadd_t self:netlink_selinux_socket { bind create };
-allow useradd_t self:netlink_selinux_socket { bind create };
-selinux_compute_access_vector(groupadd_t)
-selinux_compute_access_vector(useradd_t)
diff --git a/xdm_entrypoint_pam.patch b/xdm_entrypoint_pam.patch
new file mode 100644
index 0000000..b56d11c
--- /dev/null
+++ b/xdm_entrypoint_pam.patch
@@ -0,0 +1,43 @@
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy/policy/modules/roles/unconfineduser.te
+@@ -126,6 +126,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ xdm_entrypoint(unconfined_t)
++ ')
++
++ optional_policy(`
+ abrt_dbus_chat(unconfined_t)
+ abrt_run_helper(unconfined_t, unconfined_r)
+ ')
+Index: fedora-policy/policy/modules/services/xserver.if
+===================================================================
+--- fedora-policy.orig/policy/modules/services/xserver.if
++++ fedora-policy/policy/modules/services/xserver.if
+@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',`
+ domtrans_pattern($1, xdm_exec_t, xdm_t)
+ ')
+
++########################################
++##
++## Allow any xdm_exec_t to be an entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xdm_entrypoint',`
++ gen_require(`
++ type xdm_exec_t;
++ ')
++ allow $1 xdm_exec_t:file entrypoint;
++')
+
+ ########################################
+ ##
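Review bot: The new interface is named `xdm_entrypoint` but lives in xserver.if, whose interfaces carry the module prefix (`xserver_domtrans_xdm` in the hunk context); `xserver_xdm_entrypoint` would follow the file's convention, with the call in unconfineduser.te renamed to match. The rule allows unconfined_t to be entered through any xdm_exec_t binary, and fix_xserver.patch in this commit also labels `/usr/lib/sddm/sddm-helper` as xdm_exec_t, so the set of programs that can serve as an entrypoint into the unconfined domain grows; a comment above `xdm_entrypoint(unconfined_t)` naming the PAM session path that needs it (the patch name suggests one) lets a later reviewer tell intent from accident. The gen_require block is also not followed by a blank line as in the neighbouring interfaces.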