Accepting request 832021 from security:SELinux

Policy is in better state now and should be fine for people with basic SELinux knowledge OBS-URL: https://build.opensuse.org/request/show/832021 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=1
2020-10-06 15:06:19 +00:00 · 2020-10-06 15:06:19 +00:00 · 3de9778fbc
commit 3de9778fbc
parent 83a39a4ddd
71 changed files with 617 additions and 2051 deletions
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -4,19 +4,19 @@ allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
-selinuxuser_execmod = false
+allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-selinuxuser_execstack = false
+allow_execstack = true
 # Allow ftpd to read cifs directories.
 # 
-ftpd_use_cifs = false
+allow_ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
-ftpd_use_nfs = false
+allow_ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
-gssd_read_tmp = true
+allow_gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
@ -32,7 +32,7 @@ allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
-httpd_mod_auth_pam = false
+allow_httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
@ -44,7 +44,7 @@ allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
-saslauthd_read_shadow  = false
+allow_saslauthd_read_shadow = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
@ -56,7 +56,7 @@ allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
-zebra_write_config = false
+allow_zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
@ -148,35 +148,55 @@ user_ping = false
 # allow host key based authentication
 # 
-ssh_keysign = false
+allow_ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
 # 
 read_untrusted_content = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow regular users direct mouse access
 # 
 user_direct_mouse = false
 # Allow users to read system messages.
 # 
 user_dmesg = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
-user_rw_noexattrfile = true
+user_rw_noexattrfile = false
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow w to display everyone
 # 
 user_ttyfile_stat = false
 # Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
 # 
 write_untrusted_content = false
 # Allow all domains to talk to ttys
 # 
-daemons_use_tty = false
+allow_daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
-polyinstantiation_enabled = false
+allow_polyinstantiation = false
 # Allow all domains to dump core
 # 
-daemons_dump_core = true
+allow_daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
@ -188,16 +208,20 @@ samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
-xserver_execmem = false
+allow_xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
-guest_exec_content = false
+allow_guest_exec_content = false
-xguest_exec_content = false
+allow_xguest_exec_content = false
 # Only allow browser to use the web
 # 
 browser_confine_xguest=false
 # Allow postfix locat to write to mail spool
 # 
-postfix_local_write_mail_spool = false
+allow_postfix_local_write_mail_spool=false
 # Allow common users to read/write noexattrfile systems
 # 
@ -207,26 +231,23 @@ user_rw_noexattrfile = true
 # 
 qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
 allow_nsplugin_execmem=true
 # Allow unconfined domain to transition to confined domain
 # 
 allow_unconfined_nsplugin_transition=true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
-mount_anyfile = true
+allow_mount_anyfile = true
 # Allow all domains to mmap files
 # 
 domain_can_mmap_files = true
 # Allow confined applications to use nscd shared memory
 #
 nscd_use_shm = true
 # allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
 #
 unconfined_chrome_sandbox_transition = true
 # Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
 #
 unconfined_mozilla_plugin_transition = true
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@ -1,232 +1,6 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+kerberos_enabled = true
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 selinuxuser_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 selinuxuser_execstack = false
 # Allow ftpd to read cifs directories.
 # 
 ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
 ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
 allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
 httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
 allow_kerberos = true
 # Allow rsync to modify public filesused for public file transfer services.
 # 
 allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
 saslauthd_read_shadow  = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
 allow_smbd_anon_write = false
 # Allow system to run with NIS
 # 
 allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
 zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
 fcron_crond = false
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
 #
 # allow httpd to send dbus messages to avahi
 httpd_dbus_avahi = true
 #
 # allow httpd to network relay
 httpd_can_network_relay = false
 # Allow httpd to use built in scripting (usually php)
 # 
 httpd_builtin_scripting = true
 # Allow http daemon to tcp connect
 # 
 httpd_can_network_connect = false
 # Allow httpd cgi support
 # 
 httpd_enable_cgi = true
 # Allow httpd to act as a FTP server bylistening on the ftp port.
 # 
 httpd_enable_ftp_server = false
 # Allow httpd to read home directories
 # 
 httpd_enable_homedirs = false
 # Run SSI execs in system CGI script domain.
 # 
 httpd_ssi_exec = false
 # Allow http daemon to communicate with the TTY
 # 
 httpd_tty_comm = false
 # Run CGI in the main httpd domain
 # 
 httpd_unified = false
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
 # Allow nfs to be exported read/write.
 # 
 nfs_export_all_rw = true
 # Allow nfs to be exported read only
 # 
 nfs_export_all_ro = true
 # Allow pppd to load kernel modules for certain modems
 # 
 pppd_can_insmod = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
 squid_connect_any = false
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
 # Support SAMBA home directories
 # 
 use_samba_home_dirs = false
 # Control users use of ping and traceroute
 # 
 user_ping = false
 # allow host key based authentication
 # 
 ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = true
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow all domains to talk to ttys
 # 
 daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
 polyinstantiation_enabled = false
 # Allow all domains to dump core
 # 
 daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
 # Allow samba to export user home directories.
 # 
 samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
 xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 guest_exec_content = false
 xguest_exec_content = false
 # Allow postfix locat to write to mail spool
 # 
 postfix_local_write_mail_spool = false
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile = true
 # Allow qemu to connect fully to the network
 # 
 qemu_full_network = true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
 mount_anyfile = true
-
+polyinstantiation_enabled = true
-# Allow all domains to mmap files
+ftpd_is_daemon = true
-# 
+selinuxuser_ping = true
-domain_can_mmap_files = true
+xserver_object_manager = true
 # Allow confined applications to use nscd shared memory
 #
 nscd_use_shm = true
 # allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
 #
 unconfined_chrome_sandbox_transition = false
 # Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
 #
 unconfined_mozilla_plugin_transition = false
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -1,232 +1,23 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 selinuxuser_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 selinuxuser_execstack = false
 # Allow ftpd to read cifs directories.
 # 
 ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
 ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
 allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
 httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
 allow_kerberos = true
 # Allow rsync to modify public filesused for public file transfer services.
 # 
 allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
 saslauthd_read_shadow  = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
 allow_smbd_anon_write = false
 # Allow system to run with NIS
 # 
 allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
 zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
 fcron_crond = false
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
 #
 # allow httpd to send dbus messages to avahi
 httpd_dbus_avahi = true
 #
 # allow httpd to network relay
 httpd_can_network_relay = false
 # Allow httpd to use built in scripting (usually php)
 # 
 httpd_builtin_scripting = true
 # Allow http daemon to tcp connect
 # 
 httpd_can_network_connect = false
 # Allow httpd cgi support
 # 
 httpd_enable_cgi = true
-
+kerberos_enabled = true
 # Allow httpd to act as a FTP server bylistening on the ftp port.
 # 
 httpd_enable_ftp_server = false
 # Allow httpd to read home directories
 # 
 httpd_enable_homedirs = false
 # Run SSI execs in system CGI script domain.
 # 
 httpd_ssi_exec = false
 # Allow http daemon to communicate with the TTY
 # 
 httpd_tty_comm = false
 # Run CGI in the main httpd domain
 # 
 httpd_unified = false
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
 # Allow nfs to be exported read/write.
 # 
 nfs_export_all_rw = true
 # Allow nfs to be exported read only
 # 
 nfs_export_all_ro = true
 # Allow pppd to load kernel modules for certain modems
 # 
 pppd_can_insmod = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
 squid_connect_any = false
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
 # Support SAMBA home directories
 # 
 use_samba_home_dirs = false
 # Control users use of ping and traceroute
 # 
 user_ping = false
 # allow host key based authentication
 # 
 ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = true
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow all domains to talk to ttys
 # 
 daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
 polyinstantiation_enabled = false
 # Allow all domains to dump core
 # 
 daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
 # Allow samba to export user home directories.
 # 
 samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
 xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 guest_exec_content = false
 xguest_exec_content = false
 # Allow postfix locat to write to mail spool
 # 
 postfix_local_write_mail_spool = false
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile = true
 # Allow qemu to connect fully to the network
 # 
 qemu_full_network = true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
 mount_anyfile = true
-
+nfs_export_all_ro = true
-# Allow all domains to mmap files
+nfs_export_all_rw = true
 # 
 domain_can_mmap_files = true
 # Allow confined applications to use nscd shared memory
 #
 nscd_use_shm = true
-
+openvpn_enable_homedirs = true
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+postfix_local_write_mail_spool= true
-#
+pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_rw_noexattrfile = true
 selinuxuser_ping = true
 squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
 unconfined_chrome_sandbox_transition=true
 # Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
 #
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
 # Allow all domains to mmap files
 domain_can_mmap_files = true
--- a/distro_suse_to_distro_redhat.patch
+++ b/distro_suse_to_distro_redhat.patch
@ -1,209 +0,0 @@
 Index: fedora-policy-20221019/policy/modules/contrib/apache.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc
 +++ fedora-policy-20221019/policy/modules/contrib/apache.fc
@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
 +++ fedora-policy-20221019/policy/modules/contrib/cron.fc
@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',`
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',`
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
 +++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
@@ -80,7 +80,7 @@ ifdef(`distro_redhat', `
 /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
 # SuSE
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc
 +++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc
@@ -462,7 +462,7 @@ ifdef(`distro_redhat', `
 /usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
 ')
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh/.*			--	gen_context(system_u:object_r:bin_t,s0)
@@ -491,7 +491,7 @@ ifdef(`distro_suse', `
 /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/kernel/devices.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc
 +++ fedora-policy-20221019/policy/modules/kernel/devices.fc
@@ -148,7 +148,7 @@
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usbmon.+		-c	gen_context(system_u:object_r:usbmon_device_t,s0)
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vmci       -c  gen_context(system_u:object_r:vmci_device_t,s0)
 Index: fedora-policy-20221019/policy/modules/kernel/files.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
 +++ fedora-policy-20221019/policy/modules/kernel/files.fc
@@ -22,7 +22,7 @@ ifdef(`distro_redhat',`
 /[^/]+			--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
 /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/services/xserver.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
 +++ fedora-policy-20221019/policy/modules/services/xserver.fc
@@ -189,7 +189,7 @@ ifndef(`distro_debian',`
 /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/system/authlogin.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc
 +++ fedora-policy-20221019/policy/modules/system/authlogin.fc
@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~		gen_co
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/system/init.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/init.fc
 +++ fedora-policy-20221019/policy/modules/system/init.fc
@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
 /var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /var/run/bootsplashctl	-p	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/keymap		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/numlock-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 Index: fedora-policy-20221019/policy/modules/system/init.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/init.te
 +++ fedora-policy-20221019/policy/modules/system/init.te
@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',`
 	')
 ')
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 	optional_policy(`
 		# set permissions on /tmp/.X11-unix
 		xserver_setattr_xdm_tmp_dirs(initrc_t)
 Index: fedora-policy-20221019/policy/modules/system/libraries.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/libraries.fc
 +++ fedora-policy-20221019/policy/modules/system/libraries.fc
@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_
 /var/lib/spamassassin/compiled/.*\.so.* --	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/xfce4/.*\.so.*			-- 	gen_context(system_u:object_r:lib_t,s0)
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/system/locallogin.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/locallogin.te
 +++ fedora-policy-20221019/policy/modules/system/locallogin.te
@@ -274,7 +274,7 @@ ifdef(`enable_mls',`
 ')
 # suse and debian do not use pam with sulogin...
 -ifdef(`distro_suse', `define(`sulogin_no_pam')')
 +ifdef(`distro_redhat', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
 allow sulogin_t self:capability sys_tty_config;
 Index: fedora-policy-20221019/policy/modules/system/logging.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/logging.fc
 +++ fedora-policy-20221019/policy/modules/system/logging.fc
@@ -46,7 +46,7 @@
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 -ifdef(`distro_suse', `
 +ifdef(`distro_redhat', `
 /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 Index: fedora-policy-20221019/policy/modules/system/logging.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/logging.te
 +++ fedora-policy-20221019/policy/modules/system/logging.te
@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',`
 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
 ')
 -ifdef(`distro_suse',`
 +ifdef(`distro_redhat',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
 ')
--- a/dontaudit_interface_kmod_tmpfs.patch
+++ b/dontaudit_interface_kmod_tmpfs.patch
@ -1,41 +0,0 @@
 Index: fedora-policy-20221019/policy/modules/services/xserver.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/services/xserver.te
 +++ fedora-policy-20221019/policy/modules/services/xserver.te
@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
 userdom_nnp_transition_login_userdomain(xdm_t)
 userdom_watch_user_home_dirs(xdm_t)
 +# SUSE uses startproc to start the display manager. While checking for running processes
 +# it goes over all running instances, triggering AVCs
 +modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
 +
 #userdom_home_manager(xdm_t)
 tunable_policy(`xdm_write_home',`
     userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 Index: fedora-policy-20221019/policy/modules/system/modutils.if
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/modutils.if
 +++ fedora-policy-20221019/policy/modules/system/modutils.if
@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
 ')
 +
 +#######################################
 +## <summary>
 +## Don't audit accesses to tmp file type.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
 +## </param>
 +#
 +interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
 +    gen_require(`
 +        type kmod_tmpfs_t;
 +    ')
 +
 +    dontaudit $1 kmod_tmpfs_t:file { getattr };
 +')
--- a/fedora-policy-20221019.tar.bz2
+++ b/fedora-policy-20221019.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
 size 733130
--- a/fedora-policy.20200717.tar.bz2
+++ b/fedora-policy.20200717.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
 size 752394
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -14,4 +14,3 @@
 /var/run/netconfig /etc
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
 /usr/etc /etc
--- a/fix_alsa.patch
+++ b/fix_alsa.patch
@ -1,15 +0,0 @@
 Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
 +++ fedora-policy-20221019/policy/modules/contrib/alsa.te
@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_user_home_dirs(alsa_t)
 +optional_policy(`
 +	gnome_read_home_config(alsa_t)
 +')
 +
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(alsa_t)
--- a/fix_apache.patch
+++ b/fix_apache.patch
@ -1,10 +1,10 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.if
+Index: fedora-policy/policy/modules/contrib/apache.if
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
+--- fedora-policy.orig/policy/modules/contrib/apache.if
-+++ fedora-policy-20221019/policy/modules/contrib/apache.if
+++ fedora-policy/policy/modules/contrib/apache.if
-@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
+@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets',
- 	allow $1 httpd_t:sem r_sem_perms;
+     allow $1 httpd_t:unix_stream_socket ioctl;
 ')
 +
 +#######################################
--- a/fix_auditd.patch
+++ b/fix_auditd.patch
@ -1,12 +0,0 @@
 Index: fedora-policy-20211111/policy/modules/system/logging.if
 ===================================================================
 --- fedora-policy-20211111.orig/policy/modules/system/logging.if
 +++ fedora-policy-20211111/policy/modules/system/logging.if
@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config',
 	files_search_etc($1)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
 +	allow $1 auditd_etc_t:dir mounton;
 ')
 ########################################
--- a/fix_authlogin.patch
+++ b/fix_authlogin.patch
@ -1,10 +1,10 @@
-Index: fedora-policy-20211111/policy/modules/system/authlogin.fc
+Index: fedora-policy/policy/modules/system/authlogin.fc
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc
+--- fedora-policy.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20211111/policy/modules/system/authlogin.fc
+++ fedora-policy/policy/modules/system/authlogin.fc
-@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', `
+@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
- /usr/libexec/chkpwd/tcb_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/libexec/chkpwd/tcb_updpwd	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
+ 
 /usr/libexec/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
 +/usr/lib/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
--- a/fix_bitlbee.patch
+++ b/fix_bitlbee.patch
@ -1,12 +0,0 @@
 Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
 ===================================================================
 --- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc
 +++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
@@ -9,6 +9,5 @@
 /var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
 -/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 -/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 +/var/run/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 /var/run/bip(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
+Index: fedora-policy/policy/modules/contrib/chronyd.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
+++ fedora-policy/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
+@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t)
 userdom_dgram_send(chronyd_t)
 optional_policy(`
@ -17,16 +17,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
     cron_dgram_send(chronyd_t)
 ')
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
+Index: fedora-policy/policy/modules/contrib/chronyd.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
+--- fedora-policy.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
+++ fedora-policy/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,8 @@
+@@ -6,6 +6,7 @@
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 /usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/lib/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/libexec/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 /usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
--- a/fix_cloudform.patch
+++ b/fix_cloudform.patch
@ -1,13 +0,0 @@
 Index: fedora-policy/policy/modules/contrib/cloudform.te
 ===================================================================
 --- cloudform.te	2022-07-18 14:06:56.735383426 +0200
 +++ cloudform.te.new	2022-07-18 14:07:36.003069544 +0200
@@ -81,6 +81,8 @@
 init_dbus_chat(cloud_init_t)
 +snapper_dbus_chat(cloud_init_t)
 +
 kernel_read_network_state(cloud_init_t)
 corenet_tcp_connect_http_port(cloud_init_t)
--- a/fix_colord.patch
+++ b/fix_colord.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
+Index: fedora-policy/policy/modules/contrib/colord.fc
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
+--- fedora-policy.orig/policy/modules/contrib/colord.fc
-+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
+++ fedora-policy/policy/modules/contrib/colord.fc
@@ -6,6 +6,8 @@
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
@ -11,15 +11,3 @@ Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
 /usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
 Index: fedora-policy-20211111/policy/modules/contrib/colord.te
 ===================================================================
 --- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
 +++ fedora-policy-20211111/policy/modules/contrib/colord.te
@@ -17,6 +17,7 @@ type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
 init_daemon_domain(colord_t, colord_exec_t)
 +init_nnp_daemon_domain(colord_t)
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
--- a/fix_corecommand.patch
+++ b/fix_corecommand.patch
@ -45,16 +45,7 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc
 /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
+@@ -391,6 +411,7 @@ ifdef(`distro_debian',`
 /usr/lib/xfce4(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/.*	--	gen_context(system_u:object_r:bin_t,s0)
 +
 /usr/Brother(/.*)?              gen_context(system_u:object_r:bin_t,s0)
 /usr/Printer(/.*)?              gen_context(system_u:object_r:bin_t,s0)
 /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
 /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
 ')
--- a/fix_cron.patch
+++ b/fix_cron.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
+Index: fedora-policy/policy/modules/contrib/cron.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
+--- fedora-policy.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
+++ fedora-policy/policy/modules/contrib/cron.fc
@@ -34,7 +34,7 @@
 /var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
@ -11,32 +11,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
 /var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.*	--	<<none>>
-@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
+@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',`
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +
 +/var/spool/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/spool/atjobs/.SEQ          --	gen_context(system_u:object_r:user_cron_spool_t,s0)
 +/var/spool/atjobs/[^/]*		--	<<none>>
 ')
 ifdef(`distro_debian',`
@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 -
-ifdef(`distro_redhat', `
+-ifdef(`distro_suse', `
 -/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 -/var/spool/cron/lastrun/[^/]*	--	<<none>>
 -/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 -')
-Index: fedora-policy-20221019/policy/modules/contrib/cron.if
+Index: fedora-policy/policy/modules/contrib/cron.if
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
+--- fedora-policy.orig/policy/modules/contrib/cron.if
-+++ fedora-policy-20221019/policy/modules/contrib/cron.if
+++ fedora-policy/policy/modules/contrib/cron.if
-@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
+@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo
 #
 interface(`cron_system_spool_entrypoint',`
 	gen_require(`
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@ -1,11 +1,11 @@
-Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
+Index: fedora-policy/policy/modules/contrib/dbus.te
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te
+--- fedora-policy.orig/policy/modules/contrib/dbus.te	2020-02-25 08:22:02.846623845 +0000
-+++ fedora-policy-20211111/policy/modules/contrib/dbus.te
+++ fedora-policy/policy/modules/contrib/dbus.te	2020-02-25 08:22:31.991108418 +0000
-@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
+@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
 +allow system_dbusd_t system_dbusd_tmp_t:file execute;
 manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
--- a/fix_dnsmasq.patch
+++ b/fix_dnsmasq.patch
@ -1,12 +0,0 @@
 Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
 ===================================================================
 --- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
 +++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
 logging_send_syslog_msg(dnsmasq_t)
 miscfiles_read_public_files(dnsmasq_t)
 +sysnet_manage_config_dirs(dnsmasq_t)
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
--- a/fix_dovecot.patch
+++ b/fix_dovecot.patch
@ -1,15 +0,0 @@
 Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
 ===================================================================
 --- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
 +++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 ')
 +/usr/lib/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 +/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 +/usr/lib/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 +
 #
 # /var
 #
--- a/fix_firewalld.patch
+++ b/fix_firewalld.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
+Index: fedora-policy/policy/modules/contrib/firewalld.te
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
+--- fedora-policy.orig/policy/modules/contrib/firewalld.te	2020-02-24 08:16:03.798820784 +0000
-+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
+++ fedora-policy/policy/modules/contrib/firewalld.te	2020-02-24 08:18:03.164764310 +0000
-@@ -131,6 +131,7 @@ optional_policy(`
+@@ -129,6 +129,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -10,10 +10,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
 	iptables_domtrans(firewalld_t)
 	iptables_read_var_run(firewalld_t)
 ')
-Index: fedora-policy-20211111/policy/modules/system/iptables.if
+Index: fedora-policy/policy/modules/system/iptables.if
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/iptables.if
+--- fedora-policy.orig/policy/modules/system/iptables.if	2020-02-19 09:36:25.440182406 +0000
-+++ fedora-policy-20211111/policy/modules/system/iptables.if
+++ fedora-policy/policy/modules/system/iptables.if	2020-02-24 08:17:53.076600108 +0000
@@ -2,6 +2,25 @@
 ########################################
--- a/fix_gift.patch
+++ b/fix_gift.patch
@ -0,0 +1,9 @@
 Index: fedora-policy/policy/modules/contrib/gift.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/gift.te	2019-08-05 09:39:48.645670248 +0200
 +++ fedora-policy/policy/modules/contrib/gift.te	2019-08-05 10:05:44.787808191 +0200
@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
 sysnet_dns_name_resolve(giftd_t)
 userdom_use_inherited_user_terminals(giftd_t)
 -userdom_home_manager(gitd_t)
--- a/fix_hadoop.patch
+++ b/fix_hadoop.patch
@ -0,0 +1,30 @@
 Index: fedora-policy/policy/modules/roles/sysadm.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/roles/sysadm.te
 +++ fedora-policy/policy/modules/roles/sysadm.te
@@ -293,10 +293,6 @@ optional_policy(`
 ')
 optional_policy(`
 -	hadoop_role(sysadm_r, sysadm_t)
 -')
 -
 -optional_policy(`
     iotop_run(sysadm_t, sysadm_r)
 ')
 Index: fedora-policy/policy/modules/roles/unprivuser.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/roles/unprivuser.te
 +++ fedora-policy/policy/modules/roles/unprivuser.te
@@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
 -		hadoop_role(user_r, user_t)
 -	')
 -
 -	optional_policy(`
 		irc_role(user_r, user_t)
 	')
--- a/fix_hypervkvp.patch
+++ b/fix_hypervkvp.patch
@ -1,15 +0,0 @@
 Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
 ===================================================================
 --- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
 +++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
@@ -3,8 +3,10 @@
 /usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
 /usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
 +/usr/lib/hyper-v/bin/.*kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
 /usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
 /usr/sbin/hypervvssd        --  gen_context(system_u:object_r:hypervvssd_exec_t,s0)
 +/usr/lib/hyper-v/bin/.*vss_daemon	--	gen_context(system_u:object_r:hypervvssd_exec_t,s0)
 /var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
--- a/fix_init.patch
+++ b/fix_init.patch
@ -1,17 +1,16 @@
-Index: fedora-policy-20221019/policy/modules/system/init.te
+Index: fedora-policy/policy/modules/system/init.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
+--- fedora-policy.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
+++ fedora-policy/policy/modules/system/init.te
-@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
+@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t)
 corenet_all_recvfrom_netlabel(init_t)
 corenet_tcp_bind_all_ports(init_t)
 corenet_udp_bind_all_ports(init_t)
 +corenet_udp_bind_generic_node(init_t)
 +corenet_tcp_bind_generic_node(init_t)
 dev_create_all_files(init_t)
 dev_create_all_chr_files(init_t)
-@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
+@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t)
 logging_create_syslog_netlink_audit_socket(init_t)
 logging_write_var_log_dirs(init_t)
 logging_manage_var_log_symlinks(init_t)
@ -19,7 +18,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 seutil_read_config(init_t)
 seutil_read_login_config(init_t)
-@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
+@@ -427,10 +429,15 @@ ifdef(`distro_redhat',`
 corecmd_shell_domtrans(init_t, initrc_t)
 storage_raw_rw_fixed_disk(init_t)
@ -27,19 +26,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 sysnet_read_dhcpc_state(init_t)
-+# bsc#1197610, find a better, generic solution
+ optional_policy(`
 +optional_policy(`
 +    mta_getattr_spool(init_t)
 +')
 +
 +optional_policy(`
 +	networkmanager_initrc_read_lnk_files(init_t)
 +')
 +
- optional_policy(`
+optional_policy(`
- 	anaconda_stream_connect(init_t)
+     bootloader_domtrans(init_t)
- 	anaconda_create_unix_stream_sockets(init_t)
+ ')
-@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
+ 
@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',`
 allow init_t self:system all_system_perms;
 allow init_t self:system module_load;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@ -47,12 +42,8 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
 allow init_t self:process { getcap setcap };
 allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t)
 allow init_t self:netlink_selinux_socket create_socket_perms;
 allow init_t self:unix_dgram_socket lock;
 # Until systemd is fixed
@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
 files_create_var_lib_dirs(init_t)
 files_create_var_lib_symlinks(init_t)
 files_read_var_lib_symlinks(init_t)
@ -60,16 +51,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 files_manage_urandom_seed(init_t)
 files_list_locks(init_t)
 files_list_spool(init_t)
-@@ -684,7 +698,7 @@ fs_list_all(init_t)
+@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_
 fs_list_auto_mountpoints(init_t)
 fs_register_binary_executable_type(init_t)
 fs_relabel_tmpfs_sock_file(init_t)
 -fs_rw_tmpfs_files(init_t)	
 +fs_rw_tmpfs_files(init_t)
 fs_relabel_cgroup_dirs(init_t)
 fs_search_cgroup_dirs(init_t)
 # for network namespaces
@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
 create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 create_dirs_pattern(init_t, var_log_t, var_log_t)
@ -77,7 +59,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
-@@ -1596,6 +1611,8 @@ optional_policy(`
+@@ -1543,6 +1552,8 @@ optional_policy(`
 optional_policy(`
 	postfix_list_spool(initrc_t)
@ -86,3 +68,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 ')
 optional_policy(`
 Index: fedora-policy/policy/modules/system/init.if
 ===================================================================
 --- fedora-policy.orig/policy/modules/system/init.if
 +++ fedora-policy/policy/modules/system/init.if
@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content'
 	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
 	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
 	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 ')
--- a/fix_iptables.patch
+++ b/fix_iptables.patch
@ -1,9 +1,9 @@
-Index: fedora-policy-20220428/policy/modules/system/iptables.te
+Index: fedora-policy/policy/modules/system/iptables.te
 ===================================================================
--- fedora-policy-20220428.orig/policy/modules/system/iptables.te
+--- fedora-policy.orig/policy/modules/system/iptables.te	2020-02-19 09:36:25.440182406 +0000
-+++ fedora-policy-20220428/policy/modules/system/iptables.te
+++ fedora-policy/policy/modules/system/iptables.te	2020-02-21 12:19:23.060595602 +0000
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
+@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
+ kernel_read_usermodehelper_state(iptables_t)
 kernel_use_fds(iptables_t)
 kernel_rw_net_sysctls(iptables_t)
 +kernel_rw_pipes(iptables_t)
--- a/fix_kernel_sysctl.patch
+++ b/fix_kernel_sysctl.patch
@ -1,26 +0,0 @@
 Index: fedora-policy-20221019/policy/modules/kernel/files.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
 +++ fedora-policy-20221019/policy/modules/kernel/files.fc
@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
 /usr/lib/ostree-boot(/.*)?                gen_context(system_u:object_r:usr_t,s0)
 /usr/lib/modules(/.*)/vmlinuz         -- 	gen_context(system_u:object_r:usr_t,s0)
 /usr/lib/modules(/.*)/initramfs.img   --	gen_context(system_u:object_r:usr_t,s0)
 +/usr/lib/modules(/.*)/sysctl.conf     --	gen_context(system_u:object_r:usr_t,s0)
 +/usr/lib/modules(/.*)/System.map      --	gen_context(system_u:object_r:system_map_t,s0)
 /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 Index: fedora-policy-20221019/policy/modules/system/systemd.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/systemd.te
 +++ fedora-policy-20221019/policy/modules/system/systemd.te
@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t)
 logging_send_syslog_msg(systemd_sysctl_t)
 systemd_read_efivarfs(systemd_sysctl_t)
 +# kernel specific sysctl.conf may be in modules dir
 +allow systemd_sysctl_t modules_object_t:dir search;
 #######################################
 #
--- a/fix_libraries.patch
+++ b/fix_libraries.patch
@ -1,13 +0,0 @@
 Index: fedora-policy-20210419/policy/modules/system/libraries.fc
 ===================================================================
 --- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
 +++ fedora-policy-20210419/policy/modules/system/libraries.fc
@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
 /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 +/usr/lib/libreoffice/program/resource.* --	gen_context(system_u:object_r:lib_t,s0)
 +
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--- a/fix_locallogin.patch
+++ b/fix_locallogin.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20220624/policy/modules/system/locallogin.te
+Index: fedora-policy/policy/modules/system/locallogin.te
 ===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
+--- fedora-policy.orig/policy/modules/system/locallogin.te	2020-02-19 09:36:25.440182406 +0000
-+++ fedora-policy-20220624/policy/modules/system/locallogin.te
+++ fedora-policy/policy/modules/system/locallogin.te	2020-02-21 08:52:35.961803038 +0000
@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)
@ -10,11 +10,3 @@ Index: fedora-policy-20220624/policy/modules/system/locallogin.te
 corecmd_list_bin(local_login_t)
 corecmd_read_bin_symlinks(local_login_t)
@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
 auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
 auth_use_nsswitch(local_login_t)
 +auth_read_shadow(local_login_t)
 init_dontaudit_use_fds(local_login_t)
 init_stream_connect(local_login_t)
--- a/fix_logging.patch
+++ b/fix_logging.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20220624/policy/modules/system/logging.fc
+Index: fedora-policy/policy/modules/system/logging.fc
 ===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.fc
+--- fedora-policy.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20220624/policy/modules/system/logging.fc
+++ fedora-policy/policy/modules/system/logging.fc
@@ -3,6 +3,8 @@
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@ -19,11 +19,11 @@ Index: fedora-policy-20220624/policy/modules/system/logging.fc
 /var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20220624/policy/modules/system/logging.if
+Index: fedora-policy/policy/modules/system/logging.if
 ===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.if
+--- fedora-policy.orig/policy/modules/system/logging.if
-+++ fedora-policy-20220624/policy/modules/system/logging.if
+++ fedora-policy/policy/modules/system/logging.if
-@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',`
+@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',`
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 ')
--- a/fix_logrotate.patch
+++ b/fix_logrotate.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
+Index: fedora-policy/policy/modules/contrib/logrotate.te
 ===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
+--- fedora-policy.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
+++ fedora-policy/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
+@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log
 kernel_read_system_state(logrotate_t)
 kernel_read_kernel_sysctls(logrotate_t)
--- a/fix_nagios.patch
+++ b/fix_nagios.patch
@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/nagios.te
 +++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
+@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
+Index: fedora-policy/policy/modules/contrib/networkmanager.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
+++ fedora-policy/policy/modules/contrib/networkmanager.te
-@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t
+@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t
 userdom_read_user_home_content_files(NetworkManager_t)
 userdom_dgram_send(NetworkManager_t)
@ -12,18 +12,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 tunable_policy(`use_nfs_home_dirs',`
     fs_read_nfs_files(NetworkManager_t)
 ')
-@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -253,6 +256,14 @@ optional_policy(`
 ')
 optional_policy(`
 +    nis_systemctl_ypbind(NetworkManager_t)
 +')
 +
 +optional_policy(`
 	avahi_domtrans(NetworkManager_t)
 	avahi_kill(NetworkManager_t)
 	avahi_signal(NetworkManager_t)
@@ -292,6 +299,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -38,39 +27,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)
 	bind_kill(NetworkManager_t)
-@@ -419,6 +434,8 @@ optional_policy(`
+Index: fedora-policy/policy/modules/contrib/networkmanager.if
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
 	nscd_systemctl(NetworkManager_t)
 +	nscd_socket_use(NetworkManager_dispatcher_tlp_t)
 +	nscd_socket_use(NetworkManager_dispatcher_custom_t)
 ')
 optional_policy(`
@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di
 init_status(NetworkManager_dispatcher_cloud_t)
 init_status(NetworkManager_dispatcher_ddclient_t)
 +init_status(NetworkManager_dispatcher_custom_t)
 init_append_stream_sockets(networkmanager_dispatcher_plugin)
 init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
 init_stream_connect(networkmanager_dispatcher_plugin)
@@ -621,6 +639,10 @@ optional_policy(`
 ')
 optional_policy(`
 +	nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
 +')
 +
 +optional_policy(`
 	cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
 ')
 Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
+++ fedora-policy/policy/modules/contrib/networkmanager.if
-@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
+@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
         init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 ')
@ -95,15 +56,3 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
 ########################################
 ## <summary>
 ##	Execute NetworkManager server in the NetworkManager domain.
 Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
 +++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
@@ -24,6 +24,7 @@
 /usr/lib/NetworkManager/dispatcher\.d/04-iscsi	--	gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/10-sendmail	--	gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/11-dhclient	--	gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
 +/usr/lib/NetworkManager/dispatcher\.d/20-chrony	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/30-winbind	--	gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
--- a/fix_nscd.patch
+++ b/fix_nscd.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
+Index: fedora-policy/policy/modules/contrib/nscd.fc
 ===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
+++ fedora-policy/policy/modules/contrib/nscd.fc
@@ -8,8 +8,10 @@
 /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
@ -14,11 +14,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
 /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 +
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
+Index: fedora-policy/policy/modules/contrib/nscd.te
 ===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
+--- fedora-policy.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
+++ fedora-policy/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
+@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
 userdom_dontaudit_search_user_home_dirs(nscd_t)
 optional_policy(`
--- a/fix_policykit.patch
+++ b/fix_policykit.patch
@ -0,0 +1,13 @@
 Index: fedora-policy/policy/modules/contrib/policykit.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/policykit.te	2020-02-21 13:28:23.080385220 +0000
 +++ fedora-policy/policy/modules/contrib/policykit.te	2020-02-21 13:31:09.023086041 +0000
@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 userdom_dontaudit_search_admin_dir(policykit_t)
 +policykit_dbus_chat(policykit_t)
 +
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
+Index: fedora-policy/policy/modules/contrib/postfix.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
+++ fedora-policy/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,21 @@
+@@ -1,37 +1,20 @@
 # postfix
 -/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 -/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
@ -41,7 +41,6 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
 +/etc/postfix.*		      		gen_context(system_u:object_r:postfix_etc_t,s0)
 +/etc/postfix/chroot-update 	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/.*		--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/systemd/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/cleanup 	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -57,7 +56,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
+@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
 /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
 /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -67,28 +66,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
 /var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
 /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+Index: fedora-policy/policy/modules/contrib/postfix.te
 /var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_t,s0)
 /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
 -/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
 +/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
 /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
+--- fedora-policy.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
+++ fedora-policy/policy/modules/contrib/postfix.te
-@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
+@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
 allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
 +# SUSE also runs this on /etc/alias
 +mta_filetrans_aliases(postfix_master_t, etc_t)
 can_exec(postfix_master_t, postfix_exec_t)
@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
 userdom_use_inherited_user_ptys(postfix_map_t)
@ -103,7 +85,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
-@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
+@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m
 files_search_all_mountpoints(postfix_smtp_t)
 optional_policy(`
--- a/fix_rpm.patch
+++ b/fix_rpm.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
+Index: fedora-policy/policy/modules/contrib/rpm.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
+--- fedora-policy.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
+++ fedora-policy/policy/modules/contrib/rpm.fc
-@@ -18,6 +18,10 @@
+@@ -17,6 +17,10 @@
 /usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
 /usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
 /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -56,6 +60,8 @@ ifdef(`distro_redhat', `
+@@ -54,6 +58,8 @@ ifdef(`distro_redhat', `
 /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
@ -22,11 +22,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
+Index: fedora-policy/policy/modules/contrib/rpm.if
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if
+--- fedora-policy.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.if
+++ fedora-policy/policy/modules/contrib/rpm.if
-@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
+@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',`
 	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
 	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
 	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
@ -37,11 +37,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
+Index: fedora-policy/policy/modules/kernel/files.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
+--- fedora-policy.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
+++ fedora-policy/policy/modules/kernel/files.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
+@@ -67,6 +67,7 @@ ifdef(`distro_suse',`
 /etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
 /etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
 /etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
--- a/fix_selinuxutil.patch
+++ b/fix_selinuxutil.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
+Index: fedora-policy/policy/modules/system/selinuxutil.te
 ===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te
+--- fedora-policy.orig/policy/modules/system/selinuxutil.te	2020-02-19 09:36:25.444182470 +0000
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te
+++ fedora-policy/policy/modules/system/selinuxutil.te	2020-02-24 07:57:26.556813139 +0000
@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
 ')
@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
 	portage_dontaudit_use_fds(load_policy_t)
 ')
-@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t)
+@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
 logging_send_syslog_msg(setfiles_t)
 optional_policy(`
@ -24,16 +24,3 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
     cloudform_dontaudit_write_cloud_log(setfiles_t)
 ')
 Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if
 ===================================================================
 --- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if
 +++ fedora-policy-20210628/policy/modules/system/selinuxutil.if
@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
 	dontaudit $1 selinux_config_t:dir search_dir_perms;
 	dontaudit $1 selinux_config_t:file read_file_perms;
 +	# /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
 +	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
--- a/fix_snapper.patch
+++ b/fix_snapper.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
+Index: fedora-policy/policy/modules/contrib/snapper.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
+--- fedora-policy.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
+++ fedora-policy/policy/modules/contrib/snapper.te
@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
 type snapperd_data_t;
 files_type(snapperd_data_t)
@ -23,25 +23,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
 kernel_setsched(snapperd_t)
 domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
+@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t)
 auth_use_nsswitch(snapperd_t)
 optional_policy(`
 +	packagekit_dbus_chat(snapperd_t)
 +')
 +
 +optional_policy(`
 +        rpm_dbus_chat(snapperd_t)
 +')
 +
 +optional_policy(`
     cron_system_entry(snapperd_t, snapperd_exec_t)
 ')
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
+Index: fedora-policy/policy/modules/contrib/snapper.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
+--- fedora-policy.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
+++ fedora-policy/policy/modules/contrib/snapper.fc
@@ -7,9 +7,17 @@
 /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
--- a/fix_sysnetwork.patch
+++ b/fix_sysnetwork.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
+Index: fedora-policy/policy/modules/system/sysnetwork.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
+--- fedora-policy.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
+++ fedora-policy/policy/modules/system/sysnetwork.fc
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
+@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
+Index: fedora-policy/policy/modules/system/systemd.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
+--- fedora-policy.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
+++ fedora-policy/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
+@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system
 xserver_dbus_chat(systemd_logind_t)
 optional_policy(`
@ -13,8 +13,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
 	apache_read_tmp_files(systemd_logind_t)
 ')
-@@ -863,6 +867,10 @@ optional_policy(`
+@@ -823,6 +827,10 @@ optional_policy(`
- 	dbus_system_bus_client(systemd_localed_t)
+         dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 +optional_policy(`
@ -23,22 +23,4 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
 +
 #######################################
 #
- # Hostnamed policy
+ # rfkill policy
@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
 # systemd_gpt_generator domain
 #
 -allow systemd_gpt_generator_t self:capability sys_rawio;
 +allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
 allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
 dev_read_sysfs(systemd_gpt_generator_t)
@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
 systemd_create_unit_file_dirs(systemd_gpt_generator_t)
 systemd_create_unit_file_lnk(systemd_gpt_generator_t)
 +kernel_dgram_send(systemd_gpt_generator_t)
 +
 optional_policy(`
 	udev_read_pid_files(systemd_gpt_generator_t)
 ')
--- a/fix_systemd_watch.patch
+++ b/fix_systemd_watch.patch
@ -1,17 +0,0 @@
 Index: fedora-policy-20221019/policy/modules/system/systemd.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/system/systemd.te
 +++ fedora-policy-20221019/policy/modules/system/systemd.te
@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
 storage_getattr_fixed_disk_dev(systemd_sleep_t)
 storage_getattr_removable_dev(systemd_sleep_t)
 +#######################################
 +#
 +# Allow systemd to watch certificate dir for ca-certificates
 +# 
 +watch_dirs_pattern(init_t,cert_t,cert_t)
 +
 optional_policy(`
 	sysstat_domtrans(systemd_sleep_t)
 ')
--- a/fix_thunderbird.patch
+++ b/fix_thunderbird.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
 ===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
+++ fedora-policy/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
+@@ -139,7 +139,6 @@ optional_policy(`
 optional_policy(`
 	gnome_stream_connect_gconf(thunderbird_t)
 	gnome_domtrans_gconfd(thunderbird_t)
--- a/fix_unconfined.patch
+++ b/fix_unconfined.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
+Index: fedora-policy/policy/modules/system/unconfined.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
+--- fedora-policy.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
+++ fedora-policy/policy/modules/system/unconfined.te
@@ -1,5 +1,10 @@
 policy_module(unconfined, 3.5.0)
@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/system/unconfined.te
 ########################################
 #
 # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
+@@ -39,3 +44,6 @@ optional_policy(`
 optional_policy(`
 	container_runtime_domtrans(unconfined_service_t)
 ')
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
+++ fedora-policy/policy/modules/roles/unconfineduser.te
-@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
+@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all'
     domain_dyntrans(unconfined_t)
 ')
@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
 optional_policy(`
 	gen_require(`
 		type unconfined_t;
-@@ -214,6 +219,10 @@ optional_policy(`
+@@ -210,6 +215,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
 	chrome_role_notrans(unconfined_r, unconfined_t)
 	tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -248,6 +257,18 @@ optional_policy(`
+@@ -244,6 +253,18 @@ optional_policy(`
 	dbus_stub(unconfined_t)
 	optional_policy(`
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
+Index: fedora-policy/policy/modules/roles/unprivuser.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
+++ fedora-policy/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
+@@ -289,6 +289,13 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
--- a/fix_userdomain.patch
+++ b/fix_userdomain.patch
@ -1,12 +0,0 @@
 Index: fedora-policy-20220624/policy/modules/system/userdomain.if
 ===================================================================
 --- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
 +++ fedora-policy-20220624/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 #	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 +	corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
 	# Need the following rule to allow users to run vpnc
 	corenet_tcp_bind_xserver_port($1_t)
 	corenet_tcp_bind_generic_node($1_usertype)
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
+Index: fedora-policy/policy/modules/admin/usermanage.te
 ===================================================================
--- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
+--- fedora-policy.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
+++ fedora-policy/policy/modules/admin/usermanage.te
@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 allow groupadd_t self:unix_dgram_socket sendto;
@ -10,7 +10,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
 fs_getattr_xattr_fs(groupadd_t)
 fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
+@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
@ -18,7 +18,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
 manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
 manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
+@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
--- a/fix_wine.patch
+++ b/fix_wine.patch
@ -1,23 +0,0 @@
 Index: fedora-policy-20220428/policy/modules/system/libraries.fc
 ===================================================================
 --- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
 +++ fedora-policy-20220428/policy/modules/system/libraries.fc
@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
 /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
 /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/opt/cx.*/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/cx.*/lib/wine/.+\.(so|dll)		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
 /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
 /usr/lib/systemd/libsystemd-.+\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
 /usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
 -/usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/wine/*-windows/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--- a/fix_xserver.patch
+++ b/fix_xserver.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
+Index: fedora-policy/policy/modules/services/xserver.fc
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
+--- fedora-policy.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
+++ fedora-policy/policy/modules/services/xserver.fc
@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@ -18,15 +18,7 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
+@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /usr/bin/Xwayland	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/nvidia.*	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/greetd		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)   
 /usr/libexec/Xorg\.wrap  --  gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
@ -34,30 +26,13 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
+Index: fedora-policy/policy/modules/services/xserver.te
 /var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 /var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 +/var/lib/greetd(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/cache/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/greetd[^/]*\.sock	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/greetd\.run		--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 Index: fedora-policy-20221019/policy/modules/services/xserver.te
 ===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
+--- fedora-policy.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
+++ fedora-policy/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
+@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x
- 
+ userdom_signull_unpriv_users(xdm_t)
- kernel_read_vm_sysctls(xdm_t)
+ userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
 +files_manage_generic_pids_symlinks(xdm_t)
 +userdom_manage_user_home_content_dirs(xdm_t)
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@ -392,6 +392,13 @@ udev = module
 # 
 unconfined = module
 # Layer: system
 # Module: kdbus
 #
 # Policy for kdbus.
 #
 kdbus = module
 # Layer: admin
 # Module: rpm
 #
@ -412,3 +419,4 @@ packagekit = module
 # Name service cache daemon
 # 
 nscd = module
--- a/modules-minimum-contrib.conf
+++ b/modules-minimum-contrib.conf
@ -342,6 +342,13 @@ cmirrord = module
 # 
 cobbler = module
 # Layer: contrib
 # Module: cockpit
 #
 # cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
 # 
 cockpit = module
 # Layer: services
 # Module: collectd
 #
@ -2360,6 +2367,13 @@ minissdpd = module
 #
 freeipmi = module
 # Layer: contrib
 # Module: freeipmi
 # 
 # ipa policy module contain SELinux policies for IPA services
 #
 ipa = module
 # Layer: contrib
 # Module: mirrormanager
 # 
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -392,6 +392,13 @@ udev = module
 # 
 unconfined = module
 # Layer: system
 # Module: kdbus
 #
 # Policy for kdbus.
 #
 kdbus = module
 # Layer: contrib
 # Module: packagekit
 #
@ -412,10 +419,3 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
 # Layer: system
 # Module: rebootmgr
 #
 # Policy for rebootmgr
 #
 rebootmgr = module
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -342,6 +342,13 @@ cmirrord = module
 # 
 cobbler = module
 # Layer: contrib
 # Module: cockpit
 #
 # cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
 # 
 cockpit = module
 # Layer: services
 # Module: collectd
 #
@ -2374,6 +2381,13 @@ minissdpd = module
 #
 freeipmi = module
 # Layer: contrib
 # Module: freeipmi
 # 
 # ipa policy module contain SELinux policies for IPA services
 #
 ipa = module
 # Layer: contrib
 # Module: mirrormanager
 # 
--- a/rebootmgr.fc
+++ b/rebootmgr.fc
@ -1 +0,0 @@
 /usr/sbin/rebootmgrd		--	gen_context(system_u:object_r:rebootmgr_exec_t,s0)
--- a/rebootmgr.if
+++ b/rebootmgr.if
@ -1,61 +0,0 @@
 ## <summary>policy for rebootmgr</summary>
 ########################################
 ## <summary>
 ##	Execute rebootmgr_exec_t in the rebootmgr domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`rebootmgr_domtrans',`
 	gen_require(`
 		type rebootmgr_t, rebootmgr_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
 ')
 ######################################
 ## <summary>
 ##	Execute rebootmgr in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`rebootmgr_exec',`
 	gen_require(`
 		type rebootmgr_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, rebootmgr_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Send and receive messages from
 ##	rebootmgr over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`rebootmgr_dbus_chat',`
 	gen_require(`
 		type rebootmgr_t;
 		class dbus send_msg;
 	')
 	allow $1 rebootmgr_t:dbus send_msg;
 	allow rebootmgr_t $1:dbus send_msg;
 ')
--- a/rebootmgr.te
+++ b/rebootmgr.te
@ -1,37 +0,0 @@
 policy_module(rebootmgr, 1.0.0)
 ########################################
 #
 # Declarations
 #
 type rebootmgr_t;
 type rebootmgr_exec_t;
 init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
 ########################################
 #
 # rebootmgr local policy
 #
 allow rebootmgr_t self:process { fork };
 allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
 allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
 domain_use_interactive_fds(rebootmgr_t)
 files_manage_etc_files(rebootmgr_t)
 logging_send_syslog_msg(rebootmgr_t)
 miscfiles_read_localization(rebootmgr_t)
 systemd_start_power_services(rebootmgr_t)
 systemd_dbus_chat_logind(rebootmgr_t)
 unconfined_dbus_chat(rebootmgr_t)
 optional_policy(`
 	dbus_system_bus_client(rebootmgr_t)
 	dbus_connect_system_bus(rebootmgr_t)
 ')
--- a/rtorrent.if
+++ b/rtorrent.if
@ -1,71 +1,6 @@
 ## <summary>Policy for rtorrent.</summary>
-## <summary>policy for rtorrent</summary>
+############################################################
 ########################################
 ## <summary>
 ##	Execute rtorrent_exec_t in the rtorrent domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`rtorrent_domtrans',`
 	gen_require(`
 		type rtorrent_t, rtorrent_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
 ')
 ######################################
 ## <summary>
 ##	Execute rtorrent in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`rtorrent_exec',`
 	gen_require(`
 		type rtorrent_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, rtorrent_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute rtorrent in the rtorrent domain, and
 ##	allow the specified role the rtorrent domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	The role to be allowed the rtorrent domain.
 ##	</summary>
 ## </param>
 #
 interface(`rtorrent_run',`
 	gen_require(`
 		type rtorrent_t;
 		attribute_role rtorrent_roles;
 	')
 	rtorrent_domtrans($1)
 	roleattribute $2 rtorrent_roles;
 ')
 ########################################
 ## <summary>
 ##	Role access for rtorrent
 ## </summary>
@ -82,14 +17,95 @@ interface(`rtorrent_run',`
 #
 interface(`rtorrent_role',`
 	gen_require(`
 		type rtorrent_t;
 	    attribute_role rtorrent_roles;
 	    type rtorrent_t, rtorrent_exec_t;
 	')
 	roleattribute $1 rtorrent_roles;
-	rtorrent_domtrans($2)
+	# transition from the userdomain to the derived domain
 	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
 	# allow ps to show rtorrent
 	ps_process_pattern($2, rtorrent_t)
-	allow $2 rtorrent_t:process { signull signal sigkill };
+	allow $2 rtorrent_t:process { signull sigstop signal sigkill };
 	ifdef(`hide_broken_symptoms',`
 		#Leaked File Descriptors
 		dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
 	')
 ')
 ########################################
 ## <summary>
 ##	Transition to a user torrent domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 interface(`rtorrent_domtrans',`
 	gen_require(`
 		type rtorrent_t, rtorrent_exec_t;
 	')
 	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
 ')
 ######################################
 ## <summary>
 ##	Execute torrent in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`rtorrent_exec',`
 	gen_require(`
 		type rtorrent_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, rtorrent_exec_t)
 ')
 ######################################
 ## <summary>
 ##  Make rtorrent an entrypoint for
 ##  the specified domain.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  The domain for which cifs_t is an entrypoint.
 ##  </summary>
 ## </param>
 #
 interface(`rtorrent_entry_type',`
    gen_require(`
        type rtorrent_exec_t;
    ')
    domain_entry_file($1, rtorrent_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Send generic signals to user rtorrent processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`rtorrent_signal',`
 	gen_require(`
 		type rtorrent_t;
 	')
 	allow $1 rtorrent_t:process signal;
 ')
--- a/rtorrent.te
+++ b/rtorrent.te
@ -1,4 +1,4 @@
-policy_module(rtorrent, 1.0.0)
+policy_module(rtorrent, 1.0.1)
 ########################################
 #
@ -18,65 +18,66 @@ gen_tunable(rtorrent_send_mails, false)
 ## </desc>
 gen_tunable(rtorrent_enable_rutorrent, false)
-## <desc>
+attribute rtorrentdomain;
 ## <p>
 ## Allow rtorrent to execute helper scripts in home directories
 ## </p>
 ## </desc>
 gen_tunable(rtorrent_exec_scripts, false)
 attribute_role rtorrent_roles;
 roleattribute system_r rtorrent_roles;
 type rtorrent_t;
 type rtorrent_exec_t;
-application_domain(rtorrent_t, rtorrent_exec_t)
+userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
 role rtorrent_roles types rtorrent_t;
 ########################################
 #
 # rtorrent local policy
 #
 allow rtorrent_t self:process { fork signal_perms };
-allow rtorrent_t self:fifo_file manage_fifo_file_perms;
+corenet_tcp_bind_commplex_main_port(rtorrent_t)
 allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
 domain_use_interactive_fds(rtorrent_t)
 files_read_etc_files(rtorrent_t)
 miscfiles_read_localization(rtorrent_t)
 sysnet_dns_name_resolve(rtorrent_t)
 optional_policy(`
 	gen_require(`
 		type staff_t;
 		role staff_r;
 	')
 	rtorrent_run(staff_t, staff_r)
 ')
 type rtorrent_port_t;
 corenet_port(rtorrent_port_t)
 allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
 userdom_read_user_home_content_symlinks(rtorrent_t)
 userdom_manage_user_home_content_files(rtorrent_t)
 userdom_manage_user_home_content_dirs(rtorrent_t)
-allow rtorrent_t self:tcp_socket { accept listen };
+allow rtorrent_t self:process setpgid;
 allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
 allow rtorrent_t self:fifo_file rw_fifo_file_perms;
 allow rtorrent_t self:tcp_socket create_stream_socket_perms;
 allow rtorrent_t self:unix_stream_socket connectto;
 allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
 allow rtorrent_t self:udp_socket { connect create getattr };
 nscd_shm_use(rtorrent_t)
 #corecmd_exec_shell(rtorrent_t)
 corecmd_exec_bin(rtorrent_t)
 # execute helper scripts
 userdom_exec_user_bin_files(rtorrent_t)
 corenet_all_recvfrom_netlabel(rtorrent_t)
 corenet_tcp_sendrecv_generic_if(rtorrent_t)
 corenet_udp_sendrecv_generic_if(rtorrent_t)
 corenet_tcp_sendrecv_generic_node(rtorrent_t)
 corenet_udp_sendrecv_generic_node(rtorrent_t)
 corenet_tcp_sendrecv_all_ports(rtorrent_t)
 corenet_udp_sendrecv_all_ports(rtorrent_t)
 corenet_tcp_connect_all_ports(rtorrent_t)
 corenet_sendrecv_all_client_packets(rtorrent_t)
 corenet_udp_bind_all_unreserved_ports(rtorrent_t)
 domain_use_interactive_fds(rtorrent_t)
 auth_use_nsswitch(rtorrent_t)
 miscfiles_map_generic_certs(rtorrent_t)
 fs_getattr_xattr_fs(rtorrent_t)
 userdom_use_inherited_user_terminals(rtorrent_t)
-# this might be to much
+userdom_manage_user_home_content_files(rtorrent_t)
 userdom_manage_user_home_content_dirs(rtorrent_t)
 userdom_home_manager(rtorrent_t)
 userdom_filetrans_home_content(rtorrent_t)
 userdom_stream_connect(rtorrent_t)
 optional_policy(`
 	tunable_policy(`rtorrent_send_mails',`
@ -88,14 +89,10 @@ optional_policy(`
 ')
 optional_policy(`
    tunable_policy(`rtorrent_enable_rutorrent',`
    apache_manage_sys_content(rtorrent_t)
    tunable_policy(`rtorrent_enable_rutorrent',`
        apache_exec_sys_content(rtorrent_t)
    ')
 ')
 tunable_policy(`rtorrent_exec_scripts',`
    # execute helper scripts
    corecmd_exec_bin(rtorrent_t)
    userdom_exec_user_bin_files(rtorrent_t)
 ')
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,438 +1,3 @@
 -------------------------------------------------------------------
 Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
 - Dropped fix_cockpit.patch as this is now packaged with cockpit itself
 - Remove the ipa module, freeip ships their own module
 - Added fix_alsa.patch to allow reading of config files in home directories
 - Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
 - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
 - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
 -------------------------------------------------------------------
 Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Updated quilt couldn't unpack tarball. This will cause ongoing issues
  so drop the sed statement in the %prep section and add 
  distro_suse_to_distro_redhat.patch to add the necessary changes
  via a patch
 -------------------------------------------------------------------
 Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update fix_networkmanager.patch to ensure NetworkManager chrony
  dispatcher is properly labled and update fix_chronyd.patch to ensure
  chrony helper script has proper label to be used by NetworkManager.
  Also allow NetworkManager_dispatcher_custom_t to query systemd status
  (bsc#1203824)
 -------------------------------------------------------------------
 Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
 - Update fix_xserver.patch to add greetd support (bsc#1198559)
 -------------------------------------------------------------------
 Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Revamped rtorrent module
 -------------------------------------------------------------------
 Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
 - Move SUSE directory from manual page section to html docu
 -------------------------------------------------------------------
 Wed Jul 27 14:00:55 UTC 2022 - Hu <cathy.hu@suse.com>
 - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t 
  and NetworkManager_dispatcher_custom_t to access nscd socket 
  (bsc#1201741)
 -------------------------------------------------------------------
 Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala <zkubala@suse.com>
 - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper 
  (bnc#1201015)
 -------------------------------------------------------------------
 Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20220714. Refreshed:
  * fix_init.patch
  * fix_systemd_watch.patch
 -------------------------------------------------------------------
 Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
  systemd_gpt_generator_t (bsc#1200911)
 -------------------------------------------------------------------
 Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - postfix: Label PID files and some helpers correctly (bsc#1197242)
 -------------------------------------------------------------------
 Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
 -------------------------------------------------------------------
 Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20220624. Refreshed:
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_networkmanager.patch
  * fix_unprivuser.patch
  Dropped fix_hadoop.patch, not necessary anymore
 * Updated fix_locallogin.patch to allow accesses for nss-systemd 
  (bsc#1199630)
 -------------------------------------------------------------------
 Fri May 20 13:46:47 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20220520 to pass stricter 3.4 toolchain checks
 -------------------------------------------------------------------
 Fri May 20 09:14:58 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20220428. Refreshed:
  * fix_apache.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_iptables.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unprivuser.patch
  * fix_usermanage.patch
  * fix_wine.patch
 -------------------------------------------------------------------
 Thu May 19 12:25:31 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Add fix_dnsmasq.patch to fix problems with virtualization on Microos
  (bsc#1199518)
 -------------------------------------------------------------------
 Tue May  3 13:18:38 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Modified fix_init.patch to allow init to setup contrained environment
  for accountsservice. This needs a better, more general solution
  (bsc#1197610)
 -------------------------------------------------------------------
 Mon May  2 11:27:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
  This happens in certain boot conditions (bsc#1182500)
 - Changed fix_unconfineduser.patch to not transition into ldconfig_t
  from unconfined_t (bsc#1197169)
 -------------------------------------------------------------------
 Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf <kkaempf@suse.com>
 - use %license tag for COPYING file
 -------------------------------------------------------------------
 Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
 -------------------------------------------------------------------
 Wed Feb  9 16:04:09 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
 - Fix bitlbee runtime directory (bsc#1193230)
  * add fix_bitlbee.patch
 -------------------------------------------------------------------
 Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20220124. Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
 - Added fix_hypervkvp.patch to fix issues with hyperv labeling 
  (bsc#1193987)
 -------------------------------------------------------------------
 Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Allow colord to use systemd hardenings (bsc#1194631)
 -------------------------------------------------------------------
 Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20211111. Refreshed:
  * fix_dbus.patch
  * fix_systemd.patch
  * fix_authlogin.patch
  * fix_auditd.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_chronyd.patch
  * fix_unconfineduser.patch
  * fix_unconfined.patch
  * fix_firewalld.patch
  * fix_init.patch
  * fix_xserver.patch
  * fix_logging.patch
  * fix_hadoop.patch
 -------------------------------------------------------------------
 Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner <meissner@suse.com>
 - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
 -------------------------------------------------------------------
 Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
 - Fix auditd service start with systemd hardening directives (boo#1190918)
  * add fix_auditd.patch
 -------------------------------------------------------------------
 Thu Sep  2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Modified fix_systemd.patch to allow systemd gpt generator access to
  udev files (bsc#1189280)
 -------------------------------------------------------------------
 Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
 - fix rebootmgr does not trigger the reboot properly (boo#1189878)
  * fix managing /etc/rebootmgr.conf
  * allow rebootmgr_t to cope with systemd and dbus messaging
 -------------------------------------------------------------------
 Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Properly label cockpit files
 - Allow wicked to communicate with network manager on DBUS (bsc#1188331)
 -------------------------------------------------------------------
 Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
 - Added policy module for rebootmgr (jsc#SMO-28) 
 -------------------------------------------------------------------
 Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 - Allow systemd-sysctl to read kernel specific sysctl.conf
  (fix_kernel_sysctl.patch, boo#1184804)
 -------------------------------------------------------------------
 Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 - Fix quoting in postInstall macro
 -------------------------------------------------------------------
 Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20210716
 - Remove interfaces for container module before building the package
  (bsc#1188184)
 - Updated
  * fix_init.patch
  * fix_systemd_watch.patch
  to adapt to upstream changes
 -------------------------------------------------------------------
 Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
  here
 -------------------------------------------------------------------
 Tue Jul  6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
 - Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
 - Automatic spec-cleaner to fix ordering and misaligned spaces
 -------------------------------------------------------------------
 Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20210419
 - Dropped fix_gift.patch, module was removed
 - Updated wicked.te to removed dropped interface
 - Refreshed:
  * fix_cockpit.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_logrotate.patch
  * fix_networkmanager.patch
  * fix_nscd.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
 -------------------------------------------------------------------
 Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
  that trigger on changes in those.
  Added fix_systemd_watch.patch
 - own /usr/share/selinux/packages/$SELINUXTYPE/ and
  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
  files there
 -------------------------------------------------------------------
 Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 - allow cockpit socket to bind nodes (fix_cockpit.patch)
 - use %autosetup to get rid of endless patch lines
 -------------------------------------------------------------------
 Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Updated fix_networkmanager.patch to allow NetworkManager to watch
  its configuration directories
 - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
 -------------------------------------------------------------------
 Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Added Recommends for selinux-autorelabel (bsc#1181837)
 - Prevent libreoffice fonts from changing types on every relabel 
  (bsc#1185265). Added fix_libraries.patch
 -------------------------------------------------------------------
 Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Transition unconfined users to ldconfig type (bsc#1183121).
  Extended fix_unconfineduser.patch
 -------------------------------------------------------------------
 Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20210419
 - Refreshed:
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_unprivuser.patch
 -------------------------------------------------------------------
 Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
 - Adjust fix_init.patch to allow systemd to do sd-listen on 
  tcp socket [bsc#1183177]
 -------------------------------------------------------------------
 Tue Mar  9 13:39:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20210309
 - Refreshed
  * fix_systemd.patch
  * fix_selinuxutil.patch
  * fix_iptables.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_nscd.patch
  * fix_hadoop.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
 - Ensure that /usr/etc is labeled according to /etc rules
 -------------------------------------------------------------------
 Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 20210223
 - Change name of tar file to a more common schema to allow
  parallel installation of several source versions
 - Adjust fix_init.patch
 -------------------------------------------------------------------
 Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 20210111
  - Drop fix_policykit.patch (integrated upstream)
  - Adjust fix_iptables.patch
  - update container policy
 -------------------------------------------------------------------
 Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
 - Updated fix_corecommand.patch to set correct types for the OBS
  build tools
 -------------------------------------------------------------------
 Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
 - wicked.fc: add libexec directories
 - Update to version 20201029
  - update container policy
 -------------------------------------------------------------------
 Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 20201016
 - Use python3 to build (fc_sort.c was replaced by fc_sort.py which
  uses python3)
 - Drop SELINUX=disabled, "selinux=0" kernel commandline option has
  to be used instead. New default is "permissive" [bsc#1176923].
 -------------------------------------------------------------------
 Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
 - Update to version 20200910. Refreshed
  * fix_authlogin.patch
  * fix_nagios.patch
  * fix_systemd.patch
  * fix_usermanage.patch
 - Delete suse_specific.patch, moved content into fix_selinuxutil.patch
 - Cleanup of booleans-* presets
  * Enabled
    user_rw_noexattrfile
    unconfined_chrome_sandbox_transition
    unconfined_mozilla_plugin_transition
    for the minimal policy
  * Disabled
    xserver_object_manager
    for the MLS policy
  * Disabled
    openvpn_enable_homedirs
    privoxy_connect_any
    selinuxuser_direct_dri_enabled
    selinuxuser_ping (aka user_ping)
    squid_connect_any
    telepathy_tcp_connect_generic_network_ports
    for the targeted policy
  Change your local config if you need them
 - Build HTML version of manpages for the -devel package
 -------------------------------------------------------------------
 Thu Sep  3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
-
+# TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
-# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch)
+# ones used by redhat and include also the SUSE specific ones (see sed statement below)
 %define distro redhat
 %define ubac n
 %define polyinstatiate n
@ -33,9 +33,9 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20221019
+Version:        20200717
 Release:        0
-Source:         fedora-policy-%{version}.tar.bz2
+Source:         fedora-policy.%{version}.tar.bz2
 Source1:        selinux-policy-rpmlintrc
 Source10:       modules-targeted-base.conf
@ -65,6 +65,7 @@ Source52:       users-minimum
 Source60:       selinux-policy.conf
 Source90:       selinux-policy-rpmlintrc
 Source91:       Makefile.devel
 Source92:       customizable_types
 #Source93:       config.tgz
@ -81,14 +82,12 @@ Source125:      rtorrent.fc
 Source126:      wicked.te
 Source127:      wicked.if
 Source128:      wicked.fc
 Source129:      rebootmgr.te
 Source130:      rebootmgr.if
 Source131:      rebootmgr.fc
 Patch000:       distro_suse_to_distro_redhat.patch
 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
 Patch003:       fix_gift.patch
 Patch004:       fix_java.patch
 Patch005:       fix_hadoop.patch
 Patch006:       fix_thunderbird.patch
 Patch007: 	fix_postfix.patch
 Patch008: 	fix_nscd.patch
@ -98,6 +97,7 @@ Patch011:       fix_xserver.patch
 Patch012:       fix_miscfiles.patch
 Patch013:       fix_init.patch
 Patch014:       fix_locallogin.patch
 Patch015:       fix_policykit.patch
 Patch016:       fix_iptables.patch
 Patch017:       fix_irqbalance.patch
 Patch018:       fix_ntp.patch
@ -123,33 +123,17 @@ Patch039:       fix_cron.patch
 Patch040:       fix_usermanage.patch
 Patch041:       fix_smartmon.patch
 Patch042:       fix_geoclue.patch
 Patch043:       suse_specific.patch
 Patch044:       fix_authlogin.patch
 Patch045:       fix_screen.patch
 Patch046:       fix_unprivuser.patch
 Patch047:       fix_rpm.patch
 Patch048:       fix_apache.patch
 Patch049:       fix_nis.patch
 Patch050:       fix_libraries.patch
 Patch051:       fix_dovecot.patch
 # https://github.com/cockpit-project/cockpit/pull/15758
 #Patch052:       fix_cockpit.patch
 Patch053:       fix_systemd_watch.patch
 # kernel specific sysctl.conf (boo#1184804)
 Patch054:       fix_kernel_sysctl.patch
 Patch055:       fix_auditd.patch
 Patch056:       fix_wine.patch
 Patch057:       fix_hypervkvp.patch
 Patch058:       fix_bitlbee.patch
 Patch059:       systemd_domain_dyntrans_type.patch
 Patch060:       fix_dnsmasq.patch
 Patch061:       fix_userdomain.patch
 Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
 Patch100: 	sedoctool.patch
-URL:            https://github.com/fedora-selinux/selinux-policy.git
+Url:            https://github.com/fedora-selinux/selinux-policy.git
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 BuildRequires:  checkpolicy
@ -157,9 +141,8 @@ BuildRequires:  gawk
 BuildRequires:  libxml2-tools
 BuildRequires:  m4
 BuildRequires:  policycoreutils
 BuildRequires:  policycoreutils-devel
 BuildRequires:  python3
 BuildRequires:  python3-policycoreutils
 BuildRequires:  policycoreutils-devel
 # we need selinuxenabled
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  pam-config
@ -170,9 +153,7 @@ Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
 Recommends:     python3-policycoreutils
 Recommends:     container-selinux
 Recommends:     policycoreutils-python-utils
 Recommends:     selinux-autorelabel
 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -198,7 +179,6 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
@ -226,8 +206,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
@ -268,7 +246,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
 %dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
 %{_datadir}/selinux/%1/modules-base.lst \
 %{_datadir}/selinux/%1/modules-contrib.lst \
@ -280,7 +257,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %{_sharedstatedir}/selinux/%1/active/seusers \
 %{_sharedstatedir}/selinux/%1/active/file_contexts \
 %{_sharedstatedir}/selinux/%1/active/policy.kern \
 %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
@ -320,9 +296,9 @@ fi;
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
+if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
-  rm %{_sysconfdir}/selinux/%2/.rebuild; \
+  rm %{_sysconfdir}/selinux/%%2/.rebuild; \
-  /usr/sbin/semodule -B -n -s %2; \
+  /usr/sbin/semodule -B -n -s %%2; \
 fi; \
 if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
  touch /etc/selinux/.autorelabel \
@ -370,17 +346,17 @@ creating other policies.
 %files
 %defattr(-,root,root,-)
-%license COPYING
+%doc COPYING
 %dir %{_datadir}/selinux
 %dir %{_datadir}/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 #%ghost %{_sysconfdir}/sysconfig/selinux-policy
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
 %package sandbox
 Summary: SELinux policy sandbox
 Group:          System/Management
 Requires(pre): selinux-policy-targeted = %{version}-%{release}
 %description sandbox
@ -408,13 +384,66 @@ fi;
 exit 0
 %prep
-%autosetup -n fedora-policy-%{version} -p1
+%setup -n fedora-policy
 %patch001 -p1
 %patch002 -p1
 %patch003 -p1
 %patch004 -p1
 %patch005 -p1
 %patch006 -p1
 %patch007 -p1
 %patch008 -p1
 %patch009 -p1
 %patch010 -p1
 %patch011 -p1
 %patch012 -p1
 %patch013 -p1
 %patch014 -p1
 %patch015 -p1
 %patch016 -p1
 %patch017 -p1
 %patch018 -p1
 %patch019 -p1
 %patch020 -p1
 %patch021 -p1
 %patch022 -p1
 %patch024 -p1
 %patch025 -p1
 %patch026 -p1
 %patch027 -p1
 %patch028 -p1
 %patch029 -p1
 %patch030 -p1
 #% patch031 -p1
 %patch032 -p1
 %patch033 -p1
 %patch034 -p1
 %patch035 -p1
 %patch036 -p1
 %patch037 -p1
 %patch038 -p1
 %patch039 -p1
 %patch040 -p1
 %patch041 -p1
 %patch042 -p1
 %patch043 -p1
 %patch044 -p1
 %patch045 -p1
 %patch046 -p1
 %patch047 -p1
 %patch048 -p1
 %patch049 -p1
 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
 %build
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 touch %{buildroot}%{_sysconfdir}/selinux/config
 #mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 #touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
@ -428,14 +457,15 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig
 mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/packages
 mkdir selinux_config
 for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
 cp $i selinux_config
 done
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
 cp $i policy/modules/contrib
 done
@ -482,13 +512,11 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
-%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
+#XXX what's missing for html?
-mkdir %{buildroot}%{_datadir}/selinux/devel/html
+#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
-mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html
+#mkdir %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
+#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
+#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 rm %{buildroot}%{_mandir}/man8/container_selinux.8*
 rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
 %post
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -497,15 +525,14 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
    if [ -f  %{_sysconfdir}/sysconfig/selinux-policy ]; then
 	mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
    else
 	# XXX right default for SELINUXTYPE?
 	echo "
 # This file controls the state of SELinux on the system.
 # SELinux can be completly disabled with the \"selinux=0\" kernel
 # commandline option.
 #
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
-SELINUX=permissive
+#     disabled - No SELinux policy is loaded.
 SELINUX=disabled
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected.
@ -532,7 +559,9 @@ if [ $1 -eq 0 ]; then \
  if [ "$SELINUXTYPE" = "$2" ]; then \
    %{_sbindir}/setenforce 0 2> /dev/null \
    if [ -s %{_sysconfdir}/selinux/config ]; then \
-      sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
+      sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \
    else \
      echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \
    fi \
  fi \
  pam-config -d --selinux \
@ -542,12 +571,15 @@ exit 0
 %postun
 if [ $1 = 0 ]; then
     %{_sbindir}/setenforce 0 2> /dev/null
-     if [ -s %{_sysconfdir}/selinux/config ]; then
+     if [ ! -s %{_sysconfdir}/selinux/config ]; then
-          sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
+          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
     else
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
     fi
 fi
 exit 0
 %package devel
 Summary:        SELinux policy devel
 Group:          System/Management
@ -562,10 +594,7 @@ SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %doc %{_datadir}/man/ru/man8/*
 %doc %{_datadir}/man/man8/*
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/html/
 %doc %{_datadir}/selinux/devel/html/*
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
 %{_datadir}/selinux/devel/Makefile
@ -625,6 +654,7 @@ Requires(pre):  /usr/bin/awk
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 %description minimum
 SELinux Reference policy minimum base module.
--- a/suse_specific.patch
+++ b/suse_specific.patch
@ -0,0 +1,13 @@
 Index: fedora-policy/policy/modules/system/selinuxutil.if
 ===================================================================
 --- fedora-policy.orig/policy/modules/system/selinuxutil.if
 +++ fedora-policy/policy/modules/system/selinuxutil.if
@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
 	dontaudit $1 selinux_config_t:dir search_dir_perms;
 	dontaudit $1 selinux_config_t:file read_file_perms;
 +	# /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
 +	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
--- a/systemd_domain_dyntrans_type.patch
+++ b/systemd_domain_dyntrans_type.patch
@ -1,13 +0,0 @@
 Index: fedora-policy-20220124/policy/modules/system/init.te
 ===================================================================
 --- fedora-policy-20220124.orig/policy/modules/system/init.te
 +++ fedora-policy-20220124/policy/modules/system/init.te
@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
 allow init_t self:packet_socket create_socket_perms;
 allow init_t self:key manage_key_perms;
 allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 +domain_dyntrans_type(init_t)
 +allow init_t self:process { dyntransition setcurrent };
 # is ~sys_module really needed? observed:
 # sys_boot
--- a/update.sh
+++ b/update.sh
@ -4,19 +4,21 @@ date=$(date '+%Y%m%d')
 echo Update to $date
-rm -rf fedora-policy container-selinux
+rm -rf fedora-policy container-selinux selinux-policy-contrib
 git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
 git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git
 git clone --depth 1 https://github.com/containers/container-selinux.git
-mv selinux-policy fedora-policy-$date
+mv selinux-policy fedora-policy
-rm -rf fedora-policy-$date/.git*
+rm -rf fedora-policy/.git*
-mv container-selinux/container.* fedora-policy-$date/policy/modules/services/
+mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
 mv container-selinux/* fedora-policy/policy/modules/contrib/
-rm -f fedora-policy?$date.tar*
+rm -f fedora-policy.$date.tar*
-tar cf fedora-policy-$date.tar fedora-policy-$date
+tar cf fedora-policy.$date.tar fedora-policy
-bzip2 fedora-policy-$date.tar
+bzip2 fedora-policy.$date.tar
-rm -rf fedora-policy-$date container-selinux
+rm -rf fedora-policy container-selinux selinux-policy-contrib
 sed -i -e "s/^Version:.*/Version:        $date/" selinux-policy.spec
--- a/1
+++ b/1
@ -36,4 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/2
+++ b/2
@ -36,5 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(guest_u, user, guest_r, s0, s0)
 gen_user(xguest_u, user, xguest_r, s0, s0)
--- a/3
+++ b/3
@ -36,6 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(guest_u, user, guest_r, s0, s0)
 gen_user(xguest_u, user, xguest_r, s0, s0)
--- a/wicked.fc
+++ b/wicked.fc
@ -19,7 +19,6 @@
 /usr/sbin/rcwicked.*		--	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
 /usr/lib/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
 /usr/libexec/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
 #/usr/lib64/libwicked-0.6.63.so
--- a/wicked.te
+++ b/wicked.te
@ -326,6 +326,10 @@ optional_policy(`
    fcoe_dgram_send_fcoemon(wicked_t)
 ')
 optional_policy(`
 	hal_write_log(wicked_t)
 ')
 optional_policy(`
 	howl_signal(wicked_t)
 ')
@ -494,10 +498,6 @@ optional_policy(`
 	virt_dbus_chat(wicked_t)
 ')
 optional_policy(`
 	networkmanager_dbus_chat(wicked_t)
 ')
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')
		`@ -1 +0,0 @@`
			`/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)`