OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68

2018-11-27 09:16:35 +00:00 · 2018-11-27 09:16:35 +00:00 · 50b70e6d39
commit 50b70e6d39
parent f9b110e284
70 changed files with 171012 additions and 161 deletions
--- a/Makefile.devel
+++ b/Makefile.devel
@ -0,0 +1,22 @@
 # installation paths
 SHAREDIR := /usr/share/selinux
 AWK ?= gawk
 NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
 ifeq ($(MLSENABLED),)
 	MLSENABLED := 1
 endif
 ifeq ($(MLSENABLED),1)
 	NTYPE = mcs
 endif
 ifeq ($(NAME),mls)
 	NTYPE = mls
 endif
 TYPE ?= $(NTYPE)
 HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile
--- a/add-overlayfs-as-xattr-capable.patch
+++ b/add-overlayfs-as-xattr-capable.patch
@ -0,0 +1,22 @@
 commit b3a95b4aeb4ecc3ce5125aac2f114224fcead5b9
 Author: Jason Zaman <jason@perfinion.com>
 Date:   Sun Oct 11 18:35:20 2015 +0800
    Add overlayfs as an XATTR capable fs
    The module is called "overlay" in the kernel
 ---
 policy/modules/kernel/filesystem.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr gpfs gen_context(system_u:o
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
--- a/allow-local_login_t-read-shadow.patch
+++ b/allow-local_login_t-read-shadow.patch
@ -0,0 +1,12 @@
 Index: serefpolicy-3.12.1/policy/modules/system/locallogin.te
 ===================================================================
 --- serefpolicy-3.12.1.orig/policy/modules/system/locallogin.te	2013-10-23 11:44:16.815098321 +0200
 +++ serefpolicy-3.12.1/policy/modules/system/locallogin.te	2013-10-23 11:44:16.848098676 +0200
@@ -126,6 +126,7 @@ term_setattr_unallocated_ttys(local_logi
 term_relabel_all_ptys(local_login_t)
 term_setattr_generic_ptys(local_login_t)
 +auth_read_shadow(local_login_t)
 auth_rw_login_records(local_login_t)
 auth_rw_faillog(local_login_t)
 auth_manage_pam_console_data(local_login_t)
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -0,0 +1,252 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 allow_execstack = true
 # Allow ftpd to read cifs directories.
 # 
 allow_ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
 allow_ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 allow_gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
 allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
 allow_httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
 allow_kerberos = true
 # Allow rsync to modify public filesused for public file transfer services.
 # 
 allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
 allow_saslauthd_read_shadow = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
 allow_smbd_anon_write = false
 # Allow system to run with NIS
 # 
 allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
 allow_zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
 fcron_crond = false
 # Allow ftp to read and write files in the user home directories
 # 
 ftp_home_dir = false
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
 #
 # allow httpd to send dbus messages to avahi
 httpd_dbus_avahi = true
 #
 # allow httpd to network relay
 httpd_can_network_relay = false
 # Allow httpd to use built in scripting (usually php)
 # 
 httpd_builtin_scripting = true
 # Allow http daemon to tcp connect
 # 
 httpd_can_network_connect = false
 # Allow httpd cgi support
 # 
 httpd_enable_cgi = true
 # Allow httpd to act as a FTP server bylistening on the ftp port.
 # 
 httpd_enable_ftp_server = false
 # Allow httpd to read home directories
 # 
 httpd_enable_homedirs = false
 # Run SSI execs in system CGI script domain.
 # 
 httpd_ssi_exec = false
 # Allow http daemon to communicate with the TTY
 # 
 httpd_tty_comm = false
 # Run CGI in the main httpd domain
 # 
 httpd_unified = false
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
 # Allow nfs to be exported read/write.
 # 
 nfs_export_all_rw = true
 # Allow nfs to be exported read only
 # 
 nfs_export_all_ro = true
 # Allow pppd to load kernel modules for certain modems
 # 
 pppd_can_insmod = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
 squid_connect_any = false
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
 # Support SAMBA home directories
 # 
 use_samba_home_dirs = false
 # Control users use of ping and traceroute
 # 
 user_ping = false
 # allow host key based authentication
 # 
 allow_ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
 # 
 read_untrusted_content = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow regular users direct mouse access
 # 
 user_direct_mouse = false
 # Allow users to read system messages.
 # 
 user_dmesg = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = false
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow w to display everyone
 # 
 user_ttyfile_stat = false
 # Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
 # 
 write_untrusted_content = false
 # Allow all domains to talk to ttys
 # 
 allow_daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
 allow_polyinstantiation = false
 # Allow all domains to dump core
 # 
 allow_daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
 # Allow samba to export user home directories.
 # 
 samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 allow_guest_exec_content = false
 allow_xguest_exec_content = false
 # Only allow browser to use the web
 # 
 browser_confine_xguest=false
 # Allow postfix locat to write to mail spool
 # 
 allow_postfix_local_write_mail_spool=false
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
 qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
 allow_nsplugin_execmem=true
 # Allow unconfined domain to transition to confined domain
 # 
 allow_unconfined_nsplugin_transition=true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@ -0,0 +1,6 @@
 kerberos_enabled = true
 mount_anyfile = true
 polyinstantiation_enabled = true
 ftpd_is_daemon = true
 selinuxuser_ping = true
 xserver_object_manager = true
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -0,0 +1,24 @@
 gssd_read_tmp = true
 httpd_builtin_scripting = true
 httpd_enable_cgi = true
 httpd_graceful_shutdown = true
 kerberos_enabled = true
 mount_anyfile = true
 nfs_export_all_ro = true
 nfs_export_all_rw = true
 nscd_use_shm = true
 openvpn_enable_homedirs = true
 postfix_local_write_mail_spool=true
 pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
 selinuxuser_execmod = true
 selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
 squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
 unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@ -0,0 +1,49 @@
 allow_auditadm_exec_content auditadm_exec_content
 allow_console_login login_console_enabled
 allow_cvs_read_shadow cvs_read_shadow
 allow_daemons_dump_core daemons_dump_core
 allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
 allow_daemons_use_tty daemons_use_tty
 allow_domain_fd_use domain_fd_use
 allow_execheap selinuxuser_execheap
 allow_execmod selinuxuser_execmod
 allow_execstack selinuxuser_execstack
 allow_ftpd_anon_write ftpd_anon_write
 allow_ftpd_full_access ftpd_full_access
 allow_ftpd_use_cifs ftpd_use_cifs
 allow_ftpd_use_nfs ftpd_use_nfs
 allow_gssd_read_tmp gssd_read_tmp
 allow_guest_exec_content guest_exec_content
 allow_httpd_anon_write httpd_anon_write
 allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
 allow_httpd_mod_auth_pam httpd_mod_auth_pam
 allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
 allow_kerberos kerberos_enabled
 allow_mplayer_execstack mplayer_execstack
 allow_mount_anyfile mount_anyfile
 allow_nfsd_anon_write nfsd_anon_write
 allow_polyinstantiation polyinstantiation_enabled
 allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
 allow_rsync_anon_write rsync_anon_write
 allow_saslauthd_read_shadow saslauthd_read_shadow
 allow_secadm_exec_content secadm_exec_content
 allow_smbd_anon_write smbd_anon_write
 allow_ssh_keysign ssh_keysign
 allow_staff_exec_content staff_exec_content
 allow_sysadm_exec_content sysadm_exec_content
 allow_user_exec_content user_exec_content
 allow_user_mysql_connect selinuxuser_mysql_connect_enabled
 allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
 allow_write_xshm xserver_clients_write_xshm
 allow_xguest_exec_content xguest_exec_content
 allow_xserver_execmem xserver_execmem
 allow_ypbind nis_enabled
 allow_zebra_write_config zebra_write_config
 user_direct_dri selinuxuser_direct_dri_enabled
 user_ping selinuxuser_ping
 user_share_music selinuxuser_share_music
 user_tcp_server selinuxuser_tcp_server
 sepgsql_enable_pitr_implementation postgresql_can_rsync
 sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
 sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
 sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SELINUX=permissive
 SELINUXTYPE=refpolicy-standard
--- a/config.tgz
+++ b/config.tgz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:652101e6cd75232a223d53d498a9190f0c21d513c9587d34956805fd56545ee2
 size 3189
--- a/13
+++ b/13
@ -0,0 +1,13 @@
 sandbox_file_t
 svirt_image_t
 svirt_home_t
 svirt_lxc_file_t
 virt_content_t
 httpd_user_htaccess_t
 httpd_user_script_exec_t
 httpd_user_rw_content_t
 httpd_user_ra_content_t
 httpd_user_content_t
 git_session_content_t
 home_bin_t
 user_tty_device_t
--- a/dont_use_xmllint_in_make_conf.patch
+++ b/dont_use_xmllint_in_make_conf.patch
@ -0,0 +1,14 @@
 Index: serefpolicy-20140730/Makefile
 ===================================================================
 --- serefpolicy-20140730.orig/Makefile	2014-07-30 16:48:48.379896000 +0200
 +++ serefpolicy-20140730/Makefile	2015-02-25 12:37:11.262844720 +0100
@@ -431,9 +431,6 @@ $(polxml): $(layerxml) $(tunxml) $(boolx
 	$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
 	$(verbose) cat $(tunxml) $(boolxml) >> $@
 	$(verbose) echo '</policy>' >> $@
 -	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 -		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 -	fi
 xml: $(polxml)
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -0,0 +1,13 @@
 /run /var/run
 /run/lock /var/lock
 /var/run/lock /var/lock
 /lib /usr/lib
 /lib64 /usr/lib
 /usr/lib64 /usr/lib
 /usr/local /usr
 /usr/local/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
 /etc/systemd/system /usr/lib/systemd/system
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /var/lib/xguest/home /home
--- a/label_sysconfig.selinux-policy.patch
+++ b/label_sysconfig.selinux-policy.patch
@ -0,0 +1,12 @@
 Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc
 ===================================================================
 --- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc	2013-10-23 11:44:16.817098343 +0200
 +++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc	2013-10-23 11:44:16.836098547 +0200
@@ -4,6 +4,7 @@
 # /etc
 #
 /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
 +/etc/sysconfig/selinux-policy		gen_context(system_u:object_r:selinux_config_t,s0)
 /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 /etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
--- a/label_var_run_rsyslog.patch
+++ b/label_var_run_rsyslog.patch
@ -0,0 +1,23 @@
 Index: serefpolicy-20140730/policy/modules/system/logging.fc
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/logging.fc
 +++ serefpolicy-20140730/policy/modules/system/logging.fc
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 +/var/run/rsyslog(/.*)?		gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 Index: serefpolicy-20140730/policy/modules/system/init.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/init.te
 +++ serefpolicy-20140730/policy/modules/system/init.te
@@ -1676,3 +1676,6 @@ optional_policy(`
         ccs_read_config(daemon)
     ')
  ')
 +
 +# relabel /var/run/rsyslog
 +filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")
--- a/modules-mls-base.conf
+++ b/modules-mls-base.conf
@ -0,0 +1,416 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 # 
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 # 
 corecommands = base
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unlabelednet
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: logadm
 #
 # logadm account on tty logins
 # 
 logadm = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
 # 
 automount = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -0,0 +1,430 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 #
 corecommands = base
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 #
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unconfined
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unconfineduser
 #
 # The unconfined user domain.
 # 
 unconfineduser = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: apps
 # Module: rssh
 #
 #  Restricted (scp/sftp) only shell
 # 
 rssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
 # 
 automount = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
 # Layer: system
 # Module: unconfined
 #
 # The unconfined domain.
 # 
 unconfined = module
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/refpolicy-2.20081210.tar.bz2
+++ b/refpolicy-2.20081210.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2ac9bc01e21541ee8e5e374320e9daeee11d807a7c197142e5c9eea7e096ac77
 size 458911
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/6
+++ b/6
@ -0,0 +1,6 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
 auditadm_tty_device_t
 secureadm_tty_device_t
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/selinux-policy-build_conf.patch
+++ b/selinux-policy-build_conf.patch
@ -1,74 +0,0 @@
 --- refpolicy-mcs/build.conf
 +++ refpolicy-mcs/build.conf
@@ -12,13 +12,13 @@
 # Policy Type
 # standard, mls, mcs
 -TYPE = standard
 +TYPE = mcs
 # Policy Name
 # If set, this will be used as the policy
 # name.  Otherwise the policy type will be
 # used for the name.
 -NAME = refpolicy
 +NAME = refpolicy-mcs
 # Distribution
 # Some distributions have portions of policy
@@ -27,7 +27,7 @@
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
 -#DISTRO = redhat
 +DISTRO = suse
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the
 --- refpolicy-mls/build.conf
 +++ refpolicy-mls/build.conf
@@ -12,13 +12,13 @@
 # Policy Type
 # standard, mls, mcs
 -TYPE = standard
 +TYPE = mls
 # Policy Name
 # If set, this will be used as the policy
 # name.  Otherwise the policy type will be
 # used for the name.
 -NAME = refpolicy
 +NAME = refpolicy-mls
 # Distribution
 # Some distributions have portions of policy
@@ -27,7 +27,7 @@
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
 -#DISTRO = redhat
 +DISTRO = suse
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the
 --- refpolicy-standard/build.conf
 +++ refpolicy-standard/build.conf
@@ -18,7 +18,7 @@
 # If set, this will be used as the policy
 # name.  Otherwise the policy type will be
 # used for the name.
 -NAME = refpolicy
 +NAME = refpolicy-standard
 # Distribution
 # Some distributions have portions of policy
@@ -27,7 +27,7 @@
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
 -#DISTRO = redhat
 +DISTRO = suse
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the
--- a/18
+++ b/18
@ -0,0 +1,18 @@
 addFilter("W: non-conffile-in-etc.*")
 addFilter("W: zero-length /etc/selinux/.*")
 addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
 addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
 addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
 addFilter("W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final")
 addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts")
 addFilter("W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs")
 addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers")
 addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts")
 addFilter("W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs")
 addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers")
 addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts")
 addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs")
 addFilter("E: files-duplicated-waste")
 addFilter("E: files-duplicated-waste")
 addFilter("E: files-duplicated-waste")
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,309 @@
 -------------------------------------------------------------------
 Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com
 - Add overlayfs as xattr capable (bsc#1073741)
  * add-overlayfs-as-xattr-capable.patch
 -------------------------------------------------------------------
 Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com
 - Added
  * suse_modifications_glusterfs.patch
  * suse_modifications_passenger.patch
  * suse_modifications_stapserver.patch
  to modify module name to make the current tools happy
 -------------------------------------------------------------------
 Wed Nov 29 13:20:22 UTC 2017 - rbrown@suse.com
 - Repair erroneous changes introduced with %_fillupdir macro
 -------------------------------------------------------------------
 Thu Nov 23 13:53:09 UTC 2017 - rbrown@suse.com
 - Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
 -------------------------------------------------------------------
 Wed Mar 15 21:50:32 UTC 2017 - mwilck@suse.com
 - POLCYVER depends both on the libsemanage/policycoreutils version
  and the kernel. The former is more important for us, kernel seems
  to have all necessary features in Leap 42.1 already.
 - Replaced = runtime dependencies on checkpolicy/policycoreutils 
  with "=". 2.5 policy is not supposed to work with 2.3 tools,
  The runtime policy tools need to be same the policy was built with.
 -------------------------------------------------------------------
 Wed Mar 15 15:16:20 UTC 2017 - mwilck@suse.com
 - Changes required by policycoreutils update to 2.5
  * lots of spec file content needs to be conditional on
    policycoreutils version.
 - Specific policycoreutils 2.5 related changes:
  * modules moved from /etc/selinux to /var/lib/selinux
  (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
  * module path now includes includes priority. Users override default
  policies by setting higher priority. Thus installed policy modules can be
  fully verified by RPM.
  * Installed modules have a different format and path.
  Raw bzip2 doesn't suffice to create them any more, but we can process them
  all in a single semodule -i command.
 - Policy version depends on kernel / distro version  
  * do not touch policy.<version>, rather fail if it's not created
 - Enabled building mls policy for Leap (not for SLES)
 - Other
  * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
  * Bug: (minimum) additional modules that need to be activated: postfix
  (required by apache), plymouthd (required by getty)
  * Cleanup: /etc -> %{sysconfdir} etc.
 -------------------------------------------------------------------
 Thu Aug 13 08:14:34 UTC 2015 - jsegitz@novell.com
 - fixed missing role assignment in cron_unconfined_role
 -------------------------------------------------------------------
 Tue Aug 11 08:36:17 UTC 2015 - jsegitz@novell.com
 - Updated suse_modifications_ipsec.patch, removed dontaudits for 
  ipsec_mgmt_t and granted matching permissions
 -------------------------------------------------------------------
 Wed Aug  5 11:31:24 UTC 2015 - jsegitz@novell.com
 - Added suse_modifications_ipsec.patch to grant additional privileges
  to ipsec_mgmt_t
 -------------------------------------------------------------------
 Tue Jul 21 14:56:07 UTC 2015 - jsegitz@novell.com
 - Minor changes for CC evaluation. Allow reading of /dev/random
  and ipc_lock for dbus and dhcp
 -------------------------------------------------------------------
 Wed Jun 24 08:27:30 UTC 2015 - jsegitz@novell.com
 - Transition from unconfined user to cron admin type
 - Allow systemd_timedated_t to talk to unconfined dbus for minimal
  policy (bsc#932826)
 - Allow hostnamectl to set the hostname (bsc#933764)
 -------------------------------------------------------------------
 Wed May 20 14:05:04 UTC 2015 - jsegitz@novell.com
 - Removed ability of staff_t and user_t to use svirt. Will reenable
  this later on with a policy upgrade
  Added suse_modifications_staff.patch
 -------------------------------------------------------------------
 Wed Feb 25 11:38:44 UTC 2015 - jsegitz@novell.com
 - Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage
  in make conf. This currently breaks manual builds. 
 - Added BuildRequires for libxml2-tools to enable xmllint checks 
  once the issue mentioned above is solved
 -------------------------------------------------------------------
 Thu Jan 29 09:56:40 UTC 2015 - jsegitz@novell.com
 - adjusted suse_modifications_ntp to match SUSE chroot paths
 -------------------------------------------------------------------
 Wed Jan 28 09:37:06 UTC 2015 - jsegitz@novell.com
 - Added 
  * suse_additions_obs.patch to allow local builds by OBS
  * suse_additions_sslh.patch to confine sslh
 - Added suse_modifications_cron.patch to adjust crontabs contexts
 - Modified suse_modifications_postfix.patch to match SUSE paths
 - Modified suse_modifications_ssh.patch to bring boolean
  sshd_forward_ports back
 - Modified 
  * suse_modifications_dbus.patch
  * suse_modifications_unprivuser.patch
  * suse_modifications_xserver.patch
  to allow users to be confined
 - Added
  * suse_modifications_apache.patch 
  * suse_modifications_ntp.patch
  and modified
  * suse_modifications_xserver.patch
  to fix labels on startup scripts used by systemd
 - Removed unused and incorrect interface dev_create_all_dev_nodes
  from systemd-tmpfiles.patch
 - Removed BuildRequire for selinux-policy-devel
 -------------------------------------------------------------------
 Fri Jan 23 15:52:02 UTC 2015 - jsegitz@novell.com
 - Major cleanup of the spec file
 -------------------------------------------------------------------
 Fri Jan 23 11:44:52 UTC 2015 - jsegitz@novell.com
 - removed suse_minimal_cc.patch and splitted them into
  * suse_modifications_dbus.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_logging.patch
  * suse_modifications_getty.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_xserver.patch
  * suse_modifications_ssh.patch
  * suse_modifications_usermanage.patch
 - Added suse_modifications_virt.patch to enable svirt on s390x
 -------------------------------------------------------------------
 Sat Nov 08 19:17:00 UTC 2014 - Led <ledest@gmail.com>
 - fix bashism in post script
 -------------------------------------------------------------------
 Thu Sep 18 09:06:09 UTC 2014 - jsegitz@suse.com
 Redid changes done by vcizek@suse.com in SLE12 package
 - disable build of MLS policy
 - removed outdated description files 
  * Alan_Rouse-openSUSE_with_SELinux.txt
  * Alan_Rouse-Policy_Development_Process.txt
 -------------------------------------------------------------------
 Mon Sep  8 09:08:19 UTC 2014 - jsegitz@suse.com
 - removed remove_duplicate_filetrans_pattern_rules.patch
 -------------------------------------------------------------------
 Fri Sep  5 11:22:02 UTC 2014 - jsegitz@suse.com
 - Updated policy to include everything up until 20140730 (refpolicy and
  fedora rawhide improvements). Rebased all patches that are still
  necessary
 - Removed permissivedomains.pp. Doesn't work with the new policy
 - modified spec file so that all modifications for distro=redhat and
  distro=suse will be used. 
 - added selinux-policy-rpmlintrc to suppress some warnings that aren't
  valid for this package
 - added suse_minimal_cc.patch to create a suse specific module to prevent
  errors while using the minimum policy. Will rework them in the proper
  places once the minimum policy is reworked to really only confine a 
  minimal set of domains.
 -------------------------------------------------------------------
 Tue Sep  2 13:31:58 UTC 2014 - vcizek@suse.com
 - removed source files which were not used
  * modules-minimum.conf, modules-mls.conf, modules-targeted.conf,
    permissivedomains.fc, permissivedomains.if, permissivedomains.te,
    seusers, seusers-mls, seusers-targeted, users_extra-mls,
    users_extra-targeted
 -------------------------------------------------------------------
 Mon Jun  2 12:08:40 UTC 2014 - vcizek@suse.com
 - remove duplicate filetrans_pattern rules
  * fixes build with libsepol-2.3
  * added remove_duplicate_filetrans_pattern_rules.patch
 -------------------------------------------------------------------
 Mon Dec  9 13:57:18 UTC 2013 - vcizek@suse.com
 - enable build of mls and targeted policies
 - fixes to the minimum policy:
 - label /var/run/rsyslog correctly
  * label_var_run_rsyslog.patch
 - allow systemd-tmpfiles to create devices
  * systemd-tmpfiles.patch
 - add rules for sysconfig
  * correctly label /dev/.sysconfig/network
  * added sysconfig_network_scripts.patch
 - run restorecon and fixfiles only if if selinux is enabled
 - fix console login
  * allow-local_login_t-read-shadow.patch
 - allow rsyslog to write to xconsole
  * xconsole.patch
 - useradd needs to call selinux_check_access (via pam_rootok)
  * useradd-netlink_selinux_socket.patch
 -------------------------------------------------------------------
 Mon Aug 12 02:08:15 CEST 2013 - ro@suse.de
 - fix build on factory: newer rpm does not allow to mark
  non-directories as dir anymore (like symlinks in this case) 
 -------------------------------------------------------------------
 Thu Jul 11 11:00:14 UTC 2013 - coolo@suse.com
 - install COPYING
 -------------------------------------------------------------------
 Fri Mar 22 11:52:43 UTC 2013 - vcizek@suse.com
 - switch to Fedora as upstream
 - added patches:
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * type_transition_file_class.patch
  * type_transition_contrib.patch
  * label_sysconfig.selinux-policy.patch
 -------------------------------------------------------------------
 Tue Dec 11 13:40:27 UTC 2012 - vcizek@suse.com
 - bump up policy version to 27, due to recent libsepol update
 - dropped currently unused policy-rawhide.patch
 - fix installing of file_contexts (this enables restorecond to run properly)
 - Recommends: audit and setools
 -------------------------------------------------------------------
 Mon Dec 10 15:47:13 UTC 2012 - meissner@suse.com
 - mark included files in source
 -------------------------------------------------------------------
 Mon Oct 22 18:47:00 UTC 2012 - vcizek@suse.com
 - update to 2.20120725
 - added selinux-policy-run_sepolgen_during_build.patch
 - renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch
 - dropped policygentool and OLPC stuff
 -------------------------------------------------------------------
 Wed May  9 10:01:26 UTC 2012 - coolo@suse.com
 - patch license to be in spdx.org format
 -------------------------------------------------------------------
 Fri May 21 16:05:49 CEST 2010 - prusnak@suse.cz
 - use policy created by Alan Rouse
 -------------------------------------------------------------------
 Sat Apr 10 23:45:17 PDT 2010 - justinmattock@gmail.com
 - Adjust selinux-policy.spec so that the policy
  source tree is put in /usr/share/doc/packages/selinux-*
  so users can build the policy [bnc#582404]
 -------------------------------------------------------------------
 Wed Apr  7 09:59:43 UTC 2010 - thomas@novell.com
 - fixed fileperms of /etc/selinux/config to be 644 to allow
  libselinux to read from it (bnc#582399)
  this is also the default file mode in fedora 12
 -------------------------------------------------------------------
 Fri Jun 26 12:19:07 CEST 2009 - thomas@novell.com
--- a/selinux-policy.conf
+++ b/selinux-policy.conf
@ -0,0 +1,2 @@
 z /sys/devices/system/cpu/online - - -
 Z /sys/class/net - - -
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,110 +1,713 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 # norootforbuild
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir /var/adm/fillup-templates
 %endif
 # TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
 # ones used by redhat and include also the SUSE specific ones (see sed statement below)
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
 %define BUILD_DOC 1
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
 %if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0
 %define BUILD_MLS 0
 %else
 %define BUILD_MLS 1
 %endif
 %if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 )
 %else
 %endif
 %define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
 %define CHECKPOLICYVER %POLICYCOREUTILSVER
 %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else  print "0" end }
 # conditional stuff depending on policycoreutils version
 # See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
 %if %{coreutils_ge 2.5}
 # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
 # It depends on the kernel, but apparently more so on the libsemanage version.
 %define POLICYVER 30
 # macros calling module_store have to be defined using global, not define, and
 # "lazy" evaluation
 %global module_store() %{_localstatedir}/lib/selinux/%%{1}
 %global policy_prio 100
 %global module_dir active/modules/%{policy_prio}
 %global module_disabled() %{module_store %%{1}}/active/modules/disabled/%%{2}
 %global install_pp() \
 	(cd %{buildroot}/%{_usr}/share/selinux/%1/ \
 	 /usr/sbin/semodule -s %%{1} -X %{policy_prio} -n -p %{buildroot} -i *.pp \
         rm -f *pp*); 
 # FixMe 170315: None of these exist any more. Are they necessary?
 %global files_base_pp() %nil
 %global touch_file_contexts() touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
 %global files_file_contexts() %nil
 %global mkdir_other() \
    %{__mkdir} -p %{buildroot}%{module_store %%1}/active/modules/disabled
 %global files_other() \
    %dir %{module_store %%1}/active/modules \
    %dir %{module_store %%1}/active/modules/disabled \
    %{module_disabled %%1 sandbox}
 %global files_dot_bin() %nil
 %global rm_selinux_mod() rm -rf %%1
 %else
 # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
 # It depends on the kernel, but apparently more so on the libsemanage version.
 %define POLICYVER 29
 %global module_store() %{_sysconfdir}/selinux/%%{1}/modules
 %global module_dir active/modules
 %global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled
 # FixMe 170315: Why is bzip2 used here rather than semodule -i?
 %global install_pp() \
 	(cd  %{buildroot}/%{_usr}/share/selinux/%%1/ \
 	 bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \
 	 rm -f base.pp \
 	 for i in *.pp; do \
 	    bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \
 	 done \
         rm -f *pp* );
 # FixMe 170315:
 # Why is base.pp installed in a different path than other modules?
 # Requirement of policycoreutils 2.3 ??
 %global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp
 # FixMe 170315: do we really need these?
 %global touch_file_contexts() \
    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \
    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \
    touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin;
 %global mkdir_other() %nil
 # FixMe 170315: do we really need these?
 %global files_file_contexts() \
    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \
    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template
 # FixMe 170315: do we really need these?
 %global files_other() \
    %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \
    %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts
 %global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin
 %global rm_selinux_mod() rm -f %%{1}.pp
 %endif
 Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        2.20081210
+Version:        20140730
-Release:        1
+Release:        0
-Url:            http://oss.tresys.com/projects/refpolicy/
+Source:         serefpolicy-%{version}.tgz
-License:        GPL v2
+Source1:        serefpolicy-contrib-%{version}.tgz
-Group:          System/Base
+
-Summary:        SELinux policies
+Source10:       modules-targeted-base.conf
-Source:         refpolicy-%{version}.tar.bz2
+Source11:       modules-targeted-contrib.conf
-Source1:        config
+Source12:       modules-mls-base.conf
-Patch0:         %{name}-build_conf.patch
+Source13:       modules-mls-contrib.conf
 #Source14:      modules-minimum.conf
 Source20:       booleans-targeted.conf
 Source21:       booleans-mls.conf
 Source22:       booleans-minimum.conf
 Source23:       booleans.subs_dist
 Source30:       setrans-targeted.conf
 Source31:       setrans-mls.conf
 Source32:       setrans-minimum.conf
 Source40:       securetty_types-targeted
 Source41:       securetty_types-mls
 Source42:       securetty_types-minimum
 Source50:       users-targeted
 Source51:       users-mls
 Source52:       users-minimum
 Source60:       selinux-policy.conf
 Source61:       selinux-policy.sysconfig
 Source90:       selinux-policy-rpmlintrc
 Source91:       Makefile.devel
 Source92:       customizable_types
 Source93:       config.tgz
 Source94:       file_contexts.subs_dist
 # base policy patches
 Patch0001:      policy-rawhide-base.patch
 # The following two patches are a workaround for 812055
 Patch0002:      type_transition_file_class.patch
 Patch0003:      label_sysconfig.selinux-policy.patch
 Patch0004:      sysconfig_network_scripts.patch
 Patch0005:      allow-local_login_t-read-shadow.patch
 Patch0006:      xconsole.patch
 Patch0007:      useradd-netlink_selinux_socket.patch
 Patch0008:      systemd-tmpfiles.patch
 Patch0009:      label_var_run_rsyslog.patch
 Patch0010:      suse_modifications_unconfined.patch
 Patch0011:      suse_modifications_systemd.patch
 Patch0012:      suse_modifications_unconfineduser.patch
 Patch0013:      suse_modifications_selinuxutil.patch
 Patch0014:      suse_modifications_logging.patch
 Patch0015:      suse_modifications_getty.patch
 Patch0016:      suse_modifications_authlogin.patch
 Patch0017:      suse_modifications_xserver.patch
 Patch0018:      suse_modifications_ssh.patch
 Patch0019:      suse_modifications_usermanage.patch
 Patch0020:      suse_modifications_unprivuser.patch
 Patch0021:      dont_use_xmllint_in_make_conf.patch
 Patch0022:      suse_modifications_staff.patch
 Patch0023:      suse_modifications_ipsec.patch
 Patch0024:      add-overlayfs-as-xattr-capable.patch
 # contrib patches
 Patch1000:      policy-rawhide-contrib.patch
 Patch1001:      type_transition_contrib.patch
 Patch1002:      suse_modifications_virt.patch
 Patch1003:      suse_modifications_dbus.patch
 Patch1004:      suse_modifications_policykit.patch
 Patch1005:      suse_modifications_postfix.patch
 Patch1006:      suse_modifications_rtkit.patch
 Patch1007:      suse_modifications_apache.patch
 Patch1008:      suse_modifications_ntp.patch
 Patch1009:      suse_modifications_cron.patch
 Patch1010:      suse_additions_sslh.patch
 Patch1011:      suse_additions_obs.patch
 Patch1012:      suse_modifications_glusterfs.patch
 Patch1013:      suse_modifications_passenger.patch
 Patch1014:      suse_modifications_stapserver.patch
 Url:            http://oss.tresys.com/repos/refpolicy/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  checkpolicy policycoreutils libsepol-devel python python-xml m4
 BuildArch:      noarch
-# default is refpolicy-standard (mentioned in config)
+BuildRequires:  %fillup_prereq
-Requires:       selinux-policy-refpolicy-standard
+BuildRequires:  %insserv_prereq
 BuildRequires:  bzip2
 BuildRequires:  checkpolicy
 BuildRequires:  gawk
 BuildRequires:  libxml2-tools
 BuildRequires:  m4
 BuildRequires:  policycoreutils
 BuildRequires:  policycoreutils-python
 BuildRequires:  python
 BuildRequires:  python-xml
 #BuildRequires:  selinux-policy-devel
 # we need selinuxenabled
 Requires(post): selinux-tools
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
 Recommends:     policycoreutils-python
-%description
+%global makeCmds() \
-SELinux policy
+make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
 make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
 cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
 cp -f selinux_config/users-%1 ./policy/users \
 #cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
-%package refpolicy-standard
+%global makeModulesConf() \
-Group:          System/Base
+cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
-Summary:        SELinux policy - Tresys Standard Refpolicy
+cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
-Requires:       selinux-policy
+if [ "%3" = "contrib" ];then \
  cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
  cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
 fi; \
-%description refpolicy-standard
+%global installCmds() \
 make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
 make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
 make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
 make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
 %{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
 %{mkdir_other %%1} \
 touch %{buildroot}/%{module_store %%{1}}/semanage.read.LOCK \
 touch %{buildroot}/%{module_store %%{1}}/semanage.trans.LOCK \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{touch_file_contexts %%1} \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
 install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{module_store %%{1}}/active/seusers \
 touch %{buildroot}%{module_store %%{1}}/active/nodes.local \
 touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
 touch %{buildroot}%{module_store %%{1}}/active/users.local \
 cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
 %install_pp %%1 \
 touch %{buildroot}%{module_disabled %%1 sandbox} \
 /usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \
 ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER}  %{buildroot}%{module_store %%{1}}/active/policy.kern \
 %nil
-SELinux policy - based on reference policy from Tresys - standard
+%global fileList() \
 %defattr(-,root,root) \
 %dir %{_usr}/share/selinux/%1 \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
 %dir %{_sysconfdir}/selinux/%1/logins \
 %dir %{module_store %%{1}} \
 %verify(not md5 size mtime) %{module_store %%{1}}/semanage.read.LOCK \
 %verify(not md5 size mtime) %{module_store %%{1}}/semanage.trans.LOCK \
 %dir %attr(700,root,root) %dir %{module_store %%{1}}/active \
 %dir %{module_store %%{1}}/%{module_dir} \
 %verify(not md5 size mtime) %{module_store %%{1}}/active/policy.kern \
 %verify(not md5 size mtime) %{module_store %%{1}}/active/commit_num \
 %{files_base_pp %%1} \
 %verify(not md5 size mtime) %{module_store %%{1}}/active/file_contexts \
 %{files_file_contexts %%1} \
 %{files_other %%1} \
 %config(noreplace) %verify(not md5 size mtime) %{module_store %%{1}}/active/users_extra \
 %verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \
 %{module_store %%{1}}/%{module_dir}/* \
 %ghost %{module_store %%{1}}/active/*.local \
 %{files_dot_bin %%1} \
 %ghost %{module_store %%{1}}/active/seusers \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
 %{_sysconfdir}/selinux/%1/.policy.sha512 \
 %dir %{_sysconfdir}/selinux/%1/contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
 %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %{_sysconfdir}/selinux/%1/booleans.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
-%package refpolicy-mcs
+%define relabel() \
-Group:          System/Base
+. %{_sysconfdir}/sysconfig/selinux-policy; \
-Summary:        SELinux policy - Tresys MCS Refpolicy
+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-Requires:       selinux-policy
+if selinuxenabled; then \
  if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
    /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
    rm -f ${FILE_CONTEXT}.pre; \
  fi; \
  /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \
  /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \
 fi;
-%description refpolicy-mcs
+%global preInstall() \
 if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
  . %{_sysconfdir}/selinux/config; \
  FILE_CONTEXT=%{_sysconfdir}/selinux/%%1/contexts/files/file_contexts; \
  if [ "${SELINUXTYPE}" = %%1 -a -f ${FILE_CONTEXT} ]; then \
    [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
  fi; \
  touch %{_sysconfdir}/selinux/%%1/.rebuild; \
  if [ -e %{_sysconfdir}/selinux/%%1/.policy.sha512 ]; then \
    sha512=`sha512sum %{module_store %%{1}}/active/policy.kern | cut -d ' ' -f 1`; \
    checksha512=`cat %{_sysconfdir}/selinux/%%1/.policy.sha512`; \
    if [ "$sha512" = "$checksha512" ] ; then \
      rm %{_sysconfdir}/selinux/%%1/.rebuild; \
    fi; \
  fi; \
 fi;
-SELinux policy - based on reference policy from Tresys - mcs
+%global postInstall() \
 . %{_sysconfdir}/selinux/config; \
 if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
  rm %{_sysconfdir}/selinux/%%2/.rebuild; \
  (cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \
  /usr/sbin/semodule -B -n -s %%2; \
 else \
  touch %{module_disabled %%2 sandbox} \
 fi; \
 if [ "${SELINUXTYPE}" = "%2" ]; then \
  if selinuxenabled; then \
    load_policy; \
  else \
    # probably a first install of the policy \
    true; \
  fi; \
 fi; \
 if selinuxenabled; then \
  if [ %1 -eq 1 ]; then \
    /sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \
  else \
    %relabel %2 \
  fi; \
 else \
  # run fixfiles on next boot \
  touch /.autorelabel \
 fi;
-%package refpolicy-mls
+%define modulesList() \
-Group:          System/Base
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
-Summary:        SELinux policy - Tresys MLS Refpolicy
+if [ -e ./policy/modules-contrib.conf ];then \
-Requires:       selinux-policy
+  awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
-
+fi;
 %description refpolicy-mls
 SELinux policy - based on reference policy from Tresys - mls
 %prep
 %setup -q -c -n selinux-policy -T
 tar xfj %{SOURCE0} && mv refpolicy refpolicy-standard
 tar xfj %{SOURCE0} && mv refpolicy refpolicy-mcs
 tar xfj %{SOURCE0} && mv refpolicy refpolicy-mls
 %patch0
 %build
 for i in standard mcs mls; do
  cd refpolicy-$i
  make conf
  make policy
  cd ..
 done
 %install
 for i in standard mcs mls; do
  cd refpolicy-$i
  make DESTDIR=$RPM_BUILD_ROOT install
  sed -i "s:^# edit $RPM_BUILD_ROOT:# edit :" $RPM_BUILD_ROOT%{_sysconfdir}/selinux/refpolicy-$i/contexts/files/file_contexts.homedirs
  cd ..
 done
 install -m 600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/selinux/
 %clean
 rm -rf $RPM_BUILD_ROOT
 %files
-%defattr(-,root,root)
+%defattr(-,root,root,-)
 %doc COPYING
 %dir %{_usr}/share/selinux
 %dir %{_sysconfdir}/selinux
-%{_sysconfdir}/selinux/config
+%ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_fillupdir}/sysconfig.%{name}
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
-%files refpolicy-standard
+%description
-%defattr(-,root,root)
+SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of
-%doc refpolicy-standard/COPYING refpolicy-standard/Changelog refpolicy-standard/README
+systems and used as the basis for creating other policies. 
 %dir %{_sysconfdir}/selinux/refpolicy-standard
 %{_sysconfdir}/selinux/refpolicy-standard/*
-%files refpolicy-mcs
+%prep
-%defattr(-,root,root)
+# contrib modules
-%doc refpolicy-mcs/COPYING refpolicy-mcs/Changelog refpolicy-mcs/README
+%setup -n serefpolicy-contrib-%{version} -q -b 1
-%dir %{_sysconfdir}/selinux/refpolicy-mcs
+%patch1000 -p1
-%{_sysconfdir}/selinux/refpolicy-mcs/*
+%patch1001 -p1
 %patch1002 -p1
 %patch1003 -p1
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
 %patch1007 -p1
 %patch1008 -p1
 %patch1009 -p1
 %patch1010 -p1
 %patch1011 -p1
 %patch1012 -p1
 %patch1013 -p1
 %patch1014 -p1
-%files refpolicy-mls
+# base policy
-%defattr(-,root,root)
+contrib_path=`pwd`
-%doc refpolicy-mls/COPYING refpolicy-mls/Changelog refpolicy-mls/README
+%setup -n serefpolicy-%{version} -q 
-%dir %{_sysconfdir}/selinux/refpolicy-mls
+cp COPYING ..
-%{_sysconfdir}/selinux/refpolicy-mls/*
+%patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p0
 %patch0007 -p1
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
 %patch0011 -p1
 %patch0012 -p1
 %patch0013 -p1
 %patch0014 -p1
 %patch0015 -p1
 %patch0016 -p1
 %patch0017 -p1
 %patch0018 -p1
 %patch0019 -p1
 %patch0020 -p1
 %patch0021 -p1
 %patch0022 -p1
 %patch0023 -p1
 %patch0024 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 # we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
 find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
 %build
 %install
 mkdir selinux_config
 for i in %{SOURCE10} %{SOURCE11} %{SOURCE12}  %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
 cp $i selinux_config
 done
 tar zxvf selinux_config/config.tgz
 # Build targeted policy
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
 cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
 make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
 %makeCmds targeted mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds targeted mcs n allow
 %modulesList targeted
 %endif
 %if %{BUILD_MINIMUM}
 # Build minimum policy
 mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
 %makeCmds minimum mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds minimum mcs n allow
 %modulesList minimum
 %endif
 %if %{BUILD_MLS}
 # Build mls policy
 mkdir -p %{buildroot}%{_usr}/share/selinux/mls
 %makeCmds mls mls n deny
 %makeModulesConf mls base contrib
 %installCmds mls mls n deny
 %modulesList mls
 %endif
 # Install devel
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
 make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
 make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
 rm -rf selinux_config
 # fillup sysconfig
 mkdir -p %{buildroot}%{_fillupdir}
 cp %{SOURCE61} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 %clean
 %post
 %{fillup_only}
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
  # new install
  ln -sf %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
  restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
 else
  . %{_sysconfdir}/sysconfig/selinux-policy
  # if first time update booleans.local needs to be copied to sandbox
  [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/
  [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
 fi
 exit 0
 %postun
 if [ $1 = 0 ]; then
  setenforce 0 2> /dev/null
  if [ -s %{_sysconfdir}/selinux/config ]; then
    sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
  fi
 fi
 exit 0
 %package devel
 Summary:        SELinux policy devel
 Group:          System/Management
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       /usr/bin/make
 Requires:       checkpolicy >= %{CHECKPOLICYVER}
 Requires:       m4
 %description devel
 SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %{_mandir}/ru/man8/ftpd_selinux.8.gz
 %{_mandir}/ru/man8/httpd_selinux.8.gz
 %{_mandir}/ru/man8/kerberos_selinux.8.gz
 %{_mandir}/ru/man8/named_selinux.8.gz
 %{_mandir}/ru/man8/nfs_selinux.8.gz
 %{_mandir}/ru/man8/rsync_selinux.8.gz
 %{_mandir}/ru/man8/samba_selinux.8.gz
 %{_mandir}/ru/man8/ypbind_selinux.8.gz
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %package doc
 Summary:        SELinux policy documentation
 Group:          System/Management
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       /usr/bin/xdg-open
 %description doc
 SELinux policy documentation package
 %files doc
 %defattr(-,root,root,-)
 %doc %{_usr}/share/doc/%{name}-%{version}
 %{_usr}/share/selinux/devel/policy.*
 %if %{BUILD_TARGETED}
 %package targeted
 Summary:        SELinux targeted base policy
 Group:          System/Management
 Provides:       selinux-policy-base = %{version}-%{release}
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  coreutils
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 %description targeted
 SELinux Reference policy targeted base module.
 %pre targeted
 %preInstall targeted
 %post targeted
 %postInstall $1 targeted
 exit 0
 %files targeted
 %defattr(-,root,root,-)
 %fileList targeted
 %{_usr}/share/selinux/targeted/modules-base.lst
 %{_usr}/share/selinux/targeted/modules-contrib.lst
 %endif
 %if %{BUILD_MINIMUM}
 %package minimum
 Summary:        SELinux minimum base policy
 Group:          System/Management
 Provides:       selinux-policy-base = %{version}-%{release}
 Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER}
 Requires(pre):  coreutils
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 Conflicts:      seedit
 %description minimum
 SELinux Reference policy minimum base module.
 %pre minimum
 %preInstall minimum
 if [ $1 -ne 1 ]; then
  /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst
 fi
 %post minimum
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
 if [ $1 -eq 1 ]; then
 for p in $contribpackages; do
  touch %{module_disabled minimum $p}
 done
 # this is temporarily needed to make minimum policy work without errors. Will be included
 # into the proper places later on
 for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do
    rm -f %{module_disabled minimum $p}
 done
 # those are default anyway
 # /usr/sbin/semanage -S minimum -i - << __eof
 # login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 # login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 # __eof
 /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
 /usr/sbin/semodule -B -s minimum
 else
 instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
 for p in $contribpackages; do
  touch %{module_disabled minimum $p}
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
    rm -f %{module_disabled minimum $p}
 done
 /usr/sbin/semodule -B -s minimum
 %relabel minimum
 fi
 exit 0
 %files minimum
 %defattr(-,root,root,-)
 %fileList minimum
 %{_usr}/share/selinux/minimum/modules-base.lst
 %{_usr}/share/selinux/minimum/modules-contrib.lst
 %endif
 %if %{BUILD_MLS}
 %package mls
 Summary:        SELinux mls base policy
 Group:          System/Management
 Provides:       selinux-policy-base = %{version}-%{release}
 Obsoletes:      selinux-policy-mls-sources < 2
 Requires:       policycoreutils-newrole = %{POLICYCOREUTILSVER}
 Requires:       setransd
 Requires(pre):  policycoreutils = %{POLICYCOREUTILSVER}
 Requires(pre):  coreutils
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 Conflicts:      seedit
 %description mls
 SELinux Reference policy mls base module.
 %pre mls
 %preInstall mls
 %post mls
 %postInstall $1 mls
 %files mls
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %{_usr}/share/selinux/mls/modules-base.lst
 %{_usr}/share/selinux/mls/modules-contrib.lst
 %endif
 %changelog
--- a/selinux-policy.sysconfig
+++ b/selinux-policy.sysconfig
@ -0,0 +1,11 @@
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
 #     disabled - No SELinux policy is loaded.
 SELINUX=permissive
 # SELINUXTYPE= can take one of these two values:
 #     targeted - Targeted processes are protected,
 #     mls - Multi Level Security protection.
 #     minimum - Modification of targeted policy. Only selected processes are protected.
 SELINUXTYPE=minimum
--- a/serefpolicy-20140730.tgz
+++ b/serefpolicy-20140730.tgz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ef950250ca524c822fff44677af9d061d77e09b02cba2ce6444fb057d35f0dae
 size 318859
--- a/serefpolicy-contrib-20140730.tgz
+++ b/serefpolicy-contrib-20140730.tgz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a717a82690fc2f10de53241471112944cd99eedb1d4ffd05c7c8d6883cf31d11
 size 467521
--- a/setrans-minimum.conf
+++ b/setrans-minimum.conf
@ -0,0 +1,19 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/setrans-mls.conf
+++ b/setrans-mls.conf
@ -0,0 +1,52 @@
 #
 # Multi-Level Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be labeled with one of 16 levels and be categorized with 0-1023 
 # categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Users can modify this table to translate the MLS labels for different purpose.
 #
 # Assumptions: using below MLS labels.
 #  SystemLow
 #  SystemHigh
 #  Unclassified 
 #  Secret with compartments A and B.
 # 
 # SystemLow and SystemHigh
 s0=SystemLow
 s15:c0.c1023=SystemHigh
 s0-s15:c0.c1023=SystemLow-SystemHigh
 # Unclassified level
 s1=Unclassified
 # Secret level with compartments
 s2=Secret
 s2:c0=A
 s2:c1=B
 # ranges for Unclassified
 s0-s1=SystemLow-Unclassified
 s1-s2=Unclassified-Secret
 s1-s15:c0.c1023=Unclassified-SystemHigh
 # ranges for Secret with compartments
 s0-s2=SystemLow-Secret
 s0-s2:c0=SystemLow-Secret:A
 s0-s2:c1=SystemLow-Secret:B
 s0-s2:c0,c1=SystemLow-Secret:AB
 s1-s2:c0=Unclassified-Secret:A
 s1-s2:c1=Unclassified-Secret:B
 s1-s2:c0,c1=Unclassified-Secret:AB
 s2-s2:c0=Secret-Secret:A
 s2-s2:c1=Secret-Secret:B
 s2-s2:c0,c1=Secret-Secret:AB
 s2-s15:c0.c1023=Secret-SystemHigh
 s2:c0-s2:c0,c1=Secret:A-Secret:AB
 s2:c0-s15:c0.c1023=Secret:A-SystemHigh
 s2:c1-s2:c0,c1=Secret:B-Secret:AB
 s2:c1-s15:c0.c1023=Secret:B-SystemHigh
 s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
--- a/setrans-targeted.conf
+++ b/setrans-targeted.conf
@ -0,0 +1,19 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/suse_additions_obs.patch
+++ b/suse_additions_obs.patch
@ -0,0 +1,96 @@
 Index: serefpolicy-contrib-20140730/obs.fc
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/obs.fc
@@ -0,0 +1,63 @@
 +/usr/lib/build/Build(/.*)?                      -- gen_context(system_u:object_r:lib_t,s0)
 +/usr/lib/build/Build.pm                         -- gen_context(system_u:object_r:lib_t,s0)
 +
 +/usr/lib/build/configs(/.*)?                    -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/baselibs_global.conf             -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/baselibs_global-deb.conf         -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-pkg                        -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-pkg-arch                   -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-pkg-deb                    -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-pkg-rpm                    -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-arch                -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-dsc                 -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-kiwi                -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-livebuild           -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-mock                -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-preinstallimage     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-recipe-spec                -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm                         -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-ec2                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-emulator                -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-kvm                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-lxc                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-openstack               -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-qemu                    -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-uml                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-xen                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/build-vm-zvm                     -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/lxc.conf                         -- gen_context(system_u:object_r:etc_t,s0)
 +/usr/lib/build/qemu-reg                         -- gen_context(system_u:object_r:etc_t,s0)
 +
 +/usr/lib/build/emulator/.*                      -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/build                            -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/changelog2spec                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/common_functions                 -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/computeblocklists                -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createarchdeps                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createdebdeps                    -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createrepomddeps                 -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createrpmdeps                    -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createyastdeps                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/createzyppdeps                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/debtransform                     -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/debtransformbz2                  -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/debtransformzip                  -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/download                         -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/expanddeps                       -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/extractbuild                     -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/getbinaryid                      -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/init_buildsystem                 -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/killchroot                       -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/mkbaselibs                       -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/mkdrpms                          -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/order                            -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/queryconfig                      -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/signdummy                        -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/spec2changelog                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/spec_add_patch                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/spectool                         -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/substitutedeps                   -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/unrpm                            -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/build/vc                               -- gen_context(system_u:object_r:bin_t,s0)
 +
 Index: serefpolicy-contrib-20140730/obs.if
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/obs.if
@@ -0,0 +1 @@
 +#
 Index: serefpolicy-contrib-20140730/obs.te
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/obs.te
@@ -0,0 +1,17 @@
 +policy_module(obs, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +# work out a real policy later on
 +#type obs_t;
 +#type obs_exec_t;
 +#application_domain(obs_t, obs_exec_t)
 +#
 +#type obs_conf_t;
 +#files_config_file(obs_conf_t)
 +#
 +#permissive obs_t;
 +
--- a/suse_additions_sslh.patch
+++ b/suse_additions_sslh.patch
@ -0,0 +1,149 @@
 Index: serefpolicy-contrib-20140730/sslh.fc
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
 +/etc/conf.d/sslh 			-- 	gen_context(system_u:object_r:sslh_conf_t,s0)
 +/etc/default/sslh 			-- 	gen_context(system_u:object_r:sslh_conf_t,s0)
 +
 +/etc/init.d/sslh 			-- 	gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
 +/usr/lib/systemd/system/sslh.service  	-- 	gen_context(system_u:object_r:sslh_unit_file_t,s0)
 +
 +#/usr/sbin/rcsslh			--	gen_context(system_u:object_r:sslh_exec_t,s0)
 +/usr/sbin/sslh				--	gen_context(system_u:object_r:sslh_exec_t,s0)
 +
 Index: serefpolicy-contrib-20140730/sslh.if
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/sslh.if
@@ -0,0 +1,77 @@
 +## <summary>sslh Applicative Protocol Multiplexer</summary>
 +
 +#######################################
 +## <summary>
 +##  Allow a domain to getattr on sslh binary.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
 +## </param>
 +#
 +interface(`sslh_getattr_exec',`
 +	gen_require(`
 +		type sslh_exec_t;
 +	')
 +
 +	allow $1 sslh_exec_t:file getattr;
 +')
 +
 +#######################################
 +## <summary>
 +##  Read sslh configuration.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`sslh_read_config',`
 +    gen_require(`
 +        type sslh_conf_t;
 +    ')
 +
 +    files_search_etc($1)
 +    list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
 +    read_files_pattern($1, sslh_conf_t, sslh_conf_t)
 +')
 +
 +######################################
 +## <summary>
 +##  Write sslh configuration.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`sslh_write_config',`
 +    gen_require(`
 +        type sslh_conf_t;
 +    ')
 +
 +    files_search_etc($1)
 +    write_files_pattern($1, sslh_conf_t, sslh_conf_t)
 +')
 +
 +####################################
 +## <summary>
 +##  Manage sslh configuration.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`sslh_manage_config',`
 +    gen_require(`
 +        type sslh_conf_t;
 +    ')
 +
 +    files_search_etc($1)
 +    manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
 +')
 Index: serefpolicy-contrib-20140730/sslh.te
 ===================================================================
 --- /dev/null
 +++ serefpolicy-contrib-20140730/sslh.te
@@ -0,0 +1,48 @@
 +policy_module(sslh, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type sslh_t;
 +type sslh_exec_t;
 +init_daemon_domain(sslh_t, sslh_exec_t)
 +
 +type sslh_initrc_exec_t;
 +init_script_file(sslh_initrc_exec_t)
 +
 +type sslh_conf_t;
 +files_config_file(sslh_conf_t)
 +
 +type sslh_unit_file_t;
 +systemd_unit_file(sslh_unit_file_t)
 +
 +########################################
 +#
 +# sslh local policy
 +#
 +
 +allow sslh_t self:capability { setuid net_bind_service setgid };
 +allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 +allow sslh_t self:process { setcap signal };
 +allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
 +
 +corenet_tcp_bind_generic_node(sslh_t)
 +corenet_tcp_bind_all_ports(sslh_t)
 +corenet_tcp_connect_all_ports(sslh_t)
 +
 +corenet_udp_bind_all_ports(sslh_t)
 +corenet_udp_send_generic_if(sslh_t)
 +corenet_udp_receive_generic_if(sslh_t)
 +
 +read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
 +
 +nscd_shm_use(sslh_t)
 +
 +allow sslh_t nscd_var_run_t:file read;
 +
 +# dontaudit?
 +#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
 +#allow sshd_t unconfined_t:process { siginh noatsecure };
 +
--- a/suse_modifications_apache.patch
+++ b/suse_modifications_apache.patch
@ -0,0 +1,12 @@
 Index: serefpolicy-contrib-20140730/apache.fc
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/apache.fc
 +++ serefpolicy-contrib-20140730/apache.fc
@@ -64,6 +64,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/sbin/cherokee		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd\.event		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/start_apache2		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
--- a/suse_modifications_authlogin.patch
+++ b/suse_modifications_authlogin.patch
@ -0,0 +1,14 @@
 Index: serefpolicy-20140730/policy/modules/system/authlogin.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/authlogin.te
 +++ serefpolicy-20140730/policy/modules/system/authlogin.te
@@ -152,6 +152,9 @@ seutil_dontaudit_use_newrole_fds(chkpwd_
 userdom_dontaudit_use_user_ttys(chkpwd_t)
 +allow chkpwd_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(chkpwd_t)
 +
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(chkpwd_t)
--- a/suse_modifications_cron.patch
+++ b/suse_modifications_cron.patch
@ -0,0 +1,57 @@
 Index: serefpolicy-contrib-20140730/cron.fc
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/cron.fc	2015-08-13 10:13:01.320203530 +0200
 +++ serefpolicy-contrib-20140730/cron.fc	2015-08-13 10:13:01.620208372 +0200
@@ -55,6 +55,8 @@ ifdef(`distro_suse', `
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/spool/cron/tabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 +/var/spool/cron/tabs/[^/]*	--	gen_context(system_u:object_r:user_cron_spool_t,s0)
 ')
 ifdef(`distro_debian',`
 Index: serefpolicy-contrib-20140730/cron.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/cron.te	2015-08-13 10:13:01.320203530 +0200
 +++ serefpolicy-contrib-20140730/cron.te	2015-08-13 10:13:01.620208372 +0200
@@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti
 optional_policy(`
 	unconfined_domain(unconfined_cronjob_t)
 ')
 +
 +ifdef(`distro_suse',`
 +	files_read_default_symlinks(crontab_t)
 +	userdom_manage_user_home_dirs(crontab_t)
 +	xserver_non_drawing_client(crontab_t)
 +')
 Index: serefpolicy-contrib-20140730/cron.if
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/cron.if	2015-08-13 10:13:01.320203530 +0200
 +++ serefpolicy-contrib-20140730/cron.if	2015-08-13 10:14:06.153249993 +0200
@@ -158,7 +158,7 @@ interface(`cron_role',`
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
 -		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
 +		type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
         type crond_t, user_cron_spool_t;
         bool cron_userdomain_transition;
 	')
@@ -168,14 +168,14 @@ interface(`cron_unconfined_role',`
     # Declarations
     #
 -    role $1 types { unconfined_cronjob_t crontab_t };
 +    role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
     ##############################
     #
     # Local policy
     #
 -    domtrans_pattern($2, crontab_exec_t, crontab_t)
 +    domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
     dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
--- a/suse_modifications_dbus.patch
+++ b/suse_modifications_dbus.patch
@ -0,0 +1,61 @@
 Index: serefpolicy-contrib-20140730/dbus.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/dbus.te	2015-07-21 16:39:25.588407411 +0200
 +++ serefpolicy-contrib-20140730/dbus.te	2015-07-21 16:41:17.738197485 +0200
@@ -55,7 +55,7 @@ ifdef(`enable_mls',`
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability2 block_suspend;
 -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 +allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock};
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_
 kernel_stream_connect(system_dbusd_t)
 dev_read_urand(system_dbusd_t)
 +dev_read_rand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 dev_rw_inherited_input_dev(system_dbusd_t)
@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs(
 userdom_home_reader(system_dbusd_t)
 +allow system_dbusd_t var_run_t:sock_file write;
 +
 optional_policy(`
 	bind_domtrans(system_dbusd_t)
 ')
 Index: serefpolicy-contrib-20140730/dbus.if
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/dbus.if	2015-07-21 16:39:25.588407411 +0200
 +++ serefpolicy-contrib-20140730/dbus.if	2015-07-21 16:39:28.964461299 +0200
@@ -111,6 +111,26 @@ template(`dbus_role_template',`
 	logging_send_syslog_msg($1_dbusd_t)
 +	ifdef(`distro_suse',`
 +		gen_require(`
 +			type config_home_t, xdm_var_run_t;
 +		')
 +		allow $1_dbusd_t self:unix_stream_socket connectto;
 +
 +		# is this firefox mislabeled?
 +		#allow $1_dbusd_t lib_t:file execute_no_trans;
 +		allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr };
 +		allow $1_dbusd_t xdm_var_run_t:file { getattr open read };
 +
 +		allow $1_dbusd_t $1_t:dbus send_msg;
 +
 +		auth_login_pgm_domain($1_dbusd_t)
 +		xserver_non_drawing_client($1_dbusd_t)
 +		gnome_manage_home_config_dirs($1_dbusd_t)
 +		gnome_delete_home_config_dirs($1_dbusd_t)
 +		corenet_tcp_connect_xserver_port($1_dbusd_t)
 +	')
 +
 	optional_policy(`
 		mozilla_domtrans_spec($1_dbusd_t, $1_t)
 	')
--- a/suse_modifications_getty.patch
+++ b/suse_modifications_getty.patch
@ -0,0 +1,15 @@
 Index: serefpolicy-20140730/policy/modules/system/getty.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/getty.te
 +++ serefpolicy-20140730/policy/modules/system/getty.te
@@ -109,6 +109,10 @@ locallogin_domtrans(getty_t)
 logging_send_syslog_msg(getty_t)
 +allow getty_t var_run_t:sock_file write;
 +plymouthd_exec_plymouth(getty_t)
 +kernel_stream_connect(getty_t)
 +
 ifdef(`distro_gentoo',`
 	# Gentoo default /etc/issue makes agetty
 	# do a DNS lookup for the hostname
--- a/suse_modifications_glusterfs.patch
+++ b/suse_modifications_glusterfs.patch
@ -0,0 +1,10 @@
 Index: serefpolicy-contrib-20140730/glusterd.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/glusterd.te	2017-12-11 17:38:13.448089663 +0100
 +++ serefpolicy-contrib-20140730/glusterd.te	2017-12-11 17:38:52.960730655 +0100
@@ -1,4 +1,4 @@
 -policy_module(glusterfs, 1.1.2)
 +policy_module(glusterd, 1.1.2)
 ## <desc>
 ## <p>
--- a/suse_modifications_ipsec.patch
+++ b/suse_modifications_ipsec.patch
@ -0,0 +1,65 @@
 Index: serefpolicy-20140730/policy/modules/system/ipsec.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/ipsec.te	2015-08-10 12:55:56.098645940 +0200
 +++ serefpolicy-20140730/policy/modules/system/ipsec.te	2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
 +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
 dontaudit ipsec_mgmt_t self:capability sys_tty_config;
 -allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
 +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
 allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 +allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
 +allow ipsec_mgmt_t self:packet_socket { setopt create read write };
 +allow ipsec_mgmt_t self:socket { bind create read write };
 +allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
 +# temporary fix until the rules above work
 +allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 +kernel_request_load_module(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
 +corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
 +corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
 +corenet_udp_bind_generic_node(ipsec_mgmt_t)
 +corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
 -# suppress audit messages about unnecessary socket access
 -# cjp: this seems excessive
 -domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
 -domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 +#  domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
--- a/suse_modifications_logging.patch
+++ b/suse_modifications_logging.patch
@ -0,0 +1,14 @@
 Index: serefpolicy-20140730/policy/modules/system/logging.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/logging.te
 +++ serefpolicy-20140730/policy/modules/system/logging.te
@@ -565,6 +565,9 @@ userdom_dontaudit_use_unpriv_user_fds(sy
 userdom_search_user_home_dirs(syslogd_t)
 userdom_rw_inherited_user_tmp_files(syslogd_t)
 +allow syslogd_t var_run_t:file { read getattr open };
 +allow syslogd_t var_run_t:sock_file write;
 +
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
--- a/suse_modifications_ntp.patch
+++ b/suse_modifications_ntp.patch
@ -0,0 +1,76 @@
 Index: serefpolicy-contrib-20140730/ntp.fc
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/ntp.fc
 +++ serefpolicy-contrib-20140730/ntp.fc
@@ -1,25 +1,36 @@
 /etc/cron\.(daily|weekly)/ntp-simple	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 /etc/cron\.(daily|weekly)/ntp-server	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 -/etc/ntpd.*\.conf.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
 -/etc/ntp/crypto(/.*)?	gen_context(system_u:object_r:ntpd_key_t,s0)
 -/etc/ntp/data(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 -/etc/ntp/keys	--	gen_context(system_u:object_r:ntpd_key_t,s0)
 -/etc/ntp/step-tickers.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
 -
 -/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 -
 -/usr/sbin/ntpd	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 -/usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 -/usr/sbin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 -
 -/usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
 -
 -/var/lib/ntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 -/var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 -
 -/var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 -/var/log/ntpstats(/.*)?	gen_context(system_u:object_r:ntpd_log_t,s0)
 -/var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 -
 -/var/run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 +/etc/ntpd.*\.conf.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
 +/etc/ntp/crypto(/.*)?				gen_context(system_u:object_r:ntpd_key_t,s0)
 +/etc/ntp/data(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 +/etc/ntp/keys				--	gen_context(system_u:object_r:ntpd_key_t,s0)
 +/etc/ntp/step-tickers.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
 +
 +/etc/rc\.d/init\.d/ntpd			--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 +
 +/usr/sbin/ntpd				--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 +/usr/sbin/start-ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 +/usr/sbin/ntpdate			--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 +/usr/sbin/sntp				--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 +
 +/usr/lib/systemd/system/ntpd.* 		-- 	gen_context(system_u:object_r:ntpd_unit_file_t,s0)
 +
 +/var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 +/var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 +
 +/var/log/ntp.*				--	gen_context(system_u:object_r:ntpd_log_t,s0)
 +/var/log/ntpstats(/.*)?				gen_context(system_u:object_r:ntpd_log_t,s0)
 +/var/log/xntpd.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
 +
 +/var/run/ntpd\.pid			--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 +
 +# SUSE chroot
 +/var/lib/ntp/etc/ntpd?.*\.conf.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
 +/var/lib/ntp/etc/ntp/crypto(/.*)?		gen_context(system_u:object_r:ntpd_key_t,s0)
 +/var/lib/ntp/etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
 +/var/lib/ntp/etc/ntp/keys		--	gen_context(system_u:object_r:ntpd_key_t,s0)
 +/var/lib/ntp/etc/ntp/step-tickers.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
 +/var/lib/ntp/var/lib/ntp(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
 +/var/lib/ntp/var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
 +/var/lib/ntp/var/run/ntp(/.*)?			gen_context(system_u:object_r:ntpd_var_run_t,s0)
 Index: serefpolicy-contrib-20140730/ntp.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/ntp.te
 +++ serefpolicy-contrib-20140730/ntp.te
@@ -76,7 +76,7 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
 -files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 +files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } )
 can_exec(ntpd_t, ntpd_exec_t)
--- a/suse_modifications_passenger.patch
+++ b/suse_modifications_passenger.patch
@ -0,0 +1,10 @@
 Index: serefpolicy-contrib-20140730/passenger.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/passenger.te	2017-12-11 17:38:13.276086872 +0100
 +++ serefpolicy-contrib-20140730/passenger.te	2017-12-11 17:42:24.592161419 +0100
@@ -1,4 +1,4 @@
 -policy_module(passanger, 1.1.1)
 +policy_module(passenger, 1.1.1)
 ########################################
 #
--- a/suse_modifications_policykit.patch
+++ b/suse_modifications_policykit.patch
@ -0,0 +1,14 @@
 Index: serefpolicy-contrib-20140730/policykit.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/policykit.te
 +++ serefpolicy-contrib-20140730/policykit.te
@@ -94,6 +94,9 @@ userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 userdom_dontaudit_search_admin_dir(policykit_t)
 +allow policykit_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(policykit_t)
 +
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
--- a/suse_modifications_postfix.patch
+++ b/suse_modifications_postfix.patch
@ -0,0 +1,49 @@
 Index: serefpolicy-contrib-20140730/postfix.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/postfix.te
 +++ serefpolicy-contrib-20140730/postfix.te
@@ -132,6 +132,9 @@ allow postfix_master_t postfix_map_exec_
 allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
 +allow postfix_master_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(postfix_master_t)
 +
 manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 Index: serefpolicy-contrib-20140730/postfix.fc
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/postfix.fc
 +++ serefpolicy-contrib-20140730/postfix.fc
@@ -1,22 +1,6 @@
 # postfix
 /etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 /etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
 -ifdef(`distro_redhat', `
 -/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 -/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 -/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 -/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 -/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 -/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
 -/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
 -/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 -/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 -/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 -/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 -/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 -/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 -/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 -', `
 /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -30,7 +14,6 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 -')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
--- a/suse_modifications_rtkit.patch
+++ b/suse_modifications_rtkit.patch
@ -0,0 +1,14 @@
 Index: serefpolicy-contrib-20140730/rtkit.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/rtkit.te
 +++ serefpolicy-contrib-20140730/rtkit.te
@@ -20,6 +20,9 @@ init_script_file(rtkit_daemon_initrc_exe
 allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
 allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
 +allow rtkit_daemon_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(rtkit_daemon_t)
 +
 kernel_read_system_state(rtkit_daemon_t)
 domain_getsched_all_domains(rtkit_daemon_t)
--- a/suse_modifications_selinuxutil.patch
+++ b/suse_modifications_selinuxutil.patch
@ -0,0 +1,13 @@
 Index: serefpolicy-20140730/policy/modules/system/selinuxutil.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/selinuxutil.te
 +++ serefpolicy-20140730/policy/modules/system/selinuxutil.te
@@ -337,6 +337,8 @@ optional_policy(`
 	xserver_dontaudit_exec_xauth(newrole_t)
 ')
 +allow restorecond_t var_run_t:sock_file write;
 +
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(newrole_t)
--- a/suse_modifications_ssh.patch
+++ b/suse_modifications_ssh.patch
@ -0,0 +1,43 @@
 Index: serefpolicy-20140730/policy/modules/services/ssh.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/services/ssh.te
 +++ serefpolicy-20140730/policy/modules/services/ssh.te
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
 ## </desc>
 gen_tunable(ssh_chroot_rw_homedirs, false)
 +## <desc>
 +## <p>
 +## Allow sshd to forward port connections. This should work
 +## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
 +## but it doesn't
 +## </p>
 +## </desc>
 +##
 +gen_tunable(sshd_forward_ports, false)
 +
 attribute ssh_dyntransition_domain;
 attribute ssh_server;
 attribute ssh_agent_type;
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
 corenet_tcp_bind_vnc_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 +tunable_policy(`sshd_forward_ports',`
 +	corenet_tcp_bind_all_unreserved_ports(sshd_t)
 +	corenet_tcp_connect_all_ports(sshd_t)
 +')
 +
 auth_exec_login_program(sshd_t)
 userdom_read_user_home_content_files(sshd_t)
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
 userdom_signal_unpriv_users(sshd_t)
 userdom_dyntransition_unpriv_users(sshd_t)
 +allow sshd_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(sshd_t)
 +
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
--- a/suse_modifications_staff.patch
+++ b/suse_modifications_staff.patch
@ -0,0 +1,23 @@
 Index: serefpolicy-20140730/policy/modules/roles/staff.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/roles/staff.te	2015-05-20 15:15:49.646097573 +0200
 +++ serefpolicy-20140730/policy/modules/roles/staff.te	2015-05-20 15:59:47.483684401 +0200
@@ -388,18 +388,3 @@ ifndef(`distro_redhat',`
 tunable_policy(`selinuxuser_execmod',`
 	userdom_execmod_user_home_files(staff_t)
 ')
 -
 -optional_policy(`
 -	virt_transition_svirt(staff_t, staff_r)
 -	virt_filetrans_home_content(staff_t)
 -')
 -
 -optional_policy(`
 -	tunable_policy(`staff_use_svirt',`
 -		allow staff_t self:fifo_file relabelfrom;
 -		dev_rw_kvm(staff_t)
 -		virt_manage_images(staff_t)
 -		virt_stream_connect_svirt(staff_t)
 -		virt_exec(staff_t)
 -	')
 -')
--- a/suse_modifications_stapserver.patch
+++ b/suse_modifications_stapserver.patch
@ -0,0 +1,10 @@
 Index: serefpolicy-contrib-20140730/stapserver.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/stapserver.te	2017-12-11 17:38:13.312087456 +0100
 +++ serefpolicy-contrib-20140730/stapserver.te	2017-12-11 17:46:03.915729618 +0100
@@ -1,4 +1,4 @@
 -policy_module(systemtap, 1.1.0)
 +policy_module(stapserver, 1.1.0)
 ########################################
 #
--- a/suse_modifications_systemd.patch
+++ b/suse_modifications_systemd.patch
@ -0,0 +1,40 @@
 Index: serefpolicy-20140730/policy/modules/system/systemd.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/systemd.te	2015-06-24 14:42:23.931790867 +0200
 +++ serefpolicy-20140730/policy/modules/system/systemd.te	2015-06-24 15:34:50.677937166 +0200
@@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst
 xserver_dbus_chat(systemd_logind_t)
 +allow systemd_logind_t var_run_t:sock_file write;
 +files_rw_inherited_generic_pid_files(systemd_logind_t)
 +
 optional_policy(`
 	apache_read_tmp_files(systemd_logind_t)
 ')
@@ -528,9 +531,14 @@ allow systemd_hostnamed_t self:unix_stre
 allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
 manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
 +manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
 manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
 files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
 files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
 +# since we have unpredictable filenames for the link file we can't use a named transition
 +create_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
 +delete_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
 +rename_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
 kernel_dgram_send(systemd_hostnamed_t)
@@ -608,6 +616,10 @@ optional_policy(`
 ')
 optional_policy(`
 +	unconfined_dbus_send(systemd_timedated_t)
 +')
 +
 +optional_policy(`
 	gnome_manage_usr_config(systemd_timedated_t)
 	gnome_manage_home_config(systemd_timedated_t)
 	gnome_manage_home_config_dirs(systemd_timedated_t)
--- a/suse_modifications_unconfined.patch
+++ b/suse_modifications_unconfined.patch
@ -0,0 +1,15 @@
 Index: serefpolicy-20140730/policy/modules/system/unconfined.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/unconfined.te
 +++ serefpolicy-20140730/policy/modules/system/unconfined.te
@@ -15,6 +15,10 @@ unconfined_domain(unconfined_service_t)
 corecmd_bin_entry_type(unconfined_service_t)
 corecmd_shell_entry_type(unconfined_service_t)
 +systemd_dbus_chat_localed(unconfined_service_t)
 +systemd_dbus_chat_logind(unconfined_service_t)
 +unconfined_shell_domtrans(unconfined_service_t)
 +
 optional_policy(`
 	rpm_transition_script(unconfined_service_t, system_r)
 ')
--- a/suse_modifications_unconfineduser.patch
+++ b/suse_modifications_unconfineduser.patch
@ -0,0 +1,16 @@
 Index: serefpolicy-20140730/policy/modules/roles/unconfineduser.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/roles/unconfineduser.te
 +++ serefpolicy-20140730/policy/modules/roles/unconfineduser.te
@@ -79,6 +79,11 @@ domain_transition_all(unconfined_t)
 usermanage_run_passwd(unconfined_t, unconfined_r)
 +# FIXME SUSE
 +#allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
 +allow unconfined_t init_exec_t:file entrypoint;
 +allow init_t unconfined_t:process transition;
 +
 tunable_policy(`deny_execmem',`',`
 	allow unconfined_t self:process execmem;
 ')
--- a/suse_modifications_unprivuser.patch
+++ b/suse_modifications_unprivuser.patch
@ -0,0 +1,26 @@
 Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te	2015-05-20 15:15:49.646097573 +0200
 +++ serefpolicy-20140730/policy/modules/roles/unprivuser.te	2015-05-20 16:00:16.212137319 +0200
@@ -259,17 +259,12 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
 -    vmtools_run_helper(user_t, user_r)
 +	vmtools_run_helper(user_t, user_r)
 ')
 -optional_policy(`
 -	virt_transition_svirt(user_t, user_r)
 -	virt_filetrans_home_content(user_t)
 +ifdef(`distro_suse',`
 +	xserver_xsession_entry_type(user_t)
 +	dbus_system_bus_client(user_t)
 ')
 -optional_policy(`
 -	tunable_policy(`unprivuser_use_svirt',`
 -		virt_manage_images(user_t)
 -	')
 -')
--- a/suse_modifications_usermanage.patch
+++ b/suse_modifications_usermanage.patch
@ -0,0 +1,24 @@
 Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
 +++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -274,6 +274,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 +allow groupadd_t self:netlink_selinux_socket { create bind };
 +allow groupadd_t var_run_t:sock_file write;
 +
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
@@ -572,6 +575,9 @@ userdom_home_filetrans_user_home_dir(use
 userdom_manage_home_role(system_r, useradd_t)
 userdom_delete_all_user_home_content(useradd_t)
 +allow useradd_t var_run_t:sock_file write;
 +selinux_compute_access_vector(useradd_t)
 +
 optional_policy(`
 	mta_manage_spool(useradd_t)
 ')
--- a/suse_modifications_virt.patch
+++ b/suse_modifications_virt.patch
@ -0,0 +1,13 @@
 Index: serefpolicy-contrib-20140730/virt.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/virt.te
 +++ serefpolicy-contrib-20140730/virt.te
@@ -280,6 +280,8 @@ corenet_udp_bind_all_ports(svirt_t)
 corenet_tcp_bind_all_ports(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 +allow svirt_t qemu_exec_t:file execmod;
 +
 #######################################
 #
 # svirt_prot_exec local policy
--- a/suse_modifications_xserver.patch
+++ b/suse_modifications_xserver.patch
@ -0,0 +1,36 @@
 Index: serefpolicy-20140730/policy/modules/services/xserver.fc
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
 +++ serefpolicy-20140730/policy/modules/services/xserver.fc
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /usr/bin/Xvnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +#/usr/lib/gdm/.* 	-- 	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/X11/display-manager	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 Index: serefpolicy-20140730/policy/modules/services/xserver.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/services/xserver.te
 +++ serefpolicy-20140730/policy/modules/services/xserver.te
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
 	allow xdm_t self:process { execheap execmem };
 ')
 +ifndef(`distro_suse',`
 +	# this is a neverallow, maybe dontaudit it
 +	#allow xdm_t proc_kcore_t:file getattr;
 +	allow xdm_t var_run_t:lnk_file create;
 +	allow xdm_t var_lib_t:lnk_file read;
 +
 +	dev_getattr_all_blk_files( xdm_t )
 +	dev_getattr_all_chr_files( xdm_t )
 +	logging_r_xconsole(xdm_t)
 +')
 +
 tunable_policy(`use_nfs_home_dirs',`
 	fs_exec_nfs_files(xdm_t)
 ')
--- a/sysconfig_network_scripts.patch
+++ b/sysconfig_network_scripts.patch
@ -0,0 +1,70 @@
 Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc	2015-07-21 16:52:51.913277147 +0200
 +++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc	2015-07-21 16:52:55.461333779 +0200
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
 /dev/shm/network(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
 ')
 +# SUSE
 +# sysconfig network files are stored in /dev/.sysconfig
 +/dev/.sysconfig/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 +# label netconfig files in /var/adm and /var/lib and /var/run
 +/var/adm/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 +/var/lib/ntp/var(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
 +/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 +
 +
 #
 # /etc
 #
@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
 /var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 ')
 +/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
 +/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
 +
 #
 # /sbin
 #
 Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te	2015-07-21 16:52:51.913277147 +0200
 +++ serefpolicy-20140730/policy/modules/system/sysnetwork.te	2015-07-21 16:54:15.998619244 +0200
@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
 -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 +# need sys_admin to set hostname/domainname
 +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock };
 dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 +# allow relabel of /dev/.sysconfig
 +dev_associate(net_conf_t)
 +
 +# allow mv /etc/resolv.conf.netconfig
 +allow dhcpc_t etc_runtime_t:file unlink;
 +
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc	2015-07-21 16:52:51.913277147 +0200
 +++ serefpolicy-20140730/policy/modules/kernel/devices.fc	2015-07-21 16:52:55.461333779 +0200
@@ -2,6 +2,7 @@
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 +/dev/.sysconfig(/.*)?	-d	gen_context(system_u:object_r:net_conf_t,s0)
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
--- a/systemd-tmpfiles.patch
+++ b/systemd-tmpfiles.patch
@ -0,0 +1,43 @@
 Index: serefpolicy-20140730/policy/modules/system/systemd.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/systemd.te
 +++ serefpolicy-20140730/policy/modules/system/systemd.te
@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
 +# allow tmpfiles to create files/dirs in /dev
 +systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
 +dev_getattr_autofs_dev(systemd_tmpfiles_t);
 +dev_getattr_lvm_control(systemd_tmpfiles_t);
 +dev_create_generic_dirs(systemd_tmpfiles_t);
 domain_obj_id_change_exemption(systemd_tmpfiles_t)
 # systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
 Index: serefpolicy-20140730/policy/modules/system/systemd.if
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/systemd.if
 +++ serefpolicy-20140730/policy/modules/system/systemd.if
@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
 	dontaudit $1 systemd_domain:dbus send_msg;
 ')
 +
 +########################################
 +## <summary>
 +##	Allow systemd-tmpfiles to create xconsole_device_t
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`systemd_tmpfiles_xconsole_create',`
 +	gen_require(`
 +		type device_t, xconsole_device_t;
 +	')
 +
 +	create_fifo_files_pattern($1, device_t, xconsole_device_t);
 +')
 +
--- a/type_transition_contrib.patch
+++ b/type_transition_contrib.patch
@ -0,0 +1,13 @@
 Index: serefpolicy-contrib-20140730/glusterd.te
 ===================================================================
 --- serefpolicy-contrib-20140730.orig/glusterd.te
 +++ serefpolicy-contrib-20140730/glusterd.te
@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 -files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
 +files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs")
 manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
 manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
--- a/type_transition_file_class.patch
+++ b/type_transition_file_class.patch
@ -0,0 +1,24 @@
 Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
 +++ serefpolicy-20140730/policy/modules/system/miscfiles.if
@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
 	')
 	files_etc_filetrans($1, locale_t, lnk_file)
 -	files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
 +	files_etc_filetrans($1, locale_t, file, "localtime" )
 +	files_etc_filetrans($1, locale_t, lnk_file, "localtime" )
 	files_etc_filetrans($1, locale_t, file, "locale.conf" )
 	files_etc_filetrans($1, locale_t, file, "timezone" )
 	files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
 		type locale_t;
 	')
 -	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
 +	files_etc_filetrans($1, locale_t, file, "localtime")
 +	files_etc_filetrans($1, locale_t, lnk_file, "localtime")
 	files_etc_filetrans($1, locale_t, file, "locale.conf")
 	files_etc_filetrans($1, locale_t, file, "vconsole.conf")
 	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
--- a/useradd-netlink_selinux_socket.patch
+++ b/useradd-netlink_selinux_socket.patch
@ -0,0 +1,12 @@
 Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
 +++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
 +allow useradd_t self:netlink_selinux_socket create_socket_perms;
 manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
 manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/xconsole.patch
+++ b/xconsole.patch
@ -0,0 +1,231 @@
 Basically, /dev/xconsole is a FIFO written to by syslog, and often is
 present even when there is no X. Therefore, this should go into the
 logging policy.
 Patch attached.
 best regards,
 Erich Schubert
 -- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 Nothing prevents happiness like the memory of happiness. --- A. Gide //\
       Die einzige Hoffnung auf Freude liegt in den menschlichen      V_/_
               Beziehungen. --- Antoine de Saint-Exupéry
 ["xconsole" (xconsole)]
 Index: policy/modules/services/xserver.te
 ===================================================================
 --- policy/modules/services/xserver.te.orig
 +++ policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 userdom_user_tmp_file(xauth_tmp_t)
 -# this is not actually a device, its a pipe
 -type xconsole_device_t;
 -files_type(xconsole_device_t)
 -dev_associate(xconsole_device_t)
 -fs_associate_tmpfs(xconsole_device_t)
 -files_associate_tmp(xconsole_device_t)
 -
 type xdm_unconfined_exec_t;
 application_executable_file(xdm_unconfined_exec_t)
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
 allow xdm_t xauth_home_t:file manage_file_perms;
 -allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
 libs_exec_ldconfig(xdm_t)
 logging_read_generic_logs(xdm_t)
 +logging_setattr_xconsole_pipes(xdm_t)
 +
 +# allow relabel of /dev/xconsole
 +dev_associate(xconsole_device_t)
 miscfiles_search_man_pages(xdm_t)
 miscfiles_read_fonts(xdm_t)
 Index: policy/modules/services/xserver.fc
 ===================================================================
 --- policy/modules/services/xserver.fc.orig
 +++ policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /root/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 #
 -# /dev
 -#
 -/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
 -
 -#
 # /etc
 #
 /etc/gdm(3)?/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 Index: policy/modules/system/logging.te
 ===================================================================
 --- policy/modules/system/logging.te.orig
 +++ policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 +# this is not actually a device, its a pipe
 +type xconsole_device_t;
 +files_type(xconsole_device_t)
 +fs_associate_tmpfs(xconsole_device_t)
 +files_associate_tmp(xconsole_device_t)
 +
 ########################################
 #
 # Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
 +# log to xconsole
 +allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
 +
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
@@ -631,11 +640,6 @@ optional_policy(`
 	udev_read_db(syslogd_t)
 ')
 -optional_policy(`
 -	# log to the xconsole
 -	xserver_rw_console(syslogd_t)
 -')
 -
 #####################################################
 #
 # syslog client rules
 Index: policy/modules/system/logging.if
 ===================================================================
 --- policy/modules/system/logging.if.orig
 +++ policy/modules/system/logging.if
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
     logging_log_filetrans($1, var_log_t, dir, "anaconda")
 ')
 +
 +########################################
 +## <summary>
 +##	Set the attributes of the xconsole named pipes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`logging_setattr_xconsole_pipes',`
 +	gen_require(`
 +		type xconsole_device_t;
 +	')
 +
 +	allow $1 xconsole_device_t:fifo_file setattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Read the xconsole named pipe.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`logging_r_xconsole',`
 +	gen_require(`
 +		type xconsole_device_t;
 +	')
 +
 +	allow $1 xconsole_device_t:fifo_file { getattr read };
 +')
 +
 Index: policy/modules/system/init.te
 ===================================================================
 --- policy/modules/system/init.te.orig
 +++ policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 +logging_setattr_xconsole_pipes(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
 ')
 optional_policy(`
 -	# Set device ownerships/modes.
 -	xserver_setattr_console_pipes(initrc_t)
 -
 	# init script wants to check if it needs to update windowmanagerlist
 	xserver_read_xdm_rw_config(initrc_t)
 ')
 Index: policy/modules/system/logging.fc
 ===================================================================
 --- policy/modules/system/logging.fc.orig
 +++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 +/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 Index: policy/modules/services/xserver.if
 ===================================================================
 --- policy/modules/services/xserver.if.orig
 +++ policy/modules/services/xserver.if
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
 ########################################
 ## <summary>
 -##	Set the attributes of the X windows console named pipes.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -#
 -interface(`xserver_setattr_console_pipes',`
 -	gen_require(`
 -		type xconsole_device_t;
 -	')
 -
 -	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 -')
 -
 -########################################
 -## <summary>
 -##	Read and write the X windows console named pipe.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -#
 -interface(`xserver_rw_console',`
 -	gen_require(`
 -		type xconsole_device_t;
 -	')
 -
 -	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
 -')
 -
 -########################################
 -## <summary>
 ##	Read XDM state files.
 ## </summary>
 ## <param name="domain">
		`@ -1,2 +0,0 @@`
			`SELINUX=permissive`
			`SELINUXTYPE=refpolicy-standard`
		`@ -0,0 +1,2 @@`
							`z /sys/devices/system/cpu/online - - -`
							`Z /sys/class/net - - -`