Accepting request 1073587 from security:SELinux

please stage this with the microos-tools changes. Should now be good since kernel_t is unconfined again OBS-URL: https://build.opensuse.org/request/show/1073587 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=44
2023-03-22 21:29:18 +00:00 · 2023-03-22 21:29:18 +00:00 · b73764daca
commit b73764daca
parent ce6fed0f4e 4bd800106f
85 changed files with 2863 additions and 3884 deletions
--- a/README.Update
+++ b/README.Update
@ -0,0 +1,19 @@
+# How to update this project
+
+This project is updated using obs services.
+The obs services pull from git repositories, which are specified in the `_service` file.
+Please contribute all changes to the upstream git repositories listed there.
+
+To update this project to the upstream versions, please make sure you installed these obs services locally:
+```
+sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files
+```
+
+Then, generate new tarballs, changelog and version number for this repository by running this command:
+```
+sh update.sh
+```
+
+Afterwards, please check your local project state and remove old tarballs if necessary.
+Then proceed as usual with check-in and build.
+
--- a/18
+++ b/18
@ -0,0 +1,18 @@
+<services>
+  <service name="tar_scm" mode="manual">
+    <param name="version">1</param>
+    <param name="versionformat">%cd</param>
+    <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+    <param name="revision">factory</param>
+  </service>
+  <service name="recompress" mode="manual">
+    <param name="compression">xz</param>
+    <param name="file">*.tar</param>
+  </service>
+  <service name="set_version" mode="manual" >
+    <param name="file">selinux-policy.spec</param>
+  </service>
+</services>
+
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
+              <param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm">
+                <param name="url">https://github.com/containers/container-selinux.git</param>
+              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
--- a/container.fc
+++ b/container.fc
@ -0,0 +1,156 @@
+/root/\.docker	gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxc/.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxd/.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/podman		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/podman		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/conmon		--	gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/bin/conmon		--	gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/s?bin/runc		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/container[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/sbin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/lib/systemd/system/docker.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/lxd.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/containerd.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker-latest(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log		gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/containerd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
+# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/atomic(/.*)?	<<none>>
+/var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker-latest/containers/.*/hostname		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/hosts		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
+
+/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+/var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+/var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)
--- a/container.if
+++ b/container.if
--- a/container.te
+++ b/container.te
--- a/distro_suse_to_distro_redhat.patch
+++ b/distro_suse_to_distro_redhat.patch
@ -1,209 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc
-+++ fedora-policy-20221019/policy/modules/contrib/apache.fc
-@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
- /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
- /usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- ')
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- ')
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -80,7 +80,7 @@ ifdef(`distro_redhat', `
- /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
- 
- # SuSE
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-@@ -462,7 +462,7 @@ ifdef(`distro_redhat', `
- /usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
- ')
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ssh/.*			--	gen_context(system_u:object_r:bin_t,s0)
-@@ -491,7 +491,7 @@ ifdef(`distro_suse', `
- /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/kernel/devices.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc
-+++ fedora-policy-20221019/policy/modules/kernel/devices.fc
-@@ -148,7 +148,7 @@
- /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usbmon.+		-c	gen_context(system_u:object_r:usbmon_device_t,s0)
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
- ')
- /dev/vmci       -c  gen_context(system_u:object_r:vmci_device_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -22,7 +22,7 @@ ifdef(`distro_redhat',`
- /[^/]+			--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -189,7 +189,7 @@ ifndef(`distro_debian',`
- /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/authlogin.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20221019/policy/modules/system/authlogin.fc
-@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~		gen_co
- /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
- /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/init.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.fc
-+++ fedora-policy-20221019/policy/modules/system/init.fc
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/run/bootsplashctl	-p	gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/keymap		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/numlock-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/system/init.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',`
- 	')
- ')
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- 	optional_policy(`
- 		# set permissions on /tmp/.X11-unix
- 		xserver_setattr_xdm_tmp_dirs(initrc_t)
-Index: fedora-policy-20221019/policy/modules/system/libraries.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20221019/policy/modules/system/libraries.fc
-@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_
- /var/lib/spamassassin/compiled/.*\.so.* --	gen_context(system_u:object_r:lib_t,s0)
- /usr/lib/xfce4/.*\.so.*			-- 	gen_context(system_u:object_r:lib_t,s0)
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/locallogin.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20221019/policy/modules/system/locallogin.te
-@@ -274,7 +274,7 @@ ifdef(`enable_mls',`
- ')
- 
- # suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
- 
- allow sulogin_t self:capability sys_tty_config;
-Index: fedora-policy-20221019/policy/modules/system/logging.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20221019/policy/modules/system/logging.fc
-@@ -46,7 +46,7 @@
- /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh)
- /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- 
-ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/logging.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/logging.te
-+++ fedora-policy-20221019/policy/modules/system/logging.te
-@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',`
- 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
- ')
- 
-ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- 	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
- ')
--- a/dontaudit_interface_kmod_tmpfs.patch
+++ b/dontaudit_interface_kmod_tmpfs.patch
@ -1,41 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
- userdom_nnp_transition_login_userdomain(xdm_t)
- userdom_watch_user_home_dirs(xdm_t)
- 
-+# SUSE uses startproc to start the display manager. While checking for running processes
-+# it goes over all running instances, triggering AVCs
-+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
-+
- #userdom_home_manager(xdm_t)
- tunable_policy(`xdm_write_home',`
-     userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-Index: fedora-policy-20221019/policy/modules/system/modutils.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/modutils.if
-+++ fedora-policy-20221019/policy/modules/system/modutils.if
-@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
- 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
- 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
- ')
-+
-+#######################################
-+## <summary>
-+## Don't audit accesses to tmp file type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
-+    gen_require(`
-+        type kmod_tmpfs_t;
-+    ')
-+
-+    dontaudit $1 kmod_tmpfs_t:file { getattr };
-+')
--- a/fedora-policy-20221019.tar.bz2
+++ b/fedora-policy-20221019.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
-size 733130
--- a/fix_accountsd.patch
+++ b/fix_accountsd.patch
@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/accountsd.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/accountsd.fc
-+++ fedora-policy/policy/modules/contrib/accountsd.fc
-@@ -1,6 +1,7 @@
- /usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
- 
- /usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
-+/usr/lib/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
- 
- /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
- 
--- a/fix_alsa.patch
+++ b/fix_alsa.patch
@ -1,15 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
-+++ fedora-policy-20221019/policy/modules/contrib/alsa.te
-@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
- 
-+optional_policy(`
-+	gnome_read_home_config(alsa_t)
-+')
-+
- ifdef(`distro_debian',`
- 	term_dontaudit_use_unallocated_ttys(alsa_t)
- 
--- a/fix_apache.patch
+++ b/fix_apache.patch
@ -1,30 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
-+++ fedora-policy-20221019/policy/modules/contrib/apache.if
-@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
- 
- 	allow $1 httpd_t:sem r_sem_perms;
- ')
-+
-+#######################################
-+## <summary>
-+##  Allow the specified domain to execute
-+##  httpd_sys_content_t and manage httpd_sys_rw_content_t
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`apache_exec_sys_content',`
-+    gen_require(`
-+        type httpd_sys_content_t;
-+	type httpd_sys_rw_content_t;
-+    ')
-+
-+    apache_manage_sys_content_rw($1)
-+    filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+    can_exec($1, httpd_sys_content_t)
-+')
--- a/fix_auditd.patch
+++ b/fix_auditd.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/system/logging.if
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/logging.if
-+++ fedora-policy-20211111/policy/modules/system/logging.if
-@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config',
- 
- 	files_search_etc($1)
- 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-+	allow $1 auditd_etc_t:dir mounton;
- ')
- 
- ########################################
--- a/fix_authlogin.patch
+++ b/fix_authlogin.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/system/authlogin.fc
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20211111/policy/modules/system/authlogin.fc
-@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', `
- /usr/libexec/chkpwd/tcb_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/libexec/chkpwd/tcb_updpwd	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
- /usr/libexec/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
-+/usr/lib/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
- 
- /var/ace(/.*)?			gen_context(system_u:object_r:var_auth_t,s0)
- 
--- a/fix_automount.patch
+++ b/fix_automount.patch
@ -1,15 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/automount.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/automount.te
-+++ fedora-policy/policy/modules/contrib/automount.te
-@@ -154,6 +154,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	networkmanager_read_pid_files(automount_t)
-+')
-+
-+optional_policy(`
- 	fstools_domtrans(automount_t)
- ')
- 
--- a/fix_bitlbee.patch
+++ b/fix_bitlbee.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-===================================================================
--- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc
-+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-@@ -9,6 +9,5 @@
- 
- /var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
- 
-/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
- /var/run/bip(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@ -1,60 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t)
- userdom_dgram_send(chronyd_t)
- 
- optional_policy(`
-+	networkmanager_read_pid_files(chronyd_t)
-+	networkmanager_dispatcher_custom_dgram_send(chronyd_t)
-+')
-+
-+optional_policy(`
-+	wicked_read_pid_files(chronyd_t)
-+')
-+
-+optional_policy(`
-     cron_dgram_send(chronyd_t)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,8 @@
- 
- /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
- /usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/lib/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/libexec/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
- 
- /usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
- 
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug
- 
- 	domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t)
- ')
-+
-+########################################
-+## <summary>
-+##      Send a message to NetworkManager_dispatcher_custom
-+##      over a unix domain datagram socket.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`networkmanager_dispatcher_custom_dgram_send',`
-+        gen_require(`
-+                type NetworkManager_dispatcher_custom_t;
-+        ')
-+
-+        allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto;
-+')
--- a/fix_cloudform.patch
+++ b/fix_cloudform.patch
@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/cloudform.te
-===================================================================
--- cloudform.te	2022-07-18 14:06:56.735383426 +0200
-+++ cloudform.te.new	2022-07-18 14:07:36.003069544 +0200
-@@ -81,6 +81,8 @@
- 
- init_dbus_chat(cloud_init_t)
- 
-+snapper_dbus_chat(cloud_init_t)
-+
- kernel_read_network_state(cloud_init_t)
- 
- corenet_tcp_connect_http_port(cloud_init_t)
--- a/fix_colord.patch
+++ b/fix_colord.patch
@ -1,25 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
-+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
-@@ -6,6 +6,8 @@
- 
- /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
- /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
- 
- /usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
- 
-Index: fedora-policy-20211111/policy/modules/contrib/colord.te
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
-+++ fedora-policy-20211111/policy/modules/contrib/colord.te
-@@ -17,6 +17,7 @@ type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
- init_daemon_domain(colord_t, colord_exec_t)
-+init_nnp_daemon_domain(colord_t)
- 
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
--- a/fix_container.patch
+++ b/fix_container.patch
@ -1,13 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/container.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/container.te
-+++ fedora-policy-20221019/policy/modules/services/container.te
-@@ -681,6 +681,8 @@ init_dbus_chat(spc_t)
- optional_policy(`
- 	systemd_dbus_chat_machined(spc_t)
- 	systemd_dbus_chat_logind(spc_t)
-+	systemd_dbus_chat_timedated(spc_t)
-+	systemd_dbus_chat_localed(spc_t)
- ')
- 
- optional_policy(`
--- a/fix_corecommand.patch
+++ b/fix_corecommand.patch
@ -1,64 +0,0 @@
-Index: fedora-policy/policy/modules/kernel/corecommands.fc
-===================================================================
--- fedora-policy.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy/policy/modules/kernel/corecommands.fc
-@@ -86,7 +86,10 @@ ifdef(`distro_redhat',`
- 
- /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
- 
-/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/netconfig.d/.*		--	gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/mcelog/.*-error.*-trigger	--	gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.setup		--	gen_context(system_u:object_r:bin_t,s0)
- 
-@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',`
- /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gnome-settings-daemon/.* --	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-settings-daemon-3.0/.* --	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-calculator-search-provider --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-control-center-search-provider --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-photos-thumbnailer --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-rr-debug --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-binary --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gles-helper --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gl-helper --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-failed --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-cmd --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-restarter --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-migration --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-server --        gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-tweak-tool-lid-inhibitor --        gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gvfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',`
- 
- /usr/lib/xen/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
- /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib'
-+/usr/lib/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
- 
- /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
- 
- /usr/lib/xfce4(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- 
-+/usr/lib/build/.*	--	gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/Brother(/.*)?              gen_context(system_u:object_r:bin_t,s0)
- /usr/Printer(/.*)?              gen_context(system_u:object_r:bin_t,s0)
- /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
- /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
- ')
-+/usr/lib/gdm/.*		--	gen_context(system_u:object_r:bin_t,s0)
- 
- ifdef(`distro_gentoo', `
- /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
--- a/fix_cron.patch
+++ b/fix_cron.patch
@ -1,47 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -34,7 +34,7 @@
- 
- /var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/USER   	--  gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/cron/tabs/USER   	--  gen_context(system_u:object_r:user_cron_spool_t,s0)
- 
- /var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.*	--	<<none>>
-@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+
-+/var/spool/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/atjobs/.SEQ          --	gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/atjobs/[^/]*		--	<<none>>
- ')
- 
- ifdef(`distro_debian',`
-@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- ')
-
-ifdef(`distro_redhat', `
-/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
-/var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-')
-Index: fedora-policy-20221019/policy/modules/contrib/cron.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
-+++ fedora-policy-20221019/policy/modules/contrib/cron.if
-@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
- #
- interface(`cron_system_spool_entrypoint',`
- 	gen_require(`
-		attribute system_cron_spool_t;
-+		type system_cron_spool_t;
- 	')
- 	allow $1 system_cron_spool_t:file entrypoint;
- ')
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@ -1,21 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/dbus.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20221019/policy/modules/contrib/dbus.te
-@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
- manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
-+allow system_dbusd_t system_dbusd_tmp_t:file execute;
- 
- manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
- manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
-@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd
- files_rw_inherited_non_security_files(system_dbusd_t)
- files_watch_usr_dirs(system_dbusd_t)
- files_watch_var_lib_dirs(system_dbusd_t)
-+# bsc#1205895
-+files_watch_lib_dirs(system_dbusd_t)
- 
- fs_getattr_all_fs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
--- a/fix_djbdns.patch
+++ b/fix_djbdns.patch
@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/djbdns.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/djbdns.te	2019-08-05 09:39:48.641670181 +0200
-+++ fedora-policy/policy/modules/contrib/djbdns.te	2019-08-05 09:53:08.383084236 +0200
-@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
- allow djbdns_domain self:tcp_socket create_stream_socket_perms;
- allow djbdns_domain self:udp_socket create_socket_perms;
- 
-corenet_all_recvfrom_unlabeled(djbdns_domain)
-corenet_all_recvfrom_netlabel(djbdns_domain)
-corenet_tcp_sendrecv_generic_if(djbdns_domain)
-corenet_udp_sendrecv_generic_if(djbdns_domain)
-corenet_tcp_sendrecv_generic_node(djbdns_domain)
-corenet_udp_sendrecv_generic_node(djbdns_domain)
-corenet_tcp_sendrecv_all_ports(djbdns_domain)
-corenet_udp_sendrecv_all_ports(djbdns_domain)
-corenet_tcp_bind_generic_node(djbdns_domain)
-corenet_udp_bind_generic_node(djbdns_domain)
-
-corenet_sendrecv_dns_server_packets(djbdns_domain)
-corenet_tcp_bind_dns_port(djbdns_domain)
-corenet_udp_bind_dns_port(djbdns_domain)
-
-corenet_sendrecv_dns_client_packets(djbdns_domain)
-corenet_tcp_connect_dns_port(djbdns_domain)
-
-corenet_sendrecv_generic_server_packets(djbdns_domain)
-corenet_tcp_bind_generic_port(djbdns_domain)
-corenet_udp_bind_generic_port(djbdns_domain)
-
- files_search_var(djbdns_domain)
- 
- daemontools_ipc_domain(djbdns_axfrdns_t)
--- a/fix_dnsmasq.patch
+++ b/fix_dnsmasq.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-===================================================================
--- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
-+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
- 
- miscfiles_read_public_files(dnsmasq_t)
-+sysnet_manage_config_dirs(dnsmasq_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
--- a/fix_dovecot.patch
+++ b/fix_dovecot.patch
@ -1,15 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-===================================================================
--- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
-+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
- /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- ')
- 
-+/usr/lib/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/lib/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+
- #
- # /var
- #
--- a/fix_firewalld.patch
+++ b/fix_firewalld.patch
@ -1,42 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
-+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
-@@ -131,6 +131,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	iptables_manage_var_lib_files(firewalld_t)
- 	iptables_domtrans(firewalld_t)
- 	iptables_read_var_run(firewalld_t)
- ')
-Index: fedora-policy-20211111/policy/modules/system/iptables.if
-===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/iptables.if
-+++ fedora-policy-20211111/policy/modules/system/iptables.if
-@@ -2,6 +2,25 @@
- 
- ########################################
- ## <summary>
-+##	Allow management of iptables_var_lib_t files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to mange files
-+##	</summary>
-+## </param>
-+#
-+interface(`iptables_manage_var_lib_files',`
-+	gen_require(`
-+		type iptables_var_lib_t;
-+	')
-+
-+	manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+	manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute iptables in the iptables domain.
- ## </summary>
- ## <param name="domain">
--- a/fix_fwupd.patch
+++ b/fix_fwupd.patch
@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/fwupd.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/fwupd.fc
-+++ fedora-policy/policy/modules/contrib/fwupd.fc
-@@ -4,6 +4,7 @@
- /etc/pki/(fwupd|fwupd-metadata)(/.*)?		gen_context(system_u:object_r:fwupd_cert_t,s0)
- 
- /usr/libexec/fwupd/fwupd		--	gen_context(system_u:object_r:fwupd_exec_t,s0)
-+/usr/lib/fwupd/fwupd			--	gen_context(system_u:object_r:fwupd_exec_t,s0)
- 
- /var/cache/app-info(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
- /var/cache/fwupd(/.*)?			gen_context(system_u:object_r:fwupd_cache_t,s0)
--- a/fix_geoclue.patch
+++ b/fix_geoclue.patch
@ -1,10 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/geoclue.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/geoclue.fc
-+++ fedora-policy/policy/modules/contrib/geoclue.fc
-@@ -1,4 +1,4 @@
-
-+/usr/lib/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
- /usr/libexec/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
- 
- /var/lib/geoclue(/.*)?		gen_context(system_u:object_r:geoclue_var_lib_t,s0)
--- a/fix_hypervkvp.patch
+++ b/fix_hypervkvp.patch
@ -1,15 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-===================================================================
--- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
-+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-@@ -3,8 +3,10 @@
- /usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
- 
- /usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- /usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- 
- /usr/sbin/hypervvssd        --  gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*vss_daemon	--	gen_context(system_u:object_r:hypervvssd_exec_t,s0)
- 
- /var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
--- a/fix_init.patch
+++ b/fix_init.patch
@ -1,88 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/init.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
- corenet_all_recvfrom_netlabel(init_t)
- corenet_tcp_bind_all_ports(init_t)
- corenet_udp_bind_all_ports(init_t)
-+corenet_udp_bind_generic_node(init_t)
-+corenet_tcp_bind_generic_node(init_t)
- 
- dev_create_all_files(init_t)
- dev_create_all_chr_files(init_t)
-@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
- logging_create_syslog_netlink_audit_socket(init_t)
- logging_write_var_log_dirs(init_t)
- logging_manage_var_log_symlinks(init_t)
-+logging_dgram_accept(init_t)
- 
- seutil_read_config(init_t)
- seutil_read_login_config(init_t)
-@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
- corecmd_shell_domtrans(init_t, initrc_t)
- 
- storage_raw_rw_fixed_disk(init_t)
-+storage_raw_read_removable_device(init_t)
- 
- sysnet_read_dhcpc_state(init_t)
- 
-+# bsc#1197610, find a better, generic solution
-+optional_policy(`
-+    mta_getattr_spool(init_t)
-+')
-+
-+optional_policy(`
-+    networkmanager_initrc_read_lnk_files(init_t)
-+')
-+
- optional_policy(`
- 	anaconda_stream_connect(init_t)
- 	anaconda_create_unix_stream_sockets(init_t)
-@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
- allow init_t self:system all_system_perms;
- allow init_t self:system module_load;
- allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
-+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
- allow init_t self:process { getcap setcap };
- allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow init_t self:netlink_selinux_socket create_socket_perms;
- allow init_t self:unix_dgram_socket lock;
- # Until systemd is fixed
-@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
- files_create_var_lib_dirs(init_t)
- files_create_var_lib_symlinks(init_t)
- files_read_var_lib_symlinks(init_t)
-+files_read_var_files(init_t)
- files_manage_urandom_seed(init_t)
- files_list_locks(init_t)
- files_list_spool(init_t)
-@@ -684,7 +698,7 @@ fs_list_all(init_t)
- fs_list_auto_mountpoints(init_t)
- fs_register_binary_executable_type(init_t)
- fs_relabel_tmpfs_sock_file(init_t)
-fs_rw_tmpfs_files(init_t)	
-+fs_rw_tmpfs_files(init_t)
- fs_relabel_cgroup_dirs(init_t)
- fs_search_cgroup_dirs(init_t)
- # for network namespaces
-@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
- create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
- 
- create_dirs_pattern(init_t, var_log_t, var_log_t)
-+files_manage_var_files(init_t)
- 
- auth_use_nsswitch(init_t)
- auth_rw_login_records(init_t)
-@@ -1596,6 +1611,8 @@ optional_policy(`
- 
- optional_policy(`
- 	postfix_list_spool(initrc_t)
-+	#allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
-+	postfix_domtrans_map(init_t)
- ')
- 
- optional_policy(`
--- a/fix_ipsec.patch
+++ b/fix_ipsec.patch
@ -1,20 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/ipsec.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/ipsec.te
-+++ fedora-policy-20221019/policy/modules/system/ipsec.te
-@@ -87,6 +87,7 @@ allow ipsec_t self:tcp_socket create_str
- allow ipsec_t self:udp_socket create_socket_perms;
- allow ipsec_t self:packet_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
-+allow ipsec_t self:alg_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
- allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-@@ -269,6 +270,7 @@ allow ipsec_mgmt_t self:unix_stream_sock
- allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:udp_socket create_socket_perms;
- allow ipsec_mgmt_t self:key_socket create_socket_perms;
-+allow ipsec_mgmt_t self:alg_socket create_socket_perms;
- allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
- allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
- allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
--- a/fix_iptables.patch
+++ b/fix_iptables.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/iptables.te
-===================================================================
--- fedora-policy-20220428.orig/policy/modules/system/iptables.te
-+++ fedora-policy-20220428/policy/modules/system/iptables.te
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
- kernel_use_fds(iptables_t)
- kernel_rw_net_sysctls(iptables_t)
-+kernel_rw_pipes(iptables_t)
- kernel_search_network_sysctl(iptables_t)
- 
- 
--- a/fix_irqbalance.patch
+++ b/fix_irqbalance.patch
@ -1,13 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/irqbalance.te
-+++ fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-@@ -24,7 +24,7 @@ files_pid_file(irqbalance_var_run_t)
- allow irqbalance_t self:capability { setpcap net_admin };
- dontaudit irqbalance_t self:capability sys_tty_config;
- allow irqbalance_t self:process { getcap getsched setcap signal_perms };
-allow irqbalance_t self:udp_socket create_socket_perms;
-+allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms;
- 
- manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
- manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
--- a/fix_java.patch
+++ b/fix_java.patch
@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/java.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/java.te	2019-08-05 13:50:32.925673660 +0200
-+++ fedora-policy/policy/modules/contrib/java.te	2019-08-05 14:06:51.896425229 +0200
-@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
- attribute_role unconfined_java_roles;
- 
- type java_t, java_domain;
-+typealias java_t alias java_domain_t;
- type java_exec_t;
- userdom_user_application_domain(java_t, java_exec_t)
- typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
-@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
- kernel_read_all_sysctls(java_domain)
- kernel_search_vm_sysctl(java_domain)
- kernel_read_network_state(java_domain)
-kernel_read_system_state(java_domain)
- 
- corecmd_search_bin(java_domain)
- 
-corenet_all_recvfrom_unlabeled(java_domain)
-corenet_all_recvfrom_netlabel(java_domain)
-corenet_tcp_sendrecv_generic_if(java_domain)
-corenet_tcp_sendrecv_generic_node(java_domain)
-
-corenet_sendrecv_all_client_packets(java_domain)
-corenet_tcp_connect_all_ports(java_domain)
-corenet_tcp_sendrecv_all_ports(java_domain)
-
- dev_read_sound(java_domain)
- dev_write_sound(java_domain)
- dev_read_urand(java_domain)
-@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
- fs_getattr_all_fs(java_domain)
- fs_dontaudit_rw_tmpfs_files(java_domain)
- 
-logging_send_syslog_msg(java_domain)
-
- miscfiles_read_localization(java_domain)
- miscfiles_read_fonts(java_domain)
- 
--- a/fix_kernel_sysctl.patch
+++ b/fix_kernel_sysctl.patch
@ -1,26 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
- /usr/lib/ostree-boot(/.*)?                gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/vmlinuz         -- 	gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/initramfs.img   --	gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/sysctl.conf     --	gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/System.map      --	gen_context(system_u:object_r:system_map_t,s0)
- 
- /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
- 
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t)
- logging_send_syslog_msg(systemd_sysctl_t)
- 
- systemd_read_efivarfs(systemd_sysctl_t)
-+# kernel specific sysctl.conf may be in modules dir
-+allow systemd_sysctl_t modules_object_t:dir search;
- 
- #######################################
- #
--- a/fix_libraries.patch
+++ b/fix_libraries.patch
@ -1,13 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/system/libraries.fc
-===================================================================
--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20210419/policy/modules/system/libraries.fc
-@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
- 
- /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
- 
-+/usr/lib/libreoffice/program/resource.* --	gen_context(system_u:object_r:lib_t,s0)
-+
- /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--- a/fix_locallogin.patch
+++ b/fix_locallogin.patch
@ -1,20 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/locallogin.te
-===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20220624/policy/modules/system/locallogin.te
-@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
- kernel_search_key(local_login_t)
- kernel_link_key(local_login_t)
-+kernel_getattr_proc(local_login_t)
- 
- corecmd_list_bin(local_login_t)
- corecmd_read_bin_symlinks(local_login_t)
-@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
- auth_use_nsswitch(local_login_t)
-+auth_read_shadow(local_login_t)
- 
- init_dontaudit_use_fds(local_login_t)
- init_stream_connect(local_login_t)
--- a/fix_logging.patch
+++ b/fix_logging.patch
@ -1,48 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/logging.fc
-===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20220624/policy/modules/system/logging.fc
-@@ -3,6 +3,8 @@
- /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog.d(/.*)?		gen_context(system_u:object_r:syslog_conf_t,s0)
-+/var/run/rsyslog/additional-log-sockets.conf 	--		gen_context(system_u:object_r:syslog_conf_t,s0)
-+/run/rsyslog/additional-log-sockets.conf 	--		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/rsyslog(/.*)?		gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
- 
- /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20220624/policy/modules/system/logging.if
-===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.if
-+++ fedora-policy-20220624/policy/modules/system/logging.if
-@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',`
- 
- 	allow $1 syslogd_t:unix_dgram_socket sendto;
- ')
-+
-+########################################
-+## <summary>
-+##	Accept a message to syslogd over a unix domain
-+##	datagram socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`logging_dgram_accept',`
-+	gen_require(`
-+		type syslogd_t;
-+	')
-+
-+	allow $1 syslogd_t:unix_dgram_socket accept;
-+')
--- a/fix_logrotate.patch
+++ b/fix_logrotate.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
- 
- kernel_read_system_state(logrotate_t)
- kernel_read_kernel_sysctls(logrotate_t)
-+files_manage_mounttab(logrotate_t)
- 
- dev_read_urand(logrotate_t)
- dev_read_sysfs(logrotate_t)
--- a/fix_mcelog.patch
+++ b/fix_mcelog.patch
@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/mcelog.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/mcelog.te
-+++ fedora-policy/policy/modules/contrib/mcelog.te
-@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t)
- # Local policy
- #
- 
-allow mcelog_t self:capability sys_admin;
-+allow mcelog_t self:capability { sys_admin setgid };
- allow mcelog_t self:unix_stream_socket connected_socket_perms;
- 
- allow mcelog_t mcelog_etc_t:dir list_dir_perms;
--- a/fix_miscfiles.patch
+++ b/fix_miscfiles.patch
@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/system/miscfiles.fc
-===================================================================
--- fedora-policy.orig/policy/modules/system/miscfiles.fc	2019-08-05 09:39:39.117510678 +0200
-+++ fedora-policy/policy/modules/system/miscfiles.fc	2019-08-22 12:44:01.678484113 +0200
-@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
- /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
- 
- /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-+/var/lib/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
- /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
--- a/fix_nagios.patch
+++ b/fix_nagios.patch
@ -1,24 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nagios.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/nagios.fc
-+++ fedora-policy/policy/modules/contrib/nagios.fc
-@@ -24,6 +24,7 @@
- /var/log/pnp4nagios(/.*)?                   gen_context(system_u:object_r:nagios_log_t,s0)
- 
- /var/lib/pnp4nagios(/.*)?               gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+/var/lib/nagios(/.*)?               gen_context(system_u:object_r:nagios_var_lib_t,s0)
- 
- /var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
- 
-Index: fedora-policy/policy/modules/contrib/nagios.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/nagios.te
-+++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
- manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
- 
- kernel_read_system_state(nagios_t)
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@ -1,127 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_
- sysnet_manage_config(NetworkManager_t)
- sysnet_filetrans_named_content(NetworkManager_t)
- sysnet_filetrans_net_conf(NetworkManager_t)
-+sysnet_watch_config(NetworkManager_t)
- 
- systemd_login_watch_pid_dirs(NetworkManager_t)
- systemd_login_watch_session_dirs(NetworkManager_t)
-@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t
- userdom_read_user_home_content_files(NetworkManager_t)
- userdom_dgram_send(NetworkManager_t)
- 
-+hostname_exec(NetworkManager_t)
-+networkmanager_systemctl(NetworkManager_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
-     fs_read_nfs_files(NetworkManager_t)
- ')
-@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',`
- ')
- 
- optional_policy(`
-+    nis_systemctl_ypbind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- 	avahi_domtrans(NetworkManager_t)
- 	avahi_kill(NetworkManager_t)
- 	avahi_signal(NetworkManager_t)
-@@ -292,6 +300,14 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	packagekit_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+    networkmanager_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
- 	bind_domtrans(NetworkManager_t)
- 	bind_manage_cache(NetworkManager_t)
- 	bind_kill(NetworkManager_t)
-@@ -419,6 +435,8 @@ optional_policy(`
- 	nscd_kill(NetworkManager_t)
- 	nscd_initrc_domtrans(NetworkManager_t)
- 	nscd_systemctl(NetworkManager_t)
-+	nscd_socket_use(NetworkManager_dispatcher_tlp_t)
-+	nscd_socket_use(NetworkManager_dispatcher_custom_t)
- ')
- 
- optional_policy(`
-@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di
- 
- init_status(NetworkManager_dispatcher_cloud_t)
- init_status(NetworkManager_dispatcher_ddclient_t)
-+init_status(NetworkManager_dispatcher_custom_t)
- init_append_stream_sockets(networkmanager_dispatcher_plugin)
- init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
- init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -621,6 +640,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
-+')
-+
-+optional_policy(`
- 	cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
-         init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- ')
- 
-+#######################################
-+## <summary>
-+##      Allow reading of NetworkManager link files
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed to read the links
-+##      </summary>
-+## </param>
-+#
-+interface(`networkmanager_initrc_read_lnk_files',`
-+        gen_require(`
-+                type NetworkManager_initrc_exec_t;
-+        ')
-+
-+	read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-+')
-+
- ########################################
- ## <summary>
- ##	Execute NetworkManager server in the NetworkManager domain.
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-@@ -24,6 +24,7 @@
- /usr/lib/NetworkManager/dispatcher\.d/04-iscsi	--	gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/10-sendmail	--	gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/11-dhclient	--	gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
-+/usr/lib/NetworkManager/dispatcher\.d/20-chrony	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/30-winbind	--	gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
-@@ -37,6 +38,9 @@
- 
- /usr/libexec/nm-dispatcher --	gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
- /usr/libexec/nm-priv-helper  -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
-+# bsc#1206355
-+/usr/lib/nm-dispatcher --	gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
-+/usr/lib/nm-priv-helper  -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
- 
- /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
--- a/fix_nis.patch
+++ b/fix_nis.patch
@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nis.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/nis.te
-+++ fedora-policy/policy/modules/contrib/nis.te
-@@ -78,6 +78,7 @@ manage_files_pattern(ypbind_t, ypbind_va
- files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
- 
- manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
-+manage_dirs_pattern(ypbind_t, var_yp_t, var_yp_t)
- 
- kernel_read_system_state(ypbind_t)
- kernel_read_kernel_sysctls(ypbind_t)
--- a/fix_nscd.patch
+++ b/fix_nscd.patch
@ -1,35 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
-@@ -8,8 +8,10 @@
- /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
- 
- /var/run/nscd\.pid	--	gen_context(system_u:object_r:nscd_var_run_t,s0)
-/var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/run/nscd/socket		-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
-+/var/lib/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
- /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-+
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
- userdom_dontaudit_search_user_home_dirs(nscd_t)
- 
- optional_policy(`
-+	networkmanager_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
-+	wicked_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
- 	accountsd_dontaudit_rw_fifo_file(nscd_t)
- ')
- 
--- a/fix_ntp.patch
+++ b/fix_ntp.patch
@ -1,39 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/ntp.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/ntp.fc	2020-02-21 15:59:23.349556504 +0000
-+++ fedora-policy/policy/modules/contrib/ntp.fc	2020-02-21 16:01:41.591761350 +0000
-@@ -16,7 +16,6 @@
- 
- /usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
- 
-/var/lib/ntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
- 
-@@ -25,3 +24,26 @@
- /var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
- 
- /var/run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
-+
-+/var/lib/ntp                           gen_context(system_u:object_r:root_t,s0)
-+/var/lib/ntp/kod                       gen_context(system_u:object_r:etc_runtime_t,s0)
-+/var/lib/ntp/dev                       gen_context(system_u:object_r:device_t,s0)
-+/var/lib/ntp/etc                       gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/ntp/etc/ntpd.*\.conf.*        --      gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp/crypto(/.*)?      --      gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/data(/.*)?        --      gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/etc/ntp/keys              --      gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/step-tickers.*    --      gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp.conf.iburst       --      gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/var                       gen_context(system_u:object_r:var_t,s0)
-+/var/lib/ntp/var/lib                   gen_context(system_u:object_r:var_lib_t,s0)
-+/var/lib/ntp/var/run                   gen_context(system_u:object_r:var_run_t,s0)
-+/var/lib/ntp/var/lib/ntp(/.*)?         gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp(/.*)?        gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp-kod(/.*)?    gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift                     gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift/ntp.drift           --      gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/log/ntp.*             --      gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/ntpstats(/.*)?    gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/xntpd.*           --      gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/run/ntpd\.pid         --      gen_context(system_u:object_r:ntpd_var_run_t,s0)
--- a/fix_openvpn.patch
+++ b/fix_openvpn.patch
@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/openvpn.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/openvpn.te
-+++ fedora-policy/policy/modules/contrib/openvpn.te
-@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal
- ## </desc>
- gen_tunable(openvpn_can_network_connect, true)
- 
-+## <desc>
-+##	<p>
-+##	Determine whether openvpn can
-+##	change sysctl values (e.g. rp_filter)
-+##	</p>
-+## </desc>
-+gen_tunable(openvpn_allow_changing_sysctls, false)
-+
- attribute_role openvpn_roles;
- 
- type openvpn_t;
-@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t
- userdom_read_inherited_user_tmp_files(openvpn_t)
- userdom_read_inherited_user_home_content_files(openvpn_t)
- 
-+tunable_policy(`openvpn_allow_changing_sysctls',`
-+        kernel_rw_net_sysctls(openvpn_t)
-+')
-+
- tunable_policy(`openvpn_enable_homedirs',`
- 	userdom_search_user_home_dirs(openvpn_t)
- ')
-@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn
- ')
- 
- optional_policy(`
-+	firewalld_dbus_chat(openvpn_t)
-+')
-+
-+optional_policy(`
- 	brctl_domtrans(openvpn_t)
- ')
- 
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@ -1,120 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,21 @@
- # postfix
-/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
-/etc/postfix/chroot-update --	gen_context(system_u:object_r:postfix_exec_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
-+/etc/rc\.d/init\.d/postfix    --  	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-+/etc/postfix.*		      		gen_context(system_u:object_r:postfix_etc_t,s0)
-+/etc/postfix/chroot-update 	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/.*		--	gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/systemd/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/cleanup 	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-+/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-+/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-+/usr/lib/postfix/bin/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-+/usr/lib/postfix/bin/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-+/usr/lib/postfix/bin/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-+/usr/lib/postfix/bin/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-+/usr/lib/postfix/bin/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-+/usr/lib/postfix/bin/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
- /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
- /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
- /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
- 
-+/etc/postfix/system/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-+/etc/postfix/system/update_postmaps	--	gen_context(system_u:object_r:postfix_map_exec_t,s0)
-+
- /var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
- 
- /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
-+/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
- /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
- /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
-@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
- mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-+# SUSE also runs this on /etc/alias
-+mta_filetrans_aliases(postfix_master_t, etc_t)
- 
- can_exec(postfix_master_t, postfix_exec_t)
- 
-@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
- 
- userdom_use_inherited_user_ptys(postfix_map_t)
- 
-+corecmd_exec_bin(postfix_map_t)
-+allow postfix_map_t postfix_map_exec_t:file execute_no_trans;
-+init_ioctl_stream_sockets(postfix_map_t)
-+
-+optional_policy(`
-+	mta_read_aliases(postfix_map_t)
-+')
-+
- optional_policy(`
- 	locallogin_dontaudit_use_fds(postfix_map_t)
- ')
-@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
- files_search_all_mountpoints(postfix_smtp_t)
- 
- optional_policy(`
-+    networkmanager_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
-+    wicked_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
- 	cyrus_stream_connect(postfix_smtp_t)
- 	cyrus_runtime_stream_connect(postfix_smtp_t)
- ')
--- a/fix_rpm.patch
+++ b/fix_rpm.patch
@ -1,51 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -18,6 +18,10 @@
- /usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
- /usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
-+/usr/sbin/zypp-refresh		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/zypper			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+
-+
- /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -56,6 +60,8 @@ ifdef(`distro_redhat', `
- /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
- 
-+/var/cache/zypp(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+
- /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.if
-@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
- 	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
- 	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
- 	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
-+	logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log")
- 	files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
- 	files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
-+	files_var_filetrans($1, rpm_var_cache_t, dir, "zypp")
- 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
- 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
- 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
- /etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
- /etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/zypp(/.*)?                        		gen_context(system_u:object_r:system_conf_t,s0)
- /etc/ostree/remotes.d(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
- 
- /ostree/repo(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
--- a/fix_screen.patch
+++ b/fix_screen.patch
@ -1,22 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/screen.if
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/screen.if
-+++ fedora-policy/policy/modules/contrib/screen.if
-@@ -45,6 +45,7 @@ template(`screen_role_template',`
- 
-     userdom_list_user_home_dirs($1_screen_t)
- 	userdom_home_reader($1_screen_t)
-+        userdom_read_user_home_content_symlinks($1_screen_t)
- 
- 	domtrans_pattern($3, screen_exec_t, $1_screen_t)
- 	allow $3 $1_screen_t:process { signal sigchld };
-Index: fedora-policy/policy/modules/contrib/screen.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/screen.fc
-+++ fedora-policy/policy/modules/contrib/screen.fc
-@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf	--	gen_context(sys
- /usr/bin/tmux			--	gen_context(system_u:object_r:screen_exec_t,s0)
- 
- /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
-+/var/run/uscreens(/.*)?'                gen_context(system_u:object_r:screen_var_run_t,s0)
- /var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
--- a/fix_selinuxutil.patch
+++ b/fix_selinuxutil.patch
@ -1,39 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te
-@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
- ')
- 
- optional_policy(`
-+	packagekit_read_write_fifo(load_policy_t)
-+')
-+
-+optional_policy(`
- 	portage_dontaudit_use_fds(load_policy_t)
- ')
- 
-@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
- 
- optional_policy(`
-+	packagekit_read_write_fifo(setfiles_t)
-+')
-+
-+optional_policy(`
-     cloudform_dontaudit_write_cloud_log(setfiles_t)
- ')
- 
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if
-@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
- 
- 	dontaudit $1 selinux_config_t:dir search_dir_perms;
- 	dontaudit $1 selinux_config_t:file read_file_perms;
-+	# /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
-+	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
--- a/fix_sendmail.patch
+++ b/fix_sendmail.patch
@ -1,32 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-@@ -1,8 +1,9 @@
- 
- /etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+/etc/mail/system/sm-client.pre --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
- 
- /var/log/sendmail\.st.*		--	gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
- 
-/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
-+/var/run/sendmail(/.*)?                 gen_context(system_u:object_r:sendmail_var_run_t,s0)
- /var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
-@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
- manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
- files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
- 
-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
-+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+files_pid_filetrans(sendmail_t, sendmail_var_run_t,  { file dir })
- 
- kernel_read_network_state(sendmail_t)
- kernel_read_kernel_sysctls(sendmail_t)
--- a/fix_smartmon.patch
+++ b/fix_smartmon.patch
@ -1,9 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/smartmon.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/smartmon.fc
-+++ fedora-policy/policy/modules/contrib/smartmon.fc
-@@ -5,3 +5,4 @@
- /var/run/smartd\.pid	--	gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
- 
- /var/lib/smartmontools(/.*)?	gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
-+/var/lib/smartmontools/smartd_opts      --      gen_context(system_u:object_r:etc_t,s0)
--- a/fix_snapper.patch
+++ b/fix_snapper.patch
@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
-@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
- type snapperd_data_t;
- files_type(snapperd_data_t)
- 
-+type snapperd_tmp_t;
-+files_tmp_file(snapperd_tmp_t)
-+
- ########################################
- #
- # snapperd local policy
-@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r
- allow snapperd_t snapperd_data_t:file relabelfrom;
- snapper_filetrans_named_content(snapperd_t)
- 
-+allow snapperd_t snapperd_tmp_t:file manage_file_perms;
-+allow snapperd_t snapperd_tmp_t:dir manage_dir_perms;
-+files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir })
-+
- kernel_setsched(snapperd_t)
- 
- domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
- auth_use_nsswitch(snapperd_t)
- 
- optional_policy(`
-+	packagekit_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
-+        rpm_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
-     cron_system_entry(snapperd_t, snapperd_exec_t)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
-@@ -7,9 +7,17 @@
- 
- /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
- 
-/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-HOME_ROOT/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-+/mnt/(.*/)?\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
-+/\.snapshots(/.*)?   			gen_context(system_u:object_r:snapperd_data_t,s0)
-+/usr/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
-+/var/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
-+/etc/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
-+HOME_ROOT/(.*/)?\.snapshots(/.*)?   	gen_context(system_u:object_r:snapperd_data_t,s0)
-+
-+# ensure that the snapshots itself aren't relabled
-+/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
-+/\.snapshots/[^/]*/snapshot(/.*)?   			<<none>>
-+/usr/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
-+/var/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
-+/etc/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
-+HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)?   	<<none>>
--- a/fix_sslh.patch
+++ b/fix_sslh.patch
@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/sslh.te
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/sslh.te
-+++ fedora-policy/policy/modules/contrib/sslh.te
-@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals
- type sslh_t;
- type sslh_exec_t;
- init_daemon_domain(sslh_t, sslh_exec_t)
-+init_nnp_daemon_domain(sslh_t)
- 
- type sslh_config_t;
- files_config_file(sslh_config_t)
-@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por
-     # allow sslh to connect to any port
-     corenet_tcp_sendrecv_all_ports(sslh_t) 
-     corenet_tcp_connect_all_ports(sslh_t)
-+    corenet_tcp_connect_all_ports(sslh_t)
- ')
- 
- tunable_policy(`sslh_can_bind_any_port',`
-Index: fedora-policy/policy/modules/contrib/sslh.fc
-===================================================================
--- fedora-policy.orig/policy/modules/contrib/sslh.fc
-+++ fedora-policy/policy/modules/contrib/sslh.fc
-@@ -4,6 +4,8 @@
- /etc/rc\.d/init\.d/sslh 	--	gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
- /etc/sslh(/.*)?                         gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sslh\.cfg 			-- 	gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/conf\.d/sslh               --      gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/default/sslh               --      gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sysconfig/sslh		-- 	gen_context(system_u:object_r:sslh_config_t,s0)
- /usr/lib/systemd/system/sslh.*  --	gen_context(system_u:object_r:sslh_unit_file_t,s0)
- /var/run/sslh.* 			gen_context(system_u:object_r:sslh_var_run_t,s0)
--- a/fix_sysnetwork.patch
+++ b/fix_sysnetwork.patch
@ -1,25 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-@@ -33,9 +33,9 @@ ifdef(`distro_debian',`
- /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
- 
- ifdef(`distro_redhat',`
-/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/stub-resolv\.conf  gen_context(system_u:object_r:net_conf_t,s0)
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
-+
- /var/run/netns	-d 		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
- /var/run/netns/[^/]+       	<<none>>
- 
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@ -1,44 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
- xserver_dbus_chat(systemd_logind_t)
- 
- optional_policy(`
-+	packagekit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- 	apache_read_tmp_files(systemd_logind_t)
- ')
- 
-@@ -863,6 +867,10 @@ optional_policy(`
- 	dbus_system_bus_client(systemd_localed_t)
- ')
- 
-+optional_policy(`
-+	nscd_unconfined(systemd_hostnamed_t)
-+')
-+
- #######################################
- #
- # Hostnamed policy
-@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
- # systemd_gpt_generator domain
- #
- 
-allow systemd_gpt_generator_t self:capability sys_rawio;
-+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
- allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
- dev_read_sysfs(systemd_gpt_generator_t)
-@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
- systemd_create_unit_file_dirs(systemd_gpt_generator_t)
- systemd_create_unit_file_lnk(systemd_gpt_generator_t)
- 
-+kernel_dgram_send(systemd_gpt_generator_t)
-+
- optional_policy(`
- 	udev_read_pid_files(systemd_gpt_generator_t)
- ')
--- a/fix_systemd_watch.patch
+++ b/fix_systemd_watch.patch
@ -1,17 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
- storage_getattr_fixed_disk_dev(systemd_sleep_t)
- storage_getattr_removable_dev(systemd_sleep_t)
- 
-+#######################################
-+#
-+# Allow systemd to watch certificate dir for ca-certificates
-+# 
-+watch_dirs_pattern(init_t,cert_t,cert_t)
-+
- optional_policy(`
- 	sysstat_domtrans(systemd_sleep_t)
- ')
--- a/fix_thunderbird.patch
+++ b/fix_thunderbird.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
- optional_policy(`
- 	gnome_stream_connect_gconf(thunderbird_t)
- 	gnome_domtrans_gconfd(thunderbird_t)
-	gnome_manage_generic_home_content(thunderbird_t)
- ')
- 
- optional_policy(`
--- a/fix_unconfined.patch
+++ b/fix_unconfined.patch
@ -1,22 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
-@@ -1,5 +1,10 @@
- policy_module(unconfined, 3.5.0)
- 
-+require {
-+        type var_run_t;
-+        type net_conf_t;
-+}
-+
- ########################################
- #
- # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
- optional_policy(`
- 	container_runtime_domtrans(unconfined_service_t)
- ')
-+
-+filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
-+
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@ -1,46 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
-@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
-     domain_dyntrans(unconfined_t)
- ')
- 
-+# FIXME this is probably caused by some wierd PAM interaction
-+corecmd_entrypoint_all_executables(unconfined_t)
-+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
-+files_execmod_tmp(unconfined_t)
-+
- optional_policy(`
- 	gen_require(`
- 		type unconfined_t;
-@@ -214,6 +219,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+    cron_system_spool_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
- 	chrome_role_notrans(unconfined_r, unconfined_t)
- 
- 	tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -248,6 +257,18 @@ optional_policy(`
- 	dbus_stub(unconfined_t)
- 
- 	optional_policy(`
-+		accountsd_dbus_chat(unconfined_dbusd_t)
-+	')
-+
-+	optional_policy(`
-+		networkmanager_dbus_chat(unconfined_dbusd_t)
-+	')
-+
-+	optional_policy(`
-+		systemd_dbus_chat_logind(unconfined_dbusd_t)
-+	')
-+
-+	optional_policy(`
- 		bluetooth_dbus_chat(unconfined_t)
- 	')
- 
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@ -1,18 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
- ')
- 
- optional_policy(`
-+    rtorrent_role(user_r, user_t)
-+    # needed for tunable rtorrent_send_mails
-+    mta_role_access_system_mail(user_r)
-+')
-+
-+
-+optional_policy(`
-     vmtools_run_helper(user_t, user_r)
- ')
- 
--- a/fix_userdomain.patch
+++ b/fix_userdomain.patch
@ -1,12 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/userdomain.if
-===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
-+++ fedora-policy-20220624/policy/modules/system/userdomain.if
-@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
- 
- 	# port access is audited even if dac would not have allowed it, so dontaudit it here
- #	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+	corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
- 	# Need the following rule to allow users to run vpnc
- 	corenet_tcp_bind_xserver_port($1_t)
- 	corenet_tcp_bind_generic_node($1_usertype)
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@ -1,29 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
-===================================================================
--- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
-@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
- allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
- allow groupadd_t self:unix_dgram_socket sendto;
- allow groupadd_t self:unix_stream_socket connectto;
-+allow groupadd_t self:netlink_selinux_socket create_socket_perms;
- 
- fs_getattr_xattr_fs(groupadd_t)
- fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
- allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
-+allow useradd_t self:netlink_selinux_socket create_socket_perms;
- 
- manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
- manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
- 
-+selinux_compute_access_vector(useradd_t)
-+
- corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
--- a/fix_wine.patch
+++ b/fix_wine.patch
@ -1,23 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/libraries.fc
-===================================================================
--- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20220428/policy/modules/system/libraries.fc
-@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
- /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
- /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/cx.*/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cx.*/lib/wine/.+\.(so|dll)		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
- /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-.+\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
- 
- /usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
-/usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/*-windows/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
--- a/fix_xserver.patch
+++ b/fix_xserver.patch
@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
- /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
- /etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-+/etc/X11/xdm/Xsetup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
- 
-@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
- 
- /usr/bin/sddm         	--	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/sddm-greeter  	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/lib/sddm/sddm-helper  	--	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
- /usr/bin/Xwayland	--	gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/nvidia.*	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/greetd		--	gen_context(system_u:object_r:xdm_exec_t,s0)
- 
- /usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)   
- /usr/libexec/Xorg\.wrap  --  gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
- /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
- 
-+/usr/lib/X11/display-manager 	-- 	gen_context(system_u:object_r:xdm_exec_t,s0)
- ifndef(`distro_debian',`
- /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
- ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
- /var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+/var/lib/greetd(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
- 
- /var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/cache/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
- /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd[^/]*\.sock	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd\.run		--	gen_context(system_u:object_r:xdm_var_run_t,s0)
- 
- /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
- 
- kernel_read_vm_sysctls(xdm_t)
- 
-+files_manage_generic_pids_symlinks(xdm_t)
-+userdom_manage_user_home_content_dirs(xdm_t)
-+userdom_manage_user_home_content_files(xdm_t)
-+
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
- can_exec(xdm_t, xsession_exec_t)
--- a/packagekit.fc
+++ b/packagekit.fc
@ -1,44 +0,0 @@
-/usr/lib/systemd/system/packagekit.*  --  gen_context(system_u:object_r:packagekit_unit_file_t,s0)
-
-/usr/bin/packagekit                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/var/lib/PackageKit(/.*)?                 gen_context(system_u:object_r:packagekit_var_lib_t,s0)
-
-/usr/bin/pkcon                  	--  gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/bin/pkmon				--  gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekit-direct             --  gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekitd                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/pk-offline-update                   --  gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/etc/PackageKit
-#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-#/usr/lib/tmpfiles.d
-#/usr/lib/tmpfiles.d/PackageKit.conf
-#/usr/lib64/packagekit-backend
-#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
-#/usr/sbin/rcpackagekit
-#/usr/sbin/rcpackagekit-offline-update
-#/usr/share/PackageKit
-#/usr/share/PackageKit/helpers
-#/usr/share/PackageKit/helpers/test_spawn
-#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
-#/usr/share/PackageKit/packagekit-background.sh
-#/usr/share/PackageKit/pk-upgrade-distro.sh
-#/usr/share/PackageKit/transactions.db
-#/usr/share/bash-completion/completions/pkcon
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
-#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
-#/usr/share/doc/packages/PackageKit
-#/usr/share/doc/packages/PackageKit/AUTHORS
-#/usr/share/doc/packages/PackageKit/HACKING
-#/usr/share/doc/packages/PackageKit/NEWS
-#/usr/share/doc/packages/PackageKit/README
-#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
-#/usr/share/licenses/PackageKit
-#/usr/share/licenses/PackageKit/COPYING
-#/usr/share/man/man1/pkcon.1.gz
-#/usr/share/man/man1/pkmon.1.gz
-#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
-#/var/cache/PackageKit
-
--- a/packagekit.if
+++ b/packagekit.if
@ -1,40 +0,0 @@
-## <summary>A temporary policy for packagekit.</summary>
-
-########################################
-## <summary>
-##	Allow reading of fifo files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to mange files
-##	</summary>
-## </param>
-#
-interface(`packagekit_read_write_fifo',`
-	gen_require(`
-		type packagekit_t;
-	')
-
-	allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##      Send and receive messages from
-##      packagekit over dbus.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`packagekit_dbus_chat',`
-        gen_require(`
-                type packagekit_t;
-                class dbus send_msg;
-        ')
-
-        allow $1 packagekit_t:dbus send_msg;
-        allow packagekit_t $1:dbus send_msg;
-')
--- a/packagekit.te
+++ b/packagekit.te
@ -1,38 +0,0 @@
-policy_module(packagekit,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type packagekit_t;
-type packagekit_exec_t;
-init_daemon_domain(packagekit_t,packagekit_exec_t)
-
-type packagekit_unit_file_t;
-systemd_unit_file(packagekit_unit_file_t)
-
-type packagekit_var_lib_t;
-files_type(packagekit_var_lib_t)
-
-unconfined_dbus_chat(packagekit_t)
-init_dbus_chat(packagekit_t)
-optional_policy(`
-	policykit_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
-	unconfined_domain(packagekit_t)
-')
-
-optional_policy(`
-	snapper_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
-	systemd_dbus_chat_logind(packagekit_t)
-')
-
-optional_policy(`
-	rpm_transition_script(packagekit_t,system_r)
-')
--- a/rebootmgr.fc
+++ b/rebootmgr.fc
@ -1 +0,0 @@
-/usr/sbin/rebootmgrd		--	gen_context(system_u:object_r:rebootmgr_exec_t,s0)
--- a/rebootmgr.if
+++ b/rebootmgr.if
@ -1,61 +0,0 @@
-
-## <summary>policy for rebootmgr</summary>
-
-########################################
-## <summary>
-##	Execute rebootmgr_exec_t in the rebootmgr domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rebootmgr_domtrans',`
-	gen_require(`
-		type rebootmgr_t, rebootmgr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-## <summary>
-##	Execute rebootmgr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rebootmgr_exec',`
-	gen_require(`
-		type rebootmgr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	rebootmgr over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rebootmgr_dbus_chat',`
-	gen_require(`
-		type rebootmgr_t;
-		class dbus send_msg;
-	')
-
-	allow $1 rebootmgr_t:dbus send_msg;
-	allow rebootmgr_t $1:dbus send_msg;
-')
--- a/rebootmgr.te
+++ b/rebootmgr.te
@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
-	dbus_system_bus_client(rebootmgr_t)
-	dbus_connect_system_bus(rebootmgr_t)
-')
--- a/rtorrent.fc
+++ b/rtorrent.fc
@ -1 +0,0 @@
-/usr/bin/rtorrent		--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
--- a/rtorrent.if
+++ b/rtorrent.if
@ -1,95 +0,0 @@
-
-## <summary>policy for rtorrent</summary>
-
-########################################
-## <summary>
-##	Execute rtorrent_exec_t in the rtorrent domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rtorrent_domtrans',`
-	gen_require(`
-		type rtorrent_t, rtorrent_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
-')
-
-######################################
-## <summary>
-##	Execute rtorrent in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rtorrent_exec',`
-	gen_require(`
-		type rtorrent_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, rtorrent_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute rtorrent in the rtorrent domain, and
-##	allow the specified role the rtorrent domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the rtorrent domain.
-##	</summary>
-## </param>
-#
-interface(`rtorrent_run',`
-	gen_require(`
-		type rtorrent_t;
-		attribute_role rtorrent_roles;
-	')
-
-	rtorrent_domtrans($1)
-	roleattribute $2 rtorrent_roles;
-')
-
-########################################
-## <summary>
-##	Role access for rtorrent
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role
-##	</summary>
-## </param>
-#
-interface(`rtorrent_role',`
-	gen_require(`
-		type rtorrent_t;
-		attribute_role rtorrent_roles;
-	')
-
-	roleattribute $1 rtorrent_roles;
-
-	rtorrent_domtrans($2)
-
-	ps_process_pattern($2, rtorrent_t)
-	allow $2 rtorrent_t:process { signull signal sigkill };
-')
--- a/rtorrent.te
+++ b/rtorrent.te
@ -1,101 +0,0 @@
-policy_module(rtorrent, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-## <desc>
-## <p>
-## Allow rtorrent to use send mails
-## </p>
-## </desc>
-gen_tunable(rtorrent_send_mails, false)
-
-## <desc>
-## <p>
-## Enable necessary permissions for rutorrent
-## </p>
-## </desc>
-gen_tunable(rtorrent_enable_rutorrent, false)
-
-## <desc>
-## <p>
-## Allow rtorrent to execute helper scripts in home directories
-## </p>
-## </desc>
-gen_tunable(rtorrent_exec_scripts, false)
-
-attribute_role rtorrent_roles;
-roleattribute system_r rtorrent_roles;
-
-type rtorrent_t;
-type rtorrent_exec_t;
-application_domain(rtorrent_t, rtorrent_exec_t)
-role rtorrent_roles types rtorrent_t;
-
-########################################
-#
-# rtorrent local policy
-#
-allow rtorrent_t self:process { fork signal_perms };
-
-allow rtorrent_t self:fifo_file manage_fifo_file_perms;
-allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rtorrent_t)
-
-files_read_etc_files(rtorrent_t)
-
-miscfiles_read_localization(rtorrent_t)
-
-sysnet_dns_name_resolve(rtorrent_t)
-
-optional_policy(`
-	gen_require(`
-		type staff_t;
-		role staff_r;
-	')
-
-	rtorrent_run(staff_t, staff_r)
-')
-
-type rtorrent_port_t;
-corenet_port(rtorrent_port_t)
-allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
-
-userdom_read_user_home_content_symlinks(rtorrent_t)
-userdom_manage_user_home_content_files(rtorrent_t)
-userdom_manage_user_home_content_dirs(rtorrent_t)
-
-allow rtorrent_t self:tcp_socket { accept listen };
-
-corenet_tcp_connect_all_ports(rtorrent_t)
-
-fs_getattr_xattr_fs(rtorrent_t)
-
-userdom_use_inherited_user_terminals(rtorrent_t)
-# this might be to much
-userdom_home_manager(rtorrent_t)
-userdom_filetrans_home_content(rtorrent_t)
-
-optional_policy(`
-        tunable_policy(`rtorrent_send_mails',`
-                userdom_exec_user_bin_files(rtorrent_t)
-                userdom_exec_user_home_content_files(rtorrent_t)
-                files_manage_generic_tmp_files(rtorrent_t)
-                mta_send_mail(rtorrent_t)
-        ')
-')
-
-optional_policy(`
-    tunable_policy(`rtorrent_enable_rutorrent',`
-	apache_manage_sys_content(rtorrent_t)
-        apache_exec_sys_content(rtorrent_t)
-    ')
-')
-
-tunable_policy(`rtorrent_exec_scripts',`
-    # execute helper scripts
-    corecmd_exec_bin(rtorrent_t)
-    userdom_exec_user_bin_files(rtorrent_t)
-')
--- a/sedoctool.patch
+++ b/sedoctool.patch
@ -1,22 +0,0 @@
-Index: fedora-policy/support/sedoctool.py
-===================================================================
--- fedora-policy.orig/support/sedoctool.py
-+++ fedora-policy/support/sedoctool.py
-@@ -810,7 +810,7 @@ if booleans:
- 	namevalue_list = []
- 	if os.path.exists(booleans):
- 		try:
-			conf = open(booleans, 'r')
-+			conf = open(booleans, 'r', errors='replace')
- 		except:
- 			error("Could not open booleans file for reading")
- 
-@@ -831,7 +831,7 @@ if modules:
- 	namevalue_list = []
- 	if os.path.exists(modules):
- 		try:
-			conf = open(modules, 'r')
-+			conf = open(modules, 'r', errors='replace')
- 		except:
- 			error("Could not open modules file for reading")
- 		namevalue_list = get_conf(conf)	
--- a/selinux-policy-20230321.tar.xz
+++ b/selinux-policy-20230321.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
+size 752588
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,9 +1,168 @@
+-------------------------------------------------------------------
+Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230321:
+  * make kernel_t unconfined again
+
+-------------------------------------------------------------------
+Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230316:
+  * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
+    path
+  * allow kernel_t to relabel etc_t files
+  * allow kernel_t to relabel sysnet config files
+  * allow kernel_t to relabel systemd hwdb etc files
+  * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
+  * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
+    to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
+    management of config files
+  * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
+    interfaces to allow labeling on etc_t, not on the broader configfiles
+    attribute
+  * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
+    watch permissions reported are already fixed in a current policy.
+- Reinstate update.sh and remove container-selinux from the service.
+  Having both repos in there causes issues and update.sh makes the update
+  process easier in general. Updated README.Update
+
 -------------------------------------------------------------------
 Tue Mar  7 08:49:05 UTC 2023 - Johannes Segitz <jsegitz@suse.com>

 - Remove erroneous SUSE man page. Will not be created with the
  3.5 toolchain

+-------------------------------------------------------------------
+Tue Feb 14 21:41:54 UTC 2023 - Hu <cathy.hu@suse.com>
+
+- Complete packaging rework: Move policy to git repository and
+  only use tar_scm obs service to refresh from there: 
+  https://gitlab.suse.de/selinux/selinux-policy
+
+  Please use `osc service manualrun` to update this OBS package to the 
+  newest git version.
+
+  * Added README.Update describing how to update this package
+  * Added _service file that pulls from selinux-policy and 
+    upstream container-selinux and tars them
+  * Adapted selinux-policy.spec to build selinux-policy with
+    container-selinux
+  * Removed update.sh as no longer needed
+  * Removed suse specific modules as they are now covered by git commits
+    * packagekit.te packagekit.if packagekit.fc
+    * rebootmgr.te rebootmgr.if rebootmgr.fc
+    * rtorrent.te rtorrent.if rtorrent.fc
+    * wicked.te wicked.if wicked.fc
+  * Removed *.patch as they are now covered by git commits:
+    * distro_suse_to_distro_redhat.patch
+    * dontaudit_interface_kmod_tmpfs.patch
+    * fix_accountsd.patch
+    * fix_alsa.patch
+    * fix_apache.patch
+    * fix_auditd.patch
+    * fix_authlogin.patch
+    * fix_automount.patch
+    * fix_bitlbee.patch
+    * fix_chronyd.patch
+    * fix_cloudform.patch
+    * fix_colord.patch
+    * fix_corecommand.patch
+    * fix_cron.patch
+    * fix_dbus.patch
+    * fix_djbdns.patch
+    * fix_dnsmasq.patch
+    * fix_dovecot.patch
+    * fix_entropyd.patch
+    * fix_firewalld.patch
+    * fix_fwupd.patch
+    * fix_geoclue.patch
+    * fix_hypervkvp.patch
+    * fix_init.patch
+    * fix_ipsec.patch
+    * fix_iptables.patch
+    * fix_irqbalance.patch
+    * fix_java.patch
+    * fix_kernel.patch
+    * fix_kernel_sysctl.patch
+    * fix_libraries.patch
+    * fix_locallogin.patch
+    * fix_logging.patch
+    * fix_logrotate.patch
+    * fix_mcelog.patch
+    * fix_miscfiles.patch
+    * fix_nagios.patch
+    * fix_networkmanager.patch
+    * fix_nis.patch
+    * fix_nscd.patch
+    * fix_ntp.patch
+    * fix_openvpn.patch
+    * fix_postfix.patch
+    * fix_rpm.patch
+    * fix_rtkit.patch
+    * fix_screen.patch
+    * fix_selinuxutil.patch
+    * fix_sendmail.patch
+    * fix_smartmon.patch
+    * fix_snapper.patch
+    * fix_sslh.patch
+    * fix_sysnetwork.patch
+    * fix_systemd.patch
+    * fix_systemd_watch.patch
+    * fix_thunderbird.patch
+    * fix_unconfined.patch
+    * fix_unconfineduser.patch
+    * fix_unprivuser.patch
+    * fix_userdomain.patch
+    * fix_usermanage.patch
+    * fix_wine.patch
+    * fix_xserver.patch
+    * sedoctool.patch
+    * systemd_domain_dyntrans_type.patch
+
+-------------------------------------------------------------------
+Mon Feb  6 08:36:32 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 20230206. Refreshed:
+  * fix_entropyd.patch
+  * fix_networkmanager.patch
+  * fix_systemd_watch.patch
+  * fix_unconfineduser.patch
+- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
+  necessary as plymouth doesn't run in it's own domain in early boot
+
+-------------------------------------------------------------------
+Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 20230125. Refreshed:
+  * distro_suse_to_distro_redhat.patch
+  * fix_dnsmasq.patch
+  * fix_init.patch
+  * fix_ipsec.patch
+  * fix_kernel_sysctl.patch
+  * fix_logging.patch
+  * fix_rpm.patch
+  * fix_selinuxutil.patch
+  * fix_systemd_watch.patch
+  * fix_userdomain.patch
+- More flexible lib(exec) matching in fix_fwupd.patch
+- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
+- Dropped fix_container.patch, is now upstream
+- Added fix_entropyd.patch
+  * Added new interface entropyd_semaphore_filetrans to properly transfer
+    semaphore created during early boot. That doesn't work yet, so work
+    around with next item
+  * Allow reading tempfs files
+- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
+  to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
+- Added fix_rtkit.patch to fix labeling of binary
+- Modified fix_ntp.patch:
+  * Proper labeling for start-ntpd
+  * Fixed label rules for chroot path
+  * Temporarily allow dac_override for ntpd_t (bsc#1207577)
+  * Add interface ntp_manage_pid_files to allow management of pid
+    files
+- Updated fix_networkmanager.patch to allow managing ntp pid files
+
 -------------------------------------------------------------------
 Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz <jsegitz@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -33,10 +33,15 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20221019
+Version:        20230321
 Release:        0
-Source:         fedora-policy-%{version}.tar.bz2
-Source1:        selinux-policy-rpmlintrc
+Source0:        %{name}-%{version}.tar.xz
+Source1:        container.fc
+Source2:        container.te
+Source3:        container.if
+Source4:        selinux-policy-rpmlintrc
+Source5:        README.Update
+Source6:        update.sh

 Source10:       modules-targeted-base.conf
 Source11:       modules-targeted-contrib.conf
@ -70,88 +75,6 @@ Source92:       customizable_types
 #Source93:       config.tgz
 Source94:       file_contexts.subs_dist
 Source95:       macros.selinux-policy
-Source96:       update.sh
-
-Source120:      packagekit.te
-Source121:      packagekit.if
-Source122:      packagekit.fc
-Source123:      rtorrent.te
-Source124:      rtorrent.if
-Source125:      rtorrent.fc
-Source126:      wicked.te
-Source127:      wicked.if
-Source128:      wicked.fc
-Source129:      rebootmgr.te
-Source130:      rebootmgr.if
-Source131:      rebootmgr.fc
-
-Patch000:       distro_suse_to_distro_redhat.patch
-Patch001:       fix_djbdns.patch
-Patch002:       fix_dbus.patch
-Patch004:       fix_java.patch
-Patch006:       fix_thunderbird.patch
-Patch007:       fix_postfix.patch
-Patch008:       fix_nscd.patch
-Patch009:       fix_sysnetwork.patch
-Patch010:       fix_logging.patch
-Patch011:       fix_xserver.patch
-Patch012:       fix_miscfiles.patch
-Patch013:       fix_init.patch
-Patch014:       fix_locallogin.patch
-Patch016:       fix_iptables.patch
-Patch017:       fix_irqbalance.patch
-Patch018:       fix_ntp.patch
-Patch019:       fix_fwupd.patch
-Patch020:       fix_firewalld.patch
-Patch021:       fix_logrotate.patch
-Patch022:       fix_selinuxutil.patch
-Patch024:       fix_corecommand.patch
-Patch025:       fix_snapper.patch
-Patch026:       fix_systemd.patch
-Patch027:       fix_unconfined.patch
-Patch028:       fix_unconfineduser.patch
-Patch029:       fix_chronyd.patch
-Patch030:       fix_networkmanager.patch
-Patch032:       fix_accountsd.patch
-Patch033:       fix_automount.patch
-Patch034:       fix_colord.patch
-Patch035:       fix_mcelog.patch
-Patch036:       fix_sslh.patch
-Patch037:       fix_nagios.patch
-Patch038:       fix_openvpn.patch
-Patch039:       fix_cron.patch
-Patch040:       fix_usermanage.patch
-Patch041:       fix_smartmon.patch
-Patch042:       fix_geoclue.patch
-Patch044:       fix_authlogin.patch
-Patch045:       fix_screen.patch
-Patch046:       fix_unprivuser.patch
-Patch047:       fix_rpm.patch
-Patch048:       fix_apache.patch
-Patch049:       fix_nis.patch
-Patch050:       fix_libraries.patch
-Patch051:       fix_dovecot.patch
-# https://github.com/cockpit-project/cockpit/pull/15758
-#Patch052:       fix_cockpit.patch
-Patch053:       fix_systemd_watch.patch
-# kernel specific sysctl.conf (boo#1184804)
-Patch054:       fix_kernel_sysctl.patch
-Patch055:       fix_auditd.patch
-Patch056:       fix_wine.patch
-Patch057:       fix_hypervkvp.patch
-Patch058:       fix_bitlbee.patch
-Patch059:       systemd_domain_dyntrans_type.patch
-Patch060:       fix_dnsmasq.patch
-Patch061:       fix_userdomain.patch
-Patch062:       fix_cloudform.patch
-Patch063:       fix_alsa.patch
-Patch064:       dontaudit_interface_kmod_tmpfs.patch
-Patch065:       fix_sendmail.patch
-Patch066:       fix_ipsec.patch
-# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included
-Patch067:       fix_container.patch
-
-Patch100:       sedoctool.patch

 URL:            https://github.com/fedora-selinux/selinux-policy.git
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -412,7 +335,16 @@ fi;
 exit 0

 %prep
-%autosetup -n fedora-policy-%{version} -p1
+
+# set up selinux-policy
+%autosetup -n %{name}-%{version} -p1
+
+# dirty hack for container-selinux, because selinux-policy won't build without it
+# upstream does not want to include it in main policy tree:
+# see discussion in https://github.com/containers/container-selinux/issues/186
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
+  cp $i policy/modules/services/
+done

 %build

@ -439,10 +371,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done

-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
- cp $i policy/modules/contrib
-done
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
--- a/systemd_domain_dyntrans_type.patch
+++ b/systemd_domain_dyntrans_type.patch
@ -1,13 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/system/init.te
-===================================================================
--- fedora-policy-20220124.orig/policy/modules/system/init.te
-+++ fedora-policy-20220124/policy/modules/system/init.te
-@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
- allow init_t self:packet_socket create_socket_perms;
- allow init_t self:key manage_key_perms;
- allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
-+domain_dyntrans_type(init_t)
-+allow init_t self:process { dyntransition setcurrent };
- 
- # is ~sys_module really needed? observed:
- # sys_boot
--- a/update.sh
+++ b/update.sh
@ -1,23 +1,27 @@
 #!/bin/sh

 date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'

 echo Update to $date

-rm -rf fedora-policy container-selinux
+old_tar_file=$(ls -1 $base_name_pattern)

-git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
+osc service manualrun
+
+rm -rf container-selinux
 git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux

-mv selinux-policy fedora-policy-$date
-rm -rf fedora-policy-$date/.git*
-mv container-selinux/container.* fedora-policy-$date/policy/modules/services/
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern  | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+  echo delte old file $old_tar_file
+  rm "$old_tar_file"
+  osc addremove
+fi

-rm -f fedora-policy?$date.tar*
-tar cf fedora-policy-$date.tar fedora-policy-$date
-bzip2 fedora-policy-$date.tar
-rm -rf fedora-policy-$date container-selinux
+osc status

-sed -i -e "s/^Version:.*/Version:        $date/" selinux-policy.spec
-
-echo "remove old tar file, then osc addremove"
--- a/wicked.fc
+++ b/wicked.fc
@ -1,50 +0,0 @@
-# not used
-#/etc/wicked/dispatcher\.d(/.*)?	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-
-/etc/wicked(/.*)?	gen_context(system_u:object_r:wicked_etc_t,s0)
-/etc/wicked/extensions/.* 	--	gen_context(system_u:object_r:wicked_exec_t,s0)
-
-#/etc/wicked/wicked\.conf	gen_context(system_u:object_r:wicked_etc_rw_t,s0)
-#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0)
-
-/usr/lib/systemd/system/wicked.* --	gen_context(system_u:object_r:wicked_unit_file_t,s0)
-
-/sbin/ifdown 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifprobe 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifstatus 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifup 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/ifup 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-
-/usr/sbin/rcwicked.*		--	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-
-/usr/lib/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/libexec/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
-
-#/usr/lib64/libwicked-0.6.63.so
-
-/usr/sbin/wicked 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/wickedd 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/wickedd-nanny 		--	gen_context(system_u:object_r:wicked_exec_t,s0)
-#/usr/share/wicked/schema/wireless.xml
-/var/lib/wicked(/.*)?				gen_context(system_u:object_r:wicked_var_lib_t,s0)
-#/etc/sysconfig/network/ifcfg-lo
-
-#/usr/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-#/usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:wicked_exec_t,s0)
-#/var/lib/wicd(/.*)?			gen_context(system_u:object_r:wicked_var_lib_t,s0)
-#/var/log/wicd.*				--	gen_context(system_u:object_r:wicked_log_t,s0)
-
-/var/run/wicked(/.*)?		gen_context(system_u:object_r:wicked_var_run_t,s0)
-
-#/etc/dbus-1
-#/etc/dbus-1/system.d
-#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.conf
-
-/etc/sysconfig/network/scripts(/.*)?	gen_context(system_u:object_r:wicked_script_t,s0)
-/etc/sysconfig/network/scripts/samba-winbindd	--	gen_context(system_u:object_r:wicked_winbind_script_t,s0)
-/etc/sysconfig/network/scripts/dhcpd-restart-hook	--	gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
--- a/wicked.if
+++ b/wicked.if
@ -1,678 +0,0 @@
-## <summary>Manager for dynamically switching between networks.</summary>
-
-########################################
-## <summary>
-##	Read and write wicked UDP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`wicked_rw_udp_sockets',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:udp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Read and write wicked packet sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`wicked_rw_packet_sockets',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:packet_socket { read write };
-')
-
-#######################################
-## <summary>
-## Allow caller to relabel tun_socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_attach_tun_iface',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:tun_socket relabelfrom;
-	allow $1 self:tun_socket relabelto;
-')
-
-########################################
-## <summary>
-##	Read and write wicked netlink
-##	routing sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`wicked_rw_routing_sockets',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:netlink_route_socket { read write };
-')
-
-########################################
-## <summary>
-##	Execute wicked with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`wicked_domtrans',`
-	gen_require(`
-		type wicked_t, wicked_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, wicked_exec_t, wicked_t)
-')
-
-#######################################
-## <summary>
-##      Execute wicked scripts with an automatic domain transition to initrc.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed to transition.
-##      </summary>
-## </param>
-#
-interface(`wicked_initrc_domtrans',`
-        gen_require(`
-                type wicked_initrc_exec_t;
-        ')
-
-        init_labeled_script_domtrans($1, wicked_initrc_exec_t)
-')
-
-#######################################
-## <summary>
-##      Allow reading of wicked link files
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed to read the links
-##      </summary>
-## </param>
-#
-interface(`wicked_initrc_read_lnk_files',`
-        gen_require(`
-                type wicked_initrc_exec_t;
-        ')
-
-	read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute wicked server in the wicked domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`wicked_systemctl',`
-	gen_require(`
-		type wicked_unit_file_t;
-		type wicked_t;
-	')
-
-	systemd_exec_systemctl($1)
-	init_reload_services($1)
-	allow $1 wicked_unit_file_t:file read_file_perms;
-	allow $1 wicked_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, wicked_t)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	wicked over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_dbus_chat',`
-	gen_require(`
-		type wicked_t;
-		class dbus send_msg;
-	')
-
-	allow $1 wicked_t:dbus send_msg;
-	allow wicked_t $1:dbus send_msg;
-')
-
-#######################################
-## <summary>
-##	Read metworkmanager process state files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_read_state',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:dir search_dir_perms;
-	allow $1 wicked_t:file read_file_perms;
-	allow $1 wicked_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to send and
-##	receive messages from wicked
-##	over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`wicked_dontaudit_dbus_chat',`
-	gen_require(`
-		type wicked_t;
-		class dbus send_msg;
-	')
-
-	dontaudit $1 wicked_t:dbus send_msg;
-	dontaudit wicked_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Send a generic signal to wicked
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_signal',`
-	gen_require(`
-		type wicked_t;
-	')
-
-	allow $1 wicked_t:process signal;
-')
-
-########################################
-## <summary>
-##	Create, read, and write
-##	wicked library files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_manage_lib_files',`
-	gen_require(`
-		type wicked_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
-	allow $1 wicked_var_lib_t:file map;
-')
-
-########################################
-## <summary>
-##	Read wicked lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_read_lib_files',`
-	gen_require(`
-		type wicked_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
-	read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
-	allow $1 wicked_var_lib_t:file map;
-')
-
-#######################################
-## <summary>
-##  Read wicked conf files.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`wicked_read_conf',`
-    gen_require(`
-        type wicked_etc_t;
-        type wicked_etc_rw_t;
-    ')
-
-	allow $1 wicked_etc_t:dir list_dir_perms;
-	read_files_pattern($1,wicked_etc_t,wicked_etc_t)
-	read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t)
-')
-
-########################################
-## <summary>
-##	Read wicked PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_read_pid_files',`
-	gen_require(`
-		type wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-## <summary>
-##	Manage wicked PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_manage_pid_files',`
-	gen_require(`
-		type wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-	manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t)
-	manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-## <summary>
-##	Manage wicked PID sock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_manage_pid_sock_files',`
-	gen_require(`
-		type wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-	manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-## <summary>
-##	Create objects in /etc with a private
-##	type using a type_transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Object classes to be created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`wicked_pid_filetrans',`
-	gen_require(`
-		type wicked_var_run_t;
-	')
-
-	filetrans_pattern($1, wicked_var_run_t, $2, $3, $4)
-')
-
-####################################
-## <summary>
-##  Connect to wicked over
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`wicked_stream_connect',`
-	gen_require(`
-		type wicked_t, wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
-')
-
-########################################
-## <summary>
-##	Delete wicked PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_delete_pid_files',`
-	gen_require(`
-		type wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-    delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-## <summary>
-##	Execute wicked in the wicked domain, and
-##	allow the specified role the wicked domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`wicked_run',`
-	gen_require(`
-		type wicked_t, wicked_exec_t;
-	')
-
-	wicked_domtrans($1)
-	role $2 types wicked_t;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to append
-##	to Network Manager log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_append_log',`
-	gen_require(`
-		type wicked_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 wicked_log_t:dir list_dir_perms;
-	append_files_pattern($1, wicked_log_t, wicked_log_t)
-	allow $1 wicked_log_t:file map;
-
-')
-
-#######################################
-## <summary>
-##  Allow the specified domain to manage
-##  to Network Manager lib files.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`wicked_manage_lib',`
-    gen_require(`
-        type wicked_var_lib_t;
-    ')
-
-    manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
-    allow $1 wicked_var_lib_t:file map;
-
-')
-
-#######################################
-## <summary>
-##	Send to wicked with a unix dgram socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_dgram_send',`
-	gen_require(`
-		type wicked_t, wicked_var_run_t;
-	')
-
-	files_search_pids($1)
-	dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
-')
-
-########################################
-## <summary>
-##	Send sigchld to wicked.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-#
-interface(`wicked_sigchld',`
-	gen_require(`
-		type wicked_t;
-	')
-
-    allow $1 wicked_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send signull to wicked.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-#
-interface(`wicked_signull',`
-	gen_require(`
-		type wicked_t;
-	')
-
-    allow $1 wicked_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send sigkill to wicked.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-#
-interface(`wicked_sigkill',`
-	gen_require(`
-		type wicked_t;
-	')
-
-    allow $1 wicked_t:process sigkill;
-')
-
-########################################
-## <summary>
-##	Transition to wicked named content
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wicked_filetrans_named_content',`
-	gen_require(`
-		type wicked_var_run_t;
-		type wicked_var_lib_t;
-	')
-
-
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6")
-
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6")
-
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4")
-	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6")
-
-	files_pid_filetrans($1, wicked_var_run_t, dir, "extension")
-	files_pid_filetrans($1, wicked_var_run_t, dir, "nanny")
-
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-4.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
-	files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
-')
-
-########################################
-## <summary>
-##	Create a set of derived types for various wicked scripts
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The name to be used for deriving type names.
-##	</summary>
-## </param>
-#
-template(`wicked_script_template',`
-	gen_require(`
-		attribute wicked_plugin, wicked_script;
-		type wicked_t;
-	')
-
-	type wicked_$1_t, wicked_plugin;
-	type wicked_$1_script_t, wicked_script;
-	application_domain(wicked_$1_t, wicked_$1_script_t)
-	role system_r types wicked_$1_t;
-
-	domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
-')
--- a/wicked.te
+++ b/wicked.te
@ -1,572 +0,0 @@
-policy_module(wicked, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type wicked_t;
-type wicked_exec_t;
-init_daemon_domain(wicked_t, wicked_exec_t)
-
-type wicked_initrc_exec_t;
-init_script_file(wicked_initrc_exec_t)
-
-type wicked_unit_file_t;
-systemd_unit_file(wicked_unit_file_t)
-
-type wicked_etc_t;
-files_config_file(wicked_etc_t)
-
-type wicked_etc_rw_t;
-files_config_file(wicked_etc_rw_t)
-
-#type wicked_log_t;
-#logging_log_file(wicked_log_t)
-
-type wicked_tmp_t;
-files_tmp_file(wicked_tmp_t)
-
-type wicked_var_lib_t;
-files_type(wicked_var_lib_t)
-
-type wicked_var_run_t;
-files_pid_file(wicked_var_run_t)
-
-
-# Wicked scripts
-
-attribute wicked_plugin;
-attribute wicked_script;
-type wicked_script_t, wicked_script;
-type wicked_custom_t, wicked_plugin;
-role system_r types wicked_custom_t;
-application_domain(wicked_custom_t, wicked_script_t)
-domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
-
-wicked_script_template(winbind);
-wicked_script_template(dhcp);
-
-#type wpa_cli_t;
-#type wpa_cli_exec_t;
-#init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# wicked will ptrace itself if gdb is installed
-# and it receives a unexpected signal (rh bug #204161)
-allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
-dontaudit wicked_t self:capability sys_tty_config;
-
-allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run };
-
-ifdef(`hide_broken_symptoms',`
-	# caused by some bogus kernel code
-	dontaudit wicked_t self:capability sys_module;
-')
-# alternatively allow with
-# kernel_load_module( wicked_t )
-
-allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-
-allow wicked_t self:process setfscreate;
-selinux_validate_context(wicked_t)
-
-tunable_policy(`deny_ptrace',`',`
-	allow wicked_t self:capability sys_ptrace;
-	allow wicked_t self:process ptrace;
-')
-
-allow wicked_t self:fifo_file rw_fifo_file_perms;
-allow wicked_t self:unix_dgram_socket { sendto create_socket_perms };
-allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto };
-allow wicked_t self:netlink_generic_socket create_socket_perms;
-allow wicked_t self:netlink_route_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_socket create_socket_perms;
-allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow wicked_t self:tcp_socket create_stream_socket_perms;
-allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-allow wicked_t self:udp_socket create_socket_perms;
-allow wicked_t self:packet_socket create_socket_perms;
-allow wicked_t self:rawip_socket create_socket_perms;
-allow wicked_t self:socket create_socket_perms;
-
-tunable_policy(`deny_bluetooth',`',`
-    allow wicked_t self:bluetooth_socket create_stream_socket_perms;
-')
-
-#allow wicked_t wpa_cli_t:unix_dgram_socket sendto;
-
-can_exec(wicked_t, wicked_exec_t)
-#wicd
-# can_exec(wicked_t, wpa_cli_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-
-read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file })
-
-#allow wicked_t wicked_log_t:dir setattr_dir_perms;
-#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#logging_log_filetrans(wicked_t, wicked_log_t, file)
-
-can_exec(wicked_t, wicked_tmp_t)
-manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file })
-
-manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file })
-
-kernel_read_system_state(wicked_t)
-kernel_read_network_state(wicked_t)
-kernel_read_kernel_sysctls(wicked_t)
-kernel_request_load_module(wicked_t)
-kernel_read_debugfs(wicked_t)
-kernel_rw_net_sysctls(wicked_t)
-kernel_dontaudit_setsched(wicked_t)
-kernel_signull(wicked_t)
-
-corenet_ib_manage_subnet_unlabeled_endports(wicked_t)
-corenet_ib_access_unlabeled_pkeys(wicked_t)
-corenet_all_recvfrom_netlabel(wicked_t)
-corenet_tcp_sendrecv_generic_if(wicked_t)
-corenet_udp_sendrecv_generic_if(wicked_t)
-corenet_raw_sendrecv_generic_if(wicked_t)
-corenet_tcp_sendrecv_generic_node(wicked_t)
-corenet_udp_sendrecv_generic_node(wicked_t)
-corenet_raw_sendrecv_generic_node(wicked_t)
-corenet_tcp_sendrecv_all_ports(wicked_t)
-corenet_udp_sendrecv_all_ports(wicked_t)
-corenet_udp_bind_generic_node(wicked_t)
-corenet_udp_bind_isakmp_port(wicked_t)
-corenet_udp_bind_dhcpc_port(wicked_t)
-corenet_tcp_connect_all_ports(wicked_t)
-corenet_sendrecv_isakmp_server_packets(wicked_t)
-corenet_sendrecv_dhcpc_server_packets(wicked_t)
-corenet_sendrecv_all_client_packets(wicked_t)
-corenet_rw_tun_tap_dev(wicked_t)
-corenet_getattr_ppp_dev(wicked_t)
-
-dev_access_check_sysfs(wicked_t)
-dev_rw_sysfs(wicked_t)
-dev_write_sysfs_dirs(wicked_t)
-dev_read_rand(wicked_t)
-dev_read_urand(wicked_t)
-dev_dontaudit_getattr_generic_blk_files(wicked_t)
-dev_getattr_all_chr_files(wicked_t)
-dev_rw_wireless(wicked_t)
-
-fs_getattr_all_fs(wicked_t)
-fs_search_auto_mountpoints(wicked_t)
-fs_list_inotifyfs(wicked_t)
-fs_read_nsfs_files(wicked_t)
-
-mls_file_read_all_levels(wicked_t)
-
-selinux_dontaudit_search_fs(wicked_t)
-
-corecmd_exec_shell(wicked_t)
-corecmd_exec_bin(wicked_t)
-
-domain_use_interactive_fds(wicked_t)
-domain_read_all_domains_state(wicked_t)
-
-files_read_etc_runtime_files(wicked_t)
-files_read_system_conf_files(wicked_t)
-files_read_usr_src_files(wicked_t)
-files_read_isid_type_files(wicked_t)
-
-storage_getattr_fixed_disk_dev(wicked_t)
-
-term_open_unallocated_ttys(wicked_t)
-
-init_read_utmp(wicked_t)
-init_dontaudit_write_utmp(wicked_t)
-init_domtrans_script(wicked_t)
-init_signull_script(wicked_t)
-init_signal_script(wicked_t)
-init_sigkill_script(wicked_t)
-
-auth_use_nsswitch(wicked_t)
-
-libs_exec_ldconfig(wicked_t)
-
-logging_send_syslog_msg(wicked_t)
-logging_send_audit_msgs(wicked_t)
-
-miscfiles_read_generic_certs(wicked_t)
-
-seutil_read_config(wicked_t)
-seutil_run_setfiles(wicked_t, system_r)
-
-sysnet_domtrans_ifconfig(wicked_t)
-sysnet_domtrans_dhcpc(wicked_t)
-sysnet_signal_dhcpc(wicked_t)
-sysnet_signull_dhcpc(wicked_t)
-sysnet_read_dhcpc_pid(wicked_t)
-sysnet_read_dhcp_config(wicked_t)
-sysnet_delete_dhcpc_pid(wicked_t)
-sysnet_kill_dhcpc(wicked_t)
-sysnet_read_dhcpc_state(wicked_t)
-sysnet_delete_dhcpc_state(wicked_t)
-sysnet_search_dhcp_state(wicked_t)
-# in /etc created by wicked will be labelled net_conf_t.
-sysnet_manage_config(wicked_t)
-sysnet_filetrans_named_content(wicked_t)
-sysnet_filetrans_net_conf(wicked_t)
-
-systemd_machined_read_pid_files(wicked_t)
-
-term_use_unallocated_ttys(wicked_t)
-
-userdom_stream_connect(wicked_t)
-userdom_dontaudit_use_unpriv_user_fds(wicked_t)
-userdom_dontaudit_use_user_ttys(wicked_t)
-# Read gnome-keyring
-userdom_read_home_certs(wicked_t)
-userdom_read_user_home_content_files(wicked_t)
-userdom_dgram_send(wicked_t)
-
-hostname_exec(wicked_t)
-wicked_systemctl(wicked_t)
-
-sysnet_manage_config_dirs(wicked_t)
-
-
-# Wicked scripts
-
-list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
-read_files_pattern(wicked_t, wicked_script_t, wicked_script)
-read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
-list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
-read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
-
-auth_read_passwd(wicked_plugin)
-
-corecmd_exec_bin(wicked_plugin)
-corecmd_exec_shell(wicked_winbind_t)
-
-#tunable_policy(`use_nfs_home_dirs',`
-#    fs_read_nfs_files(wicked_t)
-#')
-#
-#tunable_policy(`use_samba_home_dirs',`
-#    fs_read_cifs_files(wicked_t)
-#')
-
-optional_policy(`
-	avahi_domtrans(wicked_t)
-	avahi_kill(wicked_t)
-	avahi_signal(wicked_t)
-	avahi_signull(wicked_t)
-	avahi_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-	packagekit_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-    firewalld_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-    wicked_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-	bind_domtrans(wicked_t)
-	bind_manage_cache(wicked_t)
-	bind_kill(wicked_t)
-	bind_signal(wicked_t)
-	bind_signull(wicked_t)
-')
-
-optional_policy(`
-	bluetooth_dontaudit_read_helper_state(wicked_t)
-')
-
-optional_policy(`
-	consoletype_exec(wicked_t)
-')
-
-optional_policy(`
-	cron_read_system_job_lib_files(wicked_t)
-')
-
-optional_policy(`
-	chronyd_domtrans_chronyc(wicked_t)
-	chronyd_domtrans(wicked_t)
-')
-
-optional_policy(`
-	dbus_system_domain(wicked_t, wicked_exec_t)
-
-	init_dbus_chat(wicked_t)
-
-	optional_policy(`
-		consolekit_dbus_chat(wicked_t)
-		consolekit_read_pid_files(wicked_t)
-	')
-')
-
-optional_policy(`
-	dnsmasq_read_pid_files(wicked_t)
-	dnsmasq_dbus_chat(wicked_t)
-	dnsmasq_delete_pid_files(wicked_t)
-	dnsmasq_domtrans(wicked_t)
-	dnsmasq_initrc_domtrans(wicked_t)
-	dnsmasq_kill(wicked_t)
-	dnsmasq_signal(wicked_t)
-	dnsmasq_signull(wicked_t)
-	dnsmasq_systemctl(wicked_t)
-')
-
-optional_policy(`
-    dnssec_trigger_domtrans(wicked_t)
-    dnssec_trigger_signull(wicked_t)
-    dnssec_trigger_sigkill(wicked_t)
-')
-
-optional_policy(`
-    fcoe_dgram_send_fcoemon(wicked_t)
-')
-
-optional_policy(`
-	howl_signal(wicked_t)
-')
-
-optional_policy(`
-	gnome_dontaudit_search_config(wicked_t)
-')
-
-optional_policy(`
-    iscsid_domtrans(wicked_t)
-')
-
-optional_policy(`
-    iodined_domtrans(wicked_t)
-')
-
-optional_policy(`
-	ipsec_domtrans_mgmt(wicked_t)
-	ipsec_kill_mgmt(wicked_t)
-	ipsec_signal_mgmt(wicked_t)
-	ipsec_signull_mgmt(wicked_t)
-	ipsec_domtrans(wicked_t)
-	ipsec_kill(wicked_t)
-	ipsec_signal(wicked_t)
-	ipsec_signull(wicked_t)
-')
-
-optional_policy(`
-	iptables_domtrans(wicked_t)
-')
-
-optional_policy(`
-	l2tpd_domtrans(wicked_t)
-    l2tpd_sigkill(wicked_t)
-    l2tpd_signal(wicked_t)
-    l2tpd_signull(wicked_t)
-')
-
-optional_policy(`
-    lldpad_dgram_send(wicked_t)
-')
-
-optional_policy(`
-    kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t)
-')
-
-optional_policy(`
-	netutils_exec_ping(wicked_t)
-    netutils_exec(wicked_t)
-')
-
-optional_policy(`
-	nscd_domtrans(wicked_t)
-	nscd_signal(wicked_t)
-	nscd_signull(wicked_t)
-	nscd_kill(wicked_t)
-	nscd_initrc_domtrans(wicked_t)
-	nscd_systemctl(wicked_t)
-')
-
-optional_policy(`
-	# Dispatcher starting and stoping ntp
-	ntp_initrc_domtrans(wicked_t)
-	ntp_systemctl(wicked_t)
-')
-
-optional_policy(`
-	modutils_domtrans_kmod(wicked_t)
-')
-
-optional_policy(`
-	openvpn_read_config(wicked_t)
-	openvpn_domtrans(wicked_t)
-	openvpn_kill(wicked_t)
-	openvpn_signal(wicked_t)
-	openvpn_signull(wicked_t)
-	openvpn_stream_connect(wicked_t)
-	openvpn_noatsecure(wicked_t)
-')
-
-optional_policy(`
-	policykit_dbus_chat(wicked_t)
-	policykit_domtrans_auth(wicked_t)
-	policykit_read_lib(wicked_t)
-	policykit_read_reload(wicked_t)
-	userdom_read_all_users_state(wicked_t)
-')
-
-optional_policy(`
-	polipo_systemctl(wicked_t)
-')
-
-optional_policy(`
-	ppp_initrc_domtrans(wicked_t)
-	ppp_domtrans(wicked_t)
-	ppp_manage_pid_files(wicked_t)
-	ppp_kill(wicked_t)
-	ppp_signal(wicked_t)
-	ppp_signull(wicked_t)
-	ppp_read_config(wicked_t)
-	ppp_systemctl(wicked_t)
-')
-
-optional_policy(`
-	rpm_exec(wicked_t)
-	rpm_read_db(wicked_t)
-	rpm_dontaudit_manage_db(wicked_t)
-')
-
-optional_policy(`
-    samba_service_status(wicked_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(wicked_t)
-')
-
-optional_policy(`
-	sysnet_manage_dhcpc_state(wicked_t)
-')
-
-optional_policy(`
-	systemd_write_inhibit_pipes(wicked_t)
-	systemd_read_logind_sessions_files(wicked_t)
-	systemd_dbus_chat_logind(wicked_t)
-	systemd_dbus_chat_hostnamed(wicked_t)
-    systemd_hostnamed_manage_config(wicked_t)
-')
-
-optional_policy(`
-    ssh_basic_client_template(wicked, wicked_t, system_r)
-    term_use_generic_ptys(wicked_ssh_t)
-    modutils_domtrans_kmod(wicked_ssh_t)
-    dbus_connect_system_bus(wicked_ssh_t)
-    dbus_system_bus_client(wicked_ssh_t)
-
-    wicked_dbus_chat(wicked_ssh_t)
-')
-
-optional_policy(`
-	udev_exec(wicked_t)
-	udev_read_db(wicked_t)
-	udev_read_pid_files(wicked_t)
-')
-
-optional_policy(`
-	vpn_domtrans(wicked_t)
-	vpn_kill(wicked_t)
-	vpn_signal(wicked_t)
-	vpn_signull(wicked_t)
-	vpn_relabelfrom_tun_socket(wicked_t)
-')
-
-optional_policy(`
-	openfortivpn_domtrans(wicked_t)
-	openfortivpn_sigkill(wicked_t)
-	openfortivpn_signal(wicked_t)
-	openfortivpn_signull(wicked_t)
-')
-
-optional_policy(`
-	openvswitch_stream_connect(wicked_t)
-')
-
-optional_policy(`
-	virt_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-	networkmanager_dbus_chat(wicked_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(wicked_winbind_t)
-')
-
-optional_policy(`
-	sysnet_exec_ifconfig(wicked_plugin)
-	sysnet_read_config(wicked_plugin)
-')
-
-optional_policy(`
-	systemd_exec_systemctl(wicked_winbind_t)
-	systemd_exec_systemctl(wicked_dhcp_t)
-')
-
-optional_policy(`
-	samba_domtrans_smbcontrol(wicked_winbind_t)
-	samba_read_config(wicked_winbind_t)
-	samba_service_status(wicked_winbind_t)
-')
-
-#tunable_policy(`use_ecryptfs_home_dirs',`
-#fs_manage_ecryptfs_files(wicked_t)
-#')
-
-########################################
-#
-# wpa_cli local policy
-#
-
-#allow wpa_cli_t self:capability { dac_read_search  };
-#allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
-#
-#allow wpa_cli_t wicked_t:unix_dgram_socket sendto;
-#
-#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t)
-#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file)
-#
-#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#
-#init_dontaudit_use_fds(wpa_cli_t)
-#init_use_script_ptys(wpa_cli_t)
-#
-#term_dontaudit_use_console(wpa_cli_t)
				`@ -1 +0,0 @@`
				`/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)`
				`@ -1 +0,0 @@`
				`/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)`