directory, this directory does not contain the "executor" directory inside it.
+ # Core snapshotters
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-native")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-btrfs")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-zfs")
+ # Non-core snapshotters
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-fuse-overlayfs")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-nydus")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlaybd")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-stargz")
+ # Third-party snapshotters
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
+
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
+
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
+ userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
+ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
+ filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
+ files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+')
+
+########################################
+##
+## Connect to container over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_stream_connect',`
+ gen_require(`
+ type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
+ stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
+ allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Connect to SPC containers over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_stream_connect',`
+ gen_require(`
+ type spc_t, spc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an container environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin',`
+ gen_require(`
+ type container_runtime_t;
+ type container_var_lib_t, container_var_run_t;
+ type container_unit_file_t;
+ type container_lock_t;
+ type container_log_t;
+ type container_config_t;
+ type container_file_t;
+ ')
+
+ allow $1 container_runtime_t:process { ptrace signal_perms };
+ ps_process_pattern($1, container_runtime_t)
+
+ admin_pattern($1, container_config_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, container_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, container_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, container_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, container_log_t)
+
+ container_systemctl($1)
+ admin_pattern($1, container_unit_file_t)
+ allow $1 container_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, container_file_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Execute container_auth_exec_t in the container_auth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_auth_domtrans',`
+ gen_require(`
+ type container_auth_t, container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_auth_exec_t, container_auth_t)
+')
+
+######################################
+##
+## Execute container_auth in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_exec',`
+ gen_require(`
+ type container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, container_auth_exec_t)
+')
+
+########################################
+##
+## Connect to container_auth over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_stream_connect',`
+ gen_require(`
+ type container_auth_t, container_plugin_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+')
+
+########################################
+##
+## container domain typebounds calling domain.
+##
+##
+##
+## Domain to be typebound.
+##
+##
+#
+interface(`container_runtime_typebounds',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ allow container_runtime_t $1:process2 nnp_transition;
+')
+
+########################################
+##
+## Allow any container_runtime_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`container_runtime_entrypoint',`
+ gen_require(`
+ type container_runtime_exec_t;
+ ')
+ allow $1 container_runtime_exec_t:file entrypoint;
+')
+
+interface(`docker_exec_lib',`
+ container_exec_lib($1)
+')
+
+interface(`docker_read_share_files',`
+ container_read_share_files($1)
+')
+
+interface(`docker_exec_share_files',`
+ container_exec_share_files($1)
+')
+
+interface(`docker_manage_lib_files',`
+ container_manage_lib_files($1)
+')
+
+
+interface(`docker_manage_lib_dirs',`
+ container_manage_lib_dirs($1)
+')
+
+interface(`docker_lib_filetrans',`
+ container_lib_filetrans($1, $2, $3, $4)
+')
+
+interface(`docker_read_pid_files',`
+ container_read_pid_files($1)
+')
+
+interface(`docker_systemctl',`
+ container_systemctl($1)
+')
+
+interface(`docker_use_ptys',`
+ container_use_ptys($1)
+')
+
+interface(`docker_stream_connect',`
+ container_stream_connect($1)
+')
+
+interface(`docker_spc_stream_connect',`
+ container_spc_stream_connect($1)
+')
+
+########################################
+##
+## Read the process state of spc containers
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_read_state',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ ps_process_pattern($1, spc_t)
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## container runtime process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`container_runtime_domain_template',`
+ gen_require(`
+ attribute container_runtime_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ role system_r, sysadm_r;
+ ')
+
+ type $1_t, container_runtime_domain;
+ role system_r types $1_t;
+ role sysadm_r types $1_t;
+ domain_type($1_t)
+ domain_subj_id_change_exemption($1_t)
+ domain_role_change_exemption($1_t)
+
+ kernel_read_system_state($1_t)
+ kernel_read_all_proc($1_t)
+
+ mls_file_read_to_clearance($1_t)
+ mls_file_write_to_clearance($1_t)
+
+ storage_raw_rw_fixed_disk($1_t)
+ auth_use_nsswitch($1_t)
+ logging_send_syslog_msg($1_t)
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## container process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+##
+##
+## Prefix for the file type.
+##
+##
+#
+template(`container_domain_template',`
+ gen_require(`
+ attribute container_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ ')
+
+ type $1_t, container_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ allow $1_t $2_file_t:file entrypoint;
+
+ container_manage_files_template($1, $2)
+')
+
+
+########################################
+##
+## Manage container files template
+##
+##
+##
+## Prefix for the domain.
+##
+##
+##
+##
+## Prefix for the file type.
+##
+##
+#
+template(`container_manage_files_template',`
+ gen_require(`
+ attribute container_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ ')
+
+
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
+ kernel_read_all_proc($1_t)
+
+ allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+ manage_files_pattern($1_t, $2_file_t, $2_file_t)
+ exec_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_dirs_pattern($1_t, $2_file_t, $2_file_t)
+ manage_chr_files_pattern($1_t, $2_file_t, $2_file_t)
+ allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
+ manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
+ allow $1_t $2_file_t:{file dir} mounton;
+ allow $1_t $2_file_t:filesystem { mount remount unmount };
+ allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+ fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file })
+')
+
+########################################
+##
+## Read and write a spc_t unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_rw_pipes',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Execute container in the container domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_kubelet_domtrans',`
+ gen_require(`
+ type kubelet_t, kubelet_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+##
+## Execute kubelet_exec_t in the kubelet_t domain
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`container_kubelet_run',`
+ gen_require(`
+ type kubelet_t;
+ class dbus send_msg;
+ ')
+
+ container_kubelet_domtrans($1)
+ role $2 types kubelet_t;
+')
+
+########################################
+##
+## Connect to kubelet over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_kubelet_stream_connect',`
+ gen_require(`
+ type kubelet_t, container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
+')
+
+#######################################
+##
+## Create a file type used for container files.
+##
+##
+##
+## Type to be used for an container file.
+##
+##
+#
+interface(`container_file',`
+ gen_require(`
+ attribute container_file_type;
+ ')
+
+ typeattribute $1 container_file_type;
+ files_type($1)
+ files_mountpoint($1)
+')
diff --git a/container.te b/container.te
new file mode 100644
index 0000000..7b156e7
--- /dev/null
+++ b/container.te
@@ -0,0 +1,1424 @@
+policy_module(container, 2.205.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether container can
+## connect to all TCP ports.
+##
+##
+gen_tunable(container_connect_any, false)
+
+##
+##
+## Allow containers to use any device volume mounted into container
+##
+##
+gen_tunable(container_use_devices, false)
+
+##
+##
+## Allow sandbox containers to manage cgroup (systemd)
+##
+##
+gen_tunable(container_manage_cgroup, false)
+
+##
+##
+## Determine whether container can
+## use ceph file system
+##
+##
+gen_tunable(container_use_cephfs, false)
+
+##
+##
+## Determine whether container can
+## use ecrypt file system
+##
+##
+gen_tunable(container_use_ecryptfs, false)
+
+attribute container_runtime_domain;
+container_runtime_domain_template(container_runtime)
+typealias container_runtime_t alias docker_t;
+
+type container_runtime_exec_t alias docker_exec_t;
+can_exec(container_runtime_t,container_runtime_exec_t)
+attribute container_domain;
+attribute container_user_domain;
+attribute container_net_domain;
+attribute container_init_domain;
+attribute container_file_type;
+allow container_runtime_domain container_domain:process { dyntransition transition };
+allow container_domain container_runtime_domain:process sigchld;
+allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition };
+dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh };
+
+type conmon_exec_t;
+application_executable_file(conmon_exec_t)
+can_exec(container_runtime_t, conmon_exec_t)
+allow container_runtime_domain conmon_exec_t:file entrypoint;
+ifdef(`enable_mcs',`
+ range_transition container_runtime_t conmon_exec_t:process s0;
+')
+ifdef(`enable_mls',`
+ range_transition container_runtime_t conmon_exec_t:process s0;
+')
+
+type spc_t, container_domain;
+domain_type(spc_t)
+role system_r types spc_t;
+init_initrc_domain(spc_t)
+
+type container_auth_t alias docker_auth_t;
+type container_auth_exec_t alias docker_auth_exec_t;
+init_daemon_domain(container_auth_t, container_auth_exec_t)
+
+type spc_var_run_t;
+files_pid_file(spc_var_run_t)
+
+type kubernetes_file_t;
+files_config_file(kubernetes_file_t)
+
+type container_var_lib_t alias docker_var_lib_t;
+files_type(container_var_lib_t)
+
+type container_home_t alias docker_home_t;
+userdom_user_home_content(container_home_t)
+
+type container_config_t alias docker_config_t;
+files_config_file(container_config_t)
+
+type container_lock_t alias docker_lock_t;
+files_lock_file(container_lock_t)
+
+type container_log_t alias docker_log_t;
+logging_log_file(container_log_t)
+
+type container_runtime_tmp_t alias docker_tmp_t;
+files_tmp_file(container_runtime_tmp_t)
+
+type container_runtime_tmpfs_t alias docker_tmpfs_t;
+files_tmpfs_file(container_runtime_tmpfs_t)
+
+type container_var_run_t alias docker_var_run_t;
+files_pid_file(container_var_run_t)
+
+type container_plugin_var_run_t alias docker_plugin_var_run_t;
+files_pid_file(container_plugin_var_run_t)
+
+type container_unit_file_t alias docker_unit_file_t;
+systemd_unit_file(container_unit_file_t)
+
+type container_devpts_t alias docker_devpts_t;
+term_pty(container_devpts_t)
+
+typealias container_ro_file_t alias { container_share_t docker_share_t };
+files_mountpoint(container_ro_file_t)
+
+type container_port_t alias docker_port_t;
+corenet_port(container_port_t)
+
+init_daemon_domain(container_runtime_t, container_runtime_exec_t)
+#ifdef(`enable_mcs',`
+# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
+#')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(container_runtime_t)
+
+
+########################################
+#
+# container local policy
+#
+allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+allow container_runtime_domain self:process ~setcurrent;
+allow container_runtime_domain self:passwd rootok;
+allow container_runtime_domain self:fd use;
+allow container_runtime_domain self:dir mounton;
+allow container_runtime_domain self:file mounton;
+
+allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
+allow container_runtime_domain self:fifo_file manage_file_perms;
+allow container_runtime_domain self:msg all_msg_perms;
+allow container_runtime_domain self:sem create_sem_perms;
+allow container_runtime_domain self:shm create_shm_perms;
+allow container_runtime_domain self:msgq create_msgq_perms;
+allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms;
+allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
+allow container_runtime_domain self:udp_socket create_socket_perms;
+allow container_runtime_domain self:capability2 block_suspend;
+allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain self:filesystem associate;
+allow container_runtime_domain self:packet_socket create_socket_perms;
+allow container_runtime_domain self:socket create_socket_perms;
+allow container_runtime_domain self:rawip_socket create_stream_socket_perms;
+allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms;
+allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow container_runtime_domain self:netlink_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(container_runtime_domain)
+corenet_udp_bind_generic_node(container_runtime_domain)
+corenet_raw_bind_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_bind_all_ports(container_runtime_domain)
+corenet_tcp_bind_all_ports(container_runtime_domain)
+corenet_tcp_connect_all_ports(container_runtime_domain)
+corenet_sctp_bind_all_ports(container_net_domain)
+corenet_sctp_connect_all_ports(container_net_domain)
+corenet_rw_tun_tap_dev(container_runtime_domain)
+
+container_auth_stream_connect(container_runtime_domain)
+
+manage_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+allow container_runtime_domain container_domain:key manage_key_perms;
+manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod};
+allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms;
+
+manage_files_pattern(container_runtime_domain, container_home_t, container_home_t)
+manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t)
+manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
+userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
+userdom_manage_user_home_content(container_runtime_domain)
+
+manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
+manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+
+manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
+manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
+files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+
+manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
+manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
+allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
+
+manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+
+manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
+can_exec(container_runtime_domain, container_runtime_tmpfs_t)
+fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
+allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
+can_exec(container_runtime_domain, container_ro_file_t)
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")
+
+#container_filetrans_named_content(container_runtime_domain)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+
+allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(container_runtime_domain, container_devpts_t)
+term_use_all_ttys(container_runtime_domain)
+term_use_all_inherited_terms(container_runtime_domain)
+
+kernel_read_network_state(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_setsched(container_runtime_domain)
+kernel_rw_all_sysctls(container_runtime_domain)
+
+domain_obj_id_change_exemption(container_runtime_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
+domain_use_interactive_fds(container_runtime_domain)
+domain_dontaudit_read_all_domains_state(container_runtime_domain)
+domain_sigchld_all_domains(container_runtime_domain)
+domain_use_interactive_fds(container_runtime_domain)
+domain_read_all_domains_state(container_runtime_domain)
+domain_getattr_all_domains(container_runtime_domain)
+
+userdom_map_tmp_files(container_runtime_domain)
+
+optional_policy(`
+ gnome_map_generic_data_home_files(container_runtime_domain)
+ allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
+')
+
+gen_require(`
+ attribute domain;
+')
+
+allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
+allow container_runtime_domain domain:fd use;
+
+corecmd_exec_bin(container_runtime_domain)
+corecmd_exec_shell(container_runtime_domain)
+corecmd_exec_all_executables(container_runtime_domain)
+corecmd_bin_entry_type(container_runtime_domain)
+corecmd_shell_entry_type(container_runtime_domain)
+
+corenet_tcp_bind_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_if(container_runtime_domain)
+corenet_tcp_sendrecv_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_port(container_runtime_domain)
+corenet_tcp_bind_all_ports(container_runtime_domain)
+corenet_tcp_connect_http_port(container_runtime_domain)
+corenet_tcp_connect_commplex_main_port(container_runtime_domain)
+corenet_udp_sendrecv_generic_if(container_runtime_domain)
+corenet_udp_sendrecv_generic_node(container_runtime_domain)
+corenet_udp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_bind_generic_node(container_runtime_domain)
+corenet_udp_bind_all_ports(container_runtime_domain)
+
+files_read_kernel_modules(container_runtime_domain)
+files_read_config_files(container_runtime_domain)
+files_dontaudit_getattr_all_dirs(container_runtime_domain)
+files_dontaudit_getattr_all_files(container_runtime_domain)
+files_execmod_all_files(container_runtime_domain)
+files_search_all(container_runtime_domain)
+files_read_usr_symlinks(container_runtime_domain)
+files_search_locks(container_runtime_domain)
+files_dontaudit_unmount_all_mountpoints(container_runtime_domain)
+
+fs_read_cgroup_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_all(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_onload_sockets(container_runtime_domain)
+
+auth_dontaudit_getattr_shadow(container_runtime_domain)
+
+init_read_state(container_runtime_domain)
+init_status(container_runtime_domain)
+init_stop(container_runtime_domain)
+init_start(container_runtime_domain)
+init_manage_config_transient_files(container_runtime_domain)
+
+logging_send_audit_msgs(container_runtime_domain)
+
+miscfiles_read_localization(container_runtime_domain)
+miscfiles_dontaudit_access_check_cert(container_runtime_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
+miscfiles_read_fonts(container_runtime_domain)
+miscfiles_read_hwdata(container_runtime_domain)
+fs_relabel_cgroup_dirs(container_runtime_domain)
+# fs_relabel_cgroup_files(container_runtime_domain)
+allow container_runtime_domain container_domain:file relabelfrom;
+
+mount_domtrans(container_runtime_domain)
+
+seutil_read_default_contexts(container_runtime_domain)
+seutil_read_config(container_runtime_domain)
+
+sysnet_dns_name_resolve(container_runtime_domain)
+sysnet_exec_ifconfig(container_runtime_domain)
+
+optional_policy(`
+ cron_system_entry(container_runtime_t, container_runtime_exec_t)
+')
+
+optional_policy(`
+ ssh_use_ptys(container_runtime_domain)
+')
+
+optional_policy(`
+ rpm_exec(container_runtime_domain)
+ rpm_read_cache(container_runtime_domain)
+ rpm_read_db(container_runtime_domain)
+ rpm_exec(container_runtime_domain)
+')
+
+optional_policy(`
+ fstools_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ iptables_domtrans(container_runtime_domain)
+
+ container_read_pid_files(iptables_t)
+ container_read_state(iptables_t)
+ container_append_file(iptables_t)
+ allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
+ allow iptables_t container_file_type:dir list_dir_perms;
+')
+
+optional_policy(`
+ openvswitch_stream_connect(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ attribute named_filetrans_domain;
+ ')
+ container_filetrans_named_content(named_filetrans_domain)
+')
+
+#
+# lxc rules
+#
+
+allow container_runtime_domain self:capability ~{ sys_module };
+allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
+allow container_runtime_domain self:cap_userns ~{ sys_module };
+allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };
+
+allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;;
+allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
+allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow container_runtime_domain container_var_lib_t:dir mounton;
+allow container_runtime_domain container_var_lib_t:chr_file mounton;
+can_exec(container_runtime_domain, container_var_lib_t)
+
+kernel_dontaudit_setsched(container_runtime_domain)
+kernel_get_sysvipc_info(container_runtime_domain)
+kernel_request_load_module(container_runtime_domain)
+kernel_mounton_messages(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+kernel_mounton_all_sysctls(container_runtime_domain)
+kernel_list_all_proc(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_rw_unix_sysctls(container_runtime_domain)
+kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
+kernel_dontaudit_access_check_proc(container_runtime_domain)
+kernel_dontaudit_setattr_proc_files(container_runtime_domain)
+kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
+kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)
+
+dev_setattr_null_dev(container_runtime_t)
+dev_getattr_all(container_runtime_domain)
+dev_getattr_sysfs_fs(container_runtime_domain)
+dev_read_rand(container_runtime_domain)
+dev_read_urand(container_runtime_domain)
+dev_read_lvm_control(container_runtime_domain)
+dev_rw_sysfs(container_runtime_domain)
+dev_rw_loop_control(container_runtime_domain)
+dev_rw_lvm_control(container_runtime_domain)
+dev_read_mtrr(container_runtime_domain)
+
+files_getattr_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_files(container_runtime_domain)
+files_manage_isid_type_symlinks(container_runtime_domain)
+files_manage_isid_type_chr_files(container_runtime_domain)
+files_manage_isid_type_blk_files(container_runtime_domain)
+files_exec_isid_files(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+files_mounton_non_security(container_runtime_domain)
+files_mounton_isid_type_chr_file(container_runtime_domain)
+
+fs_mount_all_fs(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+fs_manage_cgroup_dirs(container_runtime_domain)
+fs_manage_cgroup_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
+
+
+term_use_generic_ptys(container_runtime_domain)
+term_use_ptmx(container_runtime_domain)
+term_getattr_pty_fs(container_runtime_domain)
+term_relabel_pty_fs(container_runtime_domain)
+term_mounton_unallocated_ttys(container_runtime_domain)
+
+modutils_domtrans_kmod(container_runtime_domain)
+
+systemd_status_all_unit_files(container_runtime_domain)
+systemd_start_systemd_services(container_runtime_domain)
+systemd_dbus_chat_logind(container_runtime_domain)
+systemd_chat_resolved(container_runtime_domain)
+
+userdom_stream_connect(container_runtime_domain)
+userdom_search_user_home_content(container_runtime_domain)
+userdom_read_all_users_state(container_runtime_domain)
+userdom_relabel_user_home_files(container_runtime_domain)
+userdom_relabel_user_tmp_files(container_runtime_domain)
+userdom_relabel_user_tmp_dirs(container_runtime_domain)
+userdom_use_inherited_user_terminals(container_runtime_domain)
+userdom_use_user_ptys(container_runtime_domain)
+userdom_connectto_stream(container_runtime_domain)
+allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(container_runtime_domain)
+ fs_manage_nfs_files(container_runtime_domain)
+ fs_manage_nfs_named_sockets(container_runtime_domain)
+ fs_manage_nfs_symlinks(container_runtime_domain)
+ fs_remount_nfs(container_runtime_domain)
+ fs_mount_nfs(container_runtime_domain)
+ fs_unmount_nfs(container_runtime_domain)
+ fs_exec_nfs_files(container_runtime_domain)
+ kernel_rw_fs_sysctls(container_runtime_domain)
+ allow container_runtime_domain nfs_t:file execmod;
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(container_runtime_domain)
+ fs_manage_cifs_dirs(container_runtime_domain)
+ fs_manage_cifs_named_sockets(container_runtime_domain)
+ fs_manage_cifs_symlinks(container_runtime_domain)
+ fs_exec_cifs_files(container_runtime_domain)
+ allow container_runtime_domain cifs_t:file execmod;
+
+ fs_manage_cifs_files(container_domain)
+ fs_manage_cifs_dirs(container_domain)
+ fs_manage_cifs_named_sockets(container_domain)
+ fs_manage_cifs_symlinks(container_domain)
+ fs_exec_cifs_files(container_domain)
+ allow container_domain cifs_t:file execmod;
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(container_domain)
+ fs_manage_nfs_files(container_domain)
+ fs_manage_nfs_named_sockets(container_domain)
+ fs_manage_nfs_symlinks(container_domain)
+ fs_mount_nfs(container_domain)
+ fs_unmount_nfs(container_domain)
+ fs_exec_nfs_files(container_domain)
+ allow container_domain nfs_t:file execmod;
+')
+
+gen_require(`
+ type cephfs_t;
+')
+
+tunable_policy(`container_use_cephfs',`
+ manage_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
+ exec_files_pattern(container_domain, cephfs_t, cephfs_t)
+ allow container_domain cephfs_t:file execmod;
+')
+
+gen_require(`
+ type ecryptfs_t;
+')
+
+tunable_policy(`container_use_ecryptfs',`
+ manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ allow container_domain ecryptfs_t:file execmod;
+')
+
+fs_manage_fusefs_named_sockets(container_runtime_domain)
+fs_manage_fusefs_dirs(container_runtime_domain)
+fs_manage_fusefs_files(container_runtime_domain)
+fs_manage_fusefs_symlinks(container_runtime_domain)
+fs_mount_fusefs(container_runtime_domain)
+fs_unmount_fusefs(container_runtime_domain)
+fs_exec_fusefs_files(container_runtime_domain)
+storage_rw_fuse(container_runtime_domain)
+
+
+optional_policy(`
+ files_search_all(container_domain)
+ container_read_share_files(container_domain)
+ container_exec_share_files(container_domain)
+ allow container_domain container_ro_file_t:file execmod;
+ container_lib_filetrans(container_domain,container_file_t, sock_file)
+ container_use_ptys(container_domain)
+ container_spc_stream_connect(container_domain)
+ fs_dontaudit_remount_tmpfs(container_domain)
+ dev_dontaudit_mounton_sysfs(container_domain)
+')
+
+optional_policy(`
+ apache_exec_modules(container_runtime_domain)
+ apache_read_sys_content(container_runtime_domain)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(container_runtime_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(container_runtime_domain)
+ dbus_session_bus_client(container_runtime_domain)
+ init_dbus_chat(container_runtime_domain)
+ init_start_transient_unit(container_runtime_domain)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(container_runtime_domain)
+ systemd_dbus_chat_machined(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ dnsmasq_dbus_chat(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(container_runtime_domain)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t)
+ container_manage_dirs(systemd_logind_t)
+ container_manage_files(systemd_logind_t)
+')
+
+optional_policy(`
+ udev_read_db(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types container_user_domain;
+ unconfined_domain(container_runtime_t)
+ unconfined_run_to(container_runtime_t, container_runtime_exec_t)
+ role_transition unconfined_r container_runtime_exec_t system_r;
+ allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
+ allow container_runtime_domain unconfined_t:fifo_file setattr;
+ allow unconfined_domain_type container_domain:process {transition dyntransition };
+ allow unconfined_t unlabeled_t:key manage_key_perms;
+ allow container_runtime_t unconfined_t:process transition;
+ allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
+ fs_fusefs_entrypoint(unconfined_domain_type)
+
+ domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type virtd_lxc_t;
+ ')
+ virt_read_config(container_runtime_domain)
+ virt_exec(container_runtime_domain)
+ virt_stream_connect(container_runtime_domain)
+ virt_stream_connect_sandbox(container_runtime_domain)
+ virt_exec_sandbox_files(container_runtime_domain)
+ virt_manage_sandbox_files(container_runtime_domain)
+ virt_relabel_sandbox_filesystem(container_runtime_domain)
+ # for lxc
+ virt_mounton_sandbox_file(container_runtime_domain)
+# virt_attach_sandbox_tun_iface(container_runtime_domain)
+ allow container_runtime_domain container_domain:tun_socket relabelfrom;
+ virt_sandbox_entrypoint(container_runtime_domain)
+ allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
+
+')
+
+tunable_policy(`container_connect_any',`
+ corenet_tcp_connect_all_ports(container_runtime_domain)
+ corenet_sendrecv_all_packets(container_runtime_domain)
+ corenet_tcp_sendrecv_all_ports(container_runtime_domain)
+')
+
+########################################
+#
+# spc local policy
+#
+allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+role system_r types spc_t;
+
+domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
+domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
+domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
+fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
+
+allow container_runtime_domain spc_t:process2 nnp_transition;
+admin_pattern(spc_t, kubernetes_file_t)
+
+allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
+allow spc_t { container_ro_file_t container_file_t }:system module_load;
+
+allow container_runtime_domain spc_t:process { setsched signal_perms };
+ps_process_pattern(container_runtime_domain, spc_t)
+allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
+allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+
+init_dbus_chat(spc_t)
+
+optional_policy(`
+ systemd_dbus_chat_machined(spc_t)
+ systemd_dbus_chat_logind(spc_t)
+')
+
+optional_policy(`
+ dbus_chat_system_bus(spc_t)
+ dbus_chat_session_bus(spc_t)
+ dnsmasq_dbus_chat(spc_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(spc_t)
+ domain_ptrace_all_domains(spc_t)
+ # This should eventually be in upstream policy.
+ # https://github.com/fedora-selinux/selinux-policy/pull/806
+ allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+')
+
+optional_policy(`
+ virt_transition_svirt_sandbox(spc_t, system_r)
+ virt_sandbox_entrypoint(spc_t)
+ virt_sandbox_domtrans(container_runtime_domain, spc_t)
+ virt_transition_svirt(spc_t, system_r)
+ virt_sandbox_entrypoint(container_file_t)
+ virt_sandbox_entrypoint(container_ro_file_t)
+
+ gen_require(`
+ attribute virt_domain;
+ type virtd_t;
+ ')
+ container_spc_read_state(virt_domain)
+ container_spc_rw_pipes(virt_domain)
+ allow container_runtime_t virtd_t:process transition;
+ allow container_runtime_t virt_domain:process transition;
+ allow virt_domain container_file_t:file entrypoint;
+ allow virtd_t container_file_t:file entrypoint;
+ manage_files_pattern(virt_domain, container_file_t, container_file_t)
+ manage_dirs_pattern(virt_domain, container_file_t, container_file_t)
+ manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t)
+ read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
+ read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
+
+ can_exec(virt_domain, container_file_t)
+
+ manage_files_pattern(virtd_t, container_file_t, container_file_t)
+ manage_dirs_pattern(virtd_t, container_file_t, container_file_t)
+ manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t)
+ read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
+ read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
+
+ can_exec(virtd_t, container_file_t)
+
+
+')
+
+########################################
+#
+# container_auth local policy
+#
+allow container_auth_t self:fifo_file rw_fifo_file_perms;
+allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_auth_t self:capability net_admin;
+
+container_stream_connect(container_auth_t)
+
+manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
+
+stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t)
+
+domain_use_interactive_fds(container_auth_t)
+
+kernel_read_net_sysctls(container_auth_t)
+
+auth_use_nsswitch(container_auth_t)
+
+files_read_etc_files(container_auth_t)
+
+miscfiles_read_localization(container_auth_t)
+
+sysnet_dns_name_resolve(container_auth_t)
+
+########################################
+#
+# container_t local policy
+#
+# Currently this is called in virt.te
+# virt_sandbox_domain_template(container)
+# typealias container_t alias svirt_lxc_net_t;
+gen_require(`
+ type container_t;
+ type container_file_t;
+')
+container_manage_files_template(container, container)
+
+typeattribute container_file_t container_file_type;
+typeattribute container_t container_domain, container_net_domain, container_user_domain;
+allow container_user_domain self:process getattr;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
+allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
+allow container_domain container_runtime_t:unix_dgram_socket sendto;
+
+allow container_domain container_runtime_domain:tun_socket relabelfrom;
+allow container_domain container_runtime_domain:fd use;
+allow container_runtime_domain container_domain:fd use;
+allow container_domain self:socket_class_set { create_socket_perms map accept };
+allow container_domain self:lnk_file setattr;
+allow container_domain self:user_namespace create;
+
+dontaudit container_domain self:capability fsetid;
+allow container_domain self:association sendto;
+allow container_domain self:dir list_dir_perms;
+dontaudit container_domain self:dir { write add_name };
+allow container_domain self:file rw_file_perms;
+allow container_domain self:lnk_file read_file_perms;
+allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:filesystem associate;
+allow container_domain self:key manage_key_perms;
+allow container_domain self:netlink_route_socket r_netlink_socket_perms;
+allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_domain self:netlink_xfrm_socket create_socket_perms;
+allow container_domain self:packet_socket create_socket_perms;
+allow container_domain self:passwd rootok;
+allow container_domain self:peer recv;
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
+allow container_domain self:sem create_sem_perms;
+allow container_domain self:shm create_shm_perms;
+allow container_domain self:socket create_socket_perms;
+allow container_domain self:tcp_socket create_socket_perms;
+allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
+allow container_domain self:udp_socket create_socket_perms;
+allow container_domain self:unix_dgram_socket create_socket_perms;
+allow container_domain self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_domain self:capability2 block_suspend ;
+allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
+fs_rw_onload_sockets(container_domain)
+fs_fusefs_entrypoint(container_domain)
+
+
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+fs_mount_tmpfs(container_domain)
+
+dontaudit container_domain container_runtime_tmpfs_t:dir read;
+allow container_domain container_runtime_tmpfs_t:dir mounton;
+
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+allow container_domain sysfs_t:dir watch;
+
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+
+allow container_domain self:key manage_key_perms;
+dontaudit container_domain container_domain:key search;
+
+allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow container_domain self:fifo_file manage_file_perms;
+allow container_domain self:msg all_msg_perms;
+allow container_domain self:sem create_sem_perms;
+allow container_domain self:shm create_shm_perms;
+allow container_domain self:msgq create_msgq_perms;
+allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow container_domain self:passwd rootok;
+allow container_domain self:filesystem associate;
+allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+
+kernel_getattr_proc(container_domain)
+kernel_list_all_proc(container_domain)
+kernel_read_all_sysctls(container_domain)
+kernel_dontaudit_write_kernel_sysctl(container_domain)
+kernel_read_network_state(container_domain)
+kernel_rw_net_sysctls(container_domain)
+kernel_rw_unix_sysctls(container_domain)
+kernel_dontaudit_search_kernel_sysctl(container_domain)
+kernel_dontaudit_access_check_proc(container_domain)
+kernel_dontaudit_setattr_proc_files(container_domain)
+kernel_dontaudit_setattr_proc_dirs(container_domain)
+kernel_dontaudit_write_usermodehelper_state(container_domain)
+kernel_read_irq_sysctls(container_domain)
+kernel_get_sysvipc_info(container_domain)
+
+fs_getattr_all_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_search_tmpfs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_dontaudit_getattr_all_dirs(container_domain)
+fs_dontaudit_getattr_all_files(container_domain)
+fs_read_nsfs_files(container_domain)
+
+term_use_all_inherited_terms(container_domain)
+
+userdom_use_user_ptys(container_domain)
+userdom_rw_inherited_user_pipes(container_domain)
+
+domain_user_exemption_target(container_t)
+domain_dontaudit_link_all_domains_keyrings(container_domain)
+domain_dontaudit_search_all_domains_keyrings(container_domain)
+domain_dontaudit_search_all_domains_state(container_domain)
+
+virt_sandbox_net_domain(container_t)
+
+logging_send_syslog_msg(container_t)
+
+gen_require(`
+ type container_file_t;
+')
+# fs_associate_cgroupfs(container_file_t)
+gen_require(`
+ type cgroup_t;
+')
+
+dev_read_sysfs(container_domain)
+dev_read_mtrr(container_domain)
+dev_mounton_sysfs(container_t)
+
+fs_mounton_cgroup(container_t)
+fs_unmount_cgroup(container_t)
+
+dev_read_rand(container_domain)
+dev_write_rand(container_domain)
+dev_read_urand(container_domain)
+dev_write_urand(container_domain)
+
+files_read_kernel_modules(container_domain)
+
+allow container_file_t cgroup_t:filesystem associate;
+term_pty(container_file_t)
+logging_log_file(container_file_t)
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_t self:capability sys_admin;
+ allow container_t self:cap_userns sys_admin;
+')
+
+allow container_domain self:cap_userns sys_admin;
+allow container_domain self:process { getsession execstack execmem };
+
+corenet_unconfined(container_t)
+
+optional_policy(`
+ virt_default_capabilities(container_t)
+')
+kernel_rw_rpc_sysctls(container_domain)
+kernel_rw_net_sysctls(container_domain)
+kernel_read_messages(container_t)
+kernel_read_network_state(container_domain)
+kernel_dontaudit_write_proc_files(container_domain)
+
+# Container Net Domain
+corenet_tcp_bind_generic_node(container_net_domain)
+corenet_udp_bind_generic_node(container_net_domain)
+corenet_raw_bind_generic_node(container_net_domain)
+corenet_tcp_sendrecv_all_ports(container_net_domain)
+corenet_udp_sendrecv_all_ports(container_net_domain)
+corenet_udp_bind_all_ports(container_net_domain)
+corenet_tcp_bind_all_ports(container_net_domain)
+corenet_tcp_connect_all_ports(container_net_domain)
+
+allow container_net_domain self:udp_socket create_socket_perms;
+allow container_net_domain self:tcp_socket create_stream_socket_perms;
+allow container_net_domain self:tun_socket create_socket_perms;
+allow container_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow container_net_domain self:sctp_socket listen;
+allow container_net_domain self:packet_socket create_socket_perms;
+allow container_net_domain self:socket create_socket_perms;
+allow container_net_domain self:rawip_socket create_stream_socket_perms;
+allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+
+
+kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
+kernel_unlabeled_entry_type(spc_t)
+allow container_runtime_domain unlabeled_t:key manage_key_perms;
+#kernel_dontaudit_write_usermodehelper_state(container_t)
+gen_require(`
+ type usermodehelper_t;
+')
+dontaudit container_domain usermodehelper_t:file write;
+
+fs_read_cgroup_files(container_domain)
+fs_list_cgroup_dirs(container_domain)
+
+sysnet_read_config(container_domain)
+
+allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+optional_policy(`
+ gssproxy_stream_connect(container_domain)
+')
+
+optional_policy(`
+ rpm_read_cache(container_domain)
+ rpm_read_db(container_domain)
+ rpm_transition_script(spc_t, system_r)
+')
+
+optional_policy(`
+ sssd_stream_connect(container_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(container_domain)
+')
+
+tunable_policy(`container_manage_cgroup',`
+ fs_manage_cgroup_dirs(container_domain)
+ fs_manage_cgroup_files(container_domain)
+')
+
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mounton_fusefs(container_domain)
+storage_rw_fuse(container_domain)
+allow container_domain fusefs_t:file { mounton execmod };
+allow container_domain fusefs_t:filesystem remount;
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow container_domain self:netlink_socket create_socket_perms;
+ allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+', `
+ logging_dontaudit_send_audit_msgs(container_domain)
+')
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(container_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type sysctl_kernel_ns_last_pid_t;
+ ')
+
+ kernel_search_network_sysctl(container_domain)
+ allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms;
+ allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms;
+')
+
+tunable_policy(`virt_sandbox_use_all_caps',`
+ allow container_domain self:capability ~{ sys_module };
+ allow container_domain self:capability2 ~{ mac_override mac_admin };
+ allow container_domain self:cap_userns ~{ sys_module };
+ allow container_domain self:cap2_userns ~{ mac_override mac_admin };
+')
+
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow container_domain self:capability mknod;
+ allow container_domain self:cap_userns mknod;
+')
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ type unconfined_service_t;
+ type unconfined_service_exec_t;
+ ')
+
+ virt_transition_svirt_sandbox(unconfined_service_t, system_r)
+ container_filetrans_named_content(unconfined_service_t)
+ container_runtime_domtrans(unconfined_service_t)
+ role_transition unconfined_r unconfined_service_exec_t system_r;
+ allow container_runtime_domain unconfined_service_t:fifo_file setattr;
+ allow unconfined_service_t container_domain:process dyntransition;
+ allow unconfined_service_t unlabeled_t:key manage_key_perms;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_domain_type;
+ ')
+
+ container_filetrans_named_content(unconfined_domain_type)
+ allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
+ allow unconfined_domain_type unlabeled_t:key manage_key_perms;
+')
+
+#
+# container_userns_t policy
+#
+container_domain_template(container_userns, container)
+
+typeattribute container_userns_t sandbox_net_domain, container_user_domain;
+dev_mount_sysfs_fs(container_userns_t)
+dev_mounton_sysfs(container_userns_t)
+
+fs_mount_tmpfs(container_userns_t)
+fs_relabelfrom_tmpfs(container_userns_t)
+fs_remount_cgroup(container_userns_t)
+
+kernel_mount_proc(container_userns_t)
+kernel_mounton_proc(container_userns_t)
+
+term_use_generic_ptys(container_userns_t)
+term_setattr_generic_ptys(container_userns_t)
+term_mount_pty_fs(container_userns_t)
+
+allow container_userns_t self:capability ~{ sys_module };
+allow container_userns_t self:capability2 ~{ mac_override mac_admin };
+allow container_userns_t self:cap_userns ~{ sys_module };
+allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };
+allow container_userns_t self:capability mknod;
+allow container_userns_t self:cap_userns mknod;
+
+optional_policy(`
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ type sysctl_t, sysctl_irq_t;
+ ')
+
+ allow container_userns_t proc_t:filesystem { remount };
+ allow container_userns_t proc_kcore_t:file mounton;
+ allow container_userns_t sysctl_irq_t:dir mounton;
+ allow container_userns_t sysctl_t:dir mounton;
+ allow container_userns_t sysctl_t:file mounton;
+')
+
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_userns_t self:capability sys_admin;
+ allow container_userns_t self:cap_userns sys_admin;
+')
+
+# Container Logreader
+container_domain_template(container_logreader, container)
+typeattribute container_logreader_t container_net_domain;
+logging_read_all_logs(container_logreader_t)
+# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
+allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
+logging_read_audit_log(container_logreader_t)
+logging_list_logs(container_logreader_t)
+
+# Container Logwriter
+container_domain_template(container_logwriter, container)
+typeattribute container_logwriter_t container_net_domain;
+logging_read_all_logs(container_logwriter_t)
+manage_files_pattern(container_logwriter_t, logfile, logfile)
+manage_dirs_pattern(container_logwriter_t, logfile, logfile)
+manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
+logging_manage_audit_log(container_logwriter_t)
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t, staff_t, user_t;
+ role sysadm_r, staff_r, user_r;
+ attribute userdomain;
+ ')
+
+ can_exec(userdomain, container_runtime_exec_t)
+ container_manage_files(userdomain)
+ container_manage_share_dirs(userdomain)
+ container_manage_share_files(userdomain)
+
+ allow userdomain conmon_exec_t:file entrypoint;
+ container_runtime_run(sysadm_t, sysadm_r)
+ role sysadm_r types container_domain;
+ role sysadm_r types spc_t;
+
+ container_runtime_run(staff_t, staff_r)
+ role staff_r types container_user_domain;
+
+ allow userdomain self:cap_userns ~{ sys_module };
+ container_read_state(userdomain)
+ allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
+ container_runtime_run(user_t, user_r)
+ role user_r types container_user_domain;
+
+ staff_role_change_to(system_r)
+
+ allow staff_t container_runtime_t:process signal_perms;
+ allow staff_t container_domain:process signal_perms;
+ allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
+')
+
+gen_require(`
+ type init_t;
+')
+container_manage_lib_files(init_t)
+container_manage_lib_dirs(init_t)
+container_manage_share_files(init_t)
+container_manage_share_dirs(init_t)
+container_filetrans_named_content(init_t)
+container_runtime_read_tmpfs_files(init_t)
+
+gen_require(`
+ attribute device_node;
+ type device_t;
+ attribute sysctl_type;
+')
+dontaudit container_domain device_node:chr_file setattr;
+dontaudit container_domain sysctl_type:file write;
+allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt };
+
+allow container_t proc_t:filesystem remount;
+
+# Container kvm - Policy for running kata containers
+container_domain_template(container_kvm, container)
+typeattribute container_kvm_t container_net_domain, container_user_domain;
+
+type container_kvm_var_run_t;
+files_pid_file(container_kvm_var_run_t)
+filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir})
+filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers")
+
+manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
+files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
+allow container_kvm_t container_kvm_var_run_t:{file dir} mounton;
+
+allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms;
+
+container_stream_connect(container_kvm_t)
+
+allow container_kvm_t container_runtime_t:tun_socket attach_queue;
+
+dev_rw_inherited_vhost(container_kvm_t)
+dev_rw_vfio_dev(container_kvm_t)
+
+corenet_rw_inherited_tun_tap_dev(container_kvm_t)
+corecmd_exec_shell(container_kvm_t)
+corecmd_exec_bin(container_kvm_t)
+corecmd_bin_entry_type(container_kvm_t)
+
+# virtiofs causes these AVC messages.
+kernel_mount_proc(container_kvm_t)
+kernel_mounton_proc(container_kvm_t)
+kernel_unmount_proc(container_kvm_t)
+kernel_dgram_send(container_kvm_t)
+files_mounton_rootfs(container_kvm_t)
+
+auth_read_passwd(container_kvm_t)
+logging_send_syslog_msg(container_kvm_t)
+
+optional_policy(`
+ qemu_entry_type(container_kvm_t)
+ qemu_exec(container_kvm_t)
+')
+
+manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
+
+dev_rw_kvm(container_kvm_t)
+
+sssd_read_public_files(container_kvm_t)
+
+# Container init - Policy for running systemd based containers
+container_domain_template(container_init, container)
+typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain;
+
+corenet_unconfined(container_init_t)
+
+allow container_init_t device_t:filesystem { remount unmount };
+
+dev_mounton_sysfs(container_init_domain)
+
+fs_manage_cgroup_dirs(container_init_domain)
+fs_manage_cgroup_files(container_init_domain)
+fs_mounton_cgroup(container_init_domain)
+fs_unmount_cgroup(container_init_domain)
+fs_unmount_tmpfs(container_init_domain)
+
+kernel_mounton_proc(container_init_t)
+kernel_unmount_proc(container_init_t)
+
+logging_send_syslog_msg(container_init_t)
+
+allow container_init_domain proc_t:filesystem remount;
+
+optional_policy(`
+ virt_default_capabilities(container_init_t)
+')
+
+tunable_policy(`container_use_devices',`
+ allow container_domain device_node:chr_file rw_chr_file_perms;
+ allow container_domain device_node:blk_file rw_blk_file_perms;
+')
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_init_t self:capability sys_admin;
+ allow container_init_t self:cap_userns sys_admin;
+')
+
+allow container_init_domain self:netlink_audit_socket nlmsg_relay;
+
+# container_engine_t is for running a container engine within a container
+#
+container_domain_template(container_engine, container)
+typeattribute container_engine_t container_net_domain;
+
+fs_mounton_cgroup(container_engine_t)
+fs_unmount_cgroup(container_engine_t)
+fs_manage_cgroup_dirs(container_engine_t)
+fs_manage_cgroup_files(container_engine_t)
+fs_mount_tmpfs(container_engine_t)
+fs_write_cgroup_files(container_engine_t)
+
+allow container_engine_t proc_t:file mounton;
+allow container_engine_t sysctl_t:file mounton;
+allow container_engine_t sysfs_t:filesystem remount;
+
+kernel_mount_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
+kernel_mounton_proc(container_engine_t)
+kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
+
+term_mount_pty_fs(container_engine_t)
+
+type kubelet_t, container_runtime_domain;
+domain_type(kubelet_t)
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types kubelet_t;
+ unconfined_domain(kubelet_t)
+')
+
+
+type kubelet_exec_t;
+application_executable_file(kubelet_exec_t)
+can_exec(container_runtime_t, kubelet_exec_t)
+allow kubelet_t kubelet_exec_t:file entrypoint;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(kubelet_t)
+
+init_daemon_domain(kubelet_t, kubelet_exec_t)
+
+admin_pattern(kubelet_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+ attribute userdomain;
+ role unconfined_r;
+ ')
+
+ container_kubelet_run(sysadm_t, sysadm_r)
+
+ unconfined_run_to(kubelet_t, kubelet_exec_t)
+ role_transition unconfined_r kubelet_exec_t system_r;
+')
+
+# Standard container which needs to be allowed to use any device
+container_domain_template(container_device, container)
+allow container_device_t device_node:chr_file rw_chr_file_perms;
+
+# Standard container which needs to be allowed to use any device and
+# communicate with kubelet
+container_domain_template(container_device_plugin, container)
+allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_t)
+container_kubelet_stream_connect(container_device_plugin_t)
+
+# Standard container which needs to be allowed to use any device and
+# modify kubelet configuration
+container_domain_template(container_device_plugin_init, container)
+allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_init_t)
+manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type syslogd_t;
+ ')
+
+ allow syslogd_t container_runtime_tmpfs_t:file { read write };
+ logging_send_syslog_msg(container_runtime_t)
+')
+
+
+manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch
deleted file mode 100644
index c11814e..0000000
--- a/distro_suse_to_distro_redhat.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc
-+++ fedora-policy-20221019/policy/modules/contrib/apache.fc
-@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
- /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
- /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]* -- <>
- ')
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]* -- <>
- ')
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -80,7 +80,7 @@ ifdef(`distro_redhat', `
- /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- # SuSE
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-@@ -462,7 +462,7 @@ ifdef(`distro_redhat', `
- /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
- ')
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -491,7 +491,7 @@ ifdef(`distro_suse', `
- /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/kernel/devices.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc
-+++ fedora-policy-20221019/policy/modules/kernel/devices.fc
-@@ -148,7 +148,7 @@
- /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
- ')
- /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -22,7 +22,7 @@ ifdef(`distro_redhat',`
- /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -189,7 +189,7 @@ ifndef(`distro_debian',`
- /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/system/authlogin.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20221019/policy/modules/system/authlogin.fc
-@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co
- /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
- /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/system/init.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.fc
-+++ fedora-policy-20221019/policy/modules/system/init.fc
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',`
- ')
- ')
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- optional_policy(`
- # set permissions on /tmp/.X11-unix
- xserver_setattr_xdm_tmp_dirs(initrc_t)
-Index: fedora-policy-20221019/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20221019/policy/modules/system/libraries.fc
-@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_
- /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
- /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/system/locallogin.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20221019/policy/modules/system/locallogin.te
-@@ -274,7 +274,7 @@ ifdef(`enable_mls',`
- ')
-
- # suse and debian do not use pam with sulogin...
--ifdef(`distro_suse', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
-
- allow sulogin_t self:capability sys_tty_config;
-Index: fedora-policy-20221019/policy/modules/system/logging.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20221019/policy/modules/system/logging.fc
-@@ -46,7 +46,7 @@
- /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh)
- /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
- ')
-
-Index: fedora-policy-20221019/policy/modules/system/logging.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/logging.te
-+++ fedora-policy-20221019/policy/modules/system/logging.te
-@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',`
- term_dontaudit_setattr_unallocated_ttys(syslogd_t)
- ')
-
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
- ')
diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch
deleted file mode 100644
index 031ead4..0000000
--- a/dontaudit_interface_kmod_tmpfs.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
- userdom_nnp_transition_login_userdomain(xdm_t)
- userdom_watch_user_home_dirs(xdm_t)
-
-+# SUSE uses startproc to start the display manager. While checking for running processes
-+# it goes over all running instances, triggering AVCs
-+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
-+
- #userdom_home_manager(xdm_t)
- tunable_policy(`xdm_write_home',`
- userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-Index: fedora-policy-20221019/policy/modules/system/modutils.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/modutils.if
-+++ fedora-policy-20221019/policy/modules/system/modutils.if
-@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
- #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
- #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
- ')
-+
-+#######################################
-+##
-+## Don't audit accesses to tmp file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
-+ gen_require(`
-+ type kmod_tmpfs_t;
-+ ')
-+
-+ dontaudit $1 kmod_tmpfs_t:file { getattr };
-+')
diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2
deleted file mode 100644
index 6fb0487..0000000
--- a/fedora-policy-20221019.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
-size 733130
diff --git a/fix_accountsd.patch b/fix_accountsd.patch
deleted file mode 100644
index 6558c5c..0000000
--- a/fix_accountsd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/accountsd.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/accountsd.fc
-+++ fedora-policy/policy/modules/contrib/accountsd.fc
-@@ -1,6 +1,7 @@
- /usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
-
- /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-+/usr/lib/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-
- /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-
diff --git a/fix_alsa.patch b/fix_alsa.patch
deleted file mode 100644
index 0e6b04c..0000000
--- a/fix_alsa.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
-+++ fedora-policy-20221019/policy/modules/contrib/alsa.te
-@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
-
-+optional_policy(`
-+ gnome_read_home_config(alsa_t)
-+')
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(alsa_t)
-
diff --git a/fix_apache.patch b/fix_apache.patch
deleted file mode 100644
index 6b24b83..0000000
--- a/fix_apache.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
-+++ fedora-policy-20221019/policy/modules/contrib/apache.if
-@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
-
- allow $1 httpd_t:sem r_sem_perms;
- ')
-+
-+#######################################
-+##
-+## Allow the specified domain to execute
-+## httpd_sys_content_t and manage httpd_sys_rw_content_t
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_exec_sys_content',`
-+ gen_require(`
-+ type httpd_sys_content_t;
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ apache_manage_sys_content_rw($1)
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+ can_exec($1, httpd_sys_content_t)
-+')
diff --git a/fix_auditd.patch b/fix_auditd.patch
deleted file mode 100644
index d4d94e0..0000000
--- a/fix_auditd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/system/logging.if
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/logging.if
-+++ fedora-policy-20211111/policy/modules/system/logging.if
-@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config',
-
- files_search_etc($1)
- manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-+ allow $1 auditd_etc_t:dir mounton;
- ')
-
- ########################################
diff --git a/fix_authlogin.patch b/fix_authlogin.patch
deleted file mode 100644
index 7220120..0000000
--- a/fix_authlogin.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/system/authlogin.fc
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20211111/policy/modules/system/authlogin.fc
-@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', `
- /usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0)
- /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
-+/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
-
- /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-
diff --git a/fix_automount.patch b/fix_automount.patch
deleted file mode 100644
index a702fc7..0000000
--- a/fix_automount.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/automount.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/automount.te
-+++ fedora-policy/policy/modules/contrib/automount.te
-@@ -154,6 +154,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_read_pid_files(automount_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(automount_t)
- ')
-
diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch
deleted file mode 100644
index 2ce1749..0000000
--- a/fix_bitlbee.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc
-+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-@@ -9,6 +9,5 @@
-
- /var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
-
--/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
--/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
- /var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/fix_chronyd.patch b/fix_chronyd.patch
deleted file mode 100644
index 1ea9a55..0000000
--- a/fix_chronyd.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t)
- userdom_dgram_send(chronyd_t)
-
- optional_policy(`
-+ networkmanager_read_pid_files(chronyd_t)
-+ networkmanager_dispatcher_custom_dgram_send(chronyd_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(chronyd_t)
-+')
-+
-+optional_policy(`
- cron_dgram_send(chronyd_t)
- ')
-
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,8 @@
-
- /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
- /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-
- /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
-
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug
-
- domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t)
- ')
-+
-+########################################
-+##
-+## Send a message to NetworkManager_dispatcher_custom
-+## over a unix domain datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_dispatcher_custom_dgram_send',`
-+ gen_require(`
-+ type NetworkManager_dispatcher_custom_t;
-+ ')
-+
-+ allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto;
-+')
diff --git a/fix_cloudform.patch b/fix_cloudform.patch
deleted file mode 100644
index cac7161..0000000
--- a/fix_cloudform.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/cloudform.te
-===================================================================
---- cloudform.te 2022-07-18 14:06:56.735383426 +0200
-+++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200
-@@ -81,6 +81,8 @@
-
- init_dbus_chat(cloud_init_t)
-
-+snapper_dbus_chat(cloud_init_t)
-+
- kernel_read_network_state(cloud_init_t)
-
- corenet_tcp_connect_http_port(cloud_init_t)
diff --git a/fix_colord.patch b/fix_colord.patch
deleted file mode 100644
index 763641f..0000000
--- a/fix_colord.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
-+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
-@@ -6,6 +6,8 @@
-
- /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
- /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-
- /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
-
-Index: fedora-policy-20211111/policy/modules/contrib/colord.te
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
-+++ fedora-policy-20211111/policy/modules/contrib/colord.te
-@@ -17,6 +17,7 @@ type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
- init_daemon_domain(colord_t, colord_exec_t)
-+init_nnp_daemon_domain(colord_t)
-
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
diff --git a/fix_container.patch b/fix_container.patch
deleted file mode 100644
index f54d046..0000000
--- a/fix_container.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/container.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/container.te
-+++ fedora-policy-20221019/policy/modules/services/container.te
-@@ -681,6 +681,8 @@ init_dbus_chat(spc_t)
- optional_policy(`
- systemd_dbus_chat_machined(spc_t)
- systemd_dbus_chat_logind(spc_t)
-+ systemd_dbus_chat_timedated(spc_t)
-+ systemd_dbus_chat_localed(spc_t)
- ')
-
- optional_policy(`
diff --git a/fix_corecommand.patch b/fix_corecommand.patch
deleted file mode 100644
index 60362f2..0000000
--- a/fix_corecommand.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Index: fedora-policy/policy/modules/kernel/corecommands.fc
-===================================================================
---- fedora-policy.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy/policy/modules/kernel/corecommands.fc
-@@ -86,7 +86,10 @@ ifdef(`distro_redhat',`
-
- /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-
--/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/netconfig.d/.* -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/mcelog/.*-error.*-trigger -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
-
-@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',`
- /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',`
-
- /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib'
-+/usr/lib/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
-
- /usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
- /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
- ')
-+/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_gentoo', `
- /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/fix_cron.patch b/fix_cron.patch
deleted file mode 100644
index 203162a..0000000
--- a/fix_cron.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -34,7 +34,7 @@
-
- /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/cron/tabs/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-
- /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <>
-@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+
-+/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/atjobs/[^/]* -- <>
- ')
-
- ifdef(`distro_debian',`
-@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- ')
--
--ifdef(`distro_redhat', `
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
--/var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
--')
-Index: fedora-policy-20221019/policy/modules/contrib/cron.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
-+++ fedora-policy-20221019/policy/modules/contrib/cron.if
-@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
- #
- interface(`cron_system_spool_entrypoint',`
- gen_require(`
-- attribute system_cron_spool_t;
-+ type system_cron_spool_t;
- ')
- allow $1 system_cron_spool_t:file entrypoint;
- ')
diff --git a/fix_dbus.patch b/fix_dbus.patch
deleted file mode 100644
index 00440bd..0000000
--- a/fix_dbus.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/dbus.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20221019/policy/modules/contrib/dbus.te
-@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
- manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
-+allow system_dbusd_t system_dbusd_tmp_t:file execute;
-
- manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
- manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
-@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd
- files_rw_inherited_non_security_files(system_dbusd_t)
- files_watch_usr_dirs(system_dbusd_t)
- files_watch_var_lib_dirs(system_dbusd_t)
-+# bsc#1205895
-+files_watch_lib_dirs(system_dbusd_t)
-
- fs_getattr_all_fs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
diff --git a/fix_djbdns.patch b/fix_djbdns.patch
deleted file mode 100644
index c3015b7..0000000
--- a/fix_djbdns.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/djbdns.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/djbdns.te 2019-08-05 09:39:48.641670181 +0200
-+++ fedora-policy/policy/modules/contrib/djbdns.te 2019-08-05 09:53:08.383084236 +0200
-@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
- allow djbdns_domain self:tcp_socket create_stream_socket_perms;
- allow djbdns_domain self:udp_socket create_socket_perms;
-
--corenet_all_recvfrom_unlabeled(djbdns_domain)
--corenet_all_recvfrom_netlabel(djbdns_domain)
--corenet_tcp_sendrecv_generic_if(djbdns_domain)
--corenet_udp_sendrecv_generic_if(djbdns_domain)
--corenet_tcp_sendrecv_generic_node(djbdns_domain)
--corenet_udp_sendrecv_generic_node(djbdns_domain)
--corenet_tcp_sendrecv_all_ports(djbdns_domain)
--corenet_udp_sendrecv_all_ports(djbdns_domain)
--corenet_tcp_bind_generic_node(djbdns_domain)
--corenet_udp_bind_generic_node(djbdns_domain)
--
--corenet_sendrecv_dns_server_packets(djbdns_domain)
--corenet_tcp_bind_dns_port(djbdns_domain)
--corenet_udp_bind_dns_port(djbdns_domain)
--
--corenet_sendrecv_dns_client_packets(djbdns_domain)
--corenet_tcp_connect_dns_port(djbdns_domain)
--
--corenet_sendrecv_generic_server_packets(djbdns_domain)
--corenet_tcp_bind_generic_port(djbdns_domain)
--corenet_udp_bind_generic_port(djbdns_domain)
--
- files_search_var(djbdns_domain)
-
- daemontools_ipc_domain(djbdns_axfrdns_t)
diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch
deleted file mode 100644
index 0471529..0000000
--- a/fix_dnsmasq.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-===================================================================
---- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
-+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
-
- miscfiles_read_public_files(dnsmasq_t)
-+sysnet_manage_config_dirs(dnsmasq_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
diff --git a/fix_dovecot.patch b/fix_dovecot.patch
deleted file mode 100644
index f88cff1..0000000
--- a/fix_dovecot.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
-+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
- /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- ')
-
-+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+
- #
- # /var
- #
diff --git a/fix_firewalld.patch b/fix_firewalld.patch
deleted file mode 100644
index 1e455b7..0000000
--- a/fix_firewalld.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
-+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
-@@ -131,6 +131,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ iptables_manage_var_lib_files(firewalld_t)
- iptables_domtrans(firewalld_t)
- iptables_read_var_run(firewalld_t)
- ')
-Index: fedora-policy-20211111/policy/modules/system/iptables.if
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/iptables.if
-+++ fedora-policy-20211111/policy/modules/system/iptables.if
-@@ -2,6 +2,25 @@
-
- ########################################
- ##
-+## Allow management of iptables_var_lib_t files
-+##
-+##
-+##
-+## Domain allowed to mange files
-+##
-+##
-+#
-+interface(`iptables_manage_var_lib_files',`
-+ gen_require(`
-+ type iptables_var_lib_t;
-+ ')
-+
-+ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+')
-+
-+########################################
-+##
- ## Execute iptables in the iptables domain.
- ##
- ##
diff --git a/fix_fwupd.patch b/fix_fwupd.patch
deleted file mode 100644
index 30bc0ae..0000000
--- a/fix_fwupd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/fwupd.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/fwupd.fc
-+++ fedora-policy/policy/modules/contrib/fwupd.fc
-@@ -4,6 +4,7 @@
- /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0)
-
- /usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-+/usr/lib/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-
- /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
- /var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
diff --git a/fix_geoclue.patch b/fix_geoclue.patch
deleted file mode 100644
index 0d05684..0000000
--- a/fix_geoclue.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/geoclue.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/geoclue.fc
-+++ fedora-policy/policy/modules/contrib/geoclue.fc
-@@ -1,4 +1,4 @@
--
-+/usr/lib/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
- /usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
-
- /var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch
deleted file mode 100644
index 3cac649..0000000
--- a/fix_hypervkvp.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
-+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-@@ -3,8 +3,10 @@
- /usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
-
- /usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- /usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-
- /usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-
- /var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/fix_init.patch b/fix_init.patch
deleted file mode 100644
index 29df1c9..0000000
--- a/fix_init.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
- corenet_all_recvfrom_netlabel(init_t)
- corenet_tcp_bind_all_ports(init_t)
- corenet_udp_bind_all_ports(init_t)
-+corenet_udp_bind_generic_node(init_t)
-+corenet_tcp_bind_generic_node(init_t)
-
- dev_create_all_files(init_t)
- dev_create_all_chr_files(init_t)
-@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
- logging_create_syslog_netlink_audit_socket(init_t)
- logging_write_var_log_dirs(init_t)
- logging_manage_var_log_symlinks(init_t)
-+logging_dgram_accept(init_t)
-
- seutil_read_config(init_t)
- seutil_read_login_config(init_t)
-@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
- corecmd_shell_domtrans(init_t, initrc_t)
-
- storage_raw_rw_fixed_disk(init_t)
-+storage_raw_read_removable_device(init_t)
-
- sysnet_read_dhcpc_state(init_t)
-
-+# bsc#1197610, find a better, generic solution
-+optional_policy(`
-+ mta_getattr_spool(init_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_initrc_read_lnk_files(init_t)
-+')
-+
- optional_policy(`
- anaconda_stream_connect(init_t)
- anaconda_create_unix_stream_sockets(init_t)
-@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
- allow init_t self:system all_system_perms;
- allow init_t self:system module_load;
- allow init_t self:unix_dgram_socket { create_socket_perms sendto };
--allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
-+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
- allow init_t self:process { getcap setcap };
- allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
--allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow init_t self:netlink_selinux_socket create_socket_perms;
- allow init_t self:unix_dgram_socket lock;
- # Until systemd is fixed
-@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
- files_create_var_lib_dirs(init_t)
- files_create_var_lib_symlinks(init_t)
- files_read_var_lib_symlinks(init_t)
-+files_read_var_files(init_t)
- files_manage_urandom_seed(init_t)
- files_list_locks(init_t)
- files_list_spool(init_t)
-@@ -684,7 +698,7 @@ fs_list_all(init_t)
- fs_list_auto_mountpoints(init_t)
- fs_register_binary_executable_type(init_t)
- fs_relabel_tmpfs_sock_file(init_t)
--fs_rw_tmpfs_files(init_t)
-+fs_rw_tmpfs_files(init_t)
- fs_relabel_cgroup_dirs(init_t)
- fs_search_cgroup_dirs(init_t)
- # for network namespaces
-@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
- create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-
- create_dirs_pattern(init_t, var_log_t, var_log_t)
-+files_manage_var_files(init_t)
-
- auth_use_nsswitch(init_t)
- auth_rw_login_records(init_t)
-@@ -1596,6 +1611,8 @@ optional_policy(`
-
- optional_policy(`
- postfix_list_spool(initrc_t)
-+ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
-+ postfix_domtrans_map(init_t)
- ')
-
- optional_policy(`
diff --git a/fix_ipsec.patch b/fix_ipsec.patch
deleted file mode 100644
index 42486de..0000000
--- a/fix_ipsec.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/ipsec.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/ipsec.te
-+++ fedora-policy-20221019/policy/modules/system/ipsec.te
-@@ -87,6 +87,7 @@ allow ipsec_t self:tcp_socket create_str
- allow ipsec_t self:udp_socket create_socket_perms;
- allow ipsec_t self:packet_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
-+allow ipsec_t self:alg_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
- allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-@@ -269,6 +270,7 @@ allow ipsec_mgmt_t self:unix_stream_sock
- allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:udp_socket create_socket_perms;
- allow ipsec_mgmt_t self:key_socket create_socket_perms;
-+allow ipsec_mgmt_t self:alg_socket create_socket_perms;
- allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
- allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
- allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
diff --git a/fix_iptables.patch b/fix_iptables.patch
deleted file mode 100644
index bb149fd..0000000
--- a/fix_iptables.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/iptables.te
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/iptables.te
-+++ fedora-policy-20220428/policy/modules/system/iptables.te
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
- kernel_use_fds(iptables_t)
- kernel_rw_net_sysctls(iptables_t)
-+kernel_rw_pipes(iptables_t)
- kernel_search_network_sysctl(iptables_t)
-
-
diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch
deleted file mode 100644
index 3760aa3..0000000
--- a/fix_irqbalance.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/irqbalance.te
-+++ fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-@@ -24,7 +24,7 @@ files_pid_file(irqbalance_var_run_t)
- allow irqbalance_t self:capability { setpcap net_admin };
- dontaudit irqbalance_t self:capability sys_tty_config;
- allow irqbalance_t self:process { getcap getsched setcap signal_perms };
--allow irqbalance_t self:udp_socket create_socket_perms;
-+allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms;
-
- manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
- manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
diff --git a/fix_java.patch b/fix_java.patch
deleted file mode 100644
index f1f2358..0000000
--- a/fix_java.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/java.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/java.te 2019-08-05 13:50:32.925673660 +0200
-+++ fedora-policy/policy/modules/contrib/java.te 2019-08-05 14:06:51.896425229 +0200
-@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
- attribute_role unconfined_java_roles;
-
- type java_t, java_domain;
-+typealias java_t alias java_domain_t;
- type java_exec_t;
- userdom_user_application_domain(java_t, java_exec_t)
- typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
-@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
- kernel_read_all_sysctls(java_domain)
- kernel_search_vm_sysctl(java_domain)
- kernel_read_network_state(java_domain)
--kernel_read_system_state(java_domain)
-
- corecmd_search_bin(java_domain)
-
--corenet_all_recvfrom_unlabeled(java_domain)
--corenet_all_recvfrom_netlabel(java_domain)
--corenet_tcp_sendrecv_generic_if(java_domain)
--corenet_tcp_sendrecv_generic_node(java_domain)
--
--corenet_sendrecv_all_client_packets(java_domain)
--corenet_tcp_connect_all_ports(java_domain)
--corenet_tcp_sendrecv_all_ports(java_domain)
--
- dev_read_sound(java_domain)
- dev_write_sound(java_domain)
- dev_read_urand(java_domain)
-@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
- fs_getattr_all_fs(java_domain)
- fs_dontaudit_rw_tmpfs_files(java_domain)
-
--logging_send_syslog_msg(java_domain)
--
- miscfiles_read_localization(java_domain)
- miscfiles_read_fonts(java_domain)
-
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
deleted file mode 100644
index 4769ca5..0000000
--- a/fix_kernel_sysctl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
- /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0)
-
- /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t)
- logging_send_syslog_msg(systemd_sysctl_t)
-
- systemd_read_efivarfs(systemd_sysctl_t)
-+# kernel specific sysctl.conf may be in modules dir
-+allow systemd_sysctl_t modules_object_t:dir search;
-
- #######################################
- #
diff --git a/fix_libraries.patch b/fix_libraries.patch
deleted file mode 100644
index a6a228f..0000000
--- a/fix_libraries.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20210419/policy/modules/system/libraries.fc
-@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
-
- /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
-+/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0)
-+
- /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/fix_locallogin.patch b/fix_locallogin.patch
deleted file mode 100644
index cdee73c..0000000
--- a/fix_locallogin.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/locallogin.te
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20220624/policy/modules/system/locallogin.te
-@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
- kernel_search_key(local_login_t)
- kernel_link_key(local_login_t)
-+kernel_getattr_proc(local_login_t)
-
- corecmd_list_bin(local_login_t)
- corecmd_read_bin_symlinks(local_login_t)
-@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
- auth_use_nsswitch(local_login_t)
-+auth_read_shadow(local_login_t)
-
- init_dontaudit_use_fds(local_login_t)
- init_stream_connect(local_login_t)
diff --git a/fix_logging.patch b/fix_logging.patch
deleted file mode 100644
index 8a74cb7..0000000
--- a/fix_logging.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/logging.fc
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20220624/policy/modules/system/logging.fc
-@@ -3,6 +3,8 @@
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-+/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20220624/policy/modules/system/logging.if
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/logging.if
-+++ fedora-policy-20220624/policy/modules/system/logging.if
-@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',`
-
- allow $1 syslogd_t:unix_dgram_socket sendto;
- ')
-+
-+########################################
-+##
-+## Accept a message to syslogd over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_dgram_accept',`
-+ gen_require(`
-+ type syslogd_t;
-+ ')
-+
-+ allow $1 syslogd_t:unix_dgram_socket accept;
-+')
diff --git a/fix_logrotate.patch b/fix_logrotate.patch
deleted file mode 100644
index 7cb2f23..0000000
--- a/fix_logrotate.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
-
- kernel_read_system_state(logrotate_t)
- kernel_read_kernel_sysctls(logrotate_t)
-+files_manage_mounttab(logrotate_t)
-
- dev_read_urand(logrotate_t)
- dev_read_sysfs(logrotate_t)
diff --git a/fix_mcelog.patch b/fix_mcelog.patch
deleted file mode 100644
index 66c37cf..0000000
--- a/fix_mcelog.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/mcelog.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/mcelog.te
-+++ fedora-policy/policy/modules/contrib/mcelog.te
-@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t)
- # Local policy
- #
-
--allow mcelog_t self:capability sys_admin;
-+allow mcelog_t self:capability { sys_admin setgid };
- allow mcelog_t self:unix_stream_socket connected_socket_perms;
-
- allow mcelog_t mcelog_etc_t:dir list_dir_perms;
diff --git a/fix_miscfiles.patch b/fix_miscfiles.patch
deleted file mode 100644
index 9a954e0..0000000
--- a/fix_miscfiles.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/system/miscfiles.fc
-===================================================================
---- fedora-policy.orig/policy/modules/system/miscfiles.fc 2019-08-05 09:39:39.117510678 +0200
-+++ fedora-policy/policy/modules/system/miscfiles.fc 2019-08-22 12:44:01.678484113 +0200
-@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/var/lib/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
diff --git a/fix_nagios.patch b/fix_nagios.patch
deleted file mode 100644
index 08fdbf0..0000000
--- a/fix_nagios.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nagios.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.fc
-+++ fedora-policy/policy/modules/contrib/nagios.fc
-@@ -24,6 +24,7 @@
- /var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-
- /var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+/var/lib/nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-
- /var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
-
-Index: fedora-policy/policy/modules/contrib/nagios.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.te
-+++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
- manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
-
- kernel_read_system_state(nagios_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
deleted file mode 100644
index 85dc9f3..0000000
--- a/fix_networkmanager.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_
- sysnet_manage_config(NetworkManager_t)
- sysnet_filetrans_named_content(NetworkManager_t)
- sysnet_filetrans_net_conf(NetworkManager_t)
-+sysnet_watch_config(NetworkManager_t)
-
- systemd_login_watch_pid_dirs(NetworkManager_t)
- systemd_login_watch_session_dirs(NetworkManager_t)
-@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t
- userdom_read_user_home_content_files(NetworkManager_t)
- userdom_dgram_send(NetworkManager_t)
-
-+hostname_exec(NetworkManager_t)
-+networkmanager_systemctl(NetworkManager_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(NetworkManager_t)
- ')
-@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',`
- ')
-
- optional_policy(`
-+ nis_systemctl_ypbind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- avahi_domtrans(NetworkManager_t)
- avahi_kill(NetworkManager_t)
- avahi_signal(NetworkManager_t)
-@@ -292,6 +300,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ packagekit_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
- bind_domtrans(NetworkManager_t)
- bind_manage_cache(NetworkManager_t)
- bind_kill(NetworkManager_t)
-@@ -419,6 +435,8 @@ optional_policy(`
- nscd_kill(NetworkManager_t)
- nscd_initrc_domtrans(NetworkManager_t)
- nscd_systemctl(NetworkManager_t)
-+ nscd_socket_use(NetworkManager_dispatcher_tlp_t)
-+ nscd_socket_use(NetworkManager_dispatcher_custom_t)
- ')
-
- optional_policy(`
-@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di
-
- init_status(NetworkManager_dispatcher_cloud_t)
- init_status(NetworkManager_dispatcher_ddclient_t)
-+init_status(NetworkManager_dispatcher_custom_t)
- init_append_stream_sockets(networkmanager_dispatcher_plugin)
- init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
- init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -621,6 +640,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
-+')
-+
-+optional_policy(`
- cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
- ')
-
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- ')
-
-+#######################################
-+##
-+## Allow reading of NetworkManager link files
-+##
-+##
-+##
-+## Domain allowed to read the links
-+##
-+##
-+#
-+interface(`networkmanager_initrc_read_lnk_files',`
-+ gen_require(`
-+ type NetworkManager_initrc_exec_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute NetworkManager server in the NetworkManager domain.
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-@@ -24,6 +24,7 @@
- /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
-+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
-@@ -37,6 +38,9 @@
-
- /usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
- /usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
-+# bsc#1206355
-+/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
-+/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
-
- /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --git a/fix_nis.patch b/fix_nis.patch
deleted file mode 100644
index 117562c..0000000
--- a/fix_nis.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nis.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nis.te
-+++ fedora-policy/policy/modules/contrib/nis.te
-@@ -78,6 +78,7 @@ manage_files_pattern(ypbind_t, ypbind_va
- files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
-
- manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
-+manage_dirs_pattern(ypbind_t, var_yp_t, var_yp_t)
-
- kernel_read_system_state(ypbind_t)
- kernel_read_kernel_sysctls(ypbind_t)
diff --git a/fix_nscd.patch b/fix_nscd.patch
deleted file mode 100644
index 56a7c50..0000000
--- a/fix_nscd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
-@@ -8,8 +8,10 @@
- /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
-
- /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
--/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/run/nscd/socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-+/var/lib/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-+
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
- userdom_dontaudit_search_user_home_dirs(nscd_t)
-
- optional_policy(`
-+ networkmanager_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
- accountsd_dontaudit_rw_fifo_file(nscd_t)
- ')
-
diff --git a/fix_ntp.patch b/fix_ntp.patch
deleted file mode 100644
index b444775..0000000
--- a/fix_ntp.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/ntp.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/ntp.fc 2020-02-21 15:59:23.349556504 +0000
-+++ fedora-policy/policy/modules/contrib/ntp.fc 2020-02-21 16:01:41.591761350 +0000
-@@ -16,7 +16,6 @@
-
- /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-
--/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-
-@@ -25,3 +24,26 @@
- /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-
- /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
-+
-+/var/lib/ntp gen_context(system_u:object_r:root_t,s0)
-+/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0)
-+/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0)
-+/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/var gen_context(system_u:object_r:var_t,s0)
-+/var/lib/ntp/var/lib gen_context(system_u:object_r:var_lib_t,s0)
-+/var/lib/ntp/var/run gen_context(system_u:object_r:var_run_t,s0)
-+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/fix_openvpn.patch b/fix_openvpn.patch
deleted file mode 100644
index 3acf3e5..0000000
--- a/fix_openvpn.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/openvpn.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/openvpn.te
-+++ fedora-policy/policy/modules/contrib/openvpn.te
-@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal
- ##
- gen_tunable(openvpn_can_network_connect, true)
-
-+##
-+##
-+## Determine whether openvpn can
-+## change sysctl values (e.g. rp_filter)
-+##
-+##
-+gen_tunable(openvpn_allow_changing_sysctls, false)
-+
- attribute_role openvpn_roles;
-
- type openvpn_t;
-@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t
- userdom_read_inherited_user_tmp_files(openvpn_t)
- userdom_read_inherited_user_home_content_files(openvpn_t)
-
-+tunable_policy(`openvpn_allow_changing_sysctls',`
-+ kernel_rw_net_sysctls(openvpn_t)
-+')
-+
- tunable_policy(`openvpn_enable_homedirs',`
- userdom_search_user_home_dirs(openvpn_t)
- ')
-@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(openvpn_t)
-+')
-+
-+optional_policy(`
- brctl_domtrans(openvpn_t)
- ')
-
diff --git a/fix_postfix.patch b/fix_postfix.patch
deleted file mode 100644
index 9b7fb86..0000000
--- a/fix_postfix.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,21 @@
- # postfix
--/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
--/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
--/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
--ifdef(`distro_redhat', `
--/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
--/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
--/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
--/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
--/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
--/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
--/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
--/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
--/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
--', `
--/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
--/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
--/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
--/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
--/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
--/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
--/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
--/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
--/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--')
-+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-+/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-+/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-+/usr/lib/postfix/bin/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-+/usr/lib/postfix/bin/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-+/usr/lib/postfix/bin/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-+/usr/lib/postfix/bin/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-+/usr/lib/postfix/bin/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
- /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
- /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
- /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-
-+/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/etc/postfix/system/update_postmaps -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
-+
- /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-
- /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
--/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
-+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
- /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
- /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
-@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
- mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-+# SUSE also runs this on /etc/alias
-+mta_filetrans_aliases(postfix_master_t, etc_t)
-
- can_exec(postfix_master_t, postfix_exec_t)
-
-@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
-
- userdom_use_inherited_user_ptys(postfix_map_t)
-
-+corecmd_exec_bin(postfix_map_t)
-+allow postfix_map_t postfix_map_exec_t:file execute_no_trans;
-+init_ioctl_stream_sockets(postfix_map_t)
-+
-+optional_policy(`
-+ mta_read_aliases(postfix_map_t)
-+')
-+
- optional_policy(`
- locallogin_dontaudit_use_fds(postfix_map_t)
- ')
-@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
- files_search_all_mountpoints(postfix_smtp_t)
-
- optional_policy(`
-+ networkmanager_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
- cyrus_stream_connect(postfix_smtp_t)
- cyrus_runtime_stream_connect(postfix_smtp_t)
- ')
diff --git a/fix_rpm.patch b/fix_rpm.patch
deleted file mode 100644
index 67cf3c4..0000000
--- a/fix_rpm.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -18,6 +18,10 @@
- /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
-+/usr/sbin/zypp-refresh -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/zypper -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+
-+
- /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -56,6 +60,8 @@ ifdef(`distro_redhat', `
- /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-
-+/var/cache/zypp(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+
- /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.if
-@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
- logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
- logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
- logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
-+ logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log")
- files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
- files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
-+ files_var_filetrans($1, rpm_var_cache_t, dir, "zypp")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
- /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
- /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/zypp(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
- /etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-
- /ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
diff --git a/fix_screen.patch b/fix_screen.patch
deleted file mode 100644
index efc3cdb..0000000
--- a/fix_screen.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/screen.if
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.if
-+++ fedora-policy/policy/modules/contrib/screen.if
-@@ -45,6 +45,7 @@ template(`screen_role_template',`
-
- userdom_list_user_home_dirs($1_screen_t)
- userdom_home_reader($1_screen_t)
-+ userdom_read_user_home_content_symlinks($1_screen_t)
-
- domtrans_pattern($3, screen_exec_t, $1_screen_t)
- allow $3 $1_screen_t:process { signal sigchld };
-Index: fedora-policy/policy/modules/contrib/screen.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.fc
-+++ fedora-policy/policy/modules/contrib/screen.fc
-@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
-
- /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-+/var/run/uscreens(/.*)?' gen_context(system_u:object_r:screen_var_run_t,s0)
- /var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch
deleted file mode 100644
index 84e87ac..0000000
--- a/fix_selinuxutil.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te
-@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ packagekit_read_write_fifo(load_policy_t)
-+')
-+
-+optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
-
-@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
-
- optional_policy(`
-+ packagekit_read_write_fifo(setfiles_t)
-+')
-+
-+optional_policy(`
- cloudform_dontaudit_write_cloud_log(setfiles_t)
- ')
-
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if
-@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
-
- dontaudit $1 selinux_config_t:dir search_dir_perms;
- dontaudit $1 selinux_config_t:file read_file_perms;
-+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
-+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
diff --git a/fix_sendmail.patch b/fix_sendmail.patch
deleted file mode 100644
index c3fbc09..0000000
--- a/fix_sendmail.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-@@ -1,8 +1,9 @@
-
- /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+/etc/mail/system/sm-client.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-
- /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
-
--/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-+/var/run/sendmail(/.*)? gen_context(system_u:object_r:sendmail_var_run_t,s0)
- /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
-@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
- manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
- files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
-
--allow sendmail_t sendmail_var_run_t:file manage_file_perms;
--files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
-+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+files_pid_filetrans(sendmail_t, sendmail_var_run_t, { file dir })
-
- kernel_read_network_state(sendmail_t)
- kernel_read_kernel_sysctls(sendmail_t)
diff --git a/fix_smartmon.patch b/fix_smartmon.patch
deleted file mode 100644
index 3d965d9..0000000
--- a/fix_smartmon.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/smartmon.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/smartmon.fc
-+++ fedora-policy/policy/modules/contrib/smartmon.fc
-@@ -5,3 +5,4 @@
- /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
-
- /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
-+/var/lib/smartmontools/smartd_opts -- gen_context(system_u:object_r:etc_t,s0)
diff --git a/fix_snapper.patch b/fix_snapper.patch
deleted file mode 100644
index 045bc12..0000000
--- a/fix_snapper.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
-@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
- type snapperd_data_t;
- files_type(snapperd_data_t)
-
-+type snapperd_tmp_t;
-+files_tmp_file(snapperd_tmp_t)
-+
- ########################################
- #
- # snapperd local policy
-@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r
- allow snapperd_t snapperd_data_t:file relabelfrom;
- snapper_filetrans_named_content(snapperd_t)
-
-+allow snapperd_t snapperd_tmp_t:file manage_file_perms;
-+allow snapperd_t snapperd_tmp_t:dir manage_dir_perms;
-+files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir })
-+
- kernel_setsched(snapperd_t)
-
- domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
- auth_use_nsswitch(snapperd_t)
-
- optional_policy(`
-+ packagekit_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(snapperd_t, snapperd_exec_t)
- ')
-
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
-@@ -7,9 +7,17 @@
-
- /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
-
--/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+
-+# ensure that the snapshots itself aren't relabled
-+/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
-+/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/usr/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/var/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/etc/\.snapshots/[^/]*/snapshot(/.*)? <>
-+HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
diff --git a/fix_sslh.patch b/fix_sslh.patch
deleted file mode 100644
index 5a6e49a..0000000
--- a/fix_sslh.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/sslh.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.te
-+++ fedora-policy/policy/modules/contrib/sslh.te
-@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals
- type sslh_t;
- type sslh_exec_t;
- init_daemon_domain(sslh_t, sslh_exec_t)
-+init_nnp_daemon_domain(sslh_t)
-
- type sslh_config_t;
- files_config_file(sslh_config_t)
-@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por
- # allow sslh to connect to any port
- corenet_tcp_sendrecv_all_ports(sslh_t)
- corenet_tcp_connect_all_ports(sslh_t)
-+ corenet_tcp_connect_all_ports(sslh_t)
- ')
-
- tunable_policy(`sslh_can_bind_any_port',`
-Index: fedora-policy/policy/modules/contrib/sslh.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.fc
-+++ fedora-policy/policy/modules/contrib/sslh.fc
-@@ -4,6 +4,8 @@
- /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
- /etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/conf\.d/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/default/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
- /var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0)
diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch
deleted file mode 100644
index 81fb138..0000000
--- a/fix_sysnetwork.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-@@ -33,9 +33,9 @@ ifdef(`distro_debian',`
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
- ifdef(`distro_redhat',`
--/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
--/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
-
-+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+
- /var/run/netns -d gen_context(system_u:object_r:ifconfig_var_run_t,s0)
- /var/run/netns/[^/]+ <>
-
diff --git a/fix_systemd.patch b/fix_systemd.patch
deleted file mode 100644
index 1576754..0000000
--- a/fix_systemd.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
- xserver_dbus_chat(systemd_logind_t)
-
- optional_policy(`
-+ packagekit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- apache_read_tmp_files(systemd_logind_t)
- ')
-
-@@ -863,6 +867,10 @@ optional_policy(`
- dbus_system_bus_client(systemd_localed_t)
- ')
-
-+optional_policy(`
-+ nscd_unconfined(systemd_hostnamed_t)
-+')
-+
- #######################################
- #
- # Hostnamed policy
-@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
- # systemd_gpt_generator domain
- #
-
--allow systemd_gpt_generator_t self:capability sys_rawio;
-+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
- allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- dev_read_sysfs(systemd_gpt_generator_t)
-@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
- systemd_create_unit_file_dirs(systemd_gpt_generator_t)
- systemd_create_unit_file_lnk(systemd_gpt_generator_t)
-
-+kernel_dgram_send(systemd_gpt_generator_t)
-+
- optional_policy(`
- udev_read_pid_files(systemd_gpt_generator_t)
- ')
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
deleted file mode 100644
index 530f381..0000000
--- a/fix_systemd_watch.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
- storage_getattr_fixed_disk_dev(systemd_sleep_t)
- storage_getattr_removable_dev(systemd_sleep_t)
-
-+#######################################
-+#
-+# Allow systemd to watch certificate dir for ca-certificates
-+#
-+watch_dirs_pattern(init_t,cert_t,cert_t)
-+
- optional_policy(`
- sysstat_domtrans(systemd_sleep_t)
- ')
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
deleted file mode 100644
index 159afc4..0000000
--- a/fix_thunderbird.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
- optional_policy(`
- gnome_stream_connect_gconf(thunderbird_t)
- gnome_domtrans_gconfd(thunderbird_t)
-- gnome_manage_generic_home_content(thunderbird_t)
- ')
-
- optional_policy(`
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
deleted file mode 100644
index 815055b..0000000
--- a/fix_unconfined.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
-@@ -1,5 +1,10 @@
- policy_module(unconfined, 3.5.0)
-
-+require {
-+ type var_run_t;
-+ type net_conf_t;
-+}
-+
- ########################################
- #
- # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
- optional_policy(`
- container_runtime_domtrans(unconfined_service_t)
- ')
-+
-+filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
-+
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
deleted file mode 100644
index 017c8f7..0000000
--- a/fix_unconfineduser.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
-@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
- domain_dyntrans(unconfined_t)
- ')
-
-+# FIXME this is probably caused by some wierd PAM interaction
-+corecmd_entrypoint_all_executables(unconfined_t)
-+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
-+files_execmod_tmp(unconfined_t)
-+
- optional_policy(`
- gen_require(`
- type unconfined_t;
-@@ -214,6 +219,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_system_spool_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
- chrome_role_notrans(unconfined_r, unconfined_t)
-
- tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -248,6 +257,18 @@ optional_policy(`
- dbus_stub(unconfined_t)
-
- optional_policy(`
-+ accountsd_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
deleted file mode 100644
index 70fe21e..0000000
--- a/fix_unprivuser.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ rtorrent_role(user_r, user_t)
-+ # needed for tunable rtorrent_send_mails
-+ mta_role_access_system_mail(user_r)
-+')
-+
-+
-+optional_policy(`
- vmtools_run_helper(user_t, user_r)
- ')
-
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
deleted file mode 100644
index 6691ad8..0000000
--- a/fix_userdomain.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/userdomain.if
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
-+++ fedora-policy-20220624/policy/modules/system/userdomain.if
-@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
-
- # port access is audited even if dac would not have allowed it, so dontaudit it here
- # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
- corenet_tcp_bind_generic_node($1_usertype)
diff --git a/fix_usermanage.patch b/fix_usermanage.patch
deleted file mode 100644
index a7d1bee..0000000
--- a/fix_usermanage.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
-@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
- allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
- allow groupadd_t self:unix_dgram_socket sendto;
- allow groupadd_t self:unix_stream_socket connectto;
-+allow groupadd_t self:netlink_selinux_socket create_socket_perms;
-
- fs_getattr_xattr_fs(groupadd_t)
- fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
- allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
-+allow useradd_t self:netlink_selinux_socket create_socket_perms;
-
- manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
- manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
-
-+selinux_compute_access_vector(useradd_t)
-+
- corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
diff --git a/fix_wine.patch b/fix_wine.patch
deleted file mode 100644
index 17698f2..0000000
--- a/fix_wine.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20220428/policy/modules/system/libraries.fc
-@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
- /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
- /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
- /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-
- /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
--/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
diff --git a/fix_xserver.patch b/fix_xserver.patch
deleted file mode 100644
index a8fd6e8..0000000
--- a/fix_xserver.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
- /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-+/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-
-@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
-
- /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)
-
- /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
-
-+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
- ifndef(`distro_debian',`
- /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
- ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
- /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-
- /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
- /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-
- /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
-
- kernel_read_vm_sysctls(xdm_t)
-
-+files_manage_generic_pids_symlinks(xdm_t)
-+userdom_manage_user_home_content_dirs(xdm_t)
-+userdom_manage_user_home_content_files(xdm_t)
-+
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
- can_exec(xdm_t, xsession_exec_t)
diff --git a/packagekit.fc b/packagekit.fc
deleted file mode 100644
index b004ae0..0000000
--- a/packagekit.fc
+++ /dev/null
@@ -1,44 +0,0 @@
-/usr/lib/systemd/system/packagekit.* -- gen_context(system_u:object_r:packagekit_unit_file_t,s0)
-
-/usr/bin/packagekit -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)
-
-/usr/bin/pkcon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/bin/pkmon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekit-direct -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekitd -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/pk-offline-update -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/etc/PackageKit
-#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-#/usr/lib/tmpfiles.d
-#/usr/lib/tmpfiles.d/PackageKit.conf
-#/usr/lib64/packagekit-backend
-#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
-#/usr/sbin/rcpackagekit
-#/usr/sbin/rcpackagekit-offline-update
-#/usr/share/PackageKit
-#/usr/share/PackageKit/helpers
-#/usr/share/PackageKit/helpers/test_spawn
-#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
-#/usr/share/PackageKit/packagekit-background.sh
-#/usr/share/PackageKit/pk-upgrade-distro.sh
-#/usr/share/PackageKit/transactions.db
-#/usr/share/bash-completion/completions/pkcon
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
-#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
-#/usr/share/doc/packages/PackageKit
-#/usr/share/doc/packages/PackageKit/AUTHORS
-#/usr/share/doc/packages/PackageKit/HACKING
-#/usr/share/doc/packages/PackageKit/NEWS
-#/usr/share/doc/packages/PackageKit/README
-#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
-#/usr/share/licenses/PackageKit
-#/usr/share/licenses/PackageKit/COPYING
-#/usr/share/man/man1/pkcon.1.gz
-#/usr/share/man/man1/pkmon.1.gz
-#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
-#/var/cache/PackageKit
-
diff --git a/packagekit.if b/packagekit.if
deleted file mode 100644
index a9d1918..0000000
--- a/packagekit.if
+++ /dev/null
@@ -1,40 +0,0 @@
-## A temporary policy for packagekit.
-
-########################################
-##
-## Allow reading of fifo files
-##
-##
-##
-## Domain allowed to mange files
-##
-##
-#
-interface(`packagekit_read_write_fifo',`
- gen_require(`
- type packagekit_t;
- ')
-
- allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-##
-## Send and receive messages from
-## packagekit over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`packagekit_dbus_chat',`
- gen_require(`
- type packagekit_t;
- class dbus send_msg;
- ')
-
- allow $1 packagekit_t:dbus send_msg;
- allow packagekit_t $1:dbus send_msg;
-')
diff --git a/packagekit.te b/packagekit.te
deleted file mode 100644
index 090ccb7..0000000
--- a/packagekit.te
+++ /dev/null
@@ -1,38 +0,0 @@
-policy_module(packagekit,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type packagekit_t;
-type packagekit_exec_t;
-init_daemon_domain(packagekit_t,packagekit_exec_t)
-
-type packagekit_unit_file_t;
-systemd_unit_file(packagekit_unit_file_t)
-
-type packagekit_var_lib_t;
-files_type(packagekit_var_lib_t)
-
-unconfined_dbus_chat(packagekit_t)
-init_dbus_chat(packagekit_t)
-optional_policy(`
- policykit_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- unconfined_domain(packagekit_t)
-')
-
-optional_policy(`
- snapper_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- systemd_dbus_chat_logind(packagekit_t)
-')
-
-optional_policy(`
- rpm_transition_script(packagekit_t,system_r)
-')
diff --git a/rebootmgr.fc b/rebootmgr.fc
deleted file mode 100644
index 156f78f..0000000
--- a/rebootmgr.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)
diff --git a/rebootmgr.if b/rebootmgr.if
deleted file mode 100644
index bb42f80..0000000
--- a/rebootmgr.if
+++ /dev/null
@@ -1,61 +0,0 @@
-
-## policy for rebootmgr
-
-########################################
-##
-## Execute rebootmgr_exec_t in the rebootmgr domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rebootmgr_domtrans',`
- gen_require(`
- type rebootmgr_t, rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-##
-## Execute rebootmgr in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_exec',`
- gen_require(`
- type rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## rebootmgr over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_dbus_chat',`
- gen_require(`
- type rebootmgr_t;
- class dbus send_msg;
- ')
-
- allow $1 rebootmgr_t:dbus send_msg;
- allow rebootmgr_t $1:dbus send_msg;
-')
diff --git a/rebootmgr.te b/rebootmgr.te
deleted file mode 100644
index 4b4e6ab..0000000
--- a/rebootmgr.te
+++ /dev/null
@@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
- dbus_system_bus_client(rebootmgr_t)
- dbus_connect_system_bus(rebootmgr_t)
-')
diff --git a/rtorrent.fc b/rtorrent.fc
deleted file mode 100644
index 562f8ad..0000000
--- a/rtorrent.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/rtorrent.if b/rtorrent.if
deleted file mode 100644
index 9ea4193..0000000
--- a/rtorrent.if
+++ /dev/null
@@ -1,95 +0,0 @@
-
-## policy for rtorrent
-
-########################################
-##
-## Execute rtorrent_exec_t in the rtorrent domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rtorrent_domtrans',`
- gen_require(`
- type rtorrent_t, rtorrent_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
-')
-
-######################################
-##
-## Execute rtorrent in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rtorrent_exec',`
- gen_require(`
- type rtorrent_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rtorrent_exec_t)
-')
-
-########################################
-##
-## Execute rtorrent in the rtorrent domain, and
-## allow the specified role the rtorrent domain.
-##
-##
-##
-## Domain allowed to transition
-##
-##
-##
-##
-## The role to be allowed the rtorrent domain.
-##
-##
-#
-interface(`rtorrent_run',`
- gen_require(`
- type rtorrent_t;
- attribute_role rtorrent_roles;
- ')
-
- rtorrent_domtrans($1)
- roleattribute $2 rtorrent_roles;
-')
-
-########################################
-##
-## Role access for rtorrent
-##
-##
-##
-## Role allowed access
-##
-##
-##
-##
-## User domain for the role
-##
-##
-#
-interface(`rtorrent_role',`
- gen_require(`
- type rtorrent_t;
- attribute_role rtorrent_roles;
- ')
-
- roleattribute $1 rtorrent_roles;
-
- rtorrent_domtrans($2)
-
- ps_process_pattern($2, rtorrent_t)
- allow $2 rtorrent_t:process { signull signal sigkill };
-')
diff --git a/rtorrent.te b/rtorrent.te
deleted file mode 100644
index 996f7a7..0000000
--- a/rtorrent.te
+++ /dev/null
@@ -1,101 +0,0 @@
-policy_module(rtorrent, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-##
-##
-## Allow rtorrent to use send mails
-##
-##
-gen_tunable(rtorrent_send_mails, false)
-
-##
-##
-## Enable necessary permissions for rutorrent
-##
-##
-gen_tunable(rtorrent_enable_rutorrent, false)
-
-##
-##
-## Allow rtorrent to execute helper scripts in home directories
-##
-##
-gen_tunable(rtorrent_exec_scripts, false)
-
-attribute_role rtorrent_roles;
-roleattribute system_r rtorrent_roles;
-
-type rtorrent_t;
-type rtorrent_exec_t;
-application_domain(rtorrent_t, rtorrent_exec_t)
-role rtorrent_roles types rtorrent_t;
-
-########################################
-#
-# rtorrent local policy
-#
-allow rtorrent_t self:process { fork signal_perms };
-
-allow rtorrent_t self:fifo_file manage_fifo_file_perms;
-allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rtorrent_t)
-
-files_read_etc_files(rtorrent_t)
-
-miscfiles_read_localization(rtorrent_t)
-
-sysnet_dns_name_resolve(rtorrent_t)
-
-optional_policy(`
- gen_require(`
- type staff_t;
- role staff_r;
- ')
-
- rtorrent_run(staff_t, staff_r)
-')
-
-type rtorrent_port_t;
-corenet_port(rtorrent_port_t)
-allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
-
-userdom_read_user_home_content_symlinks(rtorrent_t)
-userdom_manage_user_home_content_files(rtorrent_t)
-userdom_manage_user_home_content_dirs(rtorrent_t)
-
-allow rtorrent_t self:tcp_socket { accept listen };
-
-corenet_tcp_connect_all_ports(rtorrent_t)
-
-fs_getattr_xattr_fs(rtorrent_t)
-
-userdom_use_inherited_user_terminals(rtorrent_t)
-# this might be to much
-userdom_home_manager(rtorrent_t)
-userdom_filetrans_home_content(rtorrent_t)
-
-optional_policy(`
- tunable_policy(`rtorrent_send_mails',`
- userdom_exec_user_bin_files(rtorrent_t)
- userdom_exec_user_home_content_files(rtorrent_t)
- files_manage_generic_tmp_files(rtorrent_t)
- mta_send_mail(rtorrent_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`rtorrent_enable_rutorrent',`
- apache_manage_sys_content(rtorrent_t)
- apache_exec_sys_content(rtorrent_t)
- ')
-')
-
-tunable_policy(`rtorrent_exec_scripts',`
- # execute helper scripts
- corecmd_exec_bin(rtorrent_t)
- userdom_exec_user_bin_files(rtorrent_t)
-')
diff --git a/sedoctool.patch b/sedoctool.patch
deleted file mode 100644
index 82b2eee..0000000
--- a/sedoctool.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy/support/sedoctool.py
-===================================================================
---- fedora-policy.orig/support/sedoctool.py
-+++ fedora-policy/support/sedoctool.py
-@@ -810,7 +810,7 @@ if booleans:
- namevalue_list = []
- if os.path.exists(booleans):
- try:
-- conf = open(booleans, 'r')
-+ conf = open(booleans, 'r', errors='replace')
- except:
- error("Could not open booleans file for reading")
-
-@@ -831,7 +831,7 @@ if modules:
- namevalue_list = []
- if os.path.exists(modules):
- try:
-- conf = open(modules, 'r')
-+ conf = open(modules, 'r', errors='replace')
- except:
- error("Could not open modules file for reading")
- namevalue_list = get_conf(conf)
diff --git a/selinux-policy-20230321.tar.xz b/selinux-policy-20230321.tar.xz
new file mode 100644
index 0000000..99b7daa
--- /dev/null
+++ b/selinux-policy-20230321.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
+size 752588
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 591aa86..361ee04 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,9 +1,168 @@
+-------------------------------------------------------------------
+Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230321:
+ * make kernel_t unconfined again
+
+-------------------------------------------------------------------
+Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230316:
+ * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
+ path
+ * allow kernel_t to relabel etc_t files
+ * allow kernel_t to relabel sysnet config files
+ * allow kernel_t to relabel systemd hwdb etc files
+ * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
+ * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
+ to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
+ management of config files
+ * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
+ interfaces to allow labeling on etc_t, not on the broader configfiles
+ attribute
+ * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
+ watch permissions reported are already fixed in a current policy.
+- Reinstate update.sh and remove container-selinux from the service.
+ Having both repos in there causes issues and update.sh makes the update
+ process easier in general. Updated README.Update
+
-------------------------------------------------------------------
Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz
- Remove erroneous SUSE man page. Will not be created with the
3.5 toolchain
+-------------------------------------------------------------------
+Tue Feb 14 21:41:54 UTC 2023 - Hu
+
+- Complete packaging rework: Move policy to git repository and
+ only use tar_scm obs service to refresh from there:
+ https://gitlab.suse.de/selinux/selinux-policy
+
+ Please use `osc service manualrun` to update this OBS package to the
+ newest git version.
+
+ * Added README.Update describing how to update this package
+ * Added _service file that pulls from selinux-policy and
+ upstream container-selinux and tars them
+ * Adapted selinux-policy.spec to build selinux-policy with
+ container-selinux
+ * Removed update.sh as no longer needed
+ * Removed suse specific modules as they are now covered by git commits
+ * packagekit.te packagekit.if packagekit.fc
+ * rebootmgr.te rebootmgr.if rebootmgr.fc
+ * rtorrent.te rtorrent.if rtorrent.fc
+ * wicked.te wicked.if wicked.fc
+ * Removed *.patch as they are now covered by git commits:
+ * distro_suse_to_distro_redhat.patch
+ * dontaudit_interface_kmod_tmpfs.patch
+ * fix_accountsd.patch
+ * fix_alsa.patch
+ * fix_apache.patch
+ * fix_auditd.patch
+ * fix_authlogin.patch
+ * fix_automount.patch
+ * fix_bitlbee.patch
+ * fix_chronyd.patch
+ * fix_cloudform.patch
+ * fix_colord.patch
+ * fix_corecommand.patch
+ * fix_cron.patch
+ * fix_dbus.patch
+ * fix_djbdns.patch
+ * fix_dnsmasq.patch
+ * fix_dovecot.patch
+ * fix_entropyd.patch
+ * fix_firewalld.patch
+ * fix_fwupd.patch
+ * fix_geoclue.patch
+ * fix_hypervkvp.patch
+ * fix_init.patch
+ * fix_ipsec.patch
+ * fix_iptables.patch
+ * fix_irqbalance.patch
+ * fix_java.patch
+ * fix_kernel.patch
+ * fix_kernel_sysctl.patch
+ * fix_libraries.patch
+ * fix_locallogin.patch
+ * fix_logging.patch
+ * fix_logrotate.patch
+ * fix_mcelog.patch
+ * fix_miscfiles.patch
+ * fix_nagios.patch
+ * fix_networkmanager.patch
+ * fix_nis.patch
+ * fix_nscd.patch
+ * fix_ntp.patch
+ * fix_openvpn.patch
+ * fix_postfix.patch
+ * fix_rpm.patch
+ * fix_rtkit.patch
+ * fix_screen.patch
+ * fix_selinuxutil.patch
+ * fix_sendmail.patch
+ * fix_smartmon.patch
+ * fix_snapper.patch
+ * fix_sslh.patch
+ * fix_sysnetwork.patch
+ * fix_systemd.patch
+ * fix_systemd_watch.patch
+ * fix_thunderbird.patch
+ * fix_unconfined.patch
+ * fix_unconfineduser.patch
+ * fix_unprivuser.patch
+ * fix_userdomain.patch
+ * fix_usermanage.patch
+ * fix_wine.patch
+ * fix_xserver.patch
+ * sedoctool.patch
+ * systemd_domain_dyntrans_type.patch
+
+-------------------------------------------------------------------
+Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz
+
+- Update to version 20230206. Refreshed:
+ * fix_entropyd.patch
+ * fix_networkmanager.patch
+ * fix_systemd_watch.patch
+ * fix_unconfineduser.patch
+- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
+ necessary as plymouth doesn't run in it's own domain in early boot
+
+-------------------------------------------------------------------
+Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz
+
+- Update to version 20230125. Refreshed:
+ * distro_suse_to_distro_redhat.patch
+ * fix_dnsmasq.patch
+ * fix_init.patch
+ * fix_ipsec.patch
+ * fix_kernel_sysctl.patch
+ * fix_logging.patch
+ * fix_rpm.patch
+ * fix_selinuxutil.patch
+ * fix_systemd_watch.patch
+ * fix_userdomain.patch
+- More flexible lib(exec) matching in fix_fwupd.patch
+- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
+- Dropped fix_container.patch, is now upstream
+- Added fix_entropyd.patch
+ * Added new interface entropyd_semaphore_filetrans to properly transfer
+ semaphore created during early boot. That doesn't work yet, so work
+ around with next item
+ * Allow reading tempfs files
+- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
+ to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
+- Added fix_rtkit.patch to fix labeling of binary
+- Modified fix_ntp.patch:
+ * Proper labeling for start-ntpd
+ * Fixed label rules for chroot path
+ * Temporarily allow dac_override for ntpd_t (bsc#1207577)
+ * Add interface ntp_manage_pid_files to allow management of pid
+ files
+- Updated fix_networkmanager.patch to allow managing ntp pid files
+
-------------------------------------------------------------------
Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5cd2ad..ede9b73 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,10 +33,15 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20221019
+Version: 20230321
Release: 0
-Source: fedora-policy-%{version}.tar.bz2
-Source1: selinux-policy-rpmlintrc
+Source0: %{name}-%{version}.tar.xz
+Source1: container.fc
+Source2: container.te
+Source3: container.if
+Source4: selinux-policy-rpmlintrc
+Source5: README.Update
+Source6: update.sh
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
@@ -70,88 +75,6 @@ Source92: customizable_types
#Source93: config.tgz
Source94: file_contexts.subs_dist
Source95: macros.selinux-policy
-Source96: update.sh
-
-Source120: packagekit.te
-Source121: packagekit.if
-Source122: packagekit.fc
-Source123: rtorrent.te
-Source124: rtorrent.if
-Source125: rtorrent.fc
-Source126: wicked.te
-Source127: wicked.if
-Source128: wicked.fc
-Source129: rebootmgr.te
-Source130: rebootmgr.if
-Source131: rebootmgr.fc
-
-Patch000: distro_suse_to_distro_redhat.patch
-Patch001: fix_djbdns.patch
-Patch002: fix_dbus.patch
-Patch004: fix_java.patch
-Patch006: fix_thunderbird.patch
-Patch007: fix_postfix.patch
-Patch008: fix_nscd.patch
-Patch009: fix_sysnetwork.patch
-Patch010: fix_logging.patch
-Patch011: fix_xserver.patch
-Patch012: fix_miscfiles.patch
-Patch013: fix_init.patch
-Patch014: fix_locallogin.patch
-Patch016: fix_iptables.patch
-Patch017: fix_irqbalance.patch
-Patch018: fix_ntp.patch
-Patch019: fix_fwupd.patch
-Patch020: fix_firewalld.patch
-Patch021: fix_logrotate.patch
-Patch022: fix_selinuxutil.patch
-Patch024: fix_corecommand.patch
-Patch025: fix_snapper.patch
-Patch026: fix_systemd.patch
-Patch027: fix_unconfined.patch
-Patch028: fix_unconfineduser.patch
-Patch029: fix_chronyd.patch
-Patch030: fix_networkmanager.patch
-Patch032: fix_accountsd.patch
-Patch033: fix_automount.patch
-Patch034: fix_colord.patch
-Patch035: fix_mcelog.patch
-Patch036: fix_sslh.patch
-Patch037: fix_nagios.patch
-Patch038: fix_openvpn.patch
-Patch039: fix_cron.patch
-Patch040: fix_usermanage.patch
-Patch041: fix_smartmon.patch
-Patch042: fix_geoclue.patch
-Patch044: fix_authlogin.patch
-Patch045: fix_screen.patch
-Patch046: fix_unprivuser.patch
-Patch047: fix_rpm.patch
-Patch048: fix_apache.patch
-Patch049: fix_nis.patch
-Patch050: fix_libraries.patch
-Patch051: fix_dovecot.patch
-# https://github.com/cockpit-project/cockpit/pull/15758
-#Patch052: fix_cockpit.patch
-Patch053: fix_systemd_watch.patch
-# kernel specific sysctl.conf (boo#1184804)
-Patch054: fix_kernel_sysctl.patch
-Patch055: fix_auditd.patch
-Patch056: fix_wine.patch
-Patch057: fix_hypervkvp.patch
-Patch058: fix_bitlbee.patch
-Patch059: systemd_domain_dyntrans_type.patch
-Patch060: fix_dnsmasq.patch
-Patch061: fix_userdomain.patch
-Patch062: fix_cloudform.patch
-Patch063: fix_alsa.patch
-Patch064: dontaudit_interface_kmod_tmpfs.patch
-Patch065: fix_sendmail.patch
-Patch066: fix_ipsec.patch
-# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included
-Patch067: fix_container.patch
-
-Patch100: sedoctool.patch
URL: https://github.com/fedora-selinux/selinux-policy.git
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -412,7 +335,16 @@ fi;
exit 0
%prep
-%autosetup -n fedora-policy-%{version} -p1
+
+# set up selinux-policy
+%autosetup -n %{name}-%{version} -p1
+
+# dirty hack for container-selinux, because selinux-policy won't build without it
+# upstream does not want to include it in main policy tree:
+# see discussion in https://github.com/containers/container-selinux/issues/186
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
+ cp $i policy/modules/services/
+done
%build
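Review bot: The comment above the copy loop calls the container-selinux files a "dirty hack" but does not say which upstream revision Source1-Source3 correspond to, and because update.sh refreshes them from a clone of the default branch that provenance is otherwise lost once the three files are compiled into the shipped policy. I would extend the comment with `# container.{te,if,fc} (Source1-3) are refreshed from https://github.com/containers/container-selinux by update.sh; record the upstream commit they were taken from in the changelog whenever they change`. The loop itself looks fine: the `%{SOURCE*}` paths are expanded by rpm, so the unquoted `$i` is unlikely to bite here.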
@@ -439,10 +371,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config
done
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
- cp $i policy/modules/contrib
-done
-
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch
deleted file mode 100644
index 8376c95..0000000
--- a/systemd_domain_dyntrans_type.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/init.te
-+++ fedora-policy-20220124/policy/modules/system/init.te
-@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
- allow init_t self:packet_socket create_socket_perms;
- allow init_t self:key manage_key_perms;
- allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
-+domain_dyntrans_type(init_t)
-+allow init_t self:process { dyntransition setcurrent };
-
- # is ~sys_module really needed? observed:
- # sys_boot
diff --git a/update.sh b/update.sh
index 92f709c..823357d 100644
--- a/update.sh
+++ b/update.sh
@@ -1,23 +1,27 @@
#!/bin/sh
date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'
echo Update to $date
-rm -rf fedora-policy container-selinux
+old_tar_file=$(ls -1 $base_name_pattern)
-git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
+osc service manualrun
+
+rm -rf container-selinux
git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux
-mv selinux-policy fedora-policy-$date
-rm -rf fedora-policy-$date/.git*
-mv container-selinux/container.* fedora-policy-$date/policy/modules/services/
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+ echo delte old file $old_tar_file
+ rm "$old_tar_file"
+ osc addremove
+fi
-rm -f fedora-policy?$date.tar*
-tar cf fedora-policy-$date.tar fedora-policy-$date
-bzip2 fedora-policy-$date.tar
-rm -rf fedora-policy-$date container-selinux
+osc status
-sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec
-
-echo "remove old tar file, then osc addremove"
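Review bot: `rm -f container.*` in the middle of the hunk runs before anything confirms that the preceding `git clone` succeeded, and the script sets no `set -e`, so a failed or partial clone deletes the checked-in container.te/if/fc, the `mv` fails, and the script still proceeds to `osc addremove`, which would stage their removal from the package. The clone also tracks the repository's default branch with no tag or commit pin, yet these three files are compiled into the system SELinux policy by the spec, so which upstream revision shipped is not recorded anywhere. Add `set -eu` after the shebang, hold the revision in a variable next to `base_name_pattern` and record it, and only replace the existing files once the clone is known to contain all three. A smaller point: `old_tar_file` is filled from a glob `ls` before the service runs, so if more than one tarball is already present it holds several names and `rm "$old_tar_file"` fails on the joined string; the comment on the count check already admits the sanity check is weak.
```sh
#!/bin/sh
set -eu
container_selinux_ref=main   # pin to a release tag/commit before refreshing
# … unchanged: date, base_name_pattern, old_tar_file, osc service manualrun …

rm -rf container-selinux
git clone --depth 1 --branch "$container_selinux_ref" \
    https://github.com/containers/container-selinux.git
# record what went into the shipped policy
git -C container-selinux rev-parse HEAD > container-selinux.commit
# replace the checked-in policy only once the clone is known to be complete
for f in te if fc; do
    test -f "container-selinux/container.$f"
done
rm -f container.*
mv container-selinux/container.* .
rm -rf container-selinux
# … unchanged: old tarball cleanup, osc status …
```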
diff --git a/wicked.fc b/wicked.fc
deleted file mode 100644
index 8b84838..0000000
--- a/wicked.fc
+++ /dev/null
@@ -1,50 +0,0 @@
-# not used
-#/etc/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-
-/etc/wicked(/.*)? gen_context(system_u:object_r:wicked_etc_t,s0)
-/etc/wicked/extensions/.* -- gen_context(system_u:object_r:wicked_exec_t,s0)
-
-#/etc/wicked/wicked\.conf gen_context(system_u:object_r:wicked_etc_rw_t,s0)
-#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0)
-
-/usr/lib/systemd/system/wicked.* -- gen_context(system_u:object_r:wicked_unit_file_t,s0)
-
-/sbin/ifdown -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifprobe -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifstatus -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0)
-
-/usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
-
-/usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0)
-
-#/usr/lib64/libwicked-0.6.63.so
-
-/usr/sbin/wicked -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/wickedd -- gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/sbin/wickedd-nanny -- gen_context(system_u:object_r:wicked_exec_t,s0)
-#/usr/share/wicked/schema/wireless.xml
-/var/lib/wicked(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0)
-#/etc/sysconfig/network/ifcfg-lo
-
-#/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-#/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:wicked_exec_t,s0)
-#/var/lib/wicd(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0)
-#/var/log/wicd.* -- gen_context(system_u:object_r:wicked_log_t,s0)
-
-/var/run/wicked(/.*)? gen_context(system_u:object_r:wicked_var_run_t,s0)
-
-#/etc/dbus-1
-#/etc/dbus-1/system.d
-#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
-#/etc/dbus-1/system.d/org.opensuse.Network.conf
-
-/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:wicked_script_t,s0)
-/etc/sysconfig/network/scripts/samba-winbindd -- gen_context(system_u:object_r:wicked_winbind_script_t,s0)
-/etc/sysconfig/network/scripts/dhcpd-restart-hook -- gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
diff --git a/wicked.if b/wicked.if
deleted file mode 100644
index 0246cda..0000000
--- a/wicked.if
+++ /dev/null
@@ -1,678 +0,0 @@
-## Manager for dynamically switching between networks.
-
-########################################
-##
-## Read and write wicked UDP sockets.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-# cjp: added for named.
-interface(`wicked_rw_udp_sockets',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:udp_socket { read write };
-')
-
-########################################
-##
-## Read and write wicked packet sockets.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-# cjp: added for named.
-interface(`wicked_rw_packet_sockets',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:packet_socket { read write };
-')
-
-#######################################
-##
-## Allow caller to relabel tun_socket
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_attach_tun_iface',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
-')
-
-########################################
-##
-## Read and write wicked netlink
-## routing sockets.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-# cjp: added for named.
-interface(`wicked_rw_routing_sockets',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:netlink_route_socket { read write };
-')
-
-########################################
-##
-## Execute wicked with a domain transition.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`wicked_domtrans',`
- gen_require(`
- type wicked_t, wicked_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, wicked_exec_t, wicked_t)
-')
-
-#######################################
-##
-## Execute wicked scripts with an automatic domain transition to initrc.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`wicked_initrc_domtrans',`
- gen_require(`
- type wicked_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, wicked_initrc_exec_t)
-')
-
-#######################################
-##
-## Allow reading of wicked link files
-##
-##
-##
-## Domain allowed to read the links
-##
-##
-#
-interface(`wicked_initrc_read_lnk_files',`
- gen_require(`
- type wicked_initrc_exec_t;
- ')
-
- read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t)
-')
-
-########################################
-##
-## Execute wicked server in the wicked domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`wicked_systemctl',`
- gen_require(`
- type wicked_unit_file_t;
- type wicked_t;
- ')
-
- systemd_exec_systemctl($1)
- init_reload_services($1)
- allow $1 wicked_unit_file_t:file read_file_perms;
- allow $1 wicked_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, wicked_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## wicked over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_dbus_chat',`
- gen_require(`
- type wicked_t;
- class dbus send_msg;
- ')
-
- allow $1 wicked_t:dbus send_msg;
- allow wicked_t $1:dbus send_msg;
-')
-
-#######################################
-##
-## Read metworkmanager process state files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_read_state',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:dir search_dir_perms;
- allow $1 wicked_t:file read_file_perms;
- allow $1 wicked_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-##
-## Do not audit attempts to send and
-## receive messages from wicked
-## over dbus.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`wicked_dontaudit_dbus_chat',`
- gen_require(`
- type wicked_t;
- class dbus send_msg;
- ')
-
- dontaudit $1 wicked_t:dbus send_msg;
- dontaudit wicked_t $1:dbus send_msg;
-')
-
-########################################
-##
-## Send a generic signal to wicked
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_signal',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:process signal;
-')
-
-########################################
-##
-## Create, read, and write
-## wicked library files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_manage_lib_files',`
- gen_require(`
- type wicked_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
- allow $1 wicked_var_lib_t:file map;
-')
-
-########################################
-##
-## Read wicked lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_read_lib_files',`
- gen_require(`
- type wicked_var_lib_t;
- ')
-
- files_search_var_lib($1)
- list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
- read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
- allow $1 wicked_var_lib_t:file map;
-')
-
-#######################################
-##
-## Read wicked conf files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_read_conf',`
- gen_require(`
- type wicked_etc_t;
- type wicked_etc_rw_t;
- ')
-
- allow $1 wicked_etc_t:dir list_dir_perms;
- read_files_pattern($1,wicked_etc_t,wicked_etc_t)
- read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t)
-')
-
-########################################
-##
-## Read wicked PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_read_pid_files',`
- gen_require(`
- type wicked_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-##
-## Manage wicked PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_manage_pid_files',`
- gen_require(`
- type wicked_var_run_t;
- ')
-
- files_search_pids($1)
- manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t)
- manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-##
-## Manage wicked PID sock files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_manage_pid_sock_files',`
- gen_require(`
- type wicked_var_run_t;
- ')
-
- files_search_pids($1)
- manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-##
-## Create objects in /etc with a private
-## type using a type_transition.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Object classes to be created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`wicked_pid_filetrans',`
- gen_require(`
- type wicked_var_run_t;
- ')
-
- filetrans_pattern($1, wicked_var_run_t, $2, $3, $4)
-')
-
-####################################
-##
-## Connect to wicked over
-## a unix domain stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_stream_connect',`
- gen_require(`
- type wicked_t, wicked_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
-')
-
-########################################
-##
-## Delete wicked PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_delete_pid_files',`
- gen_require(`
- type wicked_var_run_t;
- ')
-
- files_search_pids($1)
- delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
-')
-
-########################################
-##
-## Execute wicked in the wicked domain, and
-## allow the specified role the wicked domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`wicked_run',`
- gen_require(`
- type wicked_t, wicked_exec_t;
- ')
-
- wicked_domtrans($1)
- role $2 types wicked_t;
-')
-
-########################################
-##
-## Allow the specified domain to append
-## to Network Manager log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_append_log',`
- gen_require(`
- type wicked_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 wicked_log_t:dir list_dir_perms;
- append_files_pattern($1, wicked_log_t, wicked_log_t)
- allow $1 wicked_log_t:file map;
-
-')
-
-#######################################
-##
-## Allow the specified domain to manage
-## to Network Manager lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_manage_lib',`
- gen_require(`
- type wicked_var_lib_t;
- ')
-
- manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
- allow $1 wicked_var_lib_t:file map;
-
-')
-
-#######################################
-##
-## Send to wicked with a unix dgram socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_dgram_send',`
- gen_require(`
- type wicked_t, wicked_var_run_t;
- ')
-
- files_search_pids($1)
- dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
-')
-
-########################################
-##
-## Send sigchld to wicked.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`wicked_sigchld',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:process sigchld;
-')
-
-########################################
-##
-## Send signull to wicked.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`wicked_signull',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:process signull;
-')
-
-########################################
-##
-## Send sigkill to wicked.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`wicked_sigkill',`
- gen_require(`
- type wicked_t;
- ')
-
- allow $1 wicked_t:process sigkill;
-')
-
-########################################
-##
-## Transition to wicked named content
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wicked_filetrans_named_content',`
- gen_require(`
- type wicked_var_run_t;
- type wicked_var_lib_t;
- ')
-
-
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6")
-
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6")
-
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4")
- files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6")
-
- files_pid_filetrans($1, wicked_var_run_t, dir, "extension")
- files_pid_filetrans($1, wicked_var_run_t, dir, "nanny")
-
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-4.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
- files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
-')
-
-########################################
-##
-## Create a set of derived types for various wicked scripts
-##
-##
-##
-## The name to be used for deriving type names.
-##
-##
-#
-template(`wicked_script_template',`
- gen_require(`
- attribute wicked_plugin, wicked_script;
- type wicked_t;
- ')
-
- type wicked_$1_t, wicked_plugin;
- type wicked_$1_script_t, wicked_script;
- application_domain(wicked_$1_t, wicked_$1_script_t)
- role system_r types wicked_$1_t;
-
- domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
-')
diff --git a/wicked.te b/wicked.te
deleted file mode 100644
index 8747b97..0000000
--- a/wicked.te
+++ /dev/null
@@ -1,572 +0,0 @@
-policy_module(wicked, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type wicked_t;
-type wicked_exec_t;
-init_daemon_domain(wicked_t, wicked_exec_t)
-
-type wicked_initrc_exec_t;
-init_script_file(wicked_initrc_exec_t)
-
-type wicked_unit_file_t;
-systemd_unit_file(wicked_unit_file_t)
-
-type wicked_etc_t;
-files_config_file(wicked_etc_t)
-
-type wicked_etc_rw_t;
-files_config_file(wicked_etc_rw_t)
-
-#type wicked_log_t;
-#logging_log_file(wicked_log_t)
-
-type wicked_tmp_t;
-files_tmp_file(wicked_tmp_t)
-
-type wicked_var_lib_t;
-files_type(wicked_var_lib_t)
-
-type wicked_var_run_t;
-files_pid_file(wicked_var_run_t)
-
-
-# Wicked scripts
-
-attribute wicked_plugin;
-attribute wicked_script;
-type wicked_script_t, wicked_script;
-type wicked_custom_t, wicked_plugin;
-role system_r types wicked_custom_t;
-application_domain(wicked_custom_t, wicked_script_t)
-domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
-
-wicked_script_template(winbind);
-wicked_script_template(dhcp);
-
-#type wpa_cli_t;
-#type wpa_cli_exec_t;
-#init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# wicked will ptrace itself if gdb is installed
-# and it receives a unexpected signal (rh bug #204161)
-allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
-dontaudit wicked_t self:capability sys_tty_config;
-
-allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run };
-
-ifdef(`hide_broken_symptoms',`
- # caused by some bogus kernel code
- dontaudit wicked_t self:capability sys_module;
-')
-# alternatively allow with
-# kernel_load_module( wicked_t )
-
-allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-
-allow wicked_t self:process setfscreate;
-selinux_validate_context(wicked_t)
-
-tunable_policy(`deny_ptrace',`',`
- allow wicked_t self:capability sys_ptrace;
- allow wicked_t self:process ptrace;
-')
-
-allow wicked_t self:fifo_file rw_fifo_file_perms;
-allow wicked_t self:unix_dgram_socket { sendto create_socket_perms };
-allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto };
-allow wicked_t self:netlink_generic_socket create_socket_perms;
-allow wicked_t self:netlink_route_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_socket create_socket_perms;
-allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow wicked_t self:tcp_socket create_stream_socket_perms;
-allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-allow wicked_t self:udp_socket create_socket_perms;
-allow wicked_t self:packet_socket create_socket_perms;
-allow wicked_t self:rawip_socket create_socket_perms;
-allow wicked_t self:socket create_socket_perms;
-
-tunable_policy(`deny_bluetooth',`',`
- allow wicked_t self:bluetooth_socket create_stream_socket_perms;
-')
-
-#allow wicked_t wpa_cli_t:unix_dgram_socket sendto;
-
-can_exec(wicked_t, wicked_exec_t)
-#wicd
-# can_exec(wicked_t, wpa_cli_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-
-read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file })
-
-#allow wicked_t wicked_log_t:dir setattr_dir_perms;
-#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#logging_log_filetrans(wicked_t, wicked_log_t, file)
-
-can_exec(wicked_t, wicked_tmp_t)
-manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file })
-
-manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file })
-
-kernel_read_system_state(wicked_t)
-kernel_read_network_state(wicked_t)
-kernel_read_kernel_sysctls(wicked_t)
-kernel_request_load_module(wicked_t)
-kernel_read_debugfs(wicked_t)
-kernel_rw_net_sysctls(wicked_t)
-kernel_dontaudit_setsched(wicked_t)
-kernel_signull(wicked_t)
-
-corenet_ib_manage_subnet_unlabeled_endports(wicked_t)
-corenet_ib_access_unlabeled_pkeys(wicked_t)
-corenet_all_recvfrom_netlabel(wicked_t)
-corenet_tcp_sendrecv_generic_if(wicked_t)
-corenet_udp_sendrecv_generic_if(wicked_t)
-corenet_raw_sendrecv_generic_if(wicked_t)
-corenet_tcp_sendrecv_generic_node(wicked_t)
-corenet_udp_sendrecv_generic_node(wicked_t)
-corenet_raw_sendrecv_generic_node(wicked_t)
-corenet_tcp_sendrecv_all_ports(wicked_t)
-corenet_udp_sendrecv_all_ports(wicked_t)
-corenet_udp_bind_generic_node(wicked_t)
-corenet_udp_bind_isakmp_port(wicked_t)
-corenet_udp_bind_dhcpc_port(wicked_t)
-corenet_tcp_connect_all_ports(wicked_t)
-corenet_sendrecv_isakmp_server_packets(wicked_t)
-corenet_sendrecv_dhcpc_server_packets(wicked_t)
-corenet_sendrecv_all_client_packets(wicked_t)
-corenet_rw_tun_tap_dev(wicked_t)
-corenet_getattr_ppp_dev(wicked_t)
-
-dev_access_check_sysfs(wicked_t)
-dev_rw_sysfs(wicked_t)
-dev_write_sysfs_dirs(wicked_t)
-dev_read_rand(wicked_t)
-dev_read_urand(wicked_t)
-dev_dontaudit_getattr_generic_blk_files(wicked_t)
-dev_getattr_all_chr_files(wicked_t)
-dev_rw_wireless(wicked_t)
-
-fs_getattr_all_fs(wicked_t)
-fs_search_auto_mountpoints(wicked_t)
-fs_list_inotifyfs(wicked_t)
-fs_read_nsfs_files(wicked_t)
-
-mls_file_read_all_levels(wicked_t)
-
-selinux_dontaudit_search_fs(wicked_t)
-
-corecmd_exec_shell(wicked_t)
-corecmd_exec_bin(wicked_t)
-
-domain_use_interactive_fds(wicked_t)
-domain_read_all_domains_state(wicked_t)
-
-files_read_etc_runtime_files(wicked_t)
-files_read_system_conf_files(wicked_t)
-files_read_usr_src_files(wicked_t)
-files_read_isid_type_files(wicked_t)
-
-storage_getattr_fixed_disk_dev(wicked_t)
-
-term_open_unallocated_ttys(wicked_t)
-
-init_read_utmp(wicked_t)
-init_dontaudit_write_utmp(wicked_t)
-init_domtrans_script(wicked_t)
-init_signull_script(wicked_t)
-init_signal_script(wicked_t)
-init_sigkill_script(wicked_t)
-
-auth_use_nsswitch(wicked_t)
-
-libs_exec_ldconfig(wicked_t)
-
-logging_send_syslog_msg(wicked_t)
-logging_send_audit_msgs(wicked_t)
-
-miscfiles_read_generic_certs(wicked_t)
-
-seutil_read_config(wicked_t)
-seutil_run_setfiles(wicked_t, system_r)
-
-sysnet_domtrans_ifconfig(wicked_t)
-sysnet_domtrans_dhcpc(wicked_t)
-sysnet_signal_dhcpc(wicked_t)
-sysnet_signull_dhcpc(wicked_t)
-sysnet_read_dhcpc_pid(wicked_t)
-sysnet_read_dhcp_config(wicked_t)
-sysnet_delete_dhcpc_pid(wicked_t)
-sysnet_kill_dhcpc(wicked_t)
-sysnet_read_dhcpc_state(wicked_t)
-sysnet_delete_dhcpc_state(wicked_t)
-sysnet_search_dhcp_state(wicked_t)
-# in /etc created by wicked will be labelled net_conf_t.
-sysnet_manage_config(wicked_t)
-sysnet_filetrans_named_content(wicked_t)
-sysnet_filetrans_net_conf(wicked_t)
-
-systemd_machined_read_pid_files(wicked_t)
-
-term_use_unallocated_ttys(wicked_t)
-
-userdom_stream_connect(wicked_t)
-userdom_dontaudit_use_unpriv_user_fds(wicked_t)
-userdom_dontaudit_use_user_ttys(wicked_t)
-# Read gnome-keyring
-userdom_read_home_certs(wicked_t)
-userdom_read_user_home_content_files(wicked_t)
-userdom_dgram_send(wicked_t)
-
-hostname_exec(wicked_t)
-wicked_systemctl(wicked_t)
-
-sysnet_manage_config_dirs(wicked_t)
-
-
-# Wicked scripts
-
-list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
-read_files_pattern(wicked_t, wicked_script_t, wicked_script)
-read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
-list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
-read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
-
-auth_read_passwd(wicked_plugin)
-
-corecmd_exec_bin(wicked_plugin)
-corecmd_exec_shell(wicked_winbind_t)
-
-#tunable_policy(`use_nfs_home_dirs',`
-# fs_read_nfs_files(wicked_t)
-#')
-#
-#tunable_policy(`use_samba_home_dirs',`
-# fs_read_cifs_files(wicked_t)
-#')
-
-optional_policy(`
- avahi_domtrans(wicked_t)
- avahi_kill(wicked_t)
- avahi_signal(wicked_t)
- avahi_signull(wicked_t)
- avahi_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- packagekit_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- firewalld_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- wicked_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- bind_domtrans(wicked_t)
- bind_manage_cache(wicked_t)
- bind_kill(wicked_t)
- bind_signal(wicked_t)
- bind_signull(wicked_t)
-')
-
-optional_policy(`
- bluetooth_dontaudit_read_helper_state(wicked_t)
-')
-
-optional_policy(`
- consoletype_exec(wicked_t)
-')
-
-optional_policy(`
- cron_read_system_job_lib_files(wicked_t)
-')
-
-optional_policy(`
- chronyd_domtrans_chronyc(wicked_t)
- chronyd_domtrans(wicked_t)
-')
-
-optional_policy(`
- dbus_system_domain(wicked_t, wicked_exec_t)
-
- init_dbus_chat(wicked_t)
-
- optional_policy(`
- consolekit_dbus_chat(wicked_t)
- consolekit_read_pid_files(wicked_t)
- ')
-')
-
-optional_policy(`
- dnsmasq_read_pid_files(wicked_t)
- dnsmasq_dbus_chat(wicked_t)
- dnsmasq_delete_pid_files(wicked_t)
- dnsmasq_domtrans(wicked_t)
- dnsmasq_initrc_domtrans(wicked_t)
- dnsmasq_kill(wicked_t)
- dnsmasq_signal(wicked_t)
- dnsmasq_signull(wicked_t)
- dnsmasq_systemctl(wicked_t)
-')
-
-optional_policy(`
- dnssec_trigger_domtrans(wicked_t)
- dnssec_trigger_signull(wicked_t)
- dnssec_trigger_sigkill(wicked_t)
-')
-
-optional_policy(`
- fcoe_dgram_send_fcoemon(wicked_t)
-')
-
-optional_policy(`
- howl_signal(wicked_t)
-')
-
-optional_policy(`
- gnome_dontaudit_search_config(wicked_t)
-')
-
-optional_policy(`
- iscsid_domtrans(wicked_t)
-')
-
-optional_policy(`
- iodined_domtrans(wicked_t)
-')
-
-optional_policy(`
- ipsec_domtrans_mgmt(wicked_t)
- ipsec_kill_mgmt(wicked_t)
- ipsec_signal_mgmt(wicked_t)
- ipsec_signull_mgmt(wicked_t)
- ipsec_domtrans(wicked_t)
- ipsec_kill(wicked_t)
- ipsec_signal(wicked_t)
- ipsec_signull(wicked_t)
-')
-
-optional_policy(`
- iptables_domtrans(wicked_t)
-')
-
-optional_policy(`
- l2tpd_domtrans(wicked_t)
- l2tpd_sigkill(wicked_t)
- l2tpd_signal(wicked_t)
- l2tpd_signull(wicked_t)
-')
-
-optional_policy(`
- lldpad_dgram_send(wicked_t)
-')
-
-optional_policy(`
- kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t)
-')
-
-optional_policy(`
- netutils_exec_ping(wicked_t)
- netutils_exec(wicked_t)
-')
-
-optional_policy(`
- nscd_domtrans(wicked_t)
- nscd_signal(wicked_t)
- nscd_signull(wicked_t)
- nscd_kill(wicked_t)
- nscd_initrc_domtrans(wicked_t)
- nscd_systemctl(wicked_t)
-')
-
-optional_policy(`
- # Dispatcher starting and stoping ntp
- ntp_initrc_domtrans(wicked_t)
- ntp_systemctl(wicked_t)
-')
-
-optional_policy(`
- modutils_domtrans_kmod(wicked_t)
-')
-
-optional_policy(`
- openvpn_read_config(wicked_t)
- openvpn_domtrans(wicked_t)
- openvpn_kill(wicked_t)
- openvpn_signal(wicked_t)
- openvpn_signull(wicked_t)
- openvpn_stream_connect(wicked_t)
- openvpn_noatsecure(wicked_t)
-')
-
-optional_policy(`
- policykit_dbus_chat(wicked_t)
- policykit_domtrans_auth(wicked_t)
- policykit_read_lib(wicked_t)
- policykit_read_reload(wicked_t)
- userdom_read_all_users_state(wicked_t)
-')
-
-optional_policy(`
- polipo_systemctl(wicked_t)
-')
-
-optional_policy(`
- ppp_initrc_domtrans(wicked_t)
- ppp_domtrans(wicked_t)
- ppp_manage_pid_files(wicked_t)
- ppp_kill(wicked_t)
- ppp_signal(wicked_t)
- ppp_signull(wicked_t)
- ppp_read_config(wicked_t)
- ppp_systemctl(wicked_t)
-')
-
-optional_policy(`
- rpm_exec(wicked_t)
- rpm_read_db(wicked_t)
- rpm_dontaudit_manage_db(wicked_t)
-')
-
-optional_policy(`
- samba_service_status(wicked_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(wicked_t)
-')
-
-optional_policy(`
- sysnet_manage_dhcpc_state(wicked_t)
-')
-
-optional_policy(`
- systemd_write_inhibit_pipes(wicked_t)
- systemd_read_logind_sessions_files(wicked_t)
- systemd_dbus_chat_logind(wicked_t)
- systemd_dbus_chat_hostnamed(wicked_t)
- systemd_hostnamed_manage_config(wicked_t)
-')
-
-optional_policy(`
- ssh_basic_client_template(wicked, wicked_t, system_r)
- term_use_generic_ptys(wicked_ssh_t)
- modutils_domtrans_kmod(wicked_ssh_t)
- dbus_connect_system_bus(wicked_ssh_t)
- dbus_system_bus_client(wicked_ssh_t)
-
- wicked_dbus_chat(wicked_ssh_t)
-')
-
-optional_policy(`
- udev_exec(wicked_t)
- udev_read_db(wicked_t)
- udev_read_pid_files(wicked_t)
-')
-
-optional_policy(`
- vpn_domtrans(wicked_t)
- vpn_kill(wicked_t)
- vpn_signal(wicked_t)
- vpn_signull(wicked_t)
- vpn_relabelfrom_tun_socket(wicked_t)
-')
-
-optional_policy(`
- openfortivpn_domtrans(wicked_t)
- openfortivpn_sigkill(wicked_t)
- openfortivpn_signal(wicked_t)
- openfortivpn_signull(wicked_t)
-')
-
-optional_policy(`
- openvswitch_stream_connect(wicked_t)
-')
-
-optional_policy(`
- virt_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- networkmanager_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- logging_send_syslog_msg(wicked_winbind_t)
-')
-
-optional_policy(`
- sysnet_exec_ifconfig(wicked_plugin)
- sysnet_read_config(wicked_plugin)
-')
-
-optional_policy(`
- systemd_exec_systemctl(wicked_winbind_t)
- systemd_exec_systemctl(wicked_dhcp_t)
-')
-
-optional_policy(`
- samba_domtrans_smbcontrol(wicked_winbind_t)
- samba_read_config(wicked_winbind_t)
- samba_service_status(wicked_winbind_t)
-')
-
-#tunable_policy(`use_ecryptfs_home_dirs',`
-#fs_manage_ecryptfs_files(wicked_t)
-#')
-
-########################################
-#
-# wpa_cli local policy
-#
-
-#allow wpa_cli_t self:capability { dac_read_search };
-#allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
-#
-#allow wpa_cli_t wicked_t:unix_dgram_socket sendto;
-#
-#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t)
-#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file)
-#
-#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#
-#init_dontaudit_use_fds(wpa_cli_t)
-#init_use_script_ptys(wpa_cli_t)
-#
-#term_dontaudit_use_console(wpa_cli_t)