Accepting request 810877 from home:jsegitz:branches:security:SELinux

- Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch - Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot OBS-URL: https://build.opensuse.org/request/show/810877 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=76
2020-06-02 15:31:08 +00:00 · 2020-06-02 15:31:08 +00:00 · e10fb17535
commit e10fb17535
parent cf699a6f0f
22 changed files with 1734 additions and 17 deletions
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -12,3 +12,5 @@
 /run/systemd/generator /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/run/netconfig /etc
+/var/adm/netconfig/md5/etc /etc
+/var/adm/netconfig/md5/var /var
--- a/fix_apache.patch
+++ b/fix_apache.patch
@ -0,0 +1,30 @@
+Index: fedora-policy/policy/modules/contrib/apache.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/apache.if
+++ fedora-policy/policy/modules/contrib/apache.if
+@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets',
+ 
+     allow $1 httpd_t:unix_stream_socket ioctl;
+ ')
+
+#######################################
+## <summary>
+##  Allow the specified domain to execute
+##  httpd_sys_content_t and manage httpd_sys_rw_content_t
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_sys_content',`
+    gen_require(`
+        type httpd_sys_content_t;
+	type httpd_sys_rw_content_t;
+    ')
+
+    apache_manage_sys_content_rw($1)
+    filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+    can_exec($1, httpd_sys_content_t)
+')
--- a/fix_authlogin.patch
+++ b/fix_authlogin.patch
@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/authlogin.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/authlogin.fc
+++ fedora-policy/policy/modules/system/authlogin.fc
+@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
+ /usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ 
+ /usr/libexec/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
+/usr/lib/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
+ 
+ /var/ace(/.*)?			gen_context(system_u:object_r:var_auth_t,s0)
+ 
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@ -1,15 +1,31 @@
 Index: fedora-policy/policy/modules/contrib/chronyd.te
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/chronyd.te	2020-02-19 09:36:31.776283304 +0000
-+++ fedora-policy/policy/modules/contrib/chronyd.te	2020-02-25 10:33:09.169920838 +0000
-@@ -136,6 +136,10 @@ systemd_exec_systemctl(chronyd_t)
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te
+++ fedora-policy/policy/modules/contrib/chronyd.te
+@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t)
 userdom_dgram_send(chronyd_t)
 
 optional_policy(`
 +	networkmanager_read_pid_files(chronyd_t)
 +')
 +
+optional_policy(`
+	wicked_read_pid_files(chronyd_t)
+')
+
 +optional_policy(`
     cron_dgram_send(chronyd_t)
 ')
 
+Index: fedora-policy/policy/modules/contrib/chronyd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/chronyd.fc
+++ fedora-policy/policy/modules/contrib/chronyd.fc
+@@ -6,6 +6,7 @@
+ 
+ /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+ /usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/lib/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+ 
+ /usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
+ 
--- a/fix_nscd.patch
+++ b/fix_nscd.patch
@ -1,7 +1,7 @@
 Index: fedora-policy/policy/modules/contrib/nscd.fc
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/nscd.fc	2020-02-25 10:33:52.706658487 +0000
-+++ fedora-policy/policy/modules/contrib/nscd.fc	2020-02-25 10:33:56.314719506 +0000
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc
+++ fedora-policy/policy/modules/contrib/nscd.fc
@@ -8,8 +8,10 @@
 /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
 
@ -16,15 +16,19 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc
 +
 Index: fedora-policy/policy/modules/contrib/nscd.te
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/nscd.te	2020-02-19 09:36:31.804283750 +0000
-+++ fedora-policy/policy/modules/contrib/nscd.te	2020-02-25 10:34:18.611090097 +0000
-@@ -127,6 +127,10 @@ userdom_dontaudit_use_unpriv_user_fds(ns
+--- fedora-policy.orig/policy/modules/contrib/nscd.te
+++ fedora-policy/policy/modules/contrib/nscd.te
+@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
 userdom_dontaudit_search_user_home_dirs(nscd_t)
 
 optional_policy(`
 +	networkmanager_read_pid_files(nscd_t)
 +')
 +
+optional_policy(`
+	wicked_read_pid_files(nscd_t)
+')
+
 +optional_policy(`
 	accountsd_dontaudit_rw_fifo_file(nscd_t)
 ')
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@ -84,3 +84,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.te
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
+@@ -687,6 +694,14 @@ corenet_tcp_connect_spamd_port(postfix_m
+ files_search_all_mountpoints(postfix_smtp_t)
+ 
+ optional_policy(`
+    networkmanager_read_pid_files(postfix_smtp_t)
+')
+
+optional_policy(`
+    wicked_read_pid_files(postfix_smtp_t)
+')
+
+optional_policy(`
+ 	cyrus_stream_connect(postfix_smtp_t)
+ ')
+ 
--- a/fix_rpm.patch
+++ b/fix_rpm.patch
@ -0,0 +1,51 @@
+Index: fedora-policy/policy/modules/contrib/rpm.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/rpm.fc
+++ fedora-policy/policy/modules/contrib/rpm.fc
+@@ -17,6 +17,10 @@
+ /usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
+ /usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ 
+/usr/sbin/zypp-refresh		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zypper			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+
+ /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
+@@ -54,6 +58,8 @@ ifdef(`distro_redhat', `
+ /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
+ /var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
+ 
+/var/cache/zypp(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+ /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+Index: fedora-policy/policy/modules/contrib/rpm.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/rpm.if
+++ fedora-policy/policy/modules/contrib/rpm.if
+@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',`
+ 	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
+ 	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
+ 	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
+	logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log")
+ 	files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
+ 	files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
+	files_var_filetrans($1, rpm_var_cache_t, dir, "zypp")
+ 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
+ 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
+ 	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
+Index: fedora-policy/policy/modules/kernel/files.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/kernel/files.fc
+++ fedora-policy/policy/modules/kernel/files.fc
+@@ -67,6 +67,7 @@ ifdef(`distro_suse',`
+ /etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
+ /etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
+ /etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
+/etc/zypp(/.*)?                        		gen_context(system_u:object_r:system_conf_t,s0)
+ /etc/ostree/remotes.d(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
+ 
+ /ostree/repo(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
--- a/fix_screen.patch
+++ b/fix_screen.patch
@ -0,0 +1,22 @@
+Index: fedora-policy/policy/modules/contrib/screen.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/screen.if
+++ fedora-policy/policy/modules/contrib/screen.if
+@@ -45,6 +45,7 @@ template(`screen_role_template',`
+ 
+     userdom_list_user_home_dirs($1_screen_t)
+ 	userdom_home_reader($1_screen_t)
+        userdom_read_user_home_content_symlinks($1_screen_t)
+ 
+ 	domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ 	allow $3 $1_screen_t:process { signal sigchld };
+Index: fedora-policy/policy/modules/contrib/screen.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/screen.fc
+++ fedora-policy/policy/modules/contrib/screen.fc
+@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf	--	gen_context(sys
+ /usr/bin/tmux			--	gen_context(system_u:object_r:screen_exec_t,s0)
+ 
+ /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/uscreens(/.*)?'                gen_context(system_u:object_r:screen_var_run_t,s0)
+ /var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
--- a/fix_snapper.patch
+++ b/fix_snapper.patch
@ -1,8 +1,29 @@
 Index: fedora-policy/policy/modules/contrib/snapper.te
 ===================================================================
--- fedora-policy.orig/policy/modules/contrib/snapper.te	2020-02-19 09:36:31.880284960 +0000
-+++ fedora-policy/policy/modules/contrib/snapper.te	2020-02-24 10:57:10.311792681 +0000
-@@ -73,6 +73,10 @@ storage_raw_read_fixed_disk(snapperd_t)
+--- fedora-policy.orig/policy/modules/contrib/snapper.te
+++ fedora-policy/policy/modules/contrib/snapper.te
+@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
+ type snapperd_data_t;
+ files_type(snapperd_data_t)
+ 
+type snapperd_tmp_t;
+files_tmp_file(snapperd_tmp_t)
+
+ ########################################
+ #
+ # snapperd local policy
+@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r
+ allow snapperd_t snapperd_data_t:file relabelfrom;
+ snapper_filetrans_named_content(snapperd_t)
+ 
+allow snapperd_t snapperd_tmp_t:file manage_file_perms;
+allow snapperd_t snapperd_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir })
+
+ kernel_setsched(snapperd_t)
+ 
+ domain_read_all_domains_state(snapperd_t)
+@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t)
 auth_use_nsswitch(snapperd_t)
 
 optional_policy(`
@ -13,3 +34,31 @@ Index: fedora-policy/policy/modules/contrib/snapper.te
     cron_system_entry(snapperd_t, snapperd_exec_t)
 ')
 
+Index: fedora-policy/policy/modules/contrib/snapper.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/snapper.fc
+++ fedora-policy/policy/modules/contrib/snapper.fc
+@@ -7,9 +7,17 @@
+ 
+ /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
+ 
+-/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+-/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+-/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+-/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+-/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+-HOME_ROOT/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/mnt/(.*/)?\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
+/\.snapshots(/.*)?   			gen_context(system_u:object_r:snapperd_data_t,s0)
+/usr/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
+/var/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
+/etc/\.snapshots(/.*)?   		gen_context(system_u:object_r:snapperd_data_t,s0)
+HOME_ROOT/(.*/)?\.snapshots(/.*)?   	gen_context(system_u:object_r:snapperd_data_t,s0)
+
+# ensure that the snapshots itself aren't relabled
+/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
+/\.snapshots/[^/]*/snapshot(/.*)?   			<<none>>
+/usr/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
+/var/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
+/etc/\.snapshots/[^/]*/snapshot(/.*)?   		<<none>>
+HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)?   	<<none>>
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@ -12,3 +12,15 @@ Index: fedora-policy/policy/modules/system/systemd.te
 +optional_policy(`
 	apache_read_tmp_files(systemd_logind_t)
 ')
+ 
+@@ -817,6 +821,10 @@ optional_policy(`
+         dbus_connect_system_bus(systemd_hostnamed_t)
+ ')
+ 
+optional_policy(`
+	nscd_unconfined(systemd_hostnamed_t)
+')
+
+ #######################################
+ #
+ # rfkill policy
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@ -25,10 +25,14 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te
 	chrome_role_notrans(unconfined_r, unconfined_t)
 
 	tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -244,6 +253,10 @@ optional_policy(`
+@@ -244,6 +253,14 @@ optional_policy(`
 	dbus_stub(unconfined_t)
 
 	optional_policy(`
+		networkmanager_dbus_chat(unconfined_dbusd_t)
+	')
+
+	optional_policy(`
 +		systemd_dbus_chat_logind(unconfined_dbusd_t)
 +	')
 +
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@ -0,0 +1,18 @@
+Index: fedora-policy/policy/modules/roles/unprivuser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te
+++ fedora-policy/policy/modules/roles/unprivuser.te
+@@ -281,6 +281,13 @@ ifndef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
+    rtorrent_role(user_r, user_t)
+    # needed for tunable rtorrent_send_mails
+    mta_role_access_system_mail(user_r)
+')
+
+
+optional_policy(`
+     vmtools_run_helper(user_t, user_r)
+ ')
+ 
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -405,3 +405,17 @@ kdbus = module
 # Temporary permissive module for packagekit
 #
 packagekit = module
+
+# Layer: contrib
+# Module: rtorrent
+#
+# Policy for rtorrent
+#
+rtorrent = module
+
+# Layer: contrib
+# Module: wicked
+#
+# Policy for wicked
+#
+wicked = module
--- a/rtorrent.fc
+++ b/rtorrent.fc
@ -0,0 +1 @@
+/usr/bin/rtorrent	--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
--- a/rtorrent.if
+++ b/rtorrent.if
@ -0,0 +1,111 @@
+## <summary>Policy for rtorrent.</summary>
+
+############################################################
+## <summary>
+##	Role access for rtorrent
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`rtorrent_role',`
+	gen_require(`
+	    attribute_role rtorrent_roles;
+	    type rtorrent_t, rtorrent_exec_t;
+	')
+
+	roleattribute $1 rtorrent_roles;
+
+	# transition from the userdomain to the derived domain
+	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
+
+	# allow ps to show rtorrent
+	ps_process_pattern($2, rtorrent_t)
+	allow $2 rtorrent_t:process { signull sigstop signal sigkill };
+
+	ifdef(`hide_broken_symptoms',`
+		#Leaked File Descriptors
+		dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Transition to a user torrent domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_domtrans',`
+	gen_require(`
+		type rtorrent_t, rtorrent_exec_t;
+	')
+
+	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
+')
+
+######################################
+## <summary>
+##	Execute torrent in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_exec',`
+	gen_require(`
+		type rtorrent_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rtorrent_exec_t)
+')
+
+######################################
+## <summary>
+##  Make rtorrent an entrypoint for
+##  the specified domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The domain for which cifs_t is an entrypoint.
+##  </summary>
+## </param>
+#
+interface(`rtorrent_entry_type',`
+    gen_require(`
+        type rtorrent_exec_t;
+    ')
+
+    domain_entry_file($1, rtorrent_exec_t)
+')
+
+########################################
+## <summary>
+##	Send generic signals to user rtorrent processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_signal',`
+	gen_require(`
+		type rtorrent_t;
+	')
+
+	allow $1 rtorrent_t:process signal;
+')
--- a/rtorrent.te
+++ b/rtorrent.te
@ -0,0 +1,98 @@
+policy_module(rtorrent, 1.0.1)
+
+########################################
+#
+# Declarations
+#
+## <desc>
+## <p>
+## Allow rtorrent to use send mails
+## </p>
+## </desc>
+gen_tunable(rtorrent_send_mails, false)
+
+## <desc>
+## <p>
+## Enable necessary permissions for rutorrent
+## </p>
+## </desc>
+gen_tunable(rtorrent_enable_rutorrent, false)
+
+attribute rtorrentdomain;
+
+attribute_role rtorrent_roles;
+roleattribute system_r rtorrent_roles;
+
+type rtorrent_t;
+type rtorrent_exec_t;
+userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
+role rtorrent_roles types rtorrent_t;
+
+########################################
+#
+# rtorrent local policy
+#
+
+corenet_tcp_bind_commplex_main_port(rtorrent_t)
+
+type rtorrent_port_t;
+corenet_port(rtorrent_port_t)
+allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
+
+userdom_read_user_home_content_symlinks(rtorrent_t)
+
+allow rtorrent_t self:process setpgid;
+allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+allow rtorrent_t self:fifo_file rw_fifo_file_perms;
+allow rtorrent_t self:tcp_socket create_stream_socket_perms;
+allow rtorrent_t self:unix_stream_socket connectto;
+
+allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
+allow rtorrent_t self:udp_socket { connect create getattr };
+nscd_shm_use(rtorrent_t)
+
+#corecmd_exec_shell(rtorrent_t)
+corecmd_exec_bin(rtorrent_t)
+# execute helper scripts
+userdom_exec_user_bin_files(rtorrent_t)
+
+corenet_all_recvfrom_netlabel(rtorrent_t)
+corenet_tcp_sendrecv_generic_if(rtorrent_t)
+corenet_udp_sendrecv_generic_if(rtorrent_t)
+corenet_tcp_sendrecv_generic_node(rtorrent_t)
+corenet_udp_sendrecv_generic_node(rtorrent_t)
+corenet_tcp_sendrecv_all_ports(rtorrent_t)
+corenet_udp_sendrecv_all_ports(rtorrent_t)
+corenet_tcp_connect_all_ports(rtorrent_t)
+corenet_sendrecv_all_client_packets(rtorrent_t)
+corenet_udp_bind_all_unreserved_ports(rtorrent_t)
+
+domain_use_interactive_fds(rtorrent_t)
+auth_use_nsswitch(rtorrent_t)
+miscfiles_map_generic_certs(rtorrent_t)
+fs_getattr_xattr_fs(rtorrent_t)
+
+userdom_use_inherited_user_terminals(rtorrent_t)
+userdom_manage_user_home_content_files(rtorrent_t)
+userdom_manage_user_home_content_dirs(rtorrent_t)
+userdom_home_manager(rtorrent_t)
+userdom_filetrans_home_content(rtorrent_t)
+userdom_stream_connect(rtorrent_t)
+
+optional_policy(`
+	tunable_policy(`rtorrent_send_mails',`
+		userdom_exec_user_bin_files(rtorrent_t)
+		userdom_exec_user_home_content_files(rtorrent_t)
+		files_manage_generic_tmp_files(rtorrent_t)
+		mta_send_mail(rtorrent_t)
+	')
+')
+
+optional_policy(`
+    apache_manage_sys_content(rtorrent_t)
+
+    tunable_policy(`rtorrent_enable_rutorrent',`
+        apache_exec_sys_content(rtorrent_t)
+    ')
+')
+
--- a/sedoctool.patch
+++ b/sedoctool.patch
@ -1,7 +1,7 @@
 Index: fedora-policy/support/sedoctool.py
 ===================================================================
--- fedora-policy.orig/support/sedoctool.py	2019-08-21 13:54:02.175947408 +0200
-+++ fedora-policy/support/sedoctool.py	2019-08-21 13:57:57.323782524 +0200
+--- fedora-policy.orig/support/sedoctool.py
+++ fedora-policy/support/sedoctool.py
@@ -810,7 +810,7 @@ if booleans:
 	namevalue_list = []
 	if os.path.exists(booleans):
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jun  2 14:45:37 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
+
+- Added module for wicked
+- New patches:
+  * fix_authlogin.patch
+  * fix_screen.patch
+  * fix_unprivuser.patch
+  * fix_rpm.patch
+  * fix_apache.patch
+
+-------------------------------------------------------------------
+Thu Mar 26 09:51:45 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
+
+- Added module for rtorrent
+- Enable snapper module in minimum policy to reduce issues on BTRFS
+  Updated fix_snapper.patch to prevent relabling of snapshot
+
 -------------------------------------------------------------------
 Mon Mar  9 09:01:22 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -106,6 +106,12 @@ Source94:       file_contexts.subs_dist
 Source120:      packagekit.te
 Source121:      packagekit.if
 Source122:      packagekit.fc
+Source123:      rtorrent.te
+Source124:      rtorrent.if
+Source125:      rtorrent.fc
+Source126:      wicked.te
+Source127:      wicked.if
+Source128:      wicked.fc

 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
@ -148,6 +154,11 @@ Patch040:       fix_usermanage.patch
 Patch041:       fix_smartmon.patch
 Patch042:       fix_geoclue.patch
 Patch043:       suse_specific.patch
+Patch044:       fix_authlogin.patch
+Patch045:       fix_screen.patch
+Patch046:       fix_unprivuser.patch
+Patch047:       fix_rpm.patch
+Patch048:       fix_apache.patch

 Patch100: 	sedoctool.patch

@ -398,6 +409,11 @@ systems and used as the basis for creating other policies.
 %patch041 -p1
 %patch042 -p1
 %patch043 -p1
+%patch044 -p1
+%patch045 -p1
+%patch046 -p1
+%patch047 -p1
+%patch048 -p1

 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
@ -418,7 +434,7 @@ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/

-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
 cp $i policy/modules/contrib
 done

@ -584,7 +600,7 @@ if [ $1 -eq 1 ]; then
 for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
-for p in $basepackages dbus kerberos nscd rpm rtkit; do
+for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semanage import -S minimum -f - << __eof
@ -598,7 +614,7 @@ instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
 for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
-for p in $instpackages dbus kerberos nscd rtkit; do
+for p in $instpackages snapper dbus kerberos nscd rtkit; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semodule -B -s minimum
--- a/wicked.fc
+++ b/wicked.fc
@ -0,0 +1,46 @@
+# not used
+#/etc/wicked/dispatcher\.d(/.*)?	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
+#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
+
+/etc/wicked(/.*)?	gen_context(system_u:object_r:wicked_etc_t,s0)
+/etc/wicked/extensions/.* 	--	gen_context(system_u:object_r:wicked_exec_t,s0)
+
+#/etc/wicked/wicked\.conf	gen_context(system_u:object_r:wicked_etc_rw_t,s0)
+#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0)
+
+/usr/lib/systemd/system/wicked.* --	gen_context(system_u:object_r:wicked_unit_file_t,s0)
+
+/sbin/ifdown 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/sbin/ifprobe 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/sbin/ifstatus 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/sbin/ifup 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/usr/sbin/ifup 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+
+/usr/sbin/rcwicked.*		--	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
+
+/usr/lib/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
+
+#/usr/lib64/libwicked-0.6.63.so
+
+/usr/sbin/wicked 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/usr/sbin/wickedd 			--	gen_context(system_u:object_r:wicked_exec_t,s0)
+/usr/sbin/wickedd-nanny 		--	gen_context(system_u:object_r:wicked_exec_t,s0)
+#/usr/share/wicked/schema/wireless.xml
+/var/lib/wicked(/.*)?				gen_context(system_u:object_r:wicked_var_lib_t,s0)
+#/etc/sysconfig/network/ifcfg-lo
+
+#/usr/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+#/usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:wicked_exec_t,s0)
+#/var/lib/wicd(/.*)?			gen_context(system_u:object_r:wicked_var_lib_t,s0)
+#/var/log/wicd.*				--	gen_context(system_u:object_r:wicked_log_t,s0)
+
+/var/run/wicked(/.*)?		gen_context(system_u:object_r:wicked_var_run_t,s0)
+
+#/etc/dbus-1
+#/etc/dbus-1/system.d
+#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf
+#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf
+#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf
+#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
+#/etc/dbus-1/system.d/org.opensuse.Network.conf
+
--- a/wicked.if
+++ b/wicked.if
@ -0,0 +1,654 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+##	Read and write wicked UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`wicked_rw_udp_sockets',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write wicked packet sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`wicked_rw_packet_sockets',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:packet_socket { read write };
+')
+
+#######################################
+## <summary>
+## Allow caller to relabel tun_socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_attach_tun_iface',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+##	Read and write wicked netlink
+##	routing sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`wicked_rw_routing_sockets',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+##	Execute wicked with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`wicked_domtrans',`
+	gen_require(`
+		type wicked_t, wicked_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, wicked_exec_t, wicked_t)
+')
+
+#######################################
+## <summary>
+##      Execute wicked scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`wicked_initrc_domtrans',`
+        gen_require(`
+                type wicked_initrc_exec_t;
+        ')
+
+        init_labeled_script_domtrans($1, wicked_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##      Allow reading of wicked link files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to read the links
+##      </summary>
+## </param>
+#
+interface(`wicked_initrc_read_lnk_files',`
+        gen_require(`
+                type wicked_initrc_exec_t;
+        ')
+
+	read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute wicked server in the wicked domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`wicked_systemctl',`
+	gen_require(`
+		type wicked_unit_file_t;
+		type wicked_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 wicked_unit_file_t:file read_file_perms;
+	allow $1 wicked_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, wicked_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	wicked over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_dbus_chat',`
+	gen_require(`
+		type wicked_t;
+		class dbus send_msg;
+	')
+
+	allow $1 wicked_t:dbus send_msg;
+	allow wicked_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##	Read metworkmanager process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_read_state',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:dir search_dir_perms;
+	allow $1 wicked_t:file read_file_perms;
+	allow $1 wicked_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and
+##	receive messages from wicked
+##	over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`wicked_dontaudit_dbus_chat',`
+	gen_require(`
+		type wicked_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 wicked_t:dbus send_msg;
+	dontaudit wicked_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to wicked
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_signal',`
+	gen_require(`
+		type wicked_t;
+	')
+
+	allow $1 wicked_t:process signal;
+')
+
+########################################
+## <summary>
+##	Create, read, and write
+##	wicked library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_manage_lib_files',`
+	gen_require(`
+		type wicked_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
+	allow $1 wicked_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+##	Read wicked lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_read_lib_files',`
+	gen_require(`
+		type wicked_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
+	read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
+	allow $1 wicked_var_lib_t:file map;
+')
+
+#######################################
+## <summary>
+##  Read wicked conf files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`wicked_read_conf',`
+    gen_require(`
+        type wicked_etc_t;
+        type wicked_etc_rw_t;
+    ')
+
+	allow $1 wicked_etc_t:dir list_dir_perms;
+	read_files_pattern($1,wicked_etc_t,wicked_etc_t)
+	read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t)
+')
+
+########################################
+## <summary>
+##	Read wicked PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_read_pid_files',`
+	gen_require(`
+		type wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage wicked PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_manage_pid_files',`
+	gen_require(`
+		type wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t)
+	manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage wicked PID sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_manage_pid_sock_files',`
+	gen_require(`
+		type wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
+')
+
+########################################
+## <summary>
+##	Create objects in /etc with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`wicked_pid_filetrans',`
+	gen_require(`
+		type wicked_var_run_t;
+	')
+
+	filetrans_pattern($1, wicked_var_run_t, $2, $3, $4)
+')
+
+####################################
+## <summary>
+##  Connect to wicked over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`wicked_stream_connect',`
+	gen_require(`
+		type wicked_t, wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
+')
+
+########################################
+## <summary>
+##	Delete wicked PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_delete_pid_files',`
+	gen_require(`
+		type wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+    delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute wicked in the wicked domain, and
+##	allow the specified role the wicked domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`wicked_run',`
+	gen_require(`
+		type wicked_t, wicked_exec_t;
+	')
+
+	wicked_domtrans($1)
+	role $2 types wicked_t;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to Network Manager log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_append_log',`
+	gen_require(`
+		type wicked_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 wicked_log_t:dir list_dir_perms;
+	append_files_pattern($1, wicked_log_t, wicked_log_t)
+	allow $1 wicked_log_t:file map;
+
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to manage
+##  to Network Manager lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`wicked_manage_lib',`
+    gen_require(`
+        type wicked_var_lib_t;
+    ')
+
+    manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
+    allow $1 wicked_var_lib_t:file map;
+
+')
+
+#######################################
+## <summary>
+##	Send to wicked with a unix dgram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_dgram_send',`
+	gen_require(`
+		type wicked_t, wicked_var_run_t;
+	')
+
+	files_search_pids($1)
+	dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
+')
+
+########################################
+## <summary>
+##	Send sigchld to wicked.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`wicked_sigchld',`
+	gen_require(`
+		type wicked_t;
+	')
+
+    allow $1 wicked_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send signull to wicked.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`wicked_signull',`
+	gen_require(`
+		type wicked_t;
+	')
+
+    allow $1 wicked_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send sigkill to wicked.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`wicked_sigkill',`
+	gen_require(`
+		type wicked_t;
+	')
+
+    allow $1 wicked_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Transition to wicked named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wicked_filetrans_named_content',`
+	gen_require(`
+		type wicked_var_run_t;
+		type wicked_var_lib_t;
+	')
+
+
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6")
+
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6")
+
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4")
+	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6")
+
+	files_pid_filetrans($1, wicked_var_run_t, dir, "extension")
+	files_pid_filetrans($1, wicked_var_run_t, dir, "nanny")
+
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-4.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
+	files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
+')
--- a/wicked.te
+++ b/wicked.te
@ -0,0 +1,524 @@
+policy_module(wicked, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wicked_t;
+type wicked_exec_t;
+init_daemon_domain(wicked_t, wicked_exec_t)
+
+type wicked_initrc_exec_t;
+init_script_file(wicked_initrc_exec_t)
+
+type wicked_unit_file_t;
+systemd_unit_file(wicked_unit_file_t)
+
+type wicked_etc_t;
+files_config_file(wicked_etc_t)
+
+type wicked_etc_rw_t;
+files_config_file(wicked_etc_rw_t)
+
+#type wicked_log_t;
+#logging_log_file(wicked_log_t)
+
+type wicked_tmp_t;
+files_tmp_file(wicked_tmp_t)
+
+type wicked_var_lib_t;
+files_type(wicked_var_lib_t)
+
+type wicked_var_run_t;
+files_pid_file(wicked_var_run_t)
+
+#type wpa_cli_t;
+#type wpa_cli_exec_t;
+#init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# wicked will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
+dontaudit wicked_t self:capability sys_tty_config;
+
+allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+ifdef(`hide_broken_symptoms',`
+	# caused by some bogus kernel code
+	dontaudit wicked_t self:capability sys_module;
+')
+# alternatively allow with
+# kernel_load_module( wicked_t )
+
+allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
+allow wicked_t self:process setfscreate;
+selinux_validate_context(wicked_t)
+
+tunable_policy(`deny_ptrace',`',`
+	allow wicked_t self:capability sys_ptrace;
+	allow wicked_t self:process ptrace;
+')
+
+allow wicked_t self:fifo_file rw_fifo_file_perms;
+allow wicked_t self:unix_dgram_socket { sendto create_socket_perms };
+allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto };
+allow wicked_t self:netlink_generic_socket create_socket_perms;
+allow wicked_t self:netlink_route_socket create_netlink_socket_perms;
+allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow wicked_t self:netlink_socket create_socket_perms;
+allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow wicked_t self:tcp_socket create_stream_socket_perms;
+allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow wicked_t self:udp_socket create_socket_perms;
+allow wicked_t self:packet_socket create_socket_perms;
+allow wicked_t self:rawip_socket create_socket_perms;
+allow wicked_t self:socket create_socket_perms;
+
+tunable_policy(`deny_bluetooth',`',`
+    allow wicked_t self:bluetooth_socket create_stream_socket_perms;
+')
+
+#allow wicked_t wpa_cli_t:unix_dgram_socket sendto;
+
+can_exec(wicked_t, wicked_exec_t)
+#wicd
+# can_exec(wicked_t, wpa_cli_exec_t)
+
+list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
+read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
+read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
+
+list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
+read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
+read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
+
+read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
+manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
+manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
+filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file })
+
+#allow wicked_t wicked_log_t:dir setattr_dir_perms;
+#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
+#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
+#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
+#logging_log_filetrans(wicked_t, wicked_log_t, file)
+
+can_exec(wicked_t, wicked_tmp_t)
+manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
+manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
+files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file })
+
+manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
+manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
+manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
+files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
+manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
+manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
+files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(wicked_t)
+kernel_read_network_state(wicked_t)
+kernel_read_kernel_sysctls(wicked_t)
+kernel_request_load_module(wicked_t)
+kernel_read_debugfs(wicked_t)
+kernel_rw_net_sysctls(wicked_t)
+kernel_dontaudit_setsched(wicked_t)
+kernel_signull(wicked_t)
+
+corenet_ib_manage_subnet_unlabeled_endports(wicked_t)
+corenet_ib_access_unlabeled_pkeys(wicked_t)
+corenet_all_recvfrom_netlabel(wicked_t)
+corenet_tcp_sendrecv_generic_if(wicked_t)
+corenet_udp_sendrecv_generic_if(wicked_t)
+corenet_raw_sendrecv_generic_if(wicked_t)
+corenet_tcp_sendrecv_generic_node(wicked_t)
+corenet_udp_sendrecv_generic_node(wicked_t)
+corenet_raw_sendrecv_generic_node(wicked_t)
+corenet_tcp_sendrecv_all_ports(wicked_t)
+corenet_udp_sendrecv_all_ports(wicked_t)
+corenet_udp_bind_generic_node(wicked_t)
+corenet_udp_bind_isakmp_port(wicked_t)
+corenet_udp_bind_dhcpc_port(wicked_t)
+corenet_tcp_connect_all_ports(wicked_t)
+corenet_sendrecv_isakmp_server_packets(wicked_t)
+corenet_sendrecv_dhcpc_server_packets(wicked_t)
+corenet_sendrecv_all_client_packets(wicked_t)
+corenet_rw_tun_tap_dev(wicked_t)
+corenet_getattr_ppp_dev(wicked_t)
+
+dev_access_check_sysfs(wicked_t)
+dev_rw_sysfs(wicked_t)
+dev_write_sysfs_dirs(wicked_t)
+dev_read_rand(wicked_t)
+dev_read_urand(wicked_t)
+dev_dontaudit_getattr_generic_blk_files(wicked_t)
+dev_getattr_all_chr_files(wicked_t)
+dev_rw_wireless(wicked_t)
+
+fs_getattr_all_fs(wicked_t)
+fs_search_auto_mountpoints(wicked_t)
+fs_list_inotifyfs(wicked_t)
+fs_read_nsfs_files(wicked_t)
+
+mls_file_read_all_levels(wicked_t)
+
+selinux_dontaudit_search_fs(wicked_t)
+
+corecmd_exec_shell(wicked_t)
+corecmd_exec_bin(wicked_t)
+
+domain_use_interactive_fds(wicked_t)
+domain_read_all_domains_state(wicked_t)
+
+files_read_etc_runtime_files(wicked_t)
+files_read_system_conf_files(wicked_t)
+files_read_usr_src_files(wicked_t)
+files_read_isid_type_files(wicked_t)
+
+storage_getattr_fixed_disk_dev(wicked_t)
+
+term_open_unallocated_ttys(wicked_t)
+
+init_read_utmp(wicked_t)
+init_dontaudit_write_utmp(wicked_t)
+init_domtrans_script(wicked_t)
+init_signull_script(wicked_t)
+init_signal_script(wicked_t)
+init_sigkill_script(wicked_t)
+
+auth_use_nsswitch(wicked_t)
+
+libs_exec_ldconfig(wicked_t)
+
+logging_send_syslog_msg(wicked_t)
+logging_send_audit_msgs(wicked_t)
+
+miscfiles_read_generic_certs(wicked_t)
+
+seutil_read_config(wicked_t)
+seutil_run_setfiles(wicked_t, system_r)
+
+sysnet_domtrans_ifconfig(wicked_t)
+sysnet_domtrans_dhcpc(wicked_t)
+sysnet_signal_dhcpc(wicked_t)
+sysnet_signull_dhcpc(wicked_t)
+sysnet_read_dhcpc_pid(wicked_t)
+sysnet_read_dhcp_config(wicked_t)
+sysnet_delete_dhcpc_pid(wicked_t)
+sysnet_kill_dhcpc(wicked_t)
+sysnet_read_dhcpc_state(wicked_t)
+sysnet_delete_dhcpc_state(wicked_t)
+sysnet_search_dhcp_state(wicked_t)
+# in /etc created by wicked will be labelled net_conf_t.
+sysnet_manage_config(wicked_t)
+sysnet_filetrans_named_content(wicked_t)
+sysnet_filetrans_net_conf(wicked_t)
+
+systemd_machined_read_pid_files(wicked_t)
+
+term_use_unallocated_ttys(wicked_t)
+
+userdom_stream_connect(wicked_t)
+userdom_dontaudit_use_unpriv_user_fds(wicked_t)
+userdom_dontaudit_use_user_ttys(wicked_t)
+# Read gnome-keyring
+userdom_read_home_certs(wicked_t)
+userdom_read_user_home_content_files(wicked_t)
+userdom_dgram_send(wicked_t)
+
+hostname_exec(wicked_t)
+wicked_systemctl(wicked_t)
+
+sysnet_manage_config_dirs(wicked_t)
+
+#tunable_policy(`use_nfs_home_dirs',`
+#    fs_read_nfs_files(wicked_t)
+#')
+#
+#tunable_policy(`use_samba_home_dirs',`
+#    fs_read_cifs_files(wicked_t)
+#')
+
+optional_policy(`
+	avahi_domtrans(wicked_t)
+	avahi_kill(wicked_t)
+	avahi_signal(wicked_t)
+	avahi_signull(wicked_t)
+	avahi_dbus_chat(wicked_t)
+')
+
+optional_policy(`
+	packagekit_dbus_chat(wicked_t)
+')
+
+optional_policy(`
+    firewalld_dbus_chat(wicked_t)
+')
+
+optional_policy(`
+    wicked_dbus_chat(wicked_t)
+')
+
+optional_policy(`
+	bind_domtrans(wicked_t)
+	bind_manage_cache(wicked_t)
+	bind_kill(wicked_t)
+	bind_signal(wicked_t)
+	bind_signull(wicked_t)
+')
+
+optional_policy(`
+	bluetooth_dontaudit_read_helper_state(wicked_t)
+')
+
+optional_policy(`
+	consoletype_exec(wicked_t)
+')
+
+optional_policy(`
+	cron_read_system_job_lib_files(wicked_t)
+')
+
+optional_policy(`
+	chronyd_domtrans_chronyc(wicked_t)
+	chronyd_domtrans(wicked_t)
+')
+
+optional_policy(`
+	dbus_system_domain(wicked_t, wicked_exec_t)
+
+	init_dbus_chat(wicked_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(wicked_t)
+		consolekit_read_pid_files(wicked_t)
+	')
+')
+
+optional_policy(`
+	dnsmasq_read_pid_files(wicked_t)
+	dnsmasq_dbus_chat(wicked_t)
+	dnsmasq_delete_pid_files(wicked_t)
+	dnsmasq_domtrans(wicked_t)
+	dnsmasq_initrc_domtrans(wicked_t)
+	dnsmasq_kill(wicked_t)
+	dnsmasq_signal(wicked_t)
+	dnsmasq_signull(wicked_t)
+	dnsmasq_systemctl(wicked_t)
+')
+
+optional_policy(`
+    dnssec_trigger_domtrans(wicked_t)
+    dnssec_trigger_signull(wicked_t)
+    dnssec_trigger_sigkill(wicked_t)
+')
+
+optional_policy(`
+    fcoe_dgram_send_fcoemon(wicked_t)
+')
+
+optional_policy(`
+	hal_write_log(wicked_t)
+')
+
+optional_policy(`
+	howl_signal(wicked_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(wicked_t)
+')
+
+optional_policy(`
+    iscsid_domtrans(wicked_t)
+')
+
+optional_policy(`
+    iodined_domtrans(wicked_t)
+')
+
+optional_policy(`
+	ipsec_domtrans_mgmt(wicked_t)
+	ipsec_kill_mgmt(wicked_t)
+	ipsec_signal_mgmt(wicked_t)
+	ipsec_signull_mgmt(wicked_t)
+	ipsec_domtrans(wicked_t)
+	ipsec_kill(wicked_t)
+	ipsec_signal(wicked_t)
+	ipsec_signull(wicked_t)
+')
+
+optional_policy(`
+	iptables_domtrans(wicked_t)
+')
+
+optional_policy(`
+	l2tpd_domtrans(wicked_t)
+    l2tpd_sigkill(wicked_t)
+    l2tpd_signal(wicked_t)
+    l2tpd_signull(wicked_t)
+')
+
+optional_policy(`
+    lldpad_dgram_send(wicked_t)
+')
+
+optional_policy(`
+    kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t)
+')
+
+optional_policy(`
+	netutils_exec_ping(wicked_t)
+    netutils_exec(wicked_t)
+')
+
+optional_policy(`
+	nscd_domtrans(wicked_t)
+	nscd_signal(wicked_t)
+	nscd_signull(wicked_t)
+	nscd_kill(wicked_t)
+	nscd_initrc_domtrans(wicked_t)
+	nscd_systemctl(wicked_t)
+')
+
+optional_policy(`
+	# Dispatcher starting and stoping ntp
+	ntp_initrc_domtrans(wicked_t)
+	ntp_systemctl(wicked_t)
+')
+
+optional_policy(`
+	modutils_domtrans_kmod(wicked_t)
+')
+
+optional_policy(`
+	openvpn_read_config(wicked_t)
+	openvpn_domtrans(wicked_t)
+	openvpn_kill(wicked_t)
+	openvpn_signal(wicked_t)
+	openvpn_signull(wicked_t)
+	openvpn_stream_connect(wicked_t)
+	openvpn_noatsecure(wicked_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(wicked_t)
+	policykit_domtrans_auth(wicked_t)
+	policykit_read_lib(wicked_t)
+	policykit_read_reload(wicked_t)
+	userdom_read_all_users_state(wicked_t)
+')
+
+optional_policy(`
+	polipo_systemctl(wicked_t)
+')
+
+optional_policy(`
+	ppp_initrc_domtrans(wicked_t)
+	ppp_domtrans(wicked_t)
+	ppp_manage_pid_files(wicked_t)
+	ppp_kill(wicked_t)
+	ppp_signal(wicked_t)
+	ppp_signull(wicked_t)
+	ppp_read_config(wicked_t)
+	ppp_systemctl(wicked_t)
+')
+
+optional_policy(`
+	rpm_exec(wicked_t)
+	rpm_read_db(wicked_t)
+	rpm_dontaudit_manage_db(wicked_t)
+')
+
+optional_policy(`
+    samba_service_status(wicked_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(wicked_t)
+')
+
+optional_policy(`
+	sysnet_manage_dhcpc_state(wicked_t)
+')
+
+optional_policy(`
+	systemd_write_inhibit_pipes(wicked_t)
+	systemd_read_logind_sessions_files(wicked_t)
+	systemd_dbus_chat_logind(wicked_t)
+	systemd_dbus_chat_hostnamed(wicked_t)
+    systemd_hostnamed_manage_config(wicked_t)
+')
+
+optional_policy(`
+    ssh_basic_client_template(wicked, wicked_t, system_r)
+    term_use_generic_ptys(wicked_ssh_t)
+    modutils_domtrans_kmod(wicked_ssh_t)
+    dbus_connect_system_bus(wicked_ssh_t)
+    dbus_system_bus_client(wicked_ssh_t)
+
+    wicked_dbus_chat(wicked_ssh_t)
+')
+
+optional_policy(`
+	udev_exec(wicked_t)
+	udev_read_db(wicked_t)
+	udev_read_pid_files(wicked_t)
+')
+
+optional_policy(`
+	vpn_domtrans(wicked_t)
+	vpn_kill(wicked_t)
+	vpn_signal(wicked_t)
+	vpn_signull(wicked_t)
+	vpn_relabelfrom_tun_socket(wicked_t)
+')
+
+optional_policy(`
+	openfortivpn_domtrans(wicked_t)
+	openfortivpn_sigkill(wicked_t)
+	openfortivpn_signal(wicked_t)
+	openfortivpn_signull(wicked_t)
+')
+
+optional_policy(`
+	openvswitch_stream_connect(wicked_t)
+')
+
+optional_policy(`
+	virt_dbus_chat(wicked_t)
+')
+
+#tunable_policy(`use_ecryptfs_home_dirs',`
+#fs_manage_ecryptfs_files(wicked_t)
+#')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+#allow wpa_cli_t self:capability { dac_read_search  };
+#allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+#
+#allow wpa_cli_t wicked_t:unix_dgram_socket sendto;
+#
+#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t)
+#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file)
+#
+#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
+#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
+#
+#init_dontaudit_use_fds(wpa_cli_t)
+#init_use_script_ptys(wpa_cli_t)
+#
+#term_dontaudit_use_console(wpa_cli_t)
				`@ -0,0 +1 @@`
				`/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)`