selinux-policy/fix_init.patch

Index: fedora-policy-20220624/policy/modules/system/init.te
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/init.te
+++ fedora-policy-20220624/policy/modules/system/init.te
@@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r
 # setuid (from /sbin/shutdown)
 # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
 
+# bsc#1197610, find a better, generic solution
+allow init_t self:file mounton;
 allow init_t self:fifo_file rw_fifo_file_perms;
 
 allow init_t self:service manage_service_perms;
@@ -267,6 +269,8 @@ corecmd_exec_bin(init_t)
 corenet_all_recvfrom_netlabel(init_t)
 corenet_tcp_bind_all_ports(init_t)
 corenet_udp_bind_all_ports(init_t)
+corenet_udp_bind_generic_node(init_t)
+corenet_tcp_bind_generic_node(init_t)
 
 dev_create_all_files(init_t)
 dev_create_all_chr_files(init_t)
@@ -396,6 +400,7 @@ logging_manage_audit_config(init_t)
 logging_create_syslog_netlink_audit_socket(init_t)
 logging_write_var_log_dirs(init_t)
 logging_manage_var_log_symlinks(init_t)
+logging_dgram_accept(init_t)
 
 seutil_read_config(init_t)
 seutil_read_login_config(init_t)
@@ -448,9 +453,19 @@ ifdef(`distro_redhat',`
 corecmd_shell_domtrans(init_t, initrc_t)
 
 storage_raw_rw_fixed_disk(init_t)
+storage_raw_read_removable_device(init_t)
 
 sysnet_read_dhcpc_state(init_t)
 
+# bsc#1197610, find a better, generic solution
+optional_policy(`
+    mta_getattr_spool(init_t)
+')
+
+optional_policy(`
+    networkmanager_initrc_read_lnk_files(init_t)
+')
+
 optional_policy(`
 	anaconda_stream_connect(init_t)
 	anaconda_create_unix_stream_sockets(init_t)
@@ -580,10 +595,10 @@ tunable_policy(`init_audit_control',`
 allow init_t self:system all_system_perms;
 allow init_t self:system module_load;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
 allow init_t self:process { getcap setcap };
 allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow init_t self:netlink_selinux_socket create_socket_perms;
 allow init_t self:unix_dgram_socket lock;
 # Until systemd is fixed
@@ -642,6 +657,7 @@ files_delete_all_spool_sockets(init_t)
 files_create_var_lib_dirs(init_t)
 files_create_var_lib_symlinks(init_t)
 files_read_var_lib_symlinks(init_t)
+files_read_var_files(init_t)
 files_manage_urandom_seed(init_t)
 files_list_locks(init_t)
 files_list_spool(init_t)
@@ -679,7 +695,7 @@ fs_list_all(init_t)
 fs_list_auto_mountpoints(init_t)
 fs_register_binary_executable_type(init_t)
 fs_relabel_tmpfs_sock_file(init_t)
-fs_rw_tmpfs_files(init_t)	
+fs_rw_tmpfs_files(init_t)
 fs_relabel_cgroup_dirs(init_t)
 fs_search_cgroup_dirs(init_t)
 # for network namespaces
@@ -735,6 +751,7 @@ systemd_write_inherited_logind_sessions_
 create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 
 create_dirs_pattern(init_t, var_log_t, var_log_t)
+files_manage_var_files(init_t)
 
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
@@ -1589,6 +1606,8 @@ optional_policy(`
 
 optional_policy(`
 	postfix_list_spool(initrc_t)
+	#allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
+	postfix_domtrans_map(init_t)
 ')
 
 optional_policy(`