selinux-policy/fix_unconfineduser.patch

Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te
@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all'
     domain_dyntrans(unconfined_t)
 ')
 
+# FIXME this is probably caused by some wierd PAM interaction
+corecmd_entrypoint_all_executables(unconfined_t)
+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
+files_execmod_tmp(unconfined_t)
+
 optional_policy(`
 	gen_require(`
 		type unconfined_t;
@@ -216,6 +221,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+    cron_system_spool_entrypoint(unconfined_t)
+')
+
+optional_policy(`
 	chrome_role_notrans(unconfined_r, unconfined_t)
 
 	tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -250,6 +259,18 @@ optional_policy(`
 	dbus_stub(unconfined_t)
 
 	optional_policy(`
+		accountsd_dbus_chat(unconfined_dbusd_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(unconfined_dbusd_t)
+	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind(unconfined_dbusd_t)
+	')
+
+	optional_policy(`
 		bluetooth_dbus_chat(unconfined_t)
 	')