import CS selinux-policy-42.1.18-4.el10

.gitignore

@@ -1,2 +1,2 @@
 container-selinux.tgz
-selinux-policy-061ed78.tar.gz
+selinux-policy-9e50303.tar.gz

binsbin-convert.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/bash
+### binsbin-convert.sh
+### convert legacy filecontext entries containing /usr/sbin to /usr/bin
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/binsbin-log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+if ! grep -q ^/usr/sbin ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /usr/sbin" >> $LOG
+  exit
+fi
+
+EXTRA_BINSBIN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_binsbin_entries_dup.txt"
+EXTRA_BINSBIN_ENTRIES="$OUTPUTDIR/extra_binsbin_entries.txt"
+EXTRA_BINSBIN_CIL="$OUTPUTDIR/extra_binsbin.cil"
+
+# Print only /usr/sbin entries
+grep ^/usr/sbin ${FILE_CONTEXTS} > ${EXTRA_BINSBIN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_BINSBIN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /usr/bin=/usr/sbin entries
+while read line
+do
+  subline="/usr/bin/${line#/usr/sbin/}"
+  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+    echo "$line"
+  fi
+done < ${EXTRA_BINSBIN_ENTRIES_WITHDUP} > ${EXTRA_BINSBIN_ENTRIES}
+
+# Change /usr/sbin to /usr/bin
+sed -i 's|^/usr/sbin|/usr/bin|' ${EXTRA_BINSBIN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_BINSBIN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_BINSBIN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_binsbin_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_BINSBIN_ENTRIES} > ${EXTRA_BINSBIN_CIL}
+
+# Load module
+[ -s ${EXTRA_BINSBIN_CIL} ] &&
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_BINSBIN_CIL}
+

modules-automotive.lst

@@ -0,0 +1,74 @@
+anaconda
+apache
+application
+auditadm
+authlogin
+base
+bluetooth
+bootloader
+chronyd
+clock
+cpucontrol
+daemontools
+dbus
+dhcp
+dmesg
+fstools
+fwupd
+games
+getty
+gnome
+gpg
+hostname
+init
+ipsec
+iptables
+journalctl
+kerberos
+ldap
+libraries
+loadkeys
+locallogin
+logadm
+logging
+lpd
+lvm
+mandb
+miscfiles
+modutils
+mount
+mta
+namespace
+netlabel
+netutils
+networkmanager
+nis
+oddjob
+pesign
+postgresql
+rdisc
+rpc
+rpm
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+sssd
+stalld
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+userdomain
+userhelper
+usermanage
+virt
+vlock
+xserver

modules-dropped.lst

@@ -0,0 +1,4 @@
+mailman
+mongodb
+ntp
+prelude

modules-extra.lst

@@ -1,5 +1,3 @@
-aiccu
-amtu
 antivirus
 apcupsd
 arpwatch
@@ -22,32 +20,26 @@ exim
 fail2ban
 gdomap
 hddtemp
-ktls
 l2tp
-linuxptp
 lircd
 livecd
 lttng-tools
-mailman
 man2html
 milter
 minidlna
 mock
-mongodb
 mplayer
 munin
 nagios
 nsd
 nslcd
-ntp
 nut
-openct
 openfortivpn
 openvpn
 pdns
 pingd
 postgrey
-prelude
+powerprofiles
 privoxy
 prosody
 puppet
@@ -57,6 +49,7 @@ rkhunter
 rlogin
 rshd
 smokeping
+systemd-homed
 tcpd
 tcsd
 tlp

process-modules-filtered.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+"""read modules-filtered.lst and update modules.conf
+
+Usage:
+  # enable only modules listed in the modules-filtered.lst file
+  ./process-modules-filtered.py ../../modules-filtered.lst dist/targeted/modules.conf enabled > policy/modules.conf
+
+  # disable modules listed in the modules-filtered.lst file
+  ./process-modules-filtered.py ../../modules-filtered.lst dist/targeted/modules.conf disabled > policy/modules.conf
+
+"""
+
+import sys
+
+modules = []
+for line in open(sys.argv[1]):
+    if line[0] != "#":
+        modules.append(line.strip())
+
+
+for line in open(sys.argv[2]):
+    if len(line) == 1 or line[0] == "#":
+        print(line, end='')
+        continue
+
+    (name, sep, state) = line.partition(" = ")
+
+    if state.rstrip() == "base":
+        print(line, end='')
+        continue
+
+    if not name in modules and sys.argv[3] == "enabled":
+        print(name, " = off", sep='')
+        continue
+
+    if name in modules and sys.argv[3] == "disabled":
+        print(name, " = off", sep='')
+        continue
+
+    print(line, end='')

rpm.macros

@@ -18,7 +18,10 @@
 
 # RPM macros for packages installing SELinux modules
 
+# Latest version of selinux-policy
 %_selinux_policy_version SELINUXPOLICYVERSION
+# Updated after major policy changes
+%_selinux_policy_stable_version SELINUXPOLICYSTABLE
 
 %_selinux_store_path SELINUXSTOREPATH
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
@@ -31,11 +34,12 @@
 
 # %selinux_requires_min - minimal required set of packages for deploying a policy module
 %selinux_requires_min \
-Requires: selinux-policy >= %{_selinux_policy_version} \
+Requires: selinux-policy >= %{_selinux_policy_stable_version} \
+Recommends: selinux-policy >= %{_selinux_policy_version} \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
-Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
+Requires(post): selinux-policy-base >= %{_selinux_policy_stable_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
 %{nil}

sources

@@ -1,2 +1,2 @@
-SHA512 (container-selinux.tgz) = 85ca0aa03fe4477351cb530da30e4ceb0990663ad1e3faf4a7d7c3377d7b871a25ba94b8388eb27a0802996a5b001913bbb153d0b0b154d06f24e1f0c5138b50
-SHA512 (selinux-policy-061ed78.tar.gz) = d22ff5253c9c8446cded5dba2f34f421fb9f7d9e3df187afa090a385ae14ffc580b38090da88fa36d6b249a0d9e5abf002c8d9cbe3af9045a174ba213ccdc6d9
+SHA512 (container-selinux.tgz) = c3955d9c761ac5368bfa4ec1439d6952a82ae27a9a26157d8bdd20316a2b0e89ec7e3f6e1e156183def4df4cafc8f90378335ed1c296f516e241855d52554ec5
+SHA512 (selinux-policy-9e50303.tar.gz) = 4adc6bea2d3365d6280c6d7d7437b3064ece4142a3b0c9540265a03a75a95a74b3e33cd6f9e52d3fe444086792e3256918124ce1aa69ec66dd8050b86669cb14