Update to handle labeling on /sys using systemd-tmpfiles, also support default_range transition rules

default_trans.patch

@@ -8,38 +8,3 @@ diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
  #
  # Define sensitivities 
  #
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 26c13f2..2354089 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
- # /sys
- #
- /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
- 
- /usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
- /usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 112bebb..8f727be 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -226,8 +226,8 @@ fs_type(sysfs_t)
- genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
- 
- type cpu_online_t;
--allow cpu_online_t sysfs_t:filesystem associate;
--genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
- 
- #
- # Type for /dev/tpm
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)

selinux-policy.conf

@@ -0,0 +1,2 @@
+z /sys/devices/system/cpu/online - - -
+Z /sys/class/net - - -

selinux-policy.spec

@@ -10,10 +10,9 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 26
+%define POLICYVER 27
-%define libsepolver 2.0.44-2
+%define POLICYCOREUTILSVER 2.1.9-4
-%define POLICYCOREUTILSVER 2.0.86-12
+%define CHECKPOLICYVER 2.1.7-2
-%define CHECKPOLICYVER 2.1.5-2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
@@ -23,8 +22,6 @@ Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
-patch2: thumb.patch
-patch3: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -44,6 +41,7 @@ Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
+Source27: selinux-policy.conf
 
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -74,6 +72,7 @@ SELinux Base package
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
 
 %package doc
 Summary: SELinux policy documentation
@@ -239,8 +238,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1 -b .unconfined
-%patch2 -p1 -b .thumb
-#%patch3 -p1 -b .trans
 
 %install
 mkdir selinux_config
@@ -256,6 +253,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
+cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
 
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/