import RHEL 10 Beta selinux-policy-40.13.9-1.el10

.gitignore

@@ -1,3 +1,2 @@
-SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-552905c.tar.gz
-SOURCES/selinux-policy-contrib-635888d.tar.gz
+container-selinux.tgz
+selinux-policy-6112821.tar.gz

.selinux-policy.metadata

@@ -1,3 +0,0 @@
-e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
-ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
-1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz

booleans-targeted.conf

@@ -22,3 +22,4 @@ unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
+use_virtualbox = true

file_contexts.subs_dist

@@ -1,7 +1,8 @@
-/run /var/run
-/run/lock /var/lock
+/var/run /run
+/var/lock /run/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.early /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /lib /usr/lib
 /lib64 /usr/lib
@@ -12,9 +13,12 @@
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
+/var/named/chroot/var  /var
 /home-inst            /home
 /home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
 /var/usrlocal        /usr/local
+/var/mnt             /mnt
+/bin                 /usr/bin

modules-mls-contrib.conf

@@ -691,6 +691,13 @@ logwatch = module
 # 
 lpd = module
 
+# Layer: services
+# Module: lsm
+# 
+# lsm policy
+#
+lsm = module
+
 # Layer: services
 # Module: mailman
 #

modules-targeted-base.conf

@@ -391,10 +391,3 @@ udev = module
 # The unconfined domain.
 # 
 unconfined = module
-
-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module

modules-targeted-contrib.conf

@@ -292,13 +292,6 @@ cfengine = module
 # 
 cgroup = module
 
-# Layer: contrib
-# Module: cgdcbxd
-#
-# cgdcbxd policy
-#
-cgdcbxd = module
-
 # Layer: apps
 # Module: chrome
 #
@@ -349,13 +342,6 @@ cmirrord = module
 # 
 cobbler = module
 
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-# 
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -720,6 +706,13 @@ git = module
 # 
 glance = module
 
+# Layer: contrib
+# Module: glusterd
+#  
+#  policy for glusterd service
+#
+glusterd =  module
+
 # Layer: apps
 # Module: gnome
 #
@@ -2005,7 +1998,7 @@ timidity = off
 tmpreaper = module
 
 # Layer: contrib
-# Module: tomcat
+# Module: glusterd
 #  
 #  policy for tomcat service
 #
@@ -2657,9 +2650,135 @@ rrdcached = module
 #
 stratisd = module
 
+# Layer: contrib
+# Module: ica
+#
+# ica
+#
+ica = module
+
+# Layer: contrib
+# Module: fedoratp
+#
+# fedoratp
+#
+fedoratp = module
+
 # Layer: contrib
 # Module: insights_client
 #
 # insights_client
 #
 insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
+
+# Layer: contrib
+# Module: mptcpd
+#
+# mptcpd
+#
+mptcpd = module
+
+# Layer: contrib
+# Module: rshim
+#
+# rshim
+#
+rshim = module
+
+# Layer: contrib
+# Module: keyutils
+#
+# keyutils
+#
+keyutils = module
+
+# Layer: contrib
+# Module: cifsutils
+#
+#  cifsutils - Utilities for managing CIFS mounts
+#
+cifsutils = module
+
+# Layer: contrib
+# Module: boothd
+#
+#  boothd - Booth cluster ticket manager
+#
+boothd = module
+
+# Layer: contrib
+# Module: kafs
+#
+#  kafs - Tools for kAFS
+#
+kafs = module
+
+# Layer: contrib
+# Module: bootupd
+#
+#  bootupd - bootloader update daemon
+#
+bootupd = module
+
+# Layer: contrib
+# Module: fdo
+#
+#  fdo - fido device onboard protocol for IoT devices
+#
+fdo = module
+
+# Layer: contrib
+# Module: qatlib
+#
+#  qatlib - Intel QuickAssist technology library and resources management
+#
+qatlib = module
+
+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
+
+# Layer: contrib
+# Module: nvme_stas
+#
+# nvme_stas
+#
+nvme_stas = module
+
+# Layer: contrib
+# Module: coreos_installer
+#
+# coreos_installer
+#
+coreos_installer = module
+
+# Layer: contrib
+# Module: afterburn
+#
+# afterburn
+#
+afterburn = module

rpm.macros

@@ -32,7 +32,6 @@
 # %selinux_requires
 %selinux_requires \
 Requires: selinux-policy >= %{_selinux_policy_version} \
-BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
@@ -48,48 +47,62 @@ Requires(post): policycoreutils-python \
 
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
+  %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
   %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}
 
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
     %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
     %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
   fi \
 fi \
 %{nil}
 
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
-_policytype=%{-s*} \
-if [ -z "${_policytype}" ]; then \
-  _policytype="targeted" \
-fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+if %{_sbindir}/selinuxenabled; then \
+  if [ -e /etc/selinux/config ]; then \
+    . /etc/selinux/config \
+  fi \
+  _policytype=%{-s*} \
+  if [ -z "${_policytype}" ]; then \
+    _policytype="targeted" \
+  fi \
+  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+  fi \
 fi \
 %{nil}
 
 
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -104,7 +117,9 @@ fi \
 
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
 %selinux_set_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -143,7 +158,9 @@ fi \
 
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \

selinux-check-proper-disable.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target

sources

@@ -0,0 +1,2 @@
+SHA512 (container-selinux.tgz) = 482e9d3a48c09c679539d2f9039a647d69ee1c9dd4dbef26a25d3dd350137cfe51ac8695685ae0078bc75c38d41a2e4a2554064a9111083f07ffe32aa3044d9e
+SHA512 (selinux-policy-6112821.tar.gz) = 209217ec7e38a8d5fc43dc708e30cc88fe3c7fd4d3f6101784ca99f953bc001663165b4156695edbd491dca1aeaefe0317dcf59e059bce10e2ed4639391c34e0

users-minimum

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-mls

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)

users-targeted

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)

varrun-convert.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Look for working files and log in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+  exit
+fi
+
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_var_run_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+