import CS selinux-policy-40.13.26-1.el10

import RHEL 10 Beta selinux-policy-40.13.9-1.el10
2025-03-27 13:21:23 +00:00 · 2024-11-20 13:49:47 +00:00
35 changed files with 1790 additions and 21772 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,2 @@
-SOURCES/container-selinux.tgz
+container-selinux.tgz
-SOURCES/selinux-policy-552905c.tar.gz
+selinux-policy-061ed78.tar.gz
 SOURCES/selinux-policy-contrib-635888d.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +0,0 @@
 e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
 ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
 1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz
--- a/SOURCES/Makefile.devel
+++ b/SOURCES/Makefile.devel
--- a/SOURCES/booleans-minimum.conf
+++ b/SOURCES/booleans-minimum.conf
@ -1,248 +0,0 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 allow_execstack = true
 # Allow ftpd to read cifs directories.
 # 
 allow_ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
 allow_ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 allow_gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
 allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
 allow_httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
 allow_kerberos = true
 # Allow rsync to modify public filesused for public file transfer services.
 # 
 allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
 allow_saslauthd_read_shadow = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
 allow_smbd_anon_write = false
 # Allow system to run with NIS
 # 
 allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
 allow_zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
 fcron_crond = false
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
 #
 # allow httpd to send dbus messages to avahi
 httpd_dbus_avahi = true
 #
 # allow httpd to network relay
 httpd_can_network_relay = false
 # Allow httpd to use built in scripting (usually php)
 # 
 httpd_builtin_scripting = true
 # Allow http daemon to tcp connect
 # 
 httpd_can_network_connect = false
 # Allow httpd cgi support
 # 
 httpd_enable_cgi = true
 # Allow httpd to act as a FTP server bylistening on the ftp port.
 # 
 httpd_enable_ftp_server = false
 # Allow httpd to read home directories
 # 
 httpd_enable_homedirs = false
 # Run SSI execs in system CGI script domain.
 # 
 httpd_ssi_exec = false
 # Allow http daemon to communicate with the TTY
 # 
 httpd_tty_comm = false
 # Run CGI in the main httpd domain
 # 
 httpd_unified = false
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
 # Allow nfs to be exported read/write.
 # 
 nfs_export_all_rw = true
 # Allow nfs to be exported read only
 # 
 nfs_export_all_ro = true
 # Allow pppd to load kernel modules for certain modems
 # 
 pppd_can_insmod = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
 squid_connect_any = false
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
 # Support SAMBA home directories
 # 
 use_samba_home_dirs = false
 # Control users use of ping and traceroute
 # 
 user_ping = false
 # allow host key based authentication
 # 
 allow_ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
 # 
 read_untrusted_content = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow regular users direct mouse access
 # 
 user_direct_mouse = false
 # Allow users to read system messages.
 # 
 user_dmesg = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = false
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow w to display everyone
 # 
 user_ttyfile_stat = false
 # Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
 # 
 write_untrusted_content = false
 # Allow all domains to talk to ttys
 # 
 allow_daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
 allow_polyinstantiation = false
 # Allow all domains to dump core
 # 
 allow_daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
 # Allow samba to export user home directories.
 # 
 samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 allow_guest_exec_content = false
 allow_xguest_exec_content = false
 # Only allow browser to use the web
 # 
 browser_confine_xguest=false
 # Allow postfix locat to write to mail spool
 # 
 allow_postfix_local_write_mail_spool=false
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
 qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
 allow_nsplugin_execmem=true
 # Allow unconfined domain to transition to confined domain
 # 
 allow_unconfined_nsplugin_transition=true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
--- a/SOURCES/booleans-mls.conf
+++ b/SOURCES/booleans-mls.conf
@ -1,6 +0,0 @@
 kerberos_enabled = true
 mount_anyfile = true
 polyinstantiation_enabled = true
 ftpd_is_daemon = true
 selinuxuser_ping = true
 xserver_object_manager = true
--- a/SOURCES/booleans-targeted.conf
+++ b/SOURCES/booleans-targeted.conf
@ -1,24 +0,0 @@
 gssd_read_tmp = true
 httpd_builtin_scripting = true
 httpd_enable_cgi = true
 kerberos_enabled = true
 mount_anyfile = true
 nfs_export_all_ro = true
 nfs_export_all_rw = true
 nscd_use_shm = true
 openvpn_enable_homedirs = true
 postfix_local_write_mail_spool=true
 pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
 selinuxuser_execmod = true
 selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
 squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
 unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
--- a/SOURCES/booleans.subs_dist
+++ b/SOURCES/booleans.subs_dist
@ -1,54 +0,0 @@
 allow_auditadm_exec_content auditadm_exec_content
 allow_console_login login_console_enabled
 allow_cvs_read_shadow cvs_read_shadow
 allow_daemons_dump_core daemons_dump_core
 allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
 allow_daemons_use_tty daemons_use_tty
 allow_domain_fd_use domain_fd_use
 allow_execheap selinuxuser_execheap
 allow_execmod selinuxuser_execmod
 allow_execstack selinuxuser_execstack
 allow_ftpd_anon_write ftpd_anon_write
 allow_ftpd_full_access ftpd_full_access
 allow_ftpd_use_cifs ftpd_use_cifs
 allow_ftpd_use_nfs ftpd_use_nfs
 allow_gssd_read_tmp gssd_read_tmp
 allow_guest_exec_content guest_exec_content
 allow_httpd_anon_write httpd_anon_write
 allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
 allow_httpd_mod_auth_pam httpd_mod_auth_pam
 allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
 allow_kerberos kerberos_enabled
 allow_mplayer_execstack mplayer_execstack
 allow_mount_anyfile mount_anyfile
 allow_nfsd_anon_write nfsd_anon_write
 allow_polyinstantiation polyinstantiation_enabled
 allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
 allow_rsync_anon_write rsync_anon_write
 allow_saslauthd_read_shadow saslauthd_read_shadow
 allow_secadm_exec_content secadm_exec_content
 allow_smbd_anon_write smbd_anon_write
 allow_ssh_keysign ssh_keysign
 allow_staff_exec_content staff_exec_content
 allow_sysadm_exec_content sysadm_exec_content
 allow_user_exec_content user_exec_content
 allow_user_mysql_connect selinuxuser_mysql_connect_enabled
 allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
 allow_write_xshm xserver_clients_write_xshm
 allow_xguest_exec_content xguest_exec_content
 allow_xserver_execmem xserver_execmem
 allow_ypbind nis_enabled
 allow_zebra_write_config zebra_write_config
 user_direct_dri selinuxuser_direct_dri_enabled
 user_ping selinuxuser_ping
 user_share_music selinuxuser_share_music
 user_tcp_server selinuxuser_tcp_server
 sepgsql_enable_pitr_implementation postgresql_can_rsync
 sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
 sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
 sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
 clamd_use_jit antivirus_use_jit
 amavis_use_jit antivirus_use_jit
 logwatch_can_sendmail logwatch_can_network_connect_mail
 puppet_manage_all_files puppetagent_manage_all_files
 virt_sandbox_use_nfs virt_use_nfs
--- a/SOURCES/customizable_types
+++ b/SOURCES/customizable_types
@ -1,14 +0,0 @@
 container_file_t
 sandbox_file_t
 svirt_image_t
 svirt_home_t
 svirt_sandbox_file_t
 virt_content_t
 httpd_user_htaccess_t
 httpd_user_script_exec_t
 httpd_user_rw_content_t
 httpd_user_ra_content_t
 httpd_user_content_t
 git_session_content_t
 home_bin_t
 user_tty_device_t
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@ -1,20 +0,0 @@
 /run /var/run
 /run/lock /var/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /lib /usr/lib
 /lib64 /usr/lib
 /usr/lib64 /usr/lib
 /usr/local/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
 /etc/systemd/system /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
 /home-inst            /home
 /home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
 /var/usrlocal        /usr/local
--- a/SOURCES/modules-mls-base.conf
+++ b/SOURCES/modules-mls-base.conf
@ -1,380 +0,0 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 # 
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 # 
 corecommands = base
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unlabelednet
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
--- a/SOURCES/modules-mls-contrib.conf
+++ b/SOURCES/modules-mls-contrib.conf
--- a/SOURCES/modules-targeted-base.conf
+++ b/SOURCES/modules-targeted-base.conf
@ -1,400 +0,0 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 #
 corecommands = base
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 #
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unconfined
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unconfineduser
 #
 # The unconfined user domain.
 # 
 unconfineduser = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
 # Layer: system
 # Module: unconfined
 #
 # The unconfined domain.
 # 
 unconfined = module
 # Layer: system
 # Module: kdbus
 #
 # Policy for kdbus.
 #
 kdbus = module
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
--- a/SOURCES/permissivedomains.cil
+++ b/SOURCES/permissivedomains.cil
@ -1,2 +0,0 @@
 (roleattributeset cil_gen_require system_r)
--- a/SOURCES/securetty_types-minimum
+++ b/SOURCES/securetty_types-minimum
@ -1,4 +0,0 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/SOURCES/securetty_types-mls
+++ b/SOURCES/securetty_types-mls
@ -1,6 +0,0 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
 auditadm_tty_device_t
 secureadm_tty_device_t
--- a/SOURCES/securetty_types-targeted
+++ b/SOURCES/securetty_types-targeted
@ -1,4 +0,0 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/SOURCES/setrans-minimum.conf
+++ b/SOURCES/setrans-minimum.conf
@ -1,19 +0,0 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/SOURCES/setrans-mls.conf
+++ b/SOURCES/setrans-mls.conf
@ -1,52 +0,0 @@
 #
 # Multi-Level Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be labeled with one of 16 levels and be categorized with 0-1023 
 # categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Users can modify this table to translate the MLS labels for different purpose.
 #
 # Assumptions: using below MLS labels.
 #  SystemLow
 #  SystemHigh
 #  Unclassified 
 #  Secret with compartments A and B.
 # 
 # SystemLow and SystemHigh
 s0=SystemLow
 s15:c0.c1023=SystemHigh
 s0-s15:c0.c1023=SystemLow-SystemHigh
 # Unclassified level
 s1=Unclassified
 # Secret level with compartments
 s2=Secret
 s2:c0=A
 s2:c1=B
 # ranges for Unclassified
 s0-s1=SystemLow-Unclassified
 s1-s2=Unclassified-Secret
 s1-s15:c0.c1023=Unclassified-SystemHigh
 # ranges for Secret with compartments
 s0-s2=SystemLow-Secret
 s0-s2:c0=SystemLow-Secret:A
 s0-s2:c1=SystemLow-Secret:B
 s0-s2:c0,c1=SystemLow-Secret:AB
 s1-s2:c0=Unclassified-Secret:A
 s1-s2:c1=Unclassified-Secret:B
 s1-s2:c0,c1=Unclassified-Secret:AB
 s2-s2:c0=Secret-Secret:A
 s2-s2:c1=Secret-Secret:B
 s2-s2:c0,c1=Secret-Secret:AB
 s2-s15:c0.c1023=Secret-SystemHigh
 s2:c0-s2:c0,c1=Secret:A-Secret:AB
 s2:c0-s15:c0.c1023=Secret:A-SystemHigh
 s2:c1-s2:c0,c1=Secret:B-Secret:AB
 s2:c1-s15:c0.c1023=Secret:B-SystemHigh
 s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
--- a/SOURCES/setrans-targeted.conf
+++ b/SOURCES/setrans-targeted.conf
@ -1,19 +0,0 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/SOURCES/users-minimum
+++ b/SOURCES/users-minimum
@ -1,38 +0,0 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/SOURCES/users-mls
+++ b/SOURCES/users-mls
@ -1,38 +0,0 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/SOURCES/users-targeted
+++ b/SOURCES/users-targeted
@ -1,38 +0,0 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
--- a/SOURCES/macro-expander
+++ b/SOURCES/macro-expander
--- a/modules-filtered.lst
+++ b/modules-filtered.lst
@ -0,0 +1,67 @@
 aiccu
 amtu
 antivirus
 apcupsd
 arpwatch
 asterisk
 awstats
 bcfg2
 bitlbee
 boinc
 brctl
 cobbler
 collectd
 conman
 cpufreqselector
 cvs
 ddclient
 dnssec
 drbd
 entropyd
 exim
 fail2ban
 gdomap
 hddtemp
 ktls
 l2tp
 linuxptp
 lircd
 livecd
 lttng-tools
 mailman
 man2html
 milter
 minidlna
 mock
 mongodb
 mplayer
 munin
 nagios
 nsd
 nslcd
 ntp
 nut
 openct
 openfortivpn
 openvpn
 pdns
 pingd
 postgrey
 prelude
 privoxy
 prosody
 puppet
 pwauth
 rhev
 rkhunter
 rlogin
 rshd
 smokeping
 tcpd
 tcsd
 tlp
 tor
 vnstatd
 vpn
 zabbix
 zebra
--- a/modules-minimum.lst
+++ b/modules-minimum.lst
@ -0,0 +1,50 @@
 apache
 application
 auditadm
 authlogin
 base
 bootloader
 clock
 dbus
 dmesg
 fstools
 getty
 hostname
 inetd
 init
 ipsec
 iptables
 kerberos
 libraries
 locallogin
 logadm
 logging
 lvm
 miscfiles
 modutils
 mount
 mta
 netlabel
 netutils
 nis
 postgresql
 secadm
 selinuxutil
 setrans
 seunshare
 ssh
 staff
 su
 sudo
 sysadm
 sysadm_secadm
 sysnetwork
 systemd
 udev
 unconfined
 unconfineduser
 unlabelednet
 unprivuser
 userdomain
 usermanage
 xserver
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@ -29,90 +29,107 @@
 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
-# %selinux_requires
+# %selinux_requires_min - minimal required set of packages for deploying a policy module
-%selinux_requires \
+%selinux_requires_min \
 Requires: selinux-policy >= %{_selinux_policy_version} \
 BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
 Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
-%if 0%{?fedora} || 0%{?rhel} > 7\
+%{nil}
 # %selinux_requires
 %selinux_requires \
 %selinux_requires_min \
 Requires(post): policycoreutils-python-utils \
 %else \
 Requires(post): policycoreutils-python \
 %endif \
 %{nil}
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
 fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
+  rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
  selinuxenabled && load_policy || : \
  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
 fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+    rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
    selinuxenabled && load_policy || : \
    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
  fi \
 fi \
 %{nil}
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
+if selinuxenabled; then \
-_policytype=%{-s*} \
+  if [ -e /etc/selinux/config ]; then \
-if [ -z "${_policytype}" ]; then \
+    . /etc/selinux/config \
  fi \
  _policytype=%{-s*} \
  if [ -z "${_policytype}" ]; then \
    _policytype="targeted" \
-fi \
+  fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
  fi \
 fi \
 %{nil}
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
 fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+     fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
     rm -f %{_file_context_file_pre} \
   fi \
 fi \
 %{nil}
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
 # Requires policycoreutils-python-utils (or policycoreutils-python)
 %selinux_set_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
 fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
-  LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+  LOCAL_MODIFICATIONS=$(semanage boolean -E) \
  if [ ! -f %_file_custom_defined_booleans ]; then \
-      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+      echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
  fi \
  semanage_import='' \
  for boolean in %*; do \
@ -123,27 +140,30 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
          semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
          boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
          if [ -n "$boolean_customized_string" ]; then \
-              /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+              echo $boolean_customized_string >> %_file_custom_defined_booleans \
          else \
-              /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+              echo $boolean_local_string >> %_file_custom_defined_booleans \
          fi \
      else \
          semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
-          boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+          boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
-          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+          echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
      fi \
  done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
  fi \
 fi \
 %{nil}
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
 # Requires policycoreutils-python-utils (or policycoreutils-python)
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
 fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
@ -160,10 +180,10 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
          fi \
      fi \
  done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
  fi \
 fi \
 %{nil}
--- a/selinux-check-proper-disable.service
+++ b/selinux-check-proper-disable.service
@ -0,0 +1,15 @@
 [Unit]
 Description=Check that SELinux is not disabled the unsafe way
 ConditionKernelCommandLine=!selinux=0
 After=sysinit.target
 [Service]
 Type=oneshot
 EnvironmentFile=/etc/selinux/config
 ExecCondition=test "$SELINUX" = disabled
 ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
 StandardOutput=journal+console
 SyslogLevel=warning
 [Install]
 WantedBy=multi-user.target
--- a/selinux-policy-mls.conf
+++ b/selinux-policy-mls.conf
@ -0,0 +1 @@
 selinux-policy-mls
--- a/selinux-policy-targeted.conf
+++ b/selinux-policy-targeted.conf
@ -0,0 +1 @@
 selinux-policy-targeted
--- a/SOURCES/selinux-policy.conf
+++ b/SOURCES/selinux-policy.conf
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
--- a/2
+++ b/2
@ -0,0 +1,2 @@
 SHA512 (container-selinux.tgz) = 85ca0aa03fe4477351cb530da30e4ceb0990663ad1e3faf4a7d7c3377d7b871a25ba94b8388eb27a0802996a5b001913bbb153d0b0b154d06f24e1f0c5138b50
 SHA512 (selinux-policy-061ed78.tar.gz) = d22ff5253c9c8446cded5dba2f34f421fb9f7d9e3df187afa090a385ae14ffc580b38090da88fa36d6b249a0d9e5abf002c8d9cbe3af9045a174ba213ccdc6d9
--- a/varrun-convert.sh
+++ b/varrun-convert.sh
@ -0,0 +1,95 @@
 #!/usr/bin/bash
 ### varrun-convert.sh
 ### convert legacy filecontext entries containing /var/run to /run
 ### and load an extra selinux module with the new content
 ### the script takes a policy name as an argument
 # Set DEBUG=yes before running the script to get more verbose output
 # on the terminal and to the $LOG file
 if [ "${DEBUG}" = "yes" ]; then
  set -x
 fi
 # Auxiliary and log files will be created in OUTPUTDIR
 OUTPUTDIR="/run/selinux-policy"
 LOG="$OUTPUTDIR/log"
 mkdir -p ${OUTPUTDIR}
 if [ -z ${1} ]; then
  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
  exit
 fi
 SEMODULEOPT="-s ${1}"
 [ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
 # Take current file_contexts and unify whitespace separators
 FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
 FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
 if [ ! -f ${FILE_CONTEXTS} ]; then
  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
  exit
 fi
 if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
  exit
 fi
 EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
 EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
 EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
 # Print only /var/run entries
 grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
 # Unify whitespace separators
 sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
 sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
 # Deduplicate already existing /var/run=/run entries
 while read line
 do
  subline="${line#/var}"
  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
    echo "$line"
  fi
 done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
 # Change /var/run to /run
 sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
 # Exception handling: packages with already duplicate entries
 sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
 sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
 sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
 # Change format to cil
 sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
 sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
 # Handle entries with <<none>> which do not match previous regexps
 sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
 # Wrap each line with an optional block
 i=1
 while read line
 do
  echo "(optional extra_var_run_${i}"
  echo "  $line"
  echo ")"
  ((i++))
 done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
 # Load module
 [ -s ${EXTRA_VARRUN_CIL} ] &&
 /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
Author	SHA1	Message	Date
eabdullin	3bbebedf98	import CS selinux-policy-40.13.26-1.el10	2025-03-27 13:21:23 +00:00
eabdullin	a987ac34c6	import RHEL 10 Beta selinux-policy-40.13.9-1.el10	2024-11-20 13:49:47 +00:00
		`@ -1,2 +0,0 @@`
			`(roleattributeset cil_gen_require system_r)`
		`@ -0,0 +1,2 @@`
							`SHA512 (container-selinux.tgz) = 85ca0aa03fe4477351cb530da30e4ceb0990663ad1e3faf4a7d7c3377d7b871a25ba94b8388eb27a0802996a5b001913bbb153d0b0b154d06f24e1f0c5138b50`
							`SHA512 (selinux-policy-061ed78.tar.gz) = d22ff5253c9c8446cded5dba2f34f421fb9f7d9e3df187afa090a385ae14ffc580b38090da88fa36d6b249a0d9e5abf002c8d9cbe3af9045a174ba213ccdc6d9`