.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,3 +1,4 @@
-SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-aadacd8.tar.gz
-SOURCES/selinux-policy-fa87f85.tar.gz
+/selinux-policy-*.tar.gz
+/container-selinux.tgz
+/macro-expander
+*.rpm

.selinux-policy.metadata

@@ -1,3 +0,0 @@
-34a078fbec0190b407d64c1664aaa0887204ba2e SOURCES/container-selinux.tgz
-470eeffd45f8dd003edb6ddbff4104e573b6c08d SOURCES/selinux-policy-contrib-aadacd8.tar.gz
-91c17cd38073aba5562898449fe3b4f2bbffac8e SOURCES/selinux-policy-fa87f85.tar.gz

COPYING

@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

README.md

@@ -0,0 +1,49 @@
+## Purpose
+
+SELinux Fedora Policy is a fork of the [SELinux reference policy](https://github.com/SELinuxProject/refpolicy/). The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.
+
+## Structure
+
+### GitHub
+On GitHub, we have one repository containing the policy sources.
+
+    $ cd selinux-policy
+    $ git remote -v
+    origin	git@github.com:fedora-selinux/selinux-policy.git (fetch)
+
+    $ git branch -r
+    origin/HEAD -> origin/master
+    origin/f27
+    origin/f28
+    origin/master
+    origin/rawhide
+
+Note: As opposed to dist-git, the Rawhide content resides in the _rawhide_ branch rather than _master_.
+
+### dist-git
+Package sources in dist-git are composed from the _selinux-policy_ repository snapshot tarball, _container-selinux_ policy files snapshot, the _macro-expander_ script snapshot, and from other config files.
+
+## Build process
+
+1. Clone the [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository.
+
+        $ cd ~/devel/github
+        $ git clone git@github.com:fedora-selinux/selinux-policy.git
+        $ cd selinux-policy
+
+2. Create, backport, or cherry-pick needed changes to a particular branch and push them.
+
+3. Clone the **selinux-policy** dist-git repository.
+
+        $ cd ~/devel/dist-git
+        $ fedpkg clone selinux-policy
+        $ cd selinux-policy
+
+4. Download the latest snapshot from the selinux-policy GitHub repository.
+
+        $ ./make-rhat-patches.sh
+
+5. Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.
+6. Build the package.
+
+        $ fedpkg build

SOURCES/booleans-minimum.conf

@@ -1,248 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-allow_execstack = true
-
-# Allow ftpd to read cifs directories.
-# 
-allow_ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-allow_ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-allow_gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-allow_httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-allow_zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-allow_ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-# 
-allow_daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-allow_polyinstantiation = false
-
-# Allow all domains to dump core
-# 
-allow_daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-allow_xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-# 
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-# 
-allow_postfix_local_write_mail_spool=false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-# 
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-allow_unconfined_nsplugin_transition=true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-allow_mount_anyfile = true

SOURCES/booleans-mls.conf

@@ -1,6 +0,0 @@
-kerberos_enabled = true
-mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true

SOURCES/booleans-targeted.conf

@@ -1,24 +0,0 @@
-gssd_read_tmp = true
-httpd_builtin_scripting = true
-httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
-nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
-pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true

SOURCES/booleans.subs_dist

@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs

SOURCES/customizable_types

@@ -1,14 +0,0 @@
-container_file_t
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_sandbox_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t

SOURCES/file_contexts.subs_dist

@@ -1,20 +0,0 @@
-/run /var/run
-/run/lock /var/lock
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.late /usr/lib/systemd/system
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/named/chroot/usr/lib64 /usr/lib
-/var/named/chroot/lib64 /usr/lib
-/home-inst            /home
-/home/home-inst            /home
-/var/roothome        /root
-/sbin                /usr/sbin
-/sysroot/tmp         /tmp
-/var/usrlocal        /usr/local

SOURCES/macro-expander

@@ -1,81 +0,0 @@
-#!/bin/bash
-
-function usage {
-    echo "Usage: $0 [ -c | -t [ -M ] ] <macro>"
-    echo "Options:
-  -c     generate CIL output
-  -t     generate standard policy source format (.te) allow rules - this is default
-  -M     generate complete module .te output
-"
-}
-
-function cleanup {
-    rm -rf $TEMP_STORE
-}
-
-while getopts "chMt" opt; do
-    case $opt in
-        c) GENCIL=1
-           ;;
-        t) GENTE=1
-           ;;
-        M) GENTEMODULE=1
-           ;;
-        h) usage
-           exit 0
-           ;;
-        \?) usage
-           exit 1
-           ;;
-    esac
-done
-
-shift $((OPTIND-1))
-
-SELINUX_MACRO=$1
-
-if [ -z "$SELINUX_MACRO" ]
-then
-    exit 1
-fi
-
-TEMP_STORE="$(mktemp -d)"
-cd $TEMP_STORE || exit 1
-
-IFS="("
-set $1
-SELINUX_DOMAIN="${2::-1}"
-
-echo -e "policy_module(expander, 1.0.0) \n" \
-     "gen_require(\`\n" \
-     "type $SELINUX_DOMAIN ; \n" \
-     "')" > expander.te
-
-echo "$SELINUX_MACRO" >> expander.te
-
-make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
-
-if [ "x$GENCIL" = "x1" ]; then
-
-    make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
-    MAKE_RESULT=$?
-
-    if [ $MAKE_RESULT -ne 2 ]
-    then
-        /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
-        grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
-    fi
-fi
-
-if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
-    m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
-    if [ "x$GENTEMODULE" = "x1" ]; then
-       #    sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
-        sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
-    else
-        grep  '^\s*allow' expander.tmp | sed 's/^\s*//'
-    fi
-fi
-
-cd - > /dev/null || exit 1
-cleanup

SOURCES/modules-mls-base.conf

@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module

SOURCES/modules-targeted-base.conf

@@ -1,400 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module

SOURCES/securetty_types-minimum

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

SOURCES/securetty_types-mls

@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t

SOURCES/securetty_types-targeted

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

SOURCES/setrans-minimum.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

SOURCES/setrans-mls.conf

@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-#  SystemLow
-#  SystemHigh
-#  Unclassified 
-#  Secret with compartments A and B.
-# 
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

SOURCES/setrans-targeted.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

SOURCES/users-minimum

@@ -1,38 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-mls

@@ -1,38 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-targeted

@@ -1,38 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

changelog

@@ -0,0 +1,624 @@
+* Mon Apr 28 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.30-1
+- Allow auditctl signal auditd
+Resolves: RHEL-87418
+- Update bootupd policy for the removing-state-file test
+Resolves: RHEL-87372
+- Allow systemd-user-runtime-dir get/set tmpfs quotas
+Resolves: RHEL-86789
+- Allow systemd-user-runtime-dir delete gnome homedir content
+Resolves: RHEL-86789
+- Confine /usr/lib/systemd/systemd-user-runtime-dir
+Resolves: RHEL-86789
+- Allow system-dbusd list systemd-machined directories
+Resolves: RHEL-86528
+- Allow NetworkManager create and use icmp_socket
+Resolves: RHEL-86258
+- Allow tuned-ppd dbus chat with xdm
+Resolves: RHEL-85849
+- Allow virt_domain write to virt_image_t files
+Resolves: RHEL-85319
+- Allow rhsmcertd connect to systemd-machined
+Resolves: RHEL-83925
+- Allow varnishd execute the prlimit64() syscall
+Resolves: RHEL-77779
+- Allow systemd-machined the kill user-namespace capability
+Resolves: RHEL-77087
+- Allow system_dbusd_t r/w unix stream sockets of unconfined_service_t
+Resolves: RHEL-62185
+- Allow tlshd read network sysctls
+Resolves: RHEL-74424
+
+* Tue Apr 15 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.29-1
+- Revert "Dontaudit access of virt-related permissive domains"
+Resolves: RHEL-79833
+- Remove permissive domains
+Resolves: RHEL-82672
+
+* Tue Apr 08 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.28-1
+- Change path of tuned and tuned-ppd to /usr/sbin
+Resolves: RHEL-69450
+- Update the pcmsensor policy
+Resolves: RHEL-80452
+- Allow dovecot-deliver read mail aliases
+Resolves: RHEL-80153
+- Allow boothd connect to systemd-machined over a unix socket
+Resolves: RHEL-75471
+- Allow chronyd-restricted sendto to chronyc
+Resolves: RHEL-82299
+- Allow chronyc sendto to chronyd-restricted
+Resolves: RHEL-82299
+- Allow cifs.idmap helper to set attributes on kernel keys
+Resolves: RHEL-83921
+- Remove ktls from modules-filtered.lst
+Resolves: RHEL-74424
+
+* Mon Mar 31 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.27-1
+- Allow afterburn to mount and read config drives
+Resolves: RHEL-82120
+- Update afterburn file transition policy
+Resolves: RHEL-82120
+- Label /run/metadata with afterburn_runtime_t
+Resolves: RHEL-82120
+- Allow afterburn list ssh home directory
+Resolves: RHEL-82120
+- Confine tuned-ppd
+Resolves: RHEL-69450
+- Update ktls policy
+Resolves: RHEL-74424
+- Add the switcheroo module
+Resolves: RHEL-83267
+- Update switcheroo policy
+Resolves: RHEL-83267
+- Confine the switcheroo-control service
+Resolves: RHEL-83267
+
+* Mon Feb 17 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.26-1
+- Rename winbind_rpcd_* types to samba_dcerpcd_*
+Resolves: RHEL-14759
+- Allow samba-dcerpcd work with ctdb cluster
+Resolves: RHEL-14759
+- Revert "Remove socket from unconfined_domain_type allow rule"
+Resolves: RHEL-77327
+- Dontaudit access of virt-related permissive domains
+Resolves: RHEL-77808
+- Add selinux_requires_min macro
+Resolves: RHEL-54715
+- Filter out EPEL related modules
+Resolves: RHEL-73505
+
+* Thu Feb 06 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.25-1
+- Update ktlshd policy to read /proc/keys and domain keyrings
+Resolves: RHEL-42672
+- Allow pcmsensor read nmi_watchdog state information
+Resolves: RHEL-52838
+- Support peer-to-peer migration of vms using ssh
+Resolves: RHEL-77351
+- Allow virt_domain read hardware state information unconditionally
+Resolves: RHEL-71270
+- Allow timemaster write to sysfs files
+Resolves: RHEL-44637
+- Allow virtqemud map svirt_image_t plain files
+Resolves: RHEL-40080
+- Allow virtqemud unmount a filesystem with extended attributes
+Resolves: RHEL-40080
+- Allow virtqemud work with nvdimm devices
+Resolves: RHEL-71656
+- Update virtqemud policy regarding the svirt_tcg_t domain
+Resolves: RHEL-71270
+- Allow virtqemud use hostdev usb devices conditionally
+Resolves: RHEL-74230
+- Support saving and restoring a VM to/from a block device
+Resolves: RHEL-76138
+- Allow virtnwfilterd dbus chat with firewalld
+Resolves: RHEL-76138
+- Allow virt_domain to use pulseaudio - conditional
+Resolves: RHEL-62763
+- Allow virtstoraged write to sysfs files
+Resolves: RHEL-44637
+- Allow irqbalance to run unconfined scripts conditionally
+Resolves: RHEL-54019
+- Allow rhsmcertd notify virt-who
+Resolves: RHEL-77114
+- Allow init mounton crypto sysctl files
+Resolves: RHEL-56250
+
+* Mon Jan 27 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.24-1
+- Allow systemd-generator connect to syslog over a unix datagram socket
+Resolves: RHEL-75879
+- Allow ssh_t to change role to system_r
+Resolves: RHEL-53972
+- Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type
+Resolves: RHEL-39893
+- Allow virtqemud manage fixed disk device nodes
+Resolves: RHEL-71656
+- Allow samba-bgqd connect to cupsd over an unix domain stream socket
+Resolves: RHEL-72861
+- Allow systemd-machined read the vsock device
+Resolves: RHEL-74280
+- Allow pcmsensor write nmi_watchdog state information
+Resolves: RHEL-52838
+- Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t
+Resolves: RHEL-52838
+
+* Fri Jan 24 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.23-2
+- Rebuild other packages with with selinux-policy-40.13.23
+Resolves: RHEL-36741
+
+* Thu Jan 23 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.23-1
+- Remove the lockdown class from the policy
+Resolves: RHEL-36741
+- Remove socket from unconfined_domain_type allow rule
+Resolves: RHEL-36741
+- Include key_socket in socket_class_set
+Resolves: RHEL-36741
+
+* Thu Jan 16 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.22-1
+- Allow staff user dbus chat with virt-dbus
+Resolves: RHEL-73914
+- Allow virtqemud domain transition to nbdkit
+Resolves: RHEL-69118
+- Add nbdkit interfaces defined conditionally
+Resolves: RHEL-69118
+- Allow svirt_t read sysfs files
+Resolves: RHEL-71270
+- Label /dev/pmem[0-9]+ with fixed_disk_device_t
+Resolves: RHEL-71656
+- Add support for the KVM guest memfd anon inodes
+Resolves: RHEL-69128
+- Allow sysadm user dbus chat with virt-dbus
+Resolves: RHEL-73914
+- Allow initrc_t transition to passwd_t
+Resolves: RHEL-71665
+- Allow unconfined_service_t transition to passwd_t
+Resolves: RHEL-71665
+
+* Wed Jan 08 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.21-1
+- Allow init create vsock socket for sshd
+Resolves: RHEL-72549
+- Support ssh connections via systemd-ssh-generator
+Resolves: RHEL-72549
+- Allow ssh generator work with systemd unit files
+Resolves: RHEL-72549
+- Confine systemd system-ssh-generator
+Resolves: RHEL-72549
+- Allow login_userdomain getattr nsfs files
+Resolves: RHEL-72549
+- Allow virtqemud send a generic signal to the ssh client domain
+Resolves: RHEL-53972
+- Add the auth_dontaudit_read_passwd_file() interface
+Resolves: RHEL-71490
+- Dontaudit request-key read /etc/passwd
+Resolves: RHEL-71490
+
+* Fri Jan 03 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.20-1
+- Allow virtqemud domain transition on numad execution
+Resolves: RHEL-65789
+- Support virt live migration using ssh
+Resolves: RHEL-53972
+- Allow ssh_t read systemd config files
+Resolves: RHEL-53972
+- Allow virtqemud permissions needed for live migration
+Resolves: RHEL-43217
+- Allow virtqemud the getpgid process permission
+Resolves: RHEL-46357
+- Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
+Resolves: RHEL-71068
+- Allow virtqemud relabelfrom virt_log_t files
+Resolves: RHEL-48236
+- Allow virtqemud relabel tun_socket
+Resolves: RHEL-71394
+- Allow gnome-remote-desktop dbus chat with policykit
+Resolves: RHEL-35877
+- Update ktlsh policy
+Resolves: RHEL-42672
+- Confine the ktls service
+Resolves: RHEL-42672
+- Allow request-key to read /etc/passwd
+Resolves: RHEL-71490
+- Allow request-key to manage all domains' keys
+Resolves: RHEL-71490
+
+* Fri Dec 20 2024 Petr Lautrbach <lautrbach@redhat.com> - 40.13.19-2
+- Rebuild with SELinux Userspace 3.8
+
+* Wed Dec 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.19-1
+- Allow systemd-journald getattr nsfs files
+Resolves: RHEL-71803
+- Allow systemd-related domains getattr nsfs files
+Resolves: RHEL-71803
+
+* Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.18-1
+- Sync dist/targeted/modules.conf with Fedora 42
+Resolves: RHEL-70850
+- Add support for sap
+Resolves: RHEL-70850
+- Allow sssd_selinux_manager_t the setcap process permission
+Resolves: RHEL-70822
+- Allow virtqemud open svirt_devpts_t char files
+Resolves: RHEL-43446
+- Fix the cups_read_pid_files() interface to use read_files_pattern
+Resolves: RHEL-69512
+
+* Thu Dec 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.17-1
+- Update samba-bgqd policy
+Resolves: RHEL-69512
+- Allow samba-bgqd read cups config files
+Resolves: RHEL-69512
+- Allow virtqemud additional permissions for tmpfs_t blk devices
+Resolves: RHEL-61235
+- Allow virtqemud rw access to svirt_image_t chr files
+Resolves: RHEL-61235
+- Allow virtqemud rw and setattr access to fixed block devices
+Resolves: RHEL-61235
+- Label /etc/mdevctl.d/scripts.d with bin_t
+Resolves: RHEL-39893
+- Fix the /etc/mdevctl\.d(/.*)? regexp
+Resolves: RHEL-39893
+- Allow virtnodedev watch mdevctl config dirs
+Resolves: RHEL-39893
+- Make mdevctl_conf_t member of the file_type attribute
+Resolves: RHEL-39893
+- Label /etc/mdevctl.d with mdevctl_conf_t
+Resolves: RHEL-39893
+- Allow virtqemud relabelfrom virt_log_t files
+Resolves: RHEL-48236
+- Allow virtqemud_t relabel virtqemud_var_run_t sock_files
+Resolves: RHEL-48236
+- Allow virtqemud relabelfrom virtqemud_var_run_t dirs
+Resolves: RHEL-48236
+- Allow svirt_tcg_t read virtqemud_t fifo_files
+Resolves: RHEL-48236
+- Allow virtqemud rw and setattr access to sev devices
+Resolves: RHEL-69128
+- Allow virtqemud directly read and write to a fixed disk
+Resolves: RHEL-61235
+- Allow svirt_t the sys_rawio capability
+Resolves: RHEL-61235
+- Allow svirt_t the sys_rawio capability
+Resolves: RHEL-61235
+- Allow virtqemud connect to sanlock over a unix stream socket
+Resolves: RHEL-44352
+- allow gdm and iiosensorproxy talk to each other via D-bus
+Resolves: RHEL-70850
+- Allow sendmail to map mail server configuration files
+Related: RHEL-54014
+- Allow procmail to read mail aliases
+Resolves: RHEL-54014
+- Grant rhsmcertd chown capability & userdb access
+Resolves: RHEL-68481
+
+* Fri Nov 29 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.16-1
+- Fix the file type for /run/systemd/generator
+Resolves: RHEL-68313
+
+* Thu Nov 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.15-1
+- Allow qatlib search the content of the kernel debugging filesystem
+Resolves: RHEL-66334
+- Allow qatlib connect to systemd-machined over a unix socket
+Resolves: RHEL-66334
+- Update policy for samba-bgqd
+Resolves: RHEL-64908
+- Allow httpd get attributes of dirsrv unit files
+Resolves: RHEL-62706
+- Allow virtstoraged read vm sysctls
+Resolves: RHEL-61742
+- Allow virtstoraged execute mount programs in the mount domain
+Resolves: RHEL-61742
+- Update policy for rpc-virtstorage
+Resolves: RHEL-61742
+- Allow virtstoraged get attributes of configfs dirs
+Resolves: RHEL-61742
+- Allow virt_driver_domain read virtd-lxc files in /proc
+Resolves: RHEL-61742
+- Allow virtstoraged manage files with virt_content_t type
+Resolves: RHEL-61742
+- Allow virtstoraged use the io_uring API
+Resolves: RHEL-61742
+- Allow virtstoraged execute lvm programs in the lvm domain
+Resolves: RHEL-61742
+- Allow svirt_t connect to unconfined_t over a unix domain socket
+Resolves: RHEL-61246
+- Label /usr/lib/node_modules_22/npm/bin with bin_t
+Resolves: RHEL-56350
+- Allow bacula execute container in the container domain
+Resolves: RHEL-39529
+- Label /run/systemd/generator with systemd_unit_file_t
+Resolves: RHEL-68313
+
+* Tue Nov 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.14-1
+- mls/modules.conf - fix typo
+- Use dist/targeted/modules.conf in build workflow
+- Fix default and dist config files
+- CI: update to actions/checkout@v4
+- Clean up and sync securetty_types
+- Bring config files from dist-git into the source repo
+- Sync users with Fedora targeted users
+
+* Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.13-1
+- Revert "Allow unconfined_t execute kmod in the kmod domain"
+Resolves: RHEL-65190
+- Add policy for /usr/libexec/samba/samba-bgqd
+Resolves: RHEL-64908
+- Label samba certificates with samba_cert_t
+Resolves: RHEL-64908
+- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
+Resolves: RHEL-64908
+- Allow rpcd read network sysctls
+Resolves: RHEL-64737
+- Label all semanage store files in /etc as semanage_store_t
+Resolves: RHEL-65864
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 40.13.12-2
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Thu Oct 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.12-1
+- Dontaudit subscription manager setfscreate and read file contexts
+Resolves: RHEL-58009
+- Allow the sysadm user use the secretmem API
+Resolves: RHEL-40953
+- Allow sudodomain list files in /var
+Resolves: RHEL-58068
+- Allow gnome-remote-desktop watch /etc directory
+Resolves: RHEL-35877
+- Allow journalctl connect to systemd-userdbd over a unix socket
+Resolves: RHEL-58072
+- systemd: allow sys_admin capability for systemd_notify_t
+Resolves: RHEL-58072
+- Allow some confined users send to lldpad over a unix dgram socket
+Resolves: RHEL-61634
+- Allow lldpad send to sysadm_t over a unix dgram socket
+Resolves: RHEL-61634
+- Allow lldpd connect to systemd-machined over a unix socket
+Resolves: RHEL-61634
+
+* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.11-1
+- Allow ping_t read network sysctls
+Resolves: RHEL-54299
+- Label /usr/lib/node_modules/npm/bin with bin_t
+Resolves: RHEL-56350
+- Label /run/sssd with sssd_var_run_t
+Resolves: RHEL-57065
+- Allow virtqemud read virtd_t files
+Resolves: RHEL-57713
+- Allow wdmd read hardware state information
+Resolves: RHEL-57982
+- Allow wdmd list the contents of the sysfs directories
+Resolves: RHEL-57982
+- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
+Resolves: RHEL-58380
+- Allow dirsrv read network sysctls
+Resolves: RHEL-58381
+- Allow lldpad create and use netlink_generic_socket
+Resolves: RHEL-61634
+- Allow unconfined_t execute kmod in the kmod domain
+Resolves: RHEL-61755
+- Confine the pcm service
+Resolves: RHEL-52838
+- Allow iio-sensor-proxy the bpf capability
+Resolves: RHEL-62355
+- Confine iio-sensor-proxy
+Resolves: RHEL-62355
+
+* Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.10-1
+- Confine gnome-remote-desktop
+Resolves: RHEL-35877
+- Allow virtqemud get attributes of a tmpfs filesystem
+Resolves: RHEL-40855
+- Allow virtqemud get attributes of cifs files
+Resolves: RHEL-40855
+- Allow virtqemud get attributes of filesystems with extended attributes
+Resolves: RHEL-39668
+- Allow virtqemud get attributes of NFS filesystems
+Resolves: RHEL-40855
+- Add support for secretmem anon inode
+Resolves: RHEL-40953
+- Allow systemd-sleep read raw disk data
+Resolves: RHEL-49600
+- Allow systemd-hwdb send messages to kernel unix datagram sockets
+Resolves: RHEL-50810
+- Label /run/modprobe.d with modules_conf_t
+Resolves: RHEL-54591
+- Allow setsebool_t relabel selinux data files
+Resolves: RHEL-55412
+- Don't audit crontab_domain write attempts to user home
+Resolves: RHEL-56349
+- Differentiate between staff and sysadm when executing crontab with sudo
+Resolves: RHEL-56349
+- Add crontab_admin_domtrans interface
+Resolves: RHEL-56349
+- Add crontab_domtrans interface
+Resolves: RHEL-56349
+- Allow boothd connect to kernel over a unix socket
+Resolves: RHEL-58060
+- Fix label of pseudoterminals created from sudodomain
+Resolves: RHEL-58068
+- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
+Resolves: RHEL-58072
+- Allow rsyslog read systemd-logind session files
+Resolves: RHEL-40961
+- Label /dev/mmcblk0rpmb character device with removable_device_t
+Resolves: RHEL-55265
+- Label /dev/hfi1_[0-9]+ devices
+Resolves: RHEL-62836
+- Label /dev/papr-sysparm and /dev/papr-vpd
+Resolves: RHEL-56908
+- Support SGX devices
+Resolves: RHEL-62354
+- Suppress semodule's stderr
+Resolves: RHEL-59192
+
+* Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1
+- Allow virtqemud relabelfrom also for file and sock_file
+Resolves: RHEL-49763
+- Allow virtqemud relabel user tmp files and socket files
+Resolves: RHEL-49763
+- Update virtqemud policy for libguestfs usage
+Resolves: RHEL-49763
+- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
+Resolves: RHEL-47274
+
+* Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1
+- Add virt_create_log() and virt_write_log() interfaces
+Resolves: RHEL-47274
+- Update libvirt policy
+Resolves: RHEL-45464
+Resolves: RHEL-49763
+- Allow svirt_tcg_t map svirt_image_t files
+Resolves: RHEL-47274
+- Allow svirt_tcg_t read vm sysctls
+Resolves: RHEL-47274
+- Additional updates stalld policy for bpf usage
+Resolves: RHEL-50356
+
+* Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1
+- Add the swtpm.if interface file for interactions with other domains
+Resolves: RHEL-47274
+- Allow virtproxyd create and use its private tmp files
+Resolves: RHEL-40499
+- Allow virtproxyd read network state
+Resolves: RHEL-40499
+- Allow virtqemud domain transition on swtpm execution
+Resolves: RHEL-47274
+Resolves: RHEL-49763
+- Allow virtqemud relabel virt_var_run_t directories
+Resolves: RHEL-47274
+Resolves: RHEL-45464
+Resolves: RHEL-49763
+- Allow virtqemud domain transition on passt execution
+Resolves: RHEL-45464
+- Allow virt_driver_domain create and use log files in /var/log
+Resolves: RHEL-40239
+- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
+Resolves: RHEL-44932
+Resolves: RHEL-44898
+- Update stalld policy for bpf usage
+Resolves: RHEL-50356
+- Allow boothd connect to systemd-userdbd over a unix socket
+Resolves: RHEL-45907
+- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+Resolves: RHEL-46011
+- Allow systemd-machined manage runtime sockets
+Resolves: RHEL-49567
+- Allow ip command write to ipsec's logs
+Resolves: RHEL-41222
+- Allow init_t nnp domain transition to firewalld_t
+Resolves: RHEL-52481
+- Update qatlib policy for v24.02 with new features
+Resolves: RHEL-50377
+- Allow postfix_domain map postfix_etc_t files
+Resolves: RHEL-46327
+
+* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1
+- Allow virtnodedevd run udev with a domain transition
+Resolves: RHEL-39890
+- Allow virtnodedev_t create and use virtnodedev_lock_t
+Resolves: RHEL-39890
+- Allow svirt attach_queue to a virtqemud tun_socket
+Resolves: RHEL-44312
+- Label /run/systemd/machine with systemd_machined_var_run_t
+Resolves: RHEL-49567
+- Allow to create and delete socket files created by rhsm.service
+
+* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1
+- Allow to create and delete socket files created by rhsm.service
+Resolves: RHEL-40857
+- Allow svirt read virtqemud fifo files
+Resolves: RHEL-40350
+- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
+Resolves: RHEL-37822
+- Allow virtqemud read virt-dbus process state
+Resolves: RHEL-37822
+- Allow virtqemud run ssh client with a transition
+Resolves: RHEL-43215
+- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
+Resolves: RHEL-41168
+- Allow NetworkManager the sys_ptrace capability in user namespace
+Resolves: RHEL-46717
+- Update keyutils policy
+Resolves: RHEL-38920
+- Allow ip the setexec permission
+Resolves: RHEL-41182
+
+* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1
+- Confine libvirt-dbus
+Resolves: RHEL-37822
+- Allow sssd create and use io_uring
+Resolves: RHEL-43448
+- Allow virtqemud the kill capability in user namespace
+Resolves: RHEL-44996
+- Allow login_userdomain execute systemd-tmpfiles in the caller domain
+Resolves: RHEL-44191
+- Allow virtqemud read vm sysctls
+Resolves: RHEL-40938
+- Allow svirt_t read vm sysctls
+Resolves: RHEL-40938
+- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
+Resolves: RHEL-40859
+- Allow systemd-hostnamed read the vsock device
+Resolves: RHEL-45309
+- Allow systemd (PID 1) manage systemd conf files
+Resolves: RHEL-45304
+- Allow journald read systemd config files and directories
+Resolves: RHEL-45304
+- Allow systemd_domain read systemd_conf_t dirs
+Resolves: RHEL-45304
+- Label systemd configuration files with systemd_conf_t
+Resolves: RHEL-45304
+- Allow dhcpcd the kill capability
+Resolves: RHEL-43417
+- Add support for libvirt hooks
+Resolves: RHEL-41168
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 40.13.3-2
+- Bump release for June 2024 mass rebuild
+
+* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
+- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
+Resolves: RHEL-40205
+- Allow virt_driver_domain read files labeled unconfined_t
+Resolves: RHEL-40262
+- Allow virt_driver_domain dbus chat with policykit
+Resolves: RHEL-40346
+- Escape "interface" as a file name in a virt filetrans pattern
+Resolves: RHEL-34769
+- Allow setroubleshootd get attributes of all sysctls
+Resolves: RHEL-40923
+- Allow qemu-ga read vm sysctls
+Resolves: RHEL-40829
+- Allow sbd to trace processes in user namespace
+Resolves: RHEL-39989
+- Allow request-key execute scripts
+Resolves: RHEL-38920
+- Update policy for haproxyd
+Resolves: RHEL-40877
+
+* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
+- Allow all domains read and write z90crypt device
+Resolves: RHEL-28539
+- Allow dhcpc read /run/netns files
+Resolves: RHEL-39510
+- Allow bootupd search efivarfs dirs
+Resolves: RHEL-39514
+
+* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.1-1
+- Allow logwatch read logind sessions files
+Resolves: RHEL-30441
+- Allow sulogin relabel tty1
+Resolves: RHEL-30440
+- Dontaudit sulogin the checkpoint_restore capability
+Resolves: RHEL-30440
+- Allow postfix smtpd map aliases file
+Resolves: RHEL-35544
+- Ensure dbus communication is allowed bidirectionally
+Resolves: RHEL-35783
+- Allow various services read and write z90crypt device
+Resolves: RHEL-28539
+- Allow dhcpcd use unix_stream_socket
+Resolves: RHEL-33081
+- Allow xdm_t to watch and watch_reads mount_var_run_t
+Resolves: RHEL-36073
+- Allow plymouthd log during shutdown
+Resolves: RHEL-30455
+- Update rpm configuration for the /var/run equivalency change
+Resolves: RHEL-36094

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

ifndefy.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+
+# About:
+# When provided with an interface file, this script outputs a new interface
+# file, where all original interfaces are enclosed in an ifndef statement
+# dependent on their name. All indentation inside the interface file should
+# be converted to tabs before running this script.
+# 
+# Known issues:
+# - interface already enclosed in an ifndef statement is not ignored
+# - "`"  and "'" inside comments are not ignored
+# - \t is always used for indentation - may result in mixture of spaces and tabs
+
+import sys
+import os
+import re
+
+if len(sys.argv) < 1:
+    print(("Usage: {} <policy>.if > <output>.if").format(sys.argv[0]), file=sys.stderr)
+    exit(os.EX_USAGE)
+
+# ending index of interface
+end = 0
+with open(sys.argv[1], 'r') as f:
+    interfaces = f.read()
+    file_len = len(interfaces)
+
+    while end < file_len:
+        start = interfaces.find("interface(`", end)
+        if start < 0:
+            #no more interfaces
+            print(interfaces[end:], end ="")
+            break
+        name_end = interfaces.find("'", start+11)
+        name = interfaces[start+11:name_end]
+
+        # locate the end of the interface - i.e. ending apostrophe
+        reg = re.compile(r"[`']")
+        # skip the ' after interface name
+        i = name_end+1
+        # counter for the depth (` opens a new block, while ' closes it)
+        graves = 0
+        while i < file_len:
+            match = reg.search(interfaces, i)
+            if not match:
+                print("Malformed interface: {}".format(name), file=sys.stderr)
+                exit(1)
+
+            i = match.end()
+            if match.group(0) == '`':
+                graves += 1
+            else:
+                graves -= 1
+                if graves == 0:
+                    break
+
+        # keep everything between the end of previous interface and start of a new one
+        print(interfaces[end:start], end ="")
+        # interface ends in "')" -- add 1 for the edning bracket
+        end = i+1
+        # print the whole interface enclosed in "ifndef"
+        print("ifndef(`{}',`".format(name))
+        print('\n'.join([('\t' + x) if x else x for x in interfaces[start:end].split('\n')]))
+        print("')", end ="")

make-rhat-patches.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/bash
+
+DISTGIT_PATH=$(pwd)
+
+RHEL_VERSION=c10s
+#DOCKER_FEDORA_VERSION=master
+DISTGIT_BRANCH=c10s
+SELINUX_POLICY_EPEL_BRANCH=epel10
+REPO_SELINUX_POLICY=${REPO_SELINUX_POLICY:-https://github.com/fedora-selinux/selinux-policy}
+REPO_SELINUX_POLICY_BRANCH=${REPO_SELINUX_POLICY_BRANCH:-$RHEL_VERSION}
+REPO_CONTAINER_SELINUX=${REPO_CONTAINER_SELINUX:-https://github.com/containers/container-selinux}
+REPO_MACRO_EXPANDER=${REPO_MACRO_EXPANDER:-https://github.com/fedora-selinux/macro-expander.git}
+REPO_SELINUX_POLICY_EPEL=${REPO_SELINUX_POLICY_EPEL:-https://src.fedoraproject.org/rpms/selinux-policy-epel}
+
+# When -l is specified, we use locally created tarballs and don't download them from github
+DOWNLOAD_DEFAULT_GITHUB_TARBALLS=1
+if [ "$1" == "-l" ]; then
+    DOWNLOAD_DEFAULT_GITHUB_TARBALLS=0
+fi
+
+git checkout $DISTGIT_BRANCH -q
+
+POLICYSOURCES=`mktemp -d --tmpdir policysources.XXXXXX`
+pushd $POLICYSOURCES > /dev/null
+
+git clone --depth=1 -q $REPO_SELINUX_POLICY selinux-policy \
+    -b $REPO_SELINUX_POLICY_BRANCH
+git clone --depth=1 -q $REPO_CONTAINER_SELINUX container-selinux
+git clone --depth=1 -q $REPO_MACRO_EXPANDER macro-expander
+git clone --depth=1 -q $REPO_SELINUX_POLICY_EPEL selinux-policy-epel \
+    -b $SELINUX_POLICY_EPEL_BRANCH
+
+pushd selinux-policy > /dev/null
+# prepare policy patches against upstream commits matching the last upstream merge
+BASE_HEAD_ID=$(git rev-parse HEAD)
+BASE_SHORT_HEAD_ID=$(c=${BASE_HEAD_ID}; echo ${c:0:7})
+git archive --prefix=selinux-policy-$BASE_HEAD_ID/ --format tgz HEAD > $DISTGIT_PATH/selinux-policy-$BASE_SHORT_HEAD_ID.tar.gz
+LATEST_TAG=$(git describe --tags --abbrev=0 | cut -c 2-)
+popd > /dev/null
+
+pushd container-selinux > /dev/null
+# Actual container-selinux files are in master branch
+#git checkout -b ${DOCKER_FEDORA_VERSION} -t origin/${DOCKER_FEDORA_VERSION} -q
+tar -czf container-selinux.tgz container.if container.te container.fc
+popd > /dev/null
+
+pushd $DISTGIT_PATH > /dev/null
+if [ $DOWNLOAD_DEFAULT_GITHUB_TARBALLS == 1 ]; then
+    wget -O selinux-policy-${BASE_SHORT_HEAD_ID}.tar.gz https://github.com/fedora-selinux/selinux-policy/archive/${BASE_HEAD_ID}.tar.gz &> /dev/null
+fi
+cp $POLICYSOURCES/container-selinux/container-selinux.tgz .
+cp $POLICYSOURCES/macro-expander/macro-expander.sh ./macro-expander
+chmod +x ./macro-expander
+popd > /dev/null
+
+pushd selinux-policy-epel > /dev/null
+if ! grep -q -E "%global commit $BASE_HEAD_ID" selinux-policy-epel.spec; then
+    if [ -n "$LATEST_TAG" ]; then
+        LATEST_EPEL_VERSION=$(rpmspec -q --queryformat='%{version}' --srpm selinux-policy-epel.spec)
+        if [ "$LATEST_TAG" != "LATEST_EPEL_VERSION" ]; then
+            rpmdev-bumpspec -n $LATEST_TAG -c "Update to $LATEST_TAG" selinux-policy-epel.spec
+        fi
+    fi
+    sed -i "s/%global commit [^ ]*$/%global commit $BASE_HEAD_ID/" selinux-policy-epel.spec
+    git --no-pager diff --patch-with-raw --output=$DISTGIT_PATH/selinux-policy-epel-$BASE_SHORT_HEAD_ID.patch
+
+    echo "WARNING: selinux-policy-epel needs to be updated to use ${BASE_HEAD_ID}:"
+    echo ""
+    echo "    cd <selinux-policy-epel directory>"
+    echo "    fedpkg switch-branch epel10"
+    echo "    fedpkg new-sources $DISTGIT_PATH/selinux-policy-$BASE_SHORT_HEAD_ID.tar.gz $DISTGIT_PATH/container-selinux.tgz"
+    echo "    git apply $DISTGIT_PATH/selinux-policy-epel-$BASE_SHORT_HEAD_ID.patch"
+fi
+popd > /dev/null
+
+popd > /dev/null
+rm -rf $POLICYSOURCES
+
+# Update commit id in selinux-policy.spec file
+sed -i "s/%global commit [^ ]*$/%global commit $BASE_HEAD_ID/" selinux-policy.spec
+
+# Update sources
+sha512sum --tag selinux-policy-${BASE_SHORT_HEAD_ID}.tar.gz container-selinux.tgz macro-expander > sources
+
+echo -e "\nSELinux policy tarball and container-selinux.tgz with container policy files have been created."
+echo "Commit id of selinux-policy in spec file was changed to ${BASE_HEAD_ID}"

modules-filtered.lst

@@ -0,0 +1,66 @@
+aiccu
+amtu
+antivirus
+apcupsd
+arpwatch
+asterisk
+awstats
+bcfg2
+bitlbee
+boinc
+brctl
+cobbler
+collectd
+conman
+cpufreqselector
+cvs
+ddclient
+dnssec
+drbd
+entropyd
+exim
+fail2ban
+gdomap
+hddtemp
+l2tp
+linuxptp
+lircd
+livecd
+lttng-tools
+mailman
+man2html
+milter
+minidlna
+mock
+mongodb
+mplayer
+munin
+nagios
+nsd
+nslcd
+ntp
+nut
+openct
+openfortivpn
+openvpn
+pdns
+pingd
+postgrey
+prelude
+privoxy
+prosody
+puppet
+pwauth
+rhev
+rkhunter
+rlogin
+rshd
+smokeping
+tcpd
+tcsd
+tlp
+tor
+vnstatd
+vpn
+zabbix
+zebra

modules-minimum.lst

@@ -0,0 +1,50 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver

plans/tests.fmf

@@ -0,0 +1,23 @@
+execute:
+    how: tmt
+
+/tier1-filtered:
+    discover:
+      - how: fmf
+        url: https://src.fedoraproject.org/tests/selinux.git
+        filter: "tier:1 & tag:-failinfedora & tag:-epel"
+
+/component-filtered:
+    discover:
+      - how: fmf
+        url: https://src.fedoraproject.org/tests/selinux.git
+        filter: "component:selinux-policy & tag:-failinfedora & tag:-epel"
+
+/selinux-policy-epel:
+    discover:
+      name: tests related to selinux-policy-epel
+      how: shell
+      tests:
+        - name: check selinux-policy-epel version
+          require: [git,rpm-build]
+          test: ./tests/check-selinux-policy-epel-version.sh

rpm.macros

@@ -29,90 +29,107 @@
 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
 
-# %selinux_requires
-%selinux_requires \
+# %selinux_requires_min - minimal required set of packages for deploying a policy module
+%selinux_requires_min \
 Requires: selinux-policy >= %{_selinux_policy_version} \
-BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
 Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
-%if 0%{?fedora} || 0%{?rhel} > 7\
+%{nil}
+
+# %selinux_requires
+%selinux_requires \
+%selinux_requires_min \
 Requires(post): policycoreutils-python-utils \
-%else \
-Requires(post): policycoreutils-python \
-%endif \
 %{nil}
 
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+  semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+  selinuxenabled && load_policy || : \
+  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}
 
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+    semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+    selinuxenabled && load_policy || : \
+    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
   fi \
 fi \
 %{nil}
 
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
-_policytype=%{-s*} \
-if [ -z "${_policytype}" ]; then \
-  _policytype="targeted" \
-fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+if selinuxenabled; then \
+  if [ -e /etc/selinux/config ]; then \
+    . /etc/selinux/config \
+  fi \
+  _policytype=%{-s*} \
+  if [ -z "${_policytype}" ]; then \
+    _policytype="targeted" \
+  fi \
+  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+  fi \
 fi \
 %{nil}
 
 
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+     fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
      rm -f %{_file_context_file_pre} \
    fi \
 fi \
 %{nil}
 
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
+# Requires policycoreutils-python-utils (or policycoreutils-python)
 %selinux_set_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
-  LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+  LOCAL_MODIFICATIONS=$(semanage boolean -E) \
   if [ ! -f %_file_custom_defined_booleans ]; then \
-      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+      echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
   fi \
   semanage_import='' \
   for boolean in %*; do \
@@ -123,27 +140,30 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
           semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
           boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
           if [ -n "$boolean_customized_string" ]; then \
-              /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+              echo $boolean_customized_string >> %_file_custom_defined_booleans \
           else \
-              /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+              echo $boolean_local_string >> %_file_custom_defined_booleans \
           fi \
       else \
           semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
-          boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
-          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+          boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+          echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
       fi \
   done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
   elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
   fi \
 fi \
 %{nil}
 
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
+# Requires policycoreutils-python-utils (or policycoreutils-python)
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -160,10 +180,10 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
           fi \
       fi \
   done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
   elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
   fi \
 fi \
 %{nil}

selinux-check-proper-disable.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target

selinux-policy-mls.conf

@@ -0,0 +1 @@
+selinux-policy-mls

selinux-policy-targeted.conf

@@ -0,0 +1 @@
+selinux-policy-targeted

selinux-policy.spec

@@ -0,0 +1,762 @@
+# Conditionals for policy types (all built by default)
+%bcond targeted 1
+%bcond minimum  1
+%bcond mls      1
+
+# github repo with selinux-policy sources
+%global giturl https://github.com/fedora-selinux/selinux-policy
+%global commit 5e64484ba773c0077ab14ecbb2887947a6f51c13
+%global shortcommit %(c=%{commit}; echo ${c:0:7})
+
+%define distro redhat
+%define polyinstatiate n
+%define monolithic n
+
+%define POLICYVER 34
+%define POLICYCOREUTILSVER 3.8
+%define CHECKPOLICYVER 3.8
+Summary: SELinux policy configuration
+Name: selinux-policy
+Version: 40.13.30
+Release: 1%{?dist}
+License: GPL-2.0-or-later
+Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
+Source1: Makefile.devel
+Source2: selinux-policy.conf
+
+# Tool helps during policy development, to expand system m4 macros to raw allow rules
+# Git repo: https://github.com/fedora-selinux/macro-expander.git
+Source3: macro-expander
+
+# Include SELinux policy for container from separate container-selinux repo
+# Git repo: https://github.com/containers/container-selinux.git
+Source4: container-selinux.tgz
+
+# do not ship these modules
+Source15: modules-filtered.lst
+# modules enabled in -minimum policy
+Source16: modules-minimum.lst
+
+Source36: selinux-check-proper-disable.service
+
+# Script to convert /var/run file context entries to /run
+Source37: varrun-convert.sh
+# Configuration files to dnf-protect targeted and/or mls subpackages
+Source38: selinux-policy-targeted.conf
+Source39: selinux-policy-mls.conf
+
+# Provide rpm macros for packages installing SELinux modules
+Source5: rpm.macros
+
+Url: %{giturl}
+BuildArch: noarch
+BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
+BuildRequires: groff
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(post): /bin/awk /usr/bin/sha512sum
+Requires(meta): (rpm-plugin-selinux if rpm-libs)
+Requires: selinux-policy-any = %{version}-%{release}
+Provides: selinux-policy-base = %{version}-%{release}
+Suggests: selinux-policy-targeted
+
+%description
+SELinux core policy package.
+Originally based off of reference policy,
+the policy has been adjusted to provide support for Fedora.
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%dir %{_datadir}/selinux
+%dir %{_datadir}/selinux/packages
+%dir %{_sysconfdir}/selinux
+%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%ghost %{_sysconfdir}/sysconfig/selinux
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
+%{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service
+%{_libexecdir}/selinux/varrun-convert.sh
+
+%package sandbox
+Summary: SELinux sandbox policy
+Requires(pre): selinux-policy-base = %{version}-%{release}
+Requires(pre): selinux-policy-targeted = %{version}-%{release}
+
+%description sandbox
+SELinux sandbox policy for use with the sandbox utility.
+
+%files sandbox
+%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
+
+%post sandbox
+rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
+%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
+if %{_sbindir}/selinuxenabled ; then
+    %{_sbindir}/load_policy
+fi;
+exit 0
+
+%preun sandbox
+if [ $1 -eq 0 ] ; then
+    %{_sbindir}/semodule -n -d sandbox 2>/dev/null
+    if %{_sbindir}/selinuxenabled ; then
+        %{_sbindir}/load_policy
+    fi;
+fi;
+exit 0
+
+%package devel
+Summary: SELinux policy development files
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
+Requires: /usr/bin/make
+Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
+
+%description devel
+SELinux policy development package.
+This package contains:
+- interfaces, macros, and patterns for policy development
+- a policy example
+- the macro-expander utility
+and some additional files.
+
+%files devel
+%{_bindir}/macro-expander
+%dir %{_datadir}/selinux/devel
+%dir %{_datadir}/selinux/devel/include
+%{_datadir}/selinux/devel/include/*
+%exclude %{_datadir}/selinux/devel/include/contrib/container.if
+%dir %{_datadir}/selinux/devel/html
+%{_datadir}/selinux/devel/html/*html
+%{_datadir}/selinux/devel/html/*css
+%{_datadir}/selinux/devel/Makefile
+%{_datadir}/selinux/devel/example.*
+%{_datadir}/selinux/devel/policy.*
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
+
+%post devel
+%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
+exit 0
+
+%package doc
+Summary: SELinux policy documentation
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+
+%description doc
+SELinux policy documentation package.
+This package contains manual pages and documentation of the policy modules.
+
+%files doc
+%{_mandir}/man*/*
+%exclude %{_mandir}/man8/container_selinux.8.gz
+%doc %{_datadir}/doc/%{name}
+
+%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
+
+%define makeCmds() \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
+install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
+install -p -m0644 ./dist/%1/users ./policy/users \
+
+%define makeModulesConf() \
+install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
+
+%define installCmds() \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+install -p -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -p -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -p -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
+install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
+rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
+%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
+rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
+%nil
+
+%define fileList() \
+%defattr(-,root,root) \
+%dir %{_sysconfdir}/selinux/%1 \
+%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
+%dir %{_sysconfdir}/selinux/%1/logins \
+%dir %{_sharedstatedir}/selinux/%1/active \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
+%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
+%dir %{_sysconfdir}/selinux/%1/policy/ \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
+%{_sysconfdir}/selinux/%1/.policy.sha512 \
+%dir %{_sysconfdir}/selinux/%1/contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
+%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
+%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
+%dir %{_sysconfdir}/selinux/%1/contexts/files \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
+%{_sysconfdir}/selinux/%1/booleans.subs_dist \
+%config %{_sysconfdir}/selinux/%1/contexts/files/media \
+%dir %{_sysconfdir}/selinux/%1/contexts/users \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
+%dir %{_datadir}/selinux/%1 \
+%{_datadir}/selinux/%1/base.lst \
+%{_datadir}/selinux/%1/modules.lst \
+%{_datadir}/selinux/%1/nonbasemodules.lst \
+%dir %{_sharedstatedir}/selinux/%1 \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
+%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \
+%nil
+
+%define relabel() \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
+     rm -f ${FILE_CONTEXT}.pre; \
+fi; \
+# rebuilding the rpm database still can sometimes result in an incorrect context \
+%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
+# In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \
+# Relabel all files under /usr/bin, in case they got installed before policy \
+# was updated and the labels were incorrect. \
+%{_sbindir}/restorecon -R /usr/bin /usr/sbin \
+if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+    continue; \
+fi;
+
+%define preInstall() \
+if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
+     for MOD_NAME in ganesha ipa_custodia kdbus; do \
+        if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
+           %{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \
+        fi; \
+     done; \
+     . %{_sysconfdir}/selinux/config; \
+     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
+        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
+     fi; \
+     touch %{_sysconfdir}/selinux/%1/.rebuild; \
+     if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
+        POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
+        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
+	checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
+	if [ "$sha512" == "$checksha512" ] ; then \
+		rm %{_sysconfdir}/selinux/%1/.rebuild; \
+	fi; \
+   fi; \
+fi;
+
+%define postInstall() \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
+if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
+   rm %{_sysconfdir}/selinux/%2/.rebuild; \
+fi; \
+%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \
+[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
+if [ %1 -eq 1 ]; then \
+   %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
+else \
+%relabel %2 \
+fi;
+
+%define modulesList() \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
+
+%define nonBaseModulesList() \
+modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
+for i in $modules; do \
+    if [ $i != "sandbox" ] && ! grep -E "^$i$" %{SOURCE15}; then \
+        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
+    else \
+        rm -rf %{buildroot}%{_sharedstatedir}/selinux/{targeted,minimum,mls}/active/modules/100/$i \
+    fi \
+done;
+
+# Make sure the config is consistent with what packages are installed in the system
+# this covers cases when system is installed with selinux-policy-{mls,minimal}
+# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
+# been rebooted yet.
+# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
+# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
+# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
+# Steps:
+# * load values from config and its backup
+# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
+# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
+# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
+%define checkConfigConsistency() \
+if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
+    . %{_sysconfdir}/selinux/.config_backup; \
+else \
+    BACKUP_SELINUXTYPE=targeted; \
+fi; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config; \
+    if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
+        if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    elif [ "%1" = "targeted" ]; then \
+        if [ "%1" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
+        if [ "%1" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    fi; \
+fi;
+
+# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
+# of variables inside so that they are easy to use later
+# This should be done in "pretrans" because config content can change during RPM operations
+# The macro has to be used in a script slot with "-p <lua>"
+%define backupConfigLua() \
+local sysconfdir = rpm.expand("%{_sysconfdir}") \
+local config_file = sysconfdir .. "/selinux/config" \
+local config_backup = sysconfdir .. "/selinux/.config_backup" \
+os.remove(config_backup) \
+if posix.stat(config_file) then \
+    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
+    local content = f:read("*all") \
+    f:close() \
+    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
+    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
+    bf:write(backup) \
+    bf:close() \
+end
+
+# Remove the local_varrun SELinux module
+%define removeVarrunModuleLua() \
+if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
+  os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
+end
+
+%build
+
+%prep
+%autosetup -p 1 -n %{name}-%{commit}
+tar -C policy/modules/contrib -xf %{SOURCE4}
+
+%install
+# Build targeted policy
+%{__rm} -fR %{buildroot}
+mkdir -p %{buildroot}%{_sysconfdir}/selinux
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+touch %{buildroot}%{_sysconfdir}/selinux/config
+touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
+install -p -m0644 %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/
+mkdir -p %{buildroot}%{_bindir}
+install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_libexecdir}/selinux
+install -p -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
+
+# Always create policy module package directories
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
+
+mkdir -p %{buildroot}%{_datadir}/selinux/packages
+
+mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/
+
+# Install devel
+make clean
+%if %{with targeted}
+# Build targeted policy
+%makeCmds targeted mcs allow
+%makeModulesConf targeted
+%installCmds targeted mcs allow
+# install permissivedomains.cil
+%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \
+    ./dist/permissivedomains.cil
+# recreate sandbox.pp
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
+%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
+mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
+%modulesList targeted
+%nonBaseModulesList targeted
+install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/
+%endif
+
+%if %{with minimum}
+# Build minimum policy
+%makeCmds minimum mcs allow
+%makeModulesConf targeted
+%installCmds minimum mcs allow
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
+%modulesList minimum
+%nonBaseModulesList minimum
+%endif
+
+%if %{with mls}
+# Build mls policy
+%makeCmds mls mls deny
+%makeModulesConf mls
+%installCmds mls mls deny
+%modulesList mls
+%nonBaseModulesList mls
+install -p -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/
+%endif
+
+# remove leftovers when save-previous=true (semanage.conf) is used
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
+mkdir %{buildroot}%{_datadir}/selinux/devel/
+mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
+install -p -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -p -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
+install -p -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
+%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_mandir}/man8/ -w -r %{buildroot}
+mkdir %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
+
+mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
+install -p -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+
+mkdir -p %{buildroot}%{_unitdir}
+install -p -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
+
+%post
+%systemd_post selinux-check-proper-disable.service
+if [ ! -s %{_sysconfdir}/selinux/config ]; then
+#
+#     New install so we will default to targeted policy
+#
+echo "
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+# See also:
+# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
+#
+# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
+# fully disable SELinux during boot. If you need a system with SELinux
+# fully disabled instead of SELinux running with no policy loaded, you
+# need to pass selinux=0 to the kernel command line. You can use grubby
+# to persistently set the bootloader to boot with selinux=0:
+#
+#    grubby --update-kernel ALL --args selinux=0
+#
+# To revert back to SELinux enabled:
+#
+#    grubby --update-kernel ALL --remove-args selinux
+#
+SELINUX=enforcing
+# SELINUXTYPE= can take one of these three values:
+#     targeted - Targeted processes are protected,
+#     minimum - Modification of targeted policy. Only selected processes are protected.
+#     mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+
+" > %{_sysconfdir}/selinux/config
+
+     ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
+     %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
+else
+     . %{_sysconfdir}/selinux/config
+fi
+exit 0
+
+%preun
+%systemd_preun selinux-check-proper-disable.service
+
+%postun
+%systemd_postun selinux-check-proper-disable.service
+if [ $1 = 0 ]; then
+     %{_sbindir}/setenforce 0 2> /dev/null
+     if [ ! -s %{_sysconfdir}/selinux/config ]; then
+          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+     else
+          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+     fi
+fi
+exit 0
+
+%if %{with targeted}
+%package targeted
+Summary: SELinux targeted policy
+Provides: selinux-policy-any = %{version}-%{release}
+Obsoletes: selinux-policy-targeted-sources < 2
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts:  audispd-plugins <= 1.7.7-1
+Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+Obsoletes: cachefilesd-selinux <= 0.10-1
+Conflicts:  seedit
+Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
+Conflicts: container-selinux < 2:1.12.1-22
+Recommends: (selinux-policy-epel-targeted if epel-release)
+
+%description targeted
+SELinux targeted policy package.
+
+%pretrans targeted -p <lua>
+%backupConfigLua
+%removeVarrunModuleLua targeted
+
+%pre targeted
+%preInstall targeted
+
+%post targeted
+%checkConfigConsistency targeted
+exit 0
+
+%posttrans targeted
+%checkConfigConsistency targeted
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+%postInstall $1 targeted
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm /etc/mdevctl.d
+
+%postun targeted
+if [ $1 = 0 ]; then
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
+    if [ "$SELINUXTYPE" = "targeted" ]; then
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+
+%triggerin -- pcre2
+%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
+exit 0
+
+%triggerprein -p <lua> -- container-selinux
+%removeVarrunModuleLua targeted
+
+%triggerprein -p <lua> -- pcp-selinux
+%removeVarrunModuleLua targeted
+
+%triggerpostun -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostun -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
+%fileList targeted
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
+%endif
+
+%if %{with minimum}
+%package minimum
+Summary: SELinux minimum policy
+Provides: selinux-policy-any = %{version}-%{release}
+Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts:  seedit
+Conflicts: container-selinux <= 1.9.0-9
+
+%description minimum
+SELinux minimum policy package.
+
+%pretrans minimum -p <lua>
+%backupConfigLua
+
+%pre minimum
+%preInstall minimum
+if [ $1 -ne 1 ]; then
+    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
+fi
+
+%post minimum
+%checkConfigConsistency minimum
+modules=`cat %{_datadir}/selinux/minimum/modules.lst`
+basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
+enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
+if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
+    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
+fi
+if [ $1 -eq 1 ]; then
+for p in $modules; do
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
+for p in $basemodules $enabledmodules; do
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
+%{_sbindir}/semanage import -S minimum -f - << __eof
+login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
+login -m  -s unconfined_u -r s0-s0:c0.c1023 root
+__eof
+%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
+%{_sbindir}/semodule -B -s minimum 2> /dev/null
+else
+instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
+for p in $packages; do
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
+for p in $instpackages apache dbus inetd kerberos mta nis; do
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
+%{_sbindir}/semodule -B -s minimum 2> /dev/null
+%relabel minimum
+fi
+exit 0
+
+%posttrans minimum
+%checkConfigConsistency minimum
+%{_libexecdir}/selinux/varrun-convert.sh minimum
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
+
+%postun minimum
+if [ $1 = 0 ]; then
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
+    if [ "$SELINUXTYPE" = "minimum" ]; then
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
+%fileList minimum
+%{_datadir}/selinux/minimum/modules-enabled.lst
+%endif
+
+%if %{with mls}
+%package mls
+Summary: SELinux MLS policy
+Provides: selinux-policy-any = %{version}-%{release}
+Obsoletes: selinux-policy-mls-sources < 2
+Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts:  seedit
+Conflicts: container-selinux <= 1.9.0-9
+
+%description mls
+SELinux MLS (Multi Level Security) policy package.
+
+%pretrans mls -p <lua>
+%backupConfigLua
+
+%pre mls
+%preInstall mls
+
+%post mls
+%checkConfigConsistency mls
+exit 0
+
+%posttrans mls
+%checkConfigConsistency mls
+%{_libexecdir}/selinux/varrun-convert.sh mls
+%postInstall $1 mls
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
+
+%postun mls
+if [ $1 = 0 ]; then
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
+    if [ "$SELINUXTYPE" = "mls" ]; then
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf
+%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
+%fileList mls
+%endif
+
+%changelog
+%autochangelog

sources

@@ -0,0 +1,3 @@
+SHA512 (selinux-policy-5e64484.tar.gz) = 7d78db4c87533fd65bf88324f2d50f2f9f2785d8525e12d47b59e0a7c437128e34b246e26b9b8436ce0d2c859794e8cd6eb75d17f10edd3bd7ab635ba84486ea
+SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
+SHA512 (container-selinux.tgz) = fc05202dc5be8c9099b2893631e988bd5e1f5245ef38ddef482e2fd86283d48f2e306208b475bf90417d9bde4742c363fb3ae54fb0d190fbe21d0369b4225bef

tests/check-selinux-policy-epel-version.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/bash
+
+SELINUX_POLICY_VERSION=$(rpm -q --qf '%{version}' selinux-policy)
+
+TMP_DIR=`mktemp -d --tmpdir selinux-policy-epel.XXXXXX`
+pushd ${TMP_DIR} > /dev/null
+
+git clone --depth=1 -q https://src.fedoraproject.org/rpms/selinux-policy-epel -b epel10
+pushd selinux-policy-epel > /dev/null
+
+SELINUX_POLICY_EPEL_VERSION=$(rpmspec -q --queryformat='%{version}' --srpm selinux-policy-epel.spec)
+
+popd > /dev/null
+
+rm -rf ${TMP_DIR}
+
+if [ "${SELINUX_POLICY_VERSION}" != "${SELINUX_POLICY_EPEL_VERSION}" ]; then
+    echo "selinux-policy version ${SELINUX_POLICY_VERSION} does not match selinux-policy-epel version ${SELINUX_POLICY_EPEL_VERSION}"
+    echo "Please update selinux-policy-epel, see" \
+         "https://src.fedoraproject.org/rpms/selinux-policy-epel/raw/epel10/f/README.md"
+    exit 1
+fi
+
+echo "selinux-policy version ${SELINUX_POLICY_VERSION} matches selinux-policy-epel version ${SELINUX_POLICY_EPEL_VERSION}"
+exit 0

tests/tests-reboot.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            result=pass
+            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
+            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
+            grep -q '<no matches>' /tmp/avc.log || result=fail
+            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
+            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/test.log
+          - /tmp/avc.log
+          - /tmp/results.yml

tests/tests.yml

@@ -0,0 +1,10 @@
+---
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+      fmf_filter: "tier:1 | component:selinux-policy"

varrun-convert.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+  exit
+fi
+
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+  subline="${line#/var}"
+  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+    echo "$line"
+  fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_var_run_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+[ -s ${EXTRA_VARRUN_CIL} ] &&
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+