update selinux-policy

Allow-systemd_logind_t-to-read-fixed-dist-device-BZ-.patch

@@ -1,24 +0,0 @@
-From 5a103fd1d605fb1195fbfb02361a723d0f7669aa Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Sat, 3 Nov 2018 13:06:47 +0100
-Subject: [PATCH] Allow systemd_logind_t to read fixed dist device BZ(1645631)
-
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index eaf0aed..008400a 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -252,6 +252,7 @@ userdom_mounton_tmp_dirs(systemd_logind_t)
- storage_setattr_removable_dev(systemd_logind_t)
- storage_setattr_scsi_generic_dev(systemd_logind_t)
- storage_setattr_fixed_disk_dev(systemd_logind_t)
-+storage_raw_read_fixed_disk(systemd_logind_t)
- 
- term_use_unallocated_ttys(systemd_logind_t)
- 
--- 
-1.8.3.1
-

Fix-bug-in-userdom_restricted_xwindows_user_template.patch

@@ -1,28 +0,0 @@
-From 0269451c9568aa7939b0fef6708d867fcd2ffd47 Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Thu, 21 Feb 2019 16:12:18 +0100
-Subject: [PATCH 083/109] Fix bug in
- userdom_restricted_xwindows_user_template() template to disallow all user
- domains to access admin_home_t
-
-Fixes: #221
----
- policy/modules/system/userdomain.if | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 90a8a7533..4988fdd41 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1345,7 +1345,7 @@ template(`userdom_restricted_xwindows_user_template',`
- 
- 	optional_policy(`
- 		pulseaudio_role($1_r, $1_usertype)
--		pulseaudio_filetrans_admin_home_content($1_usertype)
-+		pulseaudio_filetrans_home_content($1_usertype)
- 	')
- 
- 	optional_policy(`
--- 
-2.19.1
-

Fix-userdom_admin_user_template-interface-by-adding-.patch

@@ -1,28 +0,0 @@
-From a207f43eacab87fc54a175b8dd2db68ca231e965 Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Thu, 24 Jan 2019 16:46:39 +0100
-Subject: [PATCH 064/109] Fix userdom_admin_user_template() interface by adding
- bluetooth,alg,dccp create_stream_socket permissions.
-
----
- policy/modules/system/userdomain.if | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 5059b4a21..8b9abecbd 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1582,8 +1582,8 @@ template(`userdom_admin_user_template',`
- 	allow $1_t self:passwd crontab;
- 
-     allow $1_t self:bluetooth_socket create_stream_socket_perms;
--    allow $1_t self:alg_socket create_socket_perms;
--    allow $1_t self:dccp_socket create_socket_perms;
-+    allow $1_t self:alg_socket create_stream_socket_perms;
-+    allow $1_t self:dccp_socket create_stream_socket_perms;
- 
-     allow $1_t self:cap_userns sys_ptrace;
- 
--- 
-2.19.1
-

Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch

@@ -1,26 +0,0 @@
-From debf07213f1c423a3a6504dd027792b14426f07e Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Wed, 17 Oct 2018 13:24:41 +0200
-Subject: [PATCH 003/109] Fix userdom_write_user_tmp_dirs() to allow caller
- domain also read/write user_tmp_t dirs
-
----
- policy/modules/system/userdomain.if | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 44acc0cbc..5059b4a21 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -5332,6 +5332,8 @@ interface(`userdom_write_user_tmp_dirs',`
- 		type user_tmp_t;
- 	')
- 
-+	list_dirs_pattern($1, user_tmp_t, user_tmp_t)
-+	rw_dirs_pattern($1, user_tmp_t, user_tmp_t)
- 	write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
- 
--- 
-2.19.1
-

Fixing-range-for-ephemeral-ports-BZ-1518807.patch

@@ -1,33 +0,0 @@
-From f135894a52444d4912050f7b4d449f495241e791 Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Wed, 12 Dec 2018 15:55:16 +0100
-Subject: [PATCH 043/109] Fixing range for ephemeral ports BZ(1518807)
-
-Range of ephemeral ports is 32768-60999 based on:
-
- # sysctl net.ipv4.ip_local_port_range
-net.ipv4.ip_local_port_range = 32768    60999
----
- policy/modules/kernel/corenetwork.te.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index ff8ce41e8..b9b1f21e9 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -398,10 +398,10 @@ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
- portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
- portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- 
- ########################################
--- 
-2.19.1
-

add-allow-for-ldconfig-to-map-libsudo_util-so.patch

@@ -1,15 +1,15 @@
-From db595c32644c01e6a9e5697d03a3f480d0dbba2e Mon Sep 17 00:00:00 2001
-From: zhangchenfeng <zhangchenfeng1@huawei.com>
-Date: Wed, 14 Aug 2019 07:58:13 +0800
+From 103215eb8262f37632387014d5e35c118f231cc0 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 16 Jul 2020 17:06:14 +0800
 Subject: [PATCH] add allow for ldconfig to map /usr/libexec/libsudo_util.so
 
-reason: add allow for ldconfig to map /usr/libexec/libsudo_util.so
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
 ---
  policy/modules/system/libraries.te | 3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 7a660a0..0893aba 100644
+index 22696ca..9b26f75 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -95,6 +95,9 @@ files_search_usr(ldconfig_t)
@@ -21,7 +21,7 @@ index 7a660a0..0893aba 100644
 +
  init_use_script_ptys(ldconfig_t)
  init_read_script_tmp_files(ldconfig_t)
- 
+ init_manage_script_tmp_files(ldconfig_t)
 -- 
 1.8.3.1
 

add-allow-passwd-to-write-sssd-var-lib.patch

@@ -1,27 +0,0 @@
-From e237958d348766aac7f83414ed7af2ab44f8efca Mon Sep 17 00:00:00 2001
-From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Sat, 30 May 2020 10:56:41 +0800
-Subject: [PATCH] add allow passwd to write sssd var lib
-
-Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
----
- policy/modules/admin/usermanage.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1977309..426bae8 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -391,6 +391,9 @@ logging_send_syslog_msg(passwd_t)
- seutil_read_config(passwd_t)
- seutil_read_file_contexts(passwd_t)
- 
-+sssd_var_lib_map_file(passwd_t)
-+sssd_var_lib_write_file(passwd_t)
-+
- userdom_use_inherited_user_terminals(passwd_t)
- userdom_use_unpriv_users_fds(passwd_t)
- # make sure that getcon succeeds
--- 
-1.8.3.1
-

add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch

@@ -1,28 +0,0 @@
-From aa8aaac6c35fd2cc53fa35000088773935afbd1f Mon Sep 17 00:00:00 2001
-From: zhangchenfeng <zhangchenfeng1@huawei.com>
-Date: Fri, 6 Sep 2019 11:06:51 +0800
-Subject: [PATCH] Allow syslogd_t domain to send null signal to all domains on
- system
-
-Allow syslogd_t domain to send null signal to all domains on
- system
-
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 93c5b94..03a4c99 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -568,6 +568,7 @@ dev_read_kmsg(syslogd_t)
- 
- domain_read_all_domains_state(syslogd_t)
- domain_getattr_all_domains(syslogd_t)
-+domain_signull_all_domains(syslogd_t)
- domain_use_interactive_fds(syslogd_t)
- 
- files_read_etc_files(syslogd_t)
--- 
-1.8.3.1
-

add-allowed-avc-for-systemd.patch

@@ -1,62 +0,0 @@
-From 3ee8fe2590c37f451ad2ff2271b13daa128335d8 Mon Sep 17 00:00:00 2001
-From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Sat, 18 Jan 2020 12:03:36 +0800
-Subject: [PATCH] add allowed avc for systemd
-
-Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
----
- policy/modules/kernel/kernel.if  | 17 +++++++++++++++++
- policy/modules/system/init.te    |  1 +
- policy/modules/system/systemd.te |  2 ++
- 3 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index cb9602c..be3f313 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -4108,3 +4108,20 @@ interface(`kernel_unlabeled_entry_type',`
- 	allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
- ')
- 
-+########################################
-+## <summary>
-+##     add for systemd mounton
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     The domain for sysctl_kernel_t.
-+##     </summary>
-+## </param>
-+##
-+interface(`kernel_file_mounton','
-+       gen_require(`
-+               type sysctl_kernel_t;
-+       ')
-+
-+       allow $1 sysctl_kernel_t:file mounton;
-+')
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ffe5293..035720b 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -224,6 +224,7 @@ kernel_mounton_systemd_ProtectKernelTunables(init_t)
- kernel_read_core_if(init_t)
- kernel_mounton_core_if(init_t)
- kernel_get_sysvipc_info(init_t)
-+kernel_file_mounton(init_t)
- 
- # There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
- kernel_dontaudit_request_load_module(init_t)
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 22ddccf..d6ce679 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1140,3 +1140,5 @@ optional_policy(`
- optional_policy(`
-     gpg_exec(systemd_importd_t)
- ')
-+allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
-+allow init_t systemd_logind_sessions_t:dir mounton;
--- 
-1.8.3.1
-

add-avc-for-kmod.patch

@@ -1,22 +1,21 @@
-From b7ba655387f31048655f4b8ad6173144237ae68f Mon Sep 17 00:00:00 2001
+From 9cc71f5e435a8cd95c1d186672ebbdb96e711a92 Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Tue, 25 Feb 2020 20:54:43 +0800
+Date: Thu, 16 Jul 2020 18:45:34 +0800
 Subject: [PATCH] add avc for kmod
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
 ---
- policy/modules/system/modutils.te            |  4 +++
- 1 files changed, 4 insertions(+)
+ policy/modules/system/modutils.te | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 4b7b884..1271b7a 100644
+index add5eca..d512b51 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
-@@ -367,3 +367,7 @@ ifdef(`distro_ubuntu',`
- 		unconfined_domain(update_modules_t)
+@@ -259,3 +259,6 @@ ifdef(`distro_gentoo',`
  	')
  ')
-+
+ 
 +# avc for openEuler
 +init_nnp_daemon_domain(insmod_t)
 +

add-avc-for-systemd-hostnamed-and-systemd-logind.patch

@@ -1,6 +1,6 @@
-From 5d8386f073adf1b835461382844738aca74cab74 Mon Sep 17 00:00:00 2001
+From f5e75734ba636d9a3db9e7fc4a9c7766b5f965aa Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Wed, 26 Feb 2020 11:48:12 +0800
+Date: Thu, 16 Jul 2020 19:01:43 +0800
 Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
@@ -9,21 +9,22 @@ Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index d6ce679..f2919f0 100644
+index 7cb36c4..72f413c 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -1140,5 +1140,11 @@ optional_policy(`
- optional_policy(`
-     gpg_exec(systemd_importd_t)
+@@ -373,6 +373,12 @@ optional_policy(`
+ 	xserver_search_xdm_tmp_dirs(systemd_logind_t)
  ')
-+
+ 
 +# avc for openEuler
- allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
- allow init_t systemd_logind_sessions_t:dir mounton;
 +allow init_t systemd_logind_var_lib_t:dir { create mounton read };
 +allow init_t systemd_logind_var_run_t:dir mounton;
 +init_nnp_daemon_domain(systemd_hostnamed_t)
 +init_nnp_daemon_domain(systemd_logind_t)
++
+ ########################################
+ #
+ # systemd_machined local policy
 -- 
 1.8.3.1
 

add-avc-for-systemd-journald.patch

@@ -1,22 +1,22 @@
-From 1c571a3a7da2b3caac9dabf0fdeda623529b229a Mon Sep 17 00:00:00 2001
+From 9865bc70309c32f731d85e18f8ed29af184086cf Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Wed, 26 Feb 2020 10:52:31 +0800
+Date: Thu, 16 Jul 2020 18:54:28 +0800
 Subject: [PATCH] add avc for systemd-journald
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
 ---
  policy/modules/kernel/devices.if | 18 ++++++++++++++++++
- policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
- policy/modules/system/init.te    |  3 +++
+ policy/modules/kernel/kernel.if  | 17 +++++++++++++++++
+ policy/modules/system/init.te    |  5 ++++-
  policy/modules/system/logging.if | 18 ++++++++++++++++++
  policy/modules/system/logging.te |  3 +++
- 5 files changed, 60 insertions(+)
+ 5 files changed, 60 insertions(+), 1 deletion(-)
 
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 155076b..2378f06 100644
+index 932b9bd..eb8c5c6 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -7258,3 +7258,21 @@ interface(`dev_filetrans_xserver_named_dev',`
+@@ -7343,3 +7343,21 @@ interface(`dev_filetrans_xserver_named_dev',`
  	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
  	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
  ')
@@ -39,14 +39,13 @@ index 155076b..2378f06 100644
 +allow $1 kmsg_device_t:chr_file read;
 +')
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index be3f313..ed2bd3f 100644
+index 023ee09..a1bb39b 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -4125,3 +4125,21 @@ interface(`kernel_file_mounton','
- 
-        allow $1 sysctl_kernel_t:file mounton;
+@@ -4268,3 +4268,20 @@ interface(`kernel_unlabeled_entry_type',`
+ 	allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
  ')
-+
+ 
 +########################################
 +## <summary>
 +##      Access to netlink audit socket
@@ -65,21 +64,24 @@ index be3f313..ed2bd3f 100644
 +allow $1 kernel_t:netlink_audit_socket $2;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e0d584a..afd20b0 100644
+index a92f4d8..6bccd0b 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -1871,3 +1871,6 @@ optional_policy(`
+@@ -1946,5 +1946,8 @@ optional_policy(`
+     ')
+  ')
  
- # avc for oprnEuler
+-# avc for oprnEuler
++# avc for openEuler
  systemd_manage_faillog(init_t)
 +kernel_netlink_audit_socket(init_t, getattr)
 +dev_read_kernel_msg(init_t)
 +logging_journal(init_t)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 399fe0d..7718e08 100644
+index 408dba0..526a813 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -1685,3 +1685,21 @@ interface(`logging_dgram_send',`
+@@ -1686,3 +1686,21 @@ interface(`logging_dgram_send',`
  
  	allow $1 syslogd_t:unix_dgram_socket sendto;
  ')
@@ -102,10 +104,10 @@ index 399fe0d..7718e08 100644
 +allow $1 syslogd_var_run_t:file { create rename write };
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 03a4c99..93cf69e 100644
+index cdaba23..ddeb00a 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -738,3 +738,6 @@ ifdef(`hide_broken_symptoms',`
+@@ -753,3 +753,6 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  logging_stream_connect_syslog(syslog_client_type)

add-avc-for-systemd.patch

@@ -1,33 +1,35 @@
-From 9592c9a75c610109c17eb8591611826715e3c969 Mon Sep 17 00:00:00 2001
+From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Wed, 26 Feb 2020 17:20:57 +0800
+Date: Thu, 16 Jul 2020 19:09:57 +0800
 Subject: [PATCH] add avc for systemd
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
 ---
- policy/modules/contrib/dbus.te   |  4 ++++
+ policy/modules/contrib/dbus.te   |  3 +++
  policy/modules/kernel/devices.if | 18 ++++++++++++++++++
  policy/modules/system/init.te    |  1 +
- policy/modules/system/systemd.te |  5 +++++
- 4 files changed, 28 insertions(+)
+ policy/modules/system/systemd.te |  4 ++++
+ 4 files changed, 26 insertions(+)
 
 diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
-index 3bcff01..848342e 100644
+index 4cf41a5..2e2732d 100644
 --- a/policy/modules/contrib/dbus.te
 +++ b/policy/modules/contrib/dbus.te
-@@ -386,3 +386,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
+@@ -384,6 +384,9 @@ optional_policy(`
+ 	xserver_append_xdm_home_files(session_bus_type)
+ ')
  
- kernel_stream_connect(session_bus_type)
- systemd_login_read_pid_files(session_bus_type)
-+
 +# avc for openEuler
 +allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
 +allow init_t system_dbusd_var_run_t:sock_file read;
+ ########################################
+ #
+ # Unconfined access to this module
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 2378f06..c3659c7 100644
+index eb8c5c6..846bb94 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -7276,3 +7276,21 @@ type kmsg_device_t;
+@@ -7361,3 +7361,21 @@ type kmsg_device_t;
  
  allow $1 kmsg_device_t:chr_file read;
  ')
@@ -50,19 +52,19 @@ index 2378f06..c3659c7 100644
 +allow $1 clock_device_t:chr_file read;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index afd20b0..8de5b08 100644
+index 6bccd0b..b7a4114 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -1874,3 +1874,4 @@ systemd_manage_faillog(init_t)
+@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t)
  kernel_netlink_audit_socket(init_t, getattr)
  dev_read_kernel_msg(init_t)
  logging_journal(init_t)
 +dev_read_clock_device(init_t)
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f2919f0..3634510 100644
+index 72f413c..0a65c1d 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -1148,3 +1148,8 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
  allow init_t systemd_logind_var_run_t:dir mounton;
  init_nnp_daemon_domain(systemd_hostnamed_t)
  init_nnp_daemon_domain(systemd_logind_t)
@@ -70,7 +72,9 @@ index f2919f0..3634510 100644
 +init_nnp_daemon_domain(systemd_initctl_t)
 +init_nnp_daemon_domain(systemd_localed_t)
 +init_nnp_daemon_domain(systemd_machined_t)
-+init_nnp_daemon_domain(systemd_timedated_t)
+ 
+ ########################################
+ #
 -- 
 1.8.3.1
 

add-map-to-zerp-device-at-dev_rw_zero-interface.patch

@@ -1,25 +0,0 @@
-From 9c9bbde91da9f0a90ae7e70d71638ec9c2d207da Mon Sep 17 00:00:00 2001
-From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Thu, 4 Jun 2020 20:25:12 +0800
-Subject: [PATCH] add map to zerp device at dev_rw_zero interface
-
-Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
----
- policy/modules/kernel/devices.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index c3659c7..65c21e1 100644
---- a/policy/modules/kernel/devices.if
-+++ b/policy/modules/kernel/devices.if
-@@ -6094,6 +6094,7 @@ interface(`dev_rw_zero',`
- 	')
- 
- 	rw_chr_files_pattern($1, device_t, zero_device_t)
-+	allow $1 zero_device_t:chr_file map;
- ')
- 
- ########################################
--- 
-1.8.3.1
-

add_syslogd_t_domtrans_logrotate.patch

@@ -1,15 +0,0 @@
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 37a1c06..c524b01 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -696,6 +696,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	logrotate_domtrans(syslogd_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(syslogd_t)
- ')
- 

add_userman_access_run_dir.patch

@@ -1,52 +0,0 @@
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index e069cb5..43fed66 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
- files_read_etc_files(groupadd_t)
- files_read_etc_runtime_files(groupadd_t)
- files_read_usr_symlinks(groupadd_t)
-+files_search_pids(groupadd_t)
-+files_create_var_run_dirs(groupadd_t)
-+files_delete_all_pids(groupadd_t)
-+allow groupadd_t var_run_t:file *;
-+allow groupadd_t var_run_t:dir *;
- 
- # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
- corecmd_exec_bin(groupadd_t)
-@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
- files_search_var(passwd_t)
- files_dontaudit_search_pids(passwd_t)
- files_relabel_etc_files(passwd_t)
-+files_search_pids(passwd_t)
-+files_create_var_run_dirs(passwd_t)
-+files_delete_all_pids(passwd_t)
-+allow passwd_t var_run_t:file *;
-+allow passwd_t var_run_t:dir *;
- 
- term_search_ptys(passwd_t)
- 
-@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
- # on user home dir
- userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
- 
-+files_search_pids(sysadm_passwd_t)
-+files_create_var_run_dirs(sysadm_passwd_t)
-+files_delete_all_pids(sysadm_passwd_t)
-+allow sysadm_passwd_t var_run_t:file *;
-+allow sysadm_passwd_t var_run_t:dir *;
-+
- optional_policy(`
- 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
- ')
-@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
- files_manage_etc_files(useradd_t)
- files_create_var_lib_dirs(useradd_t)
- files_rw_var_lib_dirs(useradd_t)
-+files_search_pids(useradd_t)
-+files_create_var_run_dirs(useradd_t)
-+files_delete_all_pids(useradd_t)
-+allow useradd_t var_run_t:file *;
- 
- fs_search_auto_mountpoints(useradd_t)
- fs_getattr_xattr_fs(useradd_t)

allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch

@@ -1,6 +1,6 @@
-From d366d95268da066ab3e1655593010856ecead2d6 Mon Sep 17 00:00:00 2001
+From c0112cf106c1a8bc1a1e9497c025185dcb08b398 Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Thu, 4 Jun 2020 20:22:30 +0800
+Date: Thu, 16 Jul 2020 17:27:24 +0800
 Subject: [PATCH] allow ipmievd to read the process state (/proc/pid) of init
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
@@ -9,10 +9,10 @@ Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
  1 file changed, 2 insertions(+)
 
 diff --git a/policy/modules/contrib/ipmievd.te b/policy/modules/contrib/ipmievd.te
-index d36f842..2c727c3 100644
+index 286165f..ecefff4 100644
 --- a/policy/modules/contrib/ipmievd.te
 +++ b/policy/modules/contrib/ipmievd.te
-@@ -46,6 +46,8 @@ dev_read_sysfs(ipmievd_t)
+@@ -52,6 +52,8 @@ dev_rw_watchdog(ipmievd_t)
  files_read_kernel_modules(ipmievd_t)
  files_map_kernel_modules(ipmievd_t)
  

allow-systemd-to-mount-unlabeled-filesystemd.patch

@@ -1,6 +1,6 @@
-From 79198658c50f0747b4ea8636db7e349bbd6f3571 Mon Sep 17 00:00:00 2001
+From e9b8e0daa3fb3f3b7079ffb6095d9842ccda4554 Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Thu, 4 Jun 2020 20:27:15 +0800
+Date: Thu, 16 Jul 2020 19:35:21 +0800
 Subject: [PATCH] allow systemd to mount unlabeled filesystemd
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
@@ -9,17 +9,17 @@ Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8de5b08..e3e8b37 100644
+index b7a4114..d8ca280 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -282,6 +282,7 @@ files_dontaudit_mounton_modules_object(init_t)
- files_manage_mnt_dirs(init_t)
- files_manage_mnt_files(init_t)
+@@ -591,6 +591,7 @@ dev_rw_wireless(init_t)
+ files_search_all(init_t)
+ files_mounton_all_mountpoints(init_t)
  files_mounton_etc(init_t)
 +files_mounton_isid(init_t)
- 
- fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
+ files_unmount_all_file_type_fs(init_t)
+ files_mounton_kernel_symbol_table(init_t)
+ files_manage_all_pid_dirs(init_t)
 -- 
 1.8.3.1
 

booleans-targeted.conf

@@ -22,3 +22,4 @@ unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
+use_virtualbox = true

bugfix-add_syslogd_t_domtrans_logrotate.patch

@@ -1,15 +0,0 @@
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index c524b01..93c5b94 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -700,6 +700,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+        logrotate_domtrans(syslogd_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(syslogd_t)
- ')
- 

file_contexts.subs_dist

@@ -12,9 +12,10 @@
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
-/var/home            /home
+/var/named/chroot/var  /var
 /home-inst            /home
 /home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
+/var/usrlocal        /usr/local

modules-mls-contrib.conf

@@ -691,6 +691,13 @@ logwatch = module
 # 
 lpd = module
 
+# Layer: services
+# Module: lsm
+# 
+# lsm policy
+#
+lsm = module
+
 # Layer: services
 # Module: mailman
 #

modules-targeted-contrib.conf

@@ -2601,13 +2601,6 @@ sbd = module
 #
 tlp = module
 
-# Layer: contrib
-# Module: ejabberd
-#
-# ejabberd
-#
-ejabberd = module
-
 # Layer: contrib
 # Module: conntrackd
 #
@@ -2642,3 +2635,31 @@ opafm = module
 # boltd
 #
 boltd = module
+
+# Layer: contrib
+# Module: kpatch
+#
+# kpatch
+#
+kpatch = module
+
+# Layer: contrib
+# Module: timedatex
+#
+# timedatex
+#
+timedatex = module
+
+# Layer: contrib
+# Module: rrdcached
+#
+# rrdcached
+#
+rrdcached = module
+
+# Layer: contrib
+# Module: stratisd
+#
+# stratisd
+#
+stratisd = module

permissivedomains.cil

@@ -1,16 +1,2 @@
 (roleattributeset cil_gen_require system_r)
 
-(optional permissivedomains_optional_1
-    (typeattributeset cil_gen_require tangd_t)
-    (typepermissive tangd_t)
-)
-
-(optional permissivedomains_optional_2
-    (typeattributeset cil_gen_require opafm_t)
-    (typepermissive opafm_t)
-)
-
-(optional permissivedomains_optional_3
-    (typeattributeset cil_gen_require boltd_t)
-    (typepermissive boltd_t)
-)

rpm.macros

@@ -32,7 +32,6 @@
 # %selinux_requires
 %selinux_requires \
 Requires: selinux-policy >= %{_selinux_policy_version} \
-BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
@@ -48,20 +47,24 @@ Requires(post): policycoreutils-python \
 
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 %{nil}
 
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -69,27 +72,33 @@ fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
   fi \
 fi \
 %{nil}
 
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
-_policytype=%{-s*} \
-if [ -z "${_policytype}" ]; then \
-  _policytype="targeted" \
-fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+if %{_sbindir}/selinuxenabled; then \
+  if [ -e /etc/selinux/config ]; then \
+    . /etc/selinux/config \
+  fi \
+  _policytype=%{-s*} \
+  if [ -z "${_policytype}" ]; then \
+    _policytype="targeted" \
+  fi \
+  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+  fi \
 fi \
 %{nil}
 
 
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -104,7 +113,9 @@ fi \
 
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
 %selinux_set_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -143,7 +154,9 @@ fi \
 
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \

selinux-policy.spec

@@ -5,19 +5,19 @@
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
 %define BUILD_MLS 1
-%define POLICYVER 31
-%define POLICYCOREUTILSVER 2.8
-%define CHECKPOLICYVER 2.8
+%define POLICYVER 32
+%define POLICYCOREUTILSVER 3.0
+%define CHECKPOLICYVER 3.0
 
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 55
+Release: 56
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
-Source0: https://github.com/fedora-selinux/selinux-policy/archive/38fa84dc715893cab1cc76aa9c43ba325b153e10/selinux-policy-38fa84d.tar.gz
-Source1: https://github.com/fedora-selinux/selinux-policy-contrib/archive/f9b7466780b5250bf94b5d40764277bc9c5b5f62/selinux-policy-contrib-f9b7466.tar.gz
+Source0: https://github.com/fedora-selinux/selinux-policy/archive/9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/selinux-policy-9c84d68.tar.gz
+Source1: https://github.com/fedora-selinux/selinux-policy-contrib/archive/27225b9de42be65760194536680c9d596f1a1895/selinux-policy-contrib-27225b9.tar.gz
 
 # We obtain Source2~Source24 from https://src.fedoraproject.org/rpms/selinux-policy/tree/master
 Source2: modules-targeted-base.conf
@@ -49,31 +49,20 @@ Source24: rpm.macros
 # tar czvf container-selinux.tgz container.fc container.if container.te
 Source35: container-selinux.tgz
 
-Patch0: add_userman_access_run_dir.patch
-Patch1: add_syslogd_t_domtrans_logrotate.patch
-Patch2: bugfix-add_syslogd_t_domtrans_logrotate.patch
-Patch3: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
-Patch4: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
-Patch5: Fix-userdom_admin_user_template-interface-by-adding-.patch
-Patch6: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
-Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
-Patch8: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
-Patch9: add-allowed-avc-for-systemd.patch
-Patch12: Allow-local_login-to-be-access-to-var-run-files-and-.patch
-Patch13: access-to-iptables-run-file.patch
-Patch14: add-avc-for-kmod.patch
-Patch15: add-access-to-faillog-file-for-systemd.patch
-Patch16: add-avc-for-systemd-journald.patch
-Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
-Patch18: add-allowed-avc-for-systemd-1.patch
-Patch19: add-allow-to-be-access-to-sssd-dir-and-file.patch  
-Patch20: add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
-Patch21: add-map-to-zerp-device-at-dev_rw_zero-interface.patch
-Patch22: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
-Patch23: allow-systemd-to-mount-unlabeled-filesystemd.patch
-Patch24: fix-selinux-label-for-hostname-digest-list.patch
-Patch25: solve-shutdown-permission-denied-caused-by-dracut.patch
-Patch26: Allow-systemd_logind_t-to-read-fixed-dist-device-BZ-.patch
+Patch0:  Allow-local_login-to-be-access-to-var-run-files-and-.patch
+Patch1:  access-to-iptables-run-file.patch
+Patch2:  add-access-to-faillog-file-for-systemd.patch
+Patch3:  add-allow-to-be-access-to-sssd-dir-and-file.patch
+Patch4:  add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
+Patch5:  fix-selinux-label-for-hostname-digest-list.patch
+Patch6:  solve-shutdown-permission-denied-caused-by-dracut.patch
+Patch7:  add-allow-for-ldconfig-to-map-libsudo_util-so.patch
+Patch8:  add-avc-for-kmod.patch
+Patch9:  allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
+Patch10: add-avc-for-systemd-journald.patch
+Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
+Patch12: add-avc-for-systemd.patch
+Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
 
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -84,9 +73,11 @@ Requires: rpm-plugin-selinux
 %description 
 SELinux Base package for SELinux Reference Policy - modular.
 
+%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
+
 %define makeCmds() \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024  conf \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
 cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
 cp -f selinux_config/users-%1 ./policy/users \
 
@@ -99,12 +90,12 @@ if [ %3 == "contrib" ];then \
 fi; \
 
 %define installCmds() \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
-make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
-%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
@@ -114,8 +105,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
-rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
-/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
+rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
+%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
 rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
@@ -123,7 +114,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 
 %define fileList() \
 %defattr(-,root,root) \
-%{_datadir}/selinux/%1 \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
@@ -171,6 +161,10 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
+%{_datadir}/selinux/%1/base.lst \
+%{_datadir}/selinux/%1/modules-base.lst \
+%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/nonbasemodules.lst \
 %{_sharedstatedir}/selinux/%1/active/commit_num \
 %{_sharedstatedir}/selinux/%1/active/users_extra \
 %{_sharedstatedir}/selinux/%1/active/homedir_template \
@@ -184,79 +178,117 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %nil
 
 %define relabel() \
-. %{_sysconfdir}/selinux/config; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-/usr/sbin/selinuxenabled; \
-if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
-     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
      rm -f ${FILE_CONTEXT}.pre; \
 fi; \
-if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
     continue; \
-fi; \
+fi;
 
 %define preInstall() \
-if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
-     if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \
-        %{_sbindir}/semodule -n -d ganesha; \
-     fi; \
+if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
+     for MOD_NAME in ganesha ipa_custodia; do \
+        if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
+           %{_sbindir}/semodule -n -d $MOD_NAME; \
+        fi; \
+     done; \
      . %{_sysconfdir}/selinux/config; \
      FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
      if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
         [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
      fi; \
-     touch /etc/selinux/%1/.rebuild; \
-     if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
-        POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \
+     touch %{_sysconfdir}/selinux/%1/.rebuild; \
+     if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
+        POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
         sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
-	checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
+	checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
 	if [ "$sha512" == "$checksha512" ] ; then \
-		rm /etc/selinux/%1/.rebuild; \
+		rm %{_sysconfdir}/selinux/%1/.rebuild; \
 	fi; \
    fi; \
 fi;
 
 %define postInstall() \
-. %{_sysconfdir}/selinux/config; \
-if [ -e /etc/selinux/%2/.rebuild ]; then \
-   rm /etc/selinux/%2/.rebuild; \
-   /usr/sbin/semodule -B -n -s %2; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
 fi; \
-[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
+if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
+   rm %{_sysconfdir}/selinux/%2/.rebuild; \
+   %{_sbindir}/semodule -B -n -s %2; \
+fi; \
+[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
 if [ %1 -eq 1 ]; then \
-   /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
+   %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
 else \
 %relabel %2 \
 fi;
 
 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
 if [ -e ./policy/modules-contrib.conf ];then \
-	awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
+	awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
 fi;
 
 %define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
+contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
+base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
 for i in $contrib_modules $base_modules; do \
     if [ $i != "sandbox" ];then \
-        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
+        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
     fi; \
 done;
 
-%define installFactoryResetFiles() \
-mkdir -p %{buildroot}%{_datadir}/selinux/%1/default \
-cp -R --preserve=mode,ownership,timestamps,links %{buildroot}%{_sharedstatedir}/selinux/%1/active %{buildroot}%{_datadir}/selinux/%1/default/ \
-find %{buildroot}%{_datadir}/selinux/%1/default/ -name hll | xargs rm \
-find %{buildroot}%{_datadir}/selinux/%1/default/ -name lang_ext | xargs sed -i 's/pp/cil/' \
-mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
+%define checkConfigConsistency() \
+if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
+    . %{_sysconfdir}/selinux/.config_backup; \
+else \
+    BACKUP_SELINUXTYPE=targeted; \
+fi; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+    . %{_sysconfdir}/selinux/config; \
+    if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
+        if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    elif [ "%1" = "targeted" ]; then \
+        if [ "%1" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
+        if [ "%1" != "$SELINUXTYPE" ]; then \
+            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+        fi; \
+    fi; \
+fi;
+
+%define backupConfigLua() \
+local sysconfdir = rpm.expand("%{_sysconfdir}") \
+local config_file = sysconfdir .. "/selinux/config" \
+local config_backup = sysconfdir .. "/selinux/.config_backup" \
+os.remove(config_backup) \
+if posix.stat(config_file) then \
+    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
+    local content = f:read("*all") \
+    f:close() \
+    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
+    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
+    bf:write(backup) \
+    bf:close() \
+end
+
+%build
 
 %prep 
-%setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 1
+%setup -n %{name}-contrib-27225b9de42be65760194536680c9d596f1a1895 -q -b 1
 tar -xf %{SOURCE35}
 contrib_path=`pwd`
-%setup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -q
+%setup -n %{name}-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c -q
 
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
@@ -277,65 +309,64 @@ touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
 cp %{SOURCE21} %{buildroot}%{_usr}/lib/tmpfiles.d/
 
-mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_usr}/share/selinux/packages
+mkdir -p %{buildroot}%{_datadir}/selinux/packages
 
 make clean
 %if %{BUILD_TARGETED}
 cp %{SOURCE22} %{buildroot}/
-%makeCmds targeted mcs n allow
+%makeCmds targeted mcs allow
 %makeModulesConf targeted base contrib
-%installCmds targeted mcs n allow
-semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
+%installCmds targeted mcs allow
+%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{buildroot}/permissivedomains.cil
 rm -rf %{buildroot}/permissivedomains.cil
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
-make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
-mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
+%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
+mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
 %modulesList targeted
 %nonBaseModulesList targeted
-%installFactoryResetFiles targeted
 %endif
 
 %if %{BUILD_MINIMUM}
-mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-%makeCmds minimum mcs n allow
+mkdir -p %{buildroot}%{_datadir}/selinux/minimum
+%makeCmds minimum mcs allow
 %makeModulesConf targeted base contrib
-%installCmds minimum mcs n allow
-rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
+%installCmds minimum mcs allow
+rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %modulesList minimum
 %nonBaseModulesList minimum
-%installFactoryResetFiles minimum
 %endif
 
 %if %{BUILD_MLS}
-%makeCmds mls mls n deny
+%makeCmds mls mls deny
 %makeModulesConf mls base contrib
-%installCmds mls mls n deny
+%installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
-%installFactoryResetFiles mls
 %endif
 
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
-make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
-make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers
-mkdir %{buildroot}%{_usr}/share/selinux/devel/
-mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
-install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
-install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
+mkdir %{buildroot}%{_datadir}/selinux/devel/
+mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
+install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
+install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE24} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
-rm -rf selinux_config
 
+rm -rf selinux_config
 %post
-if [ ! -s /etc/selinux/config ]; then
+if [ ! -s %{_sysconfdir}/selinux/config ]; then
 echo "
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
@@ -349,22 +380,22 @@ SELINUX=enforcing
 #     mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 
-" > /etc/selinux/config
+" > %{_sysconfdir}/selinux/config
 
-     ln -sf ../selinux/config /etc/sysconfig/selinux 
-     restorecon /etc/selinux/config 2> /dev/null || :
+     ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
+     %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
 else
-     . /etc/selinux/config
+     . %{_sysconfdir}/selinux/config
 fi
 exit 0
 
 %postun
 if [ $1 = 0 ]; then
-     setenforce 0 2> /dev/null
-     if [ ! -s /etc/selinux/config ]; then
-          echo "SELINUX=disabled" > /etc/selinux/config
+     %{_sbindir}/setenforce 0 2> /dev/null
+     if [ ! -s %{_sysconfdir}/selinux/config ]; then
+          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
      else
-          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
      fi
 fi
 exit 0
@@ -461,57 +492,66 @@ Conflicts: container-selinux < 2:1.12.1-22
 %description targeted
 SELinux Reference policy targeted base module.
 
+%pretrans targeted -p <lua>
+%backupConfigLua
+
 %pre targeted
 %preInstall targeted
 
 %post targeted
+%checkConfigConsistency targeted
 %postInstall $1 targeted
 exit 0
 
+%posttrans targeted
+%checkConfigConsistency targeted
+
 %postun targeted
 if [ $1 = 0 ]; then
-    source /etc/selinux/config
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
     if [ "$SELINUXTYPE" = "targeted" ]; then
-        setenforce 0 2> /dev/null
-        if [ ! -s /etc/selinux/config ]; then
-            echo "SELINUX=disabled" > /etc/selinux/config
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
         else
-            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
         fi
     fi
 fi
 exit 0
 
 %triggerin -- pcre
-selinuxenabled && semodule -nB
+%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
 
 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
-rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 exit 0
 
 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
 CR=$'\n'
 INPUT=""
-for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
+for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
     module=`basename $i | sed 's/.pp.disabled//'`
-    if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
-        touch /var/lib/selinux/targeted/active/modules/disabled/$p
+    if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
+        touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
     fi
 done
-for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
+for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
     INPUT="${INPUT}${CR}module -N -a $i"
 done
-for i in $(find /etc/selinux/targeted/modules/active -name \*.local); do
-    cp $i /var/lib/selinux/targeted/active
+for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
+    cp $i %{_sharedstatedir}/selinux/targeted/active
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
-if /usr/sbin/selinuxenabled ; then
-        /usr/sbin/load_policy
+if %{_sbindir}/selinuxenabled ; then
+        %{_sbindir}/load_policy
 fi
 exit 0
 
-%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
+%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u 
 %fileList targeted
@@ -532,80 +572,89 @@ Conflicts: container-selinux <= 1.9.0-9
 %description minimum
 SELinux Reference policy minimum base module.
 
+%pretrans minimum -p <lua>
+%backupConfigLua
+
 %pre minimum
 %preInstall minimum
 if [ $1 -ne 1 ]; then
-    /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst
+    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
 fi
 
 %post minimum
-contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
-basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
-if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
-    mkdir /var/lib/selinux/minimum/active/modules/disabled
+%checkConfigConsistency minimum
+contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
+basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
+if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
+    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
 fi
 if [ $1 -eq 1 ]; then
 for p in $contribpackages; do
-    touch /var/lib/selinux/minimum/active/modules/disabled/$p
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 for p in $basepackages apache dbus inetd kerberos mta nis; do
-    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
-/usr/sbin/semanage import -S minimum -f - << __eof
+%{_sbindir}/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
-/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
-/usr/sbin/semodule -B -s minimum
+%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
+%{_sbindir}/semodule -B -s minimum
 else
-instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
+instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
 for p in $contribpackages; do
-    touch /var/lib/selinux/minimum/active/modules/disabled/$p
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
-    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
-/usr/sbin/semodule -B -s minimum
+%{_sbindir}/semodule -B -s minimum
 %relabel minimum
 fi
 exit 0
 
+%posttrans minimum
+%checkConfigConsistency minimum
+
 %postun minimum
 if [ $1 = 0 ]; then
-    source /etc/selinux/config
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
     if [ "$SELINUXTYPE" = "minimum" ]; then
-        setenforce 0 2> /dev/null
-        if [ ! -s /etc/selinux/config ]; then
-            echo "SELINUX=disabled" > /etc/selinux/config
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
         else
-            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
         fi
     fi
 fi
 exit 0
 
 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
-if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
-    rm -f /var/lib/selinux/minimum/active/modules/disabled/*
+if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
 fi
 CR=$'\n'
 INPUT=""
-for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do
+for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
     module=`basename $i | sed 's/.pp.disabled//'`
-    if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then
-        touch /var/lib/selinux/minimum/active/modules/disabled/$p
+    if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
+        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
     fi
 done
-for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do
+for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
     INPUT="${INPUT}${CR}module -N -a $i"
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
-if /usr/sbin/selinuxenabled ; then
-    /usr/sbin/load_policy
+if %{_sbindir}/selinuxenabled ; then
+    %{_sbindir}/load_policy
 fi
 exit 0
 
-%files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
+%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u 
 %fileList minimum
@@ -625,22 +674,31 @@ Conflicts: container-selinux <= 1.9.0-9
 %description mls 
 SELinux Reference policy mls base module.
 
-%pre mls 
+%pretrans mls -p <lua>
+%backupConfigLua
+
+%pre mls
 %preInstall mls
 
-%post mls 
+%post mls
+%checkConfigConsistency mls
 %postInstall $1 mls
 exit 0
 
+%posttrans mls
+%checkConfigConsistency mls
+
 %postun mls
 if [ $1 = 0 ]; then
-    source /etc/selinux/config
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
     if [ "$SELINUXTYPE" = "mls" ]; then
-        setenforce 0 2> /dev/null
-        if [ ! -s /etc/selinux/config ]; then
-            echo "SELINUX=disabled" > /etc/selinux/config
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
         else
-            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
         fi
     fi
 fi
@@ -649,27 +707,30 @@ exit 0
 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138
 CR=$'\n'
 INPUT=""
-for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do
+for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
     module=`basename $i | sed 's/.pp.disabled//'`
-    if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then
-        touch /var/lib/selinux/mls/active/modules/disabled/$p
+    if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
+        touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p
     fi
 done
-for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do
+for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
     INPUT="${INPUT}${CR}module -N -a $i"
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
-if /usr/sbin/selinuxenabled ; then
-        /usr/sbin/load_policy
+if %{_sbindir}/selinuxenabled ; then
+        %{_sbindir}/load_policy
 fi
 exit 0
 
-%files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
+%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
 
 %changelog
+* Mon Jul 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-56
+- update selinux
+
 * Mon Jul 20 2020 steven <steven_ygui@163.com> - 3.14.2-55
 - add patch Allow-systemd_logind_t-to-read-fixed-dist-device-BZ-.patch
 

selinux-policy.yaml

@@ -1,4 +0,0 @@
-version_control: github
-src_repo: fedora-selinux/selinux-policy
-tag_prefix: ^v
-seperator: .