Package init

2019-09-30 11:16:49 -04:00 · 2019-09-30 11:16:49 -04:00 · fcfd975340
commit fcfd975340
34 changed files with 6645 additions and 0 deletions
--- a/Fix-bug-in-userdom_restricted_xwindows_user_template.patch
+++ b/Fix-bug-in-userdom_restricted_xwindows_user_template.patch
@ -0,0 +1,28 @@
 From 0269451c9568aa7939b0fef6708d867fcd2ffd47 Mon Sep 17 00:00:00 2001
 From: Lukas Vrabec <lvrabec@redhat.com>
 Date: Thu, 21 Feb 2019 16:12:18 +0100
 Subject: [PATCH 083/109] Fix bug in
 userdom_restricted_xwindows_user_template() template to disallow all user
 domains to access admin_home_t
 Fixes: #221
 ---
 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
 index 90a8a7533..4988fdd41 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -1345,7 +1345,7 @@ template(`userdom_restricted_xwindows_user_template',`
 	optional_policy(`
 		pulseaudio_role($1_r, $1_usertype)
 -		pulseaudio_filetrans_admin_home_content($1_usertype)
 +		pulseaudio_filetrans_home_content($1_usertype)
 	')
 	optional_policy(`
 -- 
 2.19.1
--- a/Fix-userdom_admin_user_template-interface-by-adding-.patch
+++ b/Fix-userdom_admin_user_template-interface-by-adding-.patch
@ -0,0 +1,28 @@
 From a207f43eacab87fc54a175b8dd2db68ca231e965 Mon Sep 17 00:00:00 2001
 From: Lukas Vrabec <lvrabec@redhat.com>
 Date: Thu, 24 Jan 2019 16:46:39 +0100
 Subject: [PATCH 064/109] Fix userdom_admin_user_template() interface by adding
 bluetooth,alg,dccp create_stream_socket permissions.
 ---
 policy/modules/system/userdomain.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
 index 5059b4a21..8b9abecbd 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -1582,8 +1582,8 @@ template(`userdom_admin_user_template',`
 	allow $1_t self:passwd crontab;
     allow $1_t self:bluetooth_socket create_stream_socket_perms;
 -    allow $1_t self:alg_socket create_socket_perms;
 -    allow $1_t self:dccp_socket create_socket_perms;
 +    allow $1_t self:alg_socket create_stream_socket_perms;
 +    allow $1_t self:dccp_socket create_stream_socket_perms;
     allow $1_t self:cap_userns sys_ptrace;
 -- 
 2.19.1
--- a/Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
+++ b/Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
@ -0,0 +1,26 @@
 From debf07213f1c423a3a6504dd027792b14426f07e Mon Sep 17 00:00:00 2001
 From: Lukas Vrabec <lvrabec@redhat.com>
 Date: Wed, 17 Oct 2018 13:24:41 +0200
 Subject: [PATCH 003/109] Fix userdom_write_user_tmp_dirs() to allow caller
 domain also read/write user_tmp_t dirs
 ---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
 index 44acc0cbc..5059b4a21 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -5332,6 +5332,8 @@ interface(`userdom_write_user_tmp_dirs',`
 		type user_tmp_t;
 	')
 +	list_dirs_pattern($1, user_tmp_t, user_tmp_t)
 +	rw_dirs_pattern($1, user_tmp_t, user_tmp_t)
 	write_files_pattern($1, user_tmp_t, user_tmp_t)
 ')
 -- 
 2.19.1
--- a/Fixing-range-for-ephemeral-ports-BZ-1518807.patch
+++ b/Fixing-range-for-ephemeral-ports-BZ-1518807.patch
@ -0,0 +1,33 @@
 From f135894a52444d4912050f7b4d449f495241e791 Mon Sep 17 00:00:00 2001
 From: Lukas Vrabec <lvrabec@redhat.com>
 Date: Wed, 12 Dec 2018 15:55:16 +0100
 Subject: [PATCH 043/109] Fixing range for ephemeral ports BZ(1518807)
 Range of ephemeral ports is 32768-60999 based on:
 # sysctl net.ipv4.ip_local_port_range
 net.ipv4.ip_local_port_range = 32768    60999
 ---
 policy/modules/kernel/corenetwork.te.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
 index ff8ce41e8..b9b1f21e9 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -398,10 +398,10 @@ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
 -portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
 +portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
 portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
 -portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
 +portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
 portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 ########################################
 -- 
 2.19.1
--- a/Makefile.devel
+++ b/Makefile.devel
@ -0,0 +1,22 @@
 # installation paths
 SHAREDIR := /usr/share/selinux
 AWK ?= gawk
 NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
 ifeq ($(MLSENABLED),)
 	MLSENABLED := 1
 endif
 ifeq ($(MLSENABLED),1)
 	NTYPE = mcs
 endif
 ifeq ($(NAME),mls)
 	NTYPE = mls
 endif
 TYPE ?= $(NTYPE)
 HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile
--- a/add_syslogd_t_domtrans_logrotate.patch
+++ b/add_syslogd_t_domtrans_logrotate.patch
@ -0,0 +1,15 @@
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
 index 37a1c06..c524b01 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -696,6 +696,10 @@ optional_policy(`
 ')
 optional_policy(`
 +	logrotate_domtrans(syslogd_t)
 +')
 +
 +optional_policy(`
 	udev_read_db(syslogd_t)
 ')
--- a/add_userman_access_run_dir.patch
+++ b/add_userman_access_run_dir.patch
@ -0,0 +1,52 @@
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
 index e069cb5..43fed66 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
 files_read_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 +files_search_pids(groupadd_t)
 +files_create_var_run_dirs(groupadd_t)
 +files_delete_all_pids(groupadd_t)
 +allow groupadd_t var_run_t:file *;
 +allow groupadd_t var_run_t:dir *;
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
 +files_search_pids(passwd_t)
 +files_create_var_run_dirs(passwd_t)
 +files_delete_all_pids(passwd_t)
 +allow passwd_t var_run_t:file *;
 +allow passwd_t var_run_t:dir *;
 term_search_ptys(passwd_t)
@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 +files_search_pids(sysadm_passwd_t)
 +files_create_var_run_dirs(sysadm_passwd_t)
 +files_delete_all_pids(sysadm_passwd_t)
 +allow sysadm_passwd_t var_run_t:file *;
 +allow sysadm_passwd_t var_run_t:dir *;
 +
 optional_policy(`
 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')
@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
 files_manage_etc_files(useradd_t)
 files_create_var_lib_dirs(useradd_t)
 files_rw_var_lib_dirs(useradd_t)
 +files_search_pids(useradd_t)
 +files_create_var_run_dirs(useradd_t)
 +files_delete_all_pids(useradd_t)
 +allow useradd_t var_run_t:file *;
 fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -0,0 +1,248 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 allow_execstack = true
 # Allow ftpd to read cifs directories.
 # 
 allow_ftpd_use_cifs = false
 # Allow ftpd to read nfs directories.
 # 
 allow_ftpd_use_nfs = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 allow_gssd_read_tmp = true
 # Allow Apache to modify public filesused for public file transfer services.
 # 
 allow_httpd_anon_write = false
 # Allow Apache to use mod_auth_pam module
 # 
 allow_httpd_mod_auth_pam = false
 # Allow system to run with kerberos
 # 
 allow_kerberos = true
 # Allow rsync to modify public filesused for public file transfer services.
 # 
 allow_rsync_anon_write = false
 # Allow sasl to read shadow
 # 
 allow_saslauthd_read_shadow = false
 # Allow samba to modify public filesused for public file transfer services.
 # 
 allow_smbd_anon_write = false
 # Allow system to run with NIS
 # 
 allow_ypbind = false
 # Allow zebra to write it own configuration files
 # 
 allow_zebra_write_config = false
 # Enable extra rules in the cron domainto support fcron.
 # 
 fcron_crond = false
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
 #
 # allow httpd to send dbus messages to avahi
 httpd_dbus_avahi = true
 #
 # allow httpd to network relay
 httpd_can_network_relay = false
 # Allow httpd to use built in scripting (usually php)
 # 
 httpd_builtin_scripting = true
 # Allow http daemon to tcp connect
 # 
 httpd_can_network_connect = false
 # Allow httpd cgi support
 # 
 httpd_enable_cgi = true
 # Allow httpd to act as a FTP server bylistening on the ftp port.
 # 
 httpd_enable_ftp_server = false
 # Allow httpd to read home directories
 # 
 httpd_enable_homedirs = false
 # Run SSI execs in system CGI script domain.
 # 
 httpd_ssi_exec = false
 # Allow http daemon to communicate with the TTY
 # 
 httpd_tty_comm = false
 # Run CGI in the main httpd domain
 # 
 httpd_unified = false
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
 # Allow nfs to be exported read/write.
 # 
 nfs_export_all_rw = true
 # Allow nfs to be exported read only
 # 
 nfs_export_all_ro = true
 # Allow pppd to load kernel modules for certain modems
 # 
 pppd_can_insmod = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
 squid_connect_any = false
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
 # Support SAMBA home directories
 # 
 use_samba_home_dirs = false
 # Control users use of ping and traceroute
 # 
 user_ping = false
 # allow host key based authentication
 # 
 allow_ssh_keysign = false
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 # Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
 # 
 read_untrusted_content = false
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 # Allow regular users direct mouse access
 # 
 user_direct_mouse = false
 # Allow users to read system messages.
 # 
 user_dmesg = false
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = false
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 # Allow w to display everyone
 # 
 user_ttyfile_stat = false
 # Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
 # 
 write_untrusted_content = false
 # Allow all domains to talk to ttys
 # 
 allow_daemons_use_tty = false
 # Allow login domains to polyinstatiate directories
 # 
 allow_polyinstantiation = false
 # Allow all domains to dump core
 # 
 allow_daemons_dump_core = true
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
 # Allow samba to export user home directories.
 # 
 samba_run_unconfined = false
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 allow_guest_exec_content = false
 allow_xguest_exec_content = false
 # Only allow browser to use the web
 # 
 browser_confine_xguest=false
 # Allow postfix locat to write to mail spool
 # 
 allow_postfix_local_write_mail_spool=false
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
 qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
 allow_nsplugin_execmem=true
 # Allow unconfined domain to transition to confined domain
 # 
 allow_unconfined_nsplugin_transition=true
 # System uses init upstart program
 # 
 init_upstart = true
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@ -0,0 +1,6 @@
 kerberos_enabled = true
 mount_anyfile = true
 polyinstantiation_enabled = true
 ftpd_is_daemon = true
 selinuxuser_ping = true
 xserver_object_manager = true
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -0,0 +1,24 @@
 gssd_read_tmp = true
 httpd_builtin_scripting = true
 httpd_enable_cgi = true
 kerberos_enabled = true
 mount_anyfile = true
 nfs_export_all_ro = true
 nfs_export_all_rw = true
 nscd_use_shm = true
 openvpn_enable_homedirs = true
 postfix_local_write_mail_spool=true
 pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
 selinuxuser_execmod = true
 selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
 squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
 unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@ -0,0 +1,54 @@
 allow_auditadm_exec_content auditadm_exec_content
 allow_console_login login_console_enabled
 allow_cvs_read_shadow cvs_read_shadow
 allow_daemons_dump_core daemons_dump_core
 allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
 allow_daemons_use_tty daemons_use_tty
 allow_domain_fd_use domain_fd_use
 allow_execheap selinuxuser_execheap
 allow_execmod selinuxuser_execmod
 allow_execstack selinuxuser_execstack
 allow_ftpd_anon_write ftpd_anon_write
 allow_ftpd_full_access ftpd_full_access
 allow_ftpd_use_cifs ftpd_use_cifs
 allow_ftpd_use_nfs ftpd_use_nfs
 allow_gssd_read_tmp gssd_read_tmp
 allow_guest_exec_content guest_exec_content
 allow_httpd_anon_write httpd_anon_write
 allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
 allow_httpd_mod_auth_pam httpd_mod_auth_pam
 allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
 allow_kerberos kerberos_enabled
 allow_mplayer_execstack mplayer_execstack
 allow_mount_anyfile mount_anyfile
 allow_nfsd_anon_write nfsd_anon_write
 allow_polyinstantiation polyinstantiation_enabled
 allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
 allow_rsync_anon_write rsync_anon_write
 allow_saslauthd_read_shadow saslauthd_read_shadow
 allow_secadm_exec_content secadm_exec_content
 allow_smbd_anon_write smbd_anon_write
 allow_ssh_keysign ssh_keysign
 allow_staff_exec_content staff_exec_content
 allow_sysadm_exec_content sysadm_exec_content
 allow_user_exec_content user_exec_content
 allow_user_mysql_connect selinuxuser_mysql_connect_enabled
 allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
 allow_write_xshm xserver_clients_write_xshm
 allow_xguest_exec_content xguest_exec_content
 allow_xserver_execmem xserver_execmem
 allow_ypbind nis_enabled
 allow_zebra_write_config zebra_write_config
 user_direct_dri selinuxuser_direct_dri_enabled
 user_ping selinuxuser_ping
 user_share_music selinuxuser_share_music
 user_tcp_server selinuxuser_tcp_server
 sepgsql_enable_pitr_implementation postgresql_can_rsync
 sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
 sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
 sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
 clamd_use_jit antivirus_use_jit
 amavis_use_jit antivirus_use_jit
 logwatch_can_sendmail logwatch_can_network_connect_mail
 puppet_manage_all_files puppetagent_manage_all_files
 virt_sandbox_use_nfs virt_use_nfs
--- a/bugfix-add_syslogd_t_domtrans_logrotate.patch
+++ b/bugfix-add_syslogd_t_domtrans_logrotate.patch
@ -0,0 +1,15 @@
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
 index c524b01..93c5b94 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -700,6 +700,10 @@ optional_policy(`
 ')
 optional_policy(`
 +        logrotate_domtrans(syslogd_t)
 +')
 +
 +optional_policy(`
 	udev_read_db(syslogd_t)
 ')
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/14
+++ b/14
@ -0,0 +1,14 @@
 container_file_t
 sandbox_file_t
 svirt_image_t
 svirt_home_t
 svirt_sandbox_file_t
 virt_content_t
 httpd_user_htaccess_t
 httpd_user_script_exec_t
 httpd_user_rw_content_t
 httpd_user_ra_content_t
 httpd_user_content_t
 git_session_content_t
 home_bin_t
 user_tty_device_t
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -0,0 +1,20 @@
 /run /var/run
 /run/lock /var/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /lib /usr/lib
 /lib64 /usr/lib
 /usr/lib64 /usr/lib
 /usr/local/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
 /etc/systemd/system /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
 /var/home            /home
 /home-inst            /home
 /home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
--- a/modules-mls-base.conf
+++ b/modules-mls-base.conf
@ -0,0 +1,380 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 # 
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 # 
 corecommands = base
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unlabelednet
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -0,0 +1,400 @@
 # Layer: kernel
 # Module: bootloader
 #
 # Policy for the kernel modules, kernel image, and bootloader.
 # 
 bootloader = module
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 #
 corecommands = base
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 #
 corenetwork = base
 # Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
 # 
 dmesg = module
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = module
 # Layer: admin
 # Module: sudo
 #
 # Execute a command with a substitute user
 # 
 sudo = module
 # Layer: admin
 # Module: su
 #
 # Run shells with substitute user and group
 # 
 su = module
 # Layer: admin
 # Module: usermanage
 #
 # Policy for managing user accounts.
 # 
 usermanage = module
 # Layer: apps
 # Module: seunshare
 #
 # seunshare executable
 # 
 seunshare = module
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = module
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = module
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: ubac
 #
 # 
 # 
 ubac = base
 # Layer: kernel
 # Module: unconfined
 #
 # The unlabelednet module.
 #
 unlabelednet = module
 # Layer: role
 # Module: auditadm
 #
 # auditadm account on tty logins
 # 
 auditadm = module
 # Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
 # 
 logadm = module
 # Layer: role
 # Module: secadm
 #
 # secadm account on tty logins
 # 
 secadm = module
 # Layer:role
 # Module: sysadm_secadm
 #
 # System Administrator with Security Admin rules
 # 
 sysadm_secadm = module
 # Module: staff
 #
 # admin account 
 # 
 staff = module
 # Layer:role
 # Module: sysadm
 #
 # System Administrator
 # 
 sysadm = module
 # Layer: role
 # Module: unconfineduser
 #
 # The unconfined user domain.
 # 
 unconfineduser = module
 # Layer: role
 # Module: unprivuser
 #
 # Minimally privs guest account on tty logins
 # 
 unprivuser = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
 postgresql = module
 # Layer: services
 # Module: ssh
 #
 # Secure shell client and server policy.
 # 
 ssh = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = module
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = module
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = module
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = module
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = module
 # Layer: system
 # Module: hostname
 #
 # Policy for changing the system host name.
 # 
 hostname = module
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = module
 # Layer: system
 # Module: ipsec
 #
 # TCP/IP encryption
 # 
 ipsec = module
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = module
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = module
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = module
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = module
 # Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
 # 
 lvm = module
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = module
 # Layer: system
 # Module: mount
 #
 # Policy for mount.
 # 
 mount = module
 # Layer: system
 # Module: netlabel
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = module
 # Module: setrans
 # Required in base
 #
 # Policy for setrans
 # 
 setrans = module
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = module
 # Layer: system
 # Module: systemd
 #
 # Policy for systemd components
 # 
 systemd = module
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = module
 # Layer: system
 # Module: unconfined
 #
 # The unconfined domain.
 # 
 unconfined = module
 # Layer: system
 # Module: kdbus
 #
 # Policy for kdbus.
 #
 kdbus = module
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
--- a/permissivedomains.cil
+++ b/permissivedomains.cil
@ -0,0 +1,16 @@
 (roleattributeset cil_gen_require system_r)
 (optional permissivedomains_optional_1
    (typeattributeset cil_gen_require tangd_t)
    (typepermissive tangd_t)
 )
 (optional permissivedomains_optional_2
    (typeattributeset cil_gen_require opafm_t)
    (typepermissive opafm_t)
 )
 (optional permissivedomains_optional_3
    (typeattributeset cil_gen_require boltd_t)
    (typepermissive boltd_t)
 )
--- a/rpm.macros
+++ b/rpm.macros
@ -0,0 +1,169 @@
 # Copyright (C) 2017 Red Hat, Inc. All rights reserved.
 #
 #   Author: Petr Lautrbach <plautrba@redhat.com>
 #   Author: Lukáš Vrabec <lvrabec@redhat.com>
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # RPM macros for packages installing SELinux modules
 %_selinux_policy_version SELINUXPOLICYVERSION
 %_selinux_store_path SELINUXSTOREPATH
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
 %_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
 # %selinux_requires
 %selinux_requires \
 Requires: selinux-policy >= %{_selinux_policy_version} \
 BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
 Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
 %if 0%{?fedora} || 0%{?rhel} > 7\
 Requires(post): policycoreutils-python-utils \
 %else \
 Requires(post): policycoreutils-python \
 %endif \
 %{nil}
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
 fi \
 %{nil}
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
  fi \
 fi \
 %{nil}
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
  [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
 fi \
 %{nil}
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   if [ -f %{_file_context_file_pre} ]; then \
     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
     rm -f %{_file_context_file_pre} \
   fi \
 fi \
 %{nil}
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
 %selinux_set_booleans("s:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
  LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
  if [ ! -f %_file_custom_defined_booleans ]; then \
      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
  fi \
  semanage_import='' \
  for boolean in %*; do \
      boolean_name=${boolean%=*} \
      boolean_value=${boolean#*=} \
      boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
      if [ -n "$boolean_local_string" ]; then \
          semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
          boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
          if [ -n "$boolean_customized_string" ]; then \
              /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
          else \
              /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
          fi \
      else \
          semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
          boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
      fi \
  done; \
  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
  fi \
 fi \
 %{nil}
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
 %selinux_unset_booleans("s:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
  semanage_import='' \
  for boolean in %*; do \
      boolean_name=${boolean%=*} \
      boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
      if [ -n "$boolean_customized_string" ]; then \
          awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
          if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
              semanage_import="${semanage_import}\\n${boolean_customized_string}" \
          fi \
      fi \
  done; \
  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
  fi \
 fi \
 %{nil}
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/6
+++ b/6
@ -0,0 +1,6 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
 auditadm_tty_device_t
 secureadm_tty_device_t
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
--- a/selinux-policy-38fa84d.tar.gz
+++ b/selinux-policy-38fa84d.tar.gz
--- a/selinux-policy-contrib-f9b7466.tar.gz
+++ b/selinux-policy-contrib-f9b7466.tar.gz
--- a/selinux-policy.conf
+++ b/selinux-policy.conf
@ -0,0 +1,4 @@
 z /sys/devices/system/cpu/online - - -
 Z /sys/class/net - - -
 z /sys/kernel/uevent_helper - - -
 w /sys/fs/selinux/checkreqprot - - - - 0
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -0,0 +1,655 @@
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
 %define BUILD_DOC 1
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
 %define BUILD_MLS 1
 %define POLICYVER 31
 %define POLICYCOREUTILSVER 2.8
 %define CHECKPOLICYVER 2.8
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
 Release: 41
 License: GPLv2+
 Source0: selinux-policy-38fa84d.tar.gz
 Source1: modules-targeted-base.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
 Source4: setrans-targeted.conf
 Source5: modules-mls-base.conf
 Source6: booleans-mls.conf
 Source8: setrans-mls.conf
 Source14: securetty_types-targeted
 Source15: securetty_types-mls
 Source17: booleans-minimum.conf
 Source18: setrans-minimum.conf
 Source19: securetty_types-minimum
 Source20: customizable_types
 Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
 Source27: selinux-policy.conf
 Source28: permissivedomains.cil
 Source29: selinux-policy-contrib-f9b7466.tar.gz
 Source30: booleans.subs_dist
 Source31: modules-targeted-contrib.conf
 Source32: modules-mls-contrib.conf
 Source35: container-selinux.tgz
 Source102: rpm.macros
 Patch9000: add_userman_access_run_dir.patch
 Patch9001: add_syslogd_t_domtrans_logrotate.patch
 Patch9002: bugfix-add_syslogd_t_domtrans_logrotate.patch
 Patch9003: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
 Patch9004: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
 Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
 Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
 %description 
 SELinux Base package for SELinux Reference Policy - modular.
 %define makeCmds() \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024  conf \
 cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
 cp -f selinux_config/users-%1 ./policy/users \
 %define makeModulesConf() \
 cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
 cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
 if [ %3 == "contrib" ];then \
 	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
 	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
 fi; \
 %define installCmds() \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
 make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
 install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
 rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %nil
 %define fileList() \
 %defattr(-,root,root) \
 %{_datadir}/selinux/%1 \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
 %dir %{_sysconfdir}/selinux/%1/logins \
 %dir %{_sharedstatedir}/selinux/%1/active \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
 %{_sysconfdir}/selinux/%1/.policy.sha512 \
 %dir %{_sysconfdir}/selinux/%1/contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
 %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %{_sysconfdir}/selinux/%1/booleans.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %{_sharedstatedir}/selinux/%1/active/commit_num \
 %{_sharedstatedir}/selinux/%1/active/users_extra \
 %{_sharedstatedir}/selinux/%1/active/homedir_template \
 %{_sharedstatedir}/selinux/%1/active/seusers \
 %{_sharedstatedir}/selinux/%1/active/file_contexts \
 %{_sharedstatedir}/selinux/%1/active/policy.kern \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
 fi; \
 if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
    continue; \
 fi; \
 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
     if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \
        %{_sbindir}/semodule -n -d ganesha; \
     fi; \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
     fi; \
     touch /etc/selinux/%1/.rebuild; \
     if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \
        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
 	checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
 	if [ "$sha512" == "$checksha512" ] ; then \
 		rm /etc/selinux/%1/.rebuild; \
 	fi; \
   fi; \
 fi;
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm /etc/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
 fi; \
 [ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
 if [ %1 -eq 1 ]; then \
   /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
 else \
 %relabel %2 \
 fi;
 %define modulesList() \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
 if [ -e ./policy/modules-contrib.conf ];then \
 	awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
 fi;
 %define nonBaseModulesList() \
 contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
 base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
 for i in $contrib_modules $base_modules; do \
    if [ $i != "sandbox" ];then \
        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
    fi; \
 done;
 %define installFactoryResetFiles() \
 mkdir -p %{buildroot}%{_datadir}/selinux/%1/default \
 cp -R --preserve=mode,ownership,timestamps,links %{buildroot}%{_sharedstatedir}/selinux/%1/active %{buildroot}%{_datadir}/selinux/%1/default/ \
 find %{buildroot}%{_datadir}/selinux/%1/default/ -name hll | xargs rm \
 find %{buildroot}%{_datadir}/selinux/%1/default/ -name lang_ext | xargs sed -i 's/pp/cil/' \
 mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
 %prep 
 %setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 29
 tar -xf %{SOURCE35}
 contrib_path=`pwd`
 %autosetup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 mkdir selinux_config
 for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32}; do
 cp $i selinux_config
 done
 %install
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
 cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_usr}/share/selinux/packages
 make clean
 %if %{BUILD_TARGETED}
 cp %{SOURCE28} %{buildroot}/
 %makeCmds targeted mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds targeted mcs n allow
 semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
 rm -rf %{buildroot}/permissivedomains.cil
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
 mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
 %modulesList targeted
 %nonBaseModulesList targeted
 %installFactoryResetFiles targeted
 %endif
 %if %{BUILD_MINIMUM}
 mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
 %makeCmds minimum mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds minimum mcs n allow
 rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %modulesList minimum
 %nonBaseModulesList minimum
 %installFactoryResetFiles minimum
 %endif
 %if %{BUILD_MLS}
 %makeCmds mls mls n deny
 %makeModulesConf mls base contrib
 %installCmds mls mls n deny
 %modulesList mls
 %nonBaseModulesList mls
 %installFactoryResetFiles mls
 %endif
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
 /usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
 mkdir %{buildroot}%{_usr}/share/selinux/devel/html
 mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
 mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 rm -rf selinux_config
 %post
 if [ ! -s /etc/selinux/config ]; then
 echo "
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
 #     disabled - No SELinux policy is loaded.
 SELINUX=permissive
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected. 
 #     mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 " > /etc/selinux/config
     ln -sf ../selinux/config /etc/sysconfig/selinux 
     restorecon /etc/selinux/config 2> /dev/null || :
 else
     . /etc/selinux/config
 fi
 exit 0
 %postun
 if [ $1 = 0 ]; then
     setenforce 0 2> /dev/null
     if [ ! -s /etc/selinux/config ]; then
          echo "SELINUX=disabled" > /etc/selinux/config
     else
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
     fi
 fi
 exit 0
 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %dir %{_usr}/share/selinux
 %dir %{_usr}/share/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
 %package sandbox
 Summary: SELinux policy sandbox
 Requires(pre): selinux-policy-base = %{version}-%{release} selinux-policy-targeted = %{version}-%{release}
 %description sandbox
 SELinux sandbox policy used for the policycoreutils-sandbox package
 %post sandbox
 rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
 semodule -n -X 100 -i /usr/share/selinux/packages/sandbox.pp
 if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
 fi;
 exit 0
 %preun sandbox
 if [ $1 -eq 0 ] ; then
    semodule -n -d sandbox 2>/dev/null
    if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
    fi;
 fi;
 exit 0
 %files sandbox
 %verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
 %package devel
 Summary: SELinux policy devel
 Requires: selinux-policy = %{version}-%{release} m4 checkpolicy >= %{CHECKPOLICYVER} /usr/bin/make
 Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 %description devel
 SELinux policy development and man page package
 %post devel
 selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
 exit 0
 %files devel
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
 %{_usr}/share/selinux/devel/html/*css
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
 %ghost %{_sharedstatedir}/sepolgen/interface_info
 %package help
 Summary: SELinux policy documentation
 Requires: selinux-policy = %{version}-%{release}
 Provides: selinux-policy-doc
 Obsoletes: selinux-policy-doc
 %description help
 SELinux policy documentation package
 %files help
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
 %doc %{_usr}/share/doc/%{name}
 %if %{BUILD_TARGETED}
 %package targeted
 Summary:   SELinux targeted base policy
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release}
 Requires:  selinux-policy = %{version}-%{release}
 Provides:  selinux-policy-base = %{version}-%{release}
 Obsoletes: selinux-policy-targeted-sources < 2
 Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
 Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts: audispd-plugins <= 1.7.7-1
 Conflicts: seedit
 Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
 Conflicts: container-selinux < 2:1.12.1-22
 %description targeted
 SELinux Reference policy targeted base module.
 %pre targeted
 %preInstall targeted
 %post targeted
 %postInstall $1 targeted
 exit 0
 %postun targeted
 if [ $1 = 0 ]; then
    source /etc/selinux/config
    if [ "$SELINUXTYPE" = "targeted" ]; then
        setenforce 0 2> /dev/null
        if [ ! -s /etc/selinux/config ]; then
            echo "SELINUX=disabled" > /etc/selinux/config
        else
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
        fi
    fi
 fi
 exit 0
 %triggerin -- pcre
 selinuxenabled && semodule -nB
 exit 0
 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
 rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 exit 0
 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
 CR=$'\n'
 INPUT=""
 for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/.pp.disabled//'`
    if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
        touch /var/lib/selinux/targeted/active/modules/disabled/$p
    fi
 done
 for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
 done
 for i in $(find /etc/selinux/targeted/modules/active -name \*.local); do
    cp $i /var/lib/selinux/targeted/active
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
 if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
 fi
 exit 0
 %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u 
 %fileList targeted
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
 %endif
 %if %{BUILD_MINIMUM}
 %package minimum
 Summary:  SELinux minimum base policy
 Requires(pre):  coreutils selinux-policy = %{version}-%{release}
 Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
 Requires: selinux-policy = %{version}-%{release}
 Provides:  selinux-policy-base = %{version}-%{release}
 Conflicts: seedit
 Conflicts: container-selinux <= 1.9.0-9
 %description minimum
 SELinux Reference policy minimum base module.
 %pre minimum
 %preInstall minimum
 if [ $1 -ne 1 ]; then
    /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst
 fi
 %post minimum
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
 if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
    mkdir /var/lib/selinux/minimum/active/modules/disabled
 fi
 if [ $1 -eq 1 ]; then
 for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 for p in $basepackages apache dbus inetd kerberos mta nis; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
 /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
 /usr/sbin/semodule -B -s minimum
 else
 instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
 for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semodule -B -s minimum
 %relabel minimum
 fi
 exit 0
 %postun minimum
 if [ $1 = 0 ]; then
    source /etc/selinux/config
    if [ "$SELINUXTYPE" = "minimum" ]; then
        setenforce 0 2> /dev/null
        if [ ! -s /etc/selinux/config ]; then
            echo "SELINUX=disabled" > /etc/selinux/config
        else
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
        fi
    fi
 fi
 exit 0
 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
 if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
    rm -f /var/lib/selinux/minimum/active/modules/disabled/*
 fi
 CR=$'\n'
 INPUT=""
 for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/.pp.disabled//'`
    if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then
        touch /var/lib/selinux/minimum/active/modules/disabled/$p
    fi
 done
 for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
 if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
 fi
 exit 0
 %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u 
 %fileList minimum
 %endif
 %if %{BUILD_MLS}
 %package mls 
 Summary: SELinux mls base policy
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd selinux-policy = %{version}-%{release}
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils
 Provides:  selinux-policy-base = %{version}-%{release}
 Obsoletes: selinux-policy-mls-sources < 2
 Conflicts: seedit
 Conflicts: container-selinux <= 1.9.0-9
 %description mls 
 SELinux Reference policy mls base module.
 %pre mls 
 %preInstall mls
 %post mls 
 %postInstall $1 mls
 exit 0
 %postun mls
 if [ $1 = 0 ]; then
    source /etc/selinux/config
    if [ "$SELINUXTYPE" = "mls" ]; then
        setenforce 0 2> /dev/null
        if [ ! -s /etc/selinux/config ]; then
            echo "SELINUX=disabled" > /etc/selinux/config
        else
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
        fi
    fi
 fi
 exit 0
 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138
 CR=$'\n'
 INPUT=""
 for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/.pp.disabled//'`
    if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then
        touch /var/lib/selinux/mls/active/modules/disabled/$p
    fi
 done
 for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
 done
 echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
 if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
 fi
 exit 0
 %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
 %changelog
 * Thu Sep 12 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-41
 - Package init
--- a/setrans-minimum.conf
+++ b/setrans-minimum.conf
@ -0,0 +1,19 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/setrans-mls.conf
+++ b/setrans-mls.conf
@ -0,0 +1,52 @@
 #
 # Multi-Level Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be labeled with one of 16 levels and be categorized with 0-1023 
 # categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Users can modify this table to translate the MLS labels for different purpose.
 #
 # Assumptions: using below MLS labels.
 #  SystemLow
 #  SystemHigh
 #  Unclassified 
 #  Secret with compartments A and B.
 # 
 # SystemLow and SystemHigh
 s0=SystemLow
 s15:c0.c1023=SystemHigh
 s0-s15:c0.c1023=SystemLow-SystemHigh
 # Unclassified level
 s1=Unclassified
 # Secret level with compartments
 s2=Secret
 s2:c0=A
 s2:c1=B
 # ranges for Unclassified
 s0-s1=SystemLow-Unclassified
 s1-s2=Unclassified-Secret
 s1-s15:c0.c1023=Unclassified-SystemHigh
 # ranges for Secret with compartments
 s0-s2=SystemLow-Secret
 s0-s2:c0=SystemLow-Secret:A
 s0-s2:c1=SystemLow-Secret:B
 s0-s2:c0,c1=SystemLow-Secret:AB
 s1-s2:c0=Unclassified-Secret:A
 s1-s2:c1=Unclassified-Secret:B
 s1-s2:c0,c1=Unclassified-Secret:AB
 s2-s2:c0=Secret-Secret:A
 s2-s2:c1=Secret-Secret:B
 s2-s2:c0,c1=Secret-Secret:AB
 s2-s15:c0.c1023=Secret-SystemHigh
 s2:c0-s2:c0,c1=Secret:A-Secret:AB
 s2:c0-s15:c0.c1023=Secret:A-SystemHigh
 s2:c1-s2:c0,c1=Secret:B-Secret:AB
 s2:c1-s15:c0.c1023=Secret:B-SystemHigh
 s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
--- a/setrans-targeted.conf
+++ b/setrans-targeted.conf
@ -0,0 +1,19 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/38
+++ b/38
@ -0,0 +1,38 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)