selinux-policy: Bump version to 2.20210203.

Add patches so the core system can boot in enforcing. Change policy name to targeted.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

SPECS/selinux-policy/0002-Allow-use-of-systemd-UNIX-sockets-created-at-initrd-.patch

@@ -0,0 +1,150 @@
+From 32bf014c3bdd5da7787bdbd647a19f6197fdd1df Mon Sep 17 00:00:00 2001
+From: Krzysztof Nowicki <krissn@op.pl>
+Date: Thu, 13 Aug 2020 08:44:22 +0200
+Subject: Allow use of systemd UNIX sockets created at initrd execution
+
+Systemd uses a number of UNIX sockets for communication (notify
+socket [1], journald socket). These sockets are normally created at
+start-up after the SELinux policy is loaded, which means that the
+kernel socket objects have proper security contexts of the creating
+processes.
+
+Unfortunately things look different when the system is started with an
+initrd that is also running systemd (e.g. dracut). In such case the
+sockets are created in the initrd systemd environment before the
+SELinux policy is loaded and therefore the socket object is assigned
+the default kernel context (system_u:system_r:kernel_t). When the
+initrd systemd transfers control to the main systemd the notify socket
+descriptors are passed to the main systemd process [2]. This means
+that when the main system is running the sockets will use the default
+kernel securint context until they are recreated, which for some
+sockets (notify socket) never happens.
+
+Until there is a way to change the context of an already open socket
+object all processes, that wish to use systemd sockets need to be
+able to send datagrams to system_u:system_r:kernel_t sockets.
+
+Parts of this workaround were earlier hidden behind RedHat-specific
+rules, since this distribution is the prime user of systemd+dracut
+combo. Since other distros may want to use similar configuration it
+makes sense to enable this globally.
+
+[1] sd_notify(3)
+[2] https://github.com/systemd/systemd/issues/16714
+
+Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
+
+tmp
+---
+ policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
+ policy/modules/system/init.te    |  5 +++++
+ policy/modules/system/logging.if |  5 ++---
+ policy/modules/system/logging.te |  7 ++++---
+ 4 files changed, 29 insertions(+), 6 deletions(-)
+
+MSFT_TAG: Upstream cherry-pick
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index ebd73aca9..18002e67d 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -365,6 +365,24 @@ interface(`kernel_dgram_send',`
+ 	allow $1 kernel_t:unix_dgram_socket sendto;
+ ')
+
++########################################
++## <summary>
++##	Send messages to kernel netlink audit sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_rw_netlink_audit_sockets',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
++')
++
+ ########################################
+ ## <summary>
+ ##	Allows caller to load kernel modules
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index a734e1b26..62afc3ebe 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -315,6 +315,8 @@ ifdef(`init_systemd',`
+ 	kernel_setsched(init_t)
+ 	kernel_link_key(init_t)
+ 	kernel_rw_unix_sysctls(init_t)
++	kernel_rw_stream_sockets(init_t)
++	kernel_rw_unix_dgram_sockets(init_t)
+
+ 	# run systemd misc initializations
+ 	# in the initrc_t domain, as would be
+@@ -1026,6 +1028,9 @@ ifdef(`init_systemd',`
+ 	allow initrc_t systemdunit:service reload;
+ 	allow initrc_t init_script_file_type:service { stop start status reload };
+
++	# Access to notify socket for services with Type=notify
++	kernel_dgram_send(initrc_t)
++
+ 	# run systemd misc initializations
+ 	# in the initrc_t domain, as would be
+ 	# done in traditional sysvinit/upstart.
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 8a0b2ce0a..10dee6563 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
+ 		# Allow systemd-journald to check whether the process died
+ 		allow syslogd_t $1:process signull;
+
+-		ifdef(`distro_redhat',`
+-			kernel_dgram_send($1)
+-		')
++		kernel_dgram_send($1)
+ 	')
++
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 1400d5314..6c002e01c 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
+
+ init_use_fds(syslogd_t)
+
+-# cjp: this doesnt make sense
+-logging_send_syslog_msg(syslogd_t)
+-
+ miscfiles_read_localization(syslogd_t)
+
+ seutil_read_config(syslogd_t)
+@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
+ 	kernel_read_ring_buffer(syslogd_t)
+ 	kernel_rw_stream_sockets(syslogd_t)
+ 	kernel_rw_unix_dgram_sockets(syslogd_t)
++	kernel_rw_netlink_audit_sockets(syslogd_t)
+ 	kernel_use_fds(syslogd_t)
+
+ 	dev_read_kmsg(syslogd_t)
+@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
+ 	init_read_runtime_symlinks(syslogd_t)
+ 	init_read_state(syslogd_t)
+
++	# needed for systemd-initrd case when syslog socket is unlabelled
++	logging_send_syslog_msg(syslogd_t)
++
+ 	systemd_manage_journal_files(syslogd_t)
+
+ 	udev_read_runtime_files(syslogd_t)
+--
+2.17.1
+

SPECS/selinux-policy/0003-files-init-systemd-various-fixes.patch

@@ -0,0 +1,156 @@
+From dd0d61c8ec585ea655aff555d958a8910224ae46 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Thu, 11 Mar 2021 23:03:10 -0500
+Subject: files, init, systemd: various fixes
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+---
+ policy/modules/kernel/files.if   | 18 ++++++++++++++++++
+ policy/modules/system/init.te    | 11 ++++++++++-
+ policy/modules/system/systemd.if | 20 ++++++++++++++++++++
+ policy/modules/system/systemd.te |  3 +++
+ 4 files changed, 51 insertions(+), 1 deletion(-)
+
+MSFT_TAG: upstream cherry-pick
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 467d8a26d..cd2bc59cf 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4585,6 +4585,24 @@ interface(`files_manage_generic_tmp_dirs',`
+ 	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
++########################################
++## <summary>
++##	Relabel temporary directories in /tmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_generic_tmp_dirs',`
++	gen_require(`
++		type tmp_t;
++	')
++
++	relabel_dirs_pattern($1, tmp_t, tmp_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Manage temporary files and directories in /tmp.
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 62afc3ebe..d7ef16852 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -266,7 +266,7 @@ ifdef(`init_systemd',`
+
+ 	# setexec and setkeycreate for systemd --user
+ 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
+-	allow init_t self:capability2 { audit_read block_suspend };
++	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
+ 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 	allow init_t self:unix_dgram_socket lock;
+
+@@ -293,6 +293,11 @@ ifdef(`init_systemd',`
+ 	# /memfd:systemd-state
+ 	fs_tmpfs_filetrans(init_t, init_runtime_t, file)
+
++	# mounton is required for systemd-timesyncd
++	allow init_t init_var_lib_t:dir { manage_dir_perms mounton };
++	allow init_t init_var_lib_t:file manage_file_perms;
++	allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
++
+ 	manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+
+ 	manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
+@@ -306,6 +311,8 @@ ifdef(`init_systemd',`
+ 	kernel_read_fs_sysctls(init_t)
+ 	kernel_list_unlabeled(init_t)
+ 	kernel_load_module(init_t)
++	kernel_request_load_module(init_t)
++	kernel_rw_fs_sysctls(init_t)
+ 	kernel_rw_kernel_sysctl(init_t)
+ 	kernel_rw_net_sysctls(init_t)
+ 	kernel_read_all_sysctls(init_t)
+@@ -389,6 +396,8 @@ ifdef(`init_systemd',`
+ 	files_list_spool(init_t)
+ 	files_manage_all_runtime_dirs(init_t)
+ 	files_manage_generic_tmp_dirs(init_t)
++	files_relabel_generic_tmp_dirs(init_t)
++	files_mounton_tmp(init_t)
+ 	files_manage_urandom_seed(init_t)
+ 	files_read_boot_files(initrc_t)
+ 	files_relabel_all_lock_dirs(init_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 33c91052d..e4dc83636 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -164,6 +164,8 @@ template(`systemd_role_template',`
+ 	systemd_status_user_runtime_units($3)
+ 	systemd_stop_user_runtime_units($3)
+
++	systemd_watch_passwd_runtime_dirs($3)
++
+ 	optional_policy(`
+ 		xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
+ 		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
+@@ -1163,6 +1165,24 @@ interface(`systemd_manage_passwd_runtime_symlinks',`
+ 	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
+ ')
+
++########################################
++## <summary>
++##   Allow a domain to watch systemd-passwd runtime dirs.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_watch_passwd_runtime_dirs',`
++	gen_require(`
++		type systemd_passwd_runtime_t;
++	')
++
++	allow $1 systemd_passwd_runtime_t:dir watch;
++')
++
+ ########################################
+ ## <summary>
+ ##      manage systemd unit dirs and the files in them  (Deprecated)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 6bdd0e3fb..624ca6eaf 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -420,6 +420,7 @@ allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
+ allow systemd_generator_t self:capability dac_override;
+ allow systemd_generator_t self:process setfscreate;
+
++corecmd_exec_shell(systemd_generator_t)
+ corecmd_getattr_bin_files(systemd_generator_t)
+
+ dev_read_sysfs(systemd_generator_t)
+@@ -434,6 +435,7 @@ files_search_all_mountpoints(systemd_generator_t)
+ files_list_usr(systemd_generator_t)
+
+ fs_list_efivars(systemd_generator_t)
++fs_getattr_cgroup(systemd_generator_t)
+ fs_getattr_xattr_fs(systemd_generator_t)
+
+ init_create_runtime_files(systemd_generator_t)
+@@ -452,6 +454,7 @@ init_read_script_files(systemd_generator_t)
+ kernel_use_fds(systemd_generator_t)
+ kernel_read_system_state(systemd_generator_t)
+ kernel_read_kernel_sysctls(systemd_generator_t)
++kernel_dontaudit_getattr_proc(systemd_generator_t)
+
+ storage_raw_read_fixed_disk(systemd_generator_t)
+
+--
+2.17.1
+

SPECS/selinux-policy/0004-Enable-factory-directory-support-in-systemd-tmpfiles.patch

@@ -0,0 +1,128 @@
+From 6494358f5ac3c6a038737aa5534f81ed16049cc5 Mon Sep 17 00:00:00 2001
+From: Krzysztof Nowicki <krissn@op.pl>
+Date: Wed, 3 Feb 2021 10:00:35 +0100
+Subject: Enable factory directory support in systemd-tmpfilesd
+
+/usr/share/factory serves as a template directory for
+systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
+directory as a default source for files, which should be placed in the
+filesystem.
+
+This behaiour is controlled via a tunable as it gives
+systemd-tmpfilesd manage permissions over etc, which could be
+considered as a security risk.
+
+Relevant denials are silenced in case the policy is disabled.
+
+Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
+---
+ policy/modules/kernel/files.if   | 20 ++++++++++++++++++++
+ policy/modules/system/systemd.fc |  2 ++
+ policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+MSFT_TAG: upstream cherry-pick
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index cd2bc59cf..5924f8d38 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -3117,6 +3117,26 @@ interface(`files_manage_etc_files',`
+ 	read_lnk_files_pattern($1, etc_t, etc_t)
+ ')
+
++########################################
++## <summary>
++##	Do not audit attempts to create, read, write,
++##	and delete generic files in /etc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_dontaudit_manage_etc_files',`
++	gen_require(`
++		type etc_t;
++	')
++
++	dontaudit $1 etc_t:file manage_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Delete system configuration files in /etc.
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+index 6a6591f20..c19259f73 100644
+--- a/policy/modules/system/systemd.fc
++++ b/policy/modules/system/systemd.fc
+@@ -62,6 +62,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
+ /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
+ /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+
++/usr/share/factory(/.*)?	gen_context(system_u:object_r:systemd_factory_conf_t,s0)
++
+ /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
+
+ /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 624ca6eaf..e96c5defa 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
+ ## </desc>
+ gen_tunable(systemd_socket_proxyd_connect_any, false)
+
++## <desc>
++## <p>
++## Allow systemd-tmpfilesd to populate missing configuration files from factory
++## template directory.
++## </p>
++## </desc>
++gen_tunable(systemd_tmpfilesd_factory, false)
++
+ attribute systemd_log_parse_env_type;
+ attribute systemd_tmpfiles_conf_type;
+ attribute systemd_user_session_type;
+@@ -106,6 +114,9 @@ type systemd_detect_virt_t;
+ type systemd_detect_virt_exec_t;
+ init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
++type systemd_factory_conf_t;
++systemd_tmpfiles_conf_file(systemd_factory_conf_t)
++
+ type systemd_generator_t;
+ type systemd_generator_exec_t;
+ typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
+@@ -1298,6 +1309,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
+ allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
+
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
++allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
+ kernel_getattr_proc(systemd_tmpfiles_t)
+@@ -1392,6 +1404,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 	files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
+
++tunable_policy(`systemd_tmpfilesd_factory', `
++	allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
++	allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
++
++	files_manage_etc_files(systemd_tmpfiles_t)
++',`
++	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
++	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
++
++	files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
++')
++
+ optional_policy(`
+ 	dbus_read_lib_files(systemd_tmpfiles_t)
+ 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
+--
+2.17.1
+

SPECS/selinux-policy/0005-Makefile-Revise-relabel-targets-to-relabel-all-secla.patch

@@ -0,0 +1,66 @@
+From 239c03e1bf200708ff4a46d59020d38d61543816 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Fri, 20 Aug 2021 17:08:38 +0000
+Subject: Makefile: Revise relabel targets to relabel all
+ seclabel filesystems.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ Makefile | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+MSFT_TAG: upstream cherry-pick
+
+diff --git a/Makefile b/Makefile
+index 9252b5a04..53f3acb3d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -320,8 +320,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+-fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
++filesystems = $(shell mount | $(AWK) '$$NF ~ /\yseclabel\y/ {print $$3}')
+
+ ########################################
+ #
+@@ -610,7 +609,7 @@ $(tags):
+ # Filesystem labeling
+ #
+ checklabels:
+-	@echo "Checking labels on filesystem types: $(fs_names)"
++	@echo "Checking labels on filesystems: $(filesystems)"
+ 	@if test -z "$(filesystems)"; then \
+ 		echo "No filesystems with extended attributes found!" ;\
+ 		false ;\
+@@ -618,7 +617,7 @@ checklabels:
+ 	$(verbose) $(SETFILES) -E -v -n $(fcpath) $(filesystems)
+
+ restorelabels:
+-	@echo "Restoring labels on filesystem types: $(fs_names)"
++	@echo "Restoring labels on filesystems: $(filesystems)"
+ 	@if test -z "$(filesystems)"; then \
+ 		echo "No filesystems with extended attributes found!" ;\
+ 		false ;\
+@@ -626,7 +625,7 @@ restorelabels:
+ 	$(verbose) $(SETFILES) -E -v $(fcpath) $(filesystems)
+
+ relabel:
+-	@echo "Relabeling filesystem types: $(fs_names)"
++	@echo "Relabeling filesystems: $(filesystems)"
+ 	@if test -z "$(filesystems)"; then \
+ 		echo "No filesystems with extended attributes found!" ;\
+ 		false ;\
+@@ -634,7 +633,7 @@ relabel:
+ 	$(verbose) $(SETFILES) -E $(fcpath) $(filesystems)
+
+ resetlabels:
+-	@echo "Resetting labels on filesystem types: $(fs_names)"
++	@echo "Resetting labels on filesystems: $(filesystems)"
+ 	@if test -z "$(filesystems)"; then \
+ 		echo "No filesystems with extended attributes found!" ;\
+ 		false ;\
+--
+2.17.1
+

SPECS/selinux-policy/0006-cronyd-Add-dac_read_search.patch

@@ -0,0 +1,28 @@
+From 83cb68e5c78713cd46943c27428dd08423f39e33 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Fri, 20 Aug 2021 18:11:23 +0000
+Subject: cronyd: Add dac_read_search.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/services/chronyd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+MSFT_TAG: upstream cherry-pick
+
+diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
+index 96121be48..bb251cb68 100644
+--- a/policy/modules/services/chronyd.te
++++ b/policy/modules/services/chronyd.te
+@@ -46,7 +46,7 @@ logging_log_file(chronyd_var_log_t)
+ # chronyd local policy
+ #
+
+-allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
++allow chronyd_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_resource sys_time };
+ allow chronyd_t self:process { getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:fifo_file rw_fifo_file_perms;
+--
+2.17.1
+

SPECS/selinux-policy/0007-systemd-ssh-ntp-Read-fips_enabled-crypto-sysctl.patch

@@ -0,0 +1,53 @@
+From ee2b299cf796ddce789428773072fc0843a52d2a Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:37:19 +0000
+Subject: systemd, ssh, ntp: Read fips_enabled crypto sysctl.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/services/ntp.te   | 1 +
+ policy/modules/services/ssh.if   | 1 +
+ policy/modules/system/systemd.te | 1 +
+ 3 files changed, 3 insertions(+)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
+index 1626ae87a..4d7e00243 100644
+--- a/policy/modules/services/ntp.te
++++ b/policy/modules/services/ntp.te
+@@ -94,6 +94,7 @@ can_exec(ntpd_t, ntpd_exec_t)
+ kernel_read_kernel_sysctls(ntpd_t)
+ kernel_read_system_state(ntpd_t)
+ kernel_read_network_state(ntpd_t)
++kernel_read_crypto_sysctls(ntpd_t)
+ kernel_request_load_module(ntpd_t)
+
+ corenet_all_recvfrom_netlabel(ntpd_t)
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index e5edf17a3..e98aeeb03 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -209,6 +209,7 @@ template(`ssh_server_template', `
+
+ 	kernel_read_kernel_sysctls($1_t)
+ 	kernel_read_network_state($1_t)
++	kernel_read_crypto_sysctls($1_t)
+
+ 	corenet_all_recvfrom_netlabel($1_t)
+ 	corenet_tcp_sendrecv_generic_if($1_t)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e96c5defa..ad69d4d93 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -566,6 +566,7 @@ optional_policy(`
+ dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+ kernel_read_system_state(systemd_log_parse_env_type)
++kernel_read_crypto_sysctls(systemd_log_parse_env_type)
+
+ dev_write_kmsg(systemd_log_parse_env_type)
+
+--
+2.17.1
+

SPECS/selinux-policy/0008-udev-Manage-EFI-variables.patch

@@ -0,0 +1,27 @@
+From abc4772646fd187cb1fc1b5abe37c8dd89de7507 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:41:55 +0000
+Subject: udev: Manage EFI variables.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/system/udev.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 521d7e9c7..70ad2a3c2 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -130,6 +130,7 @@ fs_list_inotifyfs(udev_t)
+ fs_read_cgroup_files(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+ fs_search_tracefs(udev_t)
++fs_manage_efivarfs_files(udev_t)
+
+ mcs_ptrace_all(udev_t)
+
+--
+2.17.1
+

SPECS/selinux-policy/0009-ntp-Handle-symlink-to-drift-directory.patch

@@ -0,0 +1,27 @@
+From ee2c186fe4ffa047d2d4113406209dad58f323ed Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:44:10 +0000
+Subject: ntp: Handle symlink to drift directory.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/services/ntp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
+index 4d7e00243..2f4ce73d9 100644
+--- a/policy/modules/services/ntp.te
++++ b/policy/modules/services/ntp.te
+@@ -63,6 +63,7 @@ allow ntpd_t self:unix_dgram_socket sendto;
+
+ allow ntpd_t ntp_conf_t:file read_file_perms;
+
++allow ntpd_t ntp_drift_t:lnk_file read_lnk_file_perms;
+ manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ files_etc_filetrans(ntpd_t, ntp_drift_t, file)
+--
+2.17.1
+

SPECS/selinux-policy/0010-systemd-Unit-generator-fixes.patch

@@ -0,0 +1,74 @@
+From ca7569adf5381a95d740c3fb31c6fbd62af45741 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:47:07 +0000
+Subject: systemd: Unit generator fixes.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/system/miscfiles.if | 20 ++++++++++++++++++++
+ policy/modules/system/systemd.te   |  5 ++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index ba34f0929..f8ba6137f 100644
+--- a/policy/modules/system/miscfiles.if
++++ b/policy/modules/system/miscfiles.if
+@@ -486,6 +486,26 @@ interface(`miscfiles_read_hwdata',`
+ 	read_lnk_files_pattern($1, hwdata_t, hwdata_t)
+ ')
+
++########################################
++## <summary>
++##	Allow process to get the attributes of localization info
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_getattr_localization',`
++	gen_require(`
++		type locale_t;
++	')
++
++	files_search_usr($1)
++	allow $1 locale_t:dir list_dir_perms;
++	allow $1 locale_t:file getattr;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow process to setattr localization info
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index ad69d4d93..00a9d335e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -432,11 +432,12 @@ allow systemd_generator_t self:capability dac_override;
+ allow systemd_generator_t self:process setfscreate;
+
+ corecmd_exec_shell(systemd_generator_t)
+-corecmd_getattr_bin_files(systemd_generator_t)
++corecmd_exec_bin(systemd_generator_t)
+
+ dev_read_sysfs(systemd_generator_t)
+ dev_write_kmsg(systemd_generator_t)
+ dev_write_sysfs_dirs(systemd_generator_t)
++dev_read_urand(systemd_generator_t)
+
+ files_read_etc_files(systemd_generator_t)
+ files_search_runtime(systemd_generator_t)
+@@ -473,6 +474,8 @@ systemd_log_parse_environment(systemd_generator_t)
+
+ term_use_unallocated_ttys(systemd_generator_t)
+
++udev_search_runtime(systemd_generator_t)
++
+ optional_policy(`
+ 	fstools_exec(systemd_generator_t)
+ ')
+--
+2.17.1
+

SPECS/selinux-policy/0011-logging-Allow-auditd-to-stat-dispatcher-executables.patch

@@ -0,0 +1,37 @@
+From 138e989c89842cde7e2a2dbfbcae438fc4676133 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:49:05 +0000
+Subject: logging: Allow auditd to stat() dispatcher executables.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/system/logging.if | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 10dee6563..f1183690a 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -287,7 +287,7 @@ interface(`logging_signal_dispatcher',`
+ #
+ interface(`logging_dispatcher_domain',`
+ 	gen_require(`
+-		type audisp_t;
++		type audisp_t, auditd_t;
+ 		role system_r;
+ 	')
+
+@@ -296,6 +296,8 @@ interface(`logging_dispatcher_domain',`
+
+ 	role system_r types $1;
+
++	allow auditd_t $2:file getattr;
++
+ 	domtrans_pattern(audisp_t, $2, $1)
+ 	allow audisp_t $1:process { sigkill sigstop signull signal };
+
+--
+2.17.1
+

SPECS/selinux-policy/0012-systemd-Revise-tmpfiles-factory-to-allow-writing-all.patch

@@ -0,0 +1,90 @@
+From 41798c436d938860e05ba07aceadbaae39d93a5d Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:55:01 +0000
+Subject: systemd: Revise tmpfiles factory to allow writing all configs.
+
+---
+ policy/modules/system/systemd.te | 31 ++++++++++---------------------
+ 1 file changed, 10 insertions(+), 21 deletions(-)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 00a9d335e..d02855a08 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -45,14 +45,6 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
+ ## </desc>
+ gen_tunable(systemd_socket_proxyd_connect_any, false)
+
+-## <desc>
+-## <p>
+-## Allow systemd-tmpfilesd to populate missing configuration files from factory
+-## template directory.
+-## </p>
+-## </desc>
+-gen_tunable(systemd_tmpfilesd_factory, false)
+-
+ attribute systemd_log_parse_env_type;
+ attribute systemd_tmpfiles_conf_type;
+ attribute systemd_user_session_type;
+@@ -1302,6 +1294,9 @@ allow systemd_tmpfiles_t self:process { setfscreate getcap };
+ allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
+ allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
++allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
++allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
++
+ allow systemd_tmpfiles_t systemd_pstore_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
+ allow systemd_tmpfiles_t systemd_pstore_var_lib_t:file manage_file_perms;
+
+@@ -1335,13 +1330,18 @@ files_manage_all_runtime_dirs(systemd_tmpfiles_t)
+ files_delete_usr_files(systemd_tmpfiles_t)
+ files_list_home(systemd_tmpfiles_t)
+ files_list_locks(systemd_tmpfiles_t)
++files_manage_config_dirs(systemd_tmpfiles_t)
++files_manage_config_files(systemd_tmpfiles_t)
+ files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+ files_manage_var_dirs(systemd_tmpfiles_t)
+ files_manage_var_lib_dirs(systemd_tmpfiles_t)
++files_manage_all_locks(systemd_tmpfiles_t)
+ files_purge_tmp(systemd_tmpfiles_t)
+ files_read_etc_files(systemd_tmpfiles_t)
+ files_read_etc_runtime_files(systemd_tmpfiles_t)
+-files_relabel_all_lock_dirs(systemd_tmpfiles_t)
++files_relabel_config_files(systemd_tmpfiles_t)
++files_relabel_config_dirs(systemd_tmpfiles_t)
++files_relabel_all_locks(systemd_tmpfiles_t)
+ files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
+ files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+ files_relabel_var_dirs(systemd_tmpfiles_t)
+@@ -1387,6 +1387,7 @@ logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
+
+ miscfiles_manage_man_pages(systemd_tmpfiles_t)
+ miscfiles_relabel_man_cache(systemd_tmpfiles_t)
++miscfiles_getattr_localization(systemd_tmpfiles_t)
+
+ seutil_read_config(systemd_tmpfiles_t)
+ seutil_read_file_contexts(systemd_tmpfiles_t)
+@@ -1408,18 +1409,6 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 	files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
+
+-tunable_policy(`systemd_tmpfilesd_factory', `
+-	allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+-	allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+-
+-	files_manage_etc_files(systemd_tmpfiles_t)
+-',`
+-	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+-	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+-
+-	files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+-')
+-
+ optional_policy(`
+ 	dbus_read_lib_files(systemd_tmpfiles_t)
+ 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
+--
+2.17.1
+

SPECS/selinux-policy/0013-systemd-User-runtime-reads-user-cgroup-files.patch

@@ -0,0 +1,28 @@
+From c0c69aee84d9bdf7de73f515d85c8b0f90bb7361 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 19:57:45 +0000
+Subject: systemd: User runtime reads user cgroup files.
+
+Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index d02855a08..97e6f5f8d 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1539,6 +1539,8 @@ fs_getattr_tmpfs(systemd_user_runtime_dir_t)
+ fs_list_tmpfs(systemd_user_runtime_dir_t)
+ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
++fs_read_cgroup_files(systemd_user_runtime_dir_t)
++fs_getattr_cgroup(systemd_user_runtime_dir_t)
+
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+
+--
+2.17.1
+

SPECS/selinux-policy/0014-logging-Add-audit_control-for-journald.patch

@@ -0,0 +1,26 @@
+From e8f14030d1b22390ae540a38040ec486f92efe4c Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 20:28:21 +0000
+Subject: logging: Add audit_control for journald.
+
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+MSFT_TAG: pending
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 6c002e01c..5a59062ac 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -510,6 +510,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
+
+ ifdef(`init_systemd',`
+ 	# for systemd-journal
++	allow syslogd_t self:capability audit_control;
+ 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ 	allow syslogd_t self:capability2 audit_read;
+ 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+--
+2.17.1
+

SPECS/selinux-policy/0015-Temporary-fix-for-wrong-audit-log-directory.patch

@@ -0,0 +1,29 @@
+From 87c428427dc494c7c614ba26ba8b4bd9a9398464 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 20:29:04 +0000
+Subject: Temporary fix for wrong audit log directory
+
+---
+ policy/modules/system/logging.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+MSFT_TAG: not upstreamable
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 5681acb51..5cbad8178 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -68,6 +68,10 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
++ifdef(`distro_mariner',`
++/var/opt/audit/log(/.*)?	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++')
++
+ /run/audit_events	-s	gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
+ /run/audispd_events	-s	gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh)
+ /run/auditd\.pid	--	gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
+--
+2.17.1
+

SPECS/selinux-policy/0016-Set-default-login-to-unconfined_u.patch

@@ -0,0 +1,22 @@
+From 73d48a64c851b45b3375d8c9dee8821edea36d1d Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
+Date: Wed, 1 Sep 2021 20:30:29 +0000
+Subject: Set default login to unconfined_u.
+
+---
+ config/appconfig-mcs/seusers | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+MSFT_TAG: not upstreamable
+
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..7bad81e98 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+ root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++__default__:unconfined_u:s0-mcs_systemhigh
+--
+2.17.1
+

SPECS/selinux-policy/selinux-policy.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "refpolicy-2.20200818.tar.bz2": "1488f9b94060de28addbcb29fb8437ee0d75cba15e11280dd9dfa3e09986f57b",
+  "refpolicy-2.20210203.tar.bz2": "48cbf2c63ff9003bef05e03c8d3cdddb4e8f63fef2a072ae51c987301f0b874d",
   "Makefile.devel": "cd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6"
  }
 }

cgmanifest.json

@@ -8392,8 +8392,8 @@
         "type": "other",
         "other": {
           "name": "selinux-policy",
-          "version": "2.20200818",
-          "downloadUrl": "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200818/refpolicy-2.20200818.tar.bz2"
+          "version": "2.20210203",
+          "downloadUrl": "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20210203/refpolicy-2.20210203.tar.bz2"
         }
       }
     },