From 994b93e3b411e71e2253fed15be9794b3e8d57b5 Mon Sep 17 00:00:00 2001
From: Fredrik Eriksson
Date: Sun, 1 Mar 2020 08:20:41 +0100
Subject: [PATCH] updated selinux policy; hopefully services are no longer started as sau_t after restart
---
 selinux/sau.te | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/selinux/sau.te b/selinux/sau.te
index 0a7533b..a8130c4 100644
--- a/selinux/sau.te
+++ b/selinux/sau.te
@@ -23,14 +23,35 @@ role system_r types sau_t;
 domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
 domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
-# this should be fixed, but I don't know enough selinux magic to restrict this
-# while still allowing it to inspect all open files for all processes
-unconfined_domain_noaudit(sau_t)
+domain_use_interactive_fds(sau_t)
+userdom_use_user_ptys(sau_t)
+userdom_use_all_users_fds(sau_t)
+
+# required for python
+corecmd_mmap_bin_files(sau_t)
+
+
+kernel_read_system_state(sau_t)
+domain_read_all_domains_state(sau_t)
+allow sau_t self:capability sys_ptrace;
+
+init_startstop_all_script_services(sau_t)
+init_all_labeled_script_domtrans(sau_t)
+init_use_script_ptys(sau_t)
+
+miscfiles_read_localization(sau_t)
+logging_send_syslog_msg(sau_t)
+allow sau_t self:fifo_file { read write };
+corecmd_exec_shell(sau_t)
+corecmd_exec_bin(sau_t)
+
+init_manage_script_service(sau_t)
+init_read_script_status_files(sau_t)
+allow sau_t initrc_state_t:lnk_file { getattr read };
+allow sau_t initrc_state_t:dir { search read };
 # Gentoo specific
 portage_domtrans(sau_t)
-
-# postfix
-postfix_admin(sau_t, system_r)
+dontaudit sau_t self:fifo_file { getattr ioctl };