Tiny and I think they are all obvious.
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t
mount_rw_runtime_files(bootloader_t)
+selinux_getattr_fs(bootloader_t)
seutil_read_bin_policy(bootloader_t)
+seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
+++ refpolicy-2.20180701/policy/modules/services/dhcp.te
@@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
+miscfiles_read_generic_certs(dhcpd_t)
miscfiles_read_localization(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -333,6 +333,7 @@ optional_policy(`
optional_policy(`
xserver_domtrans_xauth(sshd_t)
+ xserver_link_xdm_keys(sshd_t)
')
########################################
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`
########################################
## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_link_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key link;
+')
+
+########################################
+## <summary>
## Read and write the mesa shader cache.
## </summary>
## <param name="domain">
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+# for writing to ~/.local/share/sddm/xorg-session.log
+xdg_manage_data(xauth_t)
+
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
allow xserver_t xauth_home_t:file read_file_perms;
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
+
#########################################
#
# hw local policy
@@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
@@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#
-allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(groupadd_t)
')
@@ -546,6 +550,10 @@ optional_policy(`
')
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(useradd_t)
')
