This should all be obvious. Index: refpolicy-2.20180701/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/cron.te +++ refpolicy-2.20180701/policy/modules/services/cron.te @@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system corenet_udp_sendrecv_generic_node(system_cronjob_t) corenet_tcp_sendrecv_all_ports(system_cronjob_t) corenet_udp_sendrecv_all_ports(system_cronjob_t) +corenet_tcp_connect_tor_port(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) Index: refpolicy-2.20180701/policy/modules/services/devicekit.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te +++ refpolicy-2.20180701/policy/modules/services/devicekit.te @@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de kernel_getattr_message_if(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) +kernel_read_crypto_sysctls(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) @@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk dev_getattr_mtrr_dev(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) +dev_read_rand(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_rw_sysfs(devicekit_disk_t) Index: refpolicy-2.20180701/policy/modules/system/lvm.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/lvm.te +++ refpolicy-2.20180701/policy/modules/system/lvm.te @@ -308,6 +308,7 @@ init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) +init_read_script_tmp_files(lvm_t) # for systemd-cryptsetup to talk to /run/systemd/journal/socket init_stream_connect(lvm_t) Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te @@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',` optional_policy(` devicekit_read_pid_files(ifconfig_t) + devicekit_append_inherited_log_files(ifconfig_t) ') optional_policy(`
