
Bug#1109927: marked as done (unblock: refpolicy/2:2.20250213-10)



Your message dated Sat, 26 Jul 2025 12:38:19 +0000
with message-id <E1ufeAN-00FymB-26@respighi.debian.org>
and subject line unblock refpolicy
has caused the Debian Bug report #1109927,
regarding unblock: refpolicy/2:2.20250213-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109927
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
The main reason for this unblock is to get graphical desktop sessions working
under SE Linux.  This update fixes the sddm login manager, the GNOME desktop,
and some important GNOME applications.  The majority of desktop users who use
SE Linux will have serious problems without it.

Also there's a minor fix for Sympa for the new version in Trixie.

[ Impact ]
If this isn't granted then most people can't use a graphical session on SE
Linux.

[ Tests ]
I've done manual tests on all combinations of KDE, GNOME, and Phoc with sddm
and gdm3 and they all work.

[ Risks ]
This just adds extra access so it's unlikely to break things and there are
hardly any changes that affect non-graphical systems.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock refpolicy/2:2.20250213-10

diff -Nru refpolicy-2.20250213/debian/changelog refpolicy-2.20250213/debian/changelog
--- refpolicy-2.20250213/debian/changelog	2025-07-06 19:29:50.000000000 +1000
+++ refpolicy-2.20250213/debian/changelog	2025-07-25 22:36:54.000000000 +1000
@@ -1,3 +1,29 @@
+refpolicy (2:2.20250213-10) unstable; urgency=medium
+
+  * Allow user_bubblewrap_t to transition to user_t via user_home_t and
+    user_bin_t
+  * Fixes for evolution, colord, dbus, wm, and xdm.  Now the GNOME desktop
+    is fully functional and sddm works as a graphical login.
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 25 Jul 2025 22:36:54 +1000
+
+refpolicy (2:2.20250213-9) unstable; urgency=medium
+
+  * Allow sympa_t to signal itself, create udp sockets, and bind to a generic
+    node
+  * Fixed labelling for /var/log/opensnitchd.log.* and
+    /var/cache/apt-xapian-index/*
+  * Allow systemd-logind to receive fds from xdm - needed for SDDM to function
+  * Labelled /usr/bin/efibootmgr as bootloader_exec_t
+  * Labelled /usr/bin/screendump as screen_exec_t
+  * Labelled /usr/sbin/veritysetup as lvm_exec_t
+  * Add a user login for Debian-gdm that gets the xdm identity
+  * Add some user_wm_t permissions for GNOME and PHOC logins, PHOC and KDE
+    Plasma with gdm3 are fully functional and GNOME is mostly functional.
+  * Add labels for /var/lib/lxc and /var/lib/misc/dnsmasq.[a-z0-9]+.leases
+
+ -- Russell Coker <russell@coker.com.au>  Sat, 19 Jul 2025 22:55:24 +1000
+
 refpolicy (2:2.20250213-8) unstable; urgency=medium
 
   * Fix syntax errors
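Review bot: the -9 and -10 entries leave out several changes that are visible further down in the trixie patch: the ssh-agent socket-file change in ssh.te (create widened to manage), the new files_usr_domtrans interface in files.if, and the systemd_role_template additions in systemd.if. The checklist states that all changes are documented in d/changelog, so add a line for each, and expand "Fixes for evolution, colord, dbus, wm, and xdm" to say that xdm_t gains entrypoint on xsession_exec_t, since that alters the entrypoint model rather than merely adding an access.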
diff -Nru refpolicy-2.20250213/debian/patches/0000-seusers-sddm refpolicy-2.20250213/debian/patches/0000-seusers-sddm
--- refpolicy-2.20250213/debian/patches/0000-seusers-sddm	2023-09-27 23:41:10.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0000-seusers-sddm	2025-07-17 16:35:43.000000000 +1000
@@ -1,24 +1,27 @@
-Index: refpolicy-2.20220427/config/appconfig-mcs/seusers
+Index: refpolicy-2.20250213/config/appconfig-mcs/seusers
 ===================================================================
---- refpolicy-2.20220427.orig/config/appconfig-mcs/seusers
-+++ refpolicy-2.20220427/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
+--- refpolicy-2.20250213.orig/config/appconfig-mcs/seusers
++++ refpolicy-2.20250213/config/appconfig-mcs/seusers
+@@ -1,2 +1,4 @@
  root:root:s0-mcs_systemhigh
  __default__:user_u:s0
 +sddm:xdm:s0
-Index: refpolicy-2.20220427/config/appconfig-mls/seusers
++Debian-gdm:xdm:s0
+Index: refpolicy-2.20250213/config/appconfig-mls/seusers
 ===================================================================
---- refpolicy-2.20220427.orig/config/appconfig-mls/seusers
-+++ refpolicy-2.20220427/config/appconfig-mls/seusers
-@@ -1,2 +1,3 @@
+--- refpolicy-2.20250213.orig/config/appconfig-mls/seusers
++++ refpolicy-2.20250213/config/appconfig-mls/seusers
+@@ -1,2 +1,4 @@
  root:root:s0-mls_systemhigh
  __default__:user_u:s0
 +sddm:xdm:s0
-Index: refpolicy-2.20220427/config/appconfig-standard/seusers
++Debian-gdm:xdm:s0
+Index: refpolicy-2.20250213/config/appconfig-standard/seusers
 ===================================================================
---- refpolicy-2.20220427.orig/config/appconfig-standard/seusers
-+++ refpolicy-2.20220427/config/appconfig-standard/seusers
-@@ -1,2 +1,3 @@
+--- refpolicy-2.20250213.orig/config/appconfig-standard/seusers
++++ refpolicy-2.20250213/config/appconfig-standard/seusers
+@@ -1,2 +1,4 @@
  root:root
  __default__:user_u
 +sddm:xdm:s0
++Debian-gdm:xdm:s0
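Review bot: the new `Debian-gdm:xdm:s0` entry in appconfig-standard/seusers carries a level suffix although the two pre-existing entries in that file (`root:root`, `__default__:user_u`) have none. It mirrors the earlier `sddm:xdm:s0` line, so it is at least consistent with that, but for the non-MLS configuration the `:s0` field is unnecessary; either drop it from both xdm entries or say in the patch header why it is kept.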
diff -Nru refpolicy-2.20250213/debian/patches/0030-user-sddm refpolicy-2.20250213/debian/patches/0030-user-sddm
--- refpolicy-2.20250213/debian/patches/0030-user-sddm	2025-04-25 15:22:59.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0030-user-sddm	2025-07-17 18:45:06.000000000 +1000
@@ -69,7 +69,16 @@
 ===================================================================
 --- refpolicy-2.20250213.orig/policy/modules/kernel/corecommands.fc
 +++ refpolicy-2.20250213/policy/modules/kernel/corecommands.fc
-@@ -266,6 +266,7 @@ ifdef(`distro_gentoo',`
+@@ -114,6 +114,8 @@ ifdef(`distro_redhat',`
+ /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/xdg/Xwayland-session.d/.*	--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -266,6 +268,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfconf/xfconfd	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfwm4/helper-dialog --	gen_context(system_u:object_r:bin_t,s0)
@@ -414,16 +423,7 @@
  /etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
-@@ -46,6 +47,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
- /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
- 
-+/etc/xdg/Xwayland-session.d/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-+
- #
- # /opt
- #
-@@ -87,6 +90,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
+@@ -87,6 +88,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
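Review bot: relabelling `/etc/xdg/Xwayland-session.d/.*` from xsession_exec_t (removed here) to bin_t (added in the corecommands.fc hunk above) changes more than the type name. As xsession_exec_t these scripts were domain-transition entrypoints into the user session domain; as bin_t they execute without a transition in whatever domain runs them, xdm_t in the display-manager case. Record that rationale in the patch header so the next person chasing a session denial knows the change was deliberate.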
diff -Nru refpolicy-2.20250213/debian/patches/trixie refpolicy-2.20250213/debian/patches/trixie
--- refpolicy-2.20250213/debian/patches/trixie	2025-07-06 19:29:50.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/trixie	2025-07-22 16:06:47.000000000 +1000
@@ -69,7 +69,15 @@
  kernel_read_kernel_sysctls(systemd_logind_t)
  
  dev_getattr_dma_dev(systemd_logind_t)
-@@ -2494,7 +2494,7 @@ fs_getattr_xattr_fs(systemd_user_runtime
+@@ -1296,6 +1296,7 @@ optional_policy(`
+ 	xserver_dbus_chat(systemd_logind_t)
+ 	xserver_dbus_chat_xdm(systemd_logind_t)
+ 	xserver_read_xdm_state(systemd_logind_t)
++	xserver_use_xdm_fds(systemd_logind_t)
+ ')
+ 
+ optional_policy(`
+@@ -2494,7 +2495,7 @@ fs_getattr_xattr_fs(systemd_user_runtime
  fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
  
  kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
@@ -78,3 +86,914 @@
  
  selinux_use_status_page(systemd_user_runtime_dir_t)
  
+Index: refpolicy-2.20250213/policy/modules/services/sympa.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/sympa.te
++++ refpolicy-2.20250213/policy/modules/services/sympa.te
+@@ -30,7 +30,8 @@ allow sympa_t self:capability { chown da
+ allow sympa_t self:fifo_file rw_fifo_file_perms;
+ allow sympa_t self:tcp_socket create_socket_perms;
+ allow sympa_t self:unix_dgram_socket create_socket_perms;
+-allow sympa_t self:process signull;
++allow sympa_t self:process { signull signal };
++allow sympa_t self:udp_socket create_socket_perms;
+ 
+ allow sympa_t sympa_etc_t:dir list_dir_perms;
+ allow sympa_t sympa_etc_t:file read_file_perms;
+@@ -55,6 +56,8 @@ corecmd_bin_entry_type(sympa_t)
+ corecmd_exec_bin(sympa_t)
+ corecmd_exec_shell(sympa_t)
+ 
++corenet_udp_bind_generic_node(sympa_t)
++
+ dev_read_urand(sympa_t)
+ 
+ files_read_etc_files(sympa_t)
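Review bot: `corenet_udp_bind_generic_node(sympa_t)` only permits binding to a node. If sympa binds the new UDP socket to a specific port, the `name_bind` on that port type will still be denied, so check the original AVC for a port-type denial and add the matching corenet_udp_bind_*_port call, or state that only the node bind was denied. A one-line comment naming which sympa daemon signals itself and creates the UDP socket would also help future readers of the `{ signull signal }` change.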
+Index: refpolicy-2.20250213/policy/modules/admin/apt.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/admin/apt.fc
++++ refpolicy-2.20250213/policy/modules/admin/apt.fc
+@@ -24,6 +24,7 @@ ifndef(`distro_redhat',`
+ /usr/lib/apt/apt-helper -- gen_context(system_u:object_r:apt_exec_t,s0)
+ 
+ /var/cache/apt(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
++/var/cache/apt-xapian-index`'(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
+ 
+ /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+ /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
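Review bot: the `` `' `` inserted into `/var/cache/apt-xapian-index`'(/.*)?` deserves a comment. It is there because `index` is an m4 builtin, so without the empty quotes m4 would attempt to expand `index(/.*)` while processing the .fc file; a one-line comment above the entry stops the next reader from removing it as a typo.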
+Index: refpolicy-2.20250213/policy/modules/system/opensnitch.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/opensnitch.fc
++++ refpolicy-2.20250213/policy/modules/system/opensnitch.fc
+@@ -1,3 +1,3 @@
+ /usr/bin/opensnitchd		--	gen_context(system_u:object_r:opensnitchd_exec_t,s0)
+-/var/log/opensnitchd\.log	--	gen_context(system_u:object_r:opensnitchd_log_t,s0)
++/var/log/opensnitchd\.log.*	--	gen_context(system_u:object_r:opensnitchd_log_t,s0)
+ /etc/opensnitchd(/.*)?			gen_context(system_u:object_r:opensnitchd_conf_t,s0)
+Index: refpolicy-2.20250213/policy/modules/admin/bootloader.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/admin/bootloader.fc
++++ refpolicy-2.20250213/policy/modules/admin/bootloader.fc
+@@ -3,6 +3,7 @@
+ /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ 
+ /usr/bin/bootctl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/bin/efibootmgr		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/bin/grub			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/bin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/bin/grub2?-install		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+@@ -15,6 +16,7 @@
+ /usr/bin/ybin.*			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ 
+ /usr/sbin/bootctl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/efibootmgr		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+Index: refpolicy-2.20250213/policy/modules/apps/screen.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/screen.fc
++++ refpolicy-2.20250213/policy/modules/apps/screen.fc
+@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf	--	gen_context(sys
+ /run/tmux(/.*)?			gen_context(system_u:object_r:screen_runtime_t,s0)
+ 
+ /usr/bin/screen		--	gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screendump	--	gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux		--	gen_context(system_u:object_r:screen_exec_t,s0)
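Review bot: confirm that labelling `/usr/bin/screendump` as screen_exec_t is intended. screen_exec_t is the entrypoint for the per-role screen domain, so if screendump is the virtual-console dump utility rather than part of GNU screen, it will run in a domain whose permissions were written for GNU screen; a comment naming the denial this fixes would settle whether that is the right domain.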
+Index: refpolicy-2.20250213/policy/modules/system/lvm.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/lvm.fc
++++ refpolicy-2.20250213/policy/modules/system/lvm.fc
+@@ -121,6 +121,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/pvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /usr/sbin/pvs			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /usr/sbin/pvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/veritysetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /usr/sbin/vgcfgbackup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /usr/sbin/vgcfgrestore		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /usr/sbin/vgchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+Index: refpolicy-2.20250213/policy/modules/system/fstools.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/fstools.fc
++++ refpolicy-2.20250213/policy/modules/system/fstools.fc
+@@ -14,7 +14,6 @@
+ /usr/bin/e4fsck			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/e2mmpstatus		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/usr/bin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/findfs			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -71,7 +70,6 @@
+ /usr/sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/e2mmpstatus		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/usr/sbin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
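Review bot: the two efibootmgr removals here pair with the additions in bootloader.fc above and must ship together, since two specs for one path with different types are rejected as conflicting specifications at load time. Note also that this moves efibootmgr from fsadm_t to bootloader_t (via bootloader_exec_t), so any caller that previously reached it through an fsadm domain transition now needs the bootloader equivalent; the -9 changelog entry only says "Labelled", which hides that side effect.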
+Index: refpolicy-2.20250213/policy/modules/apps/gnome.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/gnome.if
++++ refpolicy-2.20250213/policy/modules/apps/gnome.if
+@@ -123,6 +123,10 @@ template(`gnome_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		xserver_read_xdm_lib_files($1_gkeyringd_t)
++	')
++
++	optional_policy(`
+ 		systemd_user_app_status($1, $1_gkeyringd_t)
+ 	')
+ ')
+@@ -822,6 +826,25 @@ interface(`gnome_mmap_gstreamer_orcexec'
+ ')
+ 
+ ########################################
++## <summary>
++##	mmap read gnome_xdg_config_t files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_mmap_read_xdg_config_files',`
++	gen_require(`
++		type gnome_xdg_config_t;
++	')
++
++	allow $1 gnome_xdg_config_t:dir list_dir_perms;
++	allow $1 gnome_xdg_config_t:file mmap_read_file_perms;
++')
++
++########################################
+ ## <summary>
+ ##	watch gnome_xdg_config_t dirs
+ ## </summary>
+Index: refpolicy-2.20250213/policy/modules/apps/wm.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/wm.if
++++ refpolicy-2.20250213/policy/modules/apps/wm.if
+@@ -57,7 +57,7 @@ template(`wm_role_template',`
+ 
+ 	allow $3 $1_wm_t:fd use;
+ 
+-	allow $1_wm_t $3:unix_stream_socket { connectto read write getopt getattr accept };
++	allow $1_wm_t $3:unix_stream_socket { connectto read write getopt ioctl getattr accept };
+ 	allow $3 $1_wm_t:unix_stream_socket { connectto read write getopt shutdown };
+ 	allow $3 $1_wm_t:fifo_file read_fifo_file_perms;
+ 
+@@ -79,6 +79,15 @@ template(`wm_role_template',`
+ 
+ 	domain_use_interactive_fds($1_wm_t)
+ 
++	files_usr_domtrans($1_wm_t, $2)
++
++	files_watch_etc_dirs($1_wm_t)
++	files_watch_usr_dirs($1_wm_t)
++	files_watch_var_lib_dirs($1_wm_t)
++
++	fs_read_cgroup_symlinks($1_wm_t)
++	fs_create_cgroup_dirs($1_wm_t)
++
+ 	mls_file_read_all_levels($1_wm_t)
+ 	mls_file_write_all_levels($1_wm_t)
+ 	mls_xwin_read_all_levels($1_wm_t)
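Review bot: `files_usr_domtrans($1_wm_t, $2)` makes the window manager transition to the full user domain whenever it executes any file labelled usr_t, and usr_t is the catch-all type for /usr content no other spec matches, so the rule is far broader than the one helper that presumably triggered it. Labelling that helper bin_t (as the `glib-2.0` entry in the corecommands.fc hunk further down does) lets the existing bin_t transition cover it without the new interface. A comment on `fs_create_cgroup_dirs($1_wm_t)` explaining why the wm creates cgroup directories would also help.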
+@@ -90,15 +99,28 @@ template(`wm_role_template',`
+ 
+ 	libs_read_lib_files($1_wm_t)
+ 
++	init_read_state($1_wm_t)
++
+ 	miscfiles_manage_fonts_cache($1_wm_t)
+ 
++	udev_list_runtime($1_wm_t)
++
++	userdom_manage_user_runtime_dirs($1_wm_t)
++
+ 	userdom_rw_user_tmpfs_files($1_wm_t)
+ 	userdom_map_user_tmpfs_files($1_wm_t)
++	userdom_manage_user_tmp_files($1_wm_t)
++	userdom_map_user_tmp_files($1_wm_t)
+ 
+ 	dev_rw_input_dev($1_wm_t)
+ 
+ 	logging_send_syslog_msg($1_wm_t)
+ 
++	xdg_watch_cache_files($1_wm_t)
++
++	xdg_watch_config_dirs($1_wm_t)
++	xdg_watch_data_dirs($1_wm_t)
++
+ 	xserver_role($1, $1_wm_t, $3, $4)
+ 	xserver_manage_core_devices($1_wm_t)
+ 
+@@ -109,7 +131,12 @@ template(`wm_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		apt_dbus_chat($1_wm_t)
++	')
++
++	optional_policy(`
+ 		dbus_connect_spec_session_bus($1, $1_wm_t)
++		dbus_getattr_session_runtime_socket($1_wm_t)
+ 		dbus_read_lib_files($1_wm_t)
+ 		dbus_spec_session_bus_client($1, $1_wm_t)
+ 		dbus_system_bus_client($1_wm_t)
+@@ -121,6 +148,15 @@ template(`wm_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		colord_dbus_chat($1_wm_t)
++	')
++
++	optional_policy(`
++		geoclue_dbus_chat($1_wm_t)
++	')
++
++	optional_policy(`
++		gnome_mmap_read_xdg_config_files($1_wm_t)
+ 		gnome_stream_connect_all_gkeyringd($1_wm_t)
+ 	')
+ 
+@@ -142,7 +178,11 @@ template(`wm_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		systemd_list_userdb_runtime_dirs($1_wm_t)
++		systemd_read_logind_runtime_files($1_wm_t)
+ 		systemd_read_logind_state($1_wm_t)
++		systemd_read_logind_sessions_files($1_wm_t)
++		systemd_search_user_runtime($1_wm_t)
+ 		systemd_use_logind_fds($1_wm_t)
+ 		systemd_user_app_status($1, $1_wm_t)
+ 		systemd_write_inherited_logind_inhibit_pipes($1_wm_t)
+@@ -290,6 +330,60 @@ interface(`wm_dontaudit_exec_tmpfs_files
+ 
+ ########################################
+ ## <summary>
++##      Allow receiving fd from wm domain
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`wm_receive_fd',`
++	gen_require(`
++		attribute wm_domain;
++	')
++
++	allow $1 wm_domain:fd use;
++')
++
++########################################
++## <summary>
++##      Allow using socket of wm domain
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`wm_sock_rw',`
++	gen_require(`
++		attribute wm_domain;
++	')
++
++	allow $1 wm_domain:unix_stream_socket rw_stream_socket_perms;
++')
++
++########################################
++## <summary>
++##      Allow sending fd to wm domain
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`wm_send_fd',`
++	gen_require(`
++		attribute wm_domain;
++	')
++
++	allow wm_domain $1:fd use;
++')
++
++########################################
++## <summary>
+ ##	Create a domain for applications
+ ##	that are launched by the window
+ ##	manager.
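Review bot: the doc comments of `wm_receive_fd`, `wm_sock_rw` and `wm_send_fd` indent with spaces, while the neighbouring blocks in this file (e.g. `##	Create a domain for applications`) use a tab after `##`; use tabs for consistency. The summaries should also state the direction precisely in refpolicy terms: `wm_send_fd` grants `allow wm_domain $1:fd use`, i.e. the wm domain uses fds it received from $1, which the bare word "sending" leaves ambiguous.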
+@@ -330,6 +424,7 @@ interface(`wm_application_domain',`
+ 
+ 	userdom_user_application_domain($1, $2)
+ 	domtrans_pattern(wm_domain, $2, $1)
++	allow $1 wm_domain:unix_stream_socket rw_stream_socket_perms;
+ ')
+ 
+ ########################################
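Review bot: the `allow $1 wm_domain:unix_stream_socket rw_stream_socket_perms;` added to `wm_application_domain` duplicates the body of the new `wm_sock_rw` interface above; call `wm_sock_rw($1)` here instead, which also gives that interface its first caller (nothing else in this debdiff uses it).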
+Index: refpolicy-2.20250213/policy/modules/services/ssh.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/ssh.te
++++ refpolicy-2.20250213/policy/modules/services/ssh.te
+@@ -180,7 +180,7 @@ tunable_policy(`allow_ssh_keysign',`
+ 
+ ifdef(`init_systemd',`
+ 	systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file)
+-	systemd_user_sessions_create_sock_file(ssh_agent_tmp_t)
++	systemd_user_sessions_manage_sock_file(ssh_agent_tmp_t)
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
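Review bot: replacing `systemd_user_sessions_create_sock_file` with `systemd_user_sessions_manage_sock_file` widens the user systemd instance's rights on ssh_agent_tmp_t socket files from create to full manage (setattr, rename, unlink and the rest). The `systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file)` line above already handles session-teardown removal, so please name the denied permission in the changelog and, if it was a single one, grant only that.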
+Index: refpolicy-2.20250213/policy/modules/services/xserver.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/xserver.te
++++ refpolicy-2.20250213/policy/modules/services/xserver.te
+@@ -343,6 +343,9 @@ allow xdm_t self:socket create_socket_pe
+ allow xdm_t self:appletalk_socket create_socket_perms;
+ allow xdm_t self:key { link search write };
+ 
++# for sddm
++allow xdm_t xsession_exec_t:file entrypoint;
++
+ # for dbus-broker
+ allow xdm_t self:system { start reload };
+ 
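Review bot: `allow xdm_t xsession_exec_t:file entrypoint;` means xdm_t can now be entered by executing any Xsession script, not only xdm_exec_t, and those same scripts are the entrypoints for the user session domains, so the rule blurs the boundary the xdm/session split exists to enforce. If sddm runs a specific helper script in xdm_t, labelling that one path xdm_exec_t (or giving it its own exec type) keeps the entrypoint set narrow; at minimum expand the `# for sddm` comment to name the path that requires this.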
+@@ -491,6 +494,8 @@ auth_write_login_records(xdm_t)
+ # Run telinit->init to shutdown.
+ init_telinit(xdm_t)
+ 
++init_get_system_status(xdm_t)
++
+ init_pgm_entrypoint(xdm_t)
+ 
+ libs_exec_lib_files(xdm_t)
+Index: refpolicy-2.20250213/policy/modules/system/systemd.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/systemd.if
++++ refpolicy-2.20250213/policy/modules/system/systemd.if
+@@ -73,6 +73,9 @@ template(`systemd_role_template',`
+ 	allow $3 $1_systemd_t:dbus send_msg;
+ 	allow $1_systemd_t $3:dbus send_msg;
+ 
++	# for gnome-session-binary
++	allow $3 $1_systemd_t:unix_dgram_socket sendto;
++
+ 	# systemctl --user rules
+ 	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
+ 	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
+@@ -105,11 +108,19 @@ template(`systemd_role_template',`
+ 	storage_getattr_removable_dev($1_systemd_t)
+ 	term_dontaudit_getattr_unallocated_ttys($1_systemd_t)
+ 
+-	files_search_home($1_systemd_t)
++	clock_read_adjtime($1_systemd_t)
++
++	files_exec_usr_files($1_systemd_t)
++	files_list_home($1_systemd_t)
++	files_watch_home($1_systemd_t)
+ 	files_getattr_usr_files($1_systemd_t)
+ 	files_read_usr_files($1_systemd_t)
+ 	files_watch_etc_dirs($1_systemd_t)
+ 	files_watch_root_dirs($1_systemd_t)
++	files_list_var($1_systemd_t)
++	files_watch_var_dirs($1_systemd_t)
++	files_list_var_lib($1_systemd_t)
++	files_watch_var_lib_dirs($1_systemd_t)
+ 
+ 	fs_getattr_xattr_fs($1_systemd_t)
+ 	fs_getattr_nsfs_files($1_systemd_t)
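Review bot: `files_exec_usr_files($1_systemd_t)` lets the per-user systemd instance execute any usr_t-labelled file in its own domain; as with the wm.if change above, the file that triggered the denial is probably better labelled bin_t so the normal transition rules apply. The replacement of `files_search_home` with `files_list_home` and `files_watch_home` is fine.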
+@@ -141,6 +152,9 @@ template(`systemd_role_template',`
+ 	systemd_stop_user_manager_units($1_systemd_t)
+ 	systemd_reload_user_manager_units($1_systemd_t)
+ 
++	systemd_list_userdb_runtime_dirs($1_systemd_t)
++	systemd_stream_connect_homed($1_systemd_t)
++
+ 	# for wireplumber
+ 	systemd_read_logind_runtime_files($3)
+ 	systemd_watch_logind_runtime_dirs($3)
+@@ -155,7 +169,8 @@ template(`systemd_role_template',`
+ 	seutil_search_default_contexts($1_systemd_t)
+ 	seutil_read_file_contexts($1_systemd_t)
+ 
+-	userdom_search_user_home_dirs($1_systemd_t)
++	userdom_list_user_home_dirs($1_systemd_t)
++	userdom_watch_user_home_dirs($1_systemd_t)
+ 	userdom_list_user_home_content($1_systemd_t)
+ 	userdom_write_user_tmp_sockets($1_systemd_t)
+ 
+@@ -276,9 +291,13 @@ template(`systemd_role_template',`
+ 		xdg_read_cache_files($1_systemd_t)
+ 		xdg_read_config_files($1_systemd_t)
+ 		xdg_read_data_files($1_systemd_t)
++		xdg_watch_cache_dirs($1_systemd_t)
+ 	')
+ 
+ 	optional_policy(`
++		xserver_read_xdm_lib_files($1_systemd_t)
++		xserver_watch_xdm_lib_dirs($1_systemd_t)
++		xserver_read_xdm_state($1_systemd_t)
+ 		xserver_use_user_fonts($1_systemd_t)
+ 	')
+ ')
+@@ -3020,6 +3039,24 @@ interface(`systemd_user_sessions_create_
+ ')
+ 
+ ########################################
++## <summary>
++##    allow systemd --user to manage stream socket file
++## </summary>
++## <param name="type">
++##    <summary>
++##    type of the socket file
++##    </summary>
++## </param>
++#
++interface(`systemd_user_sessions_manage_sock_file',`
++	gen_require(`
++		attribute systemd_user_session_type;
++	')
++
++	allow systemd_user_session_type $1:sock_file manage_sock_file_perms;
++')
++
++########################################
+ ## <summary>
+ ##    Unlink user runtime entries
+ ## </summary>
+Index: refpolicy-2.20250213/policy/modules/system/xdg.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/xdg.if
++++ refpolicy-2.20250213/policy/modules/system/xdg.if
+@@ -103,6 +103,24 @@ interface(`xdg_watch_cache_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Watch the xdg cache home files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xdg_watch_cache_files',`
++	gen_require(`
++		type xdg_cache_t;
++	')
++
++	allow $1 xdg_cache_t:file watch;
++')
++
++########################################
++## <summary>
+ ##	Watch all the xdg cache home directories
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20250213/policy/modules/services/geoclue.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/geoclue.if
++++ refpolicy-2.20250213/policy/modules/services/geoclue.if
+@@ -1 +1,21 @@
+ ## <summary>Geoclue is a D-Bus service that provides location information.</summary>
++
++########################################
++## <summary>
++##      Send and receive messages from geoclue over dbus
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`geoclue_dbus_chat',`
++	gen_require(`
++		type geoclue_t;
++		class dbus send_msg;
++	')
++
++	allow $1 geoclue_t:dbus send_msg;
++	allow geoclue_t $1:dbus send_msg;
++')
+Index: refpolicy-2.20250213/policy/modules/kernel/files.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/kernel/files.if
++++ refpolicy-2.20250213/policy/modules/kernel/files.if
+@@ -5775,6 +5775,42 @@ interface(`files_usr_filetrans',`
+ 	filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+ 
++
++########################################
++## <summary>
++##      Execute a usr_t file in the specified domain.
++## </summary>
++## <desc>
++##      <p>
++##      Execute a usr_t file in the specified domain.
++##      </p>
++##      <p>
++##      No interprocess communication (signals, pipes,
++##      etc.) is provided by this interface since
++##      the domains are not owned by this module.
++##      </p>
++## </desc>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++## <param name="target_domain">
++##      <summary>
++##      The type of the process.
++##      </summary>
++## </param>
++#
++interface(`files_usr_domtrans',`
++	gen_require(`
++		type usr_t;
++	')
++
++	files_list_usr($1)
++	domain_transition_pattern($1, usr_t, $2)
++	type_transition $1 usr_t:process $2;
++')
++
+ ########################################
+ ## <summary>
+ ##	Search directories in /usr/src.
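Review bot: `files_usr_domtrans` spells out `domain_transition_pattern` plus an explicit `type_transition`, which is exactly what `domain_auto_transition_pattern` provides (the userdomain.if hunk below uses it); use that macro here. The hunk also adds a second blank line before the `####` separator where the context already has one; drop it.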
+Index: refpolicy-2.20250213/policy/modules/apps/evolution.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/evolution.fc
++++ refpolicy-2.20250213/policy/modules/apps/evolution.fc
+@@ -14,4 +14,5 @@ HOME_DIR/\.local/share/camel_certs(/.*)?
+ /usr/libexec/evolution/.*evolution-alarm-notify.*	--	gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+ /usr/libexec/evolution/.*evolution-exchange-storage.*	--	gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+ /usr/libexec/evolution-data-server.*	--	gen_context(system_u:object_r:evolution_server_exec_t,s0)
++/usr/libexec/evolution-data-server/evolution-alarm-notify	--	gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+ /usr/libexec/evolution-webcal.*	--	gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
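Review bot: the new literal `/usr/libexec/evolution-data-server/evolution-alarm-notify` entry is also matched by the preceding `/usr/libexec/evolution-data-server.*` regex, which labels it evolution_server_exec_t. The literal path is more specific and therefore wins during labelling, which is what makes this work, but a short comment saying so will keep someone from later "fixing" the apparent overlap.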
+Index: refpolicy-2.20250213/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20250213/policy/modules/kernel/corecommands.fc
+@@ -177,6 +177,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/(.*/)?glib-2.0(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
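Review bot: `/usr/lib/(.*/)?glib-2.0(/.*)?` labels everything under every glib-2.0 directory as bin_t, not only the executables. If those directories also hold non-executable data, a pattern naming the helper binaries (with `--`) keeps bin_t to files that are actually run.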
+Index: refpolicy-2.20250213/policy/modules/apps/evolution.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/evolution.te
++++ refpolicy-2.20250213/policy/modules/apps/evolution.te
+@@ -308,17 +308,39 @@ corecmd_exec_bin(evolution_alarm_t)
+ dev_read_urand(evolution_alarm_t)
+ 
+ files_read_usr_files(evolution_alarm_t)
++files_map_usr_files(evolution_alarm_t)
++files_watch_etc_dirs(evolution_alarm_t)
++files_watch_usr_dirs(evolution_alarm_t)
++files_watch_var_lib_dirs(evolution_alarm_t)
+ 
+ fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
+ fs_search_auto_mountpoints(evolution_alarm_t)
+ 
++logging_send_syslog_msg(evolution_alarm_t)
++
+ auth_use_nsswitch(evolution_alarm_t)
+ 
++gnome_mmap_read_xdg_config_files(evolution_alarm_t)
++
+ miscfiles_read_localization(evolution_alarm_t)
+ 
+ userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
++userdom_search_user_runtime(evolution_alarm_t)
++userdom_write_user_tmp_sockets(evolution_alarm_t)
++userdom_list_user_tmp(evolution_alarm_t)
++userdom_rw_user_tmp_files(evolution_alarm_t)
++userdom_map_user_tmp_files(evolution_alarm_t)
++userdom_watch_user_home_dirs(evolution_alarm_t)
++
++wm_rw_tmpfs_files(evolution_alarm_t)
++
++xdg_search_config_dirs(evolution_alarm_t)
++xdg_search_data_dirs(evolution_alarm_t)
++xdg_read_config_files(evolution_alarm_t)
++xdg_read_data_files(evolution_alarm_t)
+ 
+ xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
++xserver_read_xkb_libs(evolution_alarm_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_manage_nfs_dirs(evolution_alarm_t)
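Review bot: `wm_rw_tmpfs_files(evolution_alarm_t)` and `gnome_mmap_read_xdg_config_files(evolution_alarm_t)` are called unconditionally, while the same modules' other interfaces in this file (`wm_send_fd` in the hunk below, `gnome_stream_connect_gconf`) are wrapped in `optional_policy`. wm and gnome are optional modules, so the policy build fails when either is not loaded; move both calls inside an `optional_policy` block.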
+@@ -335,6 +357,7 @@ tunable_policy(`use_samba_home_dirs',`
+ optional_policy(`
+ 	dbus_all_session_bus_client(evolution_alarm_t)
+ 	dbus_connect_all_session_bus(evolution_alarm_t)
++	dbus_write_session_runtime_socket(evolution_alarm_t)
+ 
+ 	optional_policy(`
+ 		evolution_dbus_chat(evolution_alarm_t)
+@@ -345,6 +368,10 @@ optional_policy(`
+ 	gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+ 
++optional_policy(`
++	wm_send_fd(evolution_alarm_t)
++')
++
+ ########################################
+ #
+ # Exchange local policy
+Index: refpolicy-2.20250213/policy/modules/services/dbus.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dbus.te
++++ refpolicy-2.20250213/policy/modules/services/dbus.te
+@@ -314,6 +314,14 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	wm_receive_fd(system_dbusd_t)
++')
++
++optional_policy(`
++	xdg_read_data_files(system_dbusd_t)
++')
++
++optional_policy(`
+ 	xserver_read_xdm_lib_files(system_dbusd_t)
+ 	xserver_use_xdm_fds(system_dbusd_t)
+ ')
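Review bot: `xdg_read_data_files(system_dbusd_t)` gives the system bus daemon read access to users' XDG data files. The system bus should not normally need per-user data (that is the session bus's territory), so please record which denial prompted it and consider whether the session-bus domain or a dontaudit is the right target. `wm_receive_fd(system_dbusd_t)` is plausible for fd passing over the bus.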
+Index: refpolicy-2.20250213/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20250213/policy/modules/system/userdomain.if
+@@ -130,8 +130,10 @@ template(`userdom_base_user_template',`
+ 	init_get_system_status($1_t)
+ 
+ 	optional_policy(`
++		apt_dbus_chat($1_t)
+ 		apt_read_cache($1_t)
+ 		apt_read_db($1_t)
++		apt_watch_db($1_t)
+ 	')
+ 
+ 	tunable_policy(`allow_execmem',`
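Review bot: apt_dbus_chat($1_t) is placed in userdom_base_user_template, so every user domain built from it, including unprivileged ones, gets bidirectional dbus send_msg with apt_t; consider restricting this to the desktop/unprivileged-user templates or a tunable, and note that the apt_dbus_chat interface itself is introduced further down in this same diff (apt.if hunk), so the two must land together.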
+@@ -159,8 +161,16 @@ template(`userdom_base_user_template',`
+ 	')
+ 
+ 	optional_policy(`
++		geoclue_dbus_chat($1_t)
++	')
++
++	optional_policy(`
+ 		kerneloops_dbus_chat($1_t)
+ 	')
++
++	optional_policy(`
++		ntp_dbus_chat($1_t)
++	')
+ ')
+ 
+ #######################################
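Review bot: geoclue_dbus_chat and ntp_dbus_chat are likewise added to the base user template for all user domains; the wrapping optional_policy blocks are correct, but as with apt the access applies to every user role, so it is worth stating whether the geoclue and ntp daemons' own dbus policies (not the SELinux policy) are what actually restricts what a user can request over these channels.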
+@@ -2048,10 +2058,10 @@ interface(`userdom_home_filetrans_user_h
+ #
+ interface(`userdom_user_home_domtrans',`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
++		type user_home_dir_t, user_home_t, user_bin_t;
+ 	')
+ 
+-	domain_auto_transition_pattern($1, user_home_t, $2)
++	domain_auto_transition_pattern($1, { user_home_t user_bin_t }, $2)
+ 	allow $1 user_home_dir_t:dir search_dir_perms;
+ 	files_search_home($1)
+ ')
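Review bot: userdom_user_home_domtrans now auto-transitions on user_bin_t as well as user_home_t, which changes the semantics of an existing interface for all of its callers, not only the new bubblewrap caller in this diff; the interface documentation above this hunk (not shown) should be updated to mention user_bin_t, and the gen_require change on the `type` line is required for the new pattern so both lines must stay together.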
+Index: refpolicy-2.20250213/policy/modules/admin/apt.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/admin/apt.if
++++ refpolicy-2.20250213/policy/modules/admin/apt.if
+@@ -238,6 +238,25 @@ interface(`apt_manage_db',`
+ 
+ ########################################
+ ## <summary>
++##	watch apt db dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`apt_watch_db',`
++	gen_require(`
++		type apt_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 apt_var_lib_t:dir watch;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to create,
+ ##	read, write, and delete apt
+ ##	package database content.
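Review bot: the new apt_watch_db interface is fine as written (search var_lib plus dir watch only); for consistency with the surrounding refpolicy XML doc blocks the summary should read "Watch apt db dirs." with a capital and a full stop, matching "Do not audit attempts to create, ..." in the next interface.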
+@@ -257,3 +276,23 @@ interface(`apt_dontaudit_manage_db',`
+ 	dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ 	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+ ')
++
++########################################
++## <summary>
++##      Send and receive messages from apt over dbus
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`apt_dbus_chat',`
++	gen_require(`
++		type apt_t;
++		class dbus send_msg;
++	')
++
++	allow $1 apt_t:dbus send_msg;
++	allow apt_t $1:dbus send_msg;
++')
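Review bot: the doc comment lines of apt_dbus_chat are indented with spaces, whereas the apt_watch_db block just above and the rest of apt.if use a tab after `##`; please switch to tabs so the generated interface documentation stays uniform. The `class dbus send_msg;` gen_require and the two symmetric allow rules match the pattern used by other *_dbus_chat interfaces.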
+Index: refpolicy-2.20250213/policy/modules/services/dbus.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dbus.if
++++ refpolicy-2.20250213/policy/modules/services/dbus.if
+@@ -156,8 +156,17 @@ template(`dbus_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		wm_receive_fd($1_dbusd_t)
++		wm_sock_rw($1_dbusd_t)
++	')
++
++	optional_policy(`
+ 		xdg_read_data_files($1_dbusd_t)
+ 	')
++
++	optional_policy(`
++		xserver_read_xdm_lib_files($1_dbusd_t)
++	')
+ ')
+ 
+ #######################################
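Review bot: xserver_read_xdm_lib_files($1_dbusd_t) now also grants list_dir_perms on xdm_var_lib_t because that interface is extended in the xserver.if hunk below, so the session bus gains directory listing as well as file reads; fine if intended, but a comment explaining why the per-role session bus needs xdm lib files would help future readers distinguish this from the system_dbusd_t rule already present in the same file.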
+Index: refpolicy-2.20250213/policy/modules/services/xserver.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/xserver.if
++++ refpolicy-2.20250213/policy/modules/services/xserver.if
+@@ -56,6 +56,9 @@ template(`xserver_restricted_role',`
+ 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ 	files_search_tmp($2)
+ 
++	# for /run/gdm3/dbus/
++	allow $2 xdm_var_run_t:sock_file write_sock_file_perms;
++
+ 	# Communicate via System V shared memory.
+ 	allow $2 xserver_t:fd use;
+ 	allow $2 xserver_t:shm r_shm_perms;
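Review bot: the new rule grants $2 write_sock_file_perms on every sock_file of type xdm_var_run_t, whereas the comment says it is only for /run/gdm3/dbus/; if other sockets under /run/gdm3 carry the same type, a dedicated type for the dbus socket directory would scope this more tightly. Also confirm xdm_var_run_t is in this template's gen_require block, which is outside the visible hunk.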
+@@ -224,7 +227,7 @@ template(`xserver_role',`
+ 
+ 	xserver_read_xkb_libs($2)
+ 
+-	allow $2 xdm_t:unix_stream_socket { getattr accept };
++	allow $2 xdm_t:unix_stream_socket { accept rw_socket_perms };
+ 
+ 	optional_policy(`
+ 		systemd_user_app_status($1, xserver_t)
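Review bot: replacing `{ getattr accept }` with `{ accept rw_socket_perms }` widens the user role's access to xdm_t unix stream sockets from inspect/accept to full read/write; a one-line comment stating which display-manager socket the session must read and write (the commit gives no rationale here) would document why the narrower set was insufficient.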
+@@ -1102,12 +1105,13 @@ interface(`xserver_read_xdm_lib_files',`
+ 		type xdm_var_lib_t;
+ 	')
+ 
++	allow $1 xdm_var_lib_t:dir list_dir_perms;
+ 	allow $1 xdm_var_lib_t:file read_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	map XDM var lib files.
++##	read and map XDM var lib files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
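Review bot: adding `allow $1 xdm_var_lib_t:dir list_dir_perms;` to xserver_read_xdm_lib_files silently broadens an existing interface for all current callers (including the dbus.te and dbus.if users in this diff); that is reasonable since reading files normally implies listing, but it should be mentioned in the changelog. The summary change to "read and map XDM var lib files." belongs to the interface renamed in the following hunk, so the two hunks must be applied together.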
+@@ -1115,12 +1119,31 @@ interface(`xserver_read_xdm_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_map_xdm_lib_files',`
++interface(`xserver_mmap_read_xdm_lib_files',`
++	gen_require(`
++		type xdm_var_lib_t;
++	')
++
++	allow $1 xdm_var_lib_t:dir list_dir_perms;
++	allow $1 xdm_var_lib_t:file mmap_read_file_perms;
++')
++
++########################################
++## <summary>
++##      watch XDM var lib dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`xserver_watch_xdm_lib_dirs',`
+ 	gen_require(`
+ 		type xdm_var_lib_t;
+ 	')
+ 
+-	allow $1 xdm_var_lib_t:file map;
++	allow $1 xdm_var_lib_t:dir watch;
+ ')
+ 
+ ########################################
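Review bot: renaming xserver_map_xdm_lib_files to xserver_mmap_read_xdm_lib_files removes the old interface name, so any caller not updated in this diff will break at build time (colord.te is updated below; nothing else is visible); if out-of-tree policy may reference the old name, keep a deprecated wrapper. Also, the xserver_watch_xdm_lib_dirs doc block uses spaces after `##` where the file uses tabs, and its summary should be capitalised ("Watch XDM var lib dirs.").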
+Index: refpolicy-2.20250213/policy/modules/services/colord.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/colord.te
++++ refpolicy-2.20250213/policy/modules/services/colord.te
+@@ -164,8 +164,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	xserver_read_xdm_lib_files(colord_t)
+-	xserver_map_xdm_lib_files(colord_t)
++	wm_receive_fd(colord_t)
++')
++
++optional_policy(`
++	xserver_mmap_read_xdm_lib_files(colord_t)
+ 	xserver_read_xdm_state(colord_t)
+ 	xserver_use_xdm_fds(colord_t)
+ ')
+Index: refpolicy-2.20250213/policy/modules/apps/gnome.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/gnome.te
++++ refpolicy-2.20250213/policy/modules/apps/gnome.te
+@@ -35,6 +35,7 @@ userdom_user_home_content(gnome_keyring_
+ type gnome_keyring_tmp_t;
+ userdom_user_tmp_file(gnome_keyring_tmp_t)
+ userdom_user_runtime_content(gnome_keyring_tmp_t)
++systemd_user_activated_sock_file(gnome_keyring_tmp_t)
+ 
+ type gnome_xdg_cache_t;
+ xdg_cache_content(gnome_xdg_cache_t)
+Index: refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dnsmasq.fc
++++ refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
+@@ -13,7 +13,7 @@
+ 
+ /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+ 
+-/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
++/var/lib/misc/dnsmasq\.([a-z0-9]+\.)?leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ 
+ /var/log/dnsmasq.*		--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
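Review bot: the new pattern `dnsmasq\.([a-z0-9]+\.)?leases` matches both dnsmasq.leases and dnsmasq.<name>.leases, but the character class excludes uppercase letters, `-` and `_`; if per-instance lease files can be named with those characters they would fall back to the generic /var/lib label and dnsmasq would be denied access, so consider `[^/.]+` or document the naming assumption.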
+Index: refpolicy-2.20250213/policy/modules/services/container.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/container.fc
++++ refpolicy-2.20250213/policy/modules/services/container.fc
+@@ -78,6 +78,7 @@ HOME_DIR/\.docker(/.*)?		gen_context(sys
+ /var/lib/containers/storage/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
+ 
+ /var/lib/crio(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
++/var/lib/lxc(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+ 
+ /var/lib/docker(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+ /var/lib/docker/.*/config\.env	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+Index: refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/bubblewrap.if
++++ refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
+@@ -99,6 +99,7 @@ template(`bubblewrap_role',`
+ 	userdom_manage_user_home_content_files($1_bubblewrap_t)
+ 	userdom_use_user_ptys($1_bubblewrap_t)
+ 	userdom_use_user_ttys($1_bubblewrap_t)
++	userdom_user_home_domtrans($1_bubblewrap_t, $2)
+ 
+ 	ifndef(`enable_mls',`
+ 		fs_search_removable($1_bubblewrap_t)
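Review bot: userdom_user_home_domtrans($1_bubblewrap_t, $2) combined with the userdomain.if change above means that when $1_bubblewrap_t executes user_home_t or user_bin_t content it auto-transitions to $2; since bubblewrap is the sandboxing helper, a comment explaining why executables from the user's home should leave the bubblewrap domain for $2 (rather than staying confined) would make the intent clear and keep this from being read as a sandbox escape path.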

--- End Message ---
--- Begin Message ---
Unblocked refpolicy.

--- End Message ---