!217 backport some upstream patches

From: @HuaxinLuGitee 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

Add-initial-policy-for-the-usr-sbin-request-key-help.patch

@@ -0,0 +1,227 @@
+From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Mon, 30 Jan 2023 14:46:50 +0100
+Subject: [PATCH 2/5] Add initial policy for the /usr/sbin/request-key helper
+
+The kernel is hard-coded to call /sbin/request-key to handle requests
+for instantiating keys that are not found in the existing keyrings.
+
+Thus, we need to add a domain for this helper and set up a transition
+into that domain from kernel_t.
+
+request-key dispatches the key requests to further helper programs based
+on the configuration in /etc/request-key.d/*.conf and
+/etc/request-key.conf. Currently, the only known used dispatcher is
+/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle
+requests for the 'id_resolver' key type. This patch adds the minimal
+policy for this helper that is needed for an NFS mount to succeed.
+
+Policy for other request-key helper programs may need to be added in the
+future. An optional mechanism to allow any possible configuration (e.g.
+by setting up a transition over any file to unconfined_service_t) may be
+also desired. For now let's at least make the one known use case work.
+
+Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policy/modules.conf                |  7 +++++
+ policy/modules/contrib/keyutils.fc |  1 +
+ policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++
+ policy/modules/contrib/keyutils.te | 11 ++++++++
+ policy/modules/contrib/rpc.fc      |  1 +
+ policy/modules/contrib/rpc.te      | 32 ++++++++++++++++++++++
+ policy/modules/kernel/kernel.if    | 19 +++++++++++++
+ policy/modules/kernel/kernel.te    |  4 +++
+ 8 files changed, 118 insertions(+)
+ create mode 100644 policy/modules/contrib/keyutils.fc
+ create mode 100644 policy/modules/contrib/keyutils.if
+ create mode 100644 policy/modules/contrib/keyutils.te
+
+diff --git a/policy/modules.conf b/policy/modules.conf
+index 5e0678668..6f63c8cb6 100644
+--- a/policy/modules.conf
++++ b/policy/modules.conf
+@@ -3078,3 +3078,10 @@ rhcd = module
+ # wireguard
+ #
+ wireguard = module
++
++# Layer: contrib
++# Module: keyutils
++#
++#  keyutils - Linux Key Management Utilities
++#
++keyutils = module
+diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc
+new file mode 100644
+index 000000000..78c5f159f
+--- /dev/null
++++ b/policy/modules/contrib/keyutils.fc
+@@ -0,0 +1 @@
++/usr/sbin/request-key	--	gen_context(system_u:object_r:keyutils_request_exec_t,s0)
+diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if
+new file mode 100644
+index 000000000..06daab988
+--- /dev/null
++++ b/policy/modules/contrib/keyutils.if
+@@ -0,0 +1,43 @@
++## <summary>Linux Key Management Utilities</summary>
++
++#######################################
++## <summary>
++##	Execute request-key in the keyutils request domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keyutils_request_domtrans',`
++	gen_require(`
++		type keyutils_request_t, keyutils_request_exec_t;
++	')
++
++	domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t)
++')
++
++########################################
++## <summary>
++##	Allows to perform key instantiation callout
++##	by transitioning to the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The process type entered by request-key.
++##	</summary>
++## </param>
++## <param name="entrypoint">
++##	<summary>
++##	The executable type for the entrypoint.
++##	</summary>
++## </param>
++#
++interface(`keyutils_request_domtrans_to',`
++	gen_require(`
++		type keyutils_request_t;
++	')
++
++	domtrans_pattern(keyutils_request_t, $2, $1)
++')
+diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te
+new file mode 100644
+index 000000000..2ea1d5e38
+--- /dev/null
++++ b/policy/modules/contrib/keyutils.te
+@@ -0,0 +1,11 @@
++policy_module(keyutils, 1.0)
++
++type keyutils_request_exec_t;
++files_type(keyutils_request_exec_t)
++
++type keyutils_request_t;
++domain_type(keyutils_request_t)
++domain_entry_file(keyutils_request_t, keyutils_request_exec_t)
++
++kernel_view_key(keyutils_request_t)
++kernel_read_key(keyutils_request_t)
+diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
+index 3825ef707..06a6c009c 100644
+--- a/policy/modules/contrib/rpc.fc
++++ b/policy/modules/contrib/rpc.fc
+@@ -32,6 +32,7 @@
+ /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/nfsdcld	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/sbin/nfsidmap	--	gen_context(system_u:object_r:nfsidmap_exec_t,s0)
+ 
+ #
+ # /var
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index f94cfa5d2..c83492a56 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -434,3 +434,35 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_rw_xdm_tmp_files(gssd_t)
+ ')
++
++########################################
++#
++# nfsidmap policy
++#
++
++type nfsidmap_exec_t;
++files_type(nfsidmap_exec_t)
++
++type nfsidmap_t;
++domain_type(nfsidmap_t)
++domain_entry_file(nfsidmap_t, nfsidmap_exec_t)
++
++allow nfsidmap_t self:key write;
++allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms;
++
++kernel_setattr_key(nfsidmap_t)
++
++sysnet_read_config(nfsidmap_t)
++
++optional_policy(`
++	auth_read_passwd_file(nfsidmap_t)
++')
++
++optional_policy(`
++	logging_send_syslog_msg(nfsidmap_t)
++')
++
++optional_policy(`
++	# /etc/request-key.d/id_resolver.conf
++	keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t)
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 166586f66..adb71ed3a 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',`
+ 
+ 	dontaudit $1 kernel_t:key view;
+ ')
++
++########################################
++## <summary>
++##	Allow to set attributes on the kernel key ring.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_setattr_key',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:key setattr;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allows caller to read the ring buffer.
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index f7ac8cd1f..0a27fa7ae 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -410,6 +410,10 @@ optional_policy(`
+ 	kerberos_filetrans_home_content(kernel_t)
+ ')
+ 
++optional_policy(`
++	keyutils_request_domtrans(kernel_t)
++')
++
+ optional_policy(`
+ 	init_dbus_chat(kernel_t)
+ 	init_sigchld(kernel_t)
+-- 
+2.33.0
+

Add-journalctl-the-sys_resource-capability.patch

@@ -0,0 +1,35 @@
+From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 3 Feb 2023 17:20:51 +0100
+Subject: [PATCH 4/5] Add journalctl the sys_resource capability
+
+The journalctl command runs in the journalctl_t domain when executed by
+a confined user (user, staff, sysadm). When is invoked with pager,
+prctl() is called to change the process name.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
+type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc:  denied  { sys_resource } for  pid=25516 comm=(pager) capability=sys_resource  scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
+
+Resolves: rhbz#2136189
+---
+ policy/modules/contrib/journalctl.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
+index 5b4329c80..b22b6a713 100644
+--- a/policy/modules/contrib/journalctl.te
++++ b/policy/modules/contrib/journalctl.te
+@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
+ #
+ # journalctl local policy
+ #
++allow journalctl_t self:capability sys_resource;
+ allow journalctl_t self:process { fork setrlimit signal_perms };
+ 
+ allow journalctl_t self:fifo_file manage_fifo_file_perms;
+-- 
+2.33.0
+

Additional-support-for-rpmdb_migrate.patch

@@ -0,0 +1,64 @@
+From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 31 Jan 2023 19:12:39 +0100
+Subject: [PATCH 1/5] Additional support for rpmdb_migrate
+
+Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t")
+commit, selinux-policy supports the rpmdb-migrate.service which is
+executed after the first boot to a newer Fedora release to migrate the
+rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm.
+Additional permissions started to be required recently.
+
+Resolves: rhbz#2164752
+---
+ policy/modules/contrib/rpm.te | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 247f1fa7a..cf5539abb 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -260,26 +260,33 @@ optional_policy(`
+ # rpmdb local policy
+ #
+ 
+-allow rpmdb_t rpm_var_lib_t:file map;
+-allow rpmdb_t rpmdb_tmp_t:file map;
++can_exec(rpmdb_t, rpm_exec_t)
+ 
+ manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+ manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+-files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+-files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
++read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
++allow rpmdb_t rpm_var_lib_t:file map;
+ 
+ manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+ manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+ files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
++allow rpmdb_t rpmdb_tmp_t:file map;
+ 
+-term_use_all_inherited_terms(rpmdb_t)
+-
+-auth_dontaudit_read_passwd(rpmdb_t)
++corecmd_exec_bin(rpmdb_t)
++corecmd_exec_shell(rpmdb_t)
+ 
+ files_rw_inherited_non_security_files(rpmdb_t)
++files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
++files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+ 
+ sysnet_dontaudit_read_config(rpmdb_t)
+ 
++term_use_all_inherited_terms(rpmdb_t)
++
++optional_policy(`
++	auth_dontaudit_read_passwd(rpmdb_t)
++')
++
+ optional_policy(`
+ 	miscfiles_read_generic_certs(rpmdb_t)
+ ')
+-- 
+2.33.0
+

Allow-certmonger-read-the-contents-of-the-sysfs-file.patch

@@ -0,0 +1,31 @@
+From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 7 Feb 2023 11:04:09 +0100
+Subject: [PATCH 5/5] Allow certmonger read the contents of the sysfs
+ filesystem
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
+type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null)
+type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc:  denied  { open } for  pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
+---
+ policy/modules/contrib/certmonger.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
+index e721254ae..c72f05b44 100644
+--- a/policy/modules/contrib/certmonger.te
++++ b/policy/modules/contrib/certmonger.te
+@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t)
+ 
+ dev_read_rand(certmonger_t)
+ dev_read_urand(certmonger_t)
++dev_read_sysfs(certmonger_t)
+ 
+ domain_use_interactive_fds(certmonger_t)
+ 
+-- 
+2.33.0
+

Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch

@@ -0,0 +1,35 @@
+From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 3 Feb 2023 18:15:19 +0100
+Subject: [PATCH 3/5] Allow nm-dispatcher plugins read generic files in /proc
+
+It turns out the systemctl command needs to read /proc/cpuinfo at
+the aarch64 architecture, so the permission was allowed for the
+networkmanager_dispatcher_plugin attribute.
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service
+type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null)
+type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { open } for  pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
+type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { read } for  pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2164845
+---
+ policy/modules/contrib/networkmanager.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index 0e3218929..ef77fdb32 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc
+ 
+ read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t)
+ 
++kernel_read_proc_files(networkmanager_dispatcher_plugin)
+ kernel_request_load_module(NetworkManager_dispatcher_ddclient_t)
+ 
+ auth_read_passwd(networkmanager_dispatcher_plugin)
+-- 
+2.33.0
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 38.6
-Release: 4
+Release: 5
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -64,6 +64,11 @@ Patch8:  allow-rpcbind-to-bind-all-port.patch
 Patch9:  add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
 Patch11: Allow-login_pgm-setcap-permission.patch
+Patch12: Additional-support-for-rpmdb_migrate.patch
+Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch
+Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
+Patch15: Add-journalctl-the-sys_resource-capability.patch
+Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -743,6 +748,9 @@ exit 0
 %endif
 
 %changelog
+* Wed May 31 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-5
+- backport some upstream patches
+
 * Wed Mar 29 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-4
 - allow login_pgm setcap permission