update avc for openEuler

2020-02-26 14:13:26 +08:00 · 2020-02-26 14:13:26 +08:00 · 32ea5da141
commit 32ea5da141
parent d81e448206
10 changed files with 554 additions and 12 deletions
--- a/Allow-local_login-to-be-access-to-var-run-files-and-.patch
+++ b/Allow-local_login-to-be-access-to-var-run-files-and-.patch
@ -0,0 +1,44 @@
+From ce4e53c392075f01176743a66d6f55026d3a1aba Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 19:03:50 +0800
+Subject: [PATCH] Allow local_login to be access to var run files and rasdaemon
+ to write sysfs files
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/contrib/rasdaemon.te | 2 ++
+ policy/modules/system/locallogin.te | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/policy/modules/contrib/rasdaemon.te b/policy/modules/contrib/rasdaemon.te
+index dcdca44..c4c46b5 100644
+--- a/policy/modules/contrib/rasdaemon.te
+++ b/policy/modules/contrib/rasdaemon.te
+@@ -49,3 +49,5 @@ optional_policy(`
+     dmidecode_exec(rasdaemon_t)
+ ')
+ 
+# avc for openEuler
+allow rasdaemon_t sysfs_t:file write;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 5412cfe..ce749ce 100644
+--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
+@@ -201,6 +201,9 @@ optional_policy(`
+     xserver_rw_xdm_keys(local_login_t)
+ ')
+ 
+# avc for openEuler
+allow local_login_t var_run_t:file { getattr open read };
+
+ #################################
+ #
+ # Sulogin local policy
+@@ -287,3 +290,4 @@ ifdef(`sulogin_no_pam', `
+ optional_policy(`
+ 	plymouthd_exec_plymouth(sulogin_t)
+ ')
+
+-- 
+1.8.3.1
+
--- a/access-to-iptables-run-file.patch
+++ b/access-to-iptables-run-file.patch
@ -0,0 +1,51 @@
+From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 20:15:44 +0800
+Subject: [PATCH] access to iptables run file
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/contrib/firewalld.te |  3 +++
+ policy/modules/system/iptables.if   | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
+index 8b78b37..f1cbf0a 100644
+--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
+@@ -139,3 +139,6 @@ optional_policy(`
+ optional_policy(`
+ 	networkmanager_read_state(firewalld_t)
+ ')
+
+# avc for openEuler
+iptables_var_run_file(firewalld_t)
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index 5e1a4a5..6bdd8cf 100644
+--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
+@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
+ 	allow $1 iptables_var_run_t:dir list_dir_perms;
+ 	read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
+ ')
+
+#####################################
+## <summary>
+##      Access to iptables run files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`iptables_var_run_file',`
+gen_require(`
+type iptables_var_run_t;
+')
+
+allow $1 iptables_var_run_t:file { lock open read };
+')
+-- 
+1.8.3.1
+
--- a/add-access-to-faillog-file-for-systemd.patch
+++ b/add-access-to-faillog-file-for-systemd.patch
@ -0,0 +1,52 @@
+From 6b63c0acdb2e2435e4294f2de08dd376db15e4e8 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 21:02:54 +0800
+Subject: [PATCH] add access to faillog file for systemd
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/authlogin.if | 19 +++++++++++++++++++
+ policy/modules/system/init.te      |  3 +++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 728a1c4..6f35819 100644
+--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
+@@ -2413,3 +2413,22 @@ interface(`auth_login_manage_key',`
+ 
+ 	allow $1 login_pgm:key manage_key_perms;
+ ')
+
+########################################
+## <summary>
+##      Manage the login failure log for systemd.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_faillog',`
+gen_require(`
+type faillog_t;
+')
+
+allow $1 faillog_t:dir { add_name write };
+allow $1 faillog_t:file create;
+')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 035720b..e0d584a 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -1868,3 +1868,6 @@ optional_policy(`
+         ccs_read_config(daemon)
+     ')
+  ')
+
+# avc for oprnEuler
+systemd_manage_faillog(init_t)
+-- 
+1.8.3.1
+
--- a/add-allow-to-be-access-to-sssd-dir-and-file.patch
+++ b/add-allow-to-be-access-to-sssd-dir-and-file.patch
@ -0,0 +1,110 @@
+From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 18:30:13 +0800
+Subject: [PATCH] add allow to be access to sssd dir and file
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/admin/usermanage.te |  8 +++++
+ policy/modules/contrib/sssd.if     | 72 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 43fed66..c8580a7 100644
+--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
+@@ -663,3 +663,11 @@ optional_policy(`
+ optional_policy(`
+ 	stapserver_manage_lib(useradd_t)
+ ')
+
+# avc for openEuler
+sssd_var_lib_dir(groupadd_t)
+sssd_var_lib_map_file(groupadd_t)
+sssd_var_lib_create_file(groupadd_t)
+sssd_var_lib_write_file(groupadd_t)
+sssd_var_lib_map_file(useradd_t)
+sssd_var_lib_write_file(useradd_t)
+diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
+index 50eee3f..1b61ccd 100644
+--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
+@@ -576,3 +576,75 @@ interface(`sssd_admin',`
+ 	allow $1 sssd_unit_file_t:service all_service_perms;
+ 
+ ')
+
+########################################
+## <summary>
+##      Allow to be access to sssd lib dir.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_dir',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:dir { add_name write };
+')
+
+########################################
+## <summary>
+##      Allow to map sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_map_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+##      Allow to write sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_write_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+##      Allow to create sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_create_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file create;
+')
+-- 
+1.8.3.1
+
--- a/add-allow-to-plymouthd-stream-connect-for-agetty.patch
+++ b/add-allow-to-plymouthd-stream-connect-for-agetty.patch
@ -0,0 +1,24 @@
+From c1ecad14ce600f2c3c04bec6e7f49f6ef9fefa76 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 18:45:58 +0800
+Subject: [PATCH] add allow to plymouthd stream connect for agetty
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/getty.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index d1967ba..c386dfe 100644
+--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
+@@ -165,3 +165,6 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(getty_t)
+ ')
+
+# avc for openEuler
+plymouthd_stream_connect(getty_t)
+-- 
+1.8.3.1
+
--- a/add-allowed-avc-for-systemd-1.patch
+++ b/add-allowed-avc-for-systemd-1.patch
@ -0,0 +1,76 @@
+From 9592c9a75c610109c17eb8591611826715e3c969 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Wed, 26 Feb 2020 17:20:57 +0800
+Subject: [PATCH] add avc for systemd
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/contrib/dbus.te   |  4 ++++
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te    |  1 +
+ policy/modules/system/systemd.te |  5 +++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 3bcff01..848342e 100644
+--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
+@@ -386,3 +386,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
+ 
+ kernel_stream_connect(session_bus_type)
+ systemd_login_read_pid_files(session_bus_type)
+
+# avc for openEuler
+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
+allow init_t system_dbusd_var_run_t:sock_file read;
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 2378f06..c3659c7 100644
+--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
+@@ -7276,3 +7276,21 @@ type kmsg_device_t;
+ 
+ allow $1 kmsg_device_t:chr_file read;
+ ')
+
+########################################
+## <summary>
+##      Allow to read the clock device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`dev_read_clock_device',`
+gen_require(`
+type clock_device_t;
+')
+
+allow $1 clock_device_t:chr_file read;
+')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index afd20b0..8de5b08 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -1874,3 +1874,4 @@ systemd_manage_faillog(init_t)
+ kernel_netlink_audit_socket(init_t, getattr)
+ dev_read_kernel_msg(init_t)
+ logging_journal(init_t)
+dev_read_clock_device(init_t)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f2919f0..3634510 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1148,3 +1148,8 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+ allow init_t systemd_logind_var_run_t:dir mounton;
+ init_nnp_daemon_domain(systemd_hostnamed_t)
+ init_nnp_daemon_domain(systemd_logind_t)
+init_nnp_daemon_domain(systemd_coredump_t)
+init_nnp_daemon_domain(systemd_initctl_t)
+init_nnp_daemon_domain(systemd_localed_t)
+init_nnp_daemon_domain(systemd_machined_t)
+init_nnp_daemon_domain(systemd_timedated_t)
+-- 
+1.8.3.1
+
--- a/add-avc-for-kmod.patch
+++ b/add-avc-for-kmod.patch
@ -0,0 +1,25 @@
+From b7ba655387f31048655f4b8ad6173144237ae68f Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Tue, 25 Feb 2020 20:54:43 +0800
+Subject: [PATCH] add avc for kmod
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/modutils.te            |  4 +++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 4b7b884..1271b7a 100644
+--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
+@@ -367,3 +367,7 @@ ifdef(`distro_ubuntu',`
+ 		unconfined_domain(update_modules_t)
+ 	')
+ ')
+
+# avc for openEuler
+init_nnp_daemon_domain(insmod_t)
+
+-- 
+1.8.3.1
+
--- a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch
+++ b/add-avc-for-systemd-hostnamed-and-systemd-logind.patch
@ -0,0 +1,29 @@
+From 5d8386f073adf1b835461382844738aca74cab74 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Wed, 26 Feb 2020 11:48:12 +0800
+Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/systemd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index d6ce679..f2919f0 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1140,5 +1140,11 @@ optional_policy(`
+ optional_policy(`
+     gpg_exec(systemd_importd_t)
+ ')
+
+# avc for openEuler
+ allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
+ allow init_t systemd_logind_sessions_t:dir mounton;
+allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+allow init_t systemd_logind_var_run_t:dir mounton;
+init_nnp_daemon_domain(systemd_hostnamed_t)
+init_nnp_daemon_domain(systemd_logind_t)
+-- 
+1.8.3.1
+
--- a/add-avc-for-systemd-journald.patch
+++ b/add-avc-for-systemd-journald.patch
@ -0,0 +1,117 @@
+From 1c571a3a7da2b3caac9dabf0fdeda623529b229a Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Wed, 26 Feb 2020 10:52:31 +0800
+Subject: [PATCH] add avc for systemd-journald
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
+ policy/modules/system/init.te    |  3 +++
+ policy/modules/system/logging.if | 18 ++++++++++++++++++
+ policy/modules/system/logging.te |  3 +++
+ 5 files changed, 60 insertions(+)
+
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 155076b..2378f06 100644
+--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
+@@ -7258,3 +7258,21 @@ interface(`dev_filetrans_xserver_named_dev',`
+ 	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
+ 	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+ ')
+
+########################################
+## <summary>
+##      Allow to read the kernel messages
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`dev_read_kernel_msg',`
+gen_require(`
+type kmsg_device_t;
+')
+
+allow $1 kmsg_device_t:chr_file read;
+')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index be3f313..ed2bd3f 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -4125,3 +4125,21 @@ interface(`kernel_file_mounton','
+ 
+        allow $1 sysctl_kernel_t:file mounton;
+ ')
+
+########################################
+## <summary>
+##      Access to netlink audit socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_netlink_audit_socket',`
+gen_require(`
+type kernel_t;
+')
+
+allow $1 kernel_t:netlink_audit_socket $2;
+')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e0d584a..afd20b0 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -1871,3 +1871,6 @@ optional_policy(`
+ 
+ # avc for oprnEuler
+ systemd_manage_faillog(init_t)
+kernel_netlink_audit_socket(init_t, getattr)
+dev_read_kernel_msg(init_t)
+logging_journal(init_t)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 399fe0d..7718e08 100644
+--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
+@@ -1685,3 +1685,21 @@ interface(`logging_dgram_send',`
+ 
+ 	allow $1 syslogd_t:unix_dgram_socket sendto;
+ ')
+
+#######################################
+## <summary>
+##      Access to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_journal',`
+gen_require(`
+type syslogd_var_run_t;
+')
+
+allow $1 syslogd_var_run_t:file { create rename write };
+')
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 03a4c99..93cf69e 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -738,3 +738,6 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ 
+ logging_stream_connect_syslog(syslog_client_type)
+
+# avc for openEuler
+init_nnp_daemon_domain(syslogd_t)
+-- 
+1.8.3.1
+
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 47
+Release: 48
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

@ -49,16 +49,25 @@ Source24: rpm.macros
 # tar czvf container-selinux.tgz container.fc container.if container.te
 Source35: container-selinux.tgz

-Patch9000: add_userman_access_run_dir.patch
-Patch9001: add_syslogd_t_domtrans_logrotate.patch
-Patch9002: bugfix-add_syslogd_t_domtrans_logrotate.patch
-Patch9003: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
-Patch9004: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
-Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
-Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
-Patch9007: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
-Patch9008: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
-Patch9009: add-allowed-avc-for-systemd.patch
+Patch0: add_userman_access_run_dir.patch
+Patch1: add_syslogd_t_domtrans_logrotate.patch
+Patch2: bugfix-add_syslogd_t_domtrans_logrotate.patch
+Patch3: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
+Patch4: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
+Patch5: Fix-userdom_admin_user_template-interface-by-adding-.patch
+Patch6: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
+Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
+Patch8: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
+Patch9: add-allowed-avc-for-systemd.patch
+Patch10: add-allow-to-be-access-to-sssd-dir-and-file.patch  
+Patch11: add-allow-to-plymouthd-stream-connect-for-agetty.patch
+Patch12: Allow-local_login-to-be-access-to-var-run-files-and-.patch
+Patch13: access-to-iptables-run-file.patch
+Patch14: add-avc-for-kmod.patch
+Patch15: add-access-to-faillog-file-for-systemd.patch
+Patch16: add-avc-for-systemd-journald.patch
+Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
+Patch18: add-allowed-avc-for-systemd-1.patch

 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@ -241,11 +250,13 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
 %setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 1
 tar -xf %{SOURCE35}
 contrib_path=`pwd`
-%autosetup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -p1
+%setup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -q

 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib

+%autopatch -p1
+
 mkdir selinux_config
 for i in %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20}; do
 cp $i selinux_config
@ -653,6 +664,9 @@ exit 0
 %endif

 %changelog
+* Wed Feb 26 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-48
+- update avc for openEuler
+
 * Sun Jan 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-47
 - set selinux to permissive