From 376ce47dad2634d983242e87f588d185f40dda87 Mon Sep 17 00:00:00 2001
From: luhuaxin <1539327763@qq.com>
Date: Sat, 29 May 2021 14:50:37 +0800
Subject: [PATCH] allow kdump_t net_admin capability
---
 ...t-Allow-kdump_t-net_admin-capability.patch | 26 +++++++++++++++++++
 selinux-policy.spec | 6 ++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 backport-Allow-kdump_t-net_admin-capability.patch
diff --git a/backport-Allow-kdump_t-net_admin-capability.patch b/backport-Allow-kdump_t-net_admin-capability.patch
new file mode 100644
index 0000000..c1a6a9a
--- /dev/null
+++ b/backport-Allow-kdump_t-net_admin-capability.patch
@@ -0,0 +1,26 @@
+From 027923e5647f7f0d1ecbaa7fc4d03cbd193a1424 Mon Sep 17 00:00:00 2001
+From: LuLuLu <1539327763@qq.com>
+Date: Tue, 25 May 2021 20:06:29 +0800
+Subject: [PATCH] Allow kdump_t net_admin capability
+
+When reboot with kexec, kdump_t process needs net_admin capability to run ifdown.
+---
+ policy/modules/contrib/kdump.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
+index a253134..7e73c65 100644
+--- a/policy/modules/contrib/kdump.te
++++ b/policy/modules/contrib/kdump.te
+@@ -41,7 +41,7 @@ files_tmp_file(kdumpctl_tmp_t)
+ # kdump local policy
+ #
+
+-allow kdump_t self:capability { sys_admin sys_boot dac_read_search };
++allow kdump_t self:capability { sys_admin sys_boot dac_read_search net_admin };
+ #allow kdump_t self:capability2 compromise_kernel;
+
+ allow kdump_t self:udp_socket create_socket_perms;
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fd87081..1f011d7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 66
+Release: 67
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
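Review bot: The new `allow kdump_t self:capability { sys_admin sys_boot dac_read_search net_admin };` line in the embedded kdump.te hunk carries no in-policy rationale; the only explanation (running ifdown during a kexec reboot) sits in the inner commit message, which disappears once the patch is applied to the policy tree. CAP_NET_ADMIN is one of the broadest Linux capabilities (interface and routing configuration, firewall and socket administration, and more), so the grant widens what a compromised or misbehaving kdump_t process may do well beyond taking an interface down, and a later audit of kdump.te will not see why it is there. Suggest a comment directly above the rule, e.g. `# net_admin: kdumpctl runs ifdown when rebooting via kexec`, so the grant is reviewable in place. If the ifdown helper is labelled for a domain transition (e.g. via `sysnet_domtrans_ifconfig`), running it in its own domain would keep net_admin out of kdump_t altogether; that cannot be confirmed from this hunk, as the rest of kdump.te is outside it.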
@@ -73,6 +73,7 @@ Patch20: add-avc-for-openEuler-1.patch
 Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
 Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch
 Patch23: allow-rpcbind-to-bind-all-port.patch
+patch24: backport-Allow-kdump_t-net_admin-capability.patch
 
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -738,6 +739,9 @@ exit 0
 %endif
 
 %changelog
+* Sat May 29 2021 luhuaxin <1539327763@qq.com> - 3.14.2-67
+- allow kdump_t net_admin capability
+
 * Thu Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66
 - allow rpcbind to bind all port
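Review bot: The added tag is spelled `patch24:` while every neighbouring tag in the hunk is `PatchNN:`; rpm matches tag names case-insensitively so the line still parses, but the odd casing breaks grep-based review of the patch list and should read `Patch24: backport-Allow-kdump_t-net_admin-capability.patch`. The hunk only declares the patch; whether the %prep section applies patches automatically or needs a matching `%patch24 -p1` line is outside this chunk and should be checked, since otherwise the backport ships in the source package but is never applied to the policy.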