backport upstream patches

backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch

@@ -0,0 +1,72 @@
+From 6a6fff9f00a02723d3a9c58e892e12a527df8efa Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 16 Nov 2021 20:50:48 +0100
+Subject: [PATCH] Allow PID 1 and dbus-broker IPC with a systemd user session
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa
+Conflict: NA
+
+systemd-stdio-bridge is invoked using systemd-run to connect to a user
+bus from a privileged context:
+systemd-run -M.host -PGq --wait -pUser=user1 -pPAMName=login systemd-stdio-bridge -punix:path=${XDG_RUNTIME_DIR}/bus
+
+The commands sequence is as follows:
+1. dnf invokes rpm
+2. a scriptlet is called from rpm
+3. the scriptlet calls /usr/lib/systemd/systemd-update-helper
+4. systemd-update-helper calls systemctl --user <uid>@ ...
+5. in the systemctl binary, sd-bus invokes systemd-run
+6. which invokes systemd-stdio-bridge as the user
+7. systemctl communicates with the user manager over the bridge
+
+Refer to this commit for more information:
+https://github.com/systemd/systemd/pull/17967/commits/1b630835dff
+
+Addresses the following AVC denials:
+----
+type=AVC msg=audit(11/15/2021 08:56:59.167:1097) : avc:  denied  { read write } for  pid=458 comm=dbus-broker path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+----
+type=AVC msg=audit(11/15/2021 08:56:59.168:1098) : avc:  denied  { read write } for  pid=1 comm=systemd path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+----
+type=PROCTITLE msg=audit(11/15/2021 08:56:59.184:1100) : proctitle=(o-bridge)
+type=SYSCALL msg=audit(11/15/2021 08:56:59.184:1100) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffca74d78a0 a3=0x0 items=0 ppid=1 pid=6580 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(11/15/2021 08:56:59.184:1100) : avc:  denied  { ioctl } for  pid=6580 comm=(o-bridge) path=socket:[37803] dev="sockfs" ino=37803 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+----
+
+Resolves: rhbz#2023332
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.te | 4 ++++
+ policy/modules/system/init.te  | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index a426d29..76fb3b6 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -236,6 +236,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	userdom_rw_stream(system_dbusd_t)
++')
++
++optional_policy(`
+ 	virt_list_sandbox_dirs(system_dbusd_t)
+ ')
+ 
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index b261f08..22e363a 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -872,6 +872,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	userdom_exec_user_bin_files(init_t)
++	userdom_rw_stream(init_t)
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+

backport-Allow-admin-userdomains-use-socketpair.patch

@@ -0,0 +1,46 @@
+From fd807226d8aeb7a06e4f94974e116feedebaed59 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 6 Jan 2022 09:26:43 +0100
+Subject: [PATCH] Allow admin userdomains use socketpair()
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/fd807226d8aeb7a06e4f94974e116feedebaed59
+Conflict: NA
+
+In cockpit, the bridge uses socketpair() to communicate to subprocesses.
+For executing administrative commands, "sudo cockpit-bridge" is spawned,
+and the permissions to read and write from the socket are required.
+
+Simplified reproducer:
+$ python3 -c 'import socket, subprocess; r = socket.socketpair(); p = subprocess.Popen(["sudo", "whoami"], stdout=r[0]); print(p.wait()); print(r[1].recv(100))'
+
+sudo succeeds, but recv() hangs as the data flow is blocked.
+
+This commit addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/06/2022 03:07:28.526:5532) : proctitle=sudo whoami
+type=EXECVE msg=audit(01/06/2022 03:07:28.526:5532) : argc=2 a0=sudo a1=whoami
+type=SYSCALL msg=audit(01/06/2022 03:07:28.526:5532) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f302b08c470 a1=0x7f302b106450 a2=0x7ffe20fef5b8 a3=0xffffffffffffff01 items=2 ppid=567183 pid=567184 auid=admin uid=admin gid=admin euid=root suid=root fsuid=root egid=admin sgid=admin fsgid=admin tty=pts1 ses=6 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(01/06/2022 03:07:28.526:5532) : avc:  denied  { read write } for  pid=567184 comm=sudo path=socket:[690408] dev="sockfs" ino=690408 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+
+Resolves: rhbz#1814569
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/sudo.if | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 24ede58..4b8f975 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -58,7 +58,7 @@ template(`sudo_role_template',`
+ 	allow $1_sudo_t $3:file read_file_perms;;
+ 	allow $1_sudo_t $3:key search;
+ 
+-	allow $1_sudo_t $1_t:unix_stream_socket connectto;
++	allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };
+ 
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+-- 
+1.8.3.1
+

backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch

@@ -0,0 +1,44 @@
+From 8ef66bbca8c278a7f9c2c13c792d885324a120e1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Nov 2021 11:32:40 +0100
+Subject: [PATCH] Allow cloud-init dbus chat with systemd-logind
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8ef66bbca8c278a7f9c2c13c792d885324a120e1
+Conflict: NA
+
+When cloud-init executes a user data script to build a new image
+template and there are commands using su or sudo, the process goes
+through PAM stack for su/sudo which typically includes pam_systemd.
+This PAM module calls systemd-logind to create a session for the user.
+Then systemd-logind attempts to dbus send the results back to
+cloud-init, but SELinux policy did not contain such permissions, which
+resulted in 25 seconds delay:
+
+Jan  1 08:00:00 hostname dbus[12345]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
+Jan  1 08:00:25 hostname dbus[12345]: [system] Failed to activate service 'org.freedesktop.login1': timed out
+
+Addresses the following AVC denial:
+
+type=USER_AVC msg=audit(1637751660.446:66): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.19 spid=723 tpid=1434 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+
+Resolves: rhbz#2009769
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/cloudform.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cloudform.te b/policy/modules/contrib/cloudform.te
+index 2f19544..80b9cbc 100644
+--- a/policy/modules/contrib/cloudform.te
++++ b/policy/modules/contrib/cloudform.te
+@@ -105,6 +105,7 @@ miscfiles_read_localization(cloud_init_t)
+ selinux_validate_context(cloud_init_t)
+ 
+ systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_dbus_chat_logind(cloud_init_t)
+ systemd_dbus_chat_timedated(cloud_init_t)
+ systemd_exec_systemctl(cloud_init_t)
+ systemd_start_all_services(cloud_init_t)
+-- 
+1.8.3.1
+

backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch

@@ -0,0 +1,37 @@
+From 359d7cdc59a69c39c9f1d00890002dc7150b918a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 7 Dec 2021 18:08:01 +0100
+Subject: [PATCH] Allow dnsmasq watch /etc/dnsmasq.d directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/359d7cdc59a69c39c9f1d00890002dc7150b918a
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/07/2021 09:38:48.124:320) : proctitle=/usr/sbin/dnsmasq
+type=PATH msg=audit(12/07/2021 09:38:48.124:320) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(12/07/2021 09:38:48.124:320) : cwd=/
+type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x8 a1=0x5586fa914c70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5720 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)
+type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc:  denied  { watch } for  pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2029866
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dnsmasq.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
+index 0d5c7e4..de7c0c0 100644
+--- a/policy/modules/contrib/dnsmasq.te
++++ b/policy/modules/contrib/dnsmasq.te
+@@ -52,6 +52,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms;
+ 
+ read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+ list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++watch_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+ 
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+-- 
+1.8.3.1
+

backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch

@@ -0,0 +1,39 @@
+From 25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Mon, 31 Jan 2022 13:06:49 +0100
+Subject: [PATCH] Allow domtrans to sssd_t and role access to sssd
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
+Conflict: NA
+
+After previous fix in bugzilla arise a SELinux
+error with role. Processes running under
+unconfined_r do not have access to sssd_t.
+Allow domain transition from rpm_script_t to
+sssd_t and allow the rpm_script_roles in the
+sssd domain.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 0866d95..b09dfe1 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -489,6 +489,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	sssd_run_sssd(rpm_script_t, rpm_script_roles)
++')
++
++optional_policy(`
+ 	tzdata_domtrans(rpm_t)
+ 	tzdata_run(rpm_script_t, rpm_script_roles)
+ ')
+-- 
+1.8.3.1
+

backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch

@@ -0,0 +1,30 @@
+From ab3afa4143e5d84daaa27a11743af3a6eb09c3df Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 23 Dec 2021 10:52:01 +0100
+Subject: [PATCH] Allow haproxy get attributes of cgroup filesystems
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ab3afa4143e5d84daaa27a11743af3a6eb09c3df
+Conflict: NA
+
+Resolves: rhbz#2035133
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rhcs.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
+index 3d9199e..b143e2b 100644
+--- a/policy/modules/contrib/rhcs.te
++++ b/policy/modules/contrib/rhcs.te
+@@ -665,6 +665,8 @@ dev_list_sysfs(haproxy_t)
+ dev_read_rand(haproxy_t)
+ dev_read_urand(haproxy_t)
+ 
++fs_getattr_cgroup(haproxy_t)
++
+ sysnet_dns_name_resolve(haproxy_t)
+ 
+ tunable_policy(`haproxy_connect_any',`
+-- 
+1.8.3.1
+

backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch

@@ -0,0 +1,30 @@
+From b1497c15f68bf0ceac2b19684582266e717bd079 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 23 Dec 2021 10:53:06 +0100
+Subject: [PATCH] Allow haproxy get attributes of filesystems with extended
+ attributes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b1497c15f68bf0ceac2b19684582266e717bd079
+Conflict: NA
+
+Resolves: rhbz#2035132
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rhcs.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
+index b143e2b..c6633bb 100644
+--- a/policy/modules/contrib/rhcs.te
++++ b/policy/modules/contrib/rhcs.te
+@@ -666,6 +666,7 @@ dev_read_rand(haproxy_t)
+ dev_read_urand(haproxy_t)
+ 
+ fs_getattr_cgroup(haproxy_t)
++fs_getattr_xattr_fs(haproxy_t)
+ 
+ sysnet_dns_name_resolve(haproxy_t)
+ 
+-- 
+1.8.3.1
+

backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch

@@ -0,0 +1,45 @@
+From e7f00c5591082ab84c055ba250b361eefa19eb0d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 3 Jan 2022 12:27:28 +0100
+Subject: [PATCH] Allow lldpd connect to snmpd with a unix domain stream socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7f00c5591082ab84c055ba250b361eefa19eb0d
+Conflict: NA
+
+If the lldpd service is configured to enable the SNMP subagent
+(using the -x option), the lldpd process tries to connect to snmpd's
+agentx. By default, the /var/agentx/master socket file is used.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/03/22 06:21:57.359:417) : proctitle=/usr/sbin/lldpd -x
+type=PATH msg=audit(01/03/22 06:21:57.359:417) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(01/03/22 06:21:57.359:417) : cwd=/
+type=SOCKADDR msg=audit(01/03/22 06:21:57.359:417) : saddr={ saddr_fam=local path=/var/agentx/master }
+type=SYSCALL msg=audit(01/03/22 06:21:57.359:417) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x5586e8de9980 a2=0x6e a3=0x0 items=1 ppid=1 pid=12595 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
+type=AVC msg=audit(01/03/22 06:21:57.359:417) : avc:  denied  { search } for  pid=12595 comm=lldpd name=agentx dev="vda1" ino=2034987 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#1991029
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/lldpad.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
+index cccbc09..075893c 100644
+--- a/policy/modules/contrib/lldpad.te
++++ b/policy/modules/contrib/lldpad.te
+@@ -83,6 +83,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	snmp_stream_connect(lldpad_t)
++')
++
++optional_policy(`
+     sysnet_read_config(lldpad_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch

@@ -0,0 +1,56 @@
+From c0b38cf988df48613209e48007eefd748480d52f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 2 Dec 2021 10:55:46 +0100
+Subject: [PATCH] Allow lldpd use an snmp subagent over a tcp socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c0b38cf988df48613209e48007eefd748480d52f
+Conflict: NA
+
+When lldpd enables an snmp subagent for a tcp socket instead of udp:
+LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705"
+
+the following permissions are required:
+- allow lldpd create and use tcp socket
+- name_connect to the agentx_port_t port
+
+Addresses the following AVC denials:
+
+type=PROCTITLE msg=audit(12/02/21 06:16:32.721:425) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
+type=SYSCALL msg=audit(12/02/21 06:16:32.721:425) : arch=x86_64 syscall=socket success=yes exit=17 a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
+type=AVC msg=audit(12/02/21 06:16:32.721:425) : avc:  denied  { create } for  pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
+
+type=PROCTITLE msg=audit(12/02/21 06:16:32.721:426) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
+type=SYSCALL msg=audit(12/02/21 06:16:32.721:426) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x11 a1=0x7ffff0e22c30 a2=0x10 a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
+type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc:  denied  { name_connect } for  pid=129232 comm=lldpd dest=705 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket permissive=1
+type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc:  denied  { connect } for  pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
+
+Resolves: rhbz#2028379
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/lldpad.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
+index 000fafb..cccbc09 100644
+--- a/policy/modules/contrib/lldpad.te
++++ b/policy/modules/contrib/lldpad.te
+@@ -32,6 +32,7 @@ allow lldpad_t self:fifo_file rw_fifo_file_perms;
+ allow lldpad_t self:unix_stream_socket { accept connectto listen };
+ allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
+ allow lldpad_t self:packet_socket create_socket_perms;
++allow lldpad_t self:tcp_socket create_socket_perms;
+ allow lldpad_t self:udp_socket create_socket_perms;
+ 
+ manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
+@@ -54,6 +55,8 @@ auth_read_passwd(lldpad_t)
+ 
+ corecmd_exec_bin(lldpad_t)
+ 
++corenet_tcp_connect_agentx_port(lldpad_t)
++
+ dev_read_sysfs(lldpad_t)
+ 
+ fs_getattr_tmpfs(lldpad_t)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-open-read-map-system-journal.patch

@@ -0,0 +1,40 @@
+From 4d93e16f67ad41d2f72071f965c780b587303846 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 26 Nov 2021 17:28:14 +0100
+Subject: [PATCH] Allow login_userdomain open/read/map system journal
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4d93e16f67ad41d2f72071f965c780b587303846
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(27.10.2021 15:45:16.341:455) : proctitle=systemctl status user@1001
+type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc:  denied  { read } for  pid=4764 comm=systemctl name=system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
+type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc:  denied  { open } for  pid=4764 comm=systemctl path=/run/log/journal/edb15570307f47dd805feee9003d4e08/system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
+type=SYSCALL msg=audit(27.10.2021 15:45:16.341:455) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7fff96d6e1c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=4739 pid=4764 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=10 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null)
+
+Resolves: rhbz#2017838
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 6a959c5..b936a81 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -410,6 +410,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	logging_mmap_journal(login_userdomain)
++	logging_read_syslog_pid(login_userdomain)
++')
++
++optional_policy(`
+ 	pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch

@@ -0,0 +1,29 @@
+From dbb20e7f9fb98fc322d925b66da0abc7258957cf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 9 Nov 2021 18:35:11 +0100
+Subject: [PATCH] Allow redis get attributes of filesystems with extended
+ attributes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dbb20e7f9fb98fc322d925b66da0abc7258957cf
+Conflict: NA
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/redis.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
+index 093f28d..fb6a3dc 100644
+--- a/policy/modules/contrib/redis.te
++++ b/policy/modules/contrib/redis.te
+@@ -99,6 +99,7 @@ tunable_policy(`redis_enable_notify',`
+     corecmd_exec_shell(redis_t)
+ 
+ 	fs_getattr_tmpfs(redis_t)
++	fs_getattr_xattr_fs(redis_t)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch

@@ -0,0 +1,29 @@
+From 174740ce047312bb8e3ca19b3ee95766f0dc55b4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 7 Dec 2021 15:17:15 +0100
+Subject: [PATCH] Allow rhsmcertd get attributes of tmpfs_t filesystems
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/174740ce047312bb8e3ca19b3ee95766f0dc55b4
+Conflict: NA
+
+Resolves: rhbz#2015820
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rhsmcertd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
+index abd3227..7ebff7b 100644
+--- a/policy/modules/contrib/rhsmcertd.te
++++ b/policy/modules/contrib/rhsmcertd.te
+@@ -101,6 +101,7 @@ files_create_boot_flag(rhsmcertd_t)
+ files_dontaudit_write_all_mountpoints(rhsmcertd_t)
+ 
+ fs_dontaudit_write_configfs_dirs(rhsmcertd_t)
++fs_getattr_tmpfs(rhsmcertd_t)
+ fs_read_xenfs_files(rhsmcertd_t)
+ 
+ auth_map_passwd(rhsmcertd_t)
+-- 
+1.8.3.1
+

backport-Allow-rpmdb-read-admin-home-config-files.patch

@@ -0,0 +1,39 @@
+From f402b06808835ad1a8aa393739efff1e40eaf8e8 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 16 Nov 2021 22:37:25 +0100
+Subject: [PATCH] Allow rpmdb read admin home config files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f402b06808835ad1a8aa393739efff1e40eaf8e8
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(11/16/2021 16:31:45.105:1455) : proctitle=/usr/bin/rpmdb --rebuilddb
+type=PATH msg=audit(11/16/2021 16:31:45.105:1455) : item=0 name=/root/.rpmmacros inode=110039 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(11/16/2021 16:31:45.105:1455) : cwd=/root
+type=SYSCALL msg=audit(11/16/2021 16:31:45.105:1455) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x560b2126e2a0 a2=O_RDONLY a3=0x0 items=1 ppid=40819 pid=59445 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=20 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/16/2021 16:31:45.105:1455) : avc:  denied  { open } for  pid=59445 comm=rpmdb path=/root/.rpmmacros dev="sda2" ino=110039 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2023163
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 9d2f4e6..f01d07c 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -279,6 +279,10 @@ files_rw_inherited_non_security_files(rpmdb_t)
+ 
+ sysnet_dontaudit_read_config(rpmdb_t)
+ 
++optional_policy(`
++	userdom_read_admin_home_files(rpmdb_t)
++')
++
+ ########################################
+ #
+ # rpm-script Local policy
+-- 
+1.8.3.1
+

backport-Allow-rpmdb-read-generic-SSL-certificates.patch

@@ -0,0 +1,39 @@
+From c1d7b1ba04a91894032b88bec9d9e76b27678a3d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 16 Nov 2021 22:42:02 +0100
+Subject: [PATCH] Allow rpmdb read generic SSL certificates
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c1d7b1ba04a91894032b88bec9d9e76b27678a3d
+Conflict: NA
+
+Addresses the following AVC denials:
+type=PROCTITLE msg=audit(11/16/2021 16:29:00.780:1008) : proctitle=/usr/bin/rpmdb --rebuilddb
+type=PATH msg=audit(11/16/2021 16:29:00.780:1008) : item=0 name=/etc/pki/tls/openssl.cnf inode=145355 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(11/16/2021 16:29:00.780:1008) : cwd=/mnt/testarea/test
+type=SYSCALL msg=audit(11/16/2021 16:29:00.780:1008) : arch=x86_64 syscall=openat success=yes exit=10 a0=0xffffff9c a1=0x5579d5c35320 a2=O_RDONLY a3=0x0 items=1 ppid=1344 pid=4427 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc:  denied  { open } for  pid=4427 comm=rpmdb path=/etc/pki/tls/openssl.cnf dev="vda1" ino=145355 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
+type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc:  denied  { search } for  pid=4427 comm=rpmdb name=pki dev="vda1" ino=136481 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index f01d07c..0866d95 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -280,6 +280,10 @@ files_rw_inherited_non_security_files(rpmdb_t)
+ sysnet_dontaudit_read_config(rpmdb_t)
+ 
+ optional_policy(`
++	miscfiles_read_generic_certs(rpmdb_t)
++')
++
++optional_policy(`
+ 	userdom_read_admin_home_files(rpmdb_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-smbcontrol-use-additional-socket-types.patch

@@ -0,0 +1,40 @@
+From 0269eebb529eef5288b4b6dd1c62604dbd230230 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 23 Nov 2021 14:32:54 +0100
+Subject: [PATCH] Allow smbcontrol use additional socket types
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0269eebb529eef5288b4b6dd1c62604dbd230230
+Conflict: NA
+
+In order to set debug level, smbcontrol was allowed to:
+- create and use udp socket
+- create and use netlink route sockets, read route configuration state
+
+AVC denials example:
+
+type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100
+type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc:  denied  { create } for  pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
+
+Resolves: rhbz#2025931
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/samba.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 72322f5..cb89bcf 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -718,6 +718,8 @@ allow smbcontrol_t self:capability2 block_suspend;
+ allow smbcontrol_t self:process { signal signull };
+ # internal communication is often done using fifo and unix sockets.
+ allow smbcontrol_t self:fifo_file rw_file_perms;
++allow smbcontrol_t self:netlink_route_socket r_netlink_socket_perms;
++allow smbcontrol_t self:udp_socket create_socket_perms;
+ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+ allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
+ 
+-- 
+1.8.3.1
+

backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch

@@ -0,0 +1,37 @@
+From c5082c2dc80dbbd549ca9a246ef97ef6cf20a277 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 18 Nov 2021 19:29:01 +0100
+Subject: [PATCH] Allow sudodomain send a null signal to sshd processes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c5082c2dc80dbbd549ca9a246ef97ef6cf20a277
+Conflict: NA
+
+This denial appears when maxlogins is specified in PAM limits configuration:
+type=PROCTITLE msg=audit(11/18/21 13:22:44.231:774) : proctitle=sudo -u staff echo
+type=SYSCALL msg=audit(11/18/21 13:22:44.231:774) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x1a2c a1=SIG0 a2=0x4 a3=0x7ffd93c089cf items=0 ppid=6747 pid=6748 auid=staff uid=root gid=staff euid=root suid=root fsuid=root egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/18/21 13:22:44.231:774) : avc:  denied  { signull } for  pid=6748 comm=sudo scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Resolves: rhbz#1966945
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/sudo.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index b281028..333b465 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -129,6 +129,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	ssh_signull(sudodomain)
++')
++
++optional_policy(`
+     systemd_write_inherited_logind_sessions_pipes(sudodomain)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch

@@ -0,0 +1,35 @@
+From 3b826a9f34d86388fde3a07a9dcfeccdc762bafe Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 20 Dec 2021 11:47:29 +0100
+Subject: [PATCH] Allow sudodomains execute passwd in the passwd domain
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b826a9f34d86388fde3a07a9dcfeccdc762bafe
+Conflict: NA
+
+When an unprivileged user in the sysadm_r role executes passwd
+through sudo, it transitions into sysadm_sudo_t domain by default.
+With this commit, the process transitions back to sysadm_t.
+
+Resolves: rhbz#1943572
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/sudo.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index e79eef7..356b150 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -98,6 +98,9 @@ template(`sudo_role_template',`
+ 		kerberos_read_config($1_sudo_t)
+ 	')
+ 
++	optional_policy(`
++		usermanage_domtrans_passwd($1_sudo_t)
++	')
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+

backport-Allow-svnserve-send-mail-from-the-system.patch

@@ -0,0 +1,41 @@
+From c43df4f0131a7870beef94eb9c5a5fb048379566 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Nov 2021 16:13:35 +0100
+Subject: [PATCH] Allow svnserve send mail from the system
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c43df4f0131a7870beef94eb9c5a5fb048379566
+Conflict: NA
+
+If a svn hook needs to send an e-mail, the service needs to be allowed
+to execute an MTA program. In this commit, the mta_send_mail() interface
+call for svnserve_t was added to allow permissions to execute types from
+the mta_exec_type attribute which currently is:
+- courier_exec_t
+- exim_exec_t
+- postfix_postdrop_t
+- sendmail_exec_t
+
+Resolves: rhbz#2004843
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/svnserve.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
+index 874e7c2..c603551 100644
+--- a/policy/modules/contrib/svnserve.te
++++ b/policy/modules/contrib/svnserve.te
+@@ -90,6 +90,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mta_send_mail(svnserve_t)
++')
++
++optional_policy(`
+     sasl_connect(svnserve_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch

@@ -0,0 +1,74 @@
+From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 22 Dec 2021 13:06:33 +0100
+Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b
+Conflict: NA
+
+When an unprivileged user in the sysadm_r role executes systemctl
+through sudo, it transitions into sysadm_sudo_t domain by default.
+With this commit, the process transitions back to sysadm_t.
+
+The systemd_domtrans_systemctl() interface was added.
+
+Resolves: rhbz#2013749
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/sudo.if     |  5 +++++
+ policy/modules/system/systemd.if | 23 +++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index f6df896..24ede58 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -101,6 +101,11 @@ template(`sudo_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		systemd_domtrans_systemctl($1_sudo_t, $3)
++		systemd_systemctl_entrypoint($3)
++	')
++
++	optional_policy(`
+ 		userdom_write_user_tmp_sockets($1_sudo_t)
+ 	')
+ 
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index ec58e33..351438c 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',`
+ 
+ #######################################
+ ## <summary>
++##	Execute systemctl in the specified domain
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++## <param name="target_domain">
++##      <summary>
++##      Domain to transition to.
++##      </summary>
++## </param>
++#
++interface(`systemd_domtrans_systemctl',`
++	gen_require(`
++		type systemd_systemctl_exec_t;
++	')
++
++	domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2)
++')
++
++#######################################
++## <summary>
+ ##      Create a file type used for systemd unit files.
+ ## </summary>
+ ## <param name="script_file">
+-- 
+1.8.3.1
+

backport-Allow-systemd-read-unlabeled-symbolic-links.patch

@@ -0,0 +1,69 @@
+From 07b06a7f6cb1f41b92de5d29d21ac89c4d362457 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 7 Dec 2021 17:15:44 +0100
+Subject: [PATCH] Allow systemd read unlabeled symbolic links
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/07b06a7f6cb1f41b92de5d29d21ac89c4d362457
+Conflict: NA
+
+On a system boot systemd starts to launch services in the current target.
+When it attempts to access a symbolic link which is critical for systemd
+to continue and the symlink is unlabeled, the autorelabel target cannot
+be reached to start relabeling and fix the unlabeled files.
+This scenario applies to /etc/localtime when it was changed in SELinux
+disabled mode.
+
+Since this commit, systemd is allowed the read access to symbolic links
+with the unlabeled_t type.
+
+Resolves: rhbz#2021835
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te   |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 62845c1..1b684f5 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -2922,6 +2922,24 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read unlabeled symbolic links.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_read_unlabeled_lnk_files',`
++	gen_require(`
++		type unlabeled_t;
++	')
++
++	allow $1 unlabeled_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write unlabeled block device nodes.
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 22e363a..0de5f4a 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -588,6 +588,7 @@ tunable_policy(`deny_bluetooth',`',`
+ ')
+ 
+ kernel_list_unlabeled(init_t)
++kernel_read_unlabeled_lnk_files(init_t)
+ kernel_read_network_state(init_t)
+ kernel_rw_all_sysctls(init_t)
+ kernel_rw_security_state(init_t)
+-- 
+1.8.3.1
+

backport-Allow-tlp-dbus-chat-with-NetworkManager.patch

@@ -0,0 +1,35 @@
+From e8ff8cb50ada4155ec179b016729df1b78fb55c8 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 5 Nov 2021 17:52:02 +0100
+Subject: [PATCH] Allow tlp dbus-chat with NetworkManager
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e8ff8cb50ada4155ec179b016729df1b78fb55c8
+Conflict: NA
+
+Addresses the following AVC denial:
+type=USER_AVC msg=audit(05/11/21 09:11:56.868:303) : pid=1076 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2013439
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/tlp.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
+index 35432f1..b9491ee 100644
+--- a/policy/modules/contrib/tlp.te
++++ b/policy/modules/contrib/tlp.te
+@@ -88,6 +88,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	networkmanager_dbus_chat(tlp_t)
++')
++
++optional_policy(`
+     sssd_read_public_files(tlp_t)
+     sssd_stream_connect(tlp_t)
+ ')
+-- 
+1.8.3.1
+

backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch

@@ -0,0 +1,47 @@
+From 901ac5314982f5600ef11691969b9af89aeba772 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 20 Dec 2021 14:21:33 +0100
+Subject: [PATCH] Allow userdomains use pam_ssh_agent_auth for passwordless
+ sudo
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/901ac5314982f5600ef11691969b9af89aeba772
+Conflict: NA
+
+The pam_ssh_agent_auth module can be used for granting permissions based
+on SSH agent requests. When configured for using in the sudo pam module,
+it requires permissions for sudodomain to use the user socket file and
+stream connect to its corresponding userdomain.
+
+Resolves: rhbz#1917879
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/sudo.if | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 356b150..f6df896 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -58,6 +58,8 @@ template(`sudo_role_template',`
+ 	allow $1_sudo_t $3:file read_file_perms;;
+ 	allow $1_sudo_t $3:key search;
+ 
++	allow $1_sudo_t $1_t:unix_stream_socket connectto;
++
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+ 
+@@ -99,6 +101,10 @@ template(`sudo_role_template',`
+ 	')
+ 
+ 	optional_policy(`
++		userdom_write_user_tmp_sockets($1_sudo_t)
++	')
++
++	optional_policy(`
+ 		usermanage_domtrans_passwd($1_sudo_t)
+ 	')
+ ')
+-- 
+1.8.3.1
+

backport-Ensure-that-run-systemd-are-properly-labeled.patch

@@ -0,0 +1,40 @@
+From 5c05ced263586a9e7e92a045ab7b8e4454d6f4ff Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Tue, 30 Nov 2021 18:50:55 -0500
+Subject: [PATCH] Ensure that `/run/systemd/*` are properly labeled
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5c05ced263586a9e7e92a045ab7b8e4454d6f4ff
+Conflict: NA
+
+`/run/systemd/generator.{early,late}` were not covered by the type_transition rules.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/init.if | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index ced08f3..7bd438e 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -3288,7 +3288,7 @@ interface(`init_filetrans_named_content',`
+ 		type initrc_var_run_t;
+ 		type machineid_t;
+ 		type initctl_t;
+-        type systemd_unit_file_t;
++        	type systemd_unit_file_t;
+ 	')
+ 
+ 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+@@ -3296,6 +3296,8 @@ interface(`init_filetrans_named_content',`
+ 	files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ 	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.early")
++	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch

@@ -0,0 +1,33 @@
+From 84f1d7c3fe6113effd8eedc2a6602c72fd5d482c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 18 Nov 2021 19:08:05 +0100
+Subject: [PATCH] Update userdom_exec_user_tmp_files() with an entrypoint rule
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84f1d7c3fe6113effd8eedc2a6602c72fd5d482c
+Conflict: NA
+
+The userdom_exec_user_tmp_files() interface contains rules
+to allow execution of user temporary files, but there were no rules
+containing the executable type as entrypoint.
+
+Resolves: rhbz#1966945
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index d5a4094..cb56d28 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -556,6 +556,7 @@ interface(`userdom_exec_user_tmp_files',`
+ 		type user_tmp_t;
+ 	')
+ 
++	allow $1 user_tmp_t:file entrypoint;
+ 	exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ 	dontaudit $1 user_tmp_t:sock_file execute;
+ 	files_search_tmp($1)
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 7
+Release: 8
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -66,6 +66,30 @@ Patch10: add-avc-for-systemd.patch
 
 Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
 Patch6001: backport-Allow-chage-domtrans-to-sssd.patch
+Patch6002: backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch
+Patch6003: backport-Allow-tlp-dbus-chat-with-NetworkManager.patch
+Patch6004: backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch
+Patch6005: backport-Allow-rpmdb-read-admin-home-config-files.patch
+Patch6006: backport-Allow-rpmdb-read-generic-SSL-certificates.patch
+Patch6007: backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
+Patch6008: backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch
+Patch6009: backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch
+Patch6010: backport-Allow-svnserve-send-mail-from-the-system.patch
+Patch6011: backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch
+Patch6012: backport-Allow-smbcontrol-use-additional-socket-types.patch
+Patch6013: backport-Allow-login_userdomain-open-read-map-system-journal.patch
+Patch6014: backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch
+Patch6015: backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch
+Patch6016: backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch
+Patch6017: backport-Allow-systemd-read-unlabeled-symbolic-links.patch
+Patch6018: backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch
+Patch6019: backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
+Patch6020: backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
+Patch6021: backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch
+Patch6022: backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch
+Patch6023: backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
+Patch6024: backport-Allow-admin-userdomains-use-socketpair.patch
+Patch6025: backport-Ensure-that-run-systemd-are-properly-labeled.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -736,6 +760,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Sep 2 2022 lujie <lujie54@huawei.com> - 35.5-8
+- backport upstream patches
+
 * Thu Aug 18 2022 xuwenlong <xuwenlong16@huawei.com> - 35.5-7
 - Allow chage domtrans to sssd