diff --git a/add-avc-for-systemd-selinux-page.patch b/add-avc-for-systemd-selinux-page.patch
new file mode 100644
index 0000000..8e26311
--- /dev/null
+++ b/add-avc-for-systemd-selinux-page.patch
@@ -0,0 +1,123 @@
+From 1a6889def34747b606f4e520fbff72fe86f90b0f Mon Sep 17 00:00:00 2001
+From: lujie42 <572084868@qq.com>
+Date: Tue, 24 Aug 2021 15:38:40 +0800
+Subject: [PATCH] add avc for systemd no17479
+
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/kernel/domain.te | 4 ++--
+ policy/modules/kernel/selinux.if | 2 +-
+ policy/modules/system/logging.te | 1 +
+ policy/modules/system/systemd.if | 7 ++++---
+ policy/modules/system/systemd.te | 3 +++
+ 5 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 8e52b17..27b112c 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -510,7 +510,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- systemd_dbus_chat_resolved(domain)
++ systemd_chat_resolved(domain)
+ systemd_login_status(unconfined_domain_type)
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+@@ -519,7 +519,7 @@ optional_policy(`
+ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
+ systemd_filetrans_home_content(named_filetrans_domain)
+- systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index ac70efb..a2ab3fc 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -324,7 +324,7 @@ interface(`selinux_get_enforce_mode',`
+ dev_search_sysfs($1)
+ selinux_get_fs_mount($1)
+ allow $1 security_t:dir list_dir_perms;
+- allow $1 security_t:file read_file_perms;
++ allow $1 security_t:file mmap_read_file_perms;
+ allow $1 security_t:lnk_file read_lnk_file_perms;
+ ')
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index df4e985..482fe6d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -622,6 +622,7 @@ term_write_unallocated_ttys(syslogd_t)
+ term_use_generic_ptys(syslogd_t)
+
+ init_stream_connect(syslogd_t)
++init_read_pid_files(syslogd_t)
+ # for sending messages to logged in users
+ init_read_utmp(syslogd_t)
+ init_dontaudit_write_utmp(syslogd_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 514bbd7..6503c87 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2345,8 +2345,8 @@ interface(`systemd_map_resolved_exec_files',`
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## systemd resolved over dbus.
++## Exchange messages with
++## systemd resolved over dbus or varlink.
+ ##
+ ##
+ ##
+@@ -2354,13 +2354,14 @@ interface(`systemd_map_resolved_exec_files',`
+ ##
+ ##
+ #
+-interface(`systemd_dbus_chat_resolved',`
++interface(`systemd_chat_resolved',`
+ gen_require(`
+ type systemd_resolved_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_resolved_t:dbus send_msg;
++ allow $1 systemd_resolved_t:unix_stream_socket connectto;
+ allow systemd_resolved_t $1:dbus send_msg;
+ ps_process_pattern(systemd_resolved_t, $1)
+ ')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 1e96c31..7849d51 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -13,6 +13,7 @@ attribute systemd_private_tmp_type;
+
+ attribute systemd_read_efivarfs_type;
+ fs_read_efivarfs_files(systemd_read_efivarfs_type)
++read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
+
+ systemd_domain_template(systemd_logger)
+ systemd_domain_template(systemd_logind)
+@@ -501,6 +502,7 @@ corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
+ corenet_udp_bind_dhcpd_port(systemd_networkd_t)
+
+ fs_read_xenfs_files(systemd_networkd_t)
++fs_read_nsfs_files(systemd_networkd_t)
+
+ dev_read_sysfs(systemd_networkd_t)
+ dev_write_kmsg(systemd_networkd_t)
+@@ -1066,6 +1068,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+--
+1.8.3.1
+
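Review bot: The rename of `systemd_dbus_chat_resolved` to `systemd_chat_resolved` in systemd.if updates only the one caller in domain.te, and nothing in the patch shows the rest of the policy tree was checked for other callers; a module still calling the old name would fail at policy build once this patch is applied. A three-line compatibility interface named `systemd_dbus_chat_resolved` whose body is just `systemd_chat_resolved($1)`, placed after the renamed one, keeps any such caller working. Separately, the new `allow $1 systemd_resolved_t:unix_stream_socket connectto;` is reached through the `domain` attribute in domain.te, so every domain may now connect to resolved's unix stream sockets rather than only exchange dbus messages with it; that is presumably the intended varlink access, but it widens the rule relative to the dbus-only version. The interface summary should state that explicitly, e.g. `## Also allows connecting to systemd resolved's unix stream (varlink) sockets.`, so reviewers of future callers see the extra grant.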
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f356921..12f22ef 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.2
-Release: 72
+Release: 73
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
@@ -112,7 +112,9 @@ Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch
Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
-Patch6039: add-qemu_exec_t-for-stratovirt.patch
+
+Patch9000: add-qemu_exec_t-for-stratovirt.patch
+Patch9001: add-avc-for-systemd-selinux-page.patch
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -779,6 +781,9 @@ exit 0
%endif
%changelog
+* Fri Aug 20 2021 ExtinctFire -3.14.2-73
+- Add avc for systemd selinux page
+
* Fri Aug 20 2021 mingyang -3.14.2-72
- Add qemu_exec_t for stratovirt