update upstream patches

backport-Allow-administrative-users-the-bpf-capability.patch

@@ -0,0 +1,38 @@
+From 0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 12 Jan 2022 17:39:33 +0100
+Subject: [PATCH] Allow administrative users the bpf capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b
+Conflict: NA
+
+The userdom_admin_user_template() template for creating an
+administrative user was updated with the bpf capability so that
+e. g. users in the sysadm_r role can run perf.
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/12/2022 10:45:01.065:855) : proctitle=perf record -o /dev/null echo test
+type=SYSCALL msg=audit(01/12/2022 10:45:01.065:855) : arch=x86_64 syscall=bpf success=no exit=ENOENT(No such file or directory) a0=BPF_PROG_GET_NEXT_ID a1=0x7fffd756dba0 a2=0x78 a3=0x3b items=0 ppid=9065 pid=9066 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=7 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(01/12/2022 10:45:01.065:855) : avc:  denied  { bpf } for  pid=9066 comm=perf capability=unknown-capability(39)  scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.if | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index cb56d28..eea0894 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1640,6 +1640,8 @@ template(`userdom_admin_user_template',`
+ 	# $1_t local policy
+ 	#
+ 
++	allow $1_t self:capability2 bpf;
++
+ 	# Manipulate other users crontab.
+ 	allow $1_t self:passwd crontab;
+ 
+-- 
+1.8.3.1
+

backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch

@@ -0,0 +1,35 @@
+From ed80bcd8541d224ec18de995fb7dbb3c1bd5732c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 7 Jan 2022 17:35:22 +0100
+Subject: [PATCH] Allow fcoemon request the kernel to load a module
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ed80bcd8541d224ec18de995fb7dbb3c1bd5732c
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1641434692.558:116): avc:  denied  { module_request } for  pid=2995 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
+type=SYSCALL msg=audit(1641434692.558:116): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffdd90301c0 a3=7fec871ae3e0 items=0 ppid=1 pid=2995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fcoemon exe=/usr/sbin/fcoemon subj=s
+
+Resolves: rhbz#2034463
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/fcoe.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
+index d46768a..18a30e7 100644
+--- a/policy/modules/contrib/fcoe.te
++++ b/policy/modules/contrib/fcoe.te
+@@ -34,6 +34,8 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
+ 
++kernel_request_load_module(fcoemon_t)
++
+ dev_rw_sysfs(fcoemon_t)
+ dev_create_sysfs_files(fcoemon_t)
+ 
+-- 
+1.8.3.1
+

backport-Allow-gssproxy-access-to-various-system-files.patch

@@ -0,0 +1,44 @@
+From 02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Jan 2022 17:36:15 +0100
+Subject: [PATCH] Allow gssproxy access to various system files.
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/02d90bb3e2fc39d67a7d07cec5ca113bd0a53421
+Conflict: NA
+
+gssproxy was allowed to:
+- read system state information in /proc
+- read from random number generator devices (e.g., /dev/random)
+- read hardware state information
+
+Resolves: rhbz#2026974
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/gssproxy.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
+index f48457c..aa53de0 100644
+--- a/policy/modules/contrib/gssproxy.te
++++ b/policy/modules/contrib/gssproxy.te
+@@ -41,6 +41,7 @@ files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_fil
+ 
+ kernel_rw_rpc_sysctls(gssproxy_t)
+ kernel_read_network_state(gssproxy_t)
++kernel_read_system_state(gssproxy_t)
+ 
+ domain_use_interactive_fds(gssproxy_t)
+ domain_read_all_domains_state(gssproxy_t)
+@@ -51,7 +52,9 @@ fs_getattr_all_fs(gssproxy_t)
+ 
+ auth_use_nsswitch(gssproxy_t)
+ 
++dev_read_rand(gssproxy_t)
+ dev_read_urand(gssproxy_t)
++dev_read_sysfs(gssproxy_t)
+ dev_rw_crypto(gssproxy_t)
+ 
+ logging_send_syslog_msg(gssproxy_t)
+-- 
+1.8.3.1
+

backport-Allow-gssproxy-read-and-write-z90crypt-device.patch

@@ -0,0 +1,42 @@
+From d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Jan 2022 17:18:30 +0100
+Subject: [PATCH] Allow gssproxy read and write z90crypt device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b
+Conflict: NA
+
+This permission is required on s390x systems with the Crypto Express
+adapter card. The z90crypt device driver acts as the interface to the
+PCI cryptography hardware and performs asynchronous encryption
+operations (RSA) as used during the SSL handshake.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(26.11.2021 17:43:04.211:26) : proctitle=/usr/sbin/gssproxy -D
+type=AVC msg=audit(26.11.2021 17:43:04.211:26) : avc:  denied  { read write } for  pid=859 comm=gssproxy name=icastats_0 dev="tmpfs" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=0
+type=SYSCALL msg=audit(26.11.2021 17:43:04.211:26) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffdec7c2fb a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=0 ppid=1 pid=859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null)
+
+Resolves: rhbz#2026974
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/gssproxy.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
+index 18d08d1..872079f 100644
+--- a/policy/modules/contrib/gssproxy.te
++++ b/policy/modules/contrib/gssproxy.te
+@@ -52,6 +52,7 @@ fs_getattr_all_fs(gssproxy_t)
+ auth_use_nsswitch(gssproxy_t)
+ 
+ dev_read_urand(gssproxy_t)
++dev_rw_crypto(gssproxy_t)
+ 
+ logging_send_syslog_msg(gssproxy_t)
+ 
+-- 
+1.8.3.1
+

backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch

@@ -0,0 +1,35 @@
+From dc1a9f92b95e7adb963383681b8cab44f1e2a044 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Jan 2022 17:25:03 +0100
+Subject: [PATCH] Allow gssproxy read, write, and map ica tmpfs files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc1a9f92b95e7adb963383681b8cab44f1e2a044
+Conflict: NA
+
+These permissions are necessary for domains working
+with the ICA crypto accelerator.
+
+Resolves: rhbz#2026974
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/gssproxy.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
+index 872079f..f48457c 100644
+--- a/policy/modules/contrib/gssproxy.te
++++ b/policy/modules/contrib/gssproxy.te
+@@ -68,6 +68,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	ica_rw_map_tmpfs_files(gssproxy_t)
++')
++
++optional_policy(`
+     ipa_read_lib(gssproxy_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch

@@ -0,0 +1,36 @@
+From 747521e0f639f1aec372e87cd2e0cbed13d9416b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 10:15:43 +0100
+Subject: [PATCH] Allow kpropd get attributes of cgroup filesystems
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/747521e0f639f1aec372e87cd2e0cbed13d9416b
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/12/2022 17:58:09.626:7104) : proctitle=/usr/sbin/kpropd
+type=PATH msg=audit(01/12/2022 17:58:09.626:7104) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(01/12/2022 17:58:09.626:7104) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f78a1e413ae a1=0x7ffd080f54c0 a2=0x7f78a2137260 a3=0x0 items=1 ppid=1 pid=132239 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
+type=AVC msg=audit(01/12/2022 17:58:09.626:7104) : avc:  denied  { getattr } for  pid=132239 comm=kpropd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/kerberos.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
+index 4289d79..b4d3c3e 100644
+--- a/policy/modules/contrib/kerberos.te
++++ b/policy/modules/contrib/kerberos.te
+@@ -385,6 +385,8 @@ dev_read_urand(kpropd_t)
+ 
+ files_search_tmp(kpropd_t)
+ 
++fs_getattr_cgroup(kpropd_t)
++
+ selinux_validate_context(kpropd_t)
+ 
+ auth_use_nsswitch(kpropd_t)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch

@@ -0,0 +1,72 @@
+From 7c18d0afc7f6b93319902dc1e5305fe66a060019 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 19:17:31 +0100
+Subject: [PATCH] Allow login_userdomain create session_dbusd tmp socket files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7c18d0afc7f6b93319902dc1e5305fe66a060019
+Conflict: NA
+
+The dbus_create_session_tmp_sock_files() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(13.1.2022 18:56:38.180:8372) : proctitle=(systemd)
+type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=1 name=/run/user/1001/bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=0 name=/run/user/1001/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SOCKADDR msg=audit(13.1.2022 18:56:38.180:8372) : saddr={ saddr_fam=local path=/run/user/1001/bus }
+type=SYSCALL msg=audit(13.1.2022 18:56:38.180:8372) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x562410fef860 a2=0x15 a3=0x0 items=2 ppid=1 pid=24940 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=23 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(13.1.2022 18:56:38.180:8372) : avc:  denied  { create } for  pid=24940 comm=systemd name=bus scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.if      | 18 ++++++++++++++++++
+ policy/modules/system/userdomain.te |  4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
+index e04af61..deb6f10 100644
+--- a/policy/modules/contrib/dbus.if
++++ b/policy/modules/contrib/dbus.if
+@@ -901,6 +901,24 @@ interface(`dbus_delete_session_tmp_sock_files',`
+ 
+ ########################################
+ ## <summary>
++##      Create session_dbusd tmp socket files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dbus_create_session_tmp_sock_files',`
++        gen_require(`
++                type session_dbusd_tmp_t;
++        ')
++
++	create_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Allow systemctl dbus services
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index b936a81..9f778ee 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -404,6 +404,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	dbus_create_session_tmp_sock_files(login_userdomain)
++')
++
++optional_policy(`
+ 	gnome_watch_generic_data_home_dirs(login_userdomain)
+ 	gnome_watch_home_config_dirs(login_userdomain)
+ 	gnome_watch_home_config_files(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch

@@ -0,0 +1,38 @@
+From 0ed8e5127011aa4a75f57c250b5cc89b71949179 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 22:57:07 +0100
+Subject: [PATCH] Allow login_userdomain watch accountsd lib directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0ed8e5127011aa4a75f57c250b5cc89b71949179
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(3.1.2022 08:48:10.041:403) : proctitle=/usr/bin/plasmashell --no-respawn
+type=PATH msg=audit(3.1.2022 08:48:10.041:403) : item=0 name=/var/lib/AccountsService/icons inode=102167247 dev=fd:00 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:accountsd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 08:48:10.041:403) : arch=x86_64 syscall=inotify_add_watch success=yes exit=16 a0=0xd a1=0x556d0da251b8 a2=0x2000fc6 a3=0x7f74d2859329 items=1 ppid=1775 pid=1944 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 08:48:10.041:403) : avc:  denied  { watch } for  pid=1944 comm=plasmashell path=/var/lib/AccountsService/icons dev="dm-0" ino=102167247 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:accountsd_var_lib_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 86617c3..465e0a3 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -409,6 +409,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	accountsd_watch_lib(login_userdomain)
++')
++
++optional_policy(`
+ 	dbus_create_session_tmp_sock_files(login_userdomain)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-generic-directories-in-.patch

@@ -0,0 +1,35 @@
+From 7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 22:38:29 +0100
+Subject: [PATCH] Allow login_userdomain watch generic directories in /tmp
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(13.1.2022 21:50:49.647:21417) : proctitle=/usr/lib64/firefox/firefox --sm-client-id 10cddccc67000160673165200000017210015
+type=PATH msg=audit(13.1.2022 21:50:49.647:21417) : item=0 name=/tmp inode=1 dev=00:25 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(13.1.2022 21:50:49.647:21417) : arch=x86_64 syscall=inotify_add_watch success=yes exit=21 a0=0x50 a1=0x7fee2f76f1d0 a2=0x1002fce a3=0xdaddb2ff3800000 items=1 ppid=1775 pid=1088343 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=GeckoMain exe=/usr/lib64/firefox/firefox subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(13.1.2022 21:50:49.647:21417) : avc:  denied  { watch } for  pid=1088343 comm=GeckoMain path=/tmp dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 9f778ee..cc2d309 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -389,6 +389,7 @@ dev_watch_generic_dirs(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
+ files_watch_var_lib_dirs(login_userdomain)
++files_watch_generic_tmp_dirs(login_userdomain)
+ 
+ fs_create_cgroup_files(login_userdomain)
+ fs_watch_cgroup_files(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-localization-directorie.patch

@@ -0,0 +1,74 @@
+From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 22:53:08 +0100
+Subject: [PATCH] Allow login_userdomain watch localization directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a
+Conflict: NA
+
+The miscfiles_watch_localization_dirs() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad
+type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username
+type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc:  denied  { watch } for  pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/miscfiles.if  | 24 ++++++++++++++++++++++++
+ policy/modules/system/userdomain.te |  1 +
+ 2 files changed, 25 insertions(+)
+
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index b63a391..e7f73d8 100644
+--- a/policy/modules/system/miscfiles.if
++++ b/policy/modules/system/miscfiles.if
+@@ -557,6 +557,30 @@ interface(`miscfiles_read_localization',`
+ 
+ ########################################
+ ## <summary>
++##	Allow process to watch localization directories.
++## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to watch localization directories
++##	(e.g. /usr/share/zoneinfo/) for changes.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_watch_localization_dirs',`
++	gen_require(`
++		type locale_t;
++	')
++
++	watch_dirs_pattern($1, locale_t, locale_t)
++')
++
++########################################
++## <summary>
+ ##	Allow process to watch localization files.
+ ## </summary>
+ ## <desc>
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 824af18..86617c3 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain)
+ fs_create_cgroup_files(login_userdomain)
+ fs_watch_cgroup_files(login_userdomain)
+ 
++miscfiles_watch_localization_dirs(login_userdomain)
+ miscfiles_watch_localization_symlinks(login_userdomain)
+ 
+ mount_watch_pid_dirs(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch

@@ -0,0 +1,35 @@
+From f519626b841561d71f7ef751b446a598871477bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 14 Jan 2022 17:13:08 +0100
+Subject: [PATCH] Allow login_userdomain watch systemd-logind PID directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f519626b841561d71f7ef751b446a598871477bf
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:392) : proctitle=/usr/bin/wireplumber
+type=PATH msg=audit(3.1.2022 08:48:02.005:392) : item=0 name=/run/systemd/seats/ inode=72 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 08:48:02.005:392) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x11 a1=0x7f214c69d027 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 08:48:02.005:392) : avc:  denied  { watch } for  pid=2305 comm=wireplumber path=/run/systemd/seats dev="tmpfs" ino=72 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 465e0a3..5643687 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -432,6 +432,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_login_watch_pid_dirs(login_userdomain)
+ 	systemd_login_watch_session_dirs(login_userdomain)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-various-files-and-dirs.patch

@@ -0,0 +1,49 @@
+From 0675ab63c83c96dd65d9793c5ff2835253329bba Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 22:43:33 +0100
+Subject: [PATCH] Allow login_userdomain watch various files and dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0675ab63c83c96dd65d9793c5ff2835253329bba
+Conflict: NA
+
+Addresses the following AVC denials:
+
+type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:986) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
+type=PATH msg=audit(3.1.2022 14:44:22.064:986) : item=0 name=/etc/fstab inode=100663543 dev=fd:00 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 14:44:22.064:986) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x18 a1=0x56518e638958 a2=0xcc6 a3=0x56518e6392d0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 14:44:22.064:986) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/etc/fstab dev="dm-0" ino=100663543 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
+
+type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:987) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
+type=PATH msg=audit(3.1.2022 14:44:22.064:987) : item=0 name=/var/run inode=1 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 14:44:22.064:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x1a a1=0x7f74ecdfae35 a2=0x100 a3=0x0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 14:44:22.064:987) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/run dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
+
+type=PROCTITLE msg=audit(3.1.2022 14:44:22.213:989) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
+type=PATH msg=audit(3.1.2022 14:44:22.213:989) : item=0 name=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop inode=1684078 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 14:44:22.213:989) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0xf a1=0x7f74d8001438 a2=0x2000fc6 a3=0x7f74f2f73329 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 14:44:22.213:989) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop dev="dm-0" ino=1684078 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index cc2d309..824af18 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -387,8 +387,11 @@ tunable_policy(`deny_bluetooth',`',`
+ dev_watch_generic_dirs(login_userdomain)
+ 
+ files_watch_etc_dirs(login_userdomain)
++files_watch_etc_files(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
++files_watch_usr_files(login_userdomain)
+ files_watch_var_lib_dirs(login_userdomain)
++files_watch_var_run_dirs(login_userdomain)
+ files_watch_generic_tmp_dirs(login_userdomain)
+ 
+ fs_create_cgroup_files(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-smbcontrol-read-the-network-state-information.patch

@@ -0,0 +1,36 @@
+From 72bf03e76b3dd93ee4d29b573574cc394c74220b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 7 Jan 2022 18:24:37 +0100
+Subject: [PATCH] Allow smbcontrol read the network state information
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/15/2021 14:56:51.308:2289) : proctitle=smbcontrol winbind ping
+type=AVC msg=audit(12/15/2021 14:56:51.308:2289) : avc:  denied  { read } for  pid=39355 comm=smbcontrol name=unix dev="proc" ino=4026532055 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
+type=SYSCALL msg=audit(12/15/2021 14:56:51.308:2289) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fffd5d76250 a1=R_OK a2=0x8 a3=0x562d2bf87764 items=0 ppid=36929 pid=39355 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
+
+Resolves: rhbz#2038157
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/samba.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index cb89bcf..daf5349 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -743,6 +743,8 @@ samba_read_config(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+ samba_read_winbind_pid(smbcontrol_t)
+ 
++kernel_read_network_state(smbcontrol_t)
++
+ domain_use_interactive_fds(smbcontrol_t)
+ 
+ dev_read_urand(smbcontrol_t)
+-- 
+1.8.3.1
+

backport-Allow-sshd-read-filesystem-sysctl-files.patch

@@ -0,0 +1,34 @@
+From 84dd4309ad6d644edea2c3cf448f516f4e008c04 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 11 Jan 2022 15:17:27 +0100
+Subject: [PATCH] Allow sshd read filesystem sysctl files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84dd4309ad6d644edea2c3cf448f516f4e008c04
+Conflict: NA
+
+This permissions is required when "nofile unlimited" is configured
+in the system resources limits for a user.
+
+echo "testuser hard nofile unlimited" >> /etc/security/limits.d/testuser.conf
+
+Resolves: rhbz#2036585
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 10126e7..bf988b7 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -303,6 +303,7 @@ allow sshd_t sshd_keytab_t:file read_file_perms;
+ 
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
++kernel_read_fs_sysctls(sshd_t)
+ kernel_read_net_sysctls(sshd_t)
+ 
+ files_search_all(sshd_t)
+-- 
+1.8.3.1
+

backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch

@@ -0,0 +1,42 @@
+From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Jan 2022 17:15:56 +0100
+Subject: [PATCH] Allow sssd_kcm read and write z90crypt device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a
+Conflict: NA
+
+This permission is required on s390x systems with the Crypto Express
+adapter card. The z90crypt device driver acts as the interface to the
+PCI cryptography hardware and performs asynchronous encryption
+operations (RSA) as used during the SSL handshake.
+
+Addresses the following AVC denial:
+PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
+type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc:  denied  { read write } for  pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
+type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)
+
+Resolves: rhbz#2026974
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/sssd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index b510dca..e5c8673 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)
+ 
+ dev_read_urand(sssd_t)
+ dev_read_sysfs(sssd_t)
++dev_rw_crypto(sssd_t)
+ 
+ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+-- 
+1.8.3.1
+

backport-Allow-sysadm_t-start-and-stop-transient-services.patch

@@ -0,0 +1,34 @@
+From 489674d8ad8253a18cf88425f2fe3dbf265d03a1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 17 Jan 2022 12:44:10 +0100
+Subject: [PATCH] Allow sysadm_t start and stop transient services
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/489674d8ad8253a18cf88425f2fe3dbf265d03a1
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=USER_AVC msg=audit(01/07/2022 03:27:48.362:345) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=unset uid=root gid=root cmdline="" scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' # Date:      Mon Jan 17 12:44:10 2022 +0100
+
+Resolves: rhbz#2031065
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index fae8028..d9e11b6 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -81,6 +81,8 @@ init_exec(sysadm_t)
+ init_exec_script_files(sysadm_t)
+ init_dbus_chat(sysadm_t)
+ init_script_role_transition(sysadm_r)
++init_start(sysadm_t)
++init_stop(sysadm_t)
+ init_status(sysadm_t)
+ init_reboot(sysadm_t)
+ init_halt(sysadm_t)
+-- 
+1.8.3.1
+

backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch

@@ -0,0 +1,39 @@
+From 9ca08c39af36079809e9247957d86e86009a3e6a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 19:23:19 +0100
+Subject: [PATCH] Allow systemd-coredump read and write usermodehelper state
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9ca08c39af36079809e9247957d86e86009a3e6a
+Conflict: NA
+
+When systemd (PID1) crashes, it freezes and systemd services cannot be
+started, so coredump handling with systemd-coredump will not work
+either. As frozen systemd does not collect zombies any longer, it looks
+reasonable to avoid spawning further processes as much as possible.
+
+Therefore systemd-coredump will write "|/bin/false" to the
+kernel.core_pattern kernel tunable when it detects that it was PID 1
+that had crashed to disable coredumping.
+
+Resolves: rhbz#1982961
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index edd4354..5a78a8c 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1055,6 +1055,8 @@ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_cor
+ mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+ init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump")
+ 
++kernel_rw_usermodehelper_state(systemd_coredump_t)
++
+ dev_write_kmsg(systemd_coredump_t)
+ 
+ # To read info about the crashed process from /proc
+-- 
+1.8.3.1
+

backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch

@@ -0,0 +1,46 @@
+From 4ed22744f5a99c1f2b997b915b340de7abe8d15d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 21:08:14 +0100
+Subject: [PATCH] Allow systemd-coredump userns capabilities and root mounton
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4ed22744f5a99c1f2b997b915b340de7abe8d15d
+Conflict: NA
+
+systemd-coredump forks a child process to perform core file analysis
+(comm=(sd-parse-elf)), and before doing the actual analysis, it sets
+up a sandbox using mount and user namespaces.
+
+Refer to https://github.com/systemd/systemd/commit/61aea456c1
+for the systemd upstream change.
+
+Resolves: rhbz#2031356
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 5a78a8c..ea2b27e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1040,7 +1040,7 @@ systemd_read_efivarfs(systemd_sysctl_t)
+ # setgid setuid - to set own credentials to match the dumped process credentials
+ # setpcap - to drop capabilities
+ allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace };
+-allow systemd_coredump_t self:cap_userns sys_ptrace;
++allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };
+ 
+ # To set its capability set
+ allow systemd_coredump_t self:process setcap;
+@@ -1067,6 +1067,8 @@ domain_read_all_domains_state(systemd_coredump_t)
+ files_read_non_security_files(systemd_coredump_t)
+ files_map_non_security_files(systemd_coredump_t)
+ 
++files_mounton_rootfs(systemd_coredump_t)
++
+ fs_getattr_nsfs_files(systemd_coredump_t)
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch

@@ -0,0 +1,68 @@
+From 3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 22:12:03 +0100
+Subject: [PATCH] Allow systemd-io-bridge ioctl rpm_script_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f
+Conflict: NA
+
+The permission to allow systemd-io-bridge ioctl rpm_script_t
+with a unix domain stream socket was added to the policy.
+It may be required when rpm packages are updated.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(3.1.2022 01:17:50.921:486) : proctitle=(o-bridge)
+type=SYSCALL msg=audit(3.1.2022 01:17:50.921:486) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Pro toto zařízení nevhodné ioctl) a0=0x0 a1=TCGETS a2=0x7ffe8195d1e0 a3=0x7f9ea8a35ca0 items=0 ppid=1 pid=2846 auid=sddm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(3.1.2022 01:17:50.921:486) : avc:  denied  { ioctl } for  pid=2846 comm=(o-bridge) path=socket:[43260] dev="sockfs" ino=43260 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+
+Resolves: rhbz#2024489
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index db809c6..190f3e2 100644
+--- a/policy/modules/contrib/rpm.if
++++ b/policy/modules/contrib/rpm.if
+@@ -957,3 +957,21 @@ interface(`rpm_admin',`
+ 
+ 	rpm_run($1, $2)
+ ')
++
++## <summary>
++##	Allow the specified domain to ioctl rpm_script_t
++##	with a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_script_ioctl_stream_sockets',`
++	gen_require(`
++		type rpm_script_t;
++	')
++
++	allow $1 rpm_script_t:unix_stream_socket ioctl;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 0de5f4a..a81f5da 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -516,6 +516,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	rpm_read_db(init_t)
++	rpm_script_ioctl_stream_sockets(init_t)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch

@@ -0,0 +1,69 @@
+From 13c9a34e3e717785cf37706a964294733f6c5b00 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 13 Jan 2022 19:09:13 +0100
+Subject: [PATCH] Allow systemd-logind delete session_dbusd tmp socket files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/13c9a34e3e717785cf37706a964294733f6c5b00
+Conflict: NA
+
+The dbus_delete_session_tmp_sock_files() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1001
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x560b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
+type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc:  denied  { unlink } for  pid=26510 comm=systemd-user-ru name=bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
+
+Resolves: rhbz#2039671
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.if   | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
+index 71c77a0..e04af61 100644
+--- a/policy/modules/contrib/dbus.if
++++ b/policy/modules/contrib/dbus.if
+@@ -883,6 +883,24 @@ interface(`dbus_write_session_tmp_sock_files',`
+ 
+ ########################################
+ ## <summary>
++##      Delete session_dbusd tmp socket files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dbus_delete_session_tmp_sock_files',`
++        gen_require(`
++                type session_dbusd_tmp_t;
++        ')
++
++	delete_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Allow systemctl dbus services
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 43fffdc..edd4354 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -364,6 +364,7 @@ optional_policy(`
+ optional_policy(`
+ 	dbus_connect_system_bus(systemd_logind_t)
+ 	dbus_system_bus_client(systemd_logind_t)
++	dbus_delete_session_tmp_sock_files(systemd_logind_t)
+     dbus_manage_session_tmp_dirs(systemd_logind_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-tlp-read-its-systemd-unit.patch

@@ -0,0 +1,32 @@
+From 6f8f2fbdaa248e9d8967456b79888b4484ca9ad7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Jan 2022 21:51:47 +0100
+Subject: [PATCH] Allow tlp read its systemd unit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6f8f2fbdaa248e9d8967456b79888b4484ca9ad7
+Conflict: NA
+
+A tlp script executes systemctl to get status of the tlp service unit.
+
+Resolves: rhbz#2013451
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/tlp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
+index b9491ee..e2de3b2 100644
+--- a/policy/modules/contrib/tlp.te
++++ b/policy/modules/contrib/tlp.te
+@@ -28,6 +28,8 @@ allow tlp_t self:udp_socket create_socket_perms;
+ allow tlp_t self:unix_dgram_socket create_socket_perms;
+ allow tlp_t self:netlink_generic_socket create_socket_perms;
+ 
++allow tlp_t tlp_unit_file_t:file read_file_perms;
++
+ manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+ manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+ files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
+-- 
+1.8.3.1
+

backport-Allow-virt_domain-map-vhost-devices.patch

@@ -0,0 +1,67 @@
+From 7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 7 Jan 2022 18:17:12 +0100
+Subject: [PATCH] Allow virt_domain map vhost devices
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0
+Conflict: NA
+
+The dev_map_vhost() interface was added.
+
+This commit addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/26/2021 22:21:14.465:1513) : proctitle=/usr/libexec/qemu-kvm -name guest=r9,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/
+type=AVC msg=audit(12/26/2021 22:21:14.465:1513) : avc:  denied  { map } for  pid=31328 comm=CPU 0/KVM path=/dev/vhost-vdpa-0 dev="devtmpfs" ino=876 scontext=system_u:system_r:svirt_t:s0:c135,c969 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
+type=SYSCALL msg=audit(12/26/2021 22:21:14.465:1513) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=31328 auid=unset uid=unknown(107) gid=unknown(107) euid=unknown(107) suid=unknown(107) fsuid=unknown(107) egid=unknown(107) sgid=unknown(107) fsgid=unknown(107) tty=(none) ses=unset comm=CPU 0/KVM exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c135,c969 key=(null)
+
+Resolves: rhbz#2035702
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/virt.te   |  1 +
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index b14222b..340056b 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -969,6 +969,7 @@ dev_rw_infiniband_dev(virt_domain)
+ dev_rw_dri(virt_domain)
+ dev_rw_tpm(virt_domain)
+ dev_rw_xserver_misc(virt_domain)
++dev_map_vhost(virt_domain)
+ 
+ domain_use_interactive_fds(virt_domain)
+ 
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index f7f8e98..51d9ab4 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -5964,6 +5964,24 @@ interface(`dev_rw_inherited_vhost',`
+ 
+ ########################################
+ ## <summary>
++##	Allow map the vhost devices
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_map_vhost',`
++	gen_require(`
++		type device_t, vhost_device_t;
++	')
++
++	allow $1 vhost_device_t:chr_file map;
++')
++
++########################################
++## <summary>
+ ##	Read and write VMWare devices.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 8
+Release: 9
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -90,6 +90,28 @@ Patch6022: backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch
 Patch6023: backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
 Patch6024: backport-Allow-admin-userdomains-use-socketpair.patch
 Patch6025: backport-Ensure-that-run-systemd-are-properly-labeled.patch
+Patch6026: backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch
+Patch6027: backport-Allow-virt_domain-map-vhost-devices.patch
+Patch6028: backport-Allow-smbcontrol-read-the-network-state-information.patch
+Patch6029: backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch
+Patch6030: backport-Allow-gssproxy-read-and-write-z90crypt-device.patch
+Patch6031: backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch
+Patch6032: backport-Allow-gssproxy-access-to-various-system-files.patch
+Patch6033: backport-Allow-tlp-read-its-systemd-unit.patch
+Patch6034: backport-Allow-sshd-read-filesystem-sysctl-files.patch
+Patch6035: backport-Allow-sysadm_t-start-and-stop-transient-services.patch
+Patch6036: backport-Allow-administrative-users-the-bpf-capability.patch
+Patch6037: backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch
+Patch6038: backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch
+Patch6039: backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch
+Patch6040: backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch
+Patch6041: backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch
+Patch6042: backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch
+Patch6043: backport-Allow-login_userdomain-watch-generic-directories-in-.patch
+Patch6044: backport-Allow-login_userdomain-watch-various-files-and-dirs.patch
+Patch6045: backport-Allow-login_userdomain-watch-localization-directorie.patch
+Patch6046: backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch
+Patch6047: backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -760,6 +782,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-9
+- backport upstream patches
+
 * Fri Sep 2 2022 lujie <lujie54@huawei.com> - 35.5-8
 - backport upstream patches