!224 selinux-policy:update version to 38.21

From: @jinlun123123 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

Add-initial-policy-for-the-usr-sbin-request-key-help.patch

@@ -1,227 +0,0 @@
-From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Mon, 30 Jan 2023 14:46:50 +0100
-Subject: [PATCH 2/5] Add initial policy for the /usr/sbin/request-key helper
-
-The kernel is hard-coded to call /sbin/request-key to handle requests
-for instantiating keys that are not found in the existing keyrings.
-
-Thus, we need to add a domain for this helper and set up a transition
-into that domain from kernel_t.
-
-request-key dispatches the key requests to further helper programs based
-on the configuration in /etc/request-key.d/*.conf and
-/etc/request-key.conf. Currently, the only known used dispatcher is
-/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle
-requests for the 'id_resolver' key type. This patch adds the minimal
-policy for this helper that is needed for an NFS mount to succeed.
-
-Policy for other request-key helper programs may need to be added in the
-future. An optional mechanism to allow any possible configuration (e.g.
-by setting up a transition over any file to unconfined_service_t) may be
-also desired. For now let's at least make the one known use case work.
-
-Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain")
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policy/modules.conf                |  7 +++++
- policy/modules/contrib/keyutils.fc |  1 +
- policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++
- policy/modules/contrib/keyutils.te | 11 ++++++++
- policy/modules/contrib/rpc.fc      |  1 +
- policy/modules/contrib/rpc.te      | 32 ++++++++++++++++++++++
- policy/modules/kernel/kernel.if    | 19 +++++++++++++
- policy/modules/kernel/kernel.te    |  4 +++
- 8 files changed, 118 insertions(+)
- create mode 100644 policy/modules/contrib/keyutils.fc
- create mode 100644 policy/modules/contrib/keyutils.if
- create mode 100644 policy/modules/contrib/keyutils.te
-
-diff --git a/policy/modules.conf b/policy/modules.conf
-index 5e0678668..6f63c8cb6 100644
---- a/policy/modules.conf
-+++ b/policy/modules.conf
-@@ -3078,3 +3078,10 @@ rhcd = module
- # wireguard
- #
- wireguard = module
-+
-+# Layer: contrib
-+# Module: keyutils
-+#
-+#  keyutils - Linux Key Management Utilities
-+#
-+keyutils = module
-diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc
-new file mode 100644
-index 000000000..78c5f159f
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.fc
-@@ -0,0 +1 @@
-+/usr/sbin/request-key	--	gen_context(system_u:object_r:keyutils_request_exec_t,s0)
-diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if
-new file mode 100644
-index 000000000..06daab988
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.if
-@@ -0,0 +1,43 @@
-+## <summary>Linux Key Management Utilities</summary>
-+
-+#######################################
-+## <summary>
-+##	Execute request-key in the keyutils request domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`keyutils_request_domtrans',`
-+	gen_require(`
-+		type keyutils_request_t, keyutils_request_exec_t;
-+	')
-+
-+	domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Allows to perform key instantiation callout
-+##	by transitioning to the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The process type entered by request-key.
-+##	</summary>
-+## </param>
-+## <param name="entrypoint">
-+##	<summary>
-+##	The executable type for the entrypoint.
-+##	</summary>
-+## </param>
-+#
-+interface(`keyutils_request_domtrans_to',`
-+	gen_require(`
-+		type keyutils_request_t;
-+	')
-+
-+	domtrans_pattern(keyutils_request_t, $2, $1)
-+')
-diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te
-new file mode 100644
-index 000000000..2ea1d5e38
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.te
-@@ -0,0 +1,11 @@
-+policy_module(keyutils, 1.0)
-+
-+type keyutils_request_exec_t;
-+files_type(keyutils_request_exec_t)
-+
-+type keyutils_request_t;
-+domain_type(keyutils_request_t)
-+domain_entry_file(keyutils_request_t, keyutils_request_exec_t)
-+
-+kernel_view_key(keyutils_request_t)
-+kernel_read_key(keyutils_request_t)
-diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
-index 3825ef707..06a6c009c 100644
---- a/policy/modules/contrib/rpc.fc
-+++ b/policy/modules/contrib/rpc.fc
-@@ -32,6 +32,7 @@
- /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
- /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/nfsdcld	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-+/usr/sbin/nfsidmap	--	gen_context(system_u:object_r:nfsidmap_exec_t,s0)
- 
- #
- # /var
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index f94cfa5d2..c83492a56 100644
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -434,3 +434,35 @@ optional_policy(`
- optional_policy(`
- 	xserver_rw_xdm_tmp_files(gssd_t)
- ')
-+
-+########################################
-+#
-+# nfsidmap policy
-+#
-+
-+type nfsidmap_exec_t;
-+files_type(nfsidmap_exec_t)
-+
-+type nfsidmap_t;
-+domain_type(nfsidmap_t)
-+domain_entry_file(nfsidmap_t, nfsidmap_exec_t)
-+
-+allow nfsidmap_t self:key write;
-+allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+kernel_setattr_key(nfsidmap_t)
-+
-+sysnet_read_config(nfsidmap_t)
-+
-+optional_policy(`
-+	auth_read_passwd_file(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+	logging_send_syslog_msg(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+	# /etc/request-key.d/id_resolver.conf
-+	keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t)
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 166586f66..adb71ed3a 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',`
- 
- 	dontaudit $1 kernel_t:key view;
- ')
-+
-+########################################
-+## <summary>
-+##	Allow to set attributes on the kernel key ring.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_setattr_key',`
-+	gen_require(`
-+		type kernel_t;
-+	')
-+
-+	allow $1 kernel_t:key setattr;
-+')
-+
- ########################################
- ## <summary>
- ##	Allows caller to read the ring buffer.
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..0a27fa7ae 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -410,6 +410,10 @@ optional_policy(`
- 	kerberos_filetrans_home_content(kernel_t)
- ')
- 
-+optional_policy(`
-+	keyutils_request_domtrans(kernel_t)
-+')
-+
- optional_policy(`
- 	init_dbus_chat(kernel_t)
- 	init_sigchld(kernel_t)
--- 
-2.33.0
-

Add-journalctl-the-sys_resource-capability.patch

@@ -1,35 +0,0 @@
-From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Feb 2023 17:20:51 +0100
-Subject: [PATCH 4/5] Add journalctl the sys_resource capability
-
-The journalctl command runs in the journalctl_t domain when executed by
-a confined user (user, staff, sysadm). When is invoked with pager,
-prctl() is called to change the process name.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
-type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc:  denied  { sys_resource } for  pid=25516 comm=(pager) capability=sys_resource  scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
-
-Resolves: rhbz#2136189
----
- policy/modules/contrib/journalctl.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
-index 5b4329c80..b22b6a713 100644
---- a/policy/modules/contrib/journalctl.te
-+++ b/policy/modules/contrib/journalctl.te
-@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
- #
- # journalctl local policy
- #
-+allow journalctl_t self:capability sys_resource;
- allow journalctl_t self:process { fork setrlimit signal_perms };
- 
- allow journalctl_t self:fifo_file manage_fifo_file_perms;
--- 
-2.33.0
-

Additional-support-for-rpmdb_migrate.patch

@@ -1,64 +0,0 @@
-From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 31 Jan 2023 19:12:39 +0100
-Subject: [PATCH 1/5] Additional support for rpmdb_migrate
-
-Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t")
-commit, selinux-policy supports the rpmdb-migrate.service which is
-executed after the first boot to a newer Fedora release to migrate the
-rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm.
-Additional permissions started to be required recently.
-
-Resolves: rhbz#2164752
----
- policy/modules/contrib/rpm.te | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
-index 247f1fa7a..cf5539abb 100644
---- a/policy/modules/contrib/rpm.te
-+++ b/policy/modules/contrib/rpm.te
-@@ -260,26 +260,33 @@ optional_policy(`
- # rpmdb local policy
- #
- 
--allow rpmdb_t rpm_var_lib_t:file map;
--allow rpmdb_t rpmdb_tmp_t:file map;
-+can_exec(rpmdb_t, rpm_exec_t)
- 
- manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
- manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
--files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
--files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
-+allow rpmdb_t rpm_var_lib_t:file map;
- 
- manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
-+allow rpmdb_t rpmdb_tmp_t:file map;
- 
--term_use_all_inherited_terms(rpmdb_t)
--
--auth_dontaudit_read_passwd(rpmdb_t)
-+corecmd_exec_bin(rpmdb_t)
-+corecmd_exec_shell(rpmdb_t)
- 
- files_rw_inherited_non_security_files(rpmdb_t)
-+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
- 
- sysnet_dontaudit_read_config(rpmdb_t)
- 
-+term_use_all_inherited_terms(rpmdb_t)
-+
-+optional_policy(`
-+	auth_dontaudit_read_passwd(rpmdb_t)
-+')
-+
- optional_policy(`
- 	miscfiles_read_generic_certs(rpmdb_t)
- ')
--- 
-2.33.0
-

Allow-certmonger-read-the-contents-of-the-sysfs-file.patch

@@ -1,31 +0,0 @@
-From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 7 Feb 2023 11:04:09 +0100
-Subject: [PATCH 5/5] Allow certmonger read the contents of the sysfs
- filesystem
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
-type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null)
-type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc:  denied  { open } for  pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
- policy/modules/contrib/certmonger.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
-index e721254ae..c72f05b44 100644
---- a/policy/modules/contrib/certmonger.te
-+++ b/policy/modules/contrib/certmonger.te
-@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t)
- 
- dev_read_rand(certmonger_t)
- dev_read_urand(certmonger_t)
-+dev_read_sysfs(certmonger_t)
- 
- domain_use_interactive_fds(certmonger_t)
- 
--- 
-2.33.0
-

Allow-login_pgm-setcap-permission.patch

@@ -1,42 +0,0 @@
-From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Mar 2023 12:22:12 +0100
-Subject: [PATCH] Allow login_pgm setcap permission
-
-There is a pam_cap module as a part of the libcap package. When a
-capability is added to the login process using pam_cap, the setcap
-permission is required.
-
-Example setup:
-
- echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf
- echo "auth required pam_cap.so" >> /etc/pam.d/postlogin
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser [priv]
-type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc:  denied  { setcap } for  pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
-
-Resolves: rhbz#2172541
-Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
----
- policy/modules/system/authlogin.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index feabf67ab..2c3628a31 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
- allow login_pgm self:netlink_selinux_socket create_socket_perms; 
- allow login_pgm self:capability ipc_lock;
- dontaudit login_pgm self:capability net_admin;
--allow login_pgm self:process setkeycreate;
-+allow login_pgm self:process { setcap setkeycreate };
- allow login_pgm self:key manage_key_perms;
- userdom_manage_all_users_keys(login_pgm)
- allow login_pgm nsswitch_domain:key manage_key_perms;
--- 
-2.33.0
-

Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch

@@ -1,35 +0,0 @@
-From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Feb 2023 18:15:19 +0100
-Subject: [PATCH 3/5] Allow nm-dispatcher plugins read generic files in /proc
-
-It turns out the systemctl command needs to read /proc/cpuinfo at
-the aarch64 architecture, so the permission was allowed for the
-networkmanager_dispatcher_plugin attribute.
-
-The commit addresses the following AVC denial:
-type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service
-type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null)
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { open } for  pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { read } for  pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-
-Resolves: rhbz#2164845
----
- policy/modules/contrib/networkmanager.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
-index 0e3218929..ef77fdb32 100644
---- a/policy/modules/contrib/networkmanager.te
-+++ b/policy/modules/contrib/networkmanager.te
-@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc
- 
- read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t)
- 
-+kernel_read_proc_files(networkmanager_dispatcher_plugin)
- kernel_request_load_module(NetworkManager_dispatcher_ddclient_t)
- 
- auth_read_passwd(networkmanager_dispatcher_plugin)
--- 
-2.33.0
-

Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch

@@ -5,15 +5,16 @@ Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
  without a transition"
 
 This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
+
 ---
- policy/modules/kernel/kernel.te | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
+ policy/modules/kernel/kernel.te | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
 
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..2df33b0ac 100644
+index fc6f5f8..daf0801 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t)
+@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t)
  term_use_all_terms(kernel_t)
  term_use_ptmx(kernel_t)
  
@@ -28,10 +29,13 @@ index f7ac8cd1f..2df33b0ac 100644
 -role system_r types kernel_generic_helper_t;
 -corecmd_bin_entry_type(kernel_generic_helper_t)
 -corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
+-
+-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;
 +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 +corecmd_exec_bin(kernel_t)
  
  domain_use_all_fds(kernel_t)
  domain_signal_all_domains(kernel_t)
 -- 
-2.25.1
+2.27.0
+

selinux-policy.spec

@@ -11,12 +11,12 @@
 
 Summary: SELinux policy configuration
 Name:    selinux-policy
-Version: 38.6
-Release: 5
+Version: 38.21
+Release: 1
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
-Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.6.tar.gz
+Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz
 
 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
@@ -63,12 +63,6 @@ Patch7:  add-avc-for-os-1.patch
 Patch8:  allow-rpcbind-to-bind-all-port.patch
 Patch9:  add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
-Patch11: Allow-login_pgm-setcap-permission.patch
-Patch12: Additional-support-for-rpmdb_migrate.patch
-Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch
-Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
-Patch15: Add-journalctl-the-sys_resource-capability.patch
-Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -748,6 +742,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1
+- update version to 38.21
+
 * Wed May 31 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-5
 - backport some upstream patches