!171 update upstream patches

From: @lujie42 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch

@@ -0,0 +1,31 @@
+From 34264caf221fc43e17aefeeda0d1115eb89655e0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 7 Feb 2022 18:27:52 +0100
+Subject: [PATCH] Add the map permission to common_anon_inode_perm permission
+ set
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/34264caf221fc43e17aefeeda0d1115eb89655e0
+Conflict: NA
+
+Resolves: rhbz#2025714
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/support/obj_perm_sets.spt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 1a2108a..2b84320 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -280,7 +280,7 @@ define(`userfaultfd_anon_inode_perms',`
+ #
+ # Anonymous inode files (anon_inode)
+ #
+-define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl read write }')
++define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl map read write }')
+ 
+ ########################################
+ #
+-- 
+1.8.3.1
+

backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch

@@ -0,0 +1,32 @@
+From 51422c4a4277924046514a18b67a38b896d698f0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 28 Jan 2022 17:40:25 +0100
+Subject: [PATCH] Allow ModemManager connect to the unconfined user domain
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/51422c4a4277924046514a18b67a38b896d698f0
+Conflict: NA
+
+The modemmanager_t domain was allowed to connect to unconfined_t
+over a unix domain stream socket.
+
+Resolves: rhbz#1961571
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/modemmanager.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
+index 857ed6b..9a132b2 100644
+--- a/policy/modules/contrib/modemmanager.te
++++ b/policy/modules/contrib/modemmanager.te
+@@ -82,3 +82,7 @@ optional_policy(`
+ 	udev_read_db(modemmanager_t)
+ 	udev_manage_pid_files(modemmanager_t)
+ ')
++
++optional_policy(`
++	unconfined_stream_connect(modemmanager_t)
++')
+-- 
+1.8.3.1
+

backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch

@@ -0,0 +1,51 @@
+From f0cb46186be7437cd78c96271938b3902cec10b7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 26 Jan 2022 10:54:36 +0100
+Subject: [PATCH] Allow NetworkManager talk with unconfined user over unix
+ domain dgram socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f0cb46186be7437cd78c96271938b3902cec10b7
+Conflict: NA
+
+This permission is required for wpa_cli be able to communicate with the
+wpa_supplicant service in CLI. The wpa control interface socket file is
+open in /run/wpa_supplicant, the client socket in /tmp.
+
+This issue possibly started to appear after unconfined_t was removed from the
+unpriv_user_domain attribute with the 4b4eec49a55 ("Removed adding to
+attribute unpriv_userdomain from userdom_unpriv_type template") commit.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/24/2022 02:56:04.040:501) : proctitle=/usr/sbin/wpa_supplicant -g /run/wpa_supplicant/global -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
+type=PATH msg=audit(01/24/2022 02:56:04.040:501) : item=0 name=/tmp/wpa_ctrl_26793-1 inode=730142 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(01/24/2022 02:56:04.040:501) : cwd=/
+type=SOCKADDR msg=audit(01/24/2022 02:56:04.040:501) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_26793-1 }
+type=SYSCALL msg=audit(01/24/2022 02:56:04.040:501) : arch=x86_64 syscall=sendto success=yes exit=5 a0=0x5 a1=0x5556370a4860 a2=0x5 a3=0x0 items=1 ppid=1 pid=26219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+type=AVC msg=audit(01/24/2022 02:56:04.040:501) : avc:  denied  { sendto } for  pid=26219 comm=wpa_supplicant path=/tmp/wpa_ctrl_26793-1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
+
+Resolves: rhbz#2044048
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/networkmanager.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index 8230910..1a53f51 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -498,6 +498,11 @@ optional_policy(`
+ 	openvswitch_stream_connect(NetworkManager_t)
+ ')
+ 
++optional_policy(`
++	unconfined_dgram_send(NetworkManager_t)
++')
++
++
+ tunable_policy(`use_ecryptfs_home_dirs',`
+ 	fs_manage_ecryptfs_files(NetworkManager_t)
+ ')
+-- 
+1.8.3.1
+

backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch

@@ -0,0 +1,44 @@
+From 435388f6b50495a6615b811b129ca6d3020f7355 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 10 Feb 2022 11:38:56 +0100
+Subject: [PATCH] Allow alsa bind mixer controls to led triggers
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/435388f6b50495a6615b811b129ca6d3020f7355
+Conflict: NA
+
+Since v5.13, the kernel has support to bind certain alsa mixer controls
+to LED triggers from userspace to control the mute-LEDS found on some
+devices (typically embedded inside the keyboard's mute keys).
+
+To allow that, alsa needs to be able to execute "modprobe snd_ctl_led"
+and write to /sys/class/sound/ctl-led/speaker/ and .../mic.
+
+Resolves: rhbz#1958210
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/alsa.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
+index aee9fe8..3f1a7b0 100644
+--- a/policy/modules/contrib/alsa.te
++++ b/policy/modules/contrib/alsa.te
+@@ -82,12 +82,14 @@ corecmd_exec_bin(alsa_t)
+ 
+ dev_getattr_fs(alsa_t)
+ dev_read_sound(alsa_t)
+-dev_read_sysfs(alsa_t)
++dev_rw_sysfs(alsa_t)
+ dev_read_urand(alsa_t)
+ dev_write_sound(alsa_t)
+ 
+ files_search_var_lib(alsa_t)
+ 
++modutils_domtrans_kmod(alsa_t)
++
+ term_dontaudit_use_console(alsa_t)
+ term_dontaudit_use_generic_ptys(alsa_t)
+ term_dontaudit_use_all_ptys(alsa_t)
+-- 
+1.8.3.1
+

backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch

@@ -0,0 +1,33 @@
+From d5b75d954771da98c36fb7af90e24a14fb01c184 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 31 Jan 2022 12:47:23 +0100
+Subject: [PATCH] Allow alsactl set group Process ID of a process
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d5b75d954771da98c36fb7af90e24a14fb01c184
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1624169904.74:1152): avc:  denied  { setpgid } for  pid=115535 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#1974051
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/alsa.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
+index 97f3815..aee9fe8 100644
+--- a/policy/modules/contrib/alsa.te
++++ b/policy/modules/contrib/alsa.te
+@@ -43,7 +43,7 @@ systemd_unit_file(alsa_unit_file_t)
+ 
+ allow alsa_t self:capability { dac_read_search  setgid setuid ipc_owner sys_nice };
+ dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+-allow alsa_t self:process { getsched setsched signal_perms };
++allow alsa_t self:process { getsched setpgid setsched signal_perms };
+ allow alsa_t self:sem create_sem_perms;
+ allow alsa_t self:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket { accept listen };
+-- 
+1.8.3.1
+

backport-Allow-confined-sysadmin-to-use-tool-vipw.patch

@@ -0,0 +1,46 @@
+From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Fri, 4 Feb 2022 12:04:16 +0100
+Subject: [PATCH] Allow confined sysadmin to use tool vipw
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e
+Conflict: NA
+
+Allow confined sysadmin to use vipw and vigr, which edits passwd,
+shadow, group, gshadow.. Dontaudit manage files and dir labeled
+with admin_home_t. Also vipw need to use sss_cache tool.
+Allow domain transition from sysadm_passwd_t to sssd_exec_t.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/usermanage.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index a67fcc4..8fdbfbc 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t)
+ logging_send_syslog_msg(sysadm_passwd_t)
+ 
+ userdom_use_unpriv_users_fds(sysadm_passwd_t)
++userdom_dontaudit_manage_admin_dir(sysadm_passwd_t)
++userdom_dontaudit_manage_admin_files(sysadm_passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+@@ -509,6 +511,10 @@ optional_policy(`
+ 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+ 
++optional_policy(`
++	sssd_domtrans(sysadm_passwd_t)
++')
++
+ ########################################
+ #
+ # Useradd local policy
+-- 
+1.8.3.1
+

backport-Allow-init-delete-generic-tmp-named-pipes.patch

@@ -0,0 +1,64 @@
+From da5328319db49846fb698d262c13f06230091bfb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 28 Jan 2022 19:01:45 +0100
+Subject: [PATCH] Allow init delete generic tmp named pipes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/da5328319db49846fb698d262c13f06230091bfb
+Conflict: NA
+
+The files_delete_tmp_pipes() interface was added.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1628676879.222:1003): avc:  denied  { unlink } for  pid=1 comm="systemd" name="controller_log_37116" dev="tmpfs" ino=1235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
+
+Resolves: rhbz#1992562
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te  |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index bca6f15..53e463c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -6153,6 +6153,24 @@ interface(`files_delete_tmp_sockets',`
+ 
+ ########################################
+ ## <summary>
++##	Delete generic tmp named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_tmp_pipes',`
++       gen_require(`
++		type tmp_t;
++       ')
++
++       delete_fifo_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## <summary>
+ ##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index a81f5da..09a6925 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -648,6 +648,7 @@ files_read_kernel_modules(init_t)
+ files_map_kernel_modules(init_t)
+ files_dontaudit_mounton_isid(init_t)
+ files_delete_tmp_files(init_t)
++files_delete_tmp_pipes(init_t)
+ files_delete_tmp_sockets(init_t)
+ fs_getattr_all_fs(init_t)
+ fs_manage_cgroup_dirs(init_t)
+-- 
+1.8.3.1
+

backport-Allow-init-read-stratis-data-symlinks.patch

@@ -0,0 +1,63 @@
+From a27476b303259a43324be8533ddba68e7a6dd37e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 2 Feb 2022 16:21:01 +0100
+Subject: [PATCH] Allow init read stratis data symlinks
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a27476b303259a43324be8533ddba68e7a6dd37e
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(02/02/22 09:39:31.790:2813) : avc:  denied  { read } for  pid=1 comm=systemd name=fs1 dev="devtmpfs" ino=363096 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
+
+Resolves: rhbz#2048514
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/stratisd.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te      |  4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/stratisd.if b/policy/modules/contrib/stratisd.if
+index de2427e..32e7e66 100644
+--- a/policy/modules/contrib/stratisd.if
++++ b/policy/modules/contrib/stratisd.if
+@@ -115,3 +115,21 @@ interface(`stratisd_admin',`
+ 		systemd_read_fifo_file_passwd_run($1)
+ 	')
+ ')
++
++########################################
++## <summary>
++##	Read stratisd data symlinks
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`stratisd_data_read_lnk_files',`
++	gen_require(`
++		type stratisd_data_t;
++	')
++
++	allow $1 stratisd_data_t:lnk_file read_lnk_file_perms;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 09a6925..033f189 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -839,6 +839,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	stratisd_data_read_lnk_files(init_t)
++')
++
++optional_policy(`
+ 	systemd_filetrans_named_content(init_t)
+     systemd_write_inhibit_pipes(init_t)
+ ')
+-- 
+1.8.3.1
+

backport-Allow-iptables-list-cgroup-directories.patch

@@ -0,0 +1,33 @@
+From 72f789dd7c218919a18dd7130d37e92e7a92b994 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 16 Feb 2022 17:40:40 +0100
+Subject: [PATCH] Allow iptables list cgroup directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72f789dd7c218919a18dd7130d37e92e7a92b994
+Conflict: NA
+
+Addresses the following AVC denial:
+[ 1591.423033] audit: type=1400 audit(1632734301.322:867): avc:  denied  { ioctl } for  pid=11021 comm="iptables" path="/sys/fs/cgroup" dev="tmpfs" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2008097
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/iptables.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
+index 495ee29..3374bff 100644
+--- a/policy/modules/system/iptables.te
++++ b/policy/modules/system/iptables.te
+@@ -51,6 +51,8 @@ files_manage_system_conf_files(iptables_t)
+ files_etc_filetrans_system_conf(iptables_t)
+ files_etc_filetrans(iptables_t, system_conf_t, dir)
+ 
++fs_list_cgroup_dirs(iptables_t)
++
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+ 
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-map-var-lib-directories.patch

@@ -0,0 +1,34 @@
+From 2a15cfd1d0705acd84d18f3cdc669cc24ed7492f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 9 Feb 2022 21:59:23 +0100
+Subject: [PATCH] Allow login_userdomain map /var/lib/directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2a15cfd1d0705acd84d18f3cdc669cc24ed7492f
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:26:39.579:1065) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=MMAP msg=audit(02/09/22 21:26:39.579:1065) : fd=57 flags=MAP_PRIVATE
+type=SYSCALL msg=audit(02/09/22 21:26:39.579:1065) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x16630 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:26:39.579:1065) : avc:  denied  { map } for  pid=2148 comm=pool-org.gnome. path=/var/lib/flatpak/repo/objects/2f/e0503898de4e28a3382ba6d7ecdc0376cabaea9e838991464eb821c46b7ff3.dirtree dev="vda2" ino=387029 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 32d69b4..69b460f 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -386,6 +386,7 @@ tunable_policy(`deny_bluetooth',`',`
+ 
+ dev_watch_generic_dirs(login_userdomain)
+ 
++files_map_var_lib_files(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
+ files_watch_system_conf_dirs(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-read-systemd-runtime-files.patch

@@ -0,0 +1,35 @@
+From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 9 Feb 2022 21:30:24 +0100
+Subject: [PATCH] Allow login_userdomain read systemd runtime files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user
+type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/
+type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc:  denied  { read } for  pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index bcb3043..f1f68f7 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain)
+ 
+ optional_policy(`
+ 	init_mmap_read_var_lib_files(login_userdomain)
++	init_read_pid_files(login_userdomain)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch

@@ -0,0 +1,37 @@
+From 6d6afe09b0fd44f074e545d9642b0cc66264486e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 9 Feb 2022 21:54:36 +0100
+Subject: [PATCH] Allow login_userdomain watch library and fonts dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d6afe09b0fd44f074e545d9642b0cc66264486e
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:48:51.576:15952) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=PATH msg=audit(02/09/22 21:48:51.576:15952) : item=0 name=/usr/lib64/gnome-software/plugins-16 inode=31777 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:48:51.576:15952) : cwd=/home/staff
+type=SYSCALL msg=audit(02/09/22 21:48:51.576:15952) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414dd770 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:48:51.576:15952) : avc:  denied  { watch } for  pid=2148 comm=gmain path=/usr/lib64/gnome-software/plugins-16 dev="vda2" ino=31777 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index a833ada..32d69b4 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -398,6 +398,9 @@ files_watch_generic_tmp_dirs(login_userdomain)
+ fs_create_cgroup_files(login_userdomain)
+ fs_watch_cgroup_files(login_userdomain)
+ 
++libs_watch_lib_dirs(login_userdomain)
++
++miscfiles_watch_fonts_dirs(login_userdomain)
+ miscfiles_watch_localization_dirs(login_userdomain)
+ miscfiles_watch_localization_symlinks(login_userdomain)
+ 
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-system-configuration-di.patch

@@ -0,0 +1,69 @@
+From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 9 Feb 2022 21:52:01 +0100
+Subject: [PATCH] Allow login_userdomain watch system configuration dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1
+Conflict: NA
+
+The files_watch_system_conf_dirs() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff
+type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc:  denied  { watch } for  pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/files.if      | 19 +++++++++++++++++++
+ policy/modules/system/userdomain.te |  1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 53e463c..b375a7e 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',`
+     read_lnk_files_pattern($1, etc_t, system_conf_t)
+ ')
+ 
++#######################################
++## <summary>
++##	Watch manageable system configuration dirs in /etc
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_watch_system_conf_dirs',`
++	gen_require(`
++		type etc_t, system_conf_t;
++	')
++
++	files_search_etc($1)
++	watch_dirs_pattern($1, system_conf_t, system_conf_t)
++')
++
+ ######################################
+ ## <summary>
+ ##  Manage manageable system configuration files in /etc.
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index f1f68f7..a833ada 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain)
+ 
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
++files_watch_system_conf_dirs(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
+ files_watch_usr_files(login_userdomain)
+ files_watch_var_lib_dirs(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch

@@ -0,0 +1,35 @@
+From b909895c58d7709343e59e24f115d5ede1f46944 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 14 Jan 2022 17:16:43 +0100
+Subject: [PATCH] Allow login_userdomain watch systemd-machined PID directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b909895c58d7709343e59e24f115d5ede1f46944
+Conflict: NA
+
+Addresses the following AVC denial:
+-
+type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:393) : proctitle=/usr/bin/wireplumber
+type=PATH msg=audit(3.1.2022 08:48:02.005:393) : item=0 name=/run/systemd/machines/ inode=75 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_machined_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 08:48:02.005:393) : arch=x86_64 syscall=inotify_add_watch success=yes exit=4 a0=0x11 a1=0x7f214c69d052 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 08:48:02.005:393) : avc:  denied  { watch } for  pid=2305 comm=wireplumber path=/run/systemd/machines dev="tmpfs" ino=75 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 5643687..573ad14 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -434,6 +434,7 @@ optional_policy(`
+ optional_policy(`
+ 	systemd_login_watch_pid_dirs(login_userdomain)
+ 	systemd_login_watch_session_dirs(login_userdomain)
++	systemd_machined_watch_pid_dirs(login_userdomain)
+ ')
+ 
+ ############################################################
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch

@@ -0,0 +1,37 @@
+From d0f957291c4282f74b675e476ccd64d074178e7b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 18 Jan 2022 08:54:45 +0100
+Subject: [PATCH] Allow login_userdomain write to session_dbusd tmp socket
+ files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0f957291c4282f74b675e476ccd64d074178e7b
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/17/2022 18:06:43.240:4086) : proctitle=/usr/lib/systemd/systemd --user
+type=PATH msg=audit(01/17/2022 18:06:43.240:4086) : item=0 name=/proc/self/fd/27 inode=15 dev=00:34 mode=socket,666 ouid=user31979 ogid=user31979 rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(01/17/2022 18:06:43.240:4086) : cwd=/
+type=SYSCALL msg=audit(01/17/2022 18:06:43.240:4086) : arch=x86_64 syscall=utimensat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd627865d0 a2=0x0 a3=0x0 items=1 ppid=1 pid=97102 auid=user31979 uid=user31979 gid=user31979 euid=user31979 suid=user31979 fsuid=user31979 egid=user31979 sgid=user31979 fsgid=user31979 tty=(none) ses=19 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(01/17/2022 18:06:43.240:4086) : avc:  denied  { write } for  pid=97102 comm=systemd name=bus dev="tmpfs" ino=15 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 573ad14..33557e4 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -414,6 +414,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	dbus_create_session_tmp_sock_files(login_userdomain)
++	dbus_write_session_tmp_sock_files(login_userdomain)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch

@@ -0,0 +1,35 @@
+From 5269978ad17fff8988f94a2327fa750e5d70c14d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 2 Feb 2022 11:29:39 +0100
+Subject: [PATCH] Allow sanlock get attributes of filesystems with extended
+ attributes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5269978ad17fff8988f94a2327fa750e5d70c14d
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(01/28/2022 09:41:01.094:1832) : proctitle=/usr/sbin/sanlock daemon
+type=AVC msg=audit(01/28/2022 09:41:01.094:1832) : avc:  denied  { getattr } for  pid=37165 comm=sanlock name=/ dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
+type=SYSCALL msg=audit(01/28/2022 09:41:01.094:1832) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fdade30b49d a1=0x7ffeeeb41a70 a2=0x49 a3=0x1000 items=0 ppid=1 pid=37165 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
+
+Resolves: rhbz#2047811
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/sanlock.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
+index 04bd655..914062b 100644
+--- a/policy/modules/contrib/sanlock.te
++++ b/policy/modules/contrib/sanlock.te
+@@ -96,6 +96,7 @@ domain_use_interactive_fds(sanlock_t)
+ files_read_mnt_symlinks(sanlock_t)
+ 
+ fs_getattr_cgroup(sanlock_t)
++fs_getattr_xattr_fs(sanlock_t)
+ fs_rw_cephfs_files(sanlock_t)
+ 
+ storage_raw_rw_fixed_disk(sanlock_t)
+-- 
+1.8.3.1
+

backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch

@@ -0,0 +1,77 @@
+From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Thu, 10 Feb 2022 11:46:13 +0100
+Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5
+Conflict: NA
+
+Vigr mechanism of editing group and passwd
+files work on principle of recreating the current
+file with new changes. Due to this mechanism is
+need to again relabel file with selinux label.
+Creating interface allowing relabel to the passwd_file_t
+type. Allow relabeling for sysadm_passwd_t domain.
+Allow dac_override permission for sysadm_passwd_t type.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/admin/usermanage.te |  3 ++-
+ policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 8fdbfbc..155fb68 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -433,7 +433,7 @@ optional_policy(`
+ # Password admin local policy
+ #
+ 
+-allow sysadm_passwd_t self:capability { chown dac_read_search  fsetid setuid setgid sys_resource };
++allow sysadm_passwd_t self:capability { chown dac_override dac_read_search  fsetid setuid setgid sys_resource };
+ allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sysadm_passwd_t self:process { setrlimit setfscreate };
+ allow sysadm_passwd_t self:fd use;
+@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t)
+ auth_manage_passwd(sysadm_passwd_t)
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
++auth_relabelto_passwd_files(sysadm_passwd_t)
+ auth_etc_filetrans_shadow(sysadm_passwd_t)
+ auth_use_nsswitch(sysadm_passwd_t)
+ 
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index ad55205..b5b3702 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',`
+ 
+ #######################################
+ ## <summary>
++##	Relabel to the
++##	password file type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_relabelto_passwd_files',`
++	gen_require(`
++		type passwd_file_t;
++	')
++
++	files_search_etc($1)
++	allow $1 passwd_file_t:file relabelto;
++')
++
++#######################################
++## <summary>
+ ##	Append to the login failure log.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch

@@ -10,27 +10,57 @@ The dbus_delete_session_tmp_sock_files() interface was added.
 
 Addresses the following AVC denial:
 
-type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1001
-type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x560b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
-type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc:  denied  { unlink } for  pid=26510 comm=systemd-user-ru name=bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
+type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 100
+1
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogi
+d=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_
+fver=0 cap_frootid=0
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staf
+f rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_froo
+tid=0
+type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x56
+0b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=
+root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir su
+bj=system_u:system_r:systemd_logind_t:s0 key=(null)
+type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc:  denied  { unlink } for  pid=26510 comm=systemd-user-ru name=
+bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:
+s0 tclass=sock_file permissive=1
 
 Resolves: rhbz#2039671
 Signed-off-by: lujie54 <lujie54@huawei.com>
 ---
- policy/modules/contrib/dbus.if   | 18 ++++++++++++++++++
+ policy/modules/contrib/dbus.if   | 36 ++++++++++++++++++++++++++++++++++++
  policy/modules/system/systemd.te |  1 +
- 2 files changed, 19 insertions(+)
+ 2 files changed, 37 insertions(+)
 
 diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
-index 71c77a0..e04af61 100644
+index 6f923ad..70e7bcd 100644
 --- a/policy/modules/contrib/dbus.if
 +++ b/policy/modules/contrib/dbus.if
-@@ -883,6 +883,24 @@ interface(`dbus_write_session_tmp_sock_files',`
+@@ -863,6 +863,42 @@ interface(`dbus_manage_session_tmp_dirs',`
+ 	manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ ')
  
- ########################################
- ## <summary>
++######################################
++## <summary>
++##      Write to session_dbusd tmp socket files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dbus_write_session_tmp_sock_files',`
++	gen_require(`
++		type session_dbusd_tmp_t;
++	')
++
++	write_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
++')
++
++########################################
++## <summary>
 +##      Delete session_dbusd tmp socket files.
 +## </summary>
 +## <param name="domain">
@@ -47,16 +77,14 @@ index 71c77a0..e04af61 100644
 +	delete_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
  ## Allow systemctl dbus services
- ## </summary>
- ## <param name="domain">
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 43fffdc..edd4354 100644
+index a62f1fe..2b54d0b 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -364,6 +364,7 @@ optional_policy(`
+@@ -363,6 +363,7 @@ optional_policy(`
  optional_policy(`
  	dbus_connect_system_bus(systemd_logind_t)
  	dbus_system_bus_client(systemd_logind_t)

backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch

@@ -0,0 +1,30 @@
+From 2bd78f27bb7a806bf89070c31e4f813b61f1155e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 14 Feb 2022 10:51:06 +0100
+Subject: [PATCH] Allow systemd-networkd create and use netlink netfilter
+ socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2bd78f27bb7a806bf89070c31e4f813b61f1155e
+Conflict: NA
+
+Resolves: rhbz#2054006
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 2d8db7e..476e2d3 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -490,6 +490,7 @@ allow systemd_networkd_t self:process { getcap setcap };
+ 
+ allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
++allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
+ allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+ allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+ allow systemd_networkd_t self:packet_socket create_socket_perms;
+-- 
+1.8.3.1
+

backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch

@@ -0,0 +1,114 @@
+From 569208d534e1a53d75b187ec44ecda856ee6139c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 26 Jan 2022 14:41:59 +0100
+Subject: [PATCH] Allow systemd services watch dbusd pid directory and its
+ parents
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/569208d534e1a53d75b187ec44ecda856ee6139c
+Conflict: NA
+
+The following services were allowed to watch /run/dbus and all its
+parents:
+- systemd-hostnamed
+- systemd-machined
+- systemd-networkd
+- systemd-resolved
+- systemd-timesyncd and systemd-timedated
+
+These permissions are required when the services start earlier than
+dbus-broker manages to establish the socket communication, e. g. after
+
+  $ systemctl disable NetworkManager && systemctl enable systemd-networkd
+
+The dbus_watch_pid_dir_path() interface was added. The redundant
+dbus_watch_pid_dirs() calls were removed.
+
+Resolves: rhbz#2031668
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.if   | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te |  7 +++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
+index deb6f10..7ec03b1 100644
+--- a/policy/modules/contrib/dbus.if
++++ b/policy/modules/contrib/dbus.if
+@@ -606,6 +606,27 @@ interface(`dbus_watch_pid_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Watch system dbusd pid directory and all its parents
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dbus_watch_pid_dir_path',`
++	gen_require(`
++		type system_dbusd_var_run_t;
++	')
++
++	files_watch_root_dirs($1)
++	files_watch_var_run_dirs($1)
++	files_search_pids($1)
++	allow $1 system_dbusd_var_run_t:dir watch_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write system dbus tmp socket files.
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index ea2b27e..2d8db7e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -458,6 +458,7 @@ getty_start_services(systemd_machined_t)
+ optional_policy(`
+ 	dbus_connect_system_bus(systemd_machined_t)
+ 	dbus_system_bus_client(systemd_machined_t)
++	dbus_watch_pid_dir_path(systemd_machined_t)
+ ')
+ 
+ optional_policy(`
+@@ -536,6 +537,7 @@ init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "net
+ optional_policy(`
+     dbus_system_bus_client(systemd_networkd_t)
+     dbus_connect_system_bus(systemd_networkd_t)
++	dbus_watch_pid_dir_path(systemd_networkd_t)
+     dbus_read_pid_files(systemd_networkd_t)
+     dbus_read_pid_sock_files(systemd_networkd_t)
+     systemd_dbus_chat_logind(systemd_networkd_t)
+@@ -862,6 +864,7 @@ userdom_dbus_send_all_users(systemd_hostnamed_t)
+ optional_policy(`
+         dbus_system_bus_client(systemd_hostnamed_t)
+         dbus_connect_system_bus(systemd_hostnamed_t)
++	dbus_watch_pid_dir_path(systemd_hostnamed_t)
+ ')
+ 
+ optional_policy(`
+@@ -978,7 +981,7 @@ optional_policy(`
+         dbus_system_bus_client(systemd_timedated_t)
+         dbus_connect_system_bus(systemd_timedated_t)
+         dbus_read_pid_sock_files(systemd_timedated_t)
+-	dbus_watch_pid_dirs(systemd_timedated_t)
++	dbus_watch_pid_dir_path(systemd_timedated_t)
+ 	dbus_watch_pid_sock_files(systemd_timedated_t)
+ ')
+ 
+@@ -1168,8 +1171,8 @@ optional_policy(`
+ 	dbus_connect_system_bus(systemd_resolved_t)
+     dbus_read_pid_files(systemd_resolved_t)
+     dbus_read_pid_sock_files(systemd_resolved_t)
++	dbus_watch_pid_dir_path(systemd_resolved_t)
+ 	dbus_watch_pid_sock_files(systemd_resolved_t)
+-	dbus_watch_pid_dirs(systemd_resolved_t)
+     systemd_dbus_chat_logind(systemd_resolved_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-timedatex-dbus-chat-with-xdm.patch

@@ -0,0 +1,36 @@
+From 40a8223b142eb3ed9d63869b5dc447b0ede4ebf3 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 28 Jan 2022 17:04:07 +0100
+Subject: [PATCH] Allow timedatex dbus chat with xdm
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/40a8223b142eb3ed9d63869b5dc447b0ede4ebf3
+Conflict: NA
+
+Addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(1642064568.655:164): pid=942 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=:1.201 spid=6469 tpid=6505 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
+
+Resolves: rhbz#2040214
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/timedatex.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te
+index 003c4c3..3a2e4db 100644
+--- a/policy/modules/contrib/timedatex.te
++++ b/policy/modules/contrib/timedatex.te
+@@ -57,6 +57,10 @@ optional_policy(`
+     init_dbus_chat(timedatex_t)
+ 
+     policykit_dbus_chat(timedatex_t)
++
++	optional_policy(`
++		xserver_dbus_chat_xdm(timedatex_t)
++	')
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch

@@ -0,0 +1,32 @@
+From d9bf0729b58d4e3c0c66015961013c1cb64c4a24 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 20 Jan 2022 17:15:18 +0100
+Subject: [PATCH] Allow tumblerd write to session_dbusd tmp socket files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d9bf0729b58d4e3c0c66015961013c1cb64c4a24
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1642635456.954:3314): avc:  denied  { write } for  pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
+
+Resolves: rhbz#2042696
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/thumb.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/thumb.te b/policy/modules/contrib/thumb.te
+index 0444a36..27eb72c 100644
+--- a/policy/modules/contrib/thumb.te
++++ b/policy/modules/contrib/thumb.te
+@@ -146,6 +146,7 @@ optional_policy(`
+ 	dbus_stream_connect_session_bus(thumb_t)
+ 	dbus_chat_session_bus(thumb_t)
+ 	dbus_system_bus_client(thumb_t)
++	dbus_write_session_tmp_sock_files(thumb_t)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch

@@ -0,0 +1,31 @@
+From d251c0553ecc432f0aa8a6769e76795902b9ebcd Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 8 Feb 2022 18:33:51 +0100
+Subject: [PATCH] Update chronyd_pid_filetrans() to allow create dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d251c0553ecc432f0aa8a6769e76795902b9ebcd
+Conflict: NA
+
+The chronyd_pid_filetrans() interface was updated so that the caller
+domain is now allowed to create the /run/chrony-dhcp directory.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/chronyd.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
+index 3d47264..cad4d31 100644
+--- a/policy/modules/contrib/chronyd.if
++++ b/policy/modules/contrib/chronyd.if
+@@ -252,6 +252,7 @@ interface(`chronyd_pid_filetrans',`
+                 type chronyd_var_run_t;
+         ')
+ 
++	create_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+         files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
+ ')
+ 
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 9
+Release: 10
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -112,6 +112,28 @@ Patch6044: backport-Allow-login_userdomain-watch-various-files-and-dirs.patch
 Patch6045: backport-Allow-login_userdomain-watch-localization-directorie.patch
 Patch6046: backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch
 Patch6047: backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch
+Patch6048: backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch
+Patch6049: backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch
+Patch6050: backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch
+Patch6051: backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch
+Patch6052: backport-Allow-timedatex-dbus-chat-with-xdm.patch
+Patch6053: backport-Allow-init-delete-generic-tmp-named-pipes.patch
+Patch6054: backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch
+Patch6055: backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch
+Patch6056: backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch
+Patch6057: backport-Allow-init-read-stratis-data-symlinks.patch
+Patch6058: backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch
+Patch6059: backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch
+Patch6060: backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch
+Patch6061: backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch
+Patch6062: backport-Allow-login_userdomain-read-systemd-runtime-files.patch
+Patch6063: backport-Allow-login_userdomain-watch-system-configuration-di.patch
+Patch6064: backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch
+Patch6065: backport-Allow-login_userdomain-map-var-lib-directories.patch
+Patch6066: backport-Allow-confined-sysadmin-to-use-tool-vipw.patch
+Patch6067: backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch
+Patch6068: backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch
+Patch6069: backport-Allow-iptables-list-cgroup-directories.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -782,6 +804,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-10
+- backport upstream patches
+
 * Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-9
 - backport upstream patches