!175 update upstream patches

From: @lujie42 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Add-systemd_getattr_generic_unit_files-interface.patch

@@ -0,0 +1,45 @@
+From 9010f07e78944ccab50bcf3bf2640f6aad3cc8cb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 30 Mar 2022 21:29:47 +0200
+Subject: [PATCH] Add systemd_getattr_generic_unit_files() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9010f07e78944ccab50bcf3bf2640f6aad3cc8cb
+Conflict: NA
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 351438c..5567da7 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -1597,6 +1597,24 @@ interface(`systemd_unit_file_filetrans',`
+ 
+ #######################################
+ ## <summary>
++##	Get attributes of generic systemd unit files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_getattr_generic_unit_files',`
++	gen_require(`
++		type systemd_unit_file_t;
++	')
++
++	getattr_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++#######################################
++## <summary>
+ ##  Create a directory in the /usr/lib/systemd/system directory.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

backport-Add-the-corecmd_watch_bin_dirs-interface.patch

@@ -0,0 +1,48 @@
+From 88072fd293ddd3e83c0625199d6f0561dcad99d7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 8 Apr 2022 11:48:14 +0200
+Subject: [PATCH] Add the corecmd_watch_bin_dirs() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/88072fd293ddd3e83c0625199d6f0561dcad99d7
+Conflict: NA
+
+Note the bin_t type is also used as a default type for files
+in /usr/libexec and some additional paths.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
+index 70b6b35..d88c5c0 100644
+--- a/policy/modules/kernel/corecommands.if
++++ b/policy/modules/kernel/corecommands.if
+@@ -201,6 +201,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Watch bin directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corecmd_watch_bin_dirs',`
++	gen_require(`
++		type bin_t;
++	')
++
++	allow $1 bin_t:dir watch_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of files in bin directories.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

backport-Add-the-init_append_stream_sockets-interface.patch

@@ -0,0 +1,46 @@
+From 4536c1c32c0ed377b1c31aab18819dfb1a46b91e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 1 Apr 2022 19:21:10 +0200
+Subject: [PATCH] Add the init_append_stream_sockets() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4536c1c32c0ed377b1c31aab18819dfb1a46b91e
+Conflict: NA
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/init.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 7bd438e..4b3bb59 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -2789,6 +2789,25 @@ interface(`init_rw_stream_sockets',`
+ 	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Allow the specified domain to append to
++##	init unix domain stream sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_append_stream_sockets',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:unix_stream_socket append;
++')
++
+ #######################################
+ ## <summary>
+ ##  Allow the specified domain to write to
+-- 
+1.8.3.1
+

backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch

@@ -0,0 +1,61 @@
+From 05e940f535497768c2b4a8c37365b5b5156eda75 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 25 Feb 2022 14:16:52 +0100
+Subject: [PATCH] Allow chronyd send a message to sosreport over datagram
+ socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/05e940f535497768c2b4a8c37365b5b5156eda75
+Conflict: NA
+
+The sosreport_dgram_send() interface was added.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/chronyd.te   |  4 ++++
+ policy/modules/contrib/sosreport.if | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 8da80de..142139d 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -175,6 +175,10 @@ optional_policy(`
+     rolekit_dgram_send(chronyd_t)
+ ')
+ 
++optional_policy(`
++	sosreport_dgram_send(chronyd_t)
++')
++
+ ########################################
+ #
+ # Local policy
+diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
+index c5fbb7a..44b13a8 100644
+--- a/policy/modules/contrib/sosreport.if
++++ b/policy/modules/contrib/sosreport.if
+@@ -166,3 +166,21 @@ interface(`sosreport_dbus_chat',`
+         allow $1 sosreport_t:dbus send_msg;
+         allow sosreport_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++##	Send a message to sosreport over the datagram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sosreport_dgram_send',`
++	gen_require(`
++		type sosreport_t;
++	')
++
++	allow $1 sosreport_t:unix_dgram_socket sendto;
++')
+-- 
+1.8.3.1
+

backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch

@@ -0,0 +1,47 @@
+From bd3f86ee9fbae47287d63c496ba936348627122b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 31 Mar 2022 10:55:05 +0200
+Subject: [PATCH] Allow chronyd talk with unconfined user over unix domain
+ dgram socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bd3f86ee9fbae47287d63c496ba936348627122b
+Conflict: NA
+
+This permission is required by applications which use the unix datagram
+socket to communicate with chronyd directly, e.g. for monitoring
+purposes. The other direction of communication is allowed by a rule for
+unconfined_domain_type.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(03/17/2022 12:11:19.881:312) : proctitle=/usr/sbin/chronyd
+type=PATH msg=audit(03/17/2022 12:11:19.881:312) : item=0 name=/run/chrony/chronyc.sock inode=39486 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(03/17/2022 12:11:19.881:312) : cwd=/
+type=SOCKADDR msg=audit(03/17/2022 12:11:19.881:312) : saddr={ saddr_fam=local path=/run/chrony/chronyc.sock }
+type=SYSCALL msg=audit(03/17/2022 12:11:19.881:312) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffeef72f20 a2=0x0 a3=0x0 items=1 ppid=1 pid=680 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
+type=AVC msg=audit(03/17/2022 12:11:19.881:312) : avc:  denied  { sendto } for  pid=680 comm=chronyd path=/run/chrony/chronyc.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
+
+Resolves: rhbz#2065313
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 142139d..342735b 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -179,6 +179,10 @@ optional_policy(`
+ 	sosreport_dgram_send(chronyd_t)
+ ')
+ 
++optional_policy(`
++	unconfined_dgram_send(chronyd_t)
++')
++
+ ########################################
+ #
+ # Local policy
+-- 
+1.8.3.1
+

backport-Allow-init-watch-and-watch_reads-user-ttys.patch

@@ -0,0 +1,81 @@
+From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 1 Mar 2022 20:20:25 +0100
+Subject: [PATCH] Allow init watch and watch_reads user ttys
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
+Conflict: NA
+
+The term_watch_user_ttys() and term_watch_reads_user_ttys()
+interfaces were added.
+
+Resolves: rhbz#2058823
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
+ policy/modules/system/init.te     |  2 ++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index b058850..615d215 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ 	term_dontaudit_use_all_ttys($1)
+ ')
+ 
++########################################
++## <summary>
++##	Watch user tty device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_watch_user_ttys',`
++	gen_require(`
++		type user_tty_device_t;
++	')
++
++	allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Watch_reads user tty device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_watch_reads_user_ttys',`
++	gen_require(`
++		type user_tty_device_t;
++	')
++
++	allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
++')
++
+ ####################################
+ ## <summary>
+ ##      Getattr on the virtio console.
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 033f189..a838cdd 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
+ term_watch_reads_console_dev(init_t)
+ term_watch_unallocated_ttys(init_t)
+ term_watch_reads_unallocated_ttys(init_t)
++term_watch_user_ttys(init_t)
++term_watch_reads_user_ttys(init_t)
+ 
+ # Run init scripts.
+ init_domtrans_script(init_t)
+-- 
+1.8.3.1
+

backport-Allow-keepalived-setsched-and-sys_nice.patch

@@ -0,0 +1,42 @@
+From 7342ec730a9702ec4ba42d6b57c56bc3be82e12b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 12 Apr 2022 19:00:54 +0200
+Subject: [PATCH] Allow keepalived setsched and sys_nice
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7342ec730a9702ec4ba42d6b57c56bc3be82e12b
+Conflict: NA
+
+These permissions are particularly required on high load systems
+when a keepalived child process may request to use more cpu resouces.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(04/12/22 05:56:21.085:38) : proctitle=/usr/sbin/keepalived -D
+type=SYSCALL msg=audit(04/12/22 05:56:21.085:38) : arch=x86_64 syscall=sched_setscheduler success=no exit=EPERM(Operation not permitted) a0=0x41c a1=SCHED_RR|SCHED_RESET_ON_FORK a2=0x7fff2554107c a3=0x0 items=0 ppid=1051 pid=1052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc:  denied  { setsched } for  pid=1052 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1
+type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc:  denied  { sys_nice } for  pid=1052 comm=keepalived capability=sys_nice  scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1
+
+Resolves: rhbz#2008033
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/keepalived.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 831ada9..89bc0d6 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -37,8 +37,8 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ # keepalived local policy
+ #
+ 
+-allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_ptrace };
+-allow keepalived_t self:process { signal_perms getpgid setpgid };
++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
++allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
+ allow keepalived_t self:netlink_generic_socket create_socket_perms;
+-- 
+1.8.3.1
+

backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch

@@ -0,0 +1,29 @@
+From dd7761e72c40b6d826a760ea9167ca17dec8c546 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 8 Apr 2022 14:10:08 +0200
+Subject: [PATCH] Allow pcscd the sys_ptrace userns capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dd7761e72c40b6d826a760ea9167ca17dec8c546
+Conflict: NA
+
+Resolves: rhbz#2073169
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/pcscd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
+index 1fdd845..d0d83da 100644
+--- a/policy/modules/contrib/pcscd.te
++++ b/policy/modules/contrib/pcscd.te
+@@ -24,6 +24,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ allow pcscd_t self:capability {  dac_read_search fsetid };
+ dontaudit pcscd_t self:capability { sys_admin };
+ allow pcscd_t self:capability2 { wake_alarm };
++allow pcscd_t self:cap_userns sys_ptrace;
+ allow pcscd_t self:process { signal signull };
+ dontaudit pcscd_t self:process setsched;
+ allow pcscd_t self:fifo_file rw_fifo_file_perms;
+-- 
+1.8.3.1
+

backport-Allow-pppd-create-a-file-in-the-locks-directory.patch

@@ -0,0 +1,33 @@
+From 699f4dcf2a9b39a02427bd859c91c625e11998a6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 8 Apr 2022 15:50:13 +0200
+Subject: [PATCH] Allow pppd create a file in the locks directory
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/699f4dcf2a9b39a02427bd859c91c625e11998a6
+Conflict: NA
+
+So far, a rule for creating a private lock dir was defined in the
+policy. Since this commit there is also a rule for a plain file.
+
+Resolves: rhbz#2022902
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/ppp.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
+index c2da84b..9b08134 100644
+--- a/policy/modules/contrib/ppp.te
++++ b/policy/modules/contrib/ppp.te
+@@ -106,7 +106,7 @@ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+ filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+ 
+ manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+-files_lock_filetrans(pppd_t, pppd_lock_t, dir)
++files_lock_filetrans(pppd_t, pppd_lock_t, { dir file })
+ files_search_locks(pppd_t)
+ 
+ manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
+-- 
+1.8.3.1
+

backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch

@@ -0,0 +1,36 @@
+From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 3 Mar 2022 16:57:41 +0100
+Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9
+Conflict: NA
+
+The rngd service starts as root to be able to access some resources
+like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid
+and rgid/egid/sgid.
+
+Resolves: rhbz#2058914
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rngd.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
+index 316d210..ca8c996 100644
+--- a/policy/modules/contrib/rngd.te
++++ b/policy/modules/contrib/rngd.te
+@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t)
+ # Local policy
+ #
+ 
+-allow rngd_t self:capability { ipc_lock sys_admin };
+-allow rngd_t self:process { setsched signal };
++allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
++allow rngd_t self:process { setcap setsched signal };
+ allow rngd_t self:fifo_file rw_fifo_file_perms;
+ allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow rngd_t self:unix_stream_socket { accept listen };
+-- 
+1.8.3.1
+

backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch

@@ -0,0 +1,36 @@
+From d99577b16e8be3de46528fa81133efd2dd40b7c5 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 14 Mar 2022 12:51:49 +0100
+Subject: [PATCH] Allow rpmdb create directory in /usr/lib/sysimage
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d99577b16e8be3de46528fa81133efd2dd40b7c5
+Conflict: NA
+
+With the 5f69c12c67d (Support /usr/lib/sysimage/rpm as the rpmdb path)
+commit, the policy supports relocation of the rpmdb path to
+/usr/lib/sysimage/rpm. The rpm-rebuilddb command needs to have a file
+transition defined for the new path, too, which also needs to be without
+a directory name as the new directory is created as
+/usr/lib/sysimage/rpmrebuilddb.PID.
+
+Resolves: rhbz#2061141
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index b09dfe1..247f1fa 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -265,6 +265,7 @@ allow rpmdb_t rpmdb_tmp_t:file map;
+ 
+ manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+ manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
++files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+ files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+ 
+ manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+-- 
+1.8.3.1
+

backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch

@@ -0,0 +1,93 @@
+From 37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Tue, 22 Feb 2022 09:48:33 +0100
+Subject: [PATCH] Allow sosreport dbus chat abrt systemd timedatex
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef
+Conflict: NA
+
+Create sosreport dbus chat interface.
+
+Allow abrt, systemd and timedatex to dbus chat sosreport
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/abrt.te      |  1 +
+ policy/modules/contrib/sosreport.if | 20 ++++++++++++++++++++
+ policy/modules/contrib/timedatex.te |  5 ++++-
+ policy/modules/system/systemd.te    |  4 ++++
+ 4 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index a68c7fd..02a12df 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -350,6 +350,7 @@ optional_policy(`
+ #')
+ 
+ optional_policy(`
++	sosreport_dbus_chat(abrt_t)
+ 	sosreport_domtrans(abrt_t)
+ 	sosreport_read_tmp_files(abrt_t)
+ 	sosreport_delete_tmp_files(abrt_t)
+diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
+index f6db7a7..c5fbb7a 100644
+--- a/policy/modules/contrib/sosreport.if
++++ b/policy/modules/contrib/sosreport.if
+@@ -146,3 +146,23 @@ interface(`sosreport_signull',`
+ 	allow $1 sosreport_t:process signull;
+ ')
+ 
++########################################
++## <summary>
++##      Send and receive messages from
++##      sosreport over dbus.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sosreport_dbus_chat',`
++        gen_require(`
++                type sosreport_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 sosreport_t:dbus send_msg;
++        allow sosreport_t $1:dbus send_msg;
++')
+diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te
+index 3a2e4db..6a640fa 100644
+--- a/policy/modules/contrib/timedatex.te
++++ b/policy/modules/contrib/timedatex.te
+@@ -64,6 +64,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-    userdom_dbus_send_all_users(timedatex_t)
++    sosreport_dbus_chat(timedatex_t)
+ ')
+ 
++optional_policy(`
++    userdom_dbus_send_all_users(timedatex_t)
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 476e2d3..97cc111 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -545,6 +545,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    sosreport_dbus_chat(systemd_networkd_t)
++')
++
++optional_policy(`
+     udev_read_db(systemd_networkd_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch

@@ -0,0 +1,75 @@
+From b22b33e612363001d74e283e53b04192a51f7c5f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 14 Apr 2022 19:31:18 +0200
+Subject: [PATCH] Allow sssd domtrans to pkcs_slotd_t
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b22b33e612363001d74e283e53b04192a51f7c5f
+Conflict: NA
+
+When sssd is configured to use smart cards login, any authentication
+(e.g. sudo) will raise this AVC meaning smart card login was prevented
+from working:
+
+type=AVC msg=audit(1620803381.118:24793): avc:  denied  { getattr } for  pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
+
+Sudo uses pam to authenticate a user. In pam stack, there is the sssd
+pam module which talks through some IPC to sssd's p11_child.
+This sssd's p11_child loads through p11-kit every pkcs11 module
+installed in the system, which includes the opencryptoki pkcs11 module.
+Opencryptoki pkcs11 module talks through some IPC to pkcsslotd daemon,
+handling the communication with HW devices or soft tokens.
+
+The pkcs_domtrans() interface was added.
+
+Resolves: rhbz#1959705
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/pkcs.if | 19 +++++++++++++++++++
+ policy/modules/contrib/sssd.te |  1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
+index 423d061..eb97d23 100644
+--- a/policy/modules/contrib/pkcs.if
++++ b/policy/modules/contrib/pkcs.if
+@@ -118,6 +118,25 @@ interface(`pkcs_getattr_exec_files',`
+ 
+ ########################################
+ ## <summary>
++##	Transition to pkcs_slotd
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pkcs_domtrans',`
++	gen_require(`
++		type pkcs_slotd_t, pkcs_slotd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t)
++')
++
++########################################
++## <summary>
+ ##	Create specific objects in the tmpfs directories
+ ##	with a private type.
+ ## </summary>
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 80c0b62..f5c7d98 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -221,6 +221,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	pkcs_domtrans(sssd_t)
+     pkcs_read_lock(sssd_t)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch

@@ -0,0 +1,30 @@
+From 9935be1702ce951d1582e80ae8d747183ed34a5e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 8 Apr 2022 14:02:48 +0200
+Subject: [PATCH] Allow system dbus daemon watch generic directories in
+ /var/lib
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9935be1702ce951d1582e80ae8d747183ed34a5e
+Conflict: NA
+
+Resolves: rhbz#1928365
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 76fb3b6..ced5149 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -107,6 +107,7 @@ dev_rw_inherited_dri(system_dbusd_t)
+ files_read_var_lib_symlinks(system_dbusd_t)
+ files_rw_inherited_non_security_files(system_dbusd_t)
+ files_watch_usr_dirs(system_dbusd_t)
++files_watch_var_lib_dirs(system_dbusd_t)
+ 
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
+-- 
+1.8.3.1
+

backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch

@@ -0,0 +1,33 @@
+From 8398b1833c1168ac30ef8e13db39f50c187503cb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 14 Apr 2022 18:37:38 +0200
+Subject: [PATCH] Allow systemd-gpt-auto-generator create and use
+ netlink_kobject_uevent_socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8398b1833c1168ac30ef8e13db39f50c187503cb
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1649951765.765:599): avc:  denied  { create } for  pid=35143 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
+
+Resolves: rhbz#2075589
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 8fe3eb9..a9308b8 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1106,6 +1106,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ #
+ 
+ allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ dev_read_sysfs(systemd_gpt_generator_t)
+ dev_write_kmsg(systemd_gpt_generator_t)
+-- 
+1.8.3.1
+

backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch

@@ -0,0 +1,31 @@
+From 676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 24 Feb 2022 12:29:52 +0100
+Subject: [PATCH] Allow systemd-logind dbus chat with sosreport
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6
+Conflict: NA
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 3eabe11..8d96c4b 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -404,6 +404,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	sosreport_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
+ 	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ 	xserver_search_xdm_tmp_dirs(systemd_logind_t)
+ ')
+-- 
+1.8.3.1
+

backport-Allow-systemd-sysctl-read-the-security-state-informa.patch

@@ -0,0 +1,34 @@
+From 6d9183e183a32e3ff2caadaa4942f56aa82abe91 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 21 Feb 2022 12:55:00 +0100
+Subject: [PATCH] Allow systemd-sysctl read the security state information
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d9183e183a32e3ff2caadaa4942f56aa82abe91
+Conflict: NA
+
+Addresses the following AVC denial:
+Feb 19 14:19:22 audit[641]: AVC avc:  denied  { read } for  pid=641 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=400 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
+Feb 19 14:19:22 audit[641]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd162b13d0 a2=80102 a3=0 items=0 ppid=1 pid=641 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
+Feb 19 14:19:22 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-sysctl"
+
+Resolves: rhbz#2056207
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 97cc111..3eabe11 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1024,6 +1024,7 @@ allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
+ kernel_dgram_send(systemd_sysctl_t)
+ kernel_request_load_module(systemd_sysctl_t)
+ kernel_rw_all_sysctls(systemd_sysctl_t)
++kernel_read_security_state(systemd_sysctl_t)
+ kernel_write_security_state(systemd_sysctl_t)
+ 
+ files_read_system_conf_files(systemd_sysctl_t)
+-- 
+1.8.3.1
+

backport-Allow-userdomain-read-symlinks-in-var-lib.patch

@@ -0,0 +1,36 @@
+From dc983b88ad1043c43de1cc19d579debcd10a778d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 15 Feb 2022 11:44:23 +0100
+Subject: [PATCH] Allow userdomain read symlinks in /var/lib
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc983b88ad1043c43de1cc19d579debcd10a778d
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/15/22 11:39:56.020:247) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=PATH msg=audit(02/15/22 11:39:56.020:247) : item=0 name=/var/lib/flatpak/appstream/flathub/x86_64/active/appstream.xml.gz nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/15/22 11:39:56.020:247) : cwd=/home/user
+type=SYSCALL msg=audit(02/15/22 11:39:56.020:247) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fb66c6f8da0 a1=F_OK a2=0x0 a3=0x20 items=1 ppid=1460 pid=2035 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=3 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=user_u:user_r:user_t:s0 key=(null)
+type=AVC msg=audit(02/15/22 11:39:56.020:247) : avc:  denied  { read } for  pid=2035 comm=pool-org.gnome. name=active dev="vda2" ino=387091 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 69b460f..3ac8c12 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -387,6 +387,7 @@ tunable_policy(`deny_bluetooth',`',`
+ dev_watch_generic_dirs(login_userdomain)
+ 
+ files_map_var_lib_files(login_userdomain)
++files_read_var_lib_symlinks(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
+ files_watch_system_conf_dirs(login_userdomain)
+-- 
+1.8.3.1
+

backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch

@@ -0,0 +1,34 @@
+From a203bc37147e4480375faebc76021e7548790c70 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 14 Mar 2022 14:20:15 +0100
+Subject: [PATCH] Label /var/run/ecblp0 pipe with cupsd_var_run_t
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a203bc37147e4480375faebc76021e7548790c70
+Conflict: NA
+
+With the edce3e31ec2 (Label /var/run/ecblp0 as cupsd_var_run_t) commit,
+default file context for /var/run/ecblp0 was defined for a plain file
+instead of a named pipe which is actually used by epson drivers.
+
+Resolves: rhbz#2061427
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/cups.fc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
+index f09217f..467eb7e 100644
+--- a/policy/modules/contrib/cups.fc
++++ b/policy/modules/contrib/cups.fc
+@@ -70,7 +70,7 @@
+ /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+ /var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/ecblp0		--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/ecblp0		-p	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+-- 
+1.8.3.1
+

backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch

@@ -0,0 +1,90 @@
+From f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 8 Jul 2022 15:20:59 +0200
+Subject: [PATCH] Support using systemd-update-helper in rpm scriptlets
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498
+Conflict: NA
+
+Addresses the following AVC denials, dontaudited by default:
+type=AVC msg=audit(07/08/2022 15:03:18.969:819) : avc:  denied  { read write } for  pid=1 comm=systemd path=socket:[47621] dev="sockfs" ino=47621 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+
+type=PROCTITLE msg=audit(07/08/2022 15:06:59.478:968) : proctitle=dbus-broker --log 4 --controller 9 --machine-id 31c23619ce0349e999f66291729cc4f6 --max-bytes 536870912 --max-fds 4096 --max-matc
+type=SYSCALL msg=audit(07/08/2022 15:06:59.478:968) : arch=x86_64 syscall=recvmsg success=yes exit=720 a0=0x10 a1=0x7ffe701a5890 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0xffffffff items=0 ppid=561 pid=567 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(07/08/2022 15:06:59.478:968) : avc:  denied  { read write } for  pid=567 comm=dbus-broker path=socket:[51281] dev="sockfs" ino=51281 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+
+The rpm_script_rw_stream_sockets() interface was added.
+
+Resolves: rhbz#2100528
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/dbus.te |  4 ++++
+ policy/modules/contrib/rpm.if  | 20 ++++++++++++++++++++
+ policy/modules/system/init.te  |  1 +
+ 3 files changed, 25 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index ced5149..a0f5679 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -215,6 +215,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpm_script_rw_stream_sockets(system_dbusd_t)
++')
++
++optional_policy(`
+     snapper_read_inherited_pipe(system_dbusd_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index 190f3e2..c6833ba 100644
+--- a/policy/modules/contrib/rpm.if
++++ b/policy/modules/contrib/rpm.if
+@@ -958,6 +958,7 @@ interface(`rpm_admin',`
+ 	rpm_run($1, $2)
+ ')
+ 
++#######################################
+ ## <summary>
+ ##	Allow the specified domain to ioctl rpm_script_t
+ ##	with a unix domain stream socket.
+@@ -975,3 +976,22 @@ interface(`rpm_script_ioctl_stream_sockets',`
+ 
+ 	allow $1 rpm_script_t:unix_stream_socket ioctl;
+ ')
++
++#######################################
++## <summary>
++##	Allow the specified domain read and write to rpm_script_t
++##	over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_script_rw_stream_sockets',`
++	gen_require(`
++		type rpm_script_t;
++	')
++
++	allow $1 rpm_script_t:unix_stream_socket { read write };
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f772288..f12a937 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -521,6 +521,7 @@ optional_policy(`
+ optional_policy(`
+ 	rpm_read_db(init_t)
+ 	rpm_script_ioctl_stream_sockets(init_t)
++	rpm_script_rw_stream_sockets(init_t)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+

backport-filesystem-add-fs_use_trans-for-ramfs.patch

@@ -0,0 +1,42 @@
+From a7697467e082ffd4f68a9e03539db3578b5f34d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 27 Oct 2021 21:18:27 +0200
+Subject: [PATCH] filesystem: add fs_use_trans for ramfs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a7697467e082ffd4f68a9e03539db3578b5f34d5
+Conflict: NA
+
+Enable extended attributes for inodes on ramfs filesystems, similar to
+tmpfs filesystems.
+
+For example systemd uses ramfs for service credentials[1], and xattr
+support is needed for per service based labeling[2].
+
+[1]: https://www.freedesktop.org/software/systemd/man/systemd-creds.html
+[2]: https://github.com/systemd/systemd/pull/21158
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/filesystem.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 1941da1..6a2ad8c 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -178,7 +178,7 @@ genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
+ type ramfs_t;
+ fs_type(ramfs_t)
+ files_mountpoint(ramfs_t)
+-genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
++fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0);
+ 
+ type romfs_t;
+ fs_type(romfs_t)
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 10
+Release: 11
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -134,6 +134,27 @@ Patch6066: backport-Allow-confined-sysadmin-to-use-tool-vipw.patch
 Patch6067: backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch
 Patch6068: backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch
 Patch6069: backport-Allow-iptables-list-cgroup-directories.patch
+Patch6070: backport-filesystem-add-fs_use_trans-for-ramfs.patch
+Patch6071: backport-Allow-userdomain-read-symlinks-in-var-lib.patch
+Patch6072: backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
+Patch6073: backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch
+Patch6074: backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
+Patch6075: backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch
+Patch6076: backport-Allow-init-watch-and-watch_reads-user-ttys.patch
+Patch6077: backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch
+Patch6078: backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch
+Patch6079: backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch
+Patch6080: backport-Add-systemd_getattr_generic_unit_files-interface.patch
+Patch6081: backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
+Patch6082: backport-Add-the-init_append_stream_sockets-interface.patch
+Patch6083: backport-Add-the-corecmd_watch_bin_dirs-interface.patch
+Patch6084: backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch
+Patch6085: backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch
+Patch6086: backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
+Patch6087: backport-Allow-keepalived-setsched-and-sys_nice.patch
+Patch6088: backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch
+Patch6089: backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch
+Patch6090: backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -804,6 +825,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-11
+- backport upstream patches
+
 * Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-10
 - backport upstream patches