allow passwd to map and write sssd var lib

add-allow-passwd-to-write-sssd-var-lib.patch

@@ -0,0 +1,27 @@
+From e237958d348766aac7f83414ed7af2ab44f8efca Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Sat, 30 May 2020 10:56:41 +0800
+Subject: [PATCH] add allow passwd to write sssd var lib
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/admin/usermanage.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 1977309..426bae8 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -391,6 +391,9 @@ logging_send_syslog_msg(passwd_t)
+ seutil_read_config(passwd_t)
+ seutil_read_file_contexts(passwd_t)
+ 
++sssd_var_lib_map_file(passwd_t)
++sssd_var_lib_write_file(passwd_t)
++
+ userdom_use_inherited_user_terminals(passwd_t)
+ userdom_use_unpriv_users_fds(passwd_t)
+ # make sure that getcon succeeds
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 52
+Release: 53
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -67,6 +67,7 @@ Patch16: add-avc-for-systemd-journald.patch
 Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch18: add-allowed-avc-for-systemd-1.patch
 Patch19: add-allow-to-be-access-to-sssd-dir-and-file.patch  
+Patch20: add-allow-passwd-to-write-sssd-var-lib.patch
 
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -663,6 +664,9 @@ exit 0
 %endif
 
 %changelog
+* Sat May 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-53
+- allow passwd to map and write sssd var lib
+
 * Fri Mar 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-52
 - use container-selinux.tgz of 2.73, the same version as package container-selinux