update upstream patches

backport-Add-bgpd-sys_chroot-capability.patch

@@ -0,0 +1,33 @@
+From 384a8eeec175cc19f18ae74950cb0d8db0e0ce1b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 23 Sep 2022 18:46:54 +0200
+Subject: [PATCH] Add bgpd sys_chroot capability
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(09/23/2022 13:39:42.856:6958) : proctitle=/usr/sbin/bgpd -R
+type=PATH msg=audit(09/23/2022 13:39:42.856:6958) : item=0 name=/var/empty/bgpd inode=644194 dev=00:1e mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/23/2022 13:39:42.856:6958) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55af72eb04e7 a1=0x7f06fcd615b3 a2=0x0 a3=0x7f06fcd46ac0 items=1 ppid=115054 pid=115055 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bgpd exe=/usr/sbin/bgpd subj=system_u:system_r:zebra_t:s0 key=(null)
+type=AVC msg=audit(09/23/2022 13:39:42.856:6958) : avc:  denied  { sys_chroot } for  pid=115055 comm=bgpd capability=sys_chroot  scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:system_r:zebra_t:s0 tclass=capability permissive=0
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/zebra.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
+index 91a604150..bae270d59 100644
+--- a/policy/modules/contrib/zebra.te
++++ b/policy/modules/contrib/zebra.te
+@@ -40,7 +40,7 @@ files_pid_file(zebra_var_run_t)
+ # Local policy
+ #
+ 
+-allow zebra_t self:capability { setgid setuid net_admin net_raw };
++allow zebra_t self:capability { setgid setuid sys_chroot net_admin net_raw };
+ dontaudit zebra_t self:capability sys_tty_config;
+ allow zebra_t self:process { signal_perms getcap setcap };
+ allow zebra_t self:file rw_file_perms;
+-- 
+2.27.0
+

backport-Add-numad-the-ipc_owner-capability.patch

@@ -0,0 +1,35 @@
+From 8cc57cc64467d6e60eac92d6ffc9f9d550e948a2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 21 Sep 2022 17:20:28 +0200
+Subject: [PATCH] Add numad the ipc_owner capability
+
+This permission is required when the cpu allocation in a vm definition contains
+<vcpu placement="auto" />
+which means cpuset option will be configured by querying numad.
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1637903670.950:2626): avc:  denied  { ipc_owner } for  pid=72952 comm="numad" capability=15  scontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=capability permissive=0
+
+Resolves: rhbz#2026968
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/numad.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
+index cf8f99b02..97f923b25 100644
+--- a/policy/modules/contrib/numad.te
++++ b/policy/modules/contrib/numad.te
+@@ -23,7 +23,7 @@ files_pid_file(numad_var_run_t)
+ # numad local policy
+ #
+ 
+-allow numad_t self:capability { kill sys_nice sys_ptrace } ;
++allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
+ allow numad_t self:fifo_file rw_fifo_file_perms;
+ allow numad_t self:msgq create_msgq_perms;
+ allow numad_t self:msg { send receive };
+-- 
+2.27.0
+

backport-Allow-httpd-read-network-sysctls.patch

@@ -0,0 +1,34 @@
+From d98fa390807abca9bc1631f2562d0bba46b67bfd Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 5 Sep 2022 15:39:30 +0200
+Subject: [PATCH] Allow httpd read network sysctls
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume
+type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
+type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { open } for  pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
+type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { read } for  pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2122886
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0e4d4bf87..13e72686c 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -597,6 +597,7 @@ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ 
+ kernel_read_kernel_sysctls(httpd_t)
++kernel_read_net_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
+ kernel_read_network_state(httpd_t)
+-- 
+2.27.0
+

backport-Allow-init-map-its-private-tmp-files.patch

@@ -0,0 +1,29 @@
+From 74d69e714236347f733e83eb1c623148628d89c6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 26 Sep 2022 17:59:13 +0200
+Subject: [PATCH] Allow init map its private tmp files
+
+Addresses the following AVC denial:
+type=AVC msg=audit(11/24/2021 01:50:26.378:167) : avc:  denied  { map } for  pid=1414 comm=cpupower-gui-he path=/var/tmp/ffi6reIpN (deleted) dev="nvme0n1p3" ino=88707980 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2026228
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index c81f0d0be..fd03f1d03 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -208,6 +208,7 @@ manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
+ manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
+ manage_sock_files_pattern(init_t, init_tmp_t, init_tmp_t)
+ files_tmp_filetrans(init_t, init_tmp_t, { file sock_file })
++allow init_t init_tmp_t:file map;
+ 
+ manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
+ manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
+-- 
+2.27.0
+

backport-Allow-init-read-write-inherited-user-fifo-files.patch

@@ -0,0 +1,42 @@
+From 95d7034936ed5f2d01ffcf55a52a5d3c3c8a7825 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 21 Sep 2022 13:41:18 +0200
+Subject: [PATCH] Allow init read/write inherited user fifo files
+
+This commit backs the usage of "systemd-run --pipe" when standard input,
+output, and error of the transient service are inherited from the
+systemd-run command itself. The --pipe switch allows systemd-run to be
+used within shell pipelines.
+
+Addresses the following AVC denials:
+
+type=AVC msg=audit(09/21/2022 05:24:28.596:328) : avc:  denied  { write } for  pid=1 comm=systemd path=pipe:[16980] dev="pipefs" ino=16980 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+type=AVC msg=audit(09/21/2022 05:34:12.088:422) : avc:  denied  { read } for  pid=1 comm=systemd path=pipe:[18554] dev="pipefs" ino=18554 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+type=PROCTITLE msg=audit(09/21/2022 05:36:42.853:427) : proctitle=(grep)
+type=SYSCALL msg=audit(09/21/2022 05:36:42.853:427) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x0 a1=TCGETS a2=0x7ffebe2ae1c0 a3=0x0 items=0 ppid=1 pid=1269 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(grep) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(09/21/2022 05:36:42.853:427) : avc:  denied  { ioctl } for  pid=1269 comm=(grep) path=pipe:[18588] dev="pipefs" ino=18588 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+Resolves: rhbz#2036829
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 33052c66f..f369aa50e 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -413,7 +413,7 @@ userdom_manage_tmp_sockets(init_t)
+ userdom_delete_user_tmp_files(init_t)
+ userdom_delete_user_home_content_files(init_t)
+ userdom_connectto_stream(init_t)
+-
++userdom_rw_inherited_user_pipes(init_t)
+ userdom_transition_login_userdomain(init_t)
+ userdom_nnp_transition_login_userdomain(init_t)
+ userdom_noatsecure_login_userdomain(init_t)
+-- 
+2.27.0
+

backport-Allow-init-remount-all-file_type-filesystems.patch

@@ -0,0 +1,63 @@
+From 355731c1c456907fc7097257e50e4c0377f17953 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 7 Sep 2022 09:41:19 +0200
+Subject: [PATCH] Allow init remount all file_type filesystems
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(1650874039.465:8427): proctitle="(coredump)"
+type=PATH msg=audit(1650874039.465:8427): item=0 name="/proc/self/fd/4" inode=256 dev=00:32 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(1650874039.465:8427): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffeea790a00 a2=0 a3=1021 items=1 ppid=1 pid=208737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(coredump)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(1650874039.465:8427): avc:  denied  { remount } for  pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2125693
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te  |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 2bb2908df..165eb4a12 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -1947,6 +1947,24 @@ interface(`files_unmount_all_file_type_fs',`
+ 	allow $1 file_type:filesystem unmount;
+ ')
+ 
++########################################
++## <summary>
++##	Remount all filesystems with the type of a file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_remount_all_file_type_fs',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	allow $1 file_type:filesystem remount;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read all non-authentication related
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f369aa50e..c81f0d0be 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -627,6 +627,7 @@ dev_rw_wireless(init_t)
+ files_search_all(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
++files_remount_all_file_type_fs(init_t)
+ files_mounton_kernel_symbol_table(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_write_all_pid_sockets(init_t)
+-- 
+2.27.0
+

backport-Allow-ipsec_t-read-write-tpm-devices.patch

@@ -0,0 +1,30 @@
+From c836064999e34f071b4b411c47b87d544cd8f6d4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 31 Aug 2022 18:58:39 +0200
+Subject: [PATCH] Allow ipsec_t read/write tpm devices
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1652729361.214:334): avc:  denied  { getattr } for  pid=1642 comm="charon" path="/dev/tpmrm0" dev="devtmpfs" ino=135 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
+
+Resolves: rhbz#2086926
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/system/ipsec.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
+index 43186c0b9..cd432b15f 100644
+--- a/policy/modules/system/ipsec.te
++++ b/policy/modules/system/ipsec.te
+@@ -180,6 +180,7 @@ corenet_rw_tun_tap_dev(ipsec_t)
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+ dev_read_urand(ipsec_t)
++dev_rw_tpm(ipsec_t)
+ 
+ domain_use_interactive_fds(ipsec_t)
+ 
+-- 
+2.27.0
+

backport-Allow-login_userdomain-watch-various-directories.patch

@@ -0,0 +1,133 @@
+From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 9 Sep 2022 09:33:18 +0200
+Subject: [PATCH] Allow login_userdomain watch various directories
+
+The inotify_add_watch(2) syscalls are called by plasmashell and some
+other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings).
+
+Addresses the following AVC denials examples:
+
+type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn
+type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc:  denied  { watch } for  pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
+
+type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004
+type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc:  denied  { watch } for  pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
+
+The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces
+were added.
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpc.if       | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if     | 18 ++++++++++++++++++
+ policy/modules/system/userdomain.te | 13 +++++++++++++
+ 3 files changed, 50 insertions(+)
+
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 0c6410612..b234bca58 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
+ 	manage_files_pattern($1, exports_t, exports_t)
+ ')
+ 
++########################################
++## <summary>
++##	Watch nfs file exports
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpc_watch_exports',`
++	gen_require(`
++		type exports_t;
++	')
++
++	files_search_etc($1)
++	allow $1 exports_t:file watch_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute domain in nfsd domain.
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 8ffd4988f..f669f866c 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
+ 	allow $1 unlabeled_t:file rw_file_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Watch unlabeled directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_watch_unlabeled_dirs',`
++	gen_require(`
++		type unlabeled_t;
++	')
++
++	allow $1 unlabeled_t:dir watch_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts by caller to get the
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 5576a97cb..1cf86a09e 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
+ 	allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
+ ')
+ 
++kernel_watch_unlabeled_dirs(login_userdomain)
++
++auth_watch_passwd(login_userdomain)
++
++corecmd_watch_bin_dirs(login_userdomain)
++
+ dev_watch_generic_dirs(login_userdomain)
+ 
+ files_map_var_lib_files(login_userdomain)
+ files_read_var_lib_symlinks(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
++files_watch_root_dirs(login_userdomain)
+ files_watch_system_conf_dirs(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
+ files_watch_usr_files(login_userdomain)
+@@ -441,10 +448,16 @@ optional_policy(`
+ 	pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+ 
++optional_policy(`
++	rpc_watch_exports(login_userdomain)
++')
++
++
+ optional_policy(`
+ 	systemd_login_watch_pid_dirs(login_userdomain)
+ 	systemd_login_watch_session_dirs(login_userdomain)
+ 	systemd_machined_watch_pid_dirs(login_userdomain)
++	systemd_resolved_watch_pid_dirs(login_userdomain)
+ ')
+ 
+ ############################################################
+-- 
+2.27.0
+

backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch

@@ -0,0 +1,46 @@
+From 7d20b237ff092cd615045ff25a3d0c9c741f145d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 9 Sep 2022 17:22:52 +0200
+Subject: [PATCH] Allow login_userdomain write to boltd named pipes
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(5.9.2022 23:01:30.921:15103) : proctitle=systemd-stdio-bridge -punix:path=/run/user/1000/bus
+type=PATH msg=audit(5.9.2022 23:01:30.921:15103) : item=0 name= inode=32185282 dev=00:08 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(5.9.2022 23:01:30.921:15103) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x0 a1=0x7f7a005b7093 a2=0x7fff374a7080 a3=0x1000 items=1 ppid=1 pid=1870519 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=10 comm=systemd-stdio-b exe=/usr/bin/systemd-stdio-bridge subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(5.9.2022 23:01:30.921:15103) : avc:  denied  { getattr } for  pid=1870519 comm=systemd-stdio-b path=socket:[32185282] dev="sockfs" ino=32185282 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/rpm.if       | 2 +-
+ policy/modules/system/userdomain.te | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index c6833ba7d..ec09e164d 100644
+--- a/policy/modules/contrib/rpm.if
++++ b/policy/modules/contrib/rpm.if
+@@ -993,5 +993,5 @@ interface(`rpm_script_rw_stream_sockets',`
+ 		type rpm_script_t;
+ 	')
+ 
+-	allow $1 rpm_script_t:unix_stream_socket { read write };
++	allow $1 rpm_script_t:unix_stream_socket { rw_socket_perms };
+ ')
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 1cf86a09e..bdccda7ea 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -452,6 +452,9 @@ optional_policy(`
+ 	rpc_watch_exports(login_userdomain)
+ ')
+ 
++optional_policy(`
++	rpm_script_rw_stream_sockets(login_userdomain)
++')
+ 
+ optional_policy(`
+ 	systemd_login_watch_pid_dirs(login_userdomain)
+-- 
+2.27.0
+

backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch

@@ -0,0 +1,77 @@
+From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Tue, 6 Sep 2022 15:19:59 +0200
+Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs
+
+Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing.
+Addresses the following AVC denial:
+type=AVC msg=audit(1642589553.515:244): avc:  denied  { search } for  pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+Resolves: bz#2041845
+
+Allow pmdaproc search accesses on the directory /var/account.
+Add interface to allow search process accounting data.
+Addresses the following AVC denial:
+type=AVC msg=audit(1642589553.499:243): avc:  denied  { search } for  pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0
+Resolves: bz#2041843
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/acct.if | 18 ++++++++++++++++++
+ policy/modules/contrib/pcp.te  |  5 +++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
+index bc4038b45..86dcc1d5f 100644
+--- a/policy/modules/contrib/acct.if
++++ b/policy/modules/contrib/acct.if
+@@ -60,6 +60,24 @@ interface(`acct_exec_data',`
+ 	can_exec($1, acct_data_t)
+ ')
+ 
++########################################
++## <summary>
++##      Search process accounting data.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`acct_search_data',`
++        gen_require(`
++                type acct_data_t;
++        ')
++
++        search_dirs_pattern($1, acct_data_t, acct_data_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index 66200d46f..920456afc 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t)
+ fs_list_cgroup_dirs(pcp_pmcd_t)
+ fs_read_cgroup_files(pcp_pmcd_t)
+ fs_read_nfsd_files(pcp_pmcd_t)
++fs_search_tracefs_dirs(pcp_pmcd_t)
+ 
+ init_read_utmp(pcp_pmcd_t)
+ 
+@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t)
+ userdom_read_user_tmp_files(pcp_pmcd_t)
+ userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)
+ 
++optional_policy(`
++	acct_search_data(pcp_pmcd_t)
++')
++
+ optional_policy(`
+ 	cron_read_pid_files(pcp_pmcd_t)
+ ')
+-- 
+2.27.0
+

backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch

@@ -0,0 +1,30 @@
+From b7cd8535f926e9f6e38499714f0d97b12b77dde6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 22 Aug 2022 12:25:09 +0200
+Subject: [PATCH] Allow ssh client read kerberos homedir config files
+
+Addresses the following AVC denial:
+type=PATH msg=audit(22.8.2022 10:09:52.495:4019) : item=0 name=/home/user/.k5identity inode=15144919 dev=fd:03 mode=file,664 ouid=user ogid=user rdev=00:00 obj=staff_u:object_r:krb5_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(22.8.2022 10:09:52.495:4019) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564acca009b0 a2=O_RDONLY a3=0x0 items=1 ppid=78842 pid=439750 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=pts12 ses=3 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(22.8.2022 10:09:52.495:4019) : avc:  denied  { open } for  pid=439750 comm=ssh path=/home/user/.k5identity dev="dm-3" ino=15144919 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:krb5_home_t:s0 tclass=file permissive=1
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index bf988b7f2..15b611e46 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -246,6 +246,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_read_home_content(ssh_t)
+ 	kerberos_read_keytab(ssh_t)
+ ')
+ 
+-- 
+2.27.0
+

backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch

@@ -0,0 +1,65 @@
+From 3478cb66bc08866173e82fa070c160c0c03513bd Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 30 Sep 2022 16:08:55 +0200
+Subject: [PATCH] Allow sss daemons read/write unnamed pipes of cloud-init
+
+The cloudform_rw_pipes() interface was added.
+
+Addresses the following AVC denials:
+[   10.779755] fedora audit[812]: AVC avc:  denied  { read } for  pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
+[   10.779916] fedora audit[812]: AVC avc:  denied  { write } for  pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
+
+Resolves: rhbz#2073265
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/cloudform.if | 18 ++++++++++++++++++
+ policy/modules/contrib/sssd.te      |  4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/cloudform.if b/policy/modules/contrib/cloudform.if
+index 55fe0d668..4a17c4872 100644
+--- a/policy/modules/contrib/cloudform.if
++++ b/policy/modules/contrib/cloudform.if
+@@ -41,6 +41,24 @@ interface(`cloudform_init_domtrans',`
+ 	domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
+ ')
+ 
++########################################
++## <summary>
++##	Read and write unnamed cloud-init pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cloudform_rw_pipes',`
++	gen_require(`
++		type cloud_init_t;
++	')
++
++	allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;
++')
++
+ ######################################
+ ## <summary>
+ ##	Execute mongod in the caller domain.
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index f5c7d980d..90d04fd91 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -185,6 +185,10 @@ optional_policy(`
+     bind_read_cache(sssd_t)
+ ')
+ 
++optional_policy(`
++	cloudform_rw_pipes(sssd_t)
++')
++
+ optional_policy(`
+ 	dbus_system_bus_client(sssd_t)
+ 	dbus_connect_system_bus(sssd_t)
+-- 
+2.27.0
+

backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch

@@ -0,0 +1,50 @@
+From 5adbc14b634b60c5bd779fb22c5bf4a674a83020 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 9 Sep 2022 17:21:10 +0200
+Subject: [PATCH] Allow staff_u and user_u users write to bolt pipe
+
+Addresses the following AVC denial:
+-
+type=PROCTITLE msg=audit(6.9.2022 07:26:55.355:15479) : proctitle=boltctl power
+type=SYSCALL msg=audit(6.9.2022 07:26:55.355:15479) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f341adfd940 a2=MSG_CMSG_CLOEXEC a3=0x7fff30353080 items=0 ppid=1832290 pid=1905598 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts18 ses=3 comm=gdbus exe=/usr/bin/boltctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(6.9.2022 07:26:55.355:15479) : avc:  denied  { write } for  pid=1905598 comm=gdbus path=/run/boltd/power/1.guard.fifo dev="tmpfs" ino=95970 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=1
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/roles/staff.te      | 4 ++++
+ policy/modules/roles/unprivuser.te | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index a573eba03..907710baf 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -103,6 +103,10 @@ optional_policy(`
+ 	blueman_dbus_chat(staff_t)
+ ')
+ 
++optional_policy(`
++	boltd_write_var_run_pipes(staff_t)
++')
++
+ optional_policy(`
+ 	kdumpgui_dbus_chat(staff_t)
+ ')
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index 56a8be217..a4781914e 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -66,6 +66,10 @@ optional_policy(`
+ 	bluetooth_role(user_r, user_t)
+ ')
+ 
++optional_policy(`
++	boltd_write_var_run_pipes(user_t)
++')
++
+ optional_policy(`
+ 	colord_dbus_chat(user_t)
+ ')
+-- 
+2.27.0
+

backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch

@@ -0,0 +1,38 @@
+From 8304d9b80b3cb22e429d2113cf81dca07d306dd7 Mon Sep 17 00:00:00 2001
+From: Quintin Hill <stuff@quintin.me.uk>
+Date: Fri, 2 Sep 2022 16:44:37 +0100
+Subject: [PATCH] Allow systemd-gpt-auto-generator to check for empty dirs
+
+systemd-gpt-auto-generator wants to check that certain subdirectories of / are empty before generating mount units for them this is not permitted by policy.
+
+Addresses:
+systemd-gpt-auto-generator[388]: Cannot check if "/home" is empty: Permission denied
+kernel: audit: type=1400 audit(1662118200.418:80): avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="home" dev="sda2" ino=3180 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
+audit[388]: AVC avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="var" dev="sda2" ino=362569 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
+systemd-gpt-auto-generator[388]: Cannot check if "/var" is empty: Permission denied
+
+Resolves: rhbz#2123765
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/system/systemd.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a9308b8cc..028820491 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1112,6 +1112,11 @@ dev_read_sysfs(systemd_gpt_generator_t)
+ dev_write_kmsg(systemd_gpt_generator_t)
+ dev_read_rand(systemd_gpt_generator_t)
+ 
++files_list_boot(systemd_gpt_generator_t)
++files_list_home(systemd_gpt_generator_t)
++files_list_tmp(systemd_gpt_generator_t)
++files_list_usr(systemd_gpt_generator_t)
++files_list_var(systemd_gpt_generator_t)
+ 
+ fstools_exec(systemd_gpt_generator_t)
+ 
+-- 
+2.27.0
+

backport-Allow-utempter-append-to-login_userdomain-stream.patch

@@ -0,0 +1,64 @@
+From 1c0959233b2d061dffb8e6d34b4f49d664d68af9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 9 Sep 2022 17:38:35 +0200
+Subject: [PATCH] Allow utempter append to login_userdomain stream
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(23.8.2022 11:20:02.949:5147) : proctitle=/usr/libexec/utempter/utempter add :0
+type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33828998 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=0 name=/usr/libexec/utempter/utempter inode=35940312 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=EXECVE msg=audit(23.8.2022 11:20:02.949:5147) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:0
+type=SYSCALL msg=audit(23.8.2022 11:20:02.949:5147) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559ff13c4220 a1=0x559ff13c5170 a2=0x7ffc47314488 a3=0x8 items=2 ppid=544463 pid=544464 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=utmp sgid=utmp fsgid=utmp tty=pts17 ses=3 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(23.8.2022 11:20:02.949:5147) : avc:  denied  { append } for  pid=544464 comm=utempter path=socket:[935095] dev="sockfs" ino=935095 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/system/authlogin.te  |  1 +
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 1885fa699..feabf67ab 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -423,6 +423,7 @@ domain_use_interactive_fds(utempter_t)
+ 
+ logging_search_logs(utempter_t)
+ 
++userdom_append_stream_userdomain(utempter_t)
+ userdom_use_inherited_user_terminals(utempter_t)
+ # Allow utemper to write to /tmp/.xses-*
+ userdom_write_user_tmp_files(utempter_t)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e14a3c58f..43192ae29 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -6637,6 +6637,24 @@ interface(`userdom_login_userdomain',`
+     typeattribute $1 login_userdomain;
+ ')
+ 
++########################################
++## <summary>
++##	Append to login_userdomain stream.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_append_stream_userdomain',`
++	gen_require(`
++		attribute login_userdomain;
++	')
++
++	allow $1 login_userdomain:unix_stream_socket { getattr append };
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to check the 
+-- 
+2.27.0
+

backport-Allow-xenstored-change-its-hard-resource-limits.patch

@@ -0,0 +1,32 @@
+From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 26 Sep 2022 15:00:49 +0200
+Subject: [PATCH] Allow xenstored change its hard resource limits
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid
+type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null)
+type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc:  denied  { setrlimit } for  pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#2125693
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/xen.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
+index bbda6032b..6e1e83b4d 100644
+--- a/policy/modules/contrib/xen.te
++++ b/policy/modules/contrib/xen.te
+@@ -423,6 +423,7 @@ optional_policy(`
+ #
+ 
+ allow xenstored_t self:capability { dac_read_search  ipc_lock sys_resource };
++allow xenstored_t self:process setrlimit;
+ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+ allow xenstored_t self:unix_dgram_socket create_socket_perms;
+ 
+-- 
+2.27.0
+

backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch

@@ -0,0 +1,38 @@
+From 284df66be2e1432333b8134606b30fd76c877123 Mon Sep 17 00:00:00 2001
+From: Milos Malik <mmalik@redhat.com>
+Date: Wed, 7 Sep 2022 09:57:13 +0200
+Subject: [PATCH] blueman-mechanism can read ~/.local/lib/python*/site-packages
+ directory
+
+If the ~/.local/lib/python*/site-packages/ directory exists in root's
+home directory then the blueman-mechanism service tries to read that
+directory during its start.
+
+The blueman-mechanism program is written in Python and I believe that
+Python is trying to find locally installed python modules.
+
+In order to avoid these SELinux denials, SELinux policy should allow
+the access.
+
+Resolves: BZ#2027044
+Signed-off-by: lujie42 <lujie54@huawei.com>
+---
+ policy/modules/contrib/blueman.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
+index 4389ad441..305c5270c 100644
+--- a/policy/modules/contrib/blueman.te
++++ b/policy/modules/contrib/blueman.te
+@@ -93,7 +93,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	gnome_search_gconf(blueman_t)
++	gnome_search_gconf_data_dir(blueman_t)
+ ')
+ 
+ optional_policy(`
+-- 
+2.27.0
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 13
+Release: 14
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -174,6 +174,23 @@ Patch6106: backport-Allow-openvswitch-fsetid-capability.patch
 Patch6107: backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
 Patch6108: backport-Allow-login_userdomain-check-status-of-mount-units.patch
 Patch6109: backport-Allow-xdm-read-the-kernel-key-ring.patch
+Patch6110: backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch
+Patch6111: backport-Allow-ipsec_t-read-write-tpm-devices.patch
+Patch6112: backport-Allow-httpd-read-network-sysctls.patch
+Patch6113: backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
+Patch6114: backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch
+Patch6115: backport-Allow-login_userdomain-watch-various-directories.patch
+Patch6116: backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch
+Patch6117: backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
+Patch6118: backport-Allow-utempter-append-to-login_userdomain-stream.patch
+Patch6119: backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch
+Patch6120: backport-Allow-init-read-write-inherited-user-fifo-files.patch
+Patch6121: backport-Add-numad-the-ipc_owner-capability.patch
+Patch6122: backport-Add-bgpd-sys_chroot-capability.patch
+Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch
+Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch
+Patch6125: backport-Allow-init-map-its-private-tmp-files.patch
+Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -845,6 +862,9 @@ exit 0
 %endif
 
 %changelog
+* Sun Nov 27 2022 lujie <lujie54@huawei.com> - 35.5-14
+- backport upstream patches
+
 * Mon Sep 19 2022 xinghe <xinghe2@h-partners.com> - 35.5-13
 - allow map postfix_master_t