!31 同步20.09分支补丁到master分支

From: @HuaxinLuGitee
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001

add_userman_access_run_dir.patch

@@ -0,0 +1,52 @@
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index e069cb5..43fed66 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
+ files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
++files_search_pids(groupadd_t)
++files_create_var_run_dirs(groupadd_t)
++files_delete_all_pids(groupadd_t)
++allow groupadd_t var_run_t:file *;
++allow groupadd_t var_run_t:dir *;
+ 
+ # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
+ corecmd_exec_bin(groupadd_t)
+@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
++files_search_pids(passwd_t)
++files_create_var_run_dirs(passwd_t)
++files_delete_all_pids(passwd_t)
++allow passwd_t var_run_t:file *;
++allow passwd_t var_run_t:dir *;
+ 
+ term_search_ptys(passwd_t)
+ 
+@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+ 
++files_search_pids(sysadm_passwd_t)
++files_create_var_run_dirs(sysadm_passwd_t)
++files_delete_all_pids(sysadm_passwd_t)
++allow sysadm_passwd_t var_run_t:file *;
++allow sysadm_passwd_t var_run_t:dir *;
++
+ optional_policy(`
+ 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
+ files_manage_etc_files(useradd_t)
+ files_create_var_lib_dirs(useradd_t)
+ files_rw_var_lib_dirs(useradd_t)
++files_search_pids(useradd_t)
++files_create_var_run_dirs(useradd_t)
++files_delete_all_pids(useradd_t)
++allow useradd_t var_run_t:file *;
+ 
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)

allow-systemd-hostnamed-and-logind-read-policy.patch

@@ -0,0 +1,34 @@
+From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001
+From: HuaxinLuGitee <1539327763@qq.com>
+Date: Tue, 22 Sep 2020 20:44:36 +0800
+Subject: [PATCH] commit 2
+
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..a98d366 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t)
+ 
+ xserver_dbus_chat(systemd_logind_t)
+ 
++allow systemd_logind_t security_t:file mmap_read_file_perms;
++
+ optional_policy(`
+ 	apache_read_tmp_files(systemd_logind_t)
+ ')
+@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t)
+ userdom_read_all_users_state(systemd_hostnamed_t)
+ userdom_dbus_send_all_users(systemd_hostnamed_t)
+ 
++allow systemd_hostnamed_t security_t:file mmap_read_file_perms;
++
+ optional_policy(`
+         dbus_system_bus_client(systemd_hostnamed_t)
+         dbus_connect_system_bus(systemd_hostnamed_t)
+-- 
+1.8.3.1
+

allow-systemd-machined-create-userdbd-runtime-sock-file.patch

@@ -0,0 +1,54 @@
+From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 11 Aug 2020 12:47:42 +0200
+Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files
+
+Create the systemd_create_userdbd_runtime_sock_files() interface.
+
+Resolves: rhbz#1862686
+---
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index c9d2ed7..a6d8bd0 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',`
+ 
+ 	allow $1 systemd_userdbd_t:unix_stream_socket connectto;
+ ')
++
++#######################################
++## <summary>
++##	Create a named socket in userdbd runtime directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_create_userdbd_runtime_sock_files',`
++	gen_require(`
++        	type systemd_userdbd_runtime_t;
++	')
++
++	create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 367758a..806b7d6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t)
+ logging_dgram_send(systemd_machined_t)
+ 
+ systemd_read_efivarfs(systemd_machined_t)
++systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
+ 
+ userdom_dbus_send_all_users(systemd_machined_t)
+ 
+-- 
+1.8.3.1
+

allow-systemd_machined_t-delete-userdbd-runtime-sock.patch

@@ -0,0 +1,25 @@
+From 99e2285e42bb9d06dbf1322b2990ccee974e1c92 Mon Sep 17 00:00:00 2001
+From: HuaxinLuGitee <1539327763@qq.com>
+Date: Thu, 17 Sep 2020 14:27:25 +0800
+Subject: [PATCH] allow systemd_machined_t delete userdbd runtime sock file
+
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..d0127f6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -189,6 +189,8 @@ systemd_unit_file(systemd_userdbd_unit_file_t)
+ type systemd_userdbd_runtime_t;
+ files_pid_file(systemd_userdbd_runtime_t)
+ 
++delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
++
+ #######################################
+ #
+ # Systemd_logind local policy
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 56
+Release: 60
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -63,6 +63,10 @@ Patch10: add-avc-for-systemd-journald.patch
 Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch12: add-avc-for-systemd.patch
 Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
+Patch14: add_userman_access_run_dir.patch
+Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
+Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
+Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch
 
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -728,6 +732,18 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-60
+- add allow-systemd-hostnamed-and-logind-read-policy.patch
+
+* Thu Sep 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-59
+- add allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
+
+* Thu Sep 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-58
+- add allow-systemd-machined-create-userdbd-runtime-sock-file.patch
+
+* Fri Aug 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-57
+- add add_userman_access_run_dir.patch
+
 * Mon Jul 27 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-56
 - update selinux