backport upstream patches

backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch

@@ -0,0 +1,38 @@
+From 705fc27141d8aeb736fecdd6a6048f59c55f6d1f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 27 Jul 2022 18:11:34 +0200
+Subject: [PATCH] Add permissions to manage lnk_files into
+ gnome_manage_home_config
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/705fc27141d8aeb736fecdd6a6048f59c55f6d1f
+Conflict: NA
+
+The gnome_manage_home_config() interface contains manage_files_pattern()
+call for config_home_t files only, but symlinks can be there, too.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1652884370.574:523): avc:  denied  { unlink } for  pid=45745 comm="systemd-user-ru" name="user" dev="tmpfs" ino=240 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=lnk_file permissive=0
+
+Resolves: rhbz#2088269
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/gnome.if | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
+index 1d62f2a..f52d635 100644
+--- a/policy/modules/contrib/gnome.if
++++ b/policy/modules/contrib/gnome.if
+@@ -1398,7 +1398,8 @@ interface(`gnome_manage_home_config',`
+ 	')
+ 
+ 	manage_files_pattern($1, config_home_t, config_home_t)
+-    allow $1 config_home_t:file map;
++	manage_lnk_files_pattern($1, config_home_t, config_home_t)
++	allow $1 config_home_t:file map;
+ ')
+ 
+ #######################################
+-- 
+1.8.3.1
+

backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch

@@ -0,0 +1,45 @@
+From aa0d31bad83cf8664e5b415b55022deaa0648552 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 2 Aug 2022 16:31:48 +0200
+Subject: [PATCH] Add the userdom_prog_run_bpf_userdomain() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/aa0d31bad83cf8664e5b415b55022deaa0648552
+Conflict: NA
+
+The userdom_prog_run_bpf_userdomain() interface was added
+to allow the caller domain to run bpftool on the userdomain attribute.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index aeb2deb..e14a3c5 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -6809,3 +6809,21 @@ template(`userdom_security_admin_template',`
+ 		samhain_run($1, $2)
+ 	')
+ ')
++#
++########################################
++## <summary>
++##	Allow caller domain to run bpftool on userdomain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_prog_run_bpf_userdomain',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };
++')
+-- 
+1.8.3.1
+

backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch

@@ -0,0 +1,62 @@
+From bf1751a3a139dfb05160330d04f68d4ab89a80f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 21 Jun 2022 17:45:28 +0200
+Subject: [PATCH] Allow dhclient manage pid files used by chronyd
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf1751a3a139dfb05160330d04f68d4ab89a80f4
+Conflict: NA
+
+The chronyd_manage_pid_files() interface was added.
+
+Resolves: rhbz#2093709
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/chronyd.if   | 19 +++++++++++++++++++
+ policy/modules/system/sysnetwork.te |  1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
+index cad4d31..d2f5504 100644
+--- a/policy/modules/contrib/chronyd.if
++++ b/policy/modules/contrib/chronyd.if
+@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
+ 	manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+ ')
+ 
++########################################
++## <summary>
++##	Manage pid files used by chronyd
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`chronyd_manage_pid_files',`
++	gen_require(`
++		type chronyd_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
++')
++
+ ######################################
+ ## <summary>
+ ##      Create objects in /var/run
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 1bb35d1..41b851f 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -201,6 +201,7 @@ optional_policy(`
+ 	chronyd_systemctl(dhcpc_t)
+ 	chronyd_domtrans(dhcpc_t)
+ 	chronyd_domtrans_chronyc(dhcpc_t)
++	chronyd_manage_pid_files(dhcpc_t)
+ 	chronyd_read_keys(dhcpc_t)
+ ')
+
+-- 
+1.8.3.1
+

backport-Allow-domain-use-userfaultfd-over-all-domains.patch

@@ -0,0 +1,33 @@
+From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 22 Jun 2022 21:27:59 +0200
+Subject: [PATCH] Allow domain use userfaultfd over all domains
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586
+Conflict: NA
+
+Until now, all processes were allowed to use userfaultfd as well other
+anon_inodes to get a file descriptor from the same domain.
+Since this commit the permissions are allowed between different domains.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/domain.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index f1e0bd6..1289b4c 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ # Rules applied to all domains
+ #
+ 
+-allow domain self:anon_inode userfaultfd_anon_inode_perms;
++allow domain domain:anon_inode userfaultfd_anon_inode_perms;
+ # read /proc/(pid|self) entries
+ allow domain self:dir { list_dir_perms watch_dir_perms };
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+-- 
+1.8.3.1
+

backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch

@@ -0,0 +1,35 @@
+From 6c9ef9467ee7e7c9d569a102b05869419409b15e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 27 Jun 2022 09:17:43 +0200
+Subject: [PATCH] Allow firewalld read the contents of the sysfs filesystem
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6c9ef9467ee7e7c9d569a102b05869419409b15e
+Conflict: NA
+
+Addresses the following AVC denial which is triggered on the firewalld
+service start when it tries to read /sys/devices/system/cpu/possible:
+
+type=AVC msg=audit(1656139734.292:232): avc:  denied  { read } for  pid=1396 comm="firewalld" name="possible" dev="sysfs" ino=46 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2101062
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/firewalld.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
+index 62cb02c..1c2d25e 100644
+--- a/policy/modules/contrib/firewalld.te
++++ b/policy/modules/contrib/firewalld.te
+@@ -81,7 +81,7 @@ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+ 
+ dev_read_urand(firewalld_t)
+-dev_search_sysfs(firewalld_t)
++dev_read_sysfs(firewalld_t)
+ 
+ domain_use_interactive_fds(firewalld_t)
+ domain_obj_id_change_exemption(firewalld_t)
+-- 
+1.8.3.1
+

backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch

@@ -0,0 +1,29 @@
+From db12459fc6360763f7358adff0026577f2d51261 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 31 May 2022 19:51:21 +0200
+Subject: [PATCH] Allow iscsid the sys_ptrace userns capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/db12459fc6360763f7358adff0026577f2d51261
+Conflict: NA
+
+Resolves: rhbz#2086871
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/iscsi.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
+index 76a7607..5bcf209 100644
+--- a/policy/modules/contrib/iscsi.te
++++ b/policy/modules/contrib/iscsi.te
+@@ -36,6 +36,7 @@ files_pid_file(iscsi_var_run_t)
+ #
+ 
+ allow iscsid_t self:capability { dac_read_search  ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
++allow iscsid_t self:cap_userns sys_ptrace;
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { accept connectto listen };
+-- 
+1.8.3.1
+

backport-Allow-launch-xenstored-read-filesystem-sysctls.patch

@@ -0,0 +1,33 @@
+From 81ab7c124eea5b9227589286c69e08f3bbd3fe5e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 5 Aug 2022 21:13:32 +0200
+Subject: [PATCH] Allow launch-xenstored read filesystem sysctls
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/81ab7c124eea5b9227589286c69e08f3bbd3fe5e
+Conflict: NA
+
+Addresses the following AVC denial:
+Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { search } for  pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2114498
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/xen.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
+index c4bee9b..bbda603 100644
+--- a/policy/modules/contrib/xen.te
++++ b/policy/modules/contrib/xen.te
+@@ -450,6 +450,8 @@ files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }
+ 
+ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+ 
++kernel_read_fs_sysctls(xenstored_t)
++
+ auth_use_nsswitch(xenstored_t)
+ 
+ can_exec(xenstored_t, xenstored_exec_t)
+-- 
+1.8.3.1
+

backport-Allow-login_userdomain-check-status-of-mount-units.patch

@@ -0,0 +1,39 @@
+From 68f9e4a144df544adc7fa733a64ac505f8189373 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 10 Aug 2022 17:08:03 +0200
+Subject: [PATCH] Allow login_userdomain check status of mount units
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/68f9e4a144df544adc7fa733a64ac505f8189373
+Conflict: NA
+
+Allow systemd user manager running in the context of the logged user
+check status of mount units:
+
+systemctl --user status/show run-user-ID.mount
+
+Addresses the following AVC denial:
+
+Jul 28 11:26:24 hostname systemd[1483]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0
+
+Resolves: rhbz#2111834
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 3ac8c12..5576a97 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -372,6 +372,8 @@ optional_policy(`
+ ############################################################
+ # login_userdomain local policy
+ 
++allow login_userdomain self:service status;
++
+ corenet_tcp_bind_xmsg_port(login_userdomain)
+ 
+ create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+-- 
+1.8.3.1
+

backport-Allow-openvswitch-fsetid-capability.patch

@@ -0,0 +1,40 @@
+From e7afdeddde3b9bc8419032fe753e404947a5f2e9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 8 Aug 2022 16:53:05 +0200
+Subject: [PATCH] Allow openvswitch fsetid capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7afdeddde3b9bc8419032fe753e404947a5f2e9
+Conflict: NA
+
+Working directories used by openvswitch are handled in
+/usr/share/openvswitch/scripts/ovs-lib using the install command
+with explicit permission mode settings.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/08/2022 10:51:16.059:173) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch
+type=PATH msg=audit(08/08/2022 10:51:16.059:173) : item=0 name=(null) inode=972 dev=00:1a mode=dir,700 ouid=openvswitch ogid=hugetlbfs rdev=00:00 obj=system_u:object_r:openvswitch_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/08/2022 10:51:16.059:173) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=1 ppid=579 pid=660 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:system_r:openvswitch_t:s0 key=(null)
+type=AVC msg=audit(08/08/2022 10:51:16.059:173) : avc:  denied  { fsetid } for  pid=660 comm=install capability=fsetid  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
+
+Resolves: rhbz#2103487
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/openvswitch.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 95acc29..ed4a73d 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -35,7 +35,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+ 
+-allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
++allow openvswitch_t self:capability { dac_override dac_read_search fowner fsetid net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+-- 
+1.8.3.1
+

backport-Allow-openvswitch-search-tracefs-dirs.patch

@@ -0,0 +1,68 @@
+From bae18addf147f786b24a7d2fabdaf50629bf2565 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 8 Aug 2022 13:13:35 +0200
+Subject: [PATCH] Allow openvswitch search tracefs dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bae18addf147f786b24a7d2fabdaf50629bf2565
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(08/08/2022 05:46:18.724:169) : proctitle=modprobe openvswitch
+type=KERN_MODULE msg=audit(08/08/2022 05:46:18.724:169) : name=openvswitch
+type=SYSCALL msg=audit(08/08/2022 05:46:18.724:169) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x5630bbc2d8a0 a1=0xbde36 a2=0x5630b96f9cd2 a3=0x5 items=0 ppid=676 pid=680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null)
+type=AVC msg=audit(08/08/2022 05:46:18.724:169) : avc:  denied  { search } for  pid=680 comm=modprobe name=events dev="tracefs" ino=69 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+
+The fs_search_tracefs_dirs() interface was added.
+
+Resolves: rhbz#2103487
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/openvswitch.te |  1 +
+ policy/modules/kernel/filesystem.if   | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 3092492..9ed1587 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -109,6 +109,7 @@ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
+ fs_manage_hugetlbfs_files(openvswitch_t)
+ fs_manage_hugetlbfs_dirs(openvswitch_t)
++fs_search_tracefs_dirs(openvswitch_t)
+ 
+ auth_use_nsswitch(openvswitch_t)
+ 
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 90b8393..34de37d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -6924,6 +6924,24 @@ interface(`fs_rw_onload_sockets',`
+ 
+ ########################################
+ ## <summary>
++##	Search tracefs_t directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_search_tracefs_dirs',`
++	gen_require(`
++		type tracefs_t;
++	')
++
++	search_dirs_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write tracefs_t files
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch

@@ -0,0 +1,44 @@
+From 33b66b726be702dd0cdc26521381d7ba33e2bf84 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 8 Aug 2022 16:52:19 +0200
+Subject: [PATCH] Allow openvswitch use its private tmpfs files and dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/33b66b726be702dd0cdc26521381d7ba33e2bf84
+Conflict: NA
+
+Addresses the following AVC denial:
+Jul 29 19:58:32.669000 localhost audit[985]: AVC avc:  denied  { write } for  pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#1988164
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/openvswitch.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 9ed1587..95acc29 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -21,6 +21,9 @@ logging_log_file(openvswitch_log_t)
+ type openvswitch_tmp_t;
+ files_tmp_file(openvswitch_tmp_t)
+ 
++type openvswitch_tmpfs_t;
++files_tmpfs_file(openvswitch_tmpfs_t)
++
+ type openvswitch_var_run_t;
+ files_pid_file(openvswitch_var_run_t)
+ 
+@@ -68,6 +71,9 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+ files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
+ 
++manage_dirs_pattern(openvswitch_t, openvswitch_tmpfs_t, openvswitch_tmpfs_t)
++fs_tmpfs_filetrans(openvswitch_t, openvswitch_tmpfs_t, dir)
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+-- 
+1.8.3.1
+

backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch

@@ -0,0 +1,32 @@
+From 57b29111318880eb60e2fed57b7117e87b6ece24 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 8 Aug 2022 17:46:46 +0200
+Subject: [PATCH] Allow pmdalinux read files on an nfsd filesystem
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/57b29111318880eb60e2fed57b7117e87b6ece24
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1659885488.520:327): avc:  denied  { search } for  pid=1394 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2116153
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/pcp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index c10717d..66200d4 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -145,6 +145,7 @@ fs_getattr_all_fs(pcp_pmcd_t)
+ fs_getattr_all_dirs(pcp_pmcd_t)
+ fs_list_cgroup_dirs(pcp_pmcd_t)
+ fs_read_cgroup_files(pcp_pmcd_t)
++fs_read_nfsd_files(pcp_pmcd_t)
+ 
+ init_read_utmp(pcp_pmcd_t)
+ 
+-- 
+1.8.3.1
+

backport-Allow-pmie-read-network-state-information-and-networ.patch

@@ -0,0 +1,35 @@
+From 3b46ee3ddbcc41a754d824bc4411a8c022e17390 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 2 Aug 2022 16:45:44 +0200
+Subject: [PATCH] Allow pmie read network state information and network sysctls
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b46ee3ddbcc41a754d824bc4411a8c022e17390
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/02/2022 11:34:16.597:12831) : proctitle=/usr/bin/pmie -b -F -P -l /var/log/pcp/pmie/ip-172-31-24-64.us-east-2.compute.internal/pmie.log -c config.default
+type=PATH msg=audit(08/02/2022 11:34:16.597:12831) : item=0 name=/proc/net/if_inet6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/02/2022 11:34:16.597:12831) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f4aa35486d5 a1=F_OK a2=0x0 a3=0x8 items=1 ppid=1 pid=284086 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pmie exe=/usr/bin/pmie subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
+type=AVC msg=audit(08/02/2022 11:34:16.597:12831) : avc:  denied  { read } for  pid=284086 comm=pmie name=net dev="proc" ino=4026531845 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/contrib/pcp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index f1c2804..c10717d 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -230,6 +230,8 @@ allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+ 
+ allow pcp_pmie_t pcp_pmcd_t:process signal;
+ 
++kernel_read_net_sysctls(pcp_pmie_t)
++kernel_read_network_state(pcp_pmie_t)
+ kernel_read_system_state(pcp_pmie_t)
+ kernel_dontaudit_request_load_module(pcp_pmie_t)
+ 
+-- 
+1.8.3.1
+

backport-Allow-services-execute-systemd-notify.patch

@@ -0,0 +1,82 @@
+From 051d2d7821542cb9dd4555f97a684c28a1861d1a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 9 Aug 2022 15:25:45 +0200
+Subject: [PATCH] Allow services execute systemd-notify
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/051d2d7821542cb9dd4555f97a684c28a1861d1a
+Conflict: NA
+
+With the ea76c5e8b58 ("Allow some domains use sd_notify()") commit,
+daemon and unconfined_service_t were allowed permissions required
+to use the sd_notify() API. This commit allows to the same callers
+the permissions to execute systemd-notify in the caller domain.
+
+Aug 02 13:10:18 hostname audit[956]: AVC avc:  denied  { execute_no_trans } for  pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2114498
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/init.te       |  1 +
+ policy/modules/system/systemd.if    | 18 ++++++++++++++++++
+ policy/modules/system/unconfined.te |  4 ++++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e4bc96f..33052c6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1955,6 +1955,7 @@ allow initrc_domain systemprocess:process transition;
+ optional_policy(`
+ 	systemd_getattr_unit_dirs(daemon)
+ 	systemd_getattr_unit_dirs(systemprocess)
++	systemd_exec_notify(daemon)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 51b966a..61f5476 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -998,6 +998,24 @@ interface(`systemd_timedated_manage_lib_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Execute systemd-notify in the caller domain
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_exec_notify',`
++	gen_require(`
++		type systemd_notify_exec_t;
++	')
++
++	can_exec($1, systemd_notify_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Execute a domain transition to run systemd_notify.
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 4da1290..e6f86cf 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -35,6 +35,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_exec_notify(unconfined_service_t)
++')
++
++optional_policy(`
+ 	virt_transition_svirt(unconfined_service_t, system_r)
+ ')
+ 
+-- 
+1.8.3.1
+

backport-Allow-some-domains-use-sd_notify.patch

@@ -0,0 +1,100 @@
+From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 14 Jul 2022 10:30:12 +0200
+Subject: [PATCH] Allow some domains use sd_notify()
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af
+Conflict: NA
+
+sd_notify() and a few similar systemd library functions may be called by
+a service to notify the service manager about state changes. It can be
+used to send arbitrary information. Most importantly, it can be used for
+start-up completion notification.
+
+With this commit, all types in the daemon and login_userdomain
+attributes and unconfined_service_t can connect to init (PID 1) and
+init can write back to the fifo_file created by the domain.
+
+Resolves: rhbz#1903305
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/init.if       | 21 +++++++++++++++++++++
+ policy/modules/system/init.te       |  2 ++
+ policy/modules/system/unconfined.te |  2 ++
+ policy/modules/system/userdomain.te |  2 ++
+ 4 files changed, 27 insertions(+)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 4b3bb59..c07649b 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',`
+     allow $1 init_t:tcp_socket { read write getattr };
+ ')
+ 
++#######################################
++## <summary>
++##	Use sd_notify
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_use_notify',`
++	gen_require(`
++		type init_t, init_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
++	allow $1 init_var_run_t:sock_file read_sock_file_perms;
++	allow init_t $1:fifo_file write_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Get the system status information from init
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 073ce2c..e4bc96f 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',`
+ 
+ domain_dontaudit_use_interactive_fds(daemon)
+ 
++init_use_notify(daemon)
++
+ userdom_dontaudit_list_admin_dir(daemon)
+ userdom_dontaudit_search_user_tmp(daemon)
+ 
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index ed03aad..4da1290 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t;
+ corecmd_bin_entry_type(unconfined_service_t)
+ corecmd_shell_entry_type(unconfined_service_t)
+ 
++init_use_notify(unconfined_service_t)
++
+ optional_policy(`
+ 	rpm_transition_script(unconfined_service_t, system_r)
+ ')
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 3ac8c12..0980247 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain)
+ fs_create_cgroup_files(login_userdomain)
+ fs_watch_cgroup_files(login_userdomain)
+ 
++init_use_notify(login_userdomain)
++
+ libs_watch_lib_dirs(login_userdomain)
+ 
+ miscfiles_watch_fonts_dirs(login_userdomain)
+-- 
+1.8.3.1
+

backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch

@@ -0,0 +1,34 @@
+From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 2 Aug 2022 16:42:58 +0200
+Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test
+type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index d9e11b6..ed1b86f 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t)
+ userdom_manage_admin_files(sysadm_t)
+ userdom_manage_admin_dirs(sysadm_t)
+ 
++userdom_prog_run_bpf_userdomain(sysadm_t)
++
+ corenet_ib_access_unlabeled_pkeys(sysadm_t)
+ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+ corenet_tcp_bind_all_rpc_ports(sysadm_t)
+-- 
+1.8.3.1
+

backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch

@@ -0,0 +1,92 @@
+From d3e2a2c32da4229c1c27840560074585b7762844 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 13 May 2022 19:02:56 +0200
+Subject: [PATCH] Allow systemd watch and watch_reads user ptys
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d3e2a2c32da4229c1c27840560074585b7762844
+Conflict: NA
+
+This permission is required for "systemd-run --shell" to work.
+
+The following AVC denial was addressed:
+
+type=PROCTITLE msg=audit(05/13/2022 10:57:19.765:435) : proctitle=(bash)
+type=PATH msg=audit(05/13/2022 10:57:19.765:435) : item=0 name=/dev/pts/1 inode=4 dev=00:19 mode=character,620 ouid=root ogid=tty rdev=88:01 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(05/13/2022 10:57:19.765:435) : cwd=/
+type=SYSCALL msg=audit(05/13/2022 10:57:19.765:435) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55e39a4fe560 a2=0x18 a3=0x0 items=1 ppid=1 pid=1109 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(bash) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(05/13/2022 10:57:19.765:435) : avc:  denied  { watch watch_reads } for  pid=1109 comm=(bash) path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
+
+The following interfaces were added:
+- userdom_watch_user_ptys
+- userdom_watch_reads_user_ptys
+
+Resolves: rhbz#1980241
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/init.te       |  2 ++
+ policy/modules/system/userdomain.if | 36 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index a838cdd..f772288 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -419,6 +419,8 @@ userdom_nnp_transition_login_userdomain(init_t)
+ userdom_noatsecure_login_userdomain(init_t)
+ userdom_sigchld_login_userdomain(init_t)
+ userdom_use_user_ptys(init_t)
++userdom_watch_user_ptys(init_t)
++userdom_watch_reads_user_ptys(init_t)
+ 
+ allow init_t self:process setsched;
+ 
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b16984d..aeb2deb 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -3989,6 +3989,42 @@ interface(`userdom_use_user_ptys',`
+ 
+ ########################################
+ ## <summary>
++##	Watch a user pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_watch_user_ptys',`
++	gen_require(`
++		type user_devpts_t;
++	')
++
++	allow $1 user_devpts_t:chr_file watch_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Watch_reads a user pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_watch_reads_user_ptys',`
++	gen_require(`
++		type user_devpts_t;
++	')
++
++	allow $1 user_devpts_t:chr_file watch_reads_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write a inherited user domain pty.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.8.3.1
+

backport-Allow-xdm-read-the-kernel-key-ring.patch

@@ -0,0 +1,66 @@
+From 400c278dc20c89d2b85a351c9a6567d3fb348a01 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 10 Aug 2022 17:26:03 +0200
+Subject: [PATCH] Allow xdm read the kernel key ring
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/400c278dc20c89d2b85a351c9a6567d3fb348a01
+Conflict: NA
+
+The kernel_read_key() interface was added.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:250) : proctitle=gdm-session-worker [pam/gdm-autologin]
+type=SYSCALL msg=audit(28.7.2022 13:38:34.889:250) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x0 a3=0x0 items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(28.7.2022 13:38:34.889:250) : avc:  denied  { read } for  pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
+
+Resolves: rhbz#2111834
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/kernel/kernel.if    | 18 ++++++++++++++++++
+ policy/modules/services/xserver.te |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 6828750..8ffd498 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -510,6 +510,24 @@ interface(`kernel_rw_key',`
+ 
+ ########################################
+ ## <summary>
++##	Allow read the kernel key ring.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_read_key',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:key read;
++')
++
++########################################
++## <summary>
+ ##	Allow view the kernel key ring.
+ ## </summary>
+ ## <param name="domain">
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index cc215b8..6638ed9 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -566,6 +566,7 @@ kernel_read_net_sysctls(xdm_t)
+ kernel_read_network_state(xdm_t)
+ kernel_request_load_module(xdm_t)
+ kernel_stream_connect(xdm_t)
++kernel_read_key(xdm_t)
+ kernel_view_key(xdm_t)
+ 
+ corecmd_exec_shell(xdm_t)
+-- 
+1.8.3.1
+

backport-Do-not-allow-login_userdomain-use-sd_notify.patch

@@ -0,0 +1,35 @@
+From 722bd1fc180b12193c2d551c82eda101f26c098f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 8 Aug 2022 17:35:10 +0200
+Subject: [PATCH] Do not allow login_userdomain use sd_notify()
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/722bd1fc180b12193c2d551c82eda101f26c098f
+Conflict: NA
+
+This commit partially reverts the ea76c5e8b586 ("Allow some domains use
+sd_notify()") commit. While any systemd service should be allowed to
+use sd_notify, which includes unconfined_service_t, login userdomains
+should only talk to user service manager which runs in the respective
+userdomain.
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+ policy/modules/system/userdomain.te | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 0980247..3ac8c12 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -400,8 +400,6 @@ files_watch_generic_tmp_dirs(login_userdomain)
+ fs_create_cgroup_files(login_userdomain)
+ fs_watch_cgroup_files(login_userdomain)
+ 
+-init_use_notify(login_userdomain)
+-
+ libs_watch_lib_dirs(login_userdomain)
+ 
+ miscfiles_watch_fonts_dirs(login_userdomain)
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 11
+Release: 12
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -155,6 +155,25 @@ Patch6087: backport-Allow-keepalived-setsched-and-sys_nice.patch
 Patch6088: backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch
 Patch6089: backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch
 Patch6090: backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch
+Patch6091: backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
+Patch6092: backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
+Patch6093: backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch
+Patch6094: backport-Allow-domain-use-userfaultfd-over-all-domains.patch
+Patch6095: backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
+Patch6096: backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch
+Patch6097: backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
+Patch6098: backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch
+Patch6099: backport-Allow-pmie-read-network-state-information-and-networ.patch
+Patch6100: backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
+Patch6101: backport-Allow-some-domains-use-sd_notify.patch
+Patch6102: backport-Do-not-allow-login_userdomain-use-sd_notify.patch
+Patch6103: backport-Allow-services-execute-systemd-notify.patch
+Patch6104: backport-Allow-openvswitch-search-tracefs-dirs.patch
+Patch6105: backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch
+Patch6106: backport-Allow-openvswitch-fsetid-capability.patch
+Patch6107: backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
+Patch6108: backport-Allow-login_userdomain-check-status-of-mount-units.patch
+Patch6109: backport-Allow-xdm-read-the-kernel-key-ring.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -825,6 +844,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 15 2022 lujie <lujie54@huawei.com> - 35.5-12
+- backport upstream patches
+
 * Tue Sep 13 2022 lujie <lujie54@huawei.com> - 35.5-11
 - backport upstream patches