+ ##
+@@ -1396,6 +1396,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
+ files_relabelto_home(systemd_tmpfiles_t)
+ files_relabelto_etc_dirs(systemd_tmpfiles_t)
+ files_setattr_lock_dirs(systemd_tmpfiles_t)
++
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
++
+ # for /etc/mtab
+ files_manage_etc_symlinks(systemd_tmpfiles_t)
+
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
deleted file mode 100644
index d673d54..0000000
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f23178d9d89bf39895f75867c29bda4dfb27e786 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 23 Jun 2020 08:39:44 +0800
-Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
-
-Fixes:
-avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs"
-ino=1 scontext=system_u:system_r:getty_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/getty.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 95b1ec632..0415e1ee7 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -66,6 +66,7 @@ dev_read_sysfs(getty_t)
- files_read_etc_runtime_files(getty_t)
- files_read_etc_files(getty_t)
- files_search_spool(getty_t)
-+fs_search_tmpfs(getty_t)
-
- fs_search_auto_mountpoints(getty_t)
- # for error condition handling
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
new file mode 100644
index 0000000..ea8af31
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
@@ -0,0 +1,60 @@
+From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 25 Jan 2021 14:14:59 +0800
+Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
+ failures
+
+* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
+ files
+* Allow systemd_resolved_t to send and recevie messages from dhcpc over
+ dbus
+
+Fixes:
+avc: denied { create } for pid=329 comm="systemd-resolve"
+name=".#stub-resolv.conf53cb7f9d1e3aa72b"
+scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
+permissive=0
+
+avc: denied { send_msg } for msgtype=method_call
+interface=org.freedesktop.resolve1.Manager member=RevertLink
+dest=org.freedesktop.resolve1 spid=340 tpid=345
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tclass=dbus permissive=0
+
+avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345
+tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 31d28a0e3..448905ff7 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
+
+ manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
++manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
+
+@@ -1236,6 +1237,7 @@ optional_policy(`
+ dbus_system_bus_client(systemd_resolved_t)
+ dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
+ dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
++ sysnet_dbus_chat_dhcpc(systemd_resolved_t)
+ ')
+
+ #########################################
+--
+2.17.1
+
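Review bot: The patch description line `* Allow systemd_resolved_t to send and recevie messages from dhcpc over` misspells "receive"; because this text becomes the commit message of the carried patch it should read `* Allow systemd_resolved_t to send and receive messages from dhcpc over`. The two rules match the quoted denials (lnk_file create on systemd_resolved_runtime_t and two-way dbus send_msg between dhcpc_t and systemd_resolved_t). Note that `manage_lnk_files_pattern` grants the whole manage_lnk_file_perms set (unlink, rename, setattr, …) rather than only the denied `create`; that is the usual refpolicy granularity, but a sentence in the description saying the manage set was chosen deliberately would make the scope auditable.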
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
deleted file mode 100644
index 8532a24..0000000
--- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 21c60a1ed37aef0427dbd49f602896b09b875bca Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 23 Jun 2020 08:54:20 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: fix bluetoothd startup
- failures
-
-* Allow bluetooth_t to create and use bluetooth_socket
-* Allow bluetooth_t to create alg_socket
-* Allow bluetooth_t to send and receive messages from systemd hostnamed
- over dbus
-
-Fixes:
-avc: denied { create } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { bind } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { write } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { getattr } for pid=324 comm="bluetoothd"
-path="socket:[11771]" dev="sockfs" ino=11771
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { listen } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { read } for pid=324 comm="bluetoothd" path="socket:[11771]"
-dev="sockfs" ino=11771 scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { create } for pid=268 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
-permissive=0
-
-avc: denied { send_msg } for msgtype=method_call
-interface=org.freedesktop.DBus.Properties member=GetAll
-dest=org.freedesktop.hostname1 spid=266 tpid=312
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/bluetooth.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 69a38543e..b3df695db 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms;
- allow bluetooth_t self:unix_stream_socket { accept connectto listen };
- allow bluetooth_t self:tcp_socket { accept listen };
- allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
-+allow bluetooth_t self:alg_socket create;
-
- read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
-
-@@ -127,6 +129,9 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
- userdom_dontaudit_use_user_terminals(bluetooth_t)
- userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-
-+init_dbus_send_script(bluetooth_t)
-+systemd_dbus_chat_hostnamed(bluetooth_t)
-+
- optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
new file mode 100644
index 0000000..91588f1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
+From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 28 Sep 2021 10:03:04 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
+ attributes of tmpfs and cgroups
+
+Fixes:
+avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
+tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 448905ff7..847895e63 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
+
+ files_search_var_lib(systemd_backlight_t)
+
++fs_getattr_tmpfs(systemd_backlight_t)
++fs_search_cgroup_dirs(systemd_backlight_t)
++fs_getattr_cgroup(systemd_backlight_t)
++
+ #######################################
+ #
+ # Binfmt local policy
+@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
+ fs_list_efivars(systemd_generator_t)
+ fs_getattr_cgroup(systemd_generator_t)
+ fs_getattr_xattr_fs(systemd_generator_t)
++fs_getattr_tmpfs(systemd_generator_t)
+
+ init_create_runtime_files(systemd_generator_t)
+ init_manage_runtime_dirs(systemd_generator_t)
+@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
+ # Allow reading /run/udev/data/+dmi:id
+ udev_read_runtime_files(systemd_hostnamed_t)
+
++fs_getattr_tmpfs(systemd_hostnamed_t)
++fs_search_cgroup_dirs(systemd_hostnamed_t)
++fs_getattr_cgroup(systemd_hostnamed_t)
++
+ optional_policy(`
+ dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
+ files_mmap_read_kernel_modules(systemd_modules_load_t)
+ files_read_etc_files(systemd_modules_load_t)
+
++fs_getattr_tmpfs(systemd_modules_load_t)
++fs_search_cgroup_dirs(systemd_modules_load_t)
++fs_getattr_cgroup(systemd_modules_load_t)
++
+ modutils_read_module_config(systemd_modules_load_t)
+ modutils_read_module_deps(systemd_modules_load_t)
+
+@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
+ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+ fs_getattr_xattr_fs(systemd_networkd_t)
++fs_getattr_tmpfs(systemd_networkd_t)
+ fs_getattr_cgroup(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+ systemd_log_parse_environment(systemd_rfkill_t)
+
++fs_getattr_tmpfs(systemd_rfkill_t)
++fs_search_cgroup_dirs(systemd_rfkill_t)
++fs_getattr_cgroup(systemd_rfkill_t)
++
+ #########################################
+ #
+ # Resolved local policy
+@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
+ files_watch_root_dirs(systemd_resolved_t)
+ files_watch_runtime_dirs(systemd_resolved_t)
+ files_list_runtime(systemd_resolved_t)
++fs_getattr_tmpfs(systemd_resolved_t)
++fs_search_cgroup_dirs(systemd_resolved_t)
++fs_getattr_cgroup(systemd_resolved_t)
+
+ init_dgram_send(systemd_resolved_t)
+
+@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
+
+ systemd_log_parse_environment(systemd_sessions_t)
+
++fs_getattr_tmpfs(systemd_sessions_t)
++fs_search_cgroup_dirs(systemd_sessions_t)
++fs_getattr_cgroup(systemd_sessions_t)
++
+ ########################################
+ #
+ # sysctl local policy
+@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
+ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+ files_read_etc_files(systemd_sysctl_t)
++fs_getattr_tmpfs(systemd_sysctl_t)
++fs_search_cgroup_dirs(systemd_sysctl_t)
++fs_getattr_cgroup(systemd_sysctl_t)
+
+ systemd_log_parse_environment(systemd_sysctl_t)
+
+@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+ fs_getattr_xattr_fs(systemd_tmpfiles_t)
+ fs_list_tmpfs(systemd_tmpfiles_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
++fs_search_cgroup_dirs(systemd_tmpfiles_t)
++fs_getattr_cgroup(systemd_tmpfiles_t)
+
+ selinux_get_fs_mount(systemd_tmpfiles_t)
+ selinux_use_status_page(systemd_tmpfiles_t)
+@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+ files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+
++fs_getattr_tmpfs(systemd_update_done_t)
++fs_search_cgroup_dirs(systemd_update_done_t)
++fs_getattr_cgroup(systemd_update_done_t)
++
+ kernel_read_kernel_sysctls(systemd_update_done_t)
+
+ selinux_use_status_page(systemd_update_done_t)
+@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
+ fs_read_cgroup_files(systemd_user_runtime_dir_t)
+ fs_getattr_cgroup(systemd_user_runtime_dir_t)
++fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
+
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+ kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+--
+2.17.1
+
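Review bot: The Fixes: block quotes denials for only four domains (systemd_networkd_t, systemd_resolved_t, systemd_sessions_t, systemd_user_runtime_dir_t), yet the hunks add fs_getattr_tmpfs / fs_search_cgroup_dirs / fs_getattr_cgroup to twelve systemd_*_t domains, including systemd_backlight_t, systemd_hostnamed_t, systemd_rfkill_t, systemd_sysctl_t and systemd_update_done_t. Each grant should be traceable to an observed denial, or the description should state that the remaining helper domains were widened pre-emptively; a line such as `The same read-only getattr/search access is added to the other systemd_*_t helper domains, which share the code path that triggers these denials` would make the intent reviewable. The access itself is read-only (getattr on a filesystem, search on cgroup directories), so the risk is low, but the gap between the stated justification and the scope of the change is what a policy reviewer will question first.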
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
deleted file mode 100644
index bd06065..0000000
--- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e67fe4fa79d59be7bcefd256c1966ea8c034a3d9 Mon Sep 17 00:00:00 2001
-From: Roy Li
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo
-
-Fixes:
-$ rpcinfo
-rpcinfo: can't contact rpcbind: RPC: Remote system error - Permission denied
-
-avc: denied { connectto } for pid=406 comm="rpcinfo"
-path="/run/rpcbind.sock" scontext=root:sysadm_r:sysadm_t
-tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/roles/sysadm.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index ddf973693..1642f3b93 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -947,6 +947,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
- rpcbind_admin(sysadm_t, sysadm_r)
- ')
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
new file mode 100644
index 0000000..2232d48
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
@@ -0,0 +1,55 @@
+From dc2c9c91219311f6c4d985169dff6c5931a465d7 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for
+ systemd
+
+Fixes:
+syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/syslog: Permission denied
+syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied
+syslogd[243]: Error opening log file: /var/log/messages: Permission denied
+
+avc: denied { search } for pid=243 comm="syslogd" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { write } for pid=162 comm="systemd-journal"
+name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index cc530a2be..5b4b5ec5d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t)
+
+ # manage runtime files
+ allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
+-allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
++allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write };
+ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+@@ -495,6 +495,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_search_tmpfs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+--
+2.17.1
+
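Review bot: The description quotes six `Error opening log file: /var/log/...: Permission denied` messages, but neither rule in the hunk touches /var/log; presumably /var/log resolves onto a tmpfs (volatile) mount on this image, which is why `fs_search_tmpfs(syslogd_t)` cures them, and the description should state that link explicitly so the rule is not removed as unrelated later. The sock_file change is consistent with the second denial: the process is systemd-journal running as syslogd_t writing to its own syslogd_runtime_t socket, so adding `write` to the existing explicit permission set is the minimal grant. A short comment above the sock_file line, e.g. `# systemd-journald (syslogd_t) forwards to the /run/systemd/journal/syslog socket`, would explain why write is needed on a socket syslogd itself creates.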
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
deleted file mode 100644
index 534c280..0000000
--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 14 May 2019 15:22:08 +0800
-Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
- for rpcd_t
-
-Fixes:
-type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search }
-for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
-tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rpc.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index c3e37177b..87b6b4561 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -232,7 +232,7 @@ optional_policy(`
- # Local policy
- #
-
--allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
-+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
- allow rpcd_t self:capability2 block_suspend;
- allow rpcd_t self:process { getcap setcap };
- allow rpcd_t self:fifo_file rw_fifo_file_perms;
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
new file mode 100644
index 0000000..108f62f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,172 @@
+From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
+$XDG_RUNTIME_DIR not defined (consider using --machine=@.host
+--user to connect to bus of other user)
+
+avc: denied { connectto } for pid=293 comm="login"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
+dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=293 comm="login"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { connectto } for pid=244 comm="systemd-logind"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.DropIn" dev="tmpfs" ino=44
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { setrlimit } for pid=297 comm="systemd"
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
+ino=173 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:etc_t tclass=dir permissive=0
+
+avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
+ino=2 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
+
+avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
+ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ policy/modules/system/init.if | 1 +
+ policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 46d3e2f0b..e1933a5bd 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
+ # Allow sysadm to query and set networking settings on the system.
+ systemd_dbus_chat_networkd(sysadm_t)
+ fs_read_nsfs_files(sysadm_t)
++
++ systemd_sysadm_user(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 0171ee299..8ca29f654 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
++ allow $1 initrc_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 38adf050c..5c44d8d8a 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -57,7 +57,7 @@ template(`systemd_role_template',`
+ allow $1_systemd_t self:process { getsched signal };
+ allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+ corecmd_shell_domtrans($1_systemd_t, $3)
+ corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -88,8 +88,11 @@ template(`systemd_role_template',`
+
+ fs_manage_cgroup_files($1_systemd_t)
+ fs_watch_cgroup_files($1_systemd_t)
++ files_watch_etc_dirs($1_systemd_t)
++ fs_getattr_xattr_fs($1_systemd_t)
+
+ kernel_dontaudit_getattr_proc($1_systemd_t)
++ kernel_read_network_state($1_systemd_t)
+
+ selinux_use_status_page($1_systemd_t)
+
+@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
+ init_search_runtime($1)
+ allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+ allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
++ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
+ init_unix_stream_socket_connectto($1)
+ ')
+
+@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+ ')
++
++#########################################
++##
++## sysadm user for systemd --user
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`systemd_sysadm_user',`
++ gen_require(`
++ type sysadm_systemd_t;
++ ')
++
++ allow sysadm_systemd_t self:capability { mknod sys_admin };
++ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++ allow sysadm_systemd_t self:process setrlimit;
++ allow $1 sysadm_systemd_t:system reload;
++')
+--
+2.17.1
+
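Review bot: The one-line change to `init_unix_stream_socket_connectto` in init.if (`allow $1 initrc_t:unix_stream_socket connectto;`) widens a shared interface for every existing caller, not just local_login_t and systemd_logind_t: any domain that could previously connect only to init_t sockets may now connect to any initrc_t stream socket. The denials show this is needed because the userdb multiplexer socket is served from initrc_t; a narrower fix would be a dedicated interface (or a dedicated domain for the userdb service), and at minimum the interface's doc comment, which lies outside the hunk, should be updated to mention initrc_t. In systemd.if, `noatsecure` is added to the `$1_systemd_t` → `$3` process permissions without a corresponding denial in the Fixes: block; since it disables secure-mode (AT_SECURE) environment cleansing on that transition, the description should justify it. The new `systemd_sysadm_user` interface documents its parameter as `Role allowed access` but uses `$1` as a domain in `allow $1 sysadm_systemd_t:system reload;` and is called with sysadm_t, so the summary should read `Domain allowed access`; the mknod / sys_admin / bpf / perfmon capability grants would also benefit from a one-line why-comment each, since sys_admin in particular is far broader than the denials suggest.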
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
deleted file mode 100644
index 408df05..0000000
--- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 40101e4da939fcea2eebe3e4800d0de4e551ca26 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 1 Jul 2020 08:44:07 +0800
-Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
- directory with label rpcbind_runtime_t
-
-* Allow rpcbind_t to create directory with label rpcbind_runtime_t
-* Set context for nfsserver and nfscommon
-
-Fixes:
-avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
-scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rpc.fc | 2 ++
- policy/modules/services/rpcbind.te | 5 +++--
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 88d2acaf0..d9c0a4aa7 100644
---- a/policy/modules/services/rpc.fc
-+++ b/policy/modules/services/rpc.fc
-@@ -1,7 +1,9 @@
- /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
-
- /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-
- /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 370c9bce6..8972980fa 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
- # Local policy
- #
-
--allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
- # net_admin is for SO_SNDBUFFORCE
- dontaudit rpcbind_t self:capability net_admin;
- allow rpcbind_t self:fifo_file rw_fifo_file_perms;
- allow rpcbind_t self:unix_stream_socket { accept listen };
- allow rpcbind_t self:tcp_socket { accept listen };
-
-+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
--files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })
-+files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir })
-
- manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
- manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
new file mode 100644
index 0000000..504e028
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
@@ -0,0 +1,132 @@
+From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Thu, 24 Sep 2020 14:05:52 +0800
+Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
+ separation for dhcpcd
+
+Fixes:
+
+avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setrlimit } for pid=332 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
+permissive=0
+
+avc: denied { create } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { setopt } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { bind } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { getattr } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
+ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { open } for pid=330 comm="dhcpcd"
+path="/run/udev/data/n1" dev="tmpfs" ino=15616
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { getattr } for pid=330 comm="dhcpcd"
+path="/run/udev/data/n1" dev="tmpfs" ino=15616
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { connectto } for pid=1600 comm="dhcpcd"
+path="/run/dhcpcd/unpriv.sock"
+scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=unix_stream_socket permissive=0
+
+avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { getattr } for pid=300 comm="dhcpcd"
+path="net:[4026532008]" dev="nsfs" ino=4026532008
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/sysnetwork.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 4c317cc4c..05a9a52b8 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
++allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
+ dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
+ allow dhcpc_t self:packet_socket create_socket_perms;
+ allow dhcpc_t self:netlink_generic_socket create_socket_perms;
+ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
++allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+ allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
++allow dhcpc_t self:unix_stream_socket connectto;
+
+ allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
+ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
+ fs_getattr_all_fs(dhcpc_t)
+ fs_search_auto_mountpoints(dhcpc_t)
+ fs_search_cgroup_dirs(dhcpc_t)
++fs_read_nsfs_files(dhcpc_t)
+
+ term_dontaudit_use_all_ttys(dhcpc_t)
+ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
+ init_search_units(dhcpc_t)
++ udev_read_runtime_files(dhcpc_t)
+ ')
+
+ optional_policy(`
+--
+2.17.1
+
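Review bot: The new `allow dhcpc_t self:capability { setgid setuid sys_chroot kill };` is placed directly beneath the existing self:capability rule instead of extending it; refpolicy keeps one capability rule per domain, so the four new capabilities belong in the line above rather than in a second rule. `kill` also deserves a why-comment: it lets dhcpcd bypass the DAC ownership check when signalling, and the quoted denial (pid=314) does not record which process it signals, so something like `# privilege separation: the privileged parent signals its unprivileged child` (hedged as "presumably" if that is not confirmed) would help the next auditor. The remaining additions (`netlink_kobject_uevent_socket`, `unix_stream_socket connectto`, `fs_read_nsfs_files`, `udev_read_runtime_files`) each map onto one of the quoted denials. The subject line spells "priviledge"; since the file name carries the same spelling, fixing it would mean renaming the patch.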
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
deleted file mode 100644
index 7bd1402..0000000
--- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 5dbfff582a9c7745f8517adefb27c5f90653f8fa Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Wed, 25 May 2016 03:16:24 -0400
-Subject: [PATCH] policy/modules/services/rngd: fix security context for
- rng-tools
-
-* Fix security context for /etc/init.d/rng-tools
-* Allow rngd_t to read sysfs
-
-Fixes:
-avc: denied { read } for pid=355 comm="rngd" name="cpu" dev="sysfs"
-ino=36 scontext=system_u:system_r:rngd_t
-tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1
-
-avc: denied { getsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-avc: denied { setsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rngd.fc | 1 +
- policy/modules/services/rngd.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
-index 382c067f9..0ecc5acc4 100644
---- a/policy/modules/services/rngd.fc
-+++ b/policy/modules/services/rngd.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-
- /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-
-diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
-index 4540e4ec7..48f08fb48 100644
---- a/policy/modules/services/rngd.te
-+++ b/policy/modules/services/rngd.te
-@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
- #
-
- allow rngd_t self:capability { ipc_lock sys_admin };
--allow rngd_t self:process signal;
-+allow rngd_t self:process { signal getsched setsched };
- allow rngd_t self:fifo_file rw_fifo_file_perms;
- allow rngd_t self:unix_stream_socket { accept listen };
-
-@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
- dev_read_urand(rngd_t)
- dev_rw_tpm(rngd_t)
- dev_write_rand(rngd_t)
-+dev_read_sysfs(rngd_t)
-
- files_read_etc_files(rngd_t)
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
new file mode 100644
index 0000000..2f94974
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
@@ -0,0 +1,34 @@
+From 8343ff97a265836ba1e1e2f4159f888c21e5cabe Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 9 Feb 2021 17:31:55 +0800
+Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys
+
+Fixes:
+kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
+
+avc: denied { write } for pid=219 comm="modprobe"
+scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
+tclass=key permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/modutils.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 5b4f0aca1..008f286a8 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms;
+ allow kmod_t self:rawip_socket create_socket_perms;
+
+ allow kmod_t self:lockdown confidentiality;
++allow kmod_t self:key write;
+
+ # Read module config and dependency information
+ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
+--
+2.17.1
+
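Review bot: `allow kmod_t self:key write;` is added without a comment, while the surrounding rules in modutils.te carry one, and the only hint of why modprobe writes to a key is the kernel line in the log (`cfg80211: Problem loading in-kernel X.509 certificate (-13)`). Suggest `# cfg80211 module load fails with -13 loading its in-kernel X.509 certificate without key write` above the rule so the grant stays tied to the case that needs it. If the key write is only needed for that one module, say so in the comment as well.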
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
deleted file mode 100644
index 4b7e2b5..0000000
--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From be61411d6d7d3bb2c700ec24f42661ce9c728df4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 29 Jan 2021 10:32:00 +0800
-Subject: [PATCH] policy/modules/services/ssh: allow ssh_keygen_t to read
- proc_t
-
-Fixes:
-avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
-dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
-tcontext=system_u:object_r:proc_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/ssh.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 238c45ed8..2bbf50e84 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -330,6 +330,8 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-+allow ssh_keygen_t proc_t:file read_file_perms;
-+
- allow ssh_keygen_t sshd_key_t:file manage_file_perms;
- files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
new file mode 100644
index 0000000..49aa7a6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -0,0 +1,43 @@
+From 4e2df7ca542b6c94e74345daaecb33efc82d749a Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Sat, 18 Dec 2021 09:26:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
+ the process state of all domains
+
+We encountered the following su runtime error:
+$ useradd user1
+$ passwd user1
+New password:
+Retype new password:
+passwd: password updated successfully
+$ su - user1
+Session terminated, terminating shell...Hangup
+
+Fixes:
+avc: denied { use } for pid=344 comm="su"
+path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661
+scontext=root:sysadm_r:sysadm_su_t
+tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 847895e63..1a83148c1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
++domain_read_all_domains_state(systemd_logind_t)
+
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+--
+2.17.1
+
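Review bot: `domain_read_all_domains_state(systemd_logind_t)` grants logind read access to the process state of every domain, but the denial it is paired with is `{ use }` on class `fd` with scontext `sysadm_su_t` and tcontext `systemd_logind_t` — su using a descriptor that originated in logind, not logind reading anything. It is not evident from the patch how the new rule resolves that denial; if the effect is indirect (for instance logind needing to look up the session process so the descriptor is no longer left open for su), that reasoning belongs in a comment above the rule, and the patch is marked Upstream-Status: Pending, so upstream will ask the same question. If only a narrower set of domains needs to be readable, a narrower interface than the all-domains one would be preferable.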
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
deleted file mode 100644
index fd8d527..0000000
--- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 20e6395a7e8bce552fb0190dbc57d836d763fc18 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Sun, 28 Jun 2020 16:14:45 +0800
-Subject: [PATCH] policy/modules/services/ssh: make respective init scripts
- create pid dirs with proper contexts
-
-Fix sshd starup failure.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/ssh.te | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2bbf50e84..ad0a1b7ad 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t)
- type sshd_keytab_t;
- files_type(sshd_keytab_t)
-
--ifdef(`distro_debian',`
-- init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
--')
-+init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
-
- ##############################
- #
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
new file mode 100644
index 0000000..4cae8c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -0,0 +1,35 @@
+From 705008ba8ef960cf2e4813b4b8c5a87b919d545f Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Sat, 15 Feb 2014 04:22:47 -0500
+Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
+ for writing to processes up to its clearance
+
+Fixes:
+avc: denied { setsched } for pid=148 comm="mount"
+scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signen-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index e39ab41a8..3481f9294 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+
+ mls_file_read_all_levels(mount_t)
+ mls_file_write_all_levels(mount_t)
++mls_process_write_to_clearance(mount_t)
+
+ selinux_get_enforce_mode(mount_t)
+
+--
+2.17.1
+
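Review bot: The trailer `Signen-off-by: Wenzong Fan` is misspelled, so tooling that validates `Signed-off-by:` trailers will not count it as a sign-off; it should read `Signed-off-by: Wenzong Fan`. Separately, `mls_process_write_to_clearance(mount_t)` is justified by a single setsched denial against `kernel_t:s15` recorded under `permissive=1`; a comment above the rule naming that case, e.g. `# setsched on kernel_t:s15 during mount under MLS`, would make clear the grant is needed and not merely observed.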
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
deleted file mode 100644
index cafdd61..0000000
--- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f0249cb5802af7f9113786940d0c49e786f774ae Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Mon, 29 Jun 2020 14:27:02 +0800
-Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty
- perms
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/terminal.if | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e8c0735eb..9ccecfa0d 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -119,9 +119,7 @@ interface(`term_user_tty',`
-
- # Debian login is from shadow utils and does not allow resetting the perms.
- # have to fix this!
-- ifdef(`distro_debian',`
-- type_change $1 ttynode:chr_file $2;
-- ')
-+ type_change $1 ttynode:chr_file $2;
-
- tunable_policy(`console_login',`
- # When user logs in from /dev/console, relabel it
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
new file mode 100644
index 0000000..86317b3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,40 @@
+From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+
+The two new rules make sysadm_t domain MLS trusted for:
+ - reading from files at all levels.
+ - writing to processes up to its clearance(s0-s15).
+
+With default MLS policy, root user would login in as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+
+So with the two new rules, root user could work easier in MLS policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Yi Zhao
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index e1933a5bd..0682ed31a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t)
+ logging_watch_audit_log(sysadm_t)
+
+ mls_process_read_all_levels(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
+
+ selinux_read_policy(sysadm_t)
+
+--
+2.17.1
+
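Review bot: `mls_file_read_all_levels(sysadm_t)` removes the MLS read bound for the sysadm domain entirely, whereas the commit message only asks for access "up to its clearance (s0-s15)" and the companion write rule is `mls_process_write_to_clearance`. `mls_file_read_to_clearance(sysadm_t)` (the form this series uses for dmesg_t) matches the stated intent and keeps the read bound tied to the process clearance; with the all-levels variant a sysadm_t process whose range is narrower than s15 would still read s15 files. If the all-levels form is deliberately wanted, a comment in sysadm.te saying so would stop the next reader from tightening it.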
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
new file mode 100644
index 0000000..f659e7e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -0,0 +1,48 @@
+From 18ad027229a06fdcb833482dff0c2ae637d08e78 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
+ for reading from files up to its clearance
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/services/rpcbind.te | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index ca951cb44..a32c59eb1 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index e1eb7d5fc..da0994749 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)
+
+ miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--
+2.17.1
+
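Review bot: The subject says this makes nfsd_t MLS trusted, but the diffstat and both hunks touch only kernel_t (kernel.te) and rpcbind_t (rpcbind.te); the subject should name what the patch actually changes, otherwise the `mls_socket_write_all_levels`/`mls_fd_use_all_levels` grants to kernel_t are easy to overlook when auditing the series. The new comment in rpcbind.te has a typo: `because the are running in different level` should read `because they are running at different levels`. The kernel.te hunk adds its two all-levels trusts with no comment at all; a one-line reference to the nfsd/rpcbind case there would tie the two hunks together.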
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
deleted file mode 100644
index 54dd451..0000000
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 74f611538d63cdf4157e6b5f4b982cafe0378b9a Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Mon, 29 Jun 2020 14:30:58 +0800
-Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read
- /var/lib
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/selinuxutil.te | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 8f8f42ec7..a505b3987 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -549,10 +549,8 @@ userdom_map_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
- userdom_map_user_tmp_files(semanage_t)
-
--ifdef(`distro_debian',`
-- files_read_var_lib_files(semanage_t)
-- files_read_var_lib_symlinks(semanage_t)
--')
-+files_read_var_lib_files(semanage_t)
-+files_read_var_lib_symlinks(semanage_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
new file mode 100644
index 0000000..ace056a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
+From b41a910654f5c5fe198b1695df18b6f6a1af7904 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 30 Jun 2020 10:18:20 +0800
+Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
+ from files up to its clearance
+
+Fixes:
+avc: denied { read } for pid=255 comm="dmesg" name="kmsg"
+dev="devtmpfs" ino=10032
+scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/dmesg.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index f3421fdbb..d87ee5583 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t)
+ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+ userdom_use_user_terminals(dmesg_t)
+
++mls_file_read_to_clearance(dmesg_t)
++
+ optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+ ')
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch
deleted file mode 100644
index ae1d71a..0000000
--- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c2a6ad9b4eee990b79175ec1866cfe20b7c61ef3 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 4 Feb 2016 06:03:19 -0500
-Subject: [PATCH] policy/modules/system/systemd: enable support for
- systemd-tmpfiles to manage all non-security files
-
-Fixes:
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied
-
-avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/"
-dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus"
-dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir
-permissive=0
-
-avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile"
-name="log" dev="vda" ino=14129
-scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
-
-avc: denied { create } for pid=137 comm="systemd-tmpfile"
-name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2e08efd19..7da836136 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.11.1)
- ## Enable support for systemd-tmpfiles to manage all non-security files.
- ##
- ##
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
- ##
- ##
-@@ -1332,6 +1332,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
- files_relabelto_home(systemd_tmpfiles_t)
- files_relabelto_etc_dirs(systemd_tmpfiles_t)
- files_setattr_lock_dirs(systemd_tmpfiles_t)
-+
-+files_manage_non_auth_files(systemd_tmpfiles_t)
-+files_relabel_non_auth_files(systemd_tmpfiles_t)
-+
- # for /etc/mtab
- files_manage_etc_symlinks(systemd_tmpfiles_t)
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..8b9f98c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,76 @@
+From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ lowering the level of files
+
+The boot process hangs with the error while using MLS policy:
+
+ [!!!!!!] Failed to mount API filesystems, freezing.
+ [ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:device_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="shm" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+ systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+ avc: denied { create } for pid=1 comm="systemd" name="pts" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:unlabeled_t:s0 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:cgroup_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index a32c59eb1..1c53754ee 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch
deleted file mode 100644
index a0dc9f2..0000000
--- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8e762e1070e98a4235a70536ee6ca81725858a4b Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Mon, 25 Jan 2021 14:14:59 +0800
-Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
- failures
-
-* Allow systemd_resolved_t to create socket file
-* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
- files
-* Allow systemd_resolved_t to send and recevie messages from dhcpc over
- dbus
-
-Fixes:
-avc: denied { create } for pid=258 comm="systemd-resolve"
-name="io.systemd.Resolve"
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:systemd_resolved_runtime_t:s0
-tclass=sock_file permissive=0
-
-avc: denied { create } for pid=329 comm="systemd-resolve"
-name=".#stub-resolv.conf53cb7f9d1e3aa72b"
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
-permissive=0
-
-avc: denied { send_msg } for msgtype=method_call
-interface=org.freedesktop.resolve1.Manager member=RevertLink
-dest=org.freedesktop.resolve1 spid=340 tpid=345
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345
-tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7da836136..0411729ea 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1164,6 +1164,8 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
-
- manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
-+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
-+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
-
- dev_read_sysfs(systemd_resolved_t)
-@@ -1194,6 +1196,8 @@ seutil_read_file_contexts(systemd_resolved_t)
- systemd_log_parse_environment(systemd_resolved_t)
- systemd_read_networkd_runtime(systemd_resolved_t)
-
-+sysnet_dbus_chat_dhcpc(systemd_resolved_t)
-+
- optional_policy(`
- dbus_connect_system_bus(systemd_resolved_t)
- dbus_system_bus_client(systemd_resolved_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
deleted file mode 100644
index f7758c5..0000000
--- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 3 Feb 2021 09:47:59 +0800
-Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon
- for init_t
-
-Fixes:
-avc: denied { bpf } for pid=1 comm="systemd" capability=39
-scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
-tclass=capability2 permissive=0
-avc: denied { perfmon } for pid=1 comm="systemd" capability=38
-scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
-tclass=capability2 permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/init.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e82177938..b7d494398 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -134,7 +134,7 @@ ifdef(`enable_mls',`
-
- # Use capabilities. old rule:
- allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
--allow init_t self:capability2 { wake_alarm block_suspend };
-+allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon };
- # is ~sys_module really needed? observed:
- # sys_boot
- # sys_tty_config
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
new file mode 100644
index 0000000..b4da47d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,46 @@
+From 7bcc117ea39532427df297299c10ca1d2948a70c Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Fri, 15 Jan 2016 03:47:05 -0500
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+ lowering/raising the leve of files
+
+Fix security_validate_transition issues:
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:device_t:s0 \
+ taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:var_run_t:s0 \
+ newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/init.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 932d1f7b3..36becaa6e 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t)
+ mls_fd_use_all_levels(init_t)
+ mls_process_set_level(init_t)
+
++# MLS trusted for lowering/raising the level of files
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
++
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+--
+2.17.1
+
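Review bot: The two added lines `+mls_file_downgrade(init_t)` and `+mls_file_upgrade(init_t)` exempt pid 1 from the MLS relabel constraint for every file type, while the two validate_transition denials quoted in the description are both range transitions on specific paths (device_t s15 going to s0, var_run_t s0 going to var_log_t s0-s15). It is worth checking first whether those mismatches come from file_contexts (e.g. /dev being labeled at a level init does not create it at) and can be fixed there, because a blanket downgrade right lets init_t lower the level of any higher-classified file, which is the property these constraints exist to protect. If the exemption is kept, the in-policy comment should carry the concrete reason so the next rebase can re-evaluate it, e.g. `# init_t relabels /dev (device_t s15 -> s0) and /var/run -> /var/log across ranges at boot` in place of the generic line. The Upstream-Status line already marks this as not upstreamable, which is consistent with that.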
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
deleted file mode 100644
index aa49ac7..0000000
--- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 5db5b20728dff6c5e75dc07ea4feb6c507661b62 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 8 Jul 2020 13:53:28 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to
- watch initrc_runtime_t
-
-Fixes:
-avc: denied { watch } for pid=200 comm="systemd-logind"
-path="/run/utmp" dev="tmpfs" ino=12766
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
-
-systemd-logind[200]: Failed to create inotify watch on /var/run/utmp, ignoring: Permission denied
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 0411729ea..2d9d7d331 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -651,6 +651,8 @@ init_stop_all_units(systemd_logind_t)
- init_start_system(systemd_logind_t)
- init_stop_system(systemd_logind_t)
-
-+allow systemd_logind_t initrc_runtime_t:file watch;
-+
- locallogin_read_state(systemd_logind_t)
-
- seutil_libselinux_linked(systemd_logind_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
new file mode 100644
index 0000000..4b768e0
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -0,0 +1,63 @@
+From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
+ MLS trusted for raising/lowering the level of files
+
+Fixes:
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
+ dev="proc" ino=7987 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+ name="journal" dev="tmpfs" ino=8226 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
+ tclass=dir
+
+ avc: denied { write } for pid=92 comm="systemd-tmpfile" \
+ name="kmsg" dev="devtmpfs" ino=7242 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
+ tclass=chr_file
+
+ avc: denied { read } for pid=92 comm="systemd-tmpfile" \
+ name="kmod.conf" dev="tmpfs" ino=8660 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:var_run_t:s0 \
+ tclass=file
+
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+ name="kernel" dev="proc" ino=8731 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 1a83148c1..736107fad 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+
+ systemd_log_parse_environment(systemd_tmpfiles_t)
+
++mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_downgrade(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
++
+ userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+ userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
+--
+2.17.1
+
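Review bot: `+mls_file_downgrade(systemd_tmpfiles_t)` and `+mls_file_upgrade(systemd_tmpfiles_t)` are not backed by any of the five AVCs in the description — every one of them is a search, read or write denial, which the `mls_file_read_all_levels` / `mls_file_write_all_levels` lines already address — so the relabel-across-levels exemption is granted without evidence. systemd-tmpfiles does relabel paths, so the grant may well be needed, but then the motivating security_validate_transition denial should be quoted in the message; otherwise drop the two lines until one appears. The read/write grants are also far wider than the visible cases (a few proc and tmpfs objects at s0 or s15), so a comment naming them, e.g. `# tmpfiles.d entries touch /proc/1, /run/log/journal (s15) and /dev/kmsg (s15)`, would document what is actually relied on.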
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
deleted file mode 100644
index a4b387a..0000000
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 14 May 2019 16:02:19 +0800
-Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
- /dev/log
-
-* Set labe devlog_t to symlink /dev/log
-* Allow syslogd_t to manage devlog_t link file
-
-Fixes:
-avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
-dev="devtmpfs" ino=10997
-scontext=system_u:system_r:syslogd_t:s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/logging.fc | 2 ++
- policy/modules/system/logging.if | 4 ++++
- policy/modules/system/logging.te | 1 +
- 3 files changed, 7 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index a4ecd570a..02f0b6270 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,4 +1,5 @@
- /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
-
- /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -24,6 +25,7 @@
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 9bb3afdb2..7233a108c 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
- ')
-
- allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
-
- # systemd journal socket is in /run/systemd/journal/dev-log
- init_search_run($1)
-@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
- ')
-
- allow $1 devlog_t:sock_file relabelto_sock_file_perms;
-+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
- ')
-
- ########################################
-@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
-
- allow $1 devlog_t:sock_file manage_sock_file_perms;
- dev_filetrans($1, devlog_t, sock_file)
-+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
-+ dev_filetrans($1, devlog_t, lnk_file)
- init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
- ')
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b3254f63..d864cfd3d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
- files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
- init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
new file mode 100644
index 0000000..60f7dae
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -0,0 +1,91 @@
+From 71986d0c6775408a1c89415dd5d4e7ea03302248 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Thu, 18 Jun 2020 09:59:58 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
+ MLS trusted for writing/reading from files up to its clearance
+
+Fixes:
+audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
+pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
+pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
+dev="devtmpfs" ino=42
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
+tclass=blk_file permissive=0
+
+avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
+dev="devtmpfs" ino=2060
+scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 736107fad..8cea6baa1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -341,6 +341,9 @@ fs_getattr_tmpfs(systemd_backlight_t)
+ fs_search_cgroup_dirs(systemd_backlight_t)
+ fs_getattr_cgroup(systemd_backlight_t)
+
++mls_file_read_to_clearance(systemd_backlight_t)
++mls_file_write_to_clearance(systemd_backlight_t)
++
+ #######################################
+ #
+ # Binfmt local policy
+@@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+
+ udev_search_runtime(systemd_generator_t)
+
++mls_file_read_to_clearance(systemd_generator_t)
++mls_file_write_to_clearance(systemd_generator_t)
++
+ ifdef(`distro_gentoo',`
+ corecmd_shell_entry_type(systemd_generator_t)
+ ')
+@@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
+ domain_read_all_domains_state(systemd_logind_t)
+
++mls_file_read_to_clearance(systemd_logind_t)
++mls_file_write_to_clearance(systemd_logind_t)
++
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+ # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+@@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t)
+ fs_search_cgroup_dirs(systemd_rfkill_t)
+ fs_getattr_cgroup(systemd_rfkill_t)
+
++mls_file_read_to_clearance(systemd_rfkill_t)
++mls_file_write_to_clearance(systemd_rfkill_t)
++
+ #########################################
+ #
+ # Resolved local policy
+--
+2.17.1
+
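Review bot: The systemd_logind_t hunk (`+mls_file_read_to_clearance(systemd_logind_t)` / `+mls_file_write_to_clearance(systemd_logind_t)`) has no denial behind it in the description — the four AVCs listed are for systemd_generator_t, systemd_rfkill_t and systemd_backlight_t only — so either the logind denial should be added to the message or that hunk dropped. Note too that these domains run at s0-s15:c0.c1023, so "to clearance" is effectively "all levels" for them; the interfaces are the right ones for a ranged domain, but the name should not be read as a meaningful restriction. One of the motivating cases lets systemd_generator_t read fixed_disk_device_t block devices at s15 (the `name="sdb"` denial), i.e. raw disk contents, which deserves a line of its own next to the grant, e.g. `# generators write /dev/kmsg and gpt-auto-generator probes block devices, both labeled mls_systemhigh`.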
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
new file mode 100644
index 0000000..75be11d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -0,0 +1,37 @@
+From 511f7fdad45a150f7ea3666eb51463573eabab0a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
+ object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy.Li
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 5b4b5ec5d..e67c25a9e 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t)
+ fs_search_tmpfs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_file_read_all_levels(syslogd_t)
++mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
++mls_fd_use_all_levels(syslogd_t)
+
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+--
+2.17.1
+
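Review bot: `+mls_trusted_object(syslogd_t)` exempts syslogd_t as a target from the MLS constraints of every object class, not only the unix sockets the description talks about (connectto/sendto on /dev/log), and `+mls_file_read_all_levels(syslogd_t)` is not explained at all; neither line has a quoted denial. If there is a narrower way to let lower-level clients reach the syslog socket I cannot judge it from this patch, but the domain-wide exemption should at least be called out as deliberate. The trailing inline comments on the other lines are a good pattern, so the two unexplained ones should get one as well, e.g. `mls_file_read_all_levels(syslogd_t) # read log sources written at any level` — only if that is in fact the reason.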
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
deleted file mode 100644
index f7abefb..0000000
--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: support systemd --user
-
-Fixes:
-$ systemctl status user@0.service
-* user@0.service - User Manager for UID 0
- Loaded: loaded (/lib/systemd/system/user@.service; static)
- Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
- Docs: man:user@.service(5)
- Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
- Main PID: 1502 (code=exited, status=1/FAILURE)
-
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/roles/sysadm.te | 2 +
- policy/modules/system/init.if | 1 +
- policy/modules/system/logging.te | 5 ++-
- policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
- 4 files changed, 81 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1642f3b93..1de7e441d 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
- # Allow sysadm to resolve the username of dynamic users by calling
- # LookupDynamicUserByUID on org.freedesktop.systemd1.
- init_dbus_chat(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
- ')
-
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ba533ba1a..98e94283f 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
- ')
-
- allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
- ')
-
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d864cfd3d..bdd97631c 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
- # for systemd-journal
- allow syslogd_t self:netlink_audit_socket connected_socket_perms;
- allow syslogd_t self:capability2 audit_read;
-- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-
- # remove /run/log/journal when switching to permanent storage
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
- systemd_manage_journal_files(syslogd_t)
-
- udev_read_runtime_files(syslogd_t)
-+
-+ userdom_search_user_runtime(syslogd_t)
-+ systemd_search_user_runtime(syslogd_t)
- ')
-
- ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6a66a2d79..152139261 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -30,6 +30,7 @@ template(`systemd_role_template',`
- attribute systemd_user_session_type, systemd_log_parse_env_type;
- type systemd_user_runtime_t, systemd_user_runtime_notify_t;
- type systemd_run_exec_t, systemd_analyze_exec_t;
-+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
- ')
-
- #################################
-@@ -55,10 +56,42 @@ template(`systemd_role_template',`
-
- allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
-+ allow $1_systemd_t self:process setrlimit;
-+
-+ kernel_getattr_proc($1_systemd_t)
-+ fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+
-+ userdom_search_user_home_dirs($1_systemd_t)
-+ allow $1_systemd_t $3:dir search_dir_perms;
-+ allow $1_systemd_t $3:file read_file_perms;
-+
-+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
-+
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+
- # This domain is per-role because of the below transitions.
- # See the systemd --user section of systemd.te for the
- # remainder of the rules.
-- allow $1_systemd_t $3:process { setsched rlimitinh };
-+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
- corecmd_shell_domtrans($1_systemd_t, $3)
- corecmd_bin_domtrans($1_systemd_t, $3)
- allow $1_systemd_t self:process signal;
-@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
- init_search_runtime($1)
- allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
- allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
- init_unix_stream_socket_connectto($1)
- ')
-
-@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
- allow $1 systemd_machined_t:fd use;
- allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+##
-+## sysadm user for systemd --user
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow $1 sysadm_systemd_t:system reload;
-+')
-+
-+#######################################
-+##
-+## Search systemd users runtime directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_search_user_runtime',`
-+ gen_require(`
-+ type systemd_user_runtime_t;
-+ ')
-+
-+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
-+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
-+')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
new file mode 100644
index 0000000..5c01ef4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,33 @@
+From 3f875fae6d9a4538b3e7d33f30dd2a98fc9ea2bd Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 28 May 2019 16:41:37 +0800
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+ writing to keys at all levels
+
+Fixes:
+type=AVC msg=audit(1559024138.454:31): avc: denied { link } for
+pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 36becaa6e..9c0a98eb7 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t)
+ mls_process_write_all_levels(init_t)
+ mls_fd_use_all_levels(init_t)
+ mls_process_set_level(init_t)
++mls_key_write_all_levels(init_t)
+
+ # MLS trusted for lowering/raising the level of files
+ mls_file_downgrade(init_t)
+--
+2.17.1
+
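Review bot: The single AVC behind `+mls_key_write_all_levels(init_t)` was captured with `permissive=1`, so it shows the first denial, not that an enforcing boot needs only this rule; a confirmation in enforcing mode would strengthen the patch. The line is also inserted uncommented between the process and file MLS blocks, while `comm="(mkdir)"` suggests it is hit during a forked unit's setup (presumably a keyring link against kernel_t at s15 — to confirm); a comment such as `# link keys owned by kernel_t at s15 while setting up units` would record that.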
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
deleted file mode 100644
index 9d4bbf7..0000000
--- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 954a49ec0a4dc64fd9e513abe7a737d956b337ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 9 Feb 2021 17:50:24 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd-generators to
- get the attributes of tmpfs and cgroup
-
-* Allow systemd-generators to get the attributes of a tmpfs
-* Allow systemd-generators to get the attributes of cgroup filesystems
-
-Fixes:
-systemd[95]: /lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=98 comm="systemd-getty-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=104 comm="systemd-sysv-ge" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=100 comm="systemd-hiberna" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=99 comm="systemd-gpt-aut" name="/"
-dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g"
-path="/var/volatile" dev="vda" ino=37131
-scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2d9d7d331..c1111198d 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -431,6 +431,9 @@ files_list_usr(systemd_generator_t)
-
- fs_list_efivars(systemd_generator_t)
- fs_getattr_xattr_fs(systemd_generator_t)
-+fs_getattr_tmpfs(systemd_generator_t)
-+fs_getattr_cgroup(systemd_generator_t)
-+kernel_getattr_unlabeled_dirs(systemd_generator_t)
-
- init_create_runtime_files(systemd_generator_t)
- init_manage_runtime_dirs(systemd_generator_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
new file mode 100644
index 0000000..d3ddcd2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -0,0 +1,40 @@
+From a59dae035b7d5063e0f25c4cf40b5b180ad69022 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Wed, 3 Feb 2016 04:16:06 -0500
+Subject: [PATCH] policy/modules/system/init: all init_t to read any level
+ sockets
+
+Fixes:
+ avc: denied { listen } for pid=1 comm="systemd" \
+ path="/run/systemd/journal/stdout" \
+ scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+ systemd[1]: Failded to listen on Journal Socket
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/init.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 9c0a98eb7..5a19f0e43 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t)
+ mls_file_downgrade(init_t)
+ mls_file_upgrade(init_t)
+
++# MLS trusted for reading from sockets at any level
++mls_socket_read_all_levels(init_t)
++
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+--
+2.17.1
+
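Review bot: The `listen` denial behind `+mls_socket_read_all_levels(init_t)` was recorded with `permissive=1` and names one socket, /run/systemd/journal/stdout owned by syslogd_t at s15, whereas the grant exempts init_t from the MLS socket-read constraint for sockets of every domain at every level. That is in keeping with the all-levels grants init_t already carries a few lines above, but the comment should name the actual case, e.g. `# listen on /run/systemd/journal/stdout (syslogd_t, mls_systemhigh)`, and an enforcing-mode boot should be confirmed since a permissive trace can hide follow-on denials on the same socket.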
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
deleted file mode 100644
index 1c1b459..0000000
--- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8b0bb1e349e2ea021acec1639be0802ac4d7d0c2 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 4 Feb 2021 15:13:50 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_backlight_t to
- read kernel sysctl
-
-Fixes:
-avc: denied { search } for pid=354 comm="systemd-backlig" name="sys"
-dev="proc" ino=4026531854
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c1111198d..7d2ba2796 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -324,6 +324,8 @@ udev_read_runtime_files(systemd_backlight_t)
-
- files_search_var_lib(systemd_backlight_t)
-
-+kernel_read_kernel_sysctls(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
new file mode 100644
index 0000000..47328be
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -0,0 +1,39 @@
+From 96437ba860d352304246fbe3381030da0665f239 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 25 Feb 2016 04:25:08 -0500
+Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
+ at any level
+
+Allow auditd_t to write init_t:unix_stream_socket at any level.
+
+Fixes:
+ avc: denied { write } for pid=748 comm="auditd" \
+ path="socket:[17371]" dev="sockfs" ino=17371 \
+ scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index e67c25a9e..f8d8b73f0 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t)
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+
+ seutil_dontaudit_read_config(auditd_t)
+
+--
+2.17.1
+
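Review bot: `mls_fd_use_all_levels(auditd_t)` is added without a corresponding denial: the quoted AVC covers only `{ write }` on `init_t:unix_stream_socket`, which `mls_socket_write_all_levels(auditd_t)` addresses on its own. Either add the `tclass=fd` denial that motivated the fd rule to the commit message or drop the rule until one is observed — each mls_* attribute is an MLS constraint exemption and should be traceable to an access. A short comment on the new lines would help, e.g. `# auditd runs at s15 and writes to the stream socket it inherits from init_t (s0-s15)`; the target is presumably the journal stdout/stderr stream socket given the class and owner, but that is inferred from `socket:[17371]` and should be confirmed before the comment is committed.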
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
deleted file mode 100644
index d283879..0000000
--- a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5973dc3824b395ce9f6620e3ae432664cc357b66 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 4 Feb 2016 02:10:15 -0500
-Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
- failures
-
-Fixes:
-avc: denied { audit_control } for pid=109 comm="systemd-journal"
-capability=30 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-journal" name="/"
-dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/system/logging.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index bdd97631c..62caa7a56 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -492,6 +492,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_tmpfs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
-@@ -552,6 +553,8 @@ ifdef(`init_systemd',`
- # needed for systemd-initrd case when syslog socket is unlabelled
- logging_send_syslog_msg(syslogd_t)
-
-+ logging_set_loginuid(syslogd_t)
-+
- systemd_manage_journal_files(syslogd_t)
-
- udev_read_runtime_files(syslogd_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..ad92c7f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,31 @@
+From 102255e89863c5a31d0d6c8df67b258d819b9a68 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Thu, 31 Oct 2019 17:35:59 +0800
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ writing to keys at all levels.
+
+Fixes:
+systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 1c53754ee..2031576e0 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=667370
+ mls_file_downgrade(kernel_t)
++mls_key_write_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+--
+2.17.1
+
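Review bot: The `Fixes:` section cites only `crda failed with exit code 254` and no AVC record, so the new `mls_key_write_all_levels(kernel_t)` exemption cannot be traced to the access it is meant to permit. Please capture and quote the `avc: denied { write } ... tclass=key` line (with scontext/tcontext levels) observed when crda runs; without it a reviewer cannot tell whether the key write really originates from kernel_t rather than the udev or crda domains, or whether a narrower fix would do. Once confirmed, add a comment above the rule naming the trigger, e.g. `# kernel-side keyring update while loading the regulatory database (crda)`; the mechanism is inferred here and should be verified against the actual denial.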
diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
deleted file mode 100644
index b7e7c1d..0000000
--- a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e8ff96c9bb98305d1b50fccce67025df3ebbf184 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 23 May 2019 15:52:17 +0800
-Subject: [PATCH] policy/modules/services/cron: allow crond_t to search
- logwatch_cache_t
-
-Fixes:
-avc: denied { search } for pid=234 comm="crond" name="logcheck"
-dev="vda" ino=29080 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/cron.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index 2902820b0..36eb33060 100644
---- a/policy/modules/services/cron.te
-+++ b/policy/modules/services/cron.te
-@@ -318,6 +318,8 @@ miscfiles_read_localization(crond_t)
-
- userdom_list_user_home_dirs(crond_t)
-
-+logwatch_search_cache_dir(crond_t)
-+
- tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
deleted file mode 100644
index d5e40d0..0000000
--- a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1571e6da8a90bb325a94330dcd130d56bae30b37 Mon Sep 17 00:00:00 2001
-From: Roy Li
-Date: Thu, 20 Feb 2014 17:07:05 +0800
-Subject: [PATCH] policy/modules/services/crontab: allow sysadm_r to run
- crontab
-
-This permission has been given if release is not redhat; but we want it
-even we define distro_redhat
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li
-Signed-off-by: Yi Zhao
----
- policy/modules/roles/sysadm.te | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1de7e441d..129e94229 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -1277,6 +1277,10 @@ optional_policy(`
- zebra_admin(sysadm_t, sysadm_r)
- ')
-
-+optional_policy(`
-+ cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
- ifndef(`distro_redhat',`
- optional_policy(`
- auth_role(sysadm_r, sysadm_t)
-@@ -1295,10 +1299,6 @@ ifndef(`distro_redhat',`
- chromium_role(sysadm_r, sysadm_t)
- ')
-
-- optional_policy(`
-- cron_admin_role(sysadm_r, sysadm_t)
-- ')
--
- optional_policy(`
- cryfs_role(sysadm_r, sysadm_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
new file mode 100644
index 0000000..96d0588
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -0,0 +1,30 @@
+From 5fa9e03a3b90f97e573a7724cd9d49b53730d083 Mon Sep 17 00:00:00 2001
+From: Roy Li
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
+ level
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/setrans.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 25aadfc5f..564e2d4d1 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t)
+ mls_socket_write_all_levels(setrans_t)
+ mls_process_read_all_levels(setrans_t)
+ mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
++mls_trusted_object(setrans_t)
+
+ selinux_compute_access_vector(setrans_t)
+
+--
+2.17.1
+
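Review bot: `mls_trusted_object(setrans_t)` is a broad exemption — objects created by setrans_t, its sockets in particular, stop being subject to MLS constraints as targets for any subject at any level — yet this patch carries no `Fixes:` denial at all, unlike the others in the series, and its subject mentions only fd use. Please add the AVC records that required both `mls_fd_use_all_levels` and `mls_trusted_object`; if the trusted-object attribute was only needed so clients at other levels can connect to the translation socket, say so in a comment, e.g. `# clients at any level connect to the setrans socket and pass fds`. If no denial for the second rule can be reproduced, it should be dropped. setrans_t is already MLS-trusted for socket/process/net reads and socket writes in the surrounding context, so fd use is a plausible gap; the trusted-object attribute is the part that needs justification.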
diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch
deleted file mode 100644
index 64cc90e..0000000
--- a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From ab462f0022c35fde984dbe792ce386f5d507aeeb Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 24 Sep 2020 14:05:52 +0800
-Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
- separation for dhcpcd
-
-Fixes:
-
-avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setrlimit } for pid=332 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
-permissive=0
-
-avc: denied { create } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { setopt } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { bind } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { getattr } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
-ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { open } for pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { getattr } for pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { connectto } for pid=1600 comm="dhcpcd"
-path="/run/dhcpcd/unpriv.sock"
-scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=unix_stream_socket permissive=0
-
-avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { getattr } for pid=300 comm="dhcpcd"
-path="net:[4026532008]" dev="nsfs" ino=4026532008
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/sysnetwork.te | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index cb1434180..a9297f976 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -72,6 +72,11 @@ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
- allow dhcpc_t self:rawip_socket create_socket_perms;
- allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
-
-+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
-+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow dhcpc_t self:process setrlimit;
-+allow dhcpc_t self:unix_stream_socket connectto;
-+
- allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
- read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
- exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-@@ -145,6 +150,7 @@ files_manage_var_files(dhcpc_t)
- fs_getattr_all_fs(dhcpc_t)
- fs_search_auto_mountpoints(dhcpc_t)
- fs_search_cgroup_dirs(dhcpc_t)
-+fs_read_nsfs_files(dhcpc_t)
-
- term_dontaudit_use_all_ttys(dhcpc_t)
- term_dontaudit_use_all_ptys(dhcpc_t)
-@@ -180,6 +186,7 @@ ifdef(`init_systemd',`
- init_stream_connect(dhcpc_t)
- init_get_all_units_status(dhcpc_t)
- init_search_units(dhcpc_t)
-+ udev_read_runtime_files(dhcpc_t)
- ')
-
- optional_policy(`
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
new file mode 100644
index 0000000..8bfe607
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -0,0 +1,42 @@
+From fe70aaf9a104b4b0c3439d2767eccb0136951f08 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 22 Feb 2021 11:28:12 +0800
+Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
+ for writing/reading from files at all levels
+
+Fixes:
+avc: denied { search } for pid=1148 comm="systemd" name="journal"
+dev="tmpfs" ino=206
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { write } for pid=1148 comm="systemd" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 5c44d8d8a..5f2038f22 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -171,6 +171,9 @@ template(`systemd_role_template',`
+ xdg_read_config_files($1_systemd_t)
+ xdg_read_data_files($1_systemd_t)
+ ')
++
++ mls_file_read_all_levels($1_systemd_t)
++ mls_file_write_all_levels($1_systemd_t)
+ ')
+
+ ######################################
+--
+2.17.1
+
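Review bot: Both denials show a subject ranged `s0-s15:c0.c1023` accessing objects at `s15:c0.c1023`, i.e. within the process's own clearance, so the narrower `mls_file_read_to_clearance($1_systemd_t)` / `mls_file_write_to_clearance($1_systemd_t)` interfaces (if present in this refpolicy version) would resolve them without making the domain trusted to read or write files at levels above its clearance. The rule is also placed inside `systemd_role_template`, so it applies to every `$1_systemd_t` the template instantiates, not only the `sysadm_systemd_t` seen in the denials; if only the sysadm instance needs it, the rule belongs in sysadm.te rather than the template. Whichever is chosen, add a comment naming the trigger, e.g. `# user systemd instance writes /dev/kmsg and searches /run/systemd/journal, which carry level s15`.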
diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
deleted file mode 100644
index 8de3d5f..0000000
--- a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7418cd97f2c92579bd4d18cbd9063f811ff9a81e Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 9 Feb 2021 16:42:36 +0800
-Subject: [PATCH] policy/modules/services/acpi: allow acpid to watch the
- directories in /dev
-
-Fixes:
-acpid: inotify_add_watch() failed: Permission denied (13)
-
-avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
-dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao