From 53fd72d9d068621b6c53ee3ebfcbdbfad20e0a86 Mon Sep 17 00:00:00 2001
From: xzyang
Date: Thu, 23 Dec 2021 18:43:20 +0800
Subject: [PATCH] update to selinux-policy-3.13.1-268.el7_9.2.src.rpm

Signed-off-by: xzyang
---
 policy-rhel-7.9.z-base.patch | 13 ++++++++++++
 policy-rhel-7.9.z-contrib.patch | 36 +++++++++++++++++++++++++++++++++
 selinux-policy.spec | 22 +++++++++++++++-----
 3 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 policy-rhel-7.9.z-base.patch
 create mode 100644 policy-rhel-7.9.z-contrib.patch

diff --git a/policy-rhel-7.9.z-base.patch b/policy-rhel-7.9.z-base.patch
new file mode 100644
index 0000000..8aa44c7
--- /dev/null
+++ b/policy-rhel-7.9.z-base.patch
@@ -0,0 +1,13 @@
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index e229517afa..53c780b2e7 100644
+--- a/policy/modules/system/miscfiles.if
++++ b/policy/modules/system/miscfiles.if
+@@ -81,7 +81,7 @@ interface(`miscfiles_manage_all_certs',`
+ attribute cert_type;
+ ')
+
+- allow $1 cert_type:dir list_dir_perms;
++ manage_dirs_pattern($1, cert_type, cert_type)
+ manage_files_pattern($1, cert_type, cert_type)
+ manage_lnk_files_pattern($1, cert_type, cert_type)
+ ')
diff --git a/policy-rhel-7.9.z-contrib.patch b/policy-rhel-7.9.z-contrib.patch
new file mode 100644
index 0000000..de773a9
--- /dev/null
+++ b/policy-rhel-7.9.z-contrib.patch
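Review bot: The `++ manage_dirs_pattern($1, cert_type, cert_type)` line in the nested miscfiles.if hunk gives every caller of `miscfiles_manage_all_certs` create/rmdir/rename/reparent/setattr on every directory carrying the `cert_type` attribute (the `manage_files_pattern` line below it already covered adding and removing file entries), and it does so for all existing callers of the interface, not only the certmonger case named in the spec's changelog. If the need is creating subdirectories, `create_dirs_pattern($1, cert_type, cert_type)` is the narrower refpolicy pattern; if full management is intended, each current caller of the interface should be checked for whether deleting or renaming certificate directories is acceptable for it. The changelog in the same commit also states `Add miscfiles_add_entry_generic_cert_dirs() interface`, but neither patch file adds an interface of that name, so either the entry was carried over from the upstream srpm without its policy change or the base patch is incomplete; worth confirming against the 3.13.1-268.el7_9.2 source. Only the closing `')` of the interface is inside the hunk; its opening line is not.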
@@ -0,0 +1,36 @@
+diff --git a/glusterd.te b/glusterd.te
+index 382d67a996..322a4fe005 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -331,3 +331,16 @@ optional_policy(`
+ optional_policy(`
+ ssh_exec(glusterd_t)
+ ')
++
++
++########################################
++#
++# Local policy for ssh_keygen
++#
++
++gen_require(`
++ type ssh_keygen_t;
++')
++
++manage_dirs_pattern(ssh_keygen_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_files_pattern(ssh_keygen_t, glusterd_var_lib_t, glusterd_var_lib_t)
+diff --git a/ldap.te b/ldap.te
+index 1c922b3402..9079ab40eb 100644
+--- a/ldap.te
++++ b/ldap.te
+@@ -57,8 +57,8 @@ allow slapd_t self:process { setsched signal } ;
+ allow slapd_t self:fifo_file rw_fifo_file_perms;
+ allow slapd_t self:tcp_socket { accept listen };
+
+-allow slapd_t slapd_cert_t:dir list_dir_perms;
+-read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
++manage_dirs_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
++manage_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+
+ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5325c1..c2c80b4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
@@ -21,12 +20,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 268%{anolis_release}%{?dist}
+Release: 268%{?dist}.2
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch0: policy-rhel-7.9-base.patch
 patch1: policy-rhel-7.9-contrib.patch
+patch2: policy-rhel-7.9.z-base.patch
+patch3: policy-rhel-7.9.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
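Review bot: In the nested ldap.te hunk, `++manage_dirs_pattern(slapd_t, slapd_cert_t, slapd_cert_t)` and `++manage_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)` replace a read-only rule with write, unlink, rename and rmdir over the server's own certificate directory, while the changelog only asks to let slapd add new entries there. The read-only rule was what kept a compromised slapd_t from replacing its own TLS certificate or key material, so a pattern without unlink/rename/rmdir (`create_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)`, plus `write_files_pattern` if the new entries must also be written, and `create_dirs_pattern` if subdirectories are needed) would match the stated need; if rewriting or deleting existing entries really is required, the commit should say so. The glusterd.te hunk has the same shape: `ssh_keygen_t` gets `manage_dirs_pattern`/`manage_files_pattern` over all of `glusterd_var_lib_t` for a case the changelog describes as creating one file under /var/lib/glusterd, where `create_files_pattern(ssh_keygen_t, glusterd_var_lib_t, glusterd_var_lib_t)` would suffice.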
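Review bot: Removing `%define anolis_release .0.1` and setting `+Release: 268%{?dist}.2` yields an EVR that sorts below the previously built 3.13.1-268.0.1 package whenever `%{?dist}` expands to a tag such as `.el7` or `.an7`: rpmvercmp compares `268.0.1.<dist>` against `268.<dist>.2` segment by segment, and at the second segment the numeric `0` ranks above the alphabetic dist tag, so hosts that already have 268.0.1 installed would not pick this build up on update. If the 268.0.1 build was ever published, the new Release needs a numeric second segment greater than 0 (for example `Release: 268.2%{?dist}`) or the downstream suffix re-added in a position that sorts higher, in which case the `%define anolis_release` line removed in the `@@ -1,4 +1,3 @@` hunk should be kept rather than dropped.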
@@ -341,9 +342,11 @@ Based off of reference policy: Checked out revision 2.20091117
 %prep
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
+%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -454,7 +457,7 @@ echo "
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
-SELINUX=disabled
+SELINUX=enforcing
 # SELINUXTYPE= can take one of three values:
 # targeted - Targeted processes are protected,
 # minimum - Modification of targeted policy. Only selected processes are protected.
@@ -654,8 +657,17 @@ fi
 %endif
 %changelog
-* Fri Oct 29 2021 zhangbinchen - 3.13.1-268.0.1
-- disable selinux default
+* Thu Oct 29 2020 Zdenek Pytela - 3.13.1-268.2
+- Allow certmonger add new entries in a generic certificates directory
+Resolves: rhbz#1879496
+- Allow slapd add new entries in ldap certificates directory
+Resolves: rhbz#1879496
+- Add miscfiles_add_entry_generic_cert_dirs() interface
+Resolves: rhbz#1879496
+
+* Mon Sep 07 2020 Zdenek Pytela - 3.13.1-268.1
+- Allow ssh-keygen create file in /var/lib/glusterd
+Resolves: rhbz#1867995
 * Tue May 12 2020 Zdenek Pytela - 3.13.1-268
 - Allow rhsmd read process state of all domains and kernel threads
-- Gitee
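Review bot: The `-SELINUX=disabled` / `+SELINUX=enforcing` change in the `@@ -454,7 +457,7 @@` hunk flips the default /etc/selinux/config that this package writes, so fresh installs go from SELinux off to enforcing, and the `%changelog` hunk below records none of it: the downstream entry `- disable selinux default` is removed instead of being superseded by an entry stating that enforcing is the shipped default again. Add a downstream changelog entry for this build above the imported RHEL ones, e.g. `- Restore SELINUX=enforcing as the shipped default`, so the effective default on installed systems stays traceable from the package history. The `echo "` that produces the config file starts before this hunk and ends after it.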