From 899b6a7957fce2a594b62848cffa1642c6158bd4 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Sat, 30 May 2020 10:59:50 +0800
Subject: [PATCH] allow passwd to map and write sssd var lib
---
 add-allow-passwd-to-write-sssd-var-lib.patch | 27 ++++++++++++++++++++
 selinux-policy.spec | 6 ++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 add-allow-passwd-to-write-sssd-var-lib.patch
diff --git a/add-allow-passwd-to-write-sssd-var-lib.patch b/add-allow-passwd-to-write-sssd-var-lib.patch
new file mode 100644
index 0000000..de1a88a
--- /dev/null
+++ b/add-allow-passwd-to-write-sssd-var-lib.patch
@@ -0,0 +1,27 @@
+From e237958d348766aac7f83414ed7af2ab44f8efca Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Sat, 30 May 2020 10:56:41 +0800
+Subject: [PATCH] add allow passwd to write sssd var lib
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/admin/usermanage.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 1977309..426bae8 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -391,6 +391,9 @@ logging_send_syslog_msg(passwd_t)
+ seutil_read_config(passwd_t)
+ seutil_read_file_contexts(passwd_t)
+
++sssd_var_lib_map_file(passwd_t)
++sssd_var_lib_write_file(passwd_t)
++
+ userdom_use_inherited_user_terminals(passwd_t)
+ userdom_use_unpriv_users_fds(passwd_t)
+ # make sure that getcon succeeds
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ed19b2a..9deedec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 52
+Release: 53
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
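Review bot: The two rules that add-allow-passwd-to-write-sssd-var-lib.patch adds to usermanage.te, `sssd_var_lib_map_file(passwd_t)` and `sssd_var_lib_write_file(passwd_t)`, are called unconditionally and carry no comment saying which denial they answer. Cross-module interface calls in reference policy are normally wrapped in an `optional_policy` block so the module still builds when the sssd policy is absent, and a one-line comment such as `# needed for <operation>; AVC: <denial text placeholder>` would record why write, not just read, is required. The interface definitions are not part of this diff (presumably they come from Patch19), so it should be confirmed that they cover files of a single type rather than the whole directory tree, since write plus map on SSSD's state may let a compromised passwd process alter data other services trust. The passwd_t rule block in usermanage.te starts and ends outside the inner hunk.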
@@ -67,6 +67,7 @@ Patch16: add-avc-for-systemd-journald.patch
 Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch18: add-allowed-avc-for-systemd-1.patch
 Patch19: add-allow-to-be-access-to-sssd-dir-and-file.patch
+Patch20: add-allow-passwd-to-write-sssd-var-lib.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -663,6 +664,9 @@ exit 0
 %endif
 %changelog
+* Sat May 30 2020 openEuler Buildteam - 3.14.2-53
+- allow passwd to map and write sssd var lib
+
 * Fri Mar 20 2020 openEuler Buildteam - 3.14.2-52
 - use container-selinux.tgz of 2.73, the same version as package container-selinux
--
Gitee