From cd7db0c2008d1da19f8a4ba77cd3ce43fb771a63 Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Tue, 25 Feb 2025 11:13:12 +0800
Subject: [PATCH] add avc for haveged
(cherry picked from commit 22d7f70a0afee3106163dd3c0eab841d6d62fbff)
---
 add-avc-for-haveged.patch | 27 +++++++++++++++++++++++++++
 selinux-policy.spec | 6 +++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 add-avc-for-haveged.patch
diff --git a/add-avc-for-haveged.patch b/add-avc-for-haveged.patch
new file mode 100644
index 0000000..0253fcb
--- /dev/null
+++ b/add-avc-for-haveged.patch
@@ -0,0 +1,27 @@
+From 65b804ea592c667bfd8c52adc750e52d4177f835 Mon Sep 17 00:00:00 2001
+From: Linux_zhang
+Date: Tue, 25 Feb 2025 11:05:00 +0800
+Subject: [PATCH] add avc for haveged
+Resolves: https://gitee.com/src-openeuler/haveged/issues/IBMY06
+
+---
+ policy/modules/contrib/entropyd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
+index 7e63592..5b5a2ec 100644
+--- a/policy/modules/contrib/entropyd.te
++++ b/policy/modules/contrib/entropyd.te
+@@ -33,6 +33,9 @@ allow entropyd_t self:capability { dac_read_search ipc_lock sys_admin };
+ dontaudit entropyd_t self:capability sys_tty_config;
+ allow entropyd_t self:process signal_perms;
+
++fs_rw_inherited_tmpfs_files(entropyd_t)
++allow entropyd_t tmpfs_t:file {map getattr open};
++
+ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+ files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+--
+2.33.0
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 227687a..8ffdae8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.7
-Release: 5
+Release: 6
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
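Review bot: The raw rule `allow entropyd_t tmpfs_t:file {map getattr open};` in the embedded entropyd.te hunk grants the haveged domain open and map access to every file labelled tmpfs_t on the system, which is considerably wider than the inherited-descriptor access the preceding `fs_rw_inherited_tmpfs_files(entropyd_t)` call provides, and it reaches into another module's type directly instead of going through a filesystem.if interface as contrib modules are expected to. The commit does not record the AVC denial that motivated it, so it is not clear whether haveged merely maps a descriptor it inherits (in which case `open` is probably not needed) or creates the tmpfs file itself (in which case a private derived type via `fs_tmpfs_filetrans` would bound the access to haveged's own files). I would add the denial to the patch description and narrow the rule to whichever of those cases it actually is. As a minor style point, refpolicy writes permission sets spaced and sorted, `{ getattr map open }`.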
@@ -64,6 +64,7 @@ Patch8: allow-rpcbind-to-bind-all-port.patch
 Patch9: add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
 Patch11: backport-Add-support-for-secretmem-anon-inode.patch
+Patch12: add-avc-for-haveged.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -744,6 +745,9 @@ exit 0
 %endif
 %changelog
+* Tue Feb 25 2025 Linux_zhang - 40.7-6
+- add avc for haveged
+
 * Mon Dec 09 2024 wangjiang - 40.7-5
 - Recovering the SELinux Label
-- Gitee