backport some selinux-policy upstream patches

backport-Add-gpg_filetrans_admin_home_content-interface.patch

@@ -0,0 +1,38 @@
+From 1137f639bb3cb0b7257ffe8348abbd93882ce37b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Aug 2022 18:49:25 +0200
+Subject: [PATCH] Add gpg_filetrans_admin_home_content() interface
+
+---
+ policy/modules/contrib/gpg.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
+index 55fbfd996e..6e5aa43576 100644
+--- a/policy/modules/contrib/gpg.if
++++ b/policy/modules/contrib/gpg.if
+@@ -281,6 +281,24 @@ interface(`gpg_filetrans_home_content',`
+ 	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+ ')
+ 
++########################################
++## <summary>
++##	Transition to gpg named admin home content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gpg_filetrans_admin_home_content',`
++	gen_require(`
++		type gpg_secret_t;
++	')
++
++	userdom_admin_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
++
+ ########################################
+ ## <summary>
+ ##	Connected to gpg_agent_t unix stream socket.

backport-Add-userdom_view_all_users_keys-interface.patch

@@ -0,0 +1,38 @@
+From e37087d58b6422d0d90e321d9172cf396186fa46 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Aug 2022 15:47:25 +0200
+Subject: [PATCH] Add userdom_view_all_users_keys() interface
+
+---
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 97c27a957a..d23f2ce305 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -4811,6 +4811,24 @@ interface(`userdom_read_all_users_keys',`
+ 	allow $1 userdomain:key read;
+ ')
+ 
++########################################
++## <summary>
++##	View keys for all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_view_all_users_keys',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:key view;
++')
++
+ ########################################
+ ## <summary>
+ ##	Write keys for all user domains.

backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch

@@ -0,0 +1,22 @@
+From 63ba7c49db91e64e2a37c4d4c58959dd2d9c1c89 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 10 Oct 2022 11:45:30 +0200
+Subject: [PATCH] Allow aide to connect to systemd_machined with a unix socket.
+
+Resolves: bz#2062936
+---
+ policy/modules/contrib/aide.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
+index 05ae4ad2ed..670aa96f8b 100644
+--- a/policy/modules/contrib/aide.te
++++ b/policy/modules/contrib/aide.te
+@@ -64,6 +64,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_machined_stream_connect(aide_t)
+ 	systemd_userdbd_stream_connect(aide_t)
+ ')
+ 

backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch

@@ -0,0 +1,35 @@
+From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 22 Aug 2022 10:41:49 +0200
+Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets
+
+These permissions are required when packets tagging following
+/usr/share/doc/nftables/examples/secmark.nft is enabled.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1661030515.019:1079): avc:  denied  { send } for  pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0
+
+and a similar one for chronyd_client_packet_t.
+
+Resolves: rhbz#2120016
+---
+ policy/modules/contrib/chronyd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 165e311002..16ce14d97b 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t)
+ corenet_udp_bind_generic_node(chronyd_t)
+ 
+ corenet_sendrecv_ntp_server_packets(chronyd_t)
++corenet_sendrecv_ntp_client_packets(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ corenet_udp_sendrecv_ntp_port(chronyd_t)
+ 
+ corenet_sendrecv_chronyd_server_packets(chronyd_t)
++corenet_sendrecv_chronyd_client_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+ 

backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch

@@ -0,0 +1,22 @@
+From 193883f3bcfb64143f5ae6754021d0f4d7bfa16d Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 15:06:35 +0200
+Subject: [PATCH] Allow dhcpd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/dhcp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
+index dab0abe4cb..67c865926b 100644
+--- a/policy/modules/contrib/dhcp.te
++++ b/policy/modules/contrib/dhcp.te
+@@ -39,6 +39,7 @@ files_pid_file(dhcpd_var_run_t)
+ 
+ allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_admin sys_tty_config };
++allow dhcpd_t self:capability2 bpf;
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpd_t self:tcp_socket { accept listen };

backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch

@@ -0,0 +1,29 @@
+From 8479a8400fe1b7583814356e74e9cf1c35da1dd9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 16:34:31 +0200
+Subject: [PATCH] Allow dirsrv_snmp_t to manage dirsrv_config_t &
+ dirsrv_var_run_t files
+
+Allow LDAP-agent to manage files in directories /etc/dirsrv/ and /var/run/dirsrv.
+
+Resolves: rhbz#2042515
+---
+ policy/modules/contrib/dirsrv.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
+index feeea4467f..9865382c87 100644
+--- a/policy/modules/contrib/dirsrv.te
++++ b/policy/modules/contrib/dirsrv.te
+@@ -189,9 +189,9 @@ allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+ 
+ rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+ 
+ manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+ files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })

backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch

@@ -0,0 +1,23 @@
+From d3a62f953b580565068ada2f73968ccaaab80a7f Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 14:04:55 +0200
+Subject: [PATCH] Allow fprintd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/fprintd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
+index 7826990a3d..7a48e69eb4 100644
+--- a/policy/modules/contrib/fprintd.te
++++ b/policy/modules/contrib/fprintd.te
+@@ -22,7 +22,7 @@ files_tmp_file(fprintd_tmp_t)
+ #
+ 
+ allow fprintd_t self:capability { sys_admin sys_nice };
+-allow fprintd_t self:capability2 wake_alarm;
++allow fprintd_t self:capability2 { bpf wake_alarm };
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+ allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;

backport-Allow-ftpd-map-ftpd_var_run-files.patch

@@ -0,0 +1,22 @@
+From 58294166420c372e9788b9c0308b1240dbad0c60 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 6 Oct 2022 18:30:58 +0200
+Subject: [PATCH] Allow ftpd map ftpd_var_run files
+
+Resolves: bz#2124943
+---
+ policy/modules/contrib/ftp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index ad80f16496..5edd00839f 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -161,6 +161,7 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
++allow ftpd_t ftpd_var_run_t:file map;
+ manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)

backport-Allow-gpg-read-and-write-generic-pty-type.patch

@@ -0,0 +1,21 @@
+From 0df5ce75a40e9bfe51995d7b11dd9441c9061a1f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Aug 2022 13:49:23 +0200
+Subject: [PATCH] Allow gpg read and write generic pty type
+
+---
+ policy/modules/contrib/gpg.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
+index 7f96408265..24ce9b7915 100644
+--- a/policy/modules/contrib/gpg.te
++++ b/policy/modules/contrib/gpg.te
+@@ -156,6 +156,7 @@ logging_send_syslog_msg(gpg_t)
+ miscfiles_map_generic_certs(gpg_t)
+ 
+ term_search_ptys(gpg_t)
++term_use_generic_ptys(gpg_t)
+ 
+ userdom_use_inherited_user_terminals(gpg_t)
+ # sign/encrypt user files

backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch

@@ -0,0 +1,22 @@
+From f7ee387e69162a3e82cb328d42e6e308aa1ad752 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 14:21:32 +0200
+Subject: [PATCH] Allow keepalived bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 0879eeb4ec..ff0b498188 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -38,6 +38,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ #
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
++allow keepalived_t self:capability2 bpf;
+ allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;

backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch

@@ -0,0 +1,22 @@
+From d9ae9be30d67166caf9c5d6d3e0757317e5b49b9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 14:22:31 +0200
+Subject: [PATCH] Allow lldpad bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/lldpad.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
+index 075893cb9d..ffe3796484 100644
+--- a/policy/modules/contrib/lldpad.te
++++ b/policy/modules/contrib/lldpad.te
+@@ -27,6 +27,7 @@ systemd_mount_dir(lldpad_var_run_t)
+ #
+ allow lldpad_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot sys_resource };
+ dontaudit lldpad_t self:capability { sys_admin };
++allow lldpad_t self:capability2 bpf;
+ allow lldpad_t self:shm create_shm_perms;
+ allow lldpad_t self:fifo_file rw_fifo_file_perms;
+ allow lldpad_t self:unix_stream_socket { accept connectto listen };

backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch

@@ -0,0 +1,28 @@
+From 14a208a78ed843964f8f79903d130760aa7a9a4e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 5 Oct 2022 19:53:23 +0200
+Subject: [PATCH] Allow login_userdomain dbus chat with rhsmcertd
+
+Addresses the following USER_AVC denial:
+type=USER_AVC msg=audit(1662423125.839:301): pid=896 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.RHSM1.Config member=GetAll dest=:1.386 spid=4090 tpid=2540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2124388
+---
+ policy/modules/system/userdomain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 6502db7bf0..4f63e6f662 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -448,6 +448,10 @@ optional_policy(`
+ 	pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+ 
++optional_policy(`
++	rhsmcertd_dbus_chat(login_userdomain)
++')
++
+ optional_policy(`
+ 	rpc_watch_exports(login_userdomain)
+ ')

backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch

@@ -0,0 +1,31 @@
+From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 14:59:49 +0200
+Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf
+ programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/admin/netutils.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index c9526d2b92..312b047edc 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot  setpcap };
+ dontaudit netutils_t self:capability { sys_admin sys_tty_config };
++allow netutils_t self:capability2 bpf;
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_generic_socket create_socket_perms;
+ allow netutils_t self:netlink_rdma_socket create_socket_perms;
+@@ -214,6 +215,7 @@ optional_policy(`
+ 
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit traceroute_t self:capability { sys_admin };
++allow traceroute_t self:capability2 bpf;
+ allow traceroute_t self:netlink_generic_socket create_socket_perms;
+ allow traceroute_t self:netlink_rdma_socket create_socket_perms;
+ allow traceroute_t self:rawip_socket create_socket_perms;

backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch

@@ -0,0 +1,22 @@
+From 33f983cf633bbdfba33958ee313f469b869f3c30 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 27 Oct 2022 14:27:43 +0200
+Subject: [PATCH] Allow pkcs_slotd_t bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/pkcs.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
+index 4eb8a50c83..babcc56f60 100644
+--- a/policy/modules/contrib/pkcs.te
++++ b/policy/modules/contrib/pkcs.te
+@@ -47,6 +47,7 @@ systemd_unit_file(pkcs_slotd_unit_file_t)
+ #
+ 
+ allow pkcs_slotd_t self:capability { fsetid kill chown };
++allow pkcs_slotd_t self:capability2 bpf;
+ allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+ allow pkcs_slotd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow pkcs_slotd_t self:sem create_sem_perms;

backport-Allow-pulseaudio-create-gnome-content-.config.patch

@@ -0,0 +1,30 @@
+From a120005379c8629aa7b6d174d7c763e4f84fedc4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 5 Oct 2022 20:36:22 +0200
+Subject: [PATCH] Allow pulseaudio create gnome content (~/.config)
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc:  denied  { create } for  pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2124387
+---
+ policy/modules/contrib/pulseaudio.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
+index b89c5f706a..bdc8263687 100644
+--- a/policy/modules/contrib/pulseaudio.te
++++ b/policy/modules/contrib/pulseaudio.te
+@@ -152,6 +152,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_create_home_config_dirs(pulseaudio_t)
+ 	gnome_read_gkeyringd_state(pulseaudio_t)
+ 	gnome_signull_gkeyringd(pulseaudio_t)
+ 	gnome_manage_gstreamer_home_files(pulseaudio_t)

backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch

@@ -0,0 +1,32 @@
+From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 20 Oct 2022 19:20:14 +0200
+Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks
+
+This permission is required when rotatelogs is used in apache httpd
+configuration for handling logs and the /etc/httpd/logs path is used
+where the last directory is a symlink to ../../var/log/httpd:
+
+CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined
+
+It is executed with /etc/httpd as CWD, so it needs the search permission
+for httpd_config_t, too.
+
+Resolves: rhbz#2030633
+---
+ policy/modules/contrib/apache.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 73957e4459..9101494b7e 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1668,6 +1668,8 @@ optional_policy(`
+ allow httpd_rotatelogs_t self:capability { dac_read_search  };
+ 
+ manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
+ 
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)

backport-Allow-sbd-the-sys_ptrace-capability.patch

@@ -0,0 +1,41 @@
+From 533de74a9a344542ab504915938b636698fd9838 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 5 Oct 2022 14:12:22 +0200
+Subject: [PATCH] Allow sbd the sys_ptrace capability
+
+The capability is required to scan open file descriptors to find out
+which additional processes also have them open.
+
+The sbd binary implements both the daemon that watches message slots
+as well as the management tool for interacting with the block storage
+device(s).
+
+To get a full cluster view, pcs invokes the sbd-cmdline-tool on other
+nodes through the pcsd instances running there which effects sbd
+transition to sbd_t although it is a command in this case, not a
+service.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(09/12/2022 15:00:59.857:4015) : proctitle=/usr/sbin/sbd query-watchdog
+type=PATH msg=audit(09/12/2022 15:00:59.857:4015) : item=0 name=/proc/851/fd/0 inode=21560 dev=00:05 mode=link,500 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:rpcbind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/12/2022 15:00:59.857:4015) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd9edd46c0 a1=0x7ffd9edd44b0 a2=0xff a3=0x0 items=1 ppid=538646 pid=538650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null)
+type=AVC msg=audit(09/12/2022 15:00:59.857:4015) : avc:  denied  { sys_ptrace } for  pid=538650 comm=sbd capability=sys_ptrace  scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:sbd_t:s0 tclass=capability permissive=0
+
+Resolves: rhbz#2124552
+---
+ policy/modules/contrib/sbd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/sbd.te b/policy/modules/contrib/sbd.te
+index 5aea5cbe1d..4da7c6223b 100644
+--- a/policy/modules/contrib/sbd.te
++++ b/policy/modules/contrib/sbd.te
+@@ -22,7 +22,7 @@ userdom_user_tmpfs_file(sbd_tmpfs_t)
+ #
+ # sbd local policy
+ #
+-allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_admin};
++allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_ptrace sys_admin};
+ allow sbd_t self:process { fork setsched signal_perms };
+ allow sbd_t self:fifo_file rw_fifo_file_perms;
+ allow sbd_t self:unix_stream_socket create_stream_socket_perms;

backport-Allow-system_mail-t-read-network-sysctls.patch

@@ -0,0 +1,26 @@
+From 6ceec051905cb5f8a80122eb74682ac3b9dd2f22 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 23 Sep 2022 19:30:53 +0200
+Subject: [PATCH] Allow system_mail-t read network sysctls
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1663932465.372:588): avc:  denied  { read } for  pid=122144 comm="sendmail" name="disable_ipv6" dev="proc" ino=2645630 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2129326
+---
+ policy/modules/contrib/mta.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
+index 36c3641806..72bfa1c98a 100644
+--- a/policy/modules/contrib/mta.te
++++ b/policy/modules/contrib/mta.te
+@@ -188,7 +188,7 @@ allow system_mail_t mail_home_t:file manage_file_perms;
+ 
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+ 
+-kernel_search_network_sysctl(system_mail_t)
++kernel_read_net_sysctls(system_mail_t)
+ 
+ corecmd_exec_shell(system_mail_t)
+ 

backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch

@@ -0,0 +1,36 @@
+From c19e4cb9a3f23f2b14c31c978627f9c486a369f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 31 Aug 2022 18:20:03 +0200
+Subject: [PATCH] Allow systemd permissions needed for sandboxed services
+
+The permissions to mounton self and get mail spool files attributes
+were added for init_t. Example service requiring them is accounts-daemon
+from the accountsservice package which since v22 has more tightened
+sandboxing, including mounting into private namespaces and listing
+accessible paths.
+
+Resolves: rhbz#2122059
+---
+ policy/modules/system/init.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 06be25304a..4311dbc359 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -187,6 +187,7 @@ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ # setuid (from /sbin/shutdown)
+ # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+ 
++allow init_t self:file mounton;
+ allow init_t self:fifo_file rw_fifo_file_perms;
+ 
+ allow init_t self:service manage_service_perms;
+@@ -544,6 +545,7 @@ optional_policy(`
+ optional_policy(`
+ 	postfix_exec(init_t)
+ 	postfix_list_spool(init_t)
++	mta_getattr_spool(init_t)
+ 	mta_read_config(init_t)
+ 	mta_manage_aliases(init_t)
+ ')

backport-Allow-tor-get-filesystem-attributes.patch

@@ -0,0 +1,32 @@
+From e485345b572121f09778da9c146cf1bcd22ae0cf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 12 Sep 2022 17:26:03 +0200
+Subject: [PATCH] Allow tor get filesystem attributes
+
+In particular, attributes of cgroup filesystems and generic filesystems
+with extended attributes.
+
+Addresses the following AVC denials:
+
+type=AVC msg=audit(1633585335.809:601): avc:  denied  { getattr } for  pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
+type=AVC msg=audit(1633585335.809:602): avc:  denied  { getattr } for  pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2012006
+---
+ policy/modules/contrib/tor.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
+index 0dc670b885..ae36c255ca 100644
+--- a/policy/modules/contrib/tor.te
++++ b/policy/modules/contrib/tor.te
+@@ -124,6 +124,9 @@ domain_use_interactive_fds(tor_t)
+ 
+ files_read_etc_runtime_files(tor_t)
+ 
++fs_getattr_cgroup(tor_t)
++fs_getattr_xattr_fs(tor_t)
++
+ auth_use_nsswitch(tor_t)
+ 
+ logging_send_syslog_msg(tor_t)

backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch

@@ -0,0 +1,41 @@
+From 9cc99c46be86915aec6dd7a13c00dfb6117c5c12 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 Aug 2022 18:51:14 +0200
+Subject: [PATCH] Allow unconfined and sysadm users transition for /root/.gnupg
+
+---
+ policy/modules/roles/sysadm.te         | 5 +++++
+ policy/modules/roles/unconfineduser.te | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 529a5146d4..c40f1edb04 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -308,6 +308,11 @@ optional_policy(`
+ optional_policy(`
+        	gnome_filetrans_fontconfig_home_content(sysadm_t)
+ ')
++
++optional_policy(`
++	gpg_filetrans_admin_home_content(sysadm_t)
++')
++
+ optional_policy(`
+ 	hostname_run(sysadm_t, sysadm_r)
+ ')
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index e01e515ce3..6ab52d9032 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -152,6 +152,10 @@ optional_policy(`
+ 		devicekit_dbus_chat_power(unconfined_t)
+ 	')
+ 
++	optional_policy(`
++		gpg_filetrans_admin_home_content(unconfined_t)
++	')
++
+     optional_policy(`
+         kpatch_run(unconfined_t,unconfined_r)
+     ')

backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch

@@ -0,0 +1,29 @@
+From f5d181f909dc380ede72219ede558ed4052c143f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 10 Oct 2022 16:47:39 +0200
+Subject: [PATCH] Allow vlock search the contents of the /dev/pts directory
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(08/31/2022 09:28:27.751:867) : proctitle=vlock
+type=PATH msg=audit(08/31/2022 09:28:27.751:867) : item=0 name=/dev/pts/1 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/31/2022 09:28:27.751:867) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55b5ce6f0b60 a1=0x7ffdd6518320 a2=0x7ffdd6518320 a3=0x0 items=1 ppid=9040 pid=12550 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=17 comm=vlock exe=/usr/bin/vlock subj=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(08/31/2022 09:28:27.751:867) : avc:  denied  { search } for  pid=12550 comm=vlock name=/ dev="devpts" ino=1 scontext=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2122838
+---
+ policy/modules/contrib/vlock.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
+index de409cc610..418f2f7ab5 100644
+--- a/policy/modules/contrib/vlock.te
++++ b/policy/modules/contrib/vlock.te
+@@ -40,5 +40,7 @@ init_dontaudit_rw_utmp(vlock_t)
+ 
+ logging_send_syslog_msg(vlock_t)
+ 
++term_search_ptys(vlock_t)
++
+ userdom_dontaudit_search_user_home_dirs(vlock_t)
+ userdom_use_inherited_user_terminals(vlock_t)

backport-Stop-ignoring-standalone-interface-files.patch

@@ -0,0 +1,52 @@
+From 3a55e3a69bb33261abcd8104d93e0ee83d5da35a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 1 Sep 2021 10:06:44 +0200
+Subject: [PATCH] Stop ignoring standalone interface files
+
+Interface files without corresponding .te where ignored, unless the
+module name was specified in modules.conf.
+
+Standalone interface files are useful for backwards compatibility in
+case a policy module removed from this repository.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ Makefile      | 4 ++++
+ Rules.modular | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index a9dfef1bc1..4a08bba6fa 100644
+--- a/Makefile
++++ b/Makefile
+@@ -264,6 +264,7 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
+ # sort here since it removes duplicates, which can happen
+ # when a generated file is already generated
+ detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
++detected_ifs := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if)) $(generated_if))
+ 
+ modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+ layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+@@ -307,6 +308,9 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ # add modules not in modules.conf to the off list
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
++# all interface files without corresponding .te - backwards compatibility
++standalone_ifs := $(filter-out $(subst .te,.if, $(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))
++
+ # filesystems to be used in labeling targets
+ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+diff --git a/Rules.modular b/Rules.modular
+index ad65733e10..258c8b6560 100644
+--- a/Rules.modular
++++ b/Rules.modular
+@@ -4,7 +4,7 @@
+ #
+ 
+ all_modules := $(base_mods) $(mod_mods) $(off_mods)
+-all_interfaces := $(all_modules:.te=.if)
++all_interfaces := $(all_modules:.te=.if) $(standalone_ifs)
+ 
+ base_pkg := $(builddir)base.pp
+ base_fc := $(builddir)base.fc

backport-Update-tor_bind_all_unreserved_ports-interface.patch

@@ -0,0 +1,34 @@
+From 5ba29432782295ceaeb0085d0fe9123d7736b0f1 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 22 Aug 2022 15:43:13 +0200
+Subject: [PATCH] Update tor_bind_all_unreserved_ports interface
+
+When enabled boolean tor_bind_all_unreserved_ports,
+allow tor bind UDP sockets to all ports > 1024.
+
+Fix: bz#2089486
+---
+ policy/modules/contrib/tor.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
+index 4b0554c374..0dc670b885 100644
+--- a/policy/modules/contrib/tor.te
++++ b/policy/modules/contrib/tor.te
+@@ -8,7 +8,7 @@ policy_module(tor, 1.9.0)
+ ## <desc>
+ ##	<p>
+ ##	Determine whether tor can bind
+-##	tcp sockets to all unreserved ports.
++##	tcp and udp sockets to all unreserved ports.
+ ##	</p>
+ ## </desc>
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+@@ -131,6 +131,7 @@ logging_send_syslog_msg(tor_t)
+ tunable_policy(`tor_bind_all_unreserved_ports',`
+ 	corenet_sendrecv_all_server_packets(tor_t)
+ 	corenet_tcp_bind_all_unreserved_ports(tor_t)
++	corenet_udp_bind_all_unreserved_ports(tor_t)
+ ')
+ 
+ tunable_policy(`tor_can_network_relay',`

backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch

@@ -0,0 +1,28 @@
+From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001
+From: Milos Malik <mmalik@redhat.com>
+Date: Wed, 7 Sep 2022 10:53:07 +0200
+Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe
+
+At least one of the ABRT addons calls `pidof abrtd` which leads to
+{ sys_ptrace } SELinux denials in cap_userns class.
+
+In order to support the full functionality of ABRT and its addons,
+I believe that SELinux policy should allow this access.
+
+Resolves: BZ#2071586
+---
+ policy/modules/contrib/abrt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index 02a12dfab1..16db11a3c3 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -115,6 +115,7 @@ ifdef(`enable_mcs',`
+ #
+ 
+ allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:cap_userns sys_ptrace;
+ dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
+ allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+ 

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 19
+Release: 20
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -203,6 +203,34 @@ Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-mess
 Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
 Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
 Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
+Patch6137: backport-Allow-gpg-read-and-write-generic-pty-type.patch
+Patch6138: backport-Add-userdom_view_all_users_keys-interface.patch
+Patch6139: backport-Add-gpg_filetrans_admin_home_content-interface.patch
+Patch6140: backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
+Patch6141: backport-Update-tor_bind_all_unreserved_ports-interface.patch
+Patch6142: backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
+Patch6143: backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
+Patch6144: backport-Allow-tor-get-filesystem-attributes.patch
+Patch6145: backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
+Patch6146: backport-Allow-system_mail-t-read-network-sysctls.patch
+Patch6147: backport-Stop-ignoring-standalone-interface-files.patch
+Patch6148: backport-Allow-sbd-the-sys_ptrace-capability.patch
+Patch6149: backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
+Patch6150: backport-Allow-pulseaudio-create-gnome-content-.config.patch
+Patch6151: backport-Allow-ftpd-map-ftpd_var_run-files.patch
+Patch6152: backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
+Patch6153: backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
+Patch6154: backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
+Patch6155: backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
+Patch6156: backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
+Patch6157: backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
+Patch6158: backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
+Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
+Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
+Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
+Patch6162: backport-Add-watch-interfaces.patch
+Patch6163: backport-Add-watch_sb-interfaces.patch
+Patch6164: backport-Add-interface-to-watch-all-filesystems.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -879,6 +907,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Jul 28 2023 huangzq6 <huangzhenqiang2@huawei.com> - 35.5-20
+- backport some selinux-policy upstream patches
+
 * Fri Jun 30 2023 zcfsite <zhchf2010@126.com> - 35.5-19
 - backport upstream patches