fix build error

backport-Fix-users-for-SELinux-userspace-3.4.patch

@@ -0,0 +1,146 @@
+From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 14 Apr 2022 12:07:40 +0200
+Subject: [PATCH] Fix users for SELinux userspace 3.4
+
+Latest yet to be released userspace version 3.4 added new validation and
+discovered several issues in current implementation. This patch tries to
+address them:
+
+- move guest and xguest module from contrib to roles - refpolicy did
+this change long time ago
+
+- roles guest_r and xguest_r need to be defined in kernel.te
+
+- gen_user() is supposed to be in policy/users, not in modules
+
+- drop role multiple definitions from userdom_base_user_template as it's
+and is supposed to be defined in kernel.te
+---
+ policy/modules/kernel/kernel.te             | 3 +++
+ policy/modules/{contrib => roles}/guest.fc  | 0
+ policy/modules/{contrib => roles}/guest.if  | 0
+ policy/modules/{contrib => roles}/guest.te  | 4 ++--
+ policy/modules/roles/unconfineduser.te      | 3 +--
+ policy/modules/{contrib => roles}/xguest.fc | 0
+ policy/modules/{contrib => roles}/xguest.if | 0
+ policy/modules/{contrib => roles}/xguest.te | 4 ++--
+ policy/modules/system/userdomain.if         | 3 +--
+ 9 files changed, 9 insertions(+), 8 deletions(-)
+ rename policy/modules/{contrib => roles}/guest.fc (100%)
+ rename policy/modules/{contrib => roles}/guest.if (100%)
+ rename policy/modules/{contrib => roles}/guest.te (82%)
+ rename policy/modules/{contrib => roles}/xguest.fc (100%)
+ rename policy/modules/{contrib => roles}/xguest.if (100%)
+ rename policy/modules/{contrib => roles}/xguest.te (98%)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index acbb2f74e6..73696bcb0a 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -39,6 +39,9 @@ role user_r;
+ # here until order dependence is fixed:
+ role unconfined_r;
+ 
++role guest_r;
++role xguest_r;
++
+ ifdef(`enable_mls',`
+ 	role secadm_r;
+ 	role auditadm_r;
+diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
+similarity index 100%
+rename from policy/modules/contrib/guest.fc
+rename to policy/modules/roles/guest.fc
+diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
+similarity index 100%
+rename from policy/modules/contrib/guest.if
+rename to policy/modules/roles/guest.if
+diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
+similarity index 82%
+rename from policy/modules/contrib/guest.te
+rename to policy/modules/roles/guest.te
+index 0605776333..2e9505d1cc 100644
+--- a/policy/modules/contrib/guest.te
++++ b/policy/modules/roles/guest.te
+@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
+ # Declarations
+ #
+ 
+-role guest_r;
++# role guest_r;
+ 
+ userdom_restricted_user_template(guest)
+ 
+@@ -20,4 +20,4 @@ optional_policy(`
+ 	apache_role(guest_r, guest_t)
+ ')
+ 
+-gen_user(guest_u, user, guest_r, s0, s0)
++# gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index 55bca1e31e..5596e6f0ee 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -399,5 +399,4 @@ optional_policy(`
+ 	xserver_xsession_entry_type(unconfined_t)
+ ')
+ 
+-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
++# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
+similarity index 100%
+rename from policy/modules/contrib/xguest.fc
+rename to policy/modules/roles/xguest.fc
+diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
+similarity index 100%
+rename from policy/modules/contrib/xguest.if
+rename to policy/modules/roles/xguest.if
+diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
+similarity index 98%
+rename from policy/modules/contrib/xguest.te
+rename to policy/modules/roles/xguest.te
+index 8d3ef540a7..e19bf40fc5 100644
+--- a/policy/modules/contrib/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
+ ## </desc>
+ gen_tunable(xguest_use_bluetooth, true)
+ 
+-role xguest_r;
++# role xguest_r;
+ 
+ userdom_restricted_xwindows_user_template(xguest)
+ sysnet_dns_name_resolve(xguest_t)
+@@ -203,4 +203,4 @@ optional_policy(`
+ 	role xguest_r types mozilla_t;
+ ')
+ 
+-gen_user(xguest_u, user, xguest_r, s0, s0)
++# gen_user(xguest_u, user, xguest_r, s0, s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b16984dd82..d5be647e85 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
+ 		attribute userdomain;
+ 		type user_devpts_t, user_tty_device_t;
+ 		class context contains;
++		role $1_r;
+ 	')
+ 
+ 	attribute $1_file_type;
+@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
+ 
+ 	type $1_t, userdomain, $1_usertype;
+ 	domain_type($1_t)
+-	role $1_r;
+ 	corecmd_shell_entry_type($1_t)
+ 	corecmd_bin_entry_type($1_t)
+ 	domain_user_exemption_target($1_t)
+ 	ubac_constrained($1_t)
+-	role $1_r;
+ 	role $1_r types $1_t;
+ 	allow system_r $1_r;
+ 

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 21
+Release: 22
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -275,6 +275,7 @@ Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
 Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
 Patch6207: backport-Allow-exim-read-network-sysctls.patch
 Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
+Patch6209: backport-Fix-users-for-SELinux-userspace-3.4.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -951,6 +952,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Mar 25 2024 gengqihu <gengqihu2@h-partners.com> - 35.5-22
+- fix semodule_package fail
+
 * Thu Aug 24 2023 wangqingsan <wangqingsan@huawei.com> - 35.5-21
 - backport upstream patches
 

users-minimum

@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-mls

@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)

users-targeted

@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)