From ee355371e26c11d6dc2bc69f2c11f95850f62709 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Fri, 17 Jan 2020 18:18:35 +0800
Subject: [PATCH] enable selinux
---
 add-allowed-avc-for-systemd.patch | 62 +++++++++++++++++++++++++++++++
 selinux-policy.spec | 15 ++------
 2 files changed, 66 insertions(+), 11 deletions(-)
 create mode 100644 add-allowed-avc-for-systemd.patch
diff --git a/add-allowed-avc-for-systemd.patch b/add-allowed-avc-for-systemd.patch
new file mode 100644
index 0000000..172ed20
--- /dev/null
+++ b/add-allowed-avc-for-systemd.patch
@@ -0,0 +1,62 @@
+From 3ee8fe2590c37f451ad2ff2271b13daa128335d8 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Sat, 18 Jan 2020 12:03:36 +0800
+Subject: [PATCH] add allowed avc for systemd
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/kernel/kernel.if | 17 +++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ policy/modules/system/systemd.te | 2 ++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index cb9602c..be3f313 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -4108,3 +4108,20 @@ interface(`kernel_unlabeled_entry_type',`
+ allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
+ ')
++########################################
++##
++## add for systemd mounton
++##
++##
++##
++## The domain for sysctl_kernel_t.
++##
++##
++##
++interface(`kernel_file_mounton','
++ gen_require(`
++ type sysctl_kernel_t;
++ ')
++
++ allow $1 sysctl_kernel_t:file mounton;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index ffe5293..035720b 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -224,6 +224,7 @@ kernel_mounton_systemd_ProtectKernelTunables(init_t)
+ kernel_read_core_if(init_t)
+ kernel_mounton_core_if(init_t)
+ kernel_get_sysvipc_info(init_t)
++kernel_file_mounton(init_t)
+
+ # There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
+ kernel_dontaudit_request_load_module(init_t)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22ddccf..d6ce679 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1140,3 +1140,5 @@ optional_policy(`
+ optional_policy(`
+ gpg_exec(systemd_importd_t)
+ ')
++allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
++allow init_t systemd_logind_sessions_t:dir mounton;
+--
+1.8.3.1
+
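Review bot: The new `kernel_file_mounton` interface in kernel.if grants `allow $1 sysctl_kernel_t:file mounton;`, but its summary says "add for systemd mounton" and its parameter is described as "The domain for sysctl_kernel_t", which tells a reader neither what access is granted nor why; the adjacent `kernel_mounton_systemd_ProtectKernelTunables(init_t)` call in the init.te hunk suggests this is the same ProtectKernelTunables= bind-mount case, so the commit should name the AVC denial that was still observed and say why that existing interface was not extended instead of adding a second one. Rename it after the access, matching the `kernel_mounton_*` convention of the neighbouring interfaces (e.g. `kernel_mounton_sysctl_files`), with the summary `## Mount on kernel sysctl files (systemd ProtectKernelTunables=).` and the parameter summary `## Domain allowed access.`. The two rules appended to the end of systemd.te, `allow init_t systemd_logind_inhibit_var_run_t:dir mounton;` and `allow init_t systemd_logind_sessions_t:dir mounton;`, are raw rules on init_t placed after the last optional_policy block with no comment; refpolicy style is an interface in systemd.if called from init.te alongside the rest of init_t's rules, with a comment naming the unit whose sandboxing (presumably logind's) performs the mount. If the `'` after `kernel_file_mounton',` is not a rendering artefact, the interface body is opened with a straight quote rather than a backtick and m4 will not parse the definition.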
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 321f523..92f7506 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -58,6 +58,7 @@ Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
 Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
 Patch9007: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
 Patch9008: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
+Patch9009: add-allowed-avc-for-systemd.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -309,10 +310,6 @@ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
-/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
-mkdir %{buildroot}%{_usr}/share/selinux/devel/html
-mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
-mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE24} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
@@ -328,7 +325,7 @@ echo "
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
-SELINUX=permissive
+SELINUX=enforcing
 # SELINUXTYPE= can take one of these three values:
 # targeted - Targeted processes are protected,
 # minimum - Modification of targeted policy. Only selected processes are protected.
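Review bot: Fresh installs will now run enforcing from their very first boot because the generated /etc/selinux/config defaults to `SELINUX=enforcing`, so a filesystem that is not fully labelled (an image built with SELinux disabled, or one never relabelled) fails in ways the old permissive default merely logged; whether an already-present config survives an upgrade depends on the %post logic, which is outside this hunk and should be confirmed. Record the operational requirement next to the value, e.g. `# Default is enforcing: a filesystem must be labelled (touch /.autorelabel) before its first boot.`, so image builders know why a relabel step is mandatory. The allow rules added in the same commit exist to make this switch bootable, so the spec changelog should name the denials they resolve rather than only "enable selinux". The `echo "` command that writes the config file begins before and continues after this hunk.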
@@ -410,9 +407,6 @@ exit 0
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
-%dir %{_usr}/share/selinux/devel/html
-%{_usr}/share/selinux/devel/html/*html
-%{_usr}/share/selinux/devel/html/*css
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
@@ -429,7 +423,6 @@ Obsoletes: selinux-policy-doc < %{version}-%{release}
 SELinux policy documentation package
 %files help
-%{_mandir}/man*/*
 %{_mandir}/ru/*/*
 %doc %{_usr}/share/doc/%{name}
@@ -660,8 +653,8 @@ exit 0
 %endif
 %changelog
-* Wed Jan 15 2020 openEuler Buildteam - 3.14.2-46
-- clean code
+* Thu Jan 16 2020 openEuler Buildteam - 3.14.2-46
+- enable selinux; delete man
 * Fri Jan 10 2020 openEuler Buildteam - 3.14.2-45
 - update container-selinux.tgz
-- Gitee