From 4ecde064034f17478d0bb9cc60cf7ec1a8b272c5 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Tue, 16 Mar 2021 12:04:51 +0100
Subject: [PATCH] Allow Apache web server to access TPM

---
 add-rw-perms-tpm-apache.patch | 12 ++++++++++++
 selinux-policy.spec | 6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 add-rw-perms-tpm-apache.patch

diff --git a/add-rw-perms-tpm-apache.patch b/add-rw-perms-tpm-apache.patch
new file mode 100644
index 0000000..f425fb8
--- /dev/null
+++ b/add-rw-perms-tpm-apache.patch
@@ -0,0 +1,12 @@
+diff -uprN selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c.orig/policy/modules/contrib/apache.te selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/policy/modules/contrib/apache.te
+--- selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c.orig/policy/modules/contrib/apache.te 2021-03-11 17:07:01.195611439 +0100
++++ selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/policy/modules/contrib/apache.te 2021-03-12 09:03:47.199430000 +0100
+@@ -521,6 +521,8 @@ allow httpd_t httpd_keytab_t:file read_f
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
++dev_rw_tpm(httpd_t) ++ allow httpd_t httpd_log_t:dir setattr;
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 751410f..07a585e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 68
+Release: 69
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
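Review bot: The added `dev_rw_tpm(httpd_t)` hands the network-facing httpd_t domain read/write access to the TPM device node, and, as far as the hunk shows, unconditionally — the neighbouring lines are plain allow rules and macro calls, not a tunable or optional block — so every host running this policy gets the wider surface whether or not its web server has any TPM use. Making it opt-in would keep the default posture: declare a new `gen_tunable` boolean defaulting to false in the module's tunables section and wrap the `dev_rw_tpm(httpd_t)` call in a `tunable_policy` block gated on it, so a site enables it only when its httpd deployment actually drives the TPM. The rule also deserves a comment above it stating which httpd component issues TPM commands, since neither the new patch file (it has no description header) nor the spec's changelog line "add add-rw-perms-tpm-apache.patch" records the requirement. The enclosing httpd_t policy block starts and ends outside the hunk.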
@@ -75,6 +75,7 @@ Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch
 Patch23: backport-selinux-tweak-selinux_get_enforce_mode-to-allow-stat.patch
 Patch24: backport-Allow-resolved-to-created-varlink-sockets-and-the-do.patch
 Patch25: backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
+Patch26: add-rw-perms-tpm-apache.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -740,6 +741,9 @@ exit 0
 %endif
 %changelog
+* Tue Mar 16 2021 Roberto Sassu - 3.14.2-69
+- add add-rw-perms-tpm-apache.patch
+
 * Sat Mar 13 2021 luhuaxin <1539327763@qq.com> - 3.14.2-68
 - add patches for system_resolved
-- 
Gitee