From 10eaf03a66b137ecc26a7e8e58c4b8140fdbca46 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Feb 17 2023 13:46:41 +0000
Subject: systemd 252.4-598.7 hyperscale release


---

diff --git a/sources b/sources
index d0fbd61..ccb9db7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (systemd-hs-252.4.tar.gz) = 81d249262de886492582ee0c2c5ea68e0b5a7ce9c047ccbdd0bb0b028090c9ba9d31e0297d4f550192ffdde88e8f0664752f8e149c86d323a7aa0b3a5ac97c83
-SHA512 (systemd-hs+fb-252.4.tar.gz) = 658eedf146dbcf5e0866145c4524252ff49eb89e98c2f93ad4c5181f10f7ebb8e65f7d4e9a238267f878c3d59baa45c733e965babbcd614a29e6f6818a1343cb
+SHA512 (systemd-hs-252.4.tar.gz) = 2200da8d76c1940545d4184389e104b878d7538a320748235e12ecfaca293d7075ba0bd432589eff059740e30066f14ac05757e6a309992cee1978ad3dbba0d2
+SHA512 (systemd-hs+fb-252.4.tar.gz) = ae5462c7263e94b30d4552df6c8e1c5371ce86eda2e8dd78e1a5ec80938d5cd9f79b7611e34487748296958af51a6e7f69042f5f6adff3c75b4b41b1b3b6ec86
diff --git a/systemd.spec b/systemd.spec
index ddff14b..9c22a48 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -4,9 +4,9 @@
 %global stable 1
 
 %if 0%{?facebook}
-%global hs_commit 6f34e02bc885d5bf248eac0914e4605380ef82c9
+%global hs_commit 5a240fdebea1f6b24cb9b15cd1e5c19c851ce1fa
 %else
-%global hs_commit ab2623c42b43d997d5ccd1d3f1f7a224b09245d8
+%global hs_commit ebdc7d8d718bc0aa48f18a2517ed209271a319b1
 %endif
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -43,7 +43,7 @@ Name:           systemd
 Url:            https://pagure.io/centos-sig-hyperscale/systemd
 %if %{without inplace}
 Version:        252.4
-Release:        598.6%{?dist}
+Release:        598.7%{?dist}
 %else
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -85,6 +85,7 @@ Source24:       sysusers.generate-pre.sh
 Source100:      Makefile.selinux
 Source101:      systemd_hs.te
 Source102:      systemd_hs.if
+Source103:      systemd_hs.fc
 
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -527,7 +528,7 @@ runs properly under an environment with SELinux enabled.
 
 %if %{with selinux}
 mkdir selinux
-cp %SOURCE100 %SOURCE101 %SOURCE102 selinux
+cp %SOURCE100 %SOURCE101 %SOURCE102 %SOURCE103 selinux
 %endif
 
 %build
@@ -1155,6 +1156,10 @@ fi
 
 %changelog
 
+* Wed Jan 04 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 252.4-598.7
+- Backport udev rules fix
+- Fix selinux module
+
 * Wed Jan 04 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 252.4-598.6
 - Bump release for 252.4
 - Sync from rawhide
diff --git a/systemd_hs.fc b/systemd_hs.fc
new file mode 100644
index 0000000..a76845b
--- /dev/null
+++ b/systemd_hs.fc
@@ -0,0 +1,2 @@
+/usr/lib/systemd/libsystemd-core-.+\.so.* --        system_u:object_r:lib_t:s0
+/usr/lib/systemd/libsystemd-shared-.+\.so.* --      system_u:object_r:lib_t:s0
diff --git a/systemd_hs.te b/systemd_hs.te
index ce80487..98347d9 100644
--- a/systemd_hs.te
+++ b/systemd_hs.te
@@ -2,67 +2,56 @@ policy_module(systemd_hs,0.0.1)
 
 # systemd overrides for 247
 gen_require(`
-	type avahi_t;
-	type cgroup_t;
 	type init_t;
 	type init_var_run_t;
-	type initrc_t;
-	class dbus send_msg;
-	type install_t;
 	type kmsg_device_t;
-	type policykit_auth_t;
-	type policykit_t;
 	type proc_kmsg_t;
-	type rpm_t;
-	type system_dbusd_t;
-	type system_dbusd_var_run_t;
+	type proc_security_t;
 	type systemd_hostnamed_t;
 	type systemd_localed_t;
 	type systemd_logind_t;
-	type systemd_machined_t;
 	type systemd_resolved_t;
 	type systemd_tmpfiles_t;
+	type systemd_hwdb_t;
+	type systemd_sysctl_t;
 	type security_t;
-	type sssd_t;
+	type tpm_device_t;
+	type ramfs_t;
+	type shadow_t;
 	type syslogd_t;
-	type udev_var_run_t;
 	type user_tmp_t;
-	type useradd_t;
-	type xdm_t;
+	type systemd_machined_t;
+	type system_dbusd_var_run_t;
+	type systemd_networkd_t;
 ')
 
-allow avahi_t init_var_run_t:dir read;
+#============= init_t ==============
 allow init_t kmsg_device_t:chr_file mounton;
 allow init_t proc_kmsg_t:file { getattr mounton };
-allow init_t system_dbusd_var_run_t:sock_file read;
-allow init_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_auth_t init_var_run_t:dir read;
-allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_t systemd_machined_t:unix_stream_socket connectto;
-allow sssd_t cgroup_t:filesystem getattr;
-allow syslogd_t user_tmp_t:lnk_file read;
-allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_hostnamed_t init_var_run_t:dir write;
-allow systemd_hostnamed_t init_var_run_t:file { getattr ioctl open read };
-allow systemd_hostnamed_t initrc_t:dbus send_msg;
-allow systemd_hostnamed_t install_t:dbus send_msg;
-allow systemd_hostnamed_t udev_var_run_t:file getattr;
-allow systemd_hostnamed_t udev_var_run_t:file open;
-allow systemd_hostnamed_t udev_var_run_t:file read;
-allow systemd_logind_t self:netlink_selinux_socket bind;
-allow systemd_logind_t self:netlink_selinux_socket create;
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_logind_t user_tmp_t:chr_file unlink;
-allow systemd_machined_t init_var_run_t:sock_file create;
-allow sssd_t cgroup_t:dir search;
-allow sssd_t cgroup_t:filesystem getattr;
-allow useradd_t init_var_run_t:dir read;
-allow xdm_t systemd_machined_t:unix_stream_socket connectto;
+allow init_t ramfs_t:file manage_file_perms;
+allow init_t tpm_device_t:chr_file { read write open };
+allow init_t shadow_t:file { read open };
+
+#============= systemd_hwdb_t ==============
+allow systemd_hwdb_t security_t:file { read open };
+allow systemd_hwdb_t self:netlink_selinux_socket { create bind };
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t proc_security_t:file read;
+
+#============= syslogd_t ==============
+allow syslogd_t user_tmp_t:dir search;
+
+#============= systemd_machined_t ==============
+allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;
 
 selinux_use_status_page(init_t)
-selinux_use_status_page(rpm_t)
 selinux_use_status_page(systemd_hostnamed_t)
 selinux_use_status_page(systemd_localed_t)
 selinux_use_status_page(systemd_logind_t)
 selinux_use_status_page(systemd_resolved_t)
 selinux_use_status_page(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_hwdb_t)