diff --git a/sources b/sources
index d0fbd61..ccb9db7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (systemd-hs-252.4.tar.gz) = 81d249262de886492582ee0c2c5ea68e0b5a7ce9c047ccbdd0bb0b028090c9ba9d31e0297d4f550192ffdde88e8f0664752f8e149c86d323a7aa0b3a5ac97c83
-SHA512 (systemd-hs+fb-252.4.tar.gz) = 658eedf146dbcf5e0866145c4524252ff49eb89e98c2f93ad4c5181f10f7ebb8e65f7d4e9a238267f878c3d59baa45c733e965babbcd614a29e6f6818a1343cb
+SHA512 (systemd-hs-252.4.tar.gz) = 2200da8d76c1940545d4184389e104b878d7538a320748235e12ecfaca293d7075ba0bd432589eff059740e30066f14ac05757e6a309992cee1978ad3dbba0d2
+SHA512 (systemd-hs+fb-252.4.tar.gz) = ae5462c7263e94b30d4552df6c8e1c5371ce86eda2e8dd78e1a5ec80938d5cd9f79b7611e34487748296958af51a6e7f69042f5f6adff3c75b4b41b1b3b6ec86
diff --git a/systemd.spec b/systemd.spec
index ddff14b..9c22a48 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -4,9 +4,9 @@
 %global stable 1
 
 %if 0%{?facebook}
-%global hs_commit 6f34e02bc885d5bf248eac0914e4605380ef82c9
+%global hs_commit 5a240fdebea1f6b24cb9b15cd1e5c19c851ce1fa
 %else
-%global hs_commit ab2623c42b43d997d5ccd1d3f1f7a224b09245d8
+%global hs_commit ebdc7d8d718bc0aa48f18a2517ed209271a319b1
 %endif
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -43,7 +43,7 @@ Name:           systemd
 Url:            https://pagure.io/centos-sig-hyperscale/systemd
 %if %{without inplace}
 Version:        252.4
-Release:        598.6%{?dist}
+Release:        598.7%{?dist}
 %else
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -85,6 +85,7 @@ Source24:       sysusers.generate-pre.sh
 Source100:      Makefile.selinux
 Source101:      systemd_hs.te
 Source102:      systemd_hs.if
+Source103:      systemd_hs.fc
 
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -527,7 +528,7 @@ runs properly under an environment with SELinux enabled.
 
 %if %{with selinux}
 mkdir selinux
-cp %SOURCE100 %SOURCE101 %SOURCE102 selinux
+cp %SOURCE100 %SOURCE101 %SOURCE102 %SOURCE103 selinux
 %endif
 
 %build
@@ -1155,6 +1156,10 @@ fi
 
 %changelog
 
+* Wed Jan 04 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 252.4-598.7
+- Backport udev rules fix
+- Fix selinux module
+
 * Wed Jan 04 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 252.4-598.6
 - Bump release for 252.4
 - Sync from rawhide
diff --git a/systemd_hs.fc b/systemd_hs.fc
new file mode 100644
index 0000000..a76845b
--- /dev/null
+++ b/systemd_hs.fc
@@ -0,0 +1,2 @@
+/usr/lib/systemd/libsystemd-core-.+\.so.* --        system_u:object_r:lib_t:s0
+/usr/lib/systemd/libsystemd-shared-.+\.so.* --      system_u:object_r:lib_t:s0
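Review bot: Both patterns are looser than the two library files they are meant to label, because in a file-contexts regex `.` also matches `/` and the trailing `\.so.*` accepts any suffix. As written, a regular file in a subdirectory whose name starts with `libsystemd-core-`, or a name such as `libsystemd-core-x.sold`, would also be labelled `lib_t`. Tightening to `/usr/lib/systemd/libsystemd-core-[^/]+\.so(\.[^/]*)?` (and the same for `-shared-`) keeps the match to the intended files. The contexts are also written raw with `:s0`; `gen_context(system_u:object_r:lib_t,s0)` is the usual form in .fc sources and stays valid if the module is ever built against a policy without MLS/MCS.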
diff --git a/systemd_hs.te b/systemd_hs.te
index ce80487..98347d9 100644
--- a/systemd_hs.te
+++ b/systemd_hs.te
@@ -2,67 +2,56 @@ policy_module(systemd_hs,0.0.1)
 
 # systemd overrides for 247
 gen_require(`
-	type avahi_t;
-	type cgroup_t;
 	type init_t;
 	type init_var_run_t;
-	type initrc_t;
-	class dbus send_msg;
-	type install_t;
 	type kmsg_device_t;
-	type policykit_auth_t;
-	type policykit_t;
 	type proc_kmsg_t;
-	type rpm_t;
-	type system_dbusd_t;
-	type system_dbusd_var_run_t;
+	type proc_security_t;
 	type systemd_hostnamed_t;
 	type systemd_localed_t;
 	type systemd_logind_t;
-	type systemd_machined_t;
 	type systemd_resolved_t;
 	type systemd_tmpfiles_t;
+	type systemd_hwdb_t;
+	type systemd_sysctl_t;
 	type security_t;
-	type sssd_t;
+	type tpm_device_t;
+	type ramfs_t;
+	type shadow_t;
 	type syslogd_t;
-	type udev_var_run_t;
 	type user_tmp_t;
-	type useradd_t;
-	type xdm_t;
+	type systemd_machined_t;
+	type system_dbusd_var_run_t;
+	type systemd_networkd_t;
 ')
 
-allow avahi_t init_var_run_t:dir read;
+#============= init_t ==============
 allow init_t kmsg_device_t:chr_file mounton;
 allow init_t proc_kmsg_t:file { getattr mounton };
-allow init_t system_dbusd_var_run_t:sock_file read;
-allow init_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_auth_t init_var_run_t:dir read;
-allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_t systemd_machined_t:unix_stream_socket connectto;
-allow sssd_t cgroup_t:filesystem getattr;
-allow syslogd_t user_tmp_t:lnk_file read;
-allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_hostnamed_t init_var_run_t:dir write;
-allow systemd_hostnamed_t init_var_run_t:file { getattr ioctl open read };
-allow systemd_hostnamed_t initrc_t:dbus send_msg;
-allow systemd_hostnamed_t install_t:dbus send_msg;
-allow systemd_hostnamed_t udev_var_run_t:file getattr;
-allow systemd_hostnamed_t udev_var_run_t:file open;
-allow systemd_hostnamed_t udev_var_run_t:file read;
-allow systemd_logind_t self:netlink_selinux_socket bind;
-allow systemd_logind_t self:netlink_selinux_socket create;
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_logind_t user_tmp_t:chr_file unlink;
-allow systemd_machined_t init_var_run_t:sock_file create;
-allow sssd_t cgroup_t:dir search;
-allow sssd_t cgroup_t:filesystem getattr;
-allow useradd_t init_var_run_t:dir read;
-allow xdm_t systemd_machined_t:unix_stream_socket connectto;
+allow init_t ramfs_t:file manage_file_perms;
+allow init_t tpm_device_t:chr_file { read write open };
+allow init_t shadow_t:file { read open };
+
+#============= systemd_hwdb_t ==============
+allow systemd_hwdb_t security_t:file { read open };
+allow systemd_hwdb_t self:netlink_selinux_socket { create bind };
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t proc_security_t:file read;
+
+#============= syslogd_t ==============
+allow syslogd_t user_tmp_t:dir search;
+
+#============= systemd_machined_t ==============
+allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;
 
 selinux_use_status_page(init_t)
-selinux_use_status_page(rpm_t)
 selinux_use_status_page(systemd_hostnamed_t)
 selinux_use_status_page(systemd_localed_t)
 selinux_use_status_page(systemd_logind_t)
 selinux_use_status_page(systemd_resolved_t)
 selinux_use_status_page(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_hwdb_t)
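Review bot: The new `allow init_t shadow_t:file { read open };` gives every process running in `init_t` read access to the password-hash file, and neither the hunk nor the changelog entry ("Fix selinux module") says which denial it answers. Reference policy guards `shadow_t` with a neverallow keyed on the `can_read_shadow_passwords` attribute, so a raw allow rule either bypasses that guard or fails where module neverallow checks are enabled. If the access is really needed, `auth_read_shadow(init_t)` expresses it through the intended interface. The `tpm_device_t` and `ramfs_t` rules deserve the same treatment to a lesser degree: a one-line comment above each, naming the systemd feature and the AVC it resolves, would let a later reviewer drop them once the base policy covers them. The context comment `# systemd overrides for 247` is also stale for a 252.4 build.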