From a0fdc727a693e44d162c2e7572e733a1547adbc0 Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Wed, 26 Feb 2025 11:35:16 +0800
Subject: [PATCH] Allow init_t nnp domain transition to rngd_t (cherry picked from commit 398713ebb29b13d368f3d1558351a0ccebd74447)
---
 ...it_t-nnp-domain-transition-to-rngd_t.patch | 28 +++++++++++++++++++
 selinux-policy.spec | 6 +++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 Allow-init_t-nnp-domain-transition-to-rngd_t.patch

diff --git a/Allow-init_t-nnp-domain-transition-to-rngd_t.patch b/Allow-init_t-nnp-domain-transition-to-rngd_t.patch
new file mode 100644
index 0000000..6da6236
--- /dev/null
+++ b/Allow-init_t-nnp-domain-transition-to-rngd_t.patch
@@ -0,0 +1,28 @@
+From 0e0d86f6800e8e939bfd55e97c1824ab5e82c584 Mon Sep 17 00:00:00 2001
+From: yixiangzhike
+Date: Wed, 26 Feb 2025 11:19:57 +0800
+Subject: [PATCH] Allow init_t nnp domain transition to rngd_t
+
+The permission is required when rngd.service contains
+systemd option "NoNewPrivileges=true".
+
+Resolves: https://gitee.com/src-openeuler/rng-tools/issues/IBOPVZ
+---
+ policy/modules/contrib/rngd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
+index ca8c996..89f47db 100644
+--- a/policy/modules/contrib/rngd.te
++++ b/policy/modules/contrib/rngd.te
+@@ -15,6 +15,7 @@ gen_tunable(rngd_execmem, false)
+ type rngd_t;
+ type rngd_exec_t;
+ init_daemon_domain(rngd_t, rngd_exec_t)
++init_nnp_daemon_domain(rngd_t)
+ 
+ type rngd_initrc_exec_t;
+ init_script_file(rngd_initrc_exec_t)
+-- 
+2.33.0
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8ffdae8..e2f900c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.7
-Release: 6
+Release: 7
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
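Review bot: The new `init_nnp_daemon_domain(rngd_t)` line in the rngd.te hunk carries no comment, so the reason recorded in the embedded commit body (rngd.service sets `NoNewPrivileges=true`) is lost once the patch is applied to the policy tree; a one-line note above it, `# rngd.service runs with NoNewPrivileges=true; let init_t nnp-transition into rngd_t`, keeps the rationale next to the rule. In Fedora's init.if this interface appears to grant init_t both `nnp_transition` and `nosuid_transition` on the target domain, which is somewhat wider than the nnp case the commit message describes — worth confirming against this tree's definition and mentioning in the comment if so. The commit body also quotes no observed AVC denial; recording the denial that motivated the grant would make the rule easier to audit later.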
@@ -65,6 +65,7 @@ Patch9: add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
 Patch11: backport-Add-support-for-secretmem-anon-inode.patch
 Patch12: add-avc-for-haveged.patch
+Patch13: Allow-init_t-nnp-domain-transition-to-rngd_t.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -745,6 +746,9 @@ exit 0
 %endif
 %changelog
+* Wed Feb 26 2025 yixiangzhike - 40.7-7
+- Allow init_t nnp domain transition to rngd_t
+
 * Tue Feb 25 2025 Linux_zhang - 40.7-6
 - add avc for haveged
-- 
Gitee