From 80eb53d3a14d212f04ae6252a32d4551d4893802 Mon Sep 17 00:00:00 2001
From: tigro
Date: Tue, 19 Nov 2024 21:08:50 +0300
Subject: [PATCH] Added policy fprintd_t for focal fingerprint
---
SOURCES/selinux-policy-focal-moh-spi.patch | 44 ++++++++++++++++++++++
SPECS/selinux-policy.spec | 10 ++++-
2 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/selinux-policy-focal-moh-spi.patch
diff --git a/SOURCES/selinux-policy-focal-moh-spi.patch b/SOURCES/selinux-policy-focal-moh-spi.patch
new file mode 100644
index 0000000..d07b13a
--- /dev/null
+++ b/SOURCES/selinux-policy-focal-moh-spi.patch
@@ -0,0 +1,44 @@
+--- selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.if.orig 2024-11-18 22:57:25.780148480 +0300
++++ selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.if 2024-11-18 22:52:43.561598444 +0300
+@@ -6806,6 +6806,7 @@
+ type smartcard_device_t;
+ type mtrr_device_t;
+ type ecryptfs_device_t;
++ type fprintd_device_t;
+ type mptctl_device_t;
+ type hypervkvp_device_t;
+ type hypervvssd_device_t;
+@@ -6988,6 +6989,7 @@
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
++ filetrans_pattern($1, device_t, fprintd_device_t, chr_file, "focal_moh_spi")
+ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
+
+--- selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.fc.orig 2024-11-18 23:04:01.420517717 +0300
++++ selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.fc 2024-11-18 23:04:54.842432548 +0300
+@@ -39,6 +39,7 @@
+ /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
+ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
++/dev/focal_moh_spi -c gen_context(system_u:object_r:fprintd_device_t,s0)
+ /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+--- selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.te.orig 2024-11-18 23:31:22.140887322 +0300
++++ selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/kernel/devices.te 2024-11-18 23:33:28.487683696 +0300
+@@ -132,6 +132,12 @@
+ dev_node(framebuf_device_t)
+
+ #
++# Type for fpr /dev/focal_moh_spi
++#
++type fprintd_device_t;
++dev_node(fprintd_device_t)
++
++#
+ # Type for hyperv devices
+ #
+ type hypervkvp_device_t;
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 99b62f4..4a1c065 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -24,7 +24,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 38.1.44 -Release: 1%{?dist} +Release: 1%{?dist}.inferit License: GPLv2+ Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: modules-targeted-base.conf
@@ -64,6 +64,10 @@ Source36: selinux-check-proper-disable.service # Provide rpm macros for packages installing SELinux modules Source102: rpm.macros +# MSVSphere +# Added policy fprintd_t for facal fingerprint driver +Patch0: selinux-policy-focal-moh-spi.patch + Url: %{giturl} BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
@@ -404,6 +408,7 @@ end %prep %setup -n %{name}-%{commit} -q +%patch -P0 -p1 -b .focal tar -C policy/modules/contrib -xf %{SOURCE35} mkdir selinux_config
@@ -809,6 +814,9 @@ exit 0 %endif %changelog +* Tue Nov 19 2024 Arkady L. Shane - 38.1.44-1.inferit +- Added policy fprintd_t for focal fingerprint + * Mon Aug 12 2024 Zdenek Pytela - 38.1.44-1 - Allow coreos-installer-generator work with partitions Resolves: RHEL-38614
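Review bot: The embedded policy patch declares and labels `fprintd_device_t` (devices.te, devices.fc and the named transition in devices.if) but adds no interface or allow rule through which any domain can use the node. As far as this patch shows, a confined fprintd would be denied on `/dev/focal_moh_spi` once the new label takes effect, unless the grant is carried somewhere not visible here. A narrowly scoped read/write interface in devices.if, called only from the fprintd module, would keep access limited to that one domain instead of leaving it to a permissive domain or a broad local module. The comment `# Type for fpr /dev/focal_moh_spi` in devices.te would read better as `# Type for the Focal fingerprint reader /dev/focal_moh_spi`. The gen_require list and filetrans block touched in devices.if start and end outside the embedded hunks.

```selinux
########################################
## <summary>
##	Read and write the Focal fingerprint reader device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_fprintd_dev',`
	gen_require(`
		type device_t, fprintd_device_t;
	')

	rw_chr_files_pattern($1, device_t, fprintd_device_t)
')
```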
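Review bot: The comment added above `Patch0` in the `@@ -64,6 +64,10 @@` hunk, and the matching %changelog entry in the last hunk, say the patch adds policy for `fprintd_t`, but the patch only introduces the device type `fprintd_device_t` and its labeling. The comment also misspells "focal" as "facal". Someone auditing the package from the spec or changelog would look for a domain change that is not there. Suggested wording for the comment: `# Label /dev/focal_moh_spi as fprintd_device_t (Focal fingerprint driver)`.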