selinux-policy/fix_kernel.patch

Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
@@ -393,6 +393,13 @@ ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+# this is a temporary fix. This permission doesn't make a lot of sense, but
+# without a kernel change there's not much we can do about it. I don't want to
+# audit it due to the unknown impact (happens e.g. during firewall changes)
+optional_policy(`
+    modutils_execute_kmod_tmpfs_files(kernel_t)
+')
+
 optional_policy(`
     abrt_filetrans_named_content(kernel_t)
     abrt_dump_oops_domtrans(kernel_t)
@@ -418,6 +425,7 @@ optional_policy(`
 	init_dbus_chat(kernel_t)
 	init_sigchld(kernel_t)
 	init_dyntrans(kernel_t)
+	init_read_state(kernel_t)
 ')
 
 optional_policy(`
@@ -519,6 +527,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_read_xdm_state(kernel_t)
 	xserver_xdm_manage_spool(kernel_t)
 	xserver_filetrans_home_content(kernel_t)
 ')
Index: fedora-policy-20230206/policy/modules/system/modutils.if
===================================================================
--- fedora-policy-20230206.orig/policy/modules/system/modutils.if
+++ fedora-policy-20230206/policy/modules/system/modutils.if
@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs
 
     dontaudit $1 kmod_tmpfs_t:file { getattr };
 ')
+
+#######################################
+## <summary>
+## Execute accesses to tmp file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_execute_kmod_tmpfs_files',`
+    gen_require(`
+        type kmod_tmpfs_t;
+    ')
+
+    allow $1 kmod_tmpfs_t:file { execute execute_no_trans };
+')