
[meta-selinux,scarthgap,1/2] refpolicy: fix build for refpolicy-minimum

Message ID 20250918020445.1175478-1-yi.zhao@windriver.com
State New

Commit Message

Yi Zhao Sept. 18, 2025, 2:04 a.m. UTC
Backport 2 patches to fix build for refpolicy-minimum when INIT_MANAGER
is set to sysvinit.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../refpolicy/0067-fixdep-dbus.patch          | 45 +++++++++++++++++++
 ...ding-when-dbus-module-is-not-enabled.patch | 42 +++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  2 +
 3 files changed, 89 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
new file mode 100644
index 0000000..9f5958a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
@@ -0,0 +1,45 @@ 
+From 684b47eddf512402db552601c33e2d0ad4eef578 Mon Sep 17 00:00:00 2001
+From: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
+Date: Fri, 17 Jan 2025 15:51:48 +0100
+Subject: [PATCH] fixdep dbus
+
+auth_use_pam_systemd requires dbus  :
+
+> /var/lib/selinux/targeted/tmp/modules/400/authlogin/cil:133 =
+> (typeattributeset cil_gen_require dbusd_system_bus_client)
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/684b47eddf512402db552601c33e2d0ad4eef578]
+
+Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/authlogin.te | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index a75a669b9..d9d1a1428 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -142,7 +142,6 @@ term_dontaudit_use_all_ptys(chkpwd_t)
+ 
+ auth_read_shadow_history(chkpwd_t)
+ auth_use_nsswitch(chkpwd_t)
+-auth_use_pam_systemd(chkpwd_t)
+ 
+ logging_send_audit_msgs(chkpwd_t)
+ logging_send_syslog_msg(chkpwd_t)
+@@ -160,6 +159,10 @@ ifdef(`distro_ubuntu',`
+ 	')
+ ')
+ 
++ifdef(`init_systemd',`
++	auth_use_pam_systemd(chkpwd_t)
++')
++
+ optional_policy(`
+ 	# apache leaks file descriptors
+ 	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+-- 
+2.34.1
+
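Review bot: The guard added around `auth_use_pam_systemd(chkpwd_t)` in the second authlogin.te hunk keys on init_systemd, while the patch description says the real dependency is the dbus module (the failing require is `dbusd_system_bus_client`). A systemd build whose module list omits dbus would presumably hit the same cil_gen_require failure, so it is worth confirming that refpolicy-minimum always includes dbus when INIT_MANAGER is systemd. If that is not guaranteed, nesting the call in an `optional_policy` block inside the ifdef would tie the grant to the module that is actually required. The patch description could also state that non-systemd builds deliberately lose this chkpwd_t access, so a later policy audit does not read it as a regression.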
diff --git a/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
new file mode 100644
index 0000000..8709932
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
@@ -0,0 +1,42 @@ 
+From 1d62379321c19e89268ac7854a8ff8dce280ed07 Mon Sep 17 00:00:00 2001
+From: Dave Sugar <dsugar100@gmail.com>
+Date: Thu, 15 May 2025 10:05:24 -0400
+Subject: [PATCH] fix building when dbus module is not enabled
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/1d62379321c19e89268ac7854a8ff8dce280ed07]
+
+Signed-off-by: Dave Sugar <dsugar100@gmail.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/selinuxutil.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 86a6e5503..cd0e8762f 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -99,7 +99,8 @@ role run_init_roles types run_init_t;
+ 
+ type selinux_dbus_t;
+ type selinux_dbus_exec_t;
+-dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++domain_type(selinux_dbus_t)
++domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t)
+ 
+ type semanage_t;
+ type semanage_exec_t;
+@@ -504,6 +505,10 @@ miscfiles_read_localization(selinux_dbus_t)
+ 
+ seutil_domtrans_semanage(selinux_dbus_t)
+ 
++optional_policy(`
++	dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++')
++
+ optional_policy(`
+ 	policykit_dbus_chat(selinux_dbus_t)
+ ')
+-- 
+2.34.1
+
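Review bot: The unconditional `domain_type(selinux_dbus_t)` and `domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t)` lines in the first selinuxutil.te hunk keep selinux_dbus_t a full domain even when the dbus module is absent. Rules shown as context in the second hunk, such as `seutil_domtrans_semanage(selinux_dbus_t)`, also stay unconditional. A dbus-less build therefore still ships this domain with whatever that interface grants, although nothing visible here transitions into it; it is presumably unreachable, but that is not evident from the policy text. The embedded patch has no description body, so I would add a comment above the two new lines, e.g. `# declared unconditionally so the policy builds without the dbus module; dbus integration is in the optional_policy block below`. If `dbus_system_domain` already declares the domain type and entry file itself, which should be confirmed against the dbus interface file, the comment should also note that the duplication on dbus-enabled builds is intentional.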
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 5cb44a8..d1a6214 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -82,6 +82,8 @@  SRC_URI += " \
         file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
         file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
         file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
+        file://0067-fixdep-dbus.patch \
+        file://0068-fix-building-when-dbus-module-is-not-enabled.patch \
         "
 
 S = "${WORKDIR}/refpolicy"