From: Openkylin Developers <packaging@lists.openkylin.top>
Date: Tue, 16 Jun 2026 15:28:28 +0800
Subject: hacks

===================================================================
---
 Makefile                              |  1 +
 config/appconfig-mcs/default_contexts |  2 +-
 policy/modules/services/mta.if        | 19 +++++++++++++++++++
 policy/modules/system/fstools.te      |  5 +++++
 policy/modules/system/init.if         |  6 +++++-
 policy/modules/system/sysnetwork.te   |  5 +++++
 policy/modules/system/systemd.te      |  4 ++++
 policy/modules/system/userdomain.if   | 19 +++++++++++++++++++
 8 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 962bcaf..6f18d8e 100644
--- a/Makefile
+++ b/Makefile
@@ -244,6 +244,7 @@ M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_ca
 # differently on different distros
 ifeq ($(DISTRO),debian)
 	CTAGS := ctags-exuberant
+	M4PARAM += -D use_alsa
 endif
 
 ifeq ($(DISTRO),gentoo)
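Review bot: The added `M4PARAM += -D use_alsa` sits under a comment that only explains the ctags naming difference, so the reason Debian builds define `use_alsa` is undocumented. A one-line comment above it, e.g. `# Debian-only m4 conditional: policy under ifdef(`use_alsa') is built only here`, would record the intent. I am inferring from the name that it gates ALSA-related policy; adjust the wording to what the define actually enables.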
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index de0baa8..166a74f 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -2,7 +2,7 @@ system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 un
 system_r:init_t:s0		user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 
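Review bot: Moving `sysadm_r:sysadm_t:s0` ahead of `staff_r:staff_t:s0` on the `system_r:sshd_t:s0` line changes the default login context, because entry order in default_contexts is the preference order: a user authorized for both roles now lands in sysadm_t over ssh instead of staff_t, while the `local_login_t` and `xdm_t` lines still prefer staff_r. Defaulting remote logins to the more privileged domain is a policy decision that deserves a rationale in the commit message, which currently reads only "hacks". If the change is meant to apply to sshd only, state that; otherwise the local_login_t line should probably be aligned so the two login paths agree.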
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 01bca30..de292d5 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -1237,3 +1237,22 @@ interface(`mta_rw_user_mail_stream_sockets',`
 
 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
 ')
+
+# hack for exim postinst in Debian
+#######################################
+## <summary>
+##	Allow system_mail_t to run in a role
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_system_mail_role',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	role $1 types system_mail_t;
+')
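Review bot: The doc block for `mta_system_mail_role` declares `<param name="domain">`, but the interface's `$1` is a role (`role $1 types system_mail_t;`), so the generated documentation mislabels the argument; change it to `## <param name="role">` with a summary such as `Role allowed access.` (the existing text already fits). The `# hack for exim postinst in Debian` line sits above the `#######` doc header, outside the interface documentation, so the rationale is lost from the generated docs; moving it into the `<summary>` or a `<desc>` element keeps it attached to the interface.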
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 5c6c0a2..55bbf8b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -168,6 +168,11 @@ init_dontaudit_getattr_initctl(fsadm_t)
 init_read_state(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(fsadm_t)
+')
+
 logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
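Review bot: The comment says the access is for `/run/pm-utils/locks/pm-powersave.lock`, but `init_read_utmp(fsadm_t)` grants read on the whole init runtime file type, not just that lock, and `hide_broken_symptoms` is conventionally used to silence denials rather than to widen permissions. If fsadm_t does not actually need the file, `init_dontaudit_read_utmp(fsadm_t)` hides the symptom without adding access; if it does need it, the rule belongs outside the ifdef with a comment explaining why the lock file carries the init runtime label. The same block is added for ifconfig_t in policy/modules/system/sysnetwork.te and the same point applies there.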
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 70deb81..610be87 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -178,7 +178,11 @@ interface(`init_domain',`
 
 	role system_r types $1;
 
-	domtrans_pattern(init_t, $2, $1)
+	ifdef(`init_systemd', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
 
 	allow init_t $1:process rlimitinh;
 
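Review bot: Wrapping `domtrans_pattern(init_t, $2, $1)` in `ifdef(`init_systemd', ...)` removes the init_t to $1 transition from non-systemd builds, where `init_domain` previously granted it unconditionally; the two new socket `allow` rules look systemd-specific, but the domtrans does not. Keep `domtrans_pattern(init_t, $2, $1)` before the ifdef and leave only the two `allow` lines inside it, unless dropping the transition on sysvinit is intended, in which case a comment should say so. `init_domain` begins before this hunk.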
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index e62ba52..ff5fc2c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -359,6 +359,11 @@ files_dontaudit_read_root_files(ifconfig_t)
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(ifconfig_t)
+')
+
 logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c109b81..cdfc548 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -2298,3 +2298,7 @@ optional_policy(`
 optional_policy(`
 	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
 ')
+
+optional_policy(`
+	userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)
+')
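Review bot: `userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)` works around device nodes turning up in user_tmp_t, but nothing in systemd.te records what creates them, so the rule will be hard to retire later; a comment such as `# remove stray device nodes left in user tmp dirs (cause: TODO)` above the call would help. The new `optional_policy` block could also be merged with the preceding one, since both call userdom_ interfaces for the same domain.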
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 04a483f..14d33d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4845,6 +4845,25 @@ interface(`userdom_dontaudit_write_user_tmp_files',`
 	dontaudit $1 user_tmp_t:file write;
 ')
 
+########################################
+## <summary>
+##      Delete user_tmp_t device nodes (probably should not have been
+##	created in the first place)
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow deleting
+##      </summary>
+## </param>
+#
+interface(`userdom_unlink_user_tmp_devices',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:{ chr_file blk_file } unlink;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to use user ttys.
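Review bot: The new doc block mixes indentation: `##      Delete user_tmp_t device nodes`, `##      <summary>` and `##      Domain to allow deleting` use spaces while `##	created in the first place` and the rest of the file (e.g. `##	Do not audit attempts to use user ttys.`) use a tab; reindent with tabs to match. Separately, `unlink` on a `chr_file` or `blk_file` also requires `remove_name` on the containing user_tmp_t directory, which `userdom_unlink_user_tmp_devices` does not grant, so callers need that permission from elsewhere; either state this in the `<summary>` or add the directory permission if the interface is meant to be self-contained.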
