File combined.patch of Package selinux-policy

commit 528c38c08b013a9b5ca974ad07bcd6a16f7799cd
Author: Robert Frohl <rfrohl@suse.com>
Date:   Tue Nov 4 11:36:05 2025 +0100

    update support for polkit agent helper
    
    init_nnp_daemon_domain(policykit_auth_t):
    type=AVC msg=audit(..): avc:  denied  { nnp_transition } for  pid=1850 comm="(helper-1)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process2 permissive=0
    
    auth_nnp_domtrans_chkpwd():
    type=AVC msg=audit(..): avc:  denied  { nnp_transition } for  pid=2353 comm="polkit-agent-he" scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process2 permissive=0
    
    label socket also policykit_var_run_t:
    /run/polkit/agent-helper.socket

diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 44b167af4..a05ae8ca3 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -20,3 +20,4 @@
 /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
 /run/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
+/run/polkit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
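Review bot: The added `/run/polkit(/.*)?` entry covers the whole directory tree, while the commit message only names `/run/polkit/agent-helper.socket`, so any other file created under that path also gets `policykit_var_run_t`. A file-context entry only takes effect on relabel or when the creating process looks up the context itself. If the socket or its parent directory can be created by something that does not do that lookup, the label will be inherited from `/run`, and a named type transition (for example through `files_pid_filetrans`) would be needed as well. Nothing in this hunk shows which process creates the path, so this should be confirmed against the unit that owns the socket.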
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 26844e407..33312e982 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -15,6 +15,7 @@ init_nnp_daemon_domain(policykit_t)
 type policykit_auth_t, policykit_domain;
 type policykit_auth_exec_t;
 init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+init_nnp_daemon_domain(policykit_auth_t)
 
 type policykit_grant_t, policykit_domain;
 type policykit_grant_exec_t;
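Review bot: The added `init_nnp_daemon_domain(policykit_auth_t)` has no comment explaining why this domain needs an exemption from NoNewPrivileges, and the same applies to `auth_nnp_domtrans_chkpwd(policykit_auth_t)` in the later policykit.te hunk. `nnp_transition` lets a transition proceed to a type that is not bounded by the source, so each grant deserves a stated reason. Going by the AVC in the commit message, a comment such as `# agent helper is spawned by init_t with NoNewPrivileges set; permit init_t -> policykit_auth_t under NNP` would fit here. A matching line above the chkpwd call should note that it must stay paired with `auth_domtrans_chk_passwd`.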
@@ -209,6 +210,7 @@ fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
 auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
+auth_nnp_domtrans_chkpwd(policykit_auth_t)
 
 logging_send_syslog_msg(policykit_auth_t)
 
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index de62df4df..d195a78fd 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -488,6 +488,23 @@ interface(`auth_domtrans_chkpwd',`
 	auth_domtrans_upd_passwd($1)
 ')
 
+########################################
+## <summary>
+##	Allow caller to transition to chkpwd_t with NoNewPrivileges
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`auth_nnp_domtrans_chkpwd',`
+	gen_require(`
+		type chkpwd_t;
+	')
+	allow $1 chkpwd_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##  Execute chkpwd in the caller domain.
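Review bot: The name and summary of `auth_nnp_domtrans_chkpwd` read as if the interface performs a domain transition, but its body only grants `process2 nnp_transition` to `chkpwd_t`; a caller still needs `auth_domtrans_chkpwd` or `auth_domtrans_chk_passwd` for the transition itself. The summary should say so, for example `## Allow an existing transition to chkpwd_t to proceed under NoNewPrivileges (grants only process2 nnp_transition; use together with auth_domtrans_chkpwd).` The interface also omits `nosuid_transition`, which NNP-related interfaces often grant alongside `nnp_transition`. That looks fine as a least-privilege choice if the helper binary never runs from a nosuid mount, but the docs should record that it is deliberate.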