From 6105e14747d7dc510f259a81abe4456dfdeba186 Mon Sep 17 00:00:00 2001
From: Robert Frohl <rfrohl@suse.com>
Date: Wed, 5 Nov 2025 11:17:22 +0100
Subject: [PATCH 1/2] Add auth_nnp_domtrans_chkpwd()

---
 policy/modules/system/authlogin.if | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index de62df4df2..d195a78fd1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -488,6 +488,23 @@ interface(`auth_domtrans_chkpwd',`
 	auth_domtrans_upd_passwd($1)
 ')
 
+########################################
+## <summary>
+##	Allow caller to transition to chkpwd_t with NoNewPrivileges
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`auth_nnp_domtrans_chkpwd',`
+	gen_require(`
+		type chkpwd_t;
+	')
+	allow $1 chkpwd_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##  Execute chkpwd in the caller domain.

From 444fae292c76a749fbf888ca77b421bad96c1c5b Mon Sep 17 00:00:00 2001
From: Robert Frohl <rfrohl@suse.com>
Date: Wed, 5 Nov 2025 11:17:47 +0100
Subject: [PATCH 2/2] update support for polkit agent helper (bsc#1251931)

init_nnp_daemon_domain(policykit_auth_t):
type=AVC msg=audit(..): avc:  denied  { nnp_transition } for  pid=1850 comm="(helper-1)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process2 permissive=0

auth_nnp_domtrans_chkpwd():
type=AVC msg=audit(..): avc:  denied  { nnp_transition } for  pid=2353 comm="polkit-agent-he" scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process2 permissive=0

label socket placed under /run/polkit as policykit_var_run_t
---
 policy/modules/contrib/policykit.fc | 1 +
 policy/modules/contrib/policykit.te | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 44b167af43..a05ae8ca37 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -20,3 +20,4 @@
 /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
 /run/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
+/run/polkit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 26844e4070..33312e9826 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -15,6 +15,7 @@ init_nnp_daemon_domain(policykit_t)
 type policykit_auth_t, policykit_domain;
 type policykit_auth_exec_t;
 init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+init_nnp_daemon_domain(policykit_auth_t)
 
 type policykit_grant_t, policykit_domain;
 type policykit_grant_exec_t;
@@ -209,6 +210,7 @@ fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
 auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
+auth_nnp_domtrans_chkpwd(policykit_auth_t)
 
 logging_send_syslog_msg(policykit_auth_t)