From 02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:36:15 +0100
Subject: [PATCH] Allow gssproxy access to various system files.

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/02d90bb3e2fc39d67a7d07cec5ca113bd0a53421
Conflict: NA

gssproxy was allowed to:
- read system state information in /proc
- read from random number generator devices (e.g., /dev/random)
- read hardware state information

Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/contrib/gssproxy.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index f48457c..aa53de0 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -41,6 +41,7 @@ files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_fil
 
 kernel_rw_rpc_sysctls(gssproxy_t)
 kernel_read_network_state(gssproxy_t)
+kernel_read_system_state(gssproxy_t)
 
 domain_use_interactive_fds(gssproxy_t)
 domain_read_all_domains_state(gssproxy_t)
@@ -51,7 +52,9 @@ fs_getattr_all_fs(gssproxy_t)
 
 auth_use_nsswitch(gssproxy_t)
 
+dev_read_rand(gssproxy_t)
 dev_read_urand(gssproxy_t)
+dev_read_sysfs(gssproxy_t)
 dev_rw_crypto(gssproxy_t)
 
 logging_send_syslog_msg(gssproxy_t)
-- 
1.8.3.1