From 1a6889def34747b606f4e520fbff72fe86f90b0f Mon Sep 17 00:00:00 2001
From: lujie42 <572084868@qq.com>
Date: Tue, 24 Aug 2021 15:38:40 +0800
Subject: [PATCH] add avc for systemd no17479

Signed-off-by: lujie42 <572084868@qq.com>
---
 policy/modules/kernel/domain.te | 4 ++--
 policy/modules/kernel/selinux.if | 2 +-
 policy/modules/system/logging.te | 1 +
 policy/modules/system/systemd.if | 7 ++++---
 policy/modules/system/systemd.te | 3 +++
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 8e52b17..27b112c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -510,7 +510,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- systemd_dbus_chat_resolved(domain)
+ systemd_chat_resolved(domain)
  systemd_login_status(unconfined_domain_type)
  systemd_login_reboot(unconfined_domain_type)
  systemd_login_halt(unconfined_domain_type)
@@ -519,7 +519,7 @@ optional_policy(`
  systemd_filetrans_named_content(named_filetrans_domain)
  systemd_filetrans_named_hostname(named_filetrans_domain)
  systemd_filetrans_home_content(named_filetrans_domain)
- systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
 ')
 
 optional_policy(`
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ac70efb..a2ab3fc 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -324,7 +324,7 @@ interface(`selinux_get_enforce_mode',`
  dev_search_sysfs($1)
  selinux_get_fs_mount($1)
  allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
  allow $1 security_t:lnk_file read_lnk_file_perms;
 ')
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index df4e985..482fe6d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
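Review bot: The call site `systemd_chat_resolved(domain)` now grants every domain `unix_stream_socket connectto` on systemd_resolved_t on top of the dbus send_msg the old interface already granted, and neither the commit message nor a comment records why the scope is the whole `domain` attribute. If the widening is intended, which seems plausible since any process resolving names through the resolved NSS path would need it, say so beside the call, e.g. `# resolver clients reach systemd-resolved over dbus and varlink`; otherwise a narrower attribute is the safer grant. The optional_policy block that holds the changed line closes outside the hunk.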
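Review bot: Switching `read_file_perms` to `mmap_read_file_perms` in selinux_get_enforce_mode adds `map` on security_t files for every caller of this kernel-layer interface, while the commit title only names systemd. If a single domain needs to mmap files under /sys/fs/selinux, granting `allow $1 security_t:file map;` from a separate, narrowly called interface (or directly in that domain's .te) leaves the other callers' permission set unchanged. The interface's opening line is outside the hunk, in the header context.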
@@ -622,6 +622,7 @@ term_write_unallocated_ttys(syslogd_t)
 term_use_generic_ptys(syslogd_t)
 
 init_stream_connect(syslogd_t)
+init_read_pid_files(syslogd_t)
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 514bbd7..6503c87 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2345,8 +2345,8 @@ interface(`systemd_map_resolved_exec_files',`
 
 ########################################
 ##
-## Send and receive messages from
-## systemd resolved over dbus.
+## Exchange messages with
+## systemd resolved over dbus or varlink.
 ##
 ##
 ##
@@ -2354,13 +2354,14 @@ interface(`systemd_map_resolved_exec_files',`
 ##
 ##
 #
-interface(`systemd_dbus_chat_resolved',`
+interface(`systemd_chat_resolved',`
  gen_require(`
  type systemd_resolved_t;
  class dbus send_msg;
  ')
 
  allow $1 systemd_resolved_t:dbus send_msg;
+ allow $1 systemd_resolved_t:unix_stream_socket connectto;
  allow systemd_resolved_t $1:dbus send_msg;
  ps_process_pattern(systemd_resolved_t, $1)
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1e96c31..7849d51 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -13,6 +13,7 @@ attribute systemd_private_tmp_type;
 attribute systemd_read_efivarfs_type;
 
 fs_read_efivarfs_files(systemd_read_efivarfs_type)
+read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
 
 systemd_domain_template(systemd_logger)
 systemd_domain_template(systemd_logind)
@@ -501,6 +502,7 @@ corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
 corenet_udp_bind_dhcpd_port(systemd_networkd_t)
 
 fs_read_xenfs_files(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
 
 dev_read_sysfs(systemd_networkd_t)
 dev_write_kmsg(systemd_networkd_t)
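Review bot: The added `init_read_pid_files(syslogd_t)` carries no why-comment, while the neighbouring `init_read_utmp` rule does and the commit message gives only a ticket number. A one-line comment naming the file under /run that syslogd reads lets a later audit judge whether the grant is still needed, e.g. `# TODO(review): record which init pid file syslogd reads (ticket no17479)`.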
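Review bot: The new `allow $1 systemd_resolved_t:unix_stream_socket connectto;` is not sufficient on its own for a client to reach resolved's varlink socket: connecting to a unix socket also needs write on the socket file and search on its directory, which is what `stream_connect_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t, systemd_resolved_t)` grants (the socket type is the one this patch's systemd.te hunk adds manage_sock_files_pattern for), with `systemd_resolved_var_run_t` added to the gen_require. Renaming the interface also drops `systemd_dbus_chat_resolved` without a deprecation shim, so any out-of-tree policy calling the old name fails to build; refpolicy convention keeps the old name as a thin interface that emits a refpolicywarn and forwards to the new one. Callers that lack search on /run may additionally need init_search_pid_dirs, which I cannot confirm from this hunk. The rewritten body and the compatibility shim are sketched below.
```m4
interface(`systemd_chat_resolved',`
	gen_require(`
		type systemd_resolved_t, systemd_resolved_var_run_t;
		class dbus send_msg;
	')
	# … unchanged: forward dbus send_msg …
	stream_connect_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t, systemd_resolved_t)
	# … unchanged: reverse dbus send_msg, ps_process_pattern …
')

########################################
## <summary>
##	Deprecated; use systemd_chat_resolved() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_resolved',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_chat_resolved() instead.')
	systemd_chat_resolved($1)
')
```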
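Review bot: `read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)` names another module's type directly from systemd.te, whereas logging.te in this same patch uses the interface form `init_read_pid_files(syslogd_t)`; the consistent and convention-following line here is `init_read_pid_files(systemd_read_efivarfs_type)`, which also brings the type into scope for modular builds. Separately, attaching a /run read grant to an attribute named for efivarfs access couples two unrelated permissions, so every future member of that attribute silently gains read on init pid files; a per-domain call or a dedicated attribute would make the intent visible. Which systemd domains currently carry the attribute is not visible in this hunk.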
@@ -1066,6 +1068,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
-- 
1.8.3.1