From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 12 Aug 2020 12:09:21 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/6fe205674f9cd1face5e2cf1aeb90d265ef89ba8
Conflict: NA
Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a unix socket
Create the systemd_machined_stream_connect() interface.
Resolves: rhbz#1865748
---
 policy/modules/system/authlogin.te | 1 +
 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 25d1691..6043c45 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -563,6 +563,7 @@ optional_policy(`
 optional_policy(`
 systemd_userdbd_stream_connect(nsswitch_domain)
+ systemd_machined_stream_connect(nsswitch_domain)
 ')
 optional_policy(`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a6d8bd0..dbc8fc9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',`
 ########################################
 ##
+## Allow the specified domain to connect to
+## systemd_machined with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_machined_stream_connect',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+##
 ## Send and receive messages from
 ## systemd machined over dbus.
 ##
--
1.8.3.1
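Review bot: The added `systemd_machined_stream_connect(nsswitch_domain)` call in the authlogin.te hunk is made on an attribute, not a single type, and nothing beside it records why such a broad grant is needed. Every domain that carries nsswitch_domain gains connectto on systemd-machined's stream socket, which widens the set of processes able to reach that daemon. A short comment above the call would help the next reviewer judge the grant, for example `# name-service lookups may query systemd-machined over its unix socket (rhbz#1865748)`; the stated purpose is inferred from the commit subject and should be confirmed against the bug.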
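Review bot: The new `systemd_machined_stream_connect` interface in the systemd.if hunk grants only `connectto` on `systemd_machined_t:unix_stream_socket`, and its summary does not say that this is all it covers. It grants nothing on the socket file or the directories leading to it, so a caller relying on this interface alone would presumably still be denied when opening the socket path. If that access is meant to come from another interface (in authlogin.te the call sits next to `systemd_userdbd_stream_connect`), the summary should say so, e.g. `## Grants only connectto; access to the socket file must come from another interface.` Otherwise the refpolicy `stream_connect_pattern` macro, given the socket file's type, would make the interface self-contained; that type is not visible in this hunk.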