From 9592c9a75c610109c17eb8591611826715e3c969 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Wed, 26 Feb 2020 17:20:57 +0800
Subject: [PATCH] add avc for systemd

Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
 policy/modules/contrib/dbus.te   |  4 ++++
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.te |  5 +++++
 4 files changed, 28 insertions(+)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 3bcff01..848342e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -386,3 +386,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
 
 kernel_stream_connect(session_bus_type)
 systemd_login_read_pid_files(session_bus_type)
+
+# avc for openEuler
+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
+allow init_t system_dbusd_var_run_t:sock_file read;
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2378f06..c3659c7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7276,3 +7276,21 @@ type kmsg_device_t;
 
 allow $1 kmsg_device_t:chr_file read;
 ')
+
+########################################
+## <summary>
+##      Allow to read the clock device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`dev_read_clock_device',`
+gen_require(`
+type clock_device_t;
+')
+
+allow $1 clock_device_t:chr_file read;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index afd20b0..8de5b08 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1874,3 +1874,4 @@ systemd_manage_faillog(init_t)
 kernel_netlink_audit_socket(init_t, getattr)
 dev_read_kernel_msg(init_t)
 logging_journal(init_t)
+dev_read_clock_device(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f2919f0..3634510 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1148,3 +1148,8 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
 allow init_t systemd_logind_var_run_t:dir mounton;
 init_nnp_daemon_domain(systemd_hostnamed_t)
 init_nnp_daemon_domain(systemd_logind_t)
+init_nnp_daemon_domain(systemd_coredump_t)
+init_nnp_daemon_domain(systemd_initctl_t)
+init_nnp_daemon_domain(systemd_localed_t)
+init_nnp_daemon_domain(systemd_machined_t)
+init_nnp_daemon_domain(systemd_timedated_t)
-- 
1.8.3.1