From f984d0f1fa193e7f5fdf8bd8aef92b24550eaec4 Mon Sep 17 00:00:00 2001
From: lujie42
Date: Tue, 21 Dec 2021 17:19:13 +0800
Subject: [PATCH] add avc for systemd-journald

Signed-off-by: lujie42
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 5 +++++
 policy/modules/system/logging.if | 18 ++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 62845c1..a2e2750 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4245,6 +4245,24 @@ interface(`kernel_read_netlink_audit_socket',`
 
 ########################################
 ##
+## Access to netlink audit socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_netlink_audit_socket',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:netlink_audit_socket $2;
+')
+
+########################################
+##
 ## Execute an unlabeled file in the specified domain.
 ##
 ##
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a4a0d2..0aea278 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -731,6 +731,11 @@ auth_rw_lastlog(init_t)
 auth_domtrans_chk_passwd(init_t)
 auth_manage_passwd(init_t)
 
+# avc for openEuler
+kernel_netlink_audit_socket(init_t, getattr)
+logging_access_journal(init_t)
+dev_read_kmsg(init_t)
+
 ifdef(`distro_redhat',`
 # it comes from setupr scripts used in systemd unit files
 # has been covered by initrc_t
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8092f3e..3452bd2 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
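Review bot: The new `kernel_netlink_audit_socket` interface takes a permission set in `$2`, but its doc block describes only the domain parameter, so the second argument is undocumented (the `<summary>`/`<param>` XML tags also appear to have been stripped in this copy of the patch). Add a second `## <param name="perms">` block with the summary `## Permissions to grant on the kernel netlink audit socket.` so generated docs and callers see that `$2` is an open-ended access vector. Passing raw perms through also departs from the style of the neighbouring `kernel_read_netlink_audit_socket`, which fixes the access in the interface name; a `kernel_getattr_netlink_audit_socket` covering the single `getattr` use in init.te would be narrower and easier to audit.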
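Review bot: The three new rules are granted to `init_t` although the subject says they are for systemd-journald, which in refpolicy presumably runs in its own `syslogd_t` domain; if the denials were observed from journald, the fix belongs there, and `logging_access_journal(init_t)` instead gives PID 1 `create rename write` on journal files. The comment `# avc for openEuler` does not record which process or denial this resolves; a comment naming the caller and reason, e.g. `# systemd itself (init_t) touches /run/log/journal and reads kmsg during early boot on openEuler`, would let a later reviewer decide whether the rule is still needed. `kernel_netlink_audit_socket(init_t, getattr)` is minimal as written, but would read more clearly through a getattr-specific interface than through a pass-through perms argument.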
@@ -1753,6 +1753,24 @@ interface(`logging_mmap_journal',`
 
 #######################################
 ##
+## Access to files in /run/log/journal/ directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_access_journal',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
+ allow $1 syslogd_var_run_t:file { create rename write };
+')
+
+#######################################
+##
 ## Watch the /run/log/journal directory.
 ##
 ##
--
1.8.3.1
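Review bot: The permission set `{ create rename write }` on `syslogd_var_run_t:file` looks assembled from observed AVC denials rather than from the operation being allowed: creating or renaming a file also needs `add_name`/`remove_name` on the `syslogd_var_run_t` directory, and writing a freshly created file needs `open` (and usually `getattr`), none of which this interface grants, so callers will either hit further denials or must already obtain those perms elsewhere — worth confirming before merging. The name `logging_access_journal` does not say what it grants, unlike the neighbouring `logging_mmap_journal` and `logging_watch_journal`; a name such as `logging_create_journal_files` with the summary `## Create, rename and write files in /run/log/journal.` would match the module's convention and make the exact access visible to callers. If the intended caller is journald itself (`syslogd_t`), that domain presumably already manages `syslogd_var_run_t` and the new interface would be unnecessary.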