selinux-policy/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
2021-05-31 18:58:06 +08:00


From 099b9776b76a31cdf8281e06f9cc27946b26cf9f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 7 Dec 2020 22:15:18 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/099b9776b76a31cdf8281e06f9cc27946b26cf9f
Conflict: NA
Subject: [PATCH] Allow systemd-logind manage init's pid files
Added init_manage_pid_files() interface.
Resolves: rhbz#1856399
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 629af26..4674755 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2838,6 +2838,24 @@ interface(`init_read_pid_files',`
########################################
## <summary>
+## Manage init pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_pid_files',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ manage_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
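Review bot: The summary `## Manage init pid files.` on the new `init_manage_pid_files` interface understates what `manage_files_pattern($1, init_var_run_t, init_var_run_t)` hands to the caller. That pattern covers creating, writing, renaming and unlinking every file labelled `init_var_run_t`, plus adding and removing entries in directories of that type. I would word the summary as `## Create, read, write, and delete init pid files.` so that anyone auditing callers sees the scope without expanding the macro. Sibling interfaces in refpolicy-style modules commonly call `files_search_pids($1)` before the pattern; the hunk does not show whether `init_read_pid_files` does, so confirm whether it is needed here for consistency.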
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 24cf02e..332d716 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -297,6 +297,7 @@ init_signal_script(systemd_logind_t)
init_getattr_script_status_files(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_config_transient_files(systemd_logind_t)
+init_manage_pid_files(systemd_logind_t)
getty_systemctl(systemd_logind_t)
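Review bot: `init_manage_pid_files(systemd_logind_t)` gives logind full manage rights over every `init_var_run_t` file, and nothing in the commit message shows which file or operation was actually denied. From a least-privilege point of view, the AVC from rhbz#1856399 should be recorded next to the rule, for example `# logind manages files in init's runtime dir, see rhbz#1856399`. If the denial turns out to involve a single file that logind creates itself, a dedicated type with a file transition would presumably be narrower than manage access to files init owns. As written, a compromised logind could replace or remove init's runtime files, so the broader grant needs an explicit justification.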
--
1.8.3.1