From ad1f8e0d0d94690aadb9856336ad539a0ad1d3f4 Mon Sep 17 00:00:00 2001
From: ExtinctFire
Date: Sat, 28 Aug 2021 11:26:03 +0800
Subject: [PATCH] add avc for systemd selinux page

Signed-off-by: ExtinctFire
---
 add-avc-for-systemd-selinux-page.patch | 123 +++++++++++++++++++++++++
 selinux-policy.spec | 9 +-
 2 files changed, 130 insertions(+), 2 deletions(-)
 create mode 100644 add-avc-for-systemd-selinux-page.patch

diff --git a/add-avc-for-systemd-selinux-page.patch b/add-avc-for-systemd-selinux-page.patch
new file mode 100644
index 0000000..8e26311
--- /dev/null
+++ b/add-avc-for-systemd-selinux-page.patch
@@ -0,0 +1,123 @@
+From 1a6889def34747b606f4e520fbff72fe86f90b0f Mon Sep 17 00:00:00 2001
+From: lujie42 <572084868@qq.com>
+Date: Tue, 24 Aug 2021 15:38:40 +0800
+Subject: [PATCH] add avc for systemd no17479
+
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/kernel/domain.te | 4 ++--
+ policy/modules/kernel/selinux.if | 2 +-
+ policy/modules/system/logging.te | 1 +
+ policy/modules/system/systemd.if | 7 ++++---
+ policy/modules/system/systemd.te | 3 +++
+ 5 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 8e52b17..27b112c 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -510,7 +510,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- systemd_dbus_chat_resolved(domain)
++ systemd_chat_resolved(domain)
+ systemd_login_status(unconfined_domain_type)
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+@@ -519,7 +519,7 @@ optional_policy(`
+ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
+ systemd_filetrans_home_content(named_filetrans_domain)
+- systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index ac70efb..a2ab3fc 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -324,7 +324,7 @@ interface(`selinux_get_enforce_mode',`
+ dev_search_sysfs($1)
+ selinux_get_fs_mount($1)
+ allow $1 security_t:dir list_dir_perms;
+- allow $1 security_t:file read_file_perms;
++ allow $1 security_t:file mmap_read_file_perms;
+ allow $1 security_t:lnk_file read_lnk_file_perms;
+ ')
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index df4e985..482fe6d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -622,6 +622,7 @@ term_write_unallocated_ttys(syslogd_t)
+ term_use_generic_ptys(syslogd_t)
+
+ init_stream_connect(syslogd_t)
++init_read_pid_files(syslogd_t)
+ # for sending messages to logged in users
+ init_read_utmp(syslogd_t)
+ init_dontaudit_write_utmp(syslogd_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 514bbd7..6503c87 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2345,8 +2345,8 @@ interface(`systemd_map_resolved_exec_files',`
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## systemd resolved over dbus.
++## Exchange messages with
++## systemd resolved over dbus or varlink.
+ ##
+ ##
+ ##
+@@ -2354,13 +2354,14 @@ interface(`systemd_map_resolved_exec_files',`
+ ##
+ ##
+ #
+-interface(`systemd_dbus_chat_resolved',`
++interface(`systemd_chat_resolved',`
+ gen_require(`
+ type systemd_resolved_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_resolved_t:dbus send_msg;
++ allow $1 systemd_resolved_t:unix_stream_socket connectto;
+ allow systemd_resolved_t $1:dbus send_msg;
+ ps_process_pattern(systemd_resolved_t, $1)
+ ')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 1e96c31..7849d51 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -13,6 +13,7 @@ attribute systemd_private_tmp_type;
+
+ attribute systemd_read_efivarfs_type;
+ fs_read_efivarfs_files(systemd_read_efivarfs_type)
++read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
+
+ systemd_domain_template(systemd_logger)
+ systemd_domain_template(systemd_logind)
+@@ -501,6 +502,7 @@ corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
+ corenet_udp_bind_dhcpd_port(systemd_networkd_t)
+
+ fs_read_xenfs_files(systemd_networkd_t)
++fs_read_nsfs_files(systemd_networkd_t)
+
+ dev_read_sysfs(systemd_networkd_t)
+ dev_write_kmsg(systemd_networkd_t)
+@@ -1066,6 +1068,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f356921..12f22ef 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 72
+Release: 73
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -112,7 +112,9 @@ Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch
 Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
-Patch6039: add-qemu_exec_t-for-stratovirt.patch
+
+Patch9000: add-qemu_exec_t-for-stratovirt.patch
+Patch9001: add-avc-for-systemd-selinux-page.patch

 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -779,6 +781,9 @@ exit 0
 %endif
 %changelog
+* Fri Aug 20 2021 ExtinctFire -3.14.2-73
+- Add avc for systemd selinux page
+
 * Fri Aug 20 2021 mingyang -3.14.2-72
 - Add qemu_exec_t for stratovirt
-- Gitee
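Review bot: The embedded systemd.te hunk at line 13 adds `read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)` to an attribute whose name promises only efivarfs reads, so every domain carrying that attribute (presumably several systemd_* domains, not visible here) quietly gains read access to all init_var_run_t content under /run rather than the one pid file the denial was about; the same patch already shows the narrower idiom in logging.te, `init_read_pid_files(syslogd_t)`, so `init_read_pid_files(systemd_read_efivarfs_type)` or a separately named attribute would keep the grant discoverable and avoid an unrequired `init_var_run_t` reference in systemd.te. The rename of `systemd_dbus_chat_resolved` to `systemd_chat_resolved` in systemd.if updates only the domain.te caller; if any other module in this policy tree still calls the old name the build fails, so a deprecated alias (refpolicy's `refpolicywarn` wrapper) or a grep across policy/modules before applying is warranted. Note also that `systemd_chat_resolved(domain)` now grants `unix_stream_socket connectto` towards systemd_resolved_t for every domain, which the commit message (`add avc for systemd`) does not justify beyond the observed denial. The second domain.te hunk at line 519 replaces `systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)` with the same text and is presumably a whitespace-only change that could be dropped from the backport.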