From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
 MLS trusted for raising/lowering the level of files

Fixes:
  avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
  dev="proc" ino=7987 \
  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
  tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
  tclass=dir

  avc: denied { search } for pid=92 comm="systemd-tmpfile" \
  name="journal" dev="tmpfs" ino=8226 \
  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
  tclass=dir

  avc: denied { write } for pid=92 comm="systemd-tmpfile" \
  name="kmsg" dev="devtmpfs" ino=7242 \
  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
  tclass=chr_file

  avc: denied { read } for pid=92 comm="systemd-tmpfile" \
  name="kmod.conf" dev="tmpfs" ino=8660 \
  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:var_run_t:s0 \
  tclass=file

  avc: denied { search } for pid=92 comm="systemd-tmpfile" \
  name="kernel" dev="proc" ino=8731 \
  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/system/systemd.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1a83148c1..736107fad 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
 
 systemd_log_parse_environment(systemd_tmpfiles_t)
 
+mls_file_write_all_levels(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_downgrade(systemd_tmpfiles_t)
+mls_file_upgrade(systemd_tmpfiles_t)
+
 userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
 userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
 
-- 
2.17.1