backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch 1.60 KB
luhuaxin committed on 2021-05-31 16:38 . backport some upstream patches
From 7bcba980168b70a4164a1ec768ea56e723ed390b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 25 Jan 2021 22:08:16 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/7bcba980168b70a4164a1ec768ea56e723ed390b
Conflict: NA
Subject: [PATCH] Allow domain write to systemd-resolved PID socket files
Previously, the permission was allowed for the nsswitch_domain
attribute which turned out not to be sufficient.
Resolves: rhbz#1900175
---
policy/modules/kernel/domain.te | 1 +
policy/modules/system/authlogin.te | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index dff8caa..2ab7a49 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -510,6 +510,7 @@ optional_policy(`
systemd_login_reboot(unconfined_domain_type)
systemd_login_halt(unconfined_domain_type)
systemd_login_undefined(unconfined_domain_type)
+ systemd_resolved_write_pid_sock_files(domain)
systemd_filetrans_named_content(named_filetrans_domain)
systemd_filetrans_named_hostname(named_filetrans_domain)
systemd_filetrans_home_content(named_filetrans_domain)
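Review bot: The added `systemd_resolved_write_pid_sock_files(domain)` line grants this write access to every type carrying the `domain` attribute, which is a much wider set than the `nsswitch_domain` attribute it replaces, and the commit message only says the narrower attribute "turned out not to be sufficient" without naming the domains that were denied. Please record in the commit message, or in a comment above the call, which domains hit the denial in rhbz#1900175 so a later reader can judge whether a narrower attribute would have covered them. Also note that the call sits inside an existing `optional_policy` block next to the `systemd_login_*` and `systemd_filetrans_*` calls, so the grant is dropped together with the rest of that block if any interface in it cannot be resolved; a separate `optional_policy` block for this one call would keep it independent.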
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 576ec5f..068caed 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -562,7 +562,6 @@ optional_policy(`
')
optional_policy(`
- systemd_resolved_write_pid_sock_files(nsswitch_domain)
systemd_userdbd_stream_connect(nsswitch_domain)
systemd_machined_stream_connect(nsswitch_domain)
')
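Review bot: Removing `systemd_resolved_write_pid_sock_files(nsswitch_domain)` from this block leaves nothing in authlogin.te to show where nsswitch domains now get this access; it depends entirely on the `domain`-wide call added in domain.te. A one-line comment here pointing to domain.te would stop someone from re-adding the call or from narrowing the domain.te grant without realising that nsswitch domains rely on it.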
--
1.8.3.1