init/systemd: allow systemd to map the SELinux status page

systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

policy/modules/system/init.te

@@ -439,6 +439,8 @@ ifdef(`init_systemd',`
 	selinux_compute_access_vector(init_t)
 	# for starting systemd --user in the right domain:
 	selinux_compute_user_contexts(init_t)
+	# mmap status page
+	selinux_map_security_files(init_t)
 
 	storage_getattr_removable_dev(init_t)
 

policy/modules/system/systemd.te

@@ -424,6 +424,9 @@ dev_read_sysfs(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
 
+selinux_get_enforce_mode(systemd_hostnamed_t)
+selinux_map_security_files(systemd_hostnamed_t)
+
 seutil_read_file_contexts(systemd_hostnamed_t)
 
 sysnet_etc_filetrans_config(systemd_hostnamed_t)
@@ -454,6 +457,8 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
 files_search_runtime(systemd_hw_t)
 
 selinux_get_fs_mount(systemd_hw_t)
+selinux_get_enforce_mode(systemd_hw_t)
+selinux_map_security_files(systemd_hw_t)
 
 init_read_state(systemd_hw_t)
 
@@ -469,6 +474,9 @@ kernel_read_kernel_sysctls(systemd_locale_t)
 
 files_read_etc_files(systemd_locale_t)
 
+selinux_get_enforce_mode(systemd_locale_t)
+selinux_map_security_files(systemd_locale_t)
+
 seutil_read_file_contexts(systemd_locale_t)
 
 systemd_log_parse_environment(systemd_locale_t)
@@ -561,6 +569,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 
 selinux_get_enforce_mode(systemd_logind_t)
+selinux_map_security_files(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
 storage_getattr_scsi_generic_dev(systemd_logind_t)
@@ -1080,6 +1089,9 @@ corenet_udp_bind_generic_node(systemd_resolved_t)
 corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
+selinux_get_enforce_mode(systemd_resolved_t)
+selinux_map_security_files(systemd_resolved_t)
+
 auth_use_nsswitch(systemd_resolved_t)
 
 files_watch_root_dirs(systemd_resolved_t)
@@ -1113,6 +1125,7 @@ kernel_read_kernel_sysctls(systemd_sessions_t)
 
 selinux_get_enforce_mode(systemd_sessions_t)
 selinux_get_fs_mount(systemd_sessions_t)
+selinux_map_security_files(systemd_sessions_t)
 
 seutil_read_config(systemd_sessions_t)
 seutil_read_default_contexts(systemd_sessions_t)
@@ -1134,6 +1147,9 @@ files_manage_etc_files(systemd_sysusers_t)
 
 kernel_read_kernel_sysctls(systemd_sysusers_t)
 
+selinux_get_enforce_mode(systemd_sysusers_t)
+selinux_map_security_files(systemd_sysusers_t)
+
 auth_manage_shadow(systemd_sysusers_t)
 auth_etc_filetrans_shadow(systemd_sysusers_t)
 auth_use_nsswitch(systemd_sysusers_t)
@@ -1202,7 +1218,8 @@ fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
-selinux_search_fs(systemd_tmpfiles_t)
+selinux_get_enforce_mode(systemd_tmpfiles_t)
+selinux_map_security_files(systemd_tmpfiles_t)
 
 auth_append_lastlog(systemd_tmpfiles_t)
 auth_manage_faillog(systemd_tmpfiles_t)
@@ -1287,6 +1304,9 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 
 kernel_read_kernel_sysctls(systemd_update_done_t)
 
+selinux_get_enforce_mode(systemd_update_done_t)
+selinux_map_security_files(systemd_update_done_t)
+
 seutil_read_file_contexts(systemd_update_done_t)
 
 systemd_log_parse_environment(systemd_update_done_t)
@@ -1381,6 +1401,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 
 selinux_get_enforce_mode(systemd_user_runtime_dir_t)
+selinux_map_security_files(systemd_user_runtime_dir_t)
 
 systemd_log_parse_environment(systemd_user_runtime_dir_t)
 systemd_dbus_chat_logind(systemd_user_runtime_dir_t)