From 233e13cb44c6d4a52113c608e5ea694297c14119 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Fri, 6 Sep 2019 23:28:40 +0200
Subject: [PATCH] systemd: allow systemd-modules-load.service to read sysfs

systemd-modules-load.service needs to read file /sys/module/${MODULE}/initstate for each ${MODULE} defined in /etc/modules-load.d/. These files are labeled sysfs_t.

This fixes:

type=AVC msg=audit(1567804818.331:138713): avc: denied { read } for pid=31153 comm="systemd-modules" name="initstate" dev="sysfs" ino=14778 scontext=system_u:system_r:systemd_modules_load_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=0

Signed-off-by: Nicolas Iooss
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 45684f2b6..e381e167e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -626,6 +626,8 @@ optional_policy(`
 kernel_load_module(systemd_modules_load_t)
 kernel_request_load_module(systemd_modules_load_t)
+dev_read_sysfs(systemd_modules_load_t)
+
 files_read_etc_files(systemd_modules_load_t)
 modutils_read_module_config(systemd_modules_load_t)
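Review bot: `dev_read_sysfs(systemd_modules_load_t)` grants read access to everything labeled sysfs_t, while the denial quoted in the commit message shows only `/sys/module/${MODULE}/initstate` being read, so the grant is wider than the evidence that motivates it. Since the module tree appears to carry the generic sysfs_t label, there is probably no narrower interface available, but that reasoning lives only in the commit message and will be invisible to the next person auditing this domain's permissions. A comment above the added call, `# read /sys/module/*/initstate for modules listed in /etc/modules-load.d/`, would keep the justification next to the rule and make it clear that the access is deliberately scoped to what the service needs rather than a convenience grant. The surrounding rules for systemd_modules_load_t continue outside the hunk, so whether a more specific sysfs-related call already exists elsewhere in the block cannot be checked from here.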