From c8af923318853d90e5fe0b41f439d53e9c995291 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Mon, 30 Dec 2019 18:01:43 +0100
Subject: [PATCH] systemd: allow reading options from EFI variable
 SystemdOptions

Since systemd 244, systemd can parse EFI variable
SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 like /proc/cmdline
in order to find options. systemd's NEWS file [1] states:

    systemd will also read configuration options from the EFI variable
    SystemdOptions. This may be used to configure systemd behaviour when
    modifying the kernel command line is inconvenient, but configuration
    on disk is read too late, for example for the options related to
    cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
    set the EFI variable.

In practice, all callers of log_parse_environment() read this EFI
variable, because:

* log_parse_environment() is a macro which is expanded to
  log_parse_environment_realm(LOG_REALM) [2].
* log_parse_environment_realm() calls proc_cmdline_parse() when being
  used in system daemons [3].
* proc_cmdline_parse() always calls systemd_efi_options_variable() [4].
* systemd_efi_options_variable() reads the SystemdOptions variable [5].

For SELinux, this means that every domain with attribute
systemd_log_parse_env_type wants to read an EFI variable. Allow this
access.

[1] https://github.com/systemd/systemd/blob/v244/NEWS#L18-L23
[2] https://github.com/systemd/systemd/blob/v244/src/basic/log.h#L84
[3] https://github.com/systemd/systemd/blob/v244/src/basic/log.c#L1116
[4] https://github.com/systemd/systemd/blob/v244/src/basic/proc-cmdline.c#L122
[5] https://github.com/systemd/systemd/blob/v244/src/basic/efivars.c#L242

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 policy/modules/system/systemd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1422d8e20..1549d5bb1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -416,6 +416,9 @@ kernel_read_system_state(systemd_log_parse_env_type)
 
 dev_write_kmsg(systemd_log_parse_env_type)
 
+# For /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67
+fs_read_efivarfs_files(systemd_log_parse_env_type)
+
 term_use_console(systemd_log_parse_env_type)
 
 init_read_state(systemd_log_parse_env_type)
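Review bot: the comment above `fs_read_efivarfs_files(systemd_log_parse_env_type)` names one variable, but the interface name says the grant is read access to efivarfs files in general, and the commit message says the attribute is carried by every domain that calls log_parse_environment(), so the effective scope is "all EFI variables, for all log-parsing systemd domains". State that scope in the comment so a later reader does not assume the access is limited to SystemdOptions, e.g. `# systemd reads SystemdOptions-8cf2644b-... via efivarfs; this grants read on all efivarfs files`. If the policy has a narrower interface for that filesystem, or if a tunable is preferred for non-EFI systems where the variable cannot exist, this is the place to use it; otherwise the three added lines are consistent with the surrounding `_type` grants.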