Add policy for systemd-resolved

Initial policy for systemd-resolved, tested with systemd 230 on debian

policy/modules/system/systemd.fc

@@ -17,6 +17,7 @@
 /usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
@@ -33,6 +34,7 @@
 /var/run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
+/var/run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)

policy/modules/system/systemd.te

@@ -80,6 +80,13 @@ type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_resolved_t;
+type systemd_resolved_exec_t;
+init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+
+type systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_var_run_t)
+
 type systemd_run_t;
 type systemd_run_exec_t;
 init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -242,6 +249,39 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+#########################################
+#
+# Resolved local policy
+#
+
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
+
+allow systemd_resolved_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+kernel_read_crypto_sysctls(systemd_resolved_t)
+kernel_read_kernel_sysctls(systemd_resolved_t)
+kernel_read_system_state(systemd_resolved_t)
+
+corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+auth_use_nsswitch(systemd_resolved_t)
+
+seutil_read_file_contexts(systemd_resolved_t)
+
+systemd_log_parse_environment(systemd_resolved_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_resolved_t)
+')
+
 #########################################
 #
 # Sessions local policy