From 7558698ab1eb44e397b6daa1c58782c113fa7f41 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Wed, 15 Jan 2020 22:01:08 +0100 Subject: [PATCH] usermanage: allow groupadd to lookup dynamic users from systemd On a Debian 10 test virtual machine, when installing packages adds a group, the following AVC occurs: type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?' Allow groupadd to use nss-systemd, which calls DBUS method LookupDynamicUserByName(). Signed-off-by: Nicolas Iooss --- policy/modules/admin/usermanage.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 16f6bac3d..cc83d8833 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -277,6 +277,10 @@ optional_policy(` rpm_rw_pipes(groupadd_t) ') +optional_policy(` + systemd_use_nss(groupadd_t) +') + optional_policy(` unconfined_use_fds(groupadd_t) ')
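Review bot: The new optional_policy block for groupadd_t relies on systemd_use_nss() covering the dbus `send_msg` to init_t that the quoted AVC shows, but nothing in the hunk or the commit message says that the interface grants that dbus access (its name only suggests NSS use); please state in the commit message that systemd_use_nss() is the interface providing the `dbus send_msg` permission towards init_t for the LookupDynamicUserByName method call, or, if it does not, add the dbus rule explicitly. Also note that the AVC was captured with permissive=1, so every denial on that path would have been logged; since only one appears, a single interface call looks sufficient, but a quick re-run of the package installation in enforcing mode would confirm that no further denial (for example on the reply path) remains. Placement between the rpm_rw_pipes and unconfined_use_fds blocks keeps the module's alphabetical ordering, so no change needed there.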