From 96ea14ed594239951f0b9a0523797c2ccab63865 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Date: Wed, 1 Sep 2021 19:37:19 +0000
Subject: [PATCH] systemd, ssh, ntp: Read fips_enabled crypto sysctl.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
 policy/modules/services/ntp.te   | 1 +
 policy/modules/services/ssh.if   | 1 +
 policy/modules/system/systemd.te | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 1626ae87a..4d7e00243 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -94,6 +94,7 @@ can_exec(ntpd_t, ntpd_exec_t)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_read_crypto_sysctls(ntpd_t)
 kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_netlabel(ntpd_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 10b8d12e5..ae23e1995 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -214,6 +214,7 @@ template(`ssh_server_template', `
 
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_network_state($1_t)
+	kernel_read_crypto_sysctls($1_t)
 
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_generic_if($1_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4bc6b04cd..0d55588ed 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -577,6 +577,7 @@ optional_policy(`
 dontaudit systemd_log_parse_env_type self:capability net_admin;
 
 kernel_read_system_state(systemd_log_parse_env_type)
+kernel_read_crypto_sysctls(systemd_log_parse_env_type)
 
 dev_write_kmsg(systemd_log_parse_env_type)