From ae40418b24d4704ba786d3759aad73ea4d683d1b Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 10 Sep 2017 20:22:21 +0200
Subject: [PATCH] init: allow systemd to create /dev/pts as devpts_t

This is currently denied: avc: denied { create } for pid=1 comm="systemd" name="pts" scontext=system_u:system_r:init_t tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
---
 policy/modules/kernel/terminal.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 2 ++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 16a96ec77..8be5a1d6d 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -149,6 +149,24 @@ interface(`term_mount_devpts',`
 	allow $1 devpts_t:filesystem mount;
 ')
 
+########################################
+##
+## Create directory /dev/pts.
+##
+##
+##
+## The type of the process creating the directory.
+##
+##
+#
+interface(`term_create_devpts',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir create_dir_perms;
+')
+
 ########################################
 ##
 ## Create a pty in the /dev/pts directory.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bdb0d6c86..c6d230456 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -323,6 +323,8 @@ ifdef(`init_systemd',`
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 
+	term_create_devpts(init_t)
+
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)
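Review bot: The summary of the new term_create_devpts() interface in the terminal.if hunk should state the limit of what it grants: the allow rule covers only creating a devpts_t directory (the /dev/pts mountpoint), and a caller that goes on to mount devpts there still needs term_mount_devpts(), whose `allow $1 devpts_t:filesystem mount;` is the context line just above the insertion. I would replace the summary line with `## Create the /dev/pts directory (mountpoint only; mounting devpts on it is term_mount_devpts()).` The AVC quoted in the commit message already shows the new "pts" directory labeled devpts_t, so a type transition from the parent /dev type presumably exists elsewhere in the policy; if it does not, this directory-create rule on its own would not give the created directory that label, which is worth confirming before merging. The init.te hunk's trailing context runs past the end of this chunk, so its last line is not visible here.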