From d5d6fe00462178e7f4b40a5735b26cc28b357670 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Sun, 11 Nov 2018 13:37:00 +0100
Subject: [PATCH] Allow systemd_resolved_t to bind to port 53 and use net_raw
resolved also binds against port 53 on lo interface
---
 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621d..e70ccb214 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
 # Resolved local policy
 #
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
 allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
 allow systemd_resolved_t self:tcp_socket { accept listen };
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
 corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 auth_use_nsswitch(systemd_resolved_t)
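Review bot: The `net_raw` added to the self:capability rule is broader than the stated goal; CAP_NET_RAW also covers raw and packet sockets, while the subject and body only mention binding port 53 on lo, which on its own is a name_bind on dns_port_t (second hunk) rather than a capability. If the capability is there for SO_BINDTODEVICE on the lo listener, that reason belongs beside the rule so a later reviewer neither drops it nor widens it into socket rules, e.g. `# net_raw: SO_BINDTODEVICE on the lo stub listener, not raw packet I/O`. As long as resolved opens no raw or packet sockets, not pairing this with self:rawip_socket or self:packet_socket rules keeps the grant narrow. The Resolved local policy block continues outside the hunk.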
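Review bot: The two dns_port bind rules grant name_bind on dns_port_t for TCP and UDP, but a bind to port 53 is also gated by CAP_NET_BIND_SERVICE, and the self:capability rule in the first hunk lists only chown, net_raw, setgid, setpcap and setuid; unless net_bind_service is granted elsewhere in the file, the bind will still be denied. SELinux name_bind also cannot scope the bind to the lo interface named in the commit message, so these rules allow port 53 on whatever the existing corenet_*_bind_generic_node rules permit; a comment such as `# port 53 stub listener; policy cannot limit this to lo` would record that. The corenet rule block continues outside the hunk.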