sysadm, systemd: fixes for systemd-networkd

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/roles/sysadm.te

@@ -88,6 +88,10 @@ ifdef(`init_systemd',`
 	# Allow sysadm to get the status of and set properties of other users,
 	# sessions, and seats on the system.
 	systemd_dbus_chat_logind(sysadm_t)
+
+	# Allow sysadm to query and set networking settings on the system.
+	systemd_dbus_chat_networkd(sysadm_t)
+	fs_read_nsfs_files(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`

policy/modules/system/systemd.if

@@ -1425,6 +1425,27 @@ interface(`systemd_startstop_networkd',`
 	allow $1 systemd_networkd_unit_t:service { start stop };
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd networkd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dbus_chat_networkd',`
+	gen_require(`
+		type systemd_networkd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_networkd_t:dbus send_msg;
+	allow systemd_networkd_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to get status of systemd-networkd

policy/modules/system/systemd.te

@@ -887,6 +887,9 @@ files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_cgroup(systemd_networkd_t)
+fs_search_cgroup_dirs(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)