systemd: add policy for systemd-pcrphase

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/system/systemd.fc

@@ -36,6 +36,7 @@
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-pcrphase		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)

policy/modules/system/systemd.te

@@ -215,6 +215,10 @@ files_runtime_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
 
+type systemd_pcrphase_t;
+type systemd_pcrphase_exec_t;
+init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
+
 type systemd_pstore_t;
 type systemd_pstore_exec_t;
 init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
@@ -1360,6 +1364,28 @@ optional_policy(`
 	plymouthd_stream_connect(systemd_passwd_agent_t)
 ')
 
+#########################################
+#
+# systemd-pcrphase local policy
+#
+
+allow systemd_pcrphase_t self:capability dac_override;
+dontaudit systemd_pcrphase_t self:capability net_admin;
+
+dev_rw_tpm(systemd_pcrphase_t)
+dev_write_kmsg(systemd_pcrphase_t)
+
+fs_read_efivarfs_files(systemd_pcrphase_t)
+fs_getattr_cgroup(systemd_pcrphase_t)
+fs_search_cgroup_dirs(systemd_pcrphase_t)
+
+kernel_dontaudit_getattr_proc(systemd_pcrphase_t)
+kernel_read_kernel_sysctls(systemd_pcrphase_t)
+kernel_read_system_state(systemd_pcrphase_t)
+
+init_read_state(systemd_pcrphase_t)
+
+logging_send_syslog_msg(systemd_pcrphase_t)
 
 #########################################
 #