From 9b5d89fcf6315635850f5ebe082b09cac7d3d9fe Mon Sep 17 00:00:00 2001
From: cgzones
Date: Thu, 5 Jan 2017 11:32:17 +0100
Subject: [PATCH] newrole: fix denials

dontaudit net_admin access due to setsockopt allow communication with systemd-logind
---
 policy/modules/system/selinuxutil.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 24390c3df..a8d8ca4db 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -221,6 +221,7 @@ optional_policy(`
 #
 
 allow newrole_t self:capability { dac_override fowner setgid setuid };
+dontaudit newrole_t self:capability net_admin;
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
@@ -280,6 +281,7 @@ auth_use_nsswitch(newrole_t)
 auth_run_chk_passwd(newrole_t, newrole_roles)
 auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
+auth_use_pam_systemd(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
@@ -313,6 +315,10 @@ tunable_policy(`allow_polyinstantiation',`
 files_polyinstantiate_all(newrole_t)
 ')
 
+optional_policy(`
+ systemd_use_logind_fds(newrole_t)
+')
+
 ########################################
 #
 # Restorecond local policy
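Review bot: The added `dontaudit newrole_t self:capability net_admin;` in the first hunk carries no comment explaining which denial it silences, so a later maintainer cannot tell whether net_admin is genuinely unneeded or a real permission gap was hidden; the commit message attributes it to setsockopt, but nobody reading the .te file sees that. Suggest a comment line above it such as `# setsockopt() checks net_admin; newrole works without it, so only silence the denial`, written after confirming the call really succeeds without the capability — a dontaudit that masks a functional denial is the hardest kind to debug later. If the check only happens on the systemd/logind path, the rule could also sit inside the optional_policy block added in the third hunk so non-systemd builds keep the audit event; I can't tell from the hunk whether that is the case. The newrole local policy section continues beyond this hunk.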
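Review bot: `auth_use_pam_systemd(newrole_t)` in the second hunk is added unconditionally while the third hunk adds a separate `optional_policy(` block calling `systemd_use_logind_fds(newrole_t)`; if the auth_use_pam_systemd interface already wraps logind fd access in its own optional_policy (worth checking against its definition in authlogin.if), the third hunk is redundant and the two call sites will drift apart over time. If it does not, a short comment on the added line naming the purpose would help, e.g. `# session registration through pam_systemd/logind`, since this is the only systemd-dependent call in the auth_* group and the commit message is the only place that currently explains it. The enclosing newrole policy section starts before and ends after both hunks.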