Merge pull request #523 from dsugar100/systemd

systemd: fixes for system-logind and systemd-update-done to start in enforcing

policy/modules/system/init.te

@@ -551,6 +551,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		systemd_dbus_chat_logind(init_t)
+		systemd_create_logind_linger_dir(init_t)
 		systemd_search_all_user_keys(init_t)
 		systemd_create_all_user_keys(init_t)
 		systemd_write_all_user_keys(init_t)

policy/modules/system/systemd.if

@@ -2031,6 +2031,27 @@ interface(`systemd_read_logind_state',`
 	allow systemd_logind_t $1:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	the systemd-logind linger directory with
+##	the correct context.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_create_logind_linger_dir',`
+	gen_require(`
+		type systemd_logind_var_lib_t;
+	')
+
+	init_var_lib_filetrans($1, systemd_logind_var_lib_t, dir, "linger")
+	allow $1 systemd_logind_var_lib_t:dir create;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to start systemd

policy/modules/system/systemd.te

@@ -1725,6 +1725,7 @@ kernel_read_kernel_sysctls(systemd_update_done_t)
 
 selinux_use_status_page(systemd_update_done_t)
 
+seutil_read_config(systemd_update_done_t)
 seutil_read_file_contexts(systemd_update_done_t)
 
 systemd_log_parse_environment(systemd_update_done_t)