From 29cb31090e8f2e88c75447eff6a1de2ec4d0409b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 16 Nov 2023 17:38:51 +0100
Subject: [PATCH] Allow systemd-sleep create efivarfs files

The commit addresses the following AVC denial:
type=AVC msg=audit(1700090306.889:353): avc: denied { write } for pid=4539 comm="systemd-sleep" name="/" dev="efivarfs" ino=18441 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0
Resolves: rhbz#2249928
---
policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7cc2c4c9a3..7688097f44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -7024,6 +7024,25 @@ interface(`fs_rw_efivarfs_files',`
 rw_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
+#######################################
+##
+## Create efivarfs files
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_create_efivarfs_files',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ create_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 #######################################
 ##
 ## Manage efivarfs files
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ea299e2caa..c70a77c671 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1602,6 +1602,7 @@ dev_create_sysfs_files(systemd_sleep_t)
 dev_rw_sysfs(systemd_sleep_t)
 dev_write_kmsg(systemd_sleep_t)
+fs_create_efivarfs_files(systemd_sleep_t)
 fs_rw_efivarfs_files(systemd_sleep_t)
 fstools_rw_swap_files(systemd_sleep_t)
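Review bot: The summary of the new `fs_create_efivarfs_files` interface says only "Create efivarfs files", which hides what the grant actually means: every file under efivarfs is an EFI variable, so creating one writes a new variable into platform NVRAM, and a policy author deciding whether to call this interface should see that in the doc. A summary such as `## Create files in efivarfs, i.e. create new EFI variables (NVRAM writes).` would carry it. Using `create_files_pattern` rather than the existing manage interface is the right scoping here: it grants create/open on the file plus the add-name style directory permissions that the quoted `{ write }` denial on the efivarfs root asks for, while leaving deletion of variables out. The only caller added is the systemd.te hunk below.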
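Review bot: Combined with the existing `fs_rw_efivarfs_files(systemd_sleep_t)` on the next line, the added `fs_create_efivarfs_files(systemd_sleep_t)` lets systemd-sleep create and write EFI variables but not remove them; that matches the single denial quoted in the commit message, but it is worth confirming in permissive mode that no further `{ add_name }`, file `{ create }` or `{ unlink }` denials follow on the same path before closing rhbz#2249928 — if the variable is later cleared on resume, that presumably happens in a different domain and would need its own grant. The .te gives no hint why a sleep helper needs efivarfs at all, so a one-line comment above the two fs_* calls, e.g. `# systemd-sleep creates and writes an EFI variable via efivarfs (rhbz#2249928)`, would spare the next reader a trip to the bug tracker.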