From: bigon@debian.org (Laurent Bigonville) Date: Wed, 6 Dec 2017 18:06:03 +0100 Subject: [refpolicy] [PATCH 1/2] Allow domains using sysnet_dns_name_resolve() interface to access NSS mymachines files Message-ID: <20171206170604.3036-1-bigon@debian.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Laurent Bigonville If the machine is using the mymachine NSS module, the domain doing DNS resolution should be able to access files under /run/systemd/machines/ --- policy/modules/system/sysnetwork.if | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 5b8266ca..a53122b1 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -751,6 +751,11 @@ interface(`sysnet_dns_name_resolve',` optional_policy(` nscd_use($1) ') + + # This seems needed when the mymachines NSS module is used + optional_policy(` + systemd_read_machines($1) + ') ') ######################################## -- 2.15.1
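Review bot: The comment on the added block, `# This seems needed when the mymachines NSS module is used`, is tentative and does not say what access is being granted or why. Because `systemd_read_machines($1)` is added inside `sysnet_dns_name_resolve`, every domain that calls this interface receives it, so the justification should be stated firmly in the policy itself. Suggest wording that follows the commit message, for example `# The mymachines NSS module reads files under /run/systemd/machines/`, and noting in the commit message which denial prompted the change. The commit message body also says "mymachine NSS module" while the subject and the in-code comment say "mymachines"; make the name consistent.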