From 6e7956ce424da5a6bf89f08a40d082c1df48cf68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 10 Apr 2023 05:20:56 +0200
Subject: [PATCH] Workaround Fedora selinux preventing shutdown Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2185490 QubesOS/qubes-issues#8069
---
 selinux/qubes-misc.te | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/selinux/qubes-misc.te b/selinux/qubes-misc.te
index 1a441dad6..6b73e951f 100644
--- a/selinux/qubes-misc.te
+++ b/selinux/qubes-misc.te
@@ -1,6 +1,9 @@
 policy_module(qubes-misc,0.0.1)
 require {
 attribute domain;
+ type kernel_systemctl_t;
+ type system_dbusd_t;
+ type system_dbusd_var_run_t;
 type systemd_modules_load_t;
 type iptables_t, xen_device_t;
 type local_login_t, init_t;
@@ -9,6 +12,9 @@ require {
 class service { start };
 class fifo_file { write };
 class process { transition };
+ class dir search;
+ class sock_file write;
+ class unix_stream_scoket connectto;
 }
 type qubes_var_run_t;
@@ -17,3 +23,8 @@ allow iptables_t xen_device_t:chr_file { read write };
 allow local_login_t init_t: service { start };
 allow rpmdb_t user_tmp_t:fifo_file { write };
 allow { init_t unconfined_service_t } domain:process transition;
+
+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2185490
+allow kernel_systemctl_t system_dbusd_var_run_t:dir search;
+allow kernel_systemctl_t system_dbusd_var_run_t:sock_file write;
+allow kernel_systemctl_t system_dbusd_t:unix_stream_socket connectto;
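Review bot: The `require` block in the second hunk declares `class unix_stream_scoket connectto;`, but the allow rule added in the third hunk uses `unix_stream_socket`, so the declared class name is misspelled and does not match the rule it is meant to support. Depending on how the module is built, this presumably either fails at compile or load time as an unknown class, or leaves the class the rule uses undeclared in this `require` block; the line should read `class unix_stream_socket connectto;`. The new rules are limited to `kernel_systemctl_t` acting on the two D-Bus types, which keeps the workaround narrow. It would also help to extend the comment in the third hunk to say the three rules can be removed once the referenced Fedora bug is fixed in the distribution policy, e.g. `# drop once the Fedora policy fix for bug 2185490 ships`.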