From fa1dd32079f151422b5032cd0c6f2b2a54eba278 Mon Sep 17 00:00:00 2001 From: Cathy Hu Date: Tue, 27 Aug 2024 17:19:06 +0200 Subject: [PATCH] Allow systemd-ssh-generator to load net-pf-40 see: https://www.freedesktop.org/software/systemd/man/devel/systemd-ssh-generator.html "systemd-ssh-generator binds a socket-activated SSH server to local AF_VSOCK" and modinfo suggests net-pf-40 to be the kernel modules for virtual sockets Fixes: > Aug 22 05:17:20 localhost kernel: audit: type=1400 audit(1724303839.663:5): avc: denied { module_request } for pid=593 comm="systemd-ssh-gen" kmod="net-pf-40" scontext=system_u:system_r:systemd_ssh_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 Signed-off-by: Cathy Hu --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 716b871908..06071e9aaa 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1366,6 +1366,7 @@ allow systemd_ssh_generator_t self:vsock_socket create; allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms }; dev_read_sysfs(systemd_ssh_generator_t) +kernel_request_load_module(systemd_ssh_generator_t) optional_policy(` ssh_domtrans(systemd_ssh_generator_t)
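Review bot: The added `kernel_request_load_module(systemd_ssh_generator_t)` line in the `@@ -1366,6 +1366,7 @@` hunk of policy/modules/system/systemd.te has no comment explaining why the generator needs it; the reason (creating the AF_VSOCK socket triggers a request for net-pf-40) is recorded only in the commit message. The denial being fixed is `module_request` against `kernel_t` with `tclass=system`, and `kmod="net-pf-40"` is only an audit detail, so the rule lets this domain request any module autoload, not just the vsock one. A short comment above the line, for example `# creating the AF_VSOCK socket may autoload net-pf-40`, would tie the grant to the `vsock_socket create` rule two lines earlier and make the intent clear to anyone auditing the domain later.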