From: Openkylin Developers <packaging@lists.openkylin.top>
Date: Tue, 16 Jun 2026 15:28:27 +0800
Subject: newsystemd

===================================================================
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/services/xserver.te  |  2 ++
 policy/modules/system/authlogin.if  |  1 +
 policy/modules/system/locallogin.te |  4 ++--
 policy/modules/system/systemd.if    | 18 ++++++++++++++++++
 policy/modules/system/userdomain.if | 18 ++++++++++++++++++
 6 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 72d94d1..aef42f9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1270,6 +1270,24 @@ interface(`fs_watch_memory_pressure',`
 	allow $1 memory_pressure_t:file { rw_file_perms setattr };
 ')
 
+########################################
+## <summary>
+##      Allow mounting a file ovr a memory.pressure file
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`fs_mounton_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	allow $1 memory_pressure_t:file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 13ffaca..ee99067 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -584,6 +584,8 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		auth_use_pam_systemd(xdm_t)
+		systemd_dbus_chat_hostnamed(xdm_t)
 		systemd_read_logind_runtime_files(xdm_t)
 	')
 ')
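Review bot: `systemd_dbus_chat_hostnamed(xdm_t)` gives the display manager a full bidirectional D-Bus channel to systemd-hostnamed, which is broader than a hostname lookup if that is all xdm needs; it is worth checking the denial that prompted it and whether a narrower rule suffices before granting chat. `auth_use_pam_systemd(xdm_t)` now also pulls in `systemd_logind_use_fds`, so logind gains `fd:use` on xdm_t's descriptors as a side effect; that is plausibly intended for PAM session setup but is not stated anywhere. A one-line comment above the two new calls, e.g. `# xdm runs pam_systemd and queries hostnamed at login`, would record the motivation for the next reviewer. The enclosing `optional_policy` block begins before this hunk.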
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 6b9d957..f21bead 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -91,6 +91,7 @@ interface(`auth_use_pam_systemd',`
 	systemd_connect_machined($1)
 	systemd_dbus_chat_logind($1)
 	systemd_read_logind_state($1)
+	systemd_logind_use_fds($1)
 ')
 
 ########################################
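Review bot: Adding `systemd_logind_use_fds($1)` reverses the usual direction of this interface: every caller of `auth_use_pam_systemd` now lets systemd-logind use file descriptors it receives from that caller, and the interface summary above (outside this hunk) does not mention this. Presumably this covers a descriptor pam_systemd hands to logind over D-Bus when creating the session; if so, a comment such as `# logind uses the fd pam_systemd passes with the session request` on the new line would record why the grant exists. The new call also breaks the alphabetical order the surrounding `systemd_*` calls keep; it belongs before `systemd_read_logind_state($1)`. The `auth_use_pam_systemd` definition begins before this hunk.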
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8330be8..04f8e57 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -131,8 +131,9 @@ auth_domtrans_pam_console(local_login_t)
 auth_read_pam_motd_dynamic(local_login_t)
 auth_read_shadow_history(local_login_t)
 
-# if local_login_t can not inherit fd from init it takes ages to login
+# if local_login_t can not inherit fd from init then login fails
 init_use_fds(local_login_t)
+init_use_script_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
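Review bot: The new `init_use_script_fds(local_login_t)` sits under a comment that only talks about inheriting fds from init, so a reader cannot tell why init-script descriptors are now needed as well. I would extend the comment to `# local_login_t must inherit fds from init and from init scripts, otherwise login fails`, or better name the concrete case (a getty started from a script, if that is what was observed) — the triggering denial is not shown in the patch, so this is a guess. Because the rule is unconditional it also applies to non-systemd builds; if the failing login was only seen under systemd, placing it in the init_systemd conditional block below would keep the grant narrower.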
@@ -148,7 +149,6 @@ ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
 	init_dbus_chat(local_login_t)
-	init_use_fds(local_login_t)
 
 	systemd_connect_machined(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 71abae7..a01477f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1264,6 +1264,24 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##   Allow systemd-logind to use fds received from dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_logind_use_fds',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow systemd_logind_t $1:fd use;
+')
+
 ######################################
 ## <summary>
 ##      Watch logind sessions dirs.
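Review bot: The parameter description on the new `systemd_logind_use_fds` interface does not match what the rule does: the body is `allow systemd_logind_t $1:fd use;`, so `$1` is the domain whose descriptors logind may use, not the "Domain allowed access." as documented; I would change that line to `##	Domain whose file descriptors systemd-logind may use.` and the summary to `##	Allow systemd-logind to use file descriptors received from the specified domain.` The `##` lines are also indented with three spaces where the surrounding interfaces use a tab. The name reads as if it granted the caller access to logind's fds, like `systemd_use_logind_fds` just above it, so a sentence in the summary spelling out the reversed direction would stop callers confusing the two.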
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 48850cf..c4aa798 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4188,6 +4188,24 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
 	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	watch a user domain tty.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file watch;
+')
+
 ########################################
 ## <summary>
 ##	Read and write a user domain tty.
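Review bot: The parameter description in the new `userdom_watch_user_ttys` interface says "Domain to not audit." but the rule is an `allow`, so it was evidently copied from `userdom_dontaudit_setattr_user_ttys` above; it should read `##	Domain allowed access.`. The summary should also match the capitalisation of its neighbours, i.e. `##	Watch a user domain tty.`. Nothing in this patch calls the interface, so it would help to note which domain needs `watch` on `user_tty_device_t` (presumably a systemd domain, given the patch subject) or to add the caller in the same change.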
