From 25a9bcb40569d5565a24d2eb7338bb20b4bd13e9 Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Sun, 17 Sep 2017 11:07:41 -0400
Subject: [PATCH] minor nspawn, dnsmasq, and mon patches

Label some shell scripts from bridge-utils correctly. Maybe have ifdef distro_debian around this, not sure what upstream is doing. systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a labeled chroot. Another dontaudit for mon_local_test_t to stop it spamming the logs. Support a .d directory for dnsmasq config files.
---
 policy/modules/kernel/corecommands.fc | 1 +
 policy/modules/system/systemd.te | 4 +++-
 policy/modules/system/userdomain.if | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 546de8eb3..1dff01992 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6cb1bd010..b8fc87b02 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
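Review bot: The hunk header's context line is `ifdef(`distro_gentoo',`` and nothing in the hunk shows whether that conditional is closed before line 165, so confirm that the new `/usr/lib/bridge-utils/.*\.sh` entry is not landing inside the Gentoo-only block rather than at top level; settling that also answers the commit message's own open question about wrapping it in `ifdef(`distro_debian'`. The neighbouring avahi and dhcpcd entries in the same hunk are unconditional, so an unconditional entry matches the local style if the block is indeed closed. The `--` qualifier restricts the match to regular files, which is right for scripts that are executed, but it means any bridge-utils helpers that are not named `*.sh` will stay labeled by the generic `/usr/lib` rule; worth a quick check against the package's file list.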
@@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	dev_mounton(systemd_nspawn_t)
 	dev_setattr_generic_dirs(systemd_nspawn_t)
 
-	files_search_home(systemd_nspawn_t)
+	# manage etc symlinks for /etc/localtime
+	files_manage_etc_symlinks(systemd_nspawn_t)
 	files_mounton_pid_dirs(systemd_nspawn_t)
+	files_search_home(systemd_nspawn_t)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a7c89e723..9d817e32e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2866,6 +2866,25 @@ interface(`userdom_read_user_tmpfs_files',`
 	fs_search_tmpfs($1)
 ')
 
+########################################
+## 
+## dontaudit Read attempts of user tmpfs files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`userdom_dontaudit_read_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	dontaudit $1 user_tmpfs_t:file read_file_perms;
+	dontaudit $1 user_tmpfs_t:dir list_dir_perms;
+')
+
 ########################################
 ## 
 ## relabel to/from user tmpfs dirs
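Review bot: `files_manage_etc_symlinks(systemd_nspawn_t)` grants create, unlink, rename and write on every symlink labeled etc_t, not only `/etc/localtime`, so the comment above it understates what is being allowed; I would write it as `# /etc/localtime is a symlink in a labeled chroot; this grants manage on all etc_t symlinks, not just localtime`. Since the stated need is a single well-known path, it is worth checking files.if for a write-only or narrower symlink interface before settling on full manage, and if none exists the broad grant should at least be called out in the commit message. The enclosing `tunable_policy(`systemd_nspawn_labeled_namespace'` block starts before and ends after this hunk, so the new rule is only active when that tunable is on.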
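Review bot: The new interface dontaudits `user_tmpfs_t:dir list_dir_perms` in addition to file reads, but its summary only says "dontaudit Read attempts of user tmpfs files", leaving the directory-listing half undocumented; the summary should read `Do not audit attempts to read user tmpfs files or list user tmpfs directories.`. Nothing in this patch calls the interface: the diffstat lists only corecommands.fc, systemd.te and userdomain.if, while the commit message says the dontaudit is for mon_local_test_t and also promises dnsmasq `.d` support, neither of which appears here, so either the mon and dnsmasq hunks were dropped or the message describes a different patch. A dontaudit interface conventionally mirrors the classes and permissions of the allow interface it silences; the preceding `userdom_read_user_tmpfs_files`, whose tail forms this hunk's leading context, should be checked for that pairing since its body is outside the hunk.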