From 42d46c14bcc85433e60fa5225500cca15449dcd2 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 13 Mar 2021 19:59:42 -0500
Subject: [PATCH] init, udev: various fixes for systemd

Signed-off-by: Kenton Groombridge
---
 policy/modules/system/init.te | 5 +++++
 policy/modules/system/udev.if | 40 +++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d313d70c8..f87be1877 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
 	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+	dontaudit init_t self:process { dyntransition setcurrent };
 
 	allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
 
@@ -430,6 +431,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_blk_files(init_t)
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
+	fs_read_efivarfs_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@@ -508,6 +510,9 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)
 
+	udev_relabel_rules_dirs(init_t)
+	udev_relabel_rules_files(init_t)
+
 	userdom_relabel_user_runtime_root_dirs(init_t)
 
 	tunable_policy(`init_mounton_non_security',`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 538f28514..f02b73edd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
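Review bot: The new `dontaudit init_t self:process { dyntransition setcurrent };` silences a privileged operation without saying why: dyntransition and setcurrent are the permissions that let a process change its own domain, so a denial here is precisely the event an analyst would want in the audit log if init_t were ever misbehaving, and the rule carries no comment on which systemd code path triggers the attempt. Because the commit message only says "various fixes for systemd", add a why-comment that names the trigger and records that the operation is not actually needed, e.g. `# systemd tries to set its own context; the denial is harmless, hide the noise -- TODO confirm which code path triggers it` (hedged, since the trigger is not shown in the patch). The enclosing ifdef(`init_systemd') block starts and ends outside the hunk.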
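Review bot: `fs_read_efivarfs_files(init_t)` is inserted in the middle of the fs_relabel_tmpfs_* run, directly above the `# for privatetmp functions` comment, so a reader sees an unrelated EFI-variable read grant splitting one tmpfs relabel group from the next. Move the line out of that run (next to init_t's other fs_* read grants) and give it its own why-comment, e.g. `# systemd reads EFI variables (presumably the boot loader interface) -- confirm against the denial`, since the patch does not say what systemd reads there. The enclosing block continues outside the hunk.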
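Review bot: `udev_relabel_rules_dirs(init_t)` and `udev_relabel_rules_files(init_t)` grant init_t relabelto udev_rules_t, and that composes with the relabelfrom permissions init_t already holds in this file (the fs_relabel_tmpfs_* calls a few lines up), so init_t can now label directories and files it may relabel from elsewhere as udev rules, which are presumably the rules udev loads. The pair is added without the `# for systemd to ...` style comment the neighbouring udev_read_runtime_files line has, so it is unclear which unit or tmpfiles entry needs the relabel and whether a dontaudit would have sufficed; add `# systemd relabels the udev rules directories (tmpfiles?) -- confirm trigger before keeping relabelto` above the two calls. The enclosing ifdef block starts and ends outside the hunk.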
@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
 	udev_search_runtime($1)
 ')
 
+########################################
+##
+##	Relabel udev rules directories
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_dirs',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
+########################################
+##
+##	Relabel udev rules files
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_files',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
 ########################################
 ##
 ##	Do not audit search of udev database directories. (Deprecated)
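Review bot: The two new interfaces only add `files_search_etc($1)`, while the visible tail of udev_manage_rules_files immediately above them also calls `udev_search_runtime($1)`, which suggests udev_rules_t objects live under the udev runtime directory as well as /etc; if that is the case, a relabel of the runtime copies fails on directory search and the interfaces should add `udev_search_runtime($1)` too (I cannot confirm from here, as udev_manage_rules_files starts outside the hunk). Separately, the summaries say only "Relabel udev rules directories/files", but the bodies grant relabelfrom and relabelto on udev_rules_t (`relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)`), and relabelto lets a caller with relabelfrom on other types turn those objects into udev rules; state that in the summary, e.g. `##	Relabel udev rules directories (relabelfrom/relabelto udev_rules_t; relabelto also lets the caller label other dirs as udev rules).`, and mirror it in udev_relabel_rules_files.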