From 73d8b3026cdb9372087dfeb418d9590f53d95803 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Thu, 6 Apr 2017 17:37:50 -0400
Subject: [PATCH] Systemd-related changes from Russell Coker.

---
 policy/modules/contrib              |  2 +-
 policy/modules/kernel/files.if      | 36 +++++++++++
 policy/modules/kernel/files.te      |  2 +-
 policy/modules/roles/sysadm.te      | 12 +---
 policy/modules/services/ssh.if      |  4 ++
 policy/modules/services/ssh.te      |  7 ++-
 policy/modules/services/xserver.te  |  6 +-
 policy/modules/system/fstools.te    |  3 +-
 policy/modules/system/init.if       | 94 +++++++++++++++++++++++++++++
 policy/modules/system/init.te       |  6 +-
 policy/modules/system/locallogin.te |  7 ++-
 policy/modules/system/lvm.fc        |  1 +
 policy/modules/system/lvm.te        |  7 ++-
 policy/modules/system/sysnetwork.if | 20 ++++++
 policy/modules/system/sysnetwork.te |  2 +-
 policy/modules/system/systemd.if    | 84 ++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  5 +-
 policy/modules/system/udev.te       | 12 +++-
 policy/modules/system/unconfined.if |  4 ++
 policy/modules/system/unconfined.te |  6 +-
 20 files changed, 293 insertions(+), 27 deletions(-)

diff --git a/policy/modules/contrib b/policy/modules/contrib
index ecfc24a33..443f5abc9 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit ecfc24a33fa1c1e53f73960954d74887d9a80f93
+Subproject commit 443f5abc9ca3e5f10ecbccde88dbf8d7906cab81
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b3fb49873..28a6f7f39 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
 	allow $1 etc_t:service status;
 ')
 
+########################################
+## <summary>
+##	start etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_start_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+##	stop etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_stop_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service stop;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 67be5c71c..c979bcc1b 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.10)
+policy_module(files, 1.23.11)
 
 ########################################
 #
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5b49dc18e..e790e4257 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.3)
+policy_module(sysadm, 2.11.4)
 
 ########################################
 #
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
-init_get_system_status(sysadm_t)
-init_disable(sysadm_t)
-init_enable(sysadm_t)
-init_reload(sysadm_t)
-init_reboot_system(sysadm_t)
-init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_admin(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 21374c77e..2ea91129f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -271,6 +271,10 @@ template(`ssh_server_template', `
 		files_read_var_lib_symlinks($1_t)
 		nx_spec_domtrans_server($1_t)
 	')
+
+	optional_policy(`
+		systemd_read_logind_sessions_files($1_t)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 13e9a7388..94c00e2ae 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.9.2)
+policy_module(ssh, 2.9.3)
 
 ########################################
 #
@@ -316,6 +316,11 @@ optional_policy(`
 	rssh_read_ro_content(sshd_t)
 ')
 
+optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
+	systemd_dbus_chat_logind(sshd_t)
+')
+
 optional_policy(`
 	unconfined_shell_domtrans(sshd_t)
 ')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f0d3c688b..141bf2e81 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.6)
+policy_module(xserver, 3.13.7)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
 kernel_request_load_module(xauth_t)
 
 domain_use_interactive_fds(xauth_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 9d729671e..a56bfc052 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.1)
+policy_module(fstools, 1.20.2)
 
 ########################################
 #
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e68e8d8a5..006513b4f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1175,6 +1175,25 @@ interface(`init_search_pids',`
 	allow $1 init_var_run_t:dir search_dir_perms;
 ')
 
+######################################
+## <summary>
+##  Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_list_pids',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	files_search_pids($1)
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init PID directory.
@@ -1575,6 +1594,25 @@ interface(`init_all_labeled_script_domtrans',`
 	init_labeled_script_domtrans($1, init_script_file_type)
 ')
 
+########################################
+## <summary>
+##      Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`init_get_script_status',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	allow $1 initrc_exec_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	Allow the role to start and stop
@@ -2823,6 +2861,26 @@ interface(`init_get_all_units_status',`
 	allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
+#######################################
+## <summary>
+##      All perms on all systemd units.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service all_service_perms;
+	')
+
+	allow $1 systemdunit:service all_service_perms;
+	allow $1 systemdunit:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Start all systemd units.
@@ -2879,3 +2937,39 @@ interface(`init_reload_all_units',`
 
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
+
+########################################
+## <summary>
+##      Allow unconfined access to send instructions to init
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`init_admin',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	dev_manage_null_service($1)
+	init_disable($1)
+	init_enable($1)
+	init_get_all_units_status($1)
+	init_get_generic_units_status($1)
+	init_get_system_status($1)
+	init_manage_all_units($1)
+	init_manage_script_service($1)
+	init_reboot_system($1)
+	init_reload($1)
+	init_reload_all_units($1)
+	init_shutdown_system($1)
+	init_start_all_units($1)
+	init_start_generic_units($1)
+	init_stop_all_units($1)
+	init_stop_generic_units($1)
+	init_stop_system($1)
+	init_telinit($1)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6027a32bd..4a6467a5e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.15)
+policy_module(init, 2.2.16)
 
 gen_require(`
 	class passwd rootok;
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
 	seutil_read_default_contexts(initrc_t)
 
 	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
-	sysnet_create_config(initrc_t)
-	sysnet_write_config(initrc_t)
-	sysnet_setattr_config(initrc_t)
+	sysnet_manage_config(initrc_t)
 
 	optional_policy(`
 		abrt_manage_pid_files(initrc_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 6a9277fbf..c7aaa731f 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.15.3)
+policy_module(locallogin, 1.15.4)
 
 ########################################
 #
@@ -192,6 +192,11 @@ optional_policy(`
 	nscd_use(local_login_t)
 ')
 
+optional_policy(`
+	systemd_dbus_chat_logind(local_login_t)
+	systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
 optional_policy(`
 	unconfined_shell_domtrans(local_login_t)
 ')
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index b92460211..12438b7d9 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/lvm-10/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.*	--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.*			--	gen_context(system_u:object_r:lvm_unit_t,s0)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 815d07486..7ba62cb54 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.7)
+policy_module(lvm, 1.19.8)
 
 ########################################
 #
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
 kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
 
 logging_send_syslog_msg(lvm_t)
 
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692c0..5b8266cae 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -416,6 +416,25 @@ interface(`sysnet_create_config',`
 	allow $1 net_conf_t:file create_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Relabel network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_relabel_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file { relabelfrom relabelto };
+')
+
 #######################################
 ## <summary>
 ##	Create files in /etc with the type used for
@@ -455,6 +474,7 @@ interface(`sysnet_manage_config',`
 		type net_conf_t;
 	')
 
+	files_search_etc($1)
 	allow $1 net_conf_t:file manage_file_perms;
 
 	ifdef(`distro_debian',`
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c9b8a70a4..2c969b553 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.7)
+policy_module(sysnetwork, 1.20.8)
 
 ########################################
 #
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 5e5268c07..cd6d2e4a2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -58,6 +58,26 @@ interface(`systemd_manage_logind_pid_pipes',`
 	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
 ')
 
+######################################
+## <summary>
+##     Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_write_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	init_search_run($1)
+	files_search_pids($1)
+	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
 ######################################
 ## <summary>
 ##   Use inherited systemd
@@ -77,6 +97,27 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Read logind sessions files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+	gen_require(`
+		type systemd_sessions_var_run_t, systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	init_search_run($1)
+	allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+	read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
 ######################################
 ## <summary>
 ##      Write inherited logind sessions pipes.
@@ -170,6 +211,25 @@ interface(`systemd_signull_logind',`
 	allow $1 systemd_logind_t:process signull;
 ')
 
+########################################
+## <summary>
+##	Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+	gen_require(`
+		type systemd_machined_var_run_t;
+	')
+
+	allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+	allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      allow systemd_passwd_agent to inherit fds
@@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',`
 	allow systemd_passwd_agent_t $1:fd use;
 ')
 
+#######################################
+## <summary>
+##	Allow a systemd_passwd_agent_t process to interact with a daemon
+##	that needs a password from the sysadmin.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+		type systemd_passwd_var_run_t;
+	')
+
+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##      Transition to systemd_passwd_var_run_t when creating dirs
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 672d289d3..210ebc1d7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.15)
+policy_module(systemd, 1.3.16)
 
 #########################################
 #
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t)
 seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
-sysnet_create_config(systemd_tmpfiles_t)
+sysnet_manage_config(systemd_tmpfiles_t)
+sysnet_relabel_config(systemd_tmpfiles_t)
 
 systemd_log_parse_environment(systemd_tmpfiles_t)
 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f5f2f77c0..e1749ef93 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.6)
+policy_module(udev, 1.21.7)
 
 ########################################
 #
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
@@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
 init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+# for hdparm init script run by udev
+init_get_script_status(udev_t)
 
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
@@ -228,6 +235,7 @@ ifdef(`init_systemd',`
 
 	init_dgram_send(udev_t)
 
+	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)
 ',`
 	fs_manage_tmpfs_dirs(udev_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3f7f66a73..02f9dfce0 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
+		class service all_service_perms;
 	')
 
 	# Use most Linux capabilities
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
+	files_get_etc_unit_status($1)
+	files_start_etc_service($1)
+	files_stop_etc_service($1)
 
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 3a57bc13d..bb88f2610 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.2)
+policy_module(unconfined, 3.9.3)
 
 ########################################
 #
@@ -95,6 +95,10 @@ optional_policy(`
 	hadoop_role(unconfined_r, unconfined_t)
 ')
 
+optional_policy(`
+	init_admin(unconfined_t)
+')
+
 optional_policy(`
 	inn_domtrans(unconfined_t)
 ')