From 40bf66309039c116bd771db09c99a2e473a5a3cc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 15 Mar 2019 16:38:44 -0400
Subject: [PATCH 1/3] systemd: Drop unconfined kernel access for systemd_nspawn.

Revise kernel assertion to /proc/kmsg to be more precise.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/system/systemd.te | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e971c5331..863c25d6e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -84,7 +84,7 @@ genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
 # kernel message interface
 type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
-neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read;
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 07529a5de..10e59cf62 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -745,7 +745,6 @@ kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
-kernel_unconfined(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)

From 99f967d3b5f5241bd687c69510e0fa44375a4548 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 15 Mar 2019 16:40:23 -0400
Subject: [PATCH 2/3] udev: Drop write by udev to its executable.

This removes one vector for arbitrary code execution if udev is compromised.

Signed-off-by: Chris PeBenito
---
 policy/modules/system/udev.te | 1 -
 1 file changed, 1 deletion(-)
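Review bot: The rewritten assertion on the `+neverallow` line now forbids only `read` on proc_kmsg_t, so a domain outside `can_receive_kernel_messages`/`kern_unconfined` can be granted `open`, `ioctl`, `mounton` or any other file permission on /proc/kmsg without tripping the check, all of which the old `~getattr` form rejected. The commit message calls this "more precise" but does not say which access the wider form was blocking; presumably it is tied to the systemd.te hunk in the same patch that drops `kernel_unconfined(systemd_nspawn_t)`, which implies that domain needs some non-read access to /proc/kmsg, and that access should then be granted explicitly in systemd.te rather than left implicit. I would record the rationale next to the rule, e.g. `# only reading kernel messages is asserted; other access (e.g. getattr/mounton for container managers) may be granted explicitly`, or keep the denial broad with `~{ getattr mounton }` if that is the only access the unconfined drop uncovered, which is worth confirming against the systemd_nspawn_t rules.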
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6190a46d3..134ea86ab 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -66,7 +66,6 @@ allow udev_t self:rawip_socket create_socket_perms;
 
 # for systemd-udevd to rename interfaces
 allow udev_t self:netlink_route_socket nlmsg_write;
-allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
 allow udev_t udev_helper_exec_t:dir list_dir_perms;

From e19f3d658cfd29311cfd1de904efa0815d62f6cf Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 18 Mar 2019 09:08:16 -0400
Subject: [PATCH 3/3] init: Remove duplicate setenforce rule for init scripts.

Signed-off-by: Chris PeBenito
---
 policy/modules/system/init.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 95d2b26fa..08dd6cf25 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -987,8 +987,6 @@ ifdef(`init_systemd',`
 # for logsave in strict configuration
 fstools_write_log(initrc_t)
 
-selinux_set_enforce_mode(initrc_t)
-
 init_get_all_units_status(initrc_t)
 init_manage_var_lib_files(initrc_t)
 init_rw_stream_sockets(initrc_t)