From 50b988606100abb7cb504e5014dd4138805525f7 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 22 Dec 2019 17:29:58 +0100
Subject: [PATCH] init: allow systemd to mount over /dev/kmsg and /proc/kmsg

When spawning services such as systemd-timedated with systemd 244,
systemd now mounts an inaccessible directory on /dev/kmsg and
/proc/kmsg:

    type=AVC msg=audit(1576535711.579:363): avc:  denied  { mounton }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=9055
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
    permissive=1

    type=AVC msg=audit(1576535711.583:364): avc:  denied  { getattr }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1

    type=AVC msg=audit(1576535711.589:365): avc:  denied  { mounton }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1

Running "findmnt" in the resulting mount namespace shows:

    |-/dev         dev                             devtmpfs   rw,...
    | `-/dev/kmsg  run[/systemd/inaccessible/chr]  tmpfs      ro,...

    |-/proc        proc                            proc       rw,...
    | `-/proc/kmsg run[/systemd/inaccessible/reg]  tmpfs      ro,...

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.te    |  2 ++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 44479fe5f..6ace740f0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2352,6 +2352,24 @@ interface(`dev_rw_kmsg',`
 	rw_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
 
+########################################
+## <summary>
+##	Mount on the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_kmsg',`
+	gen_require(`
+		type kmsg_device_t;
+	')
+
+	allow $1 kmsg_device_t:chr_file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the ksm devices.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8973a622a..4f8157671 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -286,6 +286,7 @@ ifdef(`init_systemd',`
 	kernel_search_key(init_t)
 	kernel_setsched(init_t)
 	kernel_rw_unix_sysctls(init_t)
+	kernel_mounton_message_if(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -297,6 +298,7 @@ ifdef(`init_systemd',`
 	dev_relabel_all_sysfs(init_t)
 	dev_relabel_generic_symlinks(init_t)
 	dev_read_urand(init_t)
+	dev_mounton_kmsg(init_t)
 	dev_write_kmsg(init_t)
 	dev_write_urand(init_t)
 	dev_rw_lvm_control(init_t)