From ada848b35254fb00c4264114c011df2047ba2fcb Mon Sep 17 00:00:00 2001
From: bauen1
Date: Thu, 4 Jun 2020 10:30:19 +0200
Subject: [PATCH 1/3] systemd: private type for /run/systemd/userdb

Signed-off-by: bauen1
---
 policy/modules/system/init.te | 3 ++
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.if | 56 ++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te | 3 ++
 4 files changed, 63 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ffd29be79..af237cd3b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -469,6 +469,9 @@ ifdef(`init_systemd',`
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
 systemd_rw_networkd_netlink_route_sockets(init_t)
+ systemd_manage_userdb_runtime_sock_files(init_t)
+ systemd_manage_userdb_runtime_dirs(init_t)
+ systemd_filetrans_userdb_runtime_dirs(init_t)
 
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index b48612f19..29986a92f 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -70,6 +70,7 @@
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
+/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 262c26d18..895437e78 100644
--- a/policy/modules/system/systemd.if
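Review bot: The three calls added after `systemd_rw_networkd_netlink_route_sockets(init_t)` break the alphabetical order that the surrounding `systemd_*` calls in this hunk follow; `systemd_filetrans_userdb_runtime_dirs` sorts before the two `systemd_manage_*` calls, and all three belong before `systemd_relabelto_journal_dirs(init_t)`. This is a style point only; the permissions are the ones init_t needs to create and label the directory this series introduces. The enclosing `ifdef(`init_systemd',` block starts and ends outside the hunk.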
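Review bot: The new pattern `/run/systemd/userdb(/.*)?` labels every entry created under that directory `systemd_userdb_runtime_t`, not only the socket PID 1 creates, so any other domain that later places a socket there will need `systemd_manage_userdb_runtime_sock_files` or a narrower create interface. Within this series only init_t is given that access, which looks intentional, but the choice of a single shared label for the whole directory is worth a sentence in the commit message. The fc line itself needs no change.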
+++ b/policy/modules/system/systemd.if
@@ -426,6 +426,42 @@ interface(`systemd_signull_logind',`
 allow $1 systemd_logind_t:process signull;
 ')
 
+########################################
+##
+## Manage systemd userdb runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
+########################################
+##
+## Manage socket files under /run/systemd/userdb .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_userdb_runtime_sock_files', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
 ########################################
 ##
 ## Allow reading /run/systemd/machines
@@ -528,6 +564,26 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
 ')
 
+########################################
+##
+## Transition to systemd_userdb_runtime_t when
+## creating the userdb directory inside an init runtime
+## directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_filetrans_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+')
+
 ######################################
 ##
 ## Allow to domain to create systemd-passwd symlink
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9843dd96e..2c169b554 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
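Review bot: `systemd_manage_userdb_runtime_dirs` and `systemd_manage_userdb_runtime_sock_files` grant access to objects under `/run/systemd/userdb` but not search on `/run/systemd` itself, unlike `systemd_stream_connect_userdb` in patch 2, which begins with `init_search_runtime($1)`; a caller other than init_t that does not already have that search access would be stopped before reaching the directory. I would add `init_search_runtime($1)` before each `manage_*_pattern` line. Separately, the new headers use `', `` with a space after the comma while the existing headers in this file (see `interface(`systemd_signull_logind',`` in the context) use `',`; the same applies to `systemd_filetrans_userdb_runtime_dirs` in the next hunk and to `systemd_stream_connect_userdb` in patch 2.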
@@ -242,6 +242,9 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 
+type systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdb_runtime_t)
+
 #
 # Unit file types
 #

From 69b709930a54c6d7aa2a63e448b1a3e7c2522a5d Mon Sep 17 00:00:00 2001
From: bauen1
Date: Thu, 4 Jun 2020 17:45:35 +0200
Subject: [PATCH 2/3] authlogin: connect to userdb

Signed-off-by: bauen1
---
 policy/modules/system/authlogin.te | 4 ++++
 policy/modules/system/init.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 0fc5951e9..e5049e1fd 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -426,6 +426,10 @@ files_read_etc_files(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
 
+ifdef(`init_systemd', `
+ systemd_stream_connect_userdb(nsswitch_domain)
+')
+
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 miscfiles_read_generic_certs(nsswitch_domain)
 sysnet_use_ldap(nsswitch_domain)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 66482eb35..3a60ebd42 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -923,6 +923,25 @@ interface(`init_stream_connect',`
 allow $1 init_t:unix_stream_socket getattr;
 ')
 
+########################################
+##
+## Connect to init with a unix socket.
+## Without any additional permissions.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_unix_stream_socket_connectto',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
+')
+
 ########################################
 ##
 ## Inherit and use file descriptors from init.
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 895437e78..c8f33d51d 100644
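Review bot: `systemd_stream_connect_userdb(nsswitch_domain)` gives every member of the broad nsswitch_domain attribute `connectto` on all unix stream sockets owned by init_t (through `init_unix_stream_socket_connectto`), because the kernel checks `connectto` against the listening process's socket, not against the path; what keeps this limited to the userdb socket is that `write` is only allowed on sock_files labelled `systemd_userdb_runtime_t`, and that only holds for domains with no other write access to init_t's sock_files. That reasoning is not recorded anywhere and deserves a comment above the block, e.g. `# connectto is checked on init_t's socket; reach is bounded by the sock_file label`. The `ifdef(`init_systemd', `` spelling also differs from the `ifdef(`init_systemd',`` form visible in the init.te hunk of patch 1.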
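Review bot: The summary of `init_unix_stream_socket_connectto` ("Without any additional permissions.") does not say what the interface is for or how it differs from `init_stream_connect` directly above it, whose tail in the context also grants `getattr`; a reader has to guess that it is meant to be paired with a write rule on one specific sock_file. I would word the summary as `## Connect to unix stream sockets owned by init. Grants only connectto; callers must separately allow write on the sock_file they target, which bounds which sockets are reachable.` The body of `init_stream_connect` begins outside the hunk.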
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -462,6 +462,27 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
 ')
 
+########################################
+##
+## Connect to /run/systemd/userdb/io.systemd.DynamicUser .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_stream_connect_userdb', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ init_search_runtime($1)
+ allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+ allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ init_unix_stream_socket_connectto($1)
+')
+
 ########################################
 ##
 ## Allow reading /run/systemd/machines

From b172fd71d2ccea3890eb4575d68e25f4b49591f1 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Thu, 4 Jun 2020 18:41:21 +0200
Subject: [PATCH 3/3] systemd-logind: utilize nsswitch

Signed-off-by: bauen1
---
 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2c169b554..2ca95cebc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -550,7 +550,6 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
-files_read_etc_files(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
@@ -574,6 +573,7 @@ term_setattr_unallocated_ttys(systemd_logind_t)
 term_use_unallocated_ttys(systemd_logind_t)
 
 auth_manage_faillog(systemd_logind_t)
+auth_use_nsswitch(systemd_logind_t)
 
 init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
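Review bot: The summary `Connect to /run/systemd/userdb/io.systemd.DynamicUser .` is narrower than what `systemd_stream_connect_userdb` grants: `write_sock_file_perms` covers every sock_file labelled `systemd_userdb_runtime_t`, which per the fc entry in patch 1 is everything under `/run/systemd/userdb`, so any socket a later service puts there becomes reachable too. I would state that in the summary, e.g. `## Connect to the user database sockets under /run/systemd/userdb .` Also, `list_dir_perms` on the directory is broader than the `search_dir_perms` a connect needs; keep it only if the client is expected to enumerate the directory to discover sockets, otherwise narrow it.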
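Review bot: Replacing `files_read_etc_files(systemd_logind_t)` with `auth_use_nsswitch(systemd_logind_t)` gives logind the whole nsswitch_domain attribute (assuming `auth_use_nsswitch` assigns it, as using it in place of the per-domain rule suggests), which from the authlogin.te hunk in patch 2 includes `sysnet_dns_name_resolve` and the ldap tunable in addition to the userdb socket access this series is after; the commit message should say that this broadening of logind is deliberate. Dropping the read rule is only safe because `files_read_etc_files(nsswitch_domain)` appears as the function context of that same hunk, so the access presumably returns through the attribute; if only the userdb socket is wanted, `systemd_stream_connect_userdb(systemd_logind_t)` would be the minimal alternative. Both hunks of this file are covered by this note.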