From a7e34076061e2500204938508e2a92ca509d41aa Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Thu, 29 Aug 2019 20:05:29 +0200 Subject: [PATCH] systemd: introduce an interface for services using PrivateDevices=yes When a service is configured with PrivateDevices=yes, its /dev directory has label tmpfs_t. This requires allowing more accesses in order for the service to use /dev. This is related to https://github.com/SELinuxProject/refpolicy/pull/61 Signed-off-by: Nicolas Iooss --- policy/modules/system/systemd.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 2f782d9d7..28f96fab4 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -76,6 +76,24 @@ interface(`systemd_log_parse_environment',` typeattribute $1 systemd_log_parse_env_type; ') +###################################### +## +## Allow domain to be used as a systemd service with a unit +## that uses PrivateDevices=yes in section [Service]. +## +## +## +## Domain allowed access +## +## +# +interface(`systemd_PrivateDevices',` + # For services using PrivateDevices, systemd mounts a dedicated + # tmpfs filesystem for the /dev, which gets label tmpfs_t. + # Allow to traverse /dev and to read symlinks in /dev (for example /dev/log) + fs_read_tmpfs_symlinks($1) +') + ####################################### ## ## Allow domain to read udev hwdb file
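Review bot: The new interface name `systemd_PrivateDevices` breaks the lowercase naming convention used by every other interface in this file (compare `systemd_log_parse_environment` in the surrounding context); consider `systemd_private_devices` so callers and `sepolicy`-style tooling do not have to special-case it. Within the body, the comment promises both "to traverse /dev and to read symlinks in /dev", yet the only call is `fs_read_tmpfs_symlinks($1)`; if that interface does not itself grant `search` on `tmpfs_t` directories, a service with `PrivateDevices=yes` will still be denied the `dir search` needed to reach `/dev/log`, so either add an explicit `fs_search_tmpfs($1)` alongside it or narrow the comment to what `fs_read_tmpfs_symlinks` actually permits. The commit message also states that PrivateDevices "requires allowing more accesses in order for the service to use /dev" but the patch covers only symlink reads; a short note in the interface documentation block saying that device-node access (for example on `/dev/null` or `/dev/urandom`, which systemd bind-mounts into the private `/dev`) still has to come from the service's own `dev_*` rules would keep callers from assuming this one interface is sufficient.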