From b9470d408a1ba591fd2ed54c93269019be577ebd Mon Sep 17 00:00:00 2001
From: Krzysztof Nowicki
Date: Mon, 24 Feb 2020 08:24:18 +0100
Subject: [PATCH] Allow systemd to relabel startup-important directories

Signed-off-by: Krzysztof Nowicki
---
 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
 policy/modules/system/init.te | 12 +++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 648abb480..e0a7e4bc7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5076,6 +5076,25 @@ interface(`fs_relabel_tmpfs_blk_file',`
 fs_relabel_tmpfs_blk_files($1)
 ')
+########################################
+##
+## Relabel named pipes on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabel_tmpfs_fifo_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
 ########################################
 ##
 ## Read and write, create and delete generic
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1003c3d33..4734a9510 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -252,9 +252,10 @@ ifdef(`init_systemd',`
 allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
- # for /run/systemd/inaccessible/{chr,blk}
- allow init_t init_runtime_t:blk_file create_blk_file_perms;
- allow init_t init_runtime_t:chr_file create_chr_file_perms;
+ # for /run/systemd/inaccessible/{chr,blk,fifo}
+ allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
+ allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
+ allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };
 allow init_t systemprocess:process { dyntransition siginh };
 allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
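Review bot: The new `fs_relabel_tmpfs_fifo_files` interface grants both relabel directions on `tmpfs_t` fifo files via `relabel_fifo_files_pattern`, while the only consumer added by this patch (init.te, hunk `@@ -411,6 +412,9 @@`) pairs it with `relabelto` on `init_runtime_t`, which suggests the flow it needs is tmpfs_t → init_runtime_t, i.e. `relabelfrom` on tmpfs_t alone. The same file already carries a direction-specific variant for this case (`fs_relabelfrom_tmpfs_symlinks`, visible in that hunk's context), so a narrower `fs_relabelfrom_tmpfs_fifo_files` built on `relabelfrom_fifo_files_pattern($1, tmpfs_t, tmpfs_t)` would match the existing precedent and keep init_t from being able to relabel arbitrary tmpfs fifos back to tmpfs_t; keeping the wide form is defensible only for symmetry with the existing blk/chr interfaces, and that reasoning belongs in the commit message. The bare `+##` lines shown here appear to have lost their `<summary>`/`<param>` markup in rendering rather than in the patch itself, so I am not raising them as a defect.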
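Review bot: The comment on the new rules lists `/run/systemd/inaccessible/{chr,blk,fifo}`, but systemd versions of this era also populate that directory with a socket node (`sock`) next to the fifo, so if the relabel is applied per node type it is worth confirming whether `allow init_t init_runtime_t:sock_file { create_sock_file_perms relabelto };` (and a matching tmpfs interface) is needed, or stating in the comment why sock is excluded — I cannot verify the targeted systemd version from the hunk. Adding `relabelto` alongside the existing create permissions does not widen init_t's reach meaningfully, since it could already create these device nodes under `init_runtime_t`; it mainly lets it fix up nodes created with the tmpfs default label. The enclosing `ifdef(`init_systemd',`` block starts and ends outside the hunk.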
@@ -411,6 +412,9 @@ ifdef(`init_systemd',`
 fs_remount_all_fs(init_t)
 fs_relabelfrom_tmpfs_symlinks(init_t)
 fs_unmount_all_fs(init_t)
+ fs_relabel_tmpfs_blk_files(init_t)
+ fs_relabel_tmpfs_chr_files(init_t)
+ fs_relabel_tmpfs_fifo_files(init_t)
 # for privatetmp functions
 fs_relabel_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_files(init_t)
@@ -485,6 +489,8 @@ ifdef(`init_systemd',`
 # for systemd to read udev status
 udev_read_runtime_files(init_t)
+ userdom_relabel_user_runtime_root_dirs(init_t)
+
 tunable_policy(`init_mounton_non_security',`
 files_mounton_non_security(init_t)
 ')
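Review bot: The three new `fs_relabel_tmpfs_*_files(init_t)` calls carry no comment saying which paths they serve, unlike the adjacent `# for privatetmp functions` group directly below them and the `# for /run/systemd/inaccessible/{chr,blk,fifo}` comment the same patch adds to the `init_runtime_t` rules, so a reader cannot tell the two relabel groups apart. I would prefix them with the same line, `# for /run/systemd/inaccessible/{chr,blk,fifo}`, so the tmpfs-side and init_runtime_t-side halves of this permission are visibly tied together. Since `fs_relabel_tmpfs_*_files` grants both relabel directions on tmpfs_t, it is worth checking whether the relabelfrom-only form (as used for `fs_relabelfrom_tmpfs_symlinks` three lines up) is sufficient here. The enclosing `ifdef(`init_systemd',`` block starts and ends outside the hunk.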
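Review bot: `userdom_relabel_user_runtime_root_dirs(init_t)` is added without the one-line rationale comment that every neighbouring rule in this block carries (e.g. `# for systemd to read udev status`), and neither the hunk nor the commit message says which startup path needs it or why init, rather than the logind/user-session domain, must do the relabel. I would add a comment such as `# for relabeling the user runtime root dir (presumably /run/user) at startup — confirm path` above the call, so a later reviewer can tell whether the permission is still required. The enclosing `ifdef(`init_systemd',`` block starts and ends outside the hunk.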