From aa6c7f28f269eb8194dcac6f1e572f1c2197577b Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Thu, 4 Jun 2020 22:03:34 +0200
Subject: [PATCH 1/7] allow most common permissions for systemd sandboxing
 options

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/kernel/devices.if  | 36 +++++++++++++++++++++++++++
 policy/modules/kernel/terminal.if | 41 +++++++++++++++++++++++++++++++
 policy/modules/system/init.te     |  7 ++++++
 3 files changed, 84 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 9f6c79293..406b29796 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3791,6 +3791,24 @@ interface(`dev_write_rand',`
 	write_chr_files_pattern($1, device_t, random_device_t)
 ')
 
+########################################
+## <summary>
+##  Create the random device (/dev/random).
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dev_create_rand_dev',`
+	gen_require(`
+		type device_t, random_device_t;
+	')
+
+	create_chr_files_pattern($1, device_t, random_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the realtime clock (/dev/rtc).
@@ -4675,6 +4693,24 @@ interface(`dev_write_urand',`
 	write_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##  Create the urandom device (/dev/urandom).
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dev_create_urand_dev',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	create_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Getattr generic the USB devices.
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 2b56068be..aece29822 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -729,6 +729,27 @@ interface(`term_dontaudit_use_generic_ptys',`
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##  Create the tty device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_create_controlling_term',`
+	gen_require(`
+		type devtty_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	dev_add_entry_generic_dirs($1)
+	allow $1 devtty_t:chr_file create_chr_file_perms;
+	allow $1 self:capability mknod;
+')
+
 #######################################
 ## <summary>
 ##	Set the attributes of the tty device
@@ -768,6 +789,26 @@ interface(`term_use_controlling_term',`
 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
 ')
 
+#######################################
+## <summary>
+##  Create the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_create_ptmx',`
+	gen_require(`
+		type ptmx_t;
+	')
+
+	dev_add_entry_generic_dirs($1)
+	allow $1 ptmx_t:chr_file create_chr_file_perms;
+	allow $1 self:capability mknod;
+')
+
 #######################################
 ## <summary>
 ##	Get the attributes of the pty multiplexor (/dev/ptmx).
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4970e0b61..5d52490bb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -332,6 +332,11 @@ ifdef(`init_systemd',`
 	dev_manage_sysfs_dirs(init_t)
 	dev_relabel_sysfs_dirs(init_t)
 	dev_read_usbfs(initrc_t)
+	# sandbox
+	dev_create_null_dev(init_t)
+	dev_create_zero_dev(init_t)
+	dev_create_rand_dev(init_t)
+	dev_create_urand_dev(init_t)
 	# systemd writes to /dev/watchdog on shutdown
 	dev_write_watchdog(init_t)
 
@@ -458,6 +463,8 @@ ifdef(`init_systemd',`
 	systemd_rw_networkd_netlink_route_sockets(init_t)
 
 	term_create_devpts_dirs(init_t)
+	term_create_ptmx(init_t)
+	term_create_controlling_term(init_t)
 
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)

From d9a58c8434d23a085ad1049004fb0378a06baa93 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Thu, 11 Jun 2020 18:37:17 +0200
Subject: [PATCH 2/7] terminal: cleanup term_create interfaces

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/kernel/terminal.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index aece29822..4bd4884f8 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -163,6 +163,7 @@ interface(`term_create_devpts_dirs',`
 		type devpts_t;
 	')
 
+	dev_add_entry_generic_dirs($1)
 	allow $1 devpts_t:dir create_dir_perms;
 ')
 
@@ -395,7 +396,7 @@ interface(`term_create_console_dev',`
 	')
 
 	dev_add_entry_generic_dirs($1)
-	allow $1 console_device_t:chr_file create;
+	allow $1 console_device_t:chr_file create_chr_file_perms;
 	allow $1 self:capability mknod;
 ')
 

From 0a596401f11a483f54aaf3a2b601af5fd3fee5ce Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Fri, 17 Apr 2020 20:42:18 +0200
Subject: [PATCH 3/7] logrotate.service sandbox required permissions

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/kernel/files.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index a681ec51a..24eae3b4d 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -101,6 +101,10 @@ files_mountpoint(mnt_t)
 type modules_object_t;
 files_type(modules_object_t)
 
+optional_policy(`
+	init_mountpoint(modules_object_t)
+')
+
 type no_access_t;
 files_type(no_access_t)
 

From 83a39ad4fdce90e2a9c4bc765a338ef7f06ae2e5 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Sat, 16 May 2020 22:45:36 +0200
Subject: [PATCH 4/7] udev.service sandbox required permissions

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/kernel/kernel.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 9600ec1fd..562671bcd 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -136,6 +136,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 
+optional_policy(`
+	init_mountpoint(sysctl_kernel_t)
+')
+
 # /sys/kernel/ns_last_pid file
 type sysctl_kernel_ns_last_pid_t, sysctl_type;
 genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)

From e20db26b7b7be4cf98989662a8bdc62d8d1b7b51 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Sun, 17 May 2020 13:36:56 +0200
Subject: [PATCH 5/7] systemd-timesyncd.service sandbox requried permissions

For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.:

Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc:  granted  { create } for  pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/kernel/devices.te    | 6 +++++-
 policy/modules/kernel/files.te      | 4 ++++
 policy/modules/kernel/filesystem.te | 4 ++++
 policy/modules/kernel/kernel.te     | 8 ++++++++
 policy/modules/services/ntp.te      | 2 ++
 policy/modules/system/init.te       | 1 +
 6 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 2795ad803..33f743b83 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -197,6 +197,10 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
+optional_policy(`
+	init_mountpoint(mtrr_device_t)
+')
+
 #
 # null_device_t is the type of /dev/null.
 #
@@ -285,7 +289,7 @@ type tpm_device_t;
 dev_node(tpm_device_t)
 
 #
-# uhid_device_t is the thpe of /dev/uhid - 
+# uhid_device_t is the type of /dev/uhid -
 # User-space I/O driver support for HID subsystem
 #
 type uhid_device_t;
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 24eae3b4d..9cd71d5ab 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -136,6 +136,10 @@ type system_map_t;
 files_type(system_map_t)
 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
 
+optional_policy(`
+	init_mountpoint(system_map_t)
+')
+
 #
 # tmp_t is the type of the temporary directories
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a6a56bf1e..a345398fa 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -181,6 +181,10 @@ type tracefs_t;
 fs_type(tracefs_t)
 genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
 
+optional_policy(`
+	init_mountpoint(tracefs_t)
+')
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 562671bcd..750dccac7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -95,6 +95,10 @@ type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
+optional_policy(`
+	init_mountpoint(proc_kcore_t)
+')
+
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
 
@@ -119,6 +123,10 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
 type sysctl_irq_t, sysctl_type;
 genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 
+optional_policy(`
+	init_mountpoint(sysctl_irq_t)
+')
+
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index a8ab90d47..b5dc138d2 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -12,6 +12,7 @@ files_config_file(ntp_conf_t)
 
 type ntp_drift_t;
 files_type(ntp_drift_t)
+init_mountpoint(ntp_drift_t)
 
 type ntpd_t;
 type ntpd_exec_t;
@@ -33,6 +34,7 @@ logging_log_file(ntpd_log_t)
 
 type ntpd_pid_t;
 files_pid_file(ntpd_pid_t)
+init_mountpoint(ntpd_pid_t)
 
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d52490bb..cc9438ce5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -408,6 +408,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
 	fs_relabelfrom_tmpfs_sockets(init_t)
+	fs_manage_tmpfs_symlinks(init_t)
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)

From 93beef3ce52df1a7fdc2b7938a92e54b7e41d2b3 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Sun, 17 May 2020 13:37:04 +0200
Subject: [PATCH 6/7] systemd-logind.service sandbox required permissions

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/system/systemd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index bff2471cf..de9d6fb74 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -137,13 +137,16 @@ init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 
 type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
 files_pid_file(systemd_logind_inhibit_runtime_t)
+init_mountpoint(systemd_logind_inhibit_runtime_t)
 
 type systemd_logind_runtime_t alias systemd_logind_var_run_t;
 files_pid_file(systemd_logind_runtime_t)
 init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_mountpoint(systemd_logind_runtime_t)
 
 type systemd_logind_var_lib_t;
 files_type(systemd_logind_var_lib_t)
+init_mountpoint(systemd_logind_var_lib_t)
 
 type systemd_machined_t;
 type systemd_machined_exec_t;
@@ -222,6 +225,7 @@ init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
 type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
 files_pid_file(systemd_sessions_runtime_t)
 init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
+init_mountpoint(systemd_sessions_runtime_t)
 
 type systemd_tmpfiles_t;
 type systemd_tmpfiles_exec_t;

From 0f4eb2a324f7c5e1d618b7035377525bddcd75f2 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Sat, 16 May 2020 22:25:40 +0200
Subject: [PATCH 7/7] init: fix systemd boot

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/system/init.te    |  1 +
 policy/modules/system/logging.if | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cc9438ce5..29dd74633 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -447,6 +447,7 @@ ifdef(`init_systemd',`
 	logging_relabelto_devlog_sock_files(init_t)
 	logging_relabel_generic_log_dirs(init_t)
 	logging_audit_socket_activation(init_t)
+	logging_use_syslogd_fd(init_t)
 
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(init_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4223e6b76..583b873a4 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -687,6 +687,25 @@ interface(`logging_send_syslog_msg',`
 	')
 ')
 
+########################################
+## <summary>
+##  Allow domain to use a file descriptor
+##  from syslogd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_use_syslogd_fd', `
+	gen_require(`
+		type syslogd_t;
+	')
+
+	allow $1 syslogd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Allow domain to relabelto devlog sock_files