systemd: Further revisions from Russell Coker.

policy/modules/kernel/devices.if

@@ -878,6 +878,24 @@ interface(`dev_relabel_generic_symlinks',`
 	relabel_lnk_files_pattern($1, device_t, device_t)
 ')
 
+########################################
+## <summary>
+##     write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	write_sock_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, delete, read, and write device nodes in device directories.

policy/modules/kernel/devices.te

@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.3)
+policy_module(devices, 1.20.4)
 
 ########################################
 #

policy/modules/kernel/filesystem.if

@@ -785,6 +785,26 @@ interface(`fs_relabel_cgroup_dirs',`
 	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
+########################################
+## <summary>
+##     Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Read cgroup files.

policy/modules/kernel/filesystem.te

@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.2)
+policy_module(filesystem, 1.22.3)
 
 ########################################
 #

policy/modules/system/init.if

@@ -1066,6 +1066,24 @@ interface(`init_dbus_chat',`
 	allow init_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##      List /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage files in /var/lib/systemd/.

policy/modules/system/init.te

@@ -1,4 +1,4 @@
-policy_module(init, 2.2.6)
+policy_module(init, 2.2.7)
 
 gen_require(`
 	class passwd rootok;

policy/modules/system/lvm.if

@@ -63,6 +63,24 @@ interface(`lvm_run',`
 	role $2 types lvm_t;
 ')
 
+########################################
+## <summary>
+##      Send lvm a null signal.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_signull',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	allow $1 lvm_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Read LVM configuration files.

policy/modules/system/lvm.te

@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.3)
+policy_module(lvm, 1.19.4)
 
 ########################################
 #

policy/modules/system/systemd.te

@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.7)
+policy_module(systemd, 1.3.8)
 
 #########################################
 #
@@ -158,24 +158,6 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 type power_unit_t;
 init_unit_file(power_unit_t)
 
-######################################
-#
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
 ######################################
 #
 # Backlight local policy
@@ -226,23 +208,43 @@ init_stream_connect(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
-#######################################
+######################################
 #
-# locale local policy
+# coredump local policy
 #
 
-kernel_read_kernel_sysctls(systemd_locale_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
-files_read_etc_files(systemd_locale_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
-seutil_read_file_contexts(systemd_locale_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
 
-systemd_log_parse_environment(systemd_locale_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+dev_write_kmsg(systemd_coredump_t)
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pids(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+
+logging_send_syslog_msg(systemd_coredump_t)
+
+seutil_search_default_contexts(systemd_coredump_t)
 
-optional_policy(`
-	dbus_connect_system_bus(systemd_locale_t)
-	dbus_system_bus_client(systemd_locale_t)
-')
 
 #######################################
 #
@@ -262,6 +264,42 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+#######################################
+#
+# locale local policy
+#
+
+kernel_read_kernel_sysctls(systemd_locale_t)
+
+files_read_etc_files(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+systemd_log_parse_environment(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+######################################
+#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
 #########################################
 #
 # Logind local policy
@@ -325,6 +363,71 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+
+init_read_script_state(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+
+logging_send_syslog_msg(systemd_machined_t)
+
+seutil_search_default_contexts(systemd_machined_t)
+
+optional_policy(`
+	init_dbus_chat(systemd_machined_t)
+	init_dbus_send_script(systemd_machined_t)
+
+	dbus_connect_system_bus(systemd_machined_t)
+	dbus_system_bus_client(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
 ########################################
 #
 # Nspawn local policy
@@ -332,6 +435,66 @@ optional_policy(`
 
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+	getty_use_fds(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
 
 #########################################
 #