From 02e558be0f546a05571d8ce0dc01dc65c963267a Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Mon, 6 Mar 2023 13:18:41 -0500
Subject: [PATCH] fs, udev: allow systemd-udevd various cgroup perms

Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/kernel/filesystem.if | 40 ++++++++++++++++++++++++++++-
 policy/modules/system/udev.te       |  6 ++++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5a60fa3bb..a9bff7207 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_dirs_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	create_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Watch cgroup files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index c86fa6d4d..90a71239e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
 	files_search_kernel_modules(udev_t)
 
-	fs_read_cgroup_files(udev_t)
+	# systemd-udev creates cgroup files under
+	# /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+	fs_create_cgroup_dirs(udev_t)
+	fs_create_cgroup_files(udev_t)
+	fs_rw_cgroup_files(udev_t)
 
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)