From 4d0d7cfc6f1289cf856af463a49054f2c67d8748 Mon Sep 17 00:00:00 2001 From: cgzones Date: Sat, 18 Feb 2017 22:16:30 +0100 Subject: [PATCH] systemd-tmpfiles: refactor runtime configs handle runtime configuration files under /run/tmpfiles.d as 3rd party content, like /run or /var/lib --- policy/modules/system/init.te | 1 - policy/modules/system/modutils.fc | 4 +- policy/modules/system/modutils.if | 6 +- policy/modules/system/modutils.te | 24 ++-- policy/modules/system/systemd.fc | 4 +- policy/modules/system/systemd.if | 208 +++++++++++++++++++----------- policy/modules/system/systemd.te | 12 +- 7 files changed, 156 insertions(+), 103 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f241e15a4..79b638916 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -324,7 +324,6 @@ ifdef(`init_systemd',` ') optional_policy(` - systemd_relabelto_kmod_files(init_t) systemd_dbus_chat_logind(init_t) ') diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index ff8b6c0f7..6984277ba 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -8,7 +8,9 @@ ifdef(`distro_gentoo',` /etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) ') -/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:kmod_var_run_t,s0) +ifdef(`init_systemd',` +/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0) +') /usr/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 9f487e1c7..9ddbdae26 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -376,9 +376,5 @@ interface(`modutils_exec_update_mods',` ## # interface(`modutils_read_var_run_files',` - gen_require(` - type kmod_var_run_t; - ') - - allow $1 kmod_var_run_t:file read_file_perms; + refpolicywarn(`$0($*) has been deprecated.') ') 
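Review bot: The stub left for modutils_read_var_run_files in modutils.if no longer grants anything, so a caller outside this tree loses read access to the kmod tmpfiles config and sees only the generic build warning. The interface's doc comment starts above the hunk; its summary should say that the interface is deprecated and that reading is now granted to systemd_tmpfiles_t through the systemd_tmpfiles_conf_type attribute (see the systemd.te part of this patch). The warning text could say the same, for example `$0($*) has been deprecated and grants no access.`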
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 133c5e02e..dd49612f9 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -23,8 +23,12 @@ files_type(modules_conf_t) type modules_dep_t; files_type(modules_dep_t) -type kmod_var_run_t; -files_pid_file(kmod_var_run_t) +ifdef(`init_systemd',` + type kmod_tmpfiles_conf_t; + typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t }; + systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t) + systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file) +') ######################################## # @@ -68,11 +72,6 @@ kernel_dontaudit_search_unlabeled(kmod_t) corecmd_exec_bin(kmod_t) corecmd_exec_shell(kmod_t) -# for /run/tmpfiles.d/kmod.conf -files_pid_filetrans(kmod_t, kmod_var_run_t, dir) -allow kmod_t kmod_var_run_t:dir manage_dir_perms; -allow kmod_t kmod_var_run_t:file manage_file_perms; - dev_rw_sysfs(kmod_t) dev_search_usbfs(kmod_t) dev_rw_mtrr(kmod_t) @@ -115,9 +114,12 @@ userdom_use_user_terminals(kmod_t) userdom_dontaudit_search_user_home_dirs(kmod_t) ifdef(`init_systemd',` - init_rw_stream_sockets(kmod_t) + # for /run/tmpfiles.d/kmod.conf + allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms; + # kmod needs to create /run/tmpdiles.d + systemd_tmpfiles_creator(kmod_t) - systemd_write_kmod_files(kmod_t) + init_rw_stream_sockets(kmod_t) ') optional_policy(` @@ -158,10 +160,6 @@ optional_policy(` xserver_dontaudit_write_log(kmod_t) xserver_stream_connect(kmod_t) xserver_dontaudit_rw_stream_sockets(kmod_t) - - ifdef(`hide_broken_symptoms',` - xserver_dontaudit_rw_tcp_sockets(kmod_t) - ') ') optional_policy(` diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 2264336da..46aa81eb8 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc 
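Review bot: Declaring kmod_tmpfiles_conf_t and its aliases inside the init_systemd block in modutils.te means the names kmod_var_run_t and systemd_kmod_conf_t exist only in systemd builds. Before this change kmod_var_run_t was declared unconditionally, so a non-systemd build with a module that still requires it would presumably fail to compile. If that is intended, a comment above the typealias line such as `# aliases kept for policies written against the old kmod_var_run_t / systemd_kmod_conf_t names` would record why both are there. The calls to systemd_tmpfiles_conf_file and systemd_tmpfiles_conf_filetrans also sit outside optional_policy, which assumes the systemd module is always present when init_systemd is set.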
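Review bot: The comment added in the init_systemd block of the kmod_t rules misspells the directory: `# kmod needs to create /run/tmpdiles.d` should read `# kmod needs to create /run/tmpfiles.d`. The rule above it gives kmod_t manage_file_perms on a file type that systemd_tmpfiles_t is allowed to read in the systemd.te part of this patch. The `# for /run/tmpfiles.d/kmod.conf` comment could therefore note that this file is the only one expected to carry kmod_tmpfiles_conf_t.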
@@ -47,7 +47,9 @@ /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) -/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0) + +/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) +/run/tmpfiles\.d/.* <> /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) /var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 70047dbe0..5e5268c07 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
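Review bot: The catch-all entry for `/run/tmpfiles\.d/.*` in systemd.fc has no comment explaining its effect; its context is rendered as `<>` on this page and is presumably `<<none>>`. With no context specified, a relabel will not correct a file in that directory that was created with the wrong type, so correct labelling depends on the creating domain having a type transition. I would add a comment above the two new lines, for example `# files below are labelled by their creator via systemd_tmpfiles_conf_filetrans(); restorecon leaves them alone`. The comment should also say that the more specific kmod.conf entry in modutils.fc is expected to override this one.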
@@ -130,53 +130,44 @@ interface(`systemd_dbus_chat_logind',` ## # interface(`systemd_write_kmod_files',` - gen_require(` - type systemd_kmod_conf_t; - ') - - write_files_pattern($1, var_run_t, systemd_kmod_conf_t) -') - -####################################### -## -## Allow systemd_tmpfiles_t to manage filesystem objects -## -## -## -## type of object to manage -## -## -## -## -## object class to manage -## -## -# -interface(`systemd_tmpfilesd_managed',` - gen_require(` - type systemd_tmpfiles_t; - ') - - allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## -## Allow process to relabel to systemd_kmod_conf_t. +## Get the system status information from systemd_login ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## -## # -interface(`systemd_relabelto_kmod_files',` +interface(`systemd_status_logind',` gen_require(` - type systemd_kmod_conf_t; + type systemd_logind_t; + class service status; ') - allow $1 systemd_kmod_conf_t:file relabelto_file_perms; + allow $1 systemd_logind_t:service status; +') + +######################################## +## +## Send systemd_login a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_signull_logind',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:process signull; ') ######################################## 
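Review bot: systemd_relabelto_kmod_files is deleted outright in this hunk, while systemd_write_kmod_files at the top of the hunk is kept as a deprecated stub, so the two retired interfaces are treated differently. A policy module outside this tree that still calls systemd_relabelto_kmod_files will fail to build rather than get a warning. Keeping an interface of that name whose body is the same single refpolicywarn line used for systemd_write_kmod_files would make the retirement consistent. The doc comment of systemd_write_kmod_files begins above the hunk and should also be marked as deprecated.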
@@ -276,49 +267,12 @@ interface(`systemd_read_logind_state',` ######################################## ## -## Get the system status information from systemd_login +## Allow specified domain to start power units ## ## -## -## Domain allowed access. -## -## -# -interface(`systemd_status_logind',` - gen_require(` - type systemd_logind_t; - class service status; - ') - - allow $1 systemd_logind_t:service status; -') - -######################################## -## -## Send systemd_login a null signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_signull_logind',` - gen_require(` - type systemd_logind_t; - ') - - allow $1 systemd_logind_t:process signull; -') - -######################################## -## -## Allow specified domain to start power units -## -## -## -## Domain to not audit. -## +## +## Domain to not audit. +## ## # interface(`systemd_start_power_units',` 
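Review bot: The parameter description re-indented here for systemd_start_power_units still reads `Domain to not audit.`, but the interface body (visible as context in the next hunk) is an allow rule for `power_unit_t:service start`, not a dontaudit. It should read `Domain allowed access.` so that policy authors do not mistake a grant for an audit suppression. The rest of this hunk only moves systemd_status_logind and systemd_signull_logind.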
@@ -329,3 +283,103 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') + +######################################## +## +## Make the specified type usable for +## systemd tmpfiles config files. +## +## +## +## Type to be used for systemd tmpfiles config files. +## +## +# + interface(`systemd_tmpfiles_conf_file',` + gen_require(` + attribute systemd_tmpfiles_conf_type; + ') + + files_config_file($1) + typeattribute $1 systemd_tmpfiles_conf_type; +') + +######################################## +## +## Allow the specified domain to create +## the tmpfiles config directory with +## the correct context. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_tmpfiles_creator',` + gen_require(` + type systemd_tmpfiles_conf_t; + ') + + files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d") + allow $1 systemd_tmpfiles_conf_t:dir create; +') + +######################################## +## +## Create an object in the systemd tmpfiles config +## directory, with a private type +## using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`systemd_tmpfiles_conf_filetrans',` + gen_require(` + type systemd_tmpfiles_conf_t; + ') + + files_search_pids($1) + filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4) +') + +####################################### +## +## Allow systemd_tmpfiles_t to manage filesystem objects +## +## +## +## type of object to manage +## +## +## +## +## object class to manage +## +## +# +interface(`systemd_tmpfilesd_managed',` + gen_require(` + type systemd_tmpfiles_t; + ') + + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 6c8caa8d7..be5b5770c 100644 
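Review bot: The doc comment of systemd_tmpfiles_conf_file does not say what marking a type this way implies. Per the systemd.te part of this patch, systemd_tmpfiles_t may read every file whose type carries systemd_tmpfiles_conf_type, and it presumably acts on what it reads. I would extend the description with a sentence such as `Files of this type are parsed by systemd-tmpfiles; grant write access only to the domain that owns the configuration.` Two smaller points in the same hunk: the interface line for systemd_tmpfiles_conf_file appears to start with a stray space, and systemd_tmpfiles_conf_filetrans documents a fourth name parameter that the caller in modutils.te omits, so it should be described as optional.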
--- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -21,6 +21,7 @@ gen_tunable(systemd_tmpfiles_manage_all, false) gen_tunable(systemd_nspawn_labeled_namespace, false) attribute systemd_log_parse_env_type; +attribute systemd_tmpfiles_conf_type; type systemd_activate_t; type systemd_activate_exec_t; @@ -147,10 +148,11 @@ init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions") type systemd_tmpfiles_t; type systemd_tmpfiles_exec_t; -type systemd_kmod_conf_t; -files_config_file(systemd_kmod_conf_t) init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) +type systemd_tmpfiles_conf_t; +files_config_file(systemd_tmpfiles_conf_t) + # # Unit file types # @@ -551,6 +553,9 @@ manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; +allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; +allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; + kernel_read_kernel_sysctls(systemd_tmpfiles_t) dev_relabel_all_sysfs(systemd_tmpfiles_t) @@ -567,9 +572,6 @@ auth_manage_login_records(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) -# for /run/tmpfiles.d/kmod.conf -modutils_read_var_run_files(systemd_tmpfiles_t) - seutil_read_file_contexts(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t)
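Review bot: systemd_tmpfiles_conf_t is declared with files_config_file() only (hunk at -147), so it does not carry the new systemd_tmpfiles_conf_type attribute. The read rule added in the hunk at -551, `allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;`, therefore does not cover files of that type. A file created in /run/tmpfiles.d by a domain without a type transition would presumably inherit the directory's type and fall outside that rule, unless access comes from rules not shown here. If ignoring such files is the intent, a comment next to the declaration should say so; if not, declaring the type through `systemd_tmpfiles_conf_file(systemd_tmpfiles_conf_t)` would include it.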