Merge pull request #462 from pebenito/systemd-updates

Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00 · 2022-02-01 09:17:00 -05:00 · 709bfd95f9
commit 709bfd95f9
parent c58823f748 80598ee30d
15 changed files with 342 additions and 21 deletions
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -3849,6 +3849,24 @@ interface(`files_relabelfrom_home',`
 	allow $1 home_root_t:dir relabelfrom;
 ')

+########################################
+## <summary>
+##	Watch the user home root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in /home.
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@ -784,6 +784,7 @@ interface(`mta_list_spool',`
 	')

 	allow $1 mail_spool_t:dir list_dir_perms;
+	files_search_spool($1)
 ')

 #######################################
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -277,6 +277,7 @@ template(`ssh_server_template', `

 	optional_policy(`
 		systemd_read_logind_sessions_files($1_t)
+		systemd_stream_connect_userdb($1_t)
 	')
 ')

--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -339,6 +339,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

 kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_read_crypto_sysctls(ssh_keygen_t)
 kernel_dontaudit_getattr_proc(ssh_keygen_t)
 kernel_dontaudit_read_system_state(ssh_keygen_t)

--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@ -61,6 +61,7 @@ interface(`fstools_exec',`
 	')

 	can_exec($1, fsadm_exec_t)
+	corecmd_search_bin($1)
 ')

 ########################################
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -1114,6 +1114,24 @@ interface(`init_rw_stream_sockets',`
 	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to search init keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_search_keys',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:key search;
+')
+
 ########################################
 ## <summary>
 ##	start service (systemd).
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -514,6 +514,7 @@ ifdef(`init_systemd',`
 	systemd_manage_userdb_runtime_sock_files(init_t)
 	systemd_manage_userdb_runtime_dirs(init_t)
 	systemd_filetrans_userdb_runtime_dirs(init_t)
+	systemd_stream_connect_userdb(init_t)

 	term_create_devpts_dirs(init_t)
 	term_create_ptmx(init_t)
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -549,6 +549,7 @@ ifdef(`init_systemd',`
 	init_dgram_send(syslogd_t)
 	init_read_runtime_pipes(syslogd_t)
 	init_read_runtime_symlinks(syslogd_t)
+	init_read_runtime_files(syslogd_t)
 	init_read_state(syslogd_t)

 	# needed for systemd-initrd case when syslog socket is unlabelled
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@ -251,6 +251,10 @@ optional_policy(`
 	rpm_manage_script_tmp_files(lvm_t)
 ')

+optional_policy(`
+	systemd_rw_homework_semaphores(lvm_t)
+')
+
 optional_policy(`
 	udev_read_runtime_files(lvm_t)
 ')
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@ -10,6 +10,7 @@ ifdef(`distro_gentoo',`

 ifdef(`init_systemd',`
 /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+/run/tmpfiles\.d/static-nodes\.conf --  gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 ')

 /usr/bin/depmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@ -29,6 +29,8 @@
 /usr/lib/systemd/systemd-binfmt		--	gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
 /usr/lib/systemd/systemd-cgroups-agent	--	gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
 /usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-homed  	--	gen_context(system_u:object_r:systemd_homed_exec_t,s0)
+/usr/lib/systemd/systemd-homework       --      gen_context(system_u:object_r:systemd_homework_exec_t,s0)
 /usr/lib/systemd/systemd-hostnamed	--	gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
 /usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@ -43,6 +45,8 @@
 /usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir	--	gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-userdbd	--	gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
+/usr/lib/systemd/systemd-userwork	--	gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)

 # Systemd unit files
 HOME_DIR/\.config/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home_t,s0)
@ -62,6 +66,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-userdbd\.(service|socket)		--	gen_context(system_u:object_r:systemd_userdbd_unit_t,s0)
 /usr/lib/systemd/system/user@\.service	--	gen_context(system_u:object_r:systemd_user_manager_unit_t,s0)

 /usr/share/factory(/.*)?	gen_context(system_u:object_r:systemd_factory_conf_t,s0)
@ -70,6 +75,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data

 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
+/var/lib/systemd/home(/.*)?     gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)?	gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@ -86,11 +92,12 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data

 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/home(/.*)?         gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
-/run/systemd/userdb(/.*)?	gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
+/run/systemd/userdb(/.*)?	gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -863,6 +863,24 @@ interface(`systemd_PrivateDevices',`
 	fs_read_tmpfs_symlinks($1)
 ')

+######################################
+## <summary>
+##   Read and write systemd-homework semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`systemd_rw_homework_semaphores',`
+	gen_require(`
+		type systemd_homework_t;
+	')
+
+	allow $1 systemd_homework_t:sem rw_sem_perms;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read udev hwdb file
@ -1191,10 +1209,10 @@ interface(`systemd_signull_logind',`
 #
 interface(`systemd_manage_userdb_runtime_dirs', `
 	gen_require(`
-		type systemd_userdb_runtime_t;
+		type systemd_userdbd_runtime_t;
 	')

-	manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+	manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')

 ########################################
@ -1209,10 +1227,10 @@ interface(`systemd_manage_userdb_runtime_dirs', `
 #
 interface(`systemd_manage_userdb_runtime_sock_files', `
 	gen_require(`
-		type systemd_userdb_runtime_t;
+		type systemd_userdbd_runtime_t;
 	')

-	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+	manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')

 ########################################
@ -1227,12 +1245,12 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 #
 interface(`systemd_stream_connect_userdb', `
 	gen_require(`
-		type systemd_userdb_runtime_t;
+		type systemd_userdbd_t, systemd_userdbd_runtime_t;
 	')

 	init_search_runtime($1)
-	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+	allow $1 systemd_userdbd_runtime_t:dir list_dir_perms;
+	stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
 	init_unix_stream_socket_connectto($1)
 ')

@ -1404,7 +1422,7 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`

 ########################################
 ## <summary>
-##  Transition to systemd_userdb_runtime_t when
+##  Transition to systemd_userdbd_runtime_t when
 ##  creating the userdb directory inside an init runtime
 ##  directory.
 ## </summary>
@ -1416,10 +1434,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 #
 interface(`systemd_filetrans_userdb_runtime_dirs', `
 	gen_require(`
-		type systemd_userdb_runtime_t;
+		type systemd_userdbd_runtime_t;
 	')

-	init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+	init_runtime_filetrans($1, systemd_userdbd_runtime_t, dir, "userdb")
 ')

 ######################################
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -115,6 +115,28 @@ typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_gene
 typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
 init_system_domain(systemd_generator_t, systemd_generator_exec_t)

+type systemd_homed_t;
+type systemd_homed_exec_t;
+init_daemon_domain(systemd_homed_t, systemd_homed_exec_t)
+
+type systemd_homework_t;
+type systemd_homework_exec_t;
+domain_type(systemd_homework_t)
+domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
+role system_r types systemd_homework_t;
+
+type systemd_homed_runtime_t;
+files_runtime_file(systemd_homed_runtime_t)
+
+type systemd_homed_storage_t;
+files_type(systemd_homed_storage_t)
+
+type systemd_homed_tmpfs_t;
+files_tmpfs_file(systemd_homed_tmpfs_t)
+
+type systemd_homed_var_lib_t;
+files_type(systemd_homed_var_lib_t)
+
 type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
@ -297,8 +319,15 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)

-type systemd_userdb_runtime_t;
-files_runtime_file(systemd_userdb_runtime_t)
+type systemd_userdbd_t;
+type systemd_userdbd_exec_t;
+init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdbd_runtime_t)
+
+type systemd_userdbd_unit_t;
+init_unit_file(systemd_userdbd_unit_t)

 type systemd_user_unit_t;
 init_unit_file(systemd_user_unit_t)
@ -449,8 +478,7 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)

 fs_list_efivars(systemd_generator_t)
-fs_getattr_cgroup(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_all_fs(systemd_generator_t)

 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@ -469,6 +497,8 @@ kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
 kernel_dontaudit_getattr_proc(systemd_generator_t)
+# Where an unlabeled mountpoint is encounted:
+kernel_dontaudit_search_unlabeled(systemd_generator_t)

 storage_raw_read_fixed_disk(systemd_generator_t)

@ -476,7 +506,7 @@ systemd_log_parse_environment(systemd_generator_t)

 term_use_unallocated_ttys(systemd_generator_t)

-udev_search_runtime(systemd_generator_t)
+udev_read_runtime_files(systemd_generator_t)

 ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
@ -493,6 +523,125 @@ optional_policy(`
 	miscfiles_read_localization(systemd_generator_t)
 ')

+#######################################
+#
+# systemd-homed policy
+#
+
+dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
+allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t)
+
+allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
+
+manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t)
+manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, systemd_homed_runtime_t)
+filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file)
+init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)
+
+allow systemd_homed_t systemd_homed_storage_t:file read_file_perms;
+
+allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
+allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
+init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
+
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homed_t)
+
+files_list_home(systemd_homed_t)
+files_watch_home(systemd_homed_t)
+files_read_etc_files(systemd_homed_t)
+files_search_tmp(systemd_homed_t)
+
+fs_get_xattr_fs_quotas(systemd_homed_t)
+fs_getattr_all_fs(systemd_homed_t)
+
+kernel_read_kernel_sysctls(systemd_homed_t)
+kernel_read_crypto_sysctls(systemd_homed_t)
+kernel_read_system_state(systemd_homed_t)
+
+systemd_log_parse_environment(systemd_homed_t)
+
+udev_read_runtime_files(systemd_homed_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_homed_t)
+	dbus_connect_system_bus(systemd_homed_t)
+
+	init_dbus_chat(systemd_homed_t)
+')
+
+optional_policy(`
+	mta_list_spool(systemd_homed_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(systemd_homed_t)
+')
+
+#######################################
+#
+# systemd-homework policy
+#
+
+allow systemd_homework_t self:capability { chown fowner fsetid sys_admin };
+dontaudit systemd_homework_t self:capability sys_resource;
+allow systemd_homework_t self:key { search write };
+allow systemd_homework_t self:process getsched;
+allow systemd_homework_t self:sem create_sem_perms;
+
+allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms;
+allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
+init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
+
+# mount on /run/systemd/user-home-mount
+allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+
+allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
+files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
+
+allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
+
+dev_rw_loop_control(systemd_homework_t)
+dev_read_rand(systemd_homework_t)
+dev_read_urand(systemd_homework_t)
+dev_rw_lvm_control(systemd_homework_t)
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homework_t)
+
+files_read_etc_files(systemd_homework_t)
+files_mounton_runtime_dirs(systemd_homework_t)
+
+fs_getattr_all_fs(systemd_homework_t)
+fs_search_all(systemd_homework_t)
+fs_mount_xattr_fs(systemd_homework_t)
+fs_unmount_xattr_fs(systemd_homework_t)
+
+fstools_exec(systemd_homework_t)
+
+init_rw_inherited_stream_socket(systemd_homework_t)
+init_use_fds(systemd_homework_t)
+init_dontaudit_search_keys(systemd_homework_t)
+
+kernel_write_key(systemd_homework_t)
+kernel_get_sysvipc_info(systemd_homework_t)
+kernel_request_load_module(systemd_homework_t)
+
+kernel_read_kernel_sysctls(systemd_homework_t)
+kernel_read_crypto_sysctls(systemd_homework_t)
+kernel_read_system_state(systemd_homework_t)
+
+# loopback:
+storage_raw_read_fixed_disk(systemd_homework_t)
+storage_raw_write_fixed_disk(systemd_homework_t)
+
+systemd_log_parse_environment(systemd_homework_t)
+
+udev_read_runtime_files(systemd_homework_t)
+
 #######################################
 #
 # Hostnamed policy
@ -541,12 +690,17 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)

 files_search_runtime(systemd_hw_t)

+fs_getattr_all_fs(systemd_hw_t)
+fs_search_cgroup_dirs(systemd_hw_t)
+
 selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)

 init_read_state(systemd_hw_t)
 init_search_runtime(systemd_hw_t)

+kernel_read_crypto_sysctls(systemd_hw_t)
+
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)

@ -623,6 +777,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;

+stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
+
 kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)

@ -656,6 +812,7 @@ fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)

 selinux_use_status_page(systemd_logind_t)

@ -728,7 +885,6 @@ ifdef(`distro_redhat',`

 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
-	fs_getattr_xattr_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)
 	fs_read_dos_files(systemd_logind_t)

@ -787,6 +943,8 @@ allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perm
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;

+manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)

@ -889,8 +1047,8 @@ files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
-fs_getattr_xattr_fs(systemd_networkd_t)
-fs_getattr_cgroup(systemd_networkd_t)
+
+fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)

@ -1229,6 +1387,9 @@ files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)

+fs_getattr_all_fs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+
 init_dgram_send(systemd_resolved_t)

 seutil_read_file_contexts(systemd_resolved_t)
@ -1279,6 +1440,11 @@ allow systemd_sessions_t self:process setfscreate;
 allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)

+fs_getattr_all_fs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+fs_search_tmpfs(systemd_sessions_t)
+fs_search_ramfs(systemd_sessions_t)
+
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)

@ -1308,6 +1474,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)

 files_read_etc_files(systemd_sysctl_t)

+fs_getattr_all_fs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+
 systemd_log_parse_environment(systemd_sysctl_t)

 #########################################
@ -1321,6 +1490,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;

 files_manage_etc_files(systemd_sysusers_t)

+fs_getattr_all_fs(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
 kernel_read_kernel_sysctls(systemd_sysusers_t)

 selinux_use_status_page(systemd_sysusers_t)
@ -1404,10 +1576,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)

-fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)

 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@ -1430,6 +1602,7 @@ init_read_state(systemd_tmpfiles_t)

 init_relabel_utmp(systemd_tmpfiles_t)
 init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+init_read_runtime_files(systemd_tmpfiles_t)

 logging_manage_generic_logs(systemd_tmpfiles_t)
 logging_manage_generic_log_dirs(systemd_tmpfiles_t)
@ -1496,6 +1669,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)

+fs_getattr_all_fs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)

 selinux_use_status_page(systemd_update_done_t)
@ -1578,6 +1754,46 @@ udev_list_runtime(systemd_user_session_type)

 seutil_libselinux_linked(systemd_user_session_type)

+########################################
+#
+# systemd-userdbd local policy
+#
+
+allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:process signal;
+
+stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)
+
+manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)
+
+can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+auth_read_shadow(systemd_userdbd_t)
+auth_use_nsswitch(systemd_userdbd_t)
+
+dev_read_urand(systemd_userdbd_t)
+
+files_read_etc_files(systemd_userdbd_t)
+files_read_etc_runtime_files(systemd_userdbd_t)
+files_read_usr_files(systemd_userdbd_t)
+
+fs_getattr_all_fs(systemd_userdbd_t)
+fs_search_cgroup_dirs(systemd_userdbd_t)
+fs_read_efivarfs_files(systemd_userdbd_t)
+
+kernel_read_system_state(systemd_userdbd_t)
+
+init_stream_connect(systemd_userdbd_t)
+init_search_runtime(systemd_userdbd_t)
+init_read_state(systemd_userdbd_t)
+
+kernel_read_kernel_sysctls(systemd_userdbd_t)
+
+systemd_log_parse_environment(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
@ -1600,6 +1816,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_getattr_xattr_fs(systemd_user_runtime_dir_t)

 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -912,6 +912,10 @@ template(`userdom_common_user_template',`
 		usernetctl_run($1_t, $1_r)
 	')

+	optional_policy(`
+		systemd_stream_connect_userdb($1_t)
+	')
+
 	optional_policy(`
 		virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
 		virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@ -60,6 +60,34 @@ define(`domtrans_pattern',`
 	allow $3 $1:process sigchld;
 ')

+#
+# Automatic domain transition patterns
+# with NoNewPerms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nnp_domtrans_pattern',`
+	domtrans_pattern($1,$2,$3)
+	allow $1 $3:process2 nnp_transition;
+')
+
+#
+# Automatic domain transition patterns
+# on nosuid filesystem
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nosuid_domtrans_pattern',`
+	domtrans_pattern($1,$2,$3)
+	allow $1 $3:process2 nosuid_transition;
+')
+
 #
 # Dynamic transition pattern
 #